Searching through Audit log CIFS folder/file permissions

robmichel2854 · ‎2018-11-15

We want to be able to look quickly look through windows logs to see folder permission changes. We've turned on logging where the logs goto a user directory, but they are all "evtx" logs. We can see everything if we use MS Eventviewer, but there are so many, doing a quick search on them for a user, etc. is just about impossible. Since its in the evtx format, I don't seem to be able to text greps on the data.

Does anyone else have this same problem and tackled it with someone besides a SIEM?

Is there a way to simply have the logs sent over in XML verse evtx ? And only with the File/Folder Permission changes instead of every read/write event to them ?

Vijay_ramamurthy · ‎2018-11-19

Hi ,

You can also configure CIFS auditing to create audit logs in XML format.
The audit logs can be generated only in either XML or EVTX format and not both.
Please refer the TR below for more details :
https://www.netapp.com/us/media/tr-4189.pdf

If the audit logs are in XML and want to convert it to EVTX then you can use the link below to get the tool which converts Audit Logs From XML To EVTX Format.
https://community.netapp.com/t5/Network-Storage-Protocols-Articles-and-Resources/Tool-to-convert-Audit-Logs-from-XML-to-EVTX-Format/ta-p/84735

Also if you want only the permission changes to a file/folder be audited then you can modify SACL accordingly to only audit only those events. “Change Permissions" and/or "Take Ownership” should be able to track it.

scott_f · ‎2018-11-20

You can configure the vserver cifs audit logs to be in either evtx or xml format. That audit SACLs have a lot of options, you wouldd be best to read the auditing documentation to decide what you want to audit.

We read the audit logs (in XML format) and then forward them to Splunk so they are indexed and searchable. You could do similar with the ELK stack or just save them off somewhere.