Derek Schauland evaluates a file audit application from IS Decisions that helps you track down actions taken on files on volumes running the NTFS file system.
Managing files and access to them can be challenging given the tools available by default within Windows. Luckily, several third-party vendors have solutions to help you determine just what is happening to the files within your environment. In a previous post I looked at ScriptLogic's File System Auditor; this time I will be checking out FileAudit by IS Decisions.
Sometimes an application needs killer remote or automation features, of which I am definitely a fan, but other times a simple interface with a great feature set is a better way to go.
FileAudit works on volumes running the NTFS file system.
Supported operating systems:
- Windows 2000
- Windows XP
- Windows Vista
- Windows 7
- Windows Server 2003
- Windows Server 2008
- Windows Server 2008 R2
Who's it for?
Organizations looking to audit and keep tabs on files and folders within their environment will find the simple user interface easy to work with. Windows stores a great deal of information about what is happening on a given system; FileAudit takes advantage of this information and presents it in a very useable format.
What problem does it solve?
FileAudit allows administrators to see the access or attempted access to files on the selected server. The actions available on a file (or folder) are displayed at refresh in the main console window of the application. The action taken on the file/folder is listed, as is the user who performed the action.
What I like most about FileAudit is the simple learning curve. This seems to be true of most of the applications in this area and may not seem like much, but getting the information about files and folders in many cases is more important than the bells and whistles the application contains.
Simple filtering of event types also caught my eye. By default, all of the following filters are checked, showing all actions available for the selected file(s) or folder(s).
Unchecking a filter removes these event types from view at the next refresh. Also by default, scans include all users. This can be restricted to a specific user by changing the drop-down menu for the User filter.
Because Windows keeps information in the event logs for just about every action that happens to a file or folder, FileAudit scans the event logs for information regarding the chosen items to audit and returns them to the list. Why is this a standout feature? Because it shows the simplicity and effectiveness of the application; all information related to a scan in FileAudit is read from the event logs. An Access database is used to store events for reporting, but Microsoft Access is not required on the machines being scanned.
One last standout feature is licensing or pricing. Because the application is licensed by target system, the pricing is not too bad. Sure, if you have a file server with 25 files on it, the $200 price tag per system might be a bit steep, but most organizations have very large file servers (and sometimes many of them), which makes the cost much more reasonable. As the number of target systems goes up, the price of course goes down some, as with any volume licensing method around these days. I will note that while there is a volume discount, it was not a spectacular savings. When licensing systems 200-400, the cost only comes down to $133/system; however, this is in line with, and in many cases less than, other applications I have looked at.
Looking at other licensed systems is also possible by entering the full path. For example, if I have a file on server2 on which I want to see an audit, I would enter \\server2\share\file.ext as the path to the file, and assuming I have administrative rights on that target system, the results of the audit will be returned.
Along with this, you can save audits for later use. This allows the administrator (or IT staff) to keep and reuse audits going forward. I would see this as extremely useful to keep remote server audits saved to ensure that they are easy to access without needing to constantly know the path to the file, which can save a bit of time in the use of the product.
FileAudit's main application window
Scheduling scans of Windows event logs
There are some limitations within FileAudit that may skew results a bit. In digging through the help file for the application, I found a section about known issues and one of these issues makes sense to list here. Some files allow shell access by certain applications, which may be seen as an access attempt within FileAudit. The example given was a zip file when WinZip is installed on the target machine. When someone highlights or selects a zip file and WinZip is installed, behind the scenes WinZip counts to determine the number of files within the selected archive. This can appear in FileAudit results because WinZip looked at the file. This should be something that can be filtered out or at least tagged in the display or reporting so the individual reading the results is aware of it. Not a deal breaker by any means, just something to be aware of.
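The review does not show how FileAudit works internally, so the following is an added example (not IS Decisions' code) of the general approach described above: reading file-access events from the Security log, filtering by path and user, and tagging accesses made by a shell helper such as WinZip rather than counting them as user activity. It assumes events exported as XML with event ID 4663 (the object-access event on Windows Vista/Server 2008 and later); the sample events, process paths and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Low-order file access rights carried in the AccessMask field of event 4663.
ACCESS_BITS = {0x1: "read", 0x2: "write", 0x4: "append", 0x10000: "delete"}

def _event(user, path, proc, mask):
    """Build one constructed 4663 record in the exported event XML layout."""
    fields = {"SubjectUserName": user, "ObjectName": path,
              "ProcessName": proc, "AccessMask": mask}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4663</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample data, not taken from a real system.
SAMPLE = "<Events>" + "".join([
    _event("alice", r"D:\share\plans.zip", r"C:\Program Files\WinZip\WINZIP32.EXE", "0x1"),
    _event("bob", r"D:\share\plans.zip", r"C:\Windows\explorer.exe", "0x10000"),
    _event("bob", r"D:\other\notes.txt", r"C:\Windows\notepad.exe", "0x2"),
]) + "</Events>"

def file_accesses(xml_text, path_prefix, user=None, shell_handlers=("winzip32.exe",)):
    """Return 4663 accesses under path_prefix, tagging likely shell-handler noise."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4663":
            continue
        d = {n.get("Name"): n.text or "" for n in ev.findall("e:EventData/e:Data", NS)}
        path, who = d.get("ObjectName", ""), d.get("SubjectUserName", "")
        if not path.lower().startswith(path_prefix.lower()):
            continue
        if user and who.lower() != user.lower():
            continue
        mask = int(d.get("AccessMask", "0x0"), 16)
        rows.append({
            "user": who,
            "path": path,
            "actions": [name for bit, name in ACCESS_BITS.items() if mask & bit],
            # Tag, rather than drop, accesses made by an archive/shell helper process.
            "shell_noise": d.get("ProcessName", "").lower().endswith(tuple(shell_handlers)),
        })
    return rows

if __name__ == "__main__":
    for row in file_accesses(SAMPLE, r"D:\share"):
        print(row)
```

Tagging instead of dropping keeps the record available to the person reading the report while making clear that the read came from a helper process.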
- GFI Event Manager
- ScriptLogic File System Auditor
Bottom line for business
Keeping tabs on events in Windows as a whole can be quite the chore for an organization's IT staff, let alone figuring out what happened to a particular file. Being proactive about being able to track these actions down quickly frees up staff to work on other tasks or projects that go along with top end support of both business and the organization's users.