The File Audit configuration within a group defines rules for monitoring file system activity on the Windows machines assigned to that group. File audit rules instruct EventLogAgent clients to monitor specific directories for file operations such as reads, writes, deletions, renames, and permission changes, and forward matching activity to LT Auditor MP or the configured syslog destination.
Understanding file auditing in EventLogCentral:
File auditing in EventLogCentral works through Windows Security event logs rather than a separate agent mechanism. Specifically, it uses the following Windows Security event IDs:
| Event ID | Description |
| 4656 | A handle to an object was requested |
| 4670 | Permissions on an object were changed |
Because file audit relies on Windows Security event logging, Windows Object Access auditing (the Audit File System subcategory) must be enabled on monitored machines before file audit rules will generate events. The policy alone only switches the auditing subsystem on: Windows writes 4656 and 4670 only for files and folders that carry an audit entry (a SACL), unless Global Object Access Auditing is configured for the file system. Without both, EventLogAgent has nothing to collect regardless of how file audit rules are configured.
Rules are evaluated locally on each client; only matching events are forwarded, which reduces network traffic and SIEM ingestion volume.
Enabling Windows Object Access auditing:
Before configuring file audit rules, confirm that Windows Object Access auditing is enabled on the target machines. This can be done via Group Policy:
- Open Group Policy Management Console
- Edit the GPO applied to the relevant machines
- Navigate to:
Computer Configuration → Policies → Windows Settings →
Security Settings → Advanced Audit Policy Configuration →
Audit Policies → Object Access
- Enable Audit File System for Success and Failure
- Apply the GPO
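The GPO steps above enable the audit subcategory, but Windows still generates 4656/4670 only for objects that carry an audit entry (SACL). The following PowerShell, added here as an example and not part of EventLogCentral or EventLogAgent, checks the effective Audit File System policy on a machine and applies a SACL to one folder so the events can actually be produced. Run it in an elevated session on the monitored machine; the folder path and the audited identity (Everyone) are assumptions to adjust for the rule being configured.

```powershell
# Added example (not EventLogCentral/EventLogAgent code): Windows-side prerequisites
# for one file audit rule. Requires an elevated session (SeSecurityPrivilege is needed
# to write a SACL). $Path is an assumption matching Example 1 below.
$Path = 'C:\HR\Documents'

# 1. Effective policy for Object Access > Audit File System. The /r switch gives CSV.
$policy = auditpol /get /subcategory:"File System" /r | ConvertFrom-Csv
if ($policy.'Inclusion Setting' -ne 'Success and Failure') {
    # Standalone or lab machine only: on a domain member the GPO described above is
    # authoritative and overwrites local changes at the next policy refresh.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable
}
auditpol /get /subcategory:"File System"

# 2. Add an audit entry (SACL) for Everyone on the folder and its contents.
#    Well-known SID avoids depending on the localized group name.
$everyone = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

# Rights chosen to cover the operations offered in the rule form:
#   Read -> ReadData; Write -> WriteData, AppendData;
#   Delete/Rename -> Delete, DeleteSubdirectoriesAndFiles;
#   Permission Change -> ChangePermissions, TakeOwnership.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $everyone, $rights, $inherit, $prop, $flags)

# Get-Acl only reads the SACL when -Audit is given; without it the audit rules are
# not loaded and Set-Acl would not write any.
$acl = Get-Acl -LiteralPath $Path -Audit
$acl.SetAuditRule($rule)          # replaces an existing entry for this identity, if any
Set-Acl -LiteralPath $Path -AclObject $acl

# 3. Show the resulting audit entries so the SACL can be confirmed before the
#    file audit rule is saved in EventLogCentral.
(Get-Acl -LiteralPath $Path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited
```

Auditing ReadData on a busy share produces one 4656 per handle request, so trim the rights in the SACL to match the operations actually selected in the rule when read monitoring is not required.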
[Your administrator should confirm that Object Access auditing is enabled across all machines in groups where file audit rules are configured before expecting file audit events to appear in LT Auditor MP.]
Accessing file audit configuration for a group:
- In the left navigation menu, click Groups
- Locate the group you want to configure
- Click the ⋮ menu next to the group
- Select File Audit
Creating a file audit rule:
- Click Add Rule
- Configure the rule details:
Rule Name: A descriptive name for the rule:
Example: Monitor HR Documents
Example: Critical Config Files
Example: Finance Share Activity
Path: The full directory path to monitor on the client machine:
Windows examples:
C:\HR\Documents
C:\Windows\System32\config
\\fileserver01\shares\Finance
Recursive: Whether to monitor subdirectories within the specified path:
| Setting | Description |
| Enabled | Monitor the specified path and all subdirectories |
| Disabled | Monitor only the specified path; subdirectories are not included |
Operations: Select which file operations to monitor:
| Operation | Description |
| Read | File read access |
| Write | File write or modification |
| Delete | File deletion |
| Rename | File or folder rename |
| Permission Change | Changes to file or folder permissions |
Include Patterns: File name patterns to include in monitoring. Leave blank to monitor all file types:
Examples:
*.docx, *.xlsx, *.pdf
SAM, SYSTEM, SECURITY
*.csv, *.txt
Exclude Patterns: File name patterns to exclude from monitoring, useful for filtering out temporary or system-generated files that create noise:
Examples:
~$* (temporary Office files)
*.tmp (temporary files)
*.log (log files)
- Click Save
Example file audit rules:
Example 1 - Monitor HR documents:
Rule Name: HR Documents
Path: C:\HR\Documents
Recursive: Yes
Operations: Read, Write, Delete, Rename, Permission Change
Include Patterns: *.docx, *.xlsx, *.pdf
Exclude Patterns: ~$*, *.tmp
Example 2 - Monitor critical Windows configuration files:
Rule Name: Critical Config Files
Path: C:\Windows\System32\config
Recursive: No
Operations: Write, Delete, Rename, Permission Change
Include Patterns: SAM, SYSTEM, SECURITY
Exclude Patterns: *.log, *.tmp
Example 3 - Monitor a sensitive network share:
Rule Name: Finance Share
Path: \\fileserver01\shares\Finance
Recursive: Yes
Operations: Read, Write, Delete, Permission Change
Include Patterns: (blank; all file types are monitored)
Exclude Patterns: ~$*, *.tmp, Thumbs.db
Editing an existing file audit rule:
- Navigate to the group’s File Audit configuration
- Locate the rule to edit
- Click the Edit icon
- Modify the settings as needed
- Click Save
Deleting a file audit rule:
- Locate the rule in the File Audit list
- Click the Delete icon
- Confirm the deletion
Troubleshooting file audit:
If file audit events are not appearing in LT Auditor MP, work through the following checks:
| Problem | Likely Cause | Resolution |
| No file events appearing | Windows Object Access auditing not enabled | Enable Audit File System via Group Policy |
| No file events appearing | Monitored folder has no audit entry (SACL) | Add an audit entry for the folder under Properties > Security > Advanced > Auditing, or configure Global Object Access Auditing for the file system |
| No file events from a specific path | Path does not exist on the client | Confirm the path exists and is accessible on the target machine |
| No file events for specific file types | Include pattern too restrictive | Review and update the Include Patterns setting |
| Excessive noise from a path | Exclude pattern too broad or missing | Add or refine Exclude Patterns to filter out unwanted files |
| File events appearing but not forwarded | Audit policy suppressing events | Review group Audit Policies for DENY rules affecting file event IDs |
| Network share not being monitored | Agent lacks access to the share | Confirm the EventLogAgent service account has read access to the network path |
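The checks in the table can be run in one pass on the client before a rule is saved or when events are missing. The function below is an added example, not part of EventLogCentral or EventLogAgent: for one rule's path it confirms the path is reachable, that Audit File System is enabled, that the folder carries a SACL, and how many 4656/4670 events naming that path reached the Security log recently. It also dry-runs the rule's include and exclude patterns against the files currently under the path, which gives a rough scope count for the volume testing recommended under Best practices. The pattern semantics (standard `*`/`?` wildcards on the file name, as in PowerShell's -like) are an assumption; the product's own matcher may differ. Run it as the account the agent runs under, since share access is evaluated for that identity.

```powershell
# Added example (not EventLogCentral/EventLogAgent code): Windows-side diagnostics for
# one file audit rule. Assumes include/exclude patterns are simple wildcards matched
# against the file name; that is an assumption about the product, not documented here.
function Test-FileAuditRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$IncludePatterns = @(),
        [string[]]$ExcludePatterns = @(),
        [switch]$Recursive,
        [int]$LookbackMinutes = 60
    )
    $result = [ordered]@{ Path = $Path }

    # 1. Path exists and is reachable from this machine under the current identity.
    $result.PathExists = Test-Path -LiteralPath $Path

    # 2. Audit File System subcategory state (expect 'Success and Failure').
    $policy = auditpol /get /subcategory:"File System" /r | ConvertFrom-Csv
    $result.AuditPolicy = $policy.'Inclusion Setting'

    if ($result.PathExists) {
        # 3. SACL present? Without an audit entry Windows writes no 4656/4670 for the folder.
        $result.SaclEntries = @((Get-Acl -LiteralPath $Path -Audit).Audit).Count

        # 4. Dry-run the include/exclude patterns to estimate how many files are in scope.
        $files = Get-ChildItem -LiteralPath $Path -File -Recurse:$Recursive -ErrorAction SilentlyContinue
        $inScope = $files | Where-Object {
            $name = $_.Name
            $included = ($IncludePatterns.Count -eq 0) -or
                        ($IncludePatterns | Where-Object { $name -like $_ })
            $excluded = $ExcludePatterns | Where-Object { $name -like $_ }
            $included -and -not $excluded
        }
        $result.FilesTotal   = @($files).Count
        $result.FilesInScope = @($inScope).Count
    }

    # 5. Recent Security events whose object name is under the monitored path.
    #    Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
    $since  = (Get-Date).AddMinutes(-$LookbackMinutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4670; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Properties | Where-Object {
                $_.Value -is [string] -and $_.Value.StartsWith($Path, 'OrdinalIgnoreCase')
            }
        }
    $result.RecentEvents = @($events).Count
    $result.RecentByEventId = ($events | Group-Object Id | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '

    [pscustomobject]$result
}

# Usage, mirroring Example 1 above (path and patterns are the page's own example values):
Test-FileAuditRule -Path 'C:\HR\Documents' -Recursive `
    -IncludePatterns '*.docx', '*.xlsx', '*.pdf' `
    -ExcludePatterns '~$*', '*.tmp' |
    Format-List
```

Read the output top to bottom: PathExists false points at the path or share-access rows of the table, AuditPolicy other than 'Success and Failure' at the Group Policy row, SaclEntries of 0 at the missing audit entry row, and RecentEvents of 0 with everything else healthy at the agent or group Audit Policies rows. A large FilesInScope against a small FilesTotal difference means the exclude patterns are doing little and noise should be expected.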
Best practices:
- Always confirm Windows Object Access auditing is enabled before configuring file audit rules; without it no events will be generated regardless of rule configuration
- Be specific with monitored paths; targeting entire drives generates extremely high event volumes and significant performance impact on client machines
- Use Include Patterns to limit monitoring to file types most likely to contain sensitive data
- Use Exclude Patterns to filter out temporary files, log files, and other noise sources from the start
- Disable the Read operation for high-traffic directories if write, delete, and permission change monitoring is sufficient; read events can generate very high volumes on busy file servers
- Test file audit rules on non-production machines before deploying to production to assess event volume and performance impact
- Confirm the EventLogAgent service account has appropriate read access to any network shares included in file audit rules
[Your administrator should document all active file audit rules and the business rationale for each monitored path so the configuration is auditable and can be reviewed during compliance assessments.]