Product Spotlight: ScriptLogic File System Auditor

Derek Schauland gives an overview of File System Auditor from ScriptLogic, which allows you to monitor, audit, and report on network file usage in your organization.

Helping users locate and work with networked files is a big part of IT support duties. Imagine a support call rolling across your desk where the user is looking for a file for a project that he has been working on but the file is now gone. Usually these kinds of panic calls occur about thirty minutes before the file is needed for a meeting. How do you go about tracking down the mystery file?

Sure, using a snapshot of the file will allow a previous version to be restored, but that only solves half the problem. If the user is not aware who moved or deleted the file in the first place, then restoring a version might not solve the issue. If this scenario seems all too familiar, File System Auditor from ScriptLogic might provide a solution for you. It helps the IT staff sort out what happened to files on the network and when.

Specifications

File System Auditor (FSA) is a great reporting tool for tracking down the user who may have changed or removed a file or for keeping tabs on file creation. It monitors a file path and can alert users or administrators to changes made to a file or all files in a folder. The goal of the application is to ensure that files stored on the network can be accounted for and that changes to them can be traced back to a specific user and time of day.

Preventing an action by a user can be done through Windows; FSA's ultimate job is to show what is happening to the files stored on the network.

Supported operating systems:
  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows Server 2003

Hardware requirements:

None specific to the application

Who's it for?

IT administrators who need to keep track of files (and changes or modifications to them) for compliance reasons may find FSA very helpful. In my organization, FSA made it possible to isolate a file removal operation to a specific user. Having a log of the action ensured that the file's creator and its other users could get what they needed prior to the file being deleted as well as work with the individual to determine the reason why the file was being removed.

What problem does it solve?

File System Auditor can help when evaluating disk usage by allowing administrators to track which files others in the organization are using most. For example, when a user asks about a file that they insist cannot be archived to offsite storage because it might be needed, the access and usage of the file can be reported on for a given time period to help determine the overall usefulness of the item. The single pane view of this information is also much more user friendly than creating a bunch of views within Windows Explorer and trying to get a reportable view.

Standout features

Ease of use has to be at the top of this list. When working with FSA, simply specifying a path on the licensed server will provide any information about the file or files within the path. From creation and modification to removal and permissions changes, all of the information about actions on the file is reported in a very user-friendly way.

A key feature of the FSA application is filtering. While it is nice to know when someone on the network changes or accesses a particular file, you may wish to exclude certain file types, applications, or even user accounts that access these files from reporting.

For example, I have a report that is used by a specific department and the manager of that department noticed that the previous day's document was being deleted so further changes and analysis could not be completed. When I began auditing the path to that file, the report was muddied with .tmp files that were being included in the results. Excluding *.tmp from audited paths allowed me to show only necessary results when the report was executed.

Another thing I noticed after using the application for a while was access by our backup application and a system user account. Because the user account was also used by the backup application, excluding that user from the reporting prevented events by this user account from being included.

To track access by a service account, setting up a separate report for this user might be the best way to go. This allows the events to be monitored, but doesn't create confusion within the other audit reports.
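The filtering approach described above, sketched as an added example (not ScriptLogic's code and not FSA's interface): constructed audit events are split into a main report and a separate service-account report, with *.tmp noise dropped from both. The event fields, account names, and paths are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample events (time, user, action, path). This layout is an
# assumption for illustration, not FSA's database schema.
SHARE = r"\\fs01\reports" + "\\"
EVENTS = [
    {"time": t, "user": u, "action": a, "path": SHARE + f}
    for t, u, a, f in [
        ("2010-03-01 22:00", r"CORP\svc_backup", "read",   "daily.xlsx"),
        ("2010-03-02 08:01", r"CORP\jsmith",     "modify", "~daily.TMP"),
        ("2010-03-02 08:02", r"CORP\jsmith",     "modify", "daily.xlsx"),
        ("2010-03-02 17:45", r"CORP\akhan",      "delete", "daily.xlsx"),
        ("2010-03-02 17:45", r"CORP\akhan",      "delete", "~$daily.tmp"),
        ("2010-03-02 22:00", r"CORP\SVC_Backup", "read",   "daily.xlsx"),
    ]
]

EXCLUDE_PATTERNS = ["*.tmp"]                 # file-name globs to drop
SERVICE_ACCOUNTS = {r"corp\svc_backup"}      # hypothetical backup account


def split_reports(events, exclude_patterns, service_accounts):
    """Return (main_report, service_report).

    Excluded file types are dropped from both reports. Service-account
    events go to their own report so they remain monitored without
    cluttering the main one. Matching is case-insensitive, as Windows
    file and account names are.
    """
    patterns = [p.lower() for p in exclude_patterns]
    accounts = {a.lower() for a in service_accounts}
    main, service = [], []
    for ev in events:
        name = ev["path"].rsplit("\\", 1)[-1].lower()
        if any(fnmatchcase(name, p) for p in patterns):
            continue
        (service if ev["user"].lower() in accounts else main).append(ev)
    return main, service


def last_deleter(report, path):
    """Most recent delete event for path in the report, or None."""
    hits = [ev for ev in report
            if ev["action"] == "delete" and ev["path"].lower() == path.lower()]
    # Timestamps are "YYYY-MM-DD HH:MM", so string order is time order.
    return max(hits, key=lambda ev: ev["time"], default=None)
```
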

Another key feature is audit logging. All events reported by FSA are logged to a database. This allows captured events to be stored for reporting and real-time review. As more information is stored, the database may need to be purged to keep the size under control.

FSA includes a wizard to help an administrator clean out events from the database. Events can be purged by time/date range, selected (or all) users or groups, event types, and selected workstations. One advantage of this approach is that events generated while testing a particular audit scenario (for example, auditing changes to a file without excluding the backup service account) can be purged because they are not valid data and are of no value for your audit requirements.

Figure A: Configuration console

Figure B: Report configuration console

What's wrong?

The licensing can be a bit prohibitive for some organizations. At approximately $700 per server, this could quickly become very expensive if there are many environments to monitor. The biggest benefit of this model is that one file server can be licensed very inexpensively and still be very scalable.

The learning curve for creating reports isn't too steep, but it did take a few tries and uses of the software to get the hang of creating and scheduling useful reports.

Competitive products

Bottom line for business

If you are fielding calls from coworkers about lost files or unauthorized access, FSA might be a good tool to help you get to the bottom of the issues. In environments where strict compliance rules apply, a file auditor of this kind might be necessary. FSA can be used to make informed decisions about how to handle access to the files without just removing or adding permissions in your environment.

About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

2 comments
Adunkin

I use the Netwrix file server change reporter for file auditing. Provides much of the same file server auditing functionality as above, but for a good amount cheaper. There is also a freeware version available, which we used at first. For anyone who doesn't need the bells and whistles, it's a solid product.

famigorena

..., extremely easy to set up and use, officially certified for Windows 7, and gets the job done! It is already in use by hundreds of international organizations, including: Boeing, Ernst & Young, GlaxoSmithKline, Honda, Lockheed Martin, LVMH, PriceWaterhouseCoopers, ... http://www.FileAudit.com