Information
Note: Security configuration and event audits fall outside the scope of Plesk Technical Support and should be performed by your company's Security Administrator.
However, Microsoft Windows includes built-in tools that let you audit files and folders and protect your server from unauthorized use. In some cases it is necessary to know who modified or deleted a file or folder, and when.
Microsoft Windows allows you to monitor several event types for security purposes.
This article describes how to set up file auditing on a Windows Server 2022 machine and how to obtain Audit log data from the Event Viewer.
Steps
::: Set the audit tracking:
- Enable Audit process tracking for Success and Failure results:
  - Open Start -> Run
  - Type secpol.msc and hit Enter
  - Navigate to Security Settings -> Local Policies -> Audit Policy
  - Edit the Audit process tracking key and enable auditing of both Success and Failure events
  Resulting settings should look similar to this picture:
- Propagate policy changes:
  - Open Start -> Run
  - Type gpupdate /force and hit Enter
- Set up auditing on the required files and folders for the needed event types:
  - Open Windows Explorer and navigate to the file (folder) in question.
  - Right-click the file and select Properties
  - On the Security tab, click the Advanced button
  - Switch to the Auditing tab
  - Click Add to choose the users and groups to monitor. The common practice is to add the Authenticated Users group as the Principal.
  - In Type, select the required events (Success or Failure). For an explicit audit, select all, and do the same for the permissions.
  Resulting settings should look similar to this picture:
Now all access attempts will be tracked in the Security log of Event Viewer.
::: See the audit log in Event Viewer:
- Open the Event Viewer:
  - Open Start -> Run
  - Type eventvwr and hit Enter
- Select the Security section.
- On the right side, click Find and type the name of the file being audited. In this example: FileToTrackAccess.txt
- In the Details of the audit record that was found, look for the Logon ID and note it.
- Again on the right side, click Find and type the Logon ID noted in the previous step.
- The IP address will be shown in the Details.
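The Find-based lookup above can also be done in one pass from PowerShell. This is an added example, not part of the original article; it assumes file access is recorded as Security event 4663 and logons as event 4624 (the article names neither ID), and it must be run from an elevated prompt.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell.
# Assumptions: file access is logged as event 4663 and logons as event 4624;
# the article itself names neither ID. The file name is the article's example.
$FileName = 'FileToTrackAccess.txt'

# Flatten an event's <EventData> into a name -> value hashtable.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $map = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $map[$d.Name] = $d.'#text'
    }
    $map
}

# Read all Security events with the given ID; an empty result is not an error here.
function Get-SecurityEvent {
    param([int]$Id)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id } -ErrorAction SilentlyContinue
}

# Index logon events by Logon ID so each file access can be matched to its session.
$logons = @{}
foreach ($e in (Get-SecurityEvent -Id 4624)) {
    $d = Get-EventDataMap $e
    # Logon IDs are only unique between reboots; Get-WinEvent returns newest
    # first, so keep the most recent logon seen for each ID.
    if (-not $logons.ContainsKey($d.TargetLogonId)) { $logons[$d.TargetLogonId] = $d }
}

# Report every access to the audited file together with the originating logon.
foreach ($e in (Get-SecurityEvent -Id 4663)) {
    $d = Get-EventDataMap $e
    if ($d.ObjectName -notlike "*\$FileName") { continue }
    $logon = $logons[$d.SubjectLogonId]
    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
        Process    = $d.ProcessName
        AccessMask = $d.AccessMask
        LogonId    = $d.SubjectLogonId
        LogonType  = if ($logon) { $logon.LogonType } else { $null }
        SourceIp   = if ($logon) { $logon.IpAddress } else { 'logon event not in log' }
    }
}
```

A SourceIp of "-", ::1 or 127.0.0.1 indicates a local or service logon rather than a remote client.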
::: Export the audit log in HTML:
- Export the Security log from Event Viewer:
  - Open Start -> Run.
  - Type Powershell and hit Enter. Then enter:
    Get-WinEvent -FilterHashtable @{LogName='Security'} | ConvertTo-Html -Head '' -PreContent '<h2>Security audit log</h2>' | Out-File C:\SecurityLog.htm
- Open the resulting HTML file in your web browser (located at C:\SecurityLog.htm)
  - Open context search with Ctrl+F.
  - Search for the…