How to Monitor File creation/change/Deletions and Permission Changes on Windows File Servers with SCOM 2012 R2

shankar431 466 Reputation points
2021-02-15T11:06:32.26+00:00

Hi All,

Is it possible to monitor the below file monitoring criteria with SCOM.

  1. Who has created\changes\deleted what files\folders and when
  2. Who has removed\opened and copied a specific file
  3. Who has modified access rights on files\folders or shares?

We are using SCOM 2012 R2.

Regards,
Ravi Shankar

Operations Manager
Operations Manager
A family of System Center products that provide infrastructure monitoring, help ensure the predictable performance and availability of vital applications, and offer comprehensive monitoring for datacenters and cloud, both private and public.
1,412 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. SChalakov 10,261 Reputation points MVP
    2021-02-15T13:04:00.01+00:00

    Hi @shankar431 ,

    yes, you can, but you need to enable some auditing related GPO settings, so that the access to those files and folders is logged in the form of events.
    You can find a very nice example here that will also work for SCOM 2012 R2 of course:

    Monitoring File Access with SCOM
    https://opsmgrsolutions.wordpress.com/2010/02/02/monitoring-file-access-with-scom/

    You can also check the Asnwer of Leon from the old Social Technet forums:

    SCOM 1807 and monitoring File Server
    https://social.technet.microsoft.com/Forums/en-US/07726cdc-5798-4c1b-bbc2-e246465cf6b2/scom-1807-and-monitoring-file-server?forum=operationsmanagergeneral

    The following post froms the SquaredUp forums is presenting also another approach (script based):

    Monitor a Folder in FileServer for User Addition/Removal
    https://community.squaredup.com/t/monitor-a-folder-in-fileserver-for-user-addition-removal/1135

    Hope this will help you out!

    ----------

    If the response is helpful, please click "Accept Answer" and upvote it.
    Regards,
    Stoyan

    1 person found this answer helpful.
    0 comments
  2. Leon Laude 85,646 Reputation points
    2021-02-15T13:08:59.567+00:00

    Hi @shankar431 ,

    I want to warn you that you'll need to be extra careful when monitoring file creations/changes/deletions and permission changes with SCOM as file auditing can be very noisy.

    One way you can achieve this is to enable audit policies in your Active Directory (How to Enable the Security Auditing of Active Directory) and configure auditing for your folders that you want monitor, then you'll need to find which events are generated for each file action, you can find the related event IDs over here:
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

    Then simply can create SCOM rules to monitor the event IDs that interest you.

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Best regards,
    Leon

    1 person found this answer helpful.
    0 comments