FSA 2 5 Getting Started

ScriptLogic File System Auditor Agent Configuration Getting Started Guide
FILE SYSTEM AUDITOR
II
2011byScriptLogicCorporation Allrightsreserved. ThispublicationisprotectedbycopyrightandallrightsarereservedbyScriptLogicCorporation.It maynot,inwholeorpart,becopied,photocopied,reproduced,translated,orreducedtoany electronicmediumormachinereadableformwithoutpriorconsent,inwriting,fromScriptLogic Corporation.ThispublicationsupportsFileSystemAuditor2.x.Itispossiblethatitmaycontain technicalortypographicalerrors.ScriptLogicCorporationprovidesthispublicationasis,without warrantyofanykind,eitherexpressedorimplied. ScriptLogicCorporation 6000BrokenSoundParkwayNW BocaRaton,Florida334872742 1.561.886.2400 www.scriptlogic.com TrademarkAcknowledgements: FileSystemAuditorandScriptLogicareregisteredtrademarksofScriptLogicCorporationinthe UnitedStatesand/orothercountries. Thenamesofothercompaniesandproductsmentionedhereinmaybethetrademarksoftheir respectiveowners.
UPDATED 1 FEBRUARY 2011
II
FILE SYSTEM AUDITOR
III
DOCUMENTATION CONVENTIONS
Typeface Conventions
Bold
Indicates a button, menu selection, tab, dialog box title, text to type, selections from drop-down lists, or prompts on a dialog box.
CONTACTING SCRIPTLOGIC
ScriptLogicmaybecontactedaboutanyquestions,problemsorconcernsyoumighthave at:
ScriptLogic Corporation 6000 Broken Sound Parkway NW Boca Raton, Florida 33487-2742 561.886.2400 Sales and General Inquiries 561.886.2450 Technical Support 561.886.2499 Fax
www.scriptlogic.com
SCRIPTLOGIC ON THE WEB

ScriptLogiccanbefoundonthewebatwww.scriptlogic.com.Ourwebsiteoffers customersavarietyofinformation: Downloadproductupdates,patchesand/orevaluationproducts. Locateproductinformationandtechnicaldetails. FindoutaboutProductPricing. SearchtheKnowledgeBaseforTechnicalNotescontaininganextensivecollectionof technicalarticles,troubleshootingtipsandwhitepapers. SearchFrequentlyAskedQuestions,fortheanswerstothemostcommonnon technicalissues. ParticipateinDiscussionForumstodiscussproblemsorideaswithotherusersand ScriptLogicrepresentatives.
III
FILE SYSTEM AUDITOR
IV
Contents
WHAT IS FILE SYSTEM AUDITOR?........................................................................................................................1 INSTALLING FILE SYSTEM AUDITOR ....................................................................................................................2 MINIMUM SYSTEM REQUIREMENTS ....................................................................................................................3 Supported Management Platforms .................................................................................................................3 Export Requirements ......................................................................................................................................3 Support for iSCSI disks...................................................................................................................................3 BEFORE YOU BEGIN ............................................................................................................................................4 User Privilege Requirements..........................................................................................................................4 INSTALLING FILE SYSTEM AUDITOR ...................................................................................................................4 STARTING FILE SYSTEM AUDITOR ......................................................................................................................8 Applying a License File ..................................................................................................................................8 Evaluating the Product...................................................................................................................................9 CONFIGURING FILE SYSTEM AUDITOR...............................................................................................................10 STARTING THE AGENT CONFIGURATION CONSOLE ...........................................................................................10 EXAMINING THE AGENT CONFIGURATION CONSOLE START PAGE ....................................................................10 UPGRADING THE AUDIT AGENT ........................................................................................................................13 CREATING AN AUDIT DATABASE ......................................................................................................................14 ADDING FILE SERVERS ......................................................................................................................................14 STOPPING AND STARTING THE AUDIT AGENT ...................................................................................................22 SETTING PATH FILTERS .....................................................................................................................................23 SETTING PROCESS EXCLUSION FILTERS ............................................................................................................27 SETTING USER EXCLUSION FILTERS ..................................................................................................................29 CHANGING DATABASE SETTINGS ......................................................................................................................31 CHANGING ADVANCED SETTINGS .....................................................................................................................32 SETTING DEFAULT FILTERS...............................................................................................................................33 USING THE REAL TIME VIEWER .........................................................................................................................35 PURGING THE AUDIT DATABASE.........................................................................................................................36 PURGING DATA FROM THE COMMAND LINE......................................................................................................43 Using Interactive Mode ................................................................................................................................44 MANAGING THE AUDITING DATABASE ...............................................................................................................45 STARTING THE DATABASE WIZARD ..................................................................................................................45 CREATING A NEW DATABASE ...........................................................................................................................47 REMOVING AN EXISTING DATABASE.................................................................................................................49 INCREASING DATABASE SIZE ............................................................................................................................49 SHRINKING A DATABASE...................................................................................................................................50 RUNNING AN SQL SCRIPT .................................................................................................................................52 VIEWING DATABASE STATISTICS ......................................................................................................................52 ATTACHING A DATABASE .................................................................................................................................53 DETACHING A DATABASE .................................................................................................................................54 TRUNCATING THE TRANSACTION LOG ..............................................................................................................55 CHANGING THE SECURITY MODE ......................................................................................................................55 SETTING THE SA PASSWORD .............................................................................................................................56 SAVING CONNECTION INFORMATION ................................................................................................................57 PERFORMING DATABASE MAINTENANCE ..........................................................................................................58 RESETTING DATABASE SECURITY .....................................................................................................................59 MOVING A DATABASE TO ANOTHER SERVER ....................................................................................................60
IV
FILE SYSTEM AUDITOR
TROUBLESHOOTING ............................................................................................................................................61 REMOVING A FILE SERVER ................................................................................................................................62 UNINSTALLING THE AUDIT AGENT ...................................................................................................................62 UNINSTALLING FILE SYSTEM AUDITOR ............................................................................................................63 AUDIT DATABASE SCHEMA .................................................................................................................................64 STORED PROCEDURES .........................................................................................................................................65 INDEX ...................................................................................................................................................................67
FILE SYSTEM AUDITOR
WhatisFileSystemAuditor?
TheScriptLogicFileSystemAuditor,auniquesolutionforrecordingWindowsfileserver activity,allowsadministratorstoauditfileaccess,generateeasytounderstandreports, andcreatealertstiedtofilesystemevents.Idealforprotectingconfidentialorsensitive data,FileSystemAuditorassistsincompliancereportingbycreatinganaudittrailoffile activityonpatientrecords,financialreports,orothersensitiveinformation. FileSystemAuditorassistsinsecuritymanagementbysendingemailalertsorsavingthe reporttoafilesharewheneverspecificfilesystemeventsoccur,suchasfailedaccess attempts,ormodificationsofaparticularsetoffilesandfolders.
FILE SYSTEM AUDITOR
InstallingFileSystemAuditor
TherearetwocomponentstoFileSystemAuditor:theAgentConfigurationConsoleand theReportingConsole.FromtheAgentConfigurationConsole,youcanremotelyinstall theFileSystemAuditorAgentonsystemstobeaudited.TheAgentconsistsofafile systemdriverandaservice.YoucaninstalljusttheReportingConsoleonsystemstobe usedforreportgeneration. SQL2000,SQL2005,andSQL2008databaseinstances(defaultandnamed)are supported,includingSQL2005Express.
FILE SYSTEM AUDITOR
MINIMUM SYSTEM REQUIREMENTS

IntelPentiumIIIorhigherprocessor 512MBRAM 50MBfreeharddiskspaceforinstallation 100MBfreeharddiskspaceforthedatabase
Supported Management Platforms

Agent Configuration and Report Configuration Consoles Note:Microsoft.NETFramework2isrequiredontheAgentConfigurationandReport ConfigurationConsoles. Windows2000SP4withUpdateRollup1:Professional,Server WindowsXPProfessionalwithSP2 WindowsServer2003FamilywithSP1 WindowsVista WindowsServer2008FamilyincludingR2 Windows7 Agent WindowsServer2000SP4withUpdateRollup1 WindowsServer2003familywithSP1 WindowsServer2008Family,includingR2andServerCore
Export Requirements
MicrosoftSQLServer2000,MicrosoftSQLServer2005,MicrosoftSQLServer2008, MicrosoftSQLServer2008R2,andDataAccessComponents(MDAC)2.7
Support for iSCSI disks

FileSystemAuditor2issupportedoniSCSItargetdisksusingMicrosoftiSCSISoftware InitiatorVersion2.06(build3497).Ifyouareusinganearlierversionofthissoftwareand areexperiencingissuesauditinganiSCSItargetdiskwithFileSystemAuditor2,upgrade tothelatestversionoftheMicrosoftiSCSISoftwareInitiator,whichyoucanfindatthe MicrosoftDownloadCenter:http://www.microsoft.com/downloads/
FILE SYSTEM AUDITOR
BEFORE YOU BEGIN

DownloadthelatestversionoftheFileSystemAuditorprogramfromtheScriptLogic Website:http://www.scriptlogic.com/support
User Privilege Requirements

InordertoinstallandconfigureFileSystemAuditor,ausermustholdadministrative rights.
INSTALLING FILE SYSTEM AUDITOR

Duringtheinstallprocess,youcanchoosetoinstalltheAgentConfigurationConsole and/ortheReportConfigurationConsole.AftertheAgentConfigurationConsoleis installed,youcanremotelyinstalltheFileSystemAuditorAgentonthosecomputersyou wanttoaudit.InstalltheReportConfigurationConsoleonthosecomputerswhoseusers needtogeneratereports. 1. DoubleclicktheFSASetup.msifile.TheWelcomepageopens.
FILE SYSTEM AUDITOR
2.
ClickNext.TheLicenseAgreementpageopens.
3. SelecttheIacceptthetermsintheLicenseAgreementcheckbox,andthen clickNext.TheCustomSetuppageopens.
FILE SYSTEM AUDITOR
Note:Bydefault,boththeAgentConfigurationConsoleandtheReport ConfigurationConsoleareinstalled.IfyouwanttoinstalljusttheReport ConfigurationConsole,opentheAgentConfigurationConsolelist,andthenchoose Entirefeaturewillbeunavailable.
To: Return the selections to the default Change the location of the program files Click:
The Change Current Destination Folder page opens. Choose a new location for the installation directory.
See if there is enough space to install the programs
The Disk Requirements page shows the disk space available on the drive displayed in the Install to area.
FILE SYSTEM AUDITOR
4.
ClickNext.TheReadytoinstallpageopens.
5. ClickNext.Theinstallationprocessbegins.Whentheprocessiscomplete,the Completedpageopens.
6. ClickFinish.
FILE SYSTEM AUDITOR
STARTING FILE SYSTEM AUDITOR

ClickStart,pointtoPrograms ScriptLogicCorporation FileSystemAuditor2,and thenselectoneofthefollowingoptions:
Option Agent Configuration Console Database Wizard FSA Getting Started Guide (PDF) FSA User Guide (PDF) Report Configuration Console Real Time Viewer Description Configure File System Auditor for data collection. See Configuring File System Auditor. Create and manage the auditing database[s]. See Managing the Audit Database. Opens the installation and configuration document for the Agent Configuration Console. Opens the user guide for the Report Configuration Console. Filter and report on data in the auditing database. See the File System Auditor Report Configuration User Guide. View data in the audit database in real-time. See Starting the Real Time Viewer.
EachtimeyourunFileSystemAuditororFileSystemAuditReporter,youwillbe greetedbythesplashscreen,whichdisplaystheinitializationoftheprogramandthe versionnumber.
Applying a License File

ThefirsttimeyoustartFileSystemAuditor,youseetheNewInstallationbox,which allowsyoutoapplyalicensefileorevaluatetheproductwithoutalicense,aswellas contactScriptLogicCorporationandvisitourwebsiteforfurtherinformation. FileSystemAuditorrequiresavalidlicensefileinordertofunctionproperly.Ifyouhave acompanylicensefileorwereprovidedwithanevaluationortemporarylicensefile,you mustenterthelocationandfilenameintheLicenseFilebox.
FILE SYSTEM AUDITOR
Thelicensefileisapproximately1KBinsizeandhasa.licfileextension.YourSales AccountExecutiveorLicensingSpecialistshouldhavesentthisfiletoyouasanemail attachment. Click tolocatethelicensefile,andthenclick .
Evaluating the Product

Note:ThefullandevaluationversionsofFileSystemAuditorareidentical.Thelicense fileisthesoledeterminantofprogramfunctionality.Theevaluationperiodis30days andlimitedto2servers. Ifyouareevaluatingthesoftwareandwouldliketousethepresetvaluesforthe numberoflicenses,objects,andevaluationdays,click .
To: Start the evaluation version Exit Go to the ScriptLogic web site Apply a License File Click:
FILE SYSTEM AUDITOR
10
ConfiguringFileSystemAuditor
TheFileServiceAuditorAgentConfigurationConsoleenablesyoutomanagethedata thatgoesintotheauditingdatabase.Onlythedatathatresidesintheauditingdatabaseis availabletotheFileSystemAuditorconsoleforreporting. BeforeFileSystemAuditorcanbegintocollectdata,youmustdefineapathandchoose thetypesofeventstomonitor.Tomanagethenumberofeventsthatarecollected,you canspecifytoincludeorexcludecertainfiletypes,orexcludecertainprocessesfromthe collection.Lastly,youcanspecifyalengthoftimeduringwhichduplicateeventsare suppressedfromthelist,whichalsohelpsmanagetheamountofdatacollected.
STARTING THE AGENT CONFIGURATION CONSOLE

ClickStart,pointtoPrograms ScriptLogicCorporation FileSystemAuditor2,and thenchooseAgentConfigurationConsole. Eachtimeyouruntheprogramyouwillbegreetedbythesplashscreen,whichdisplays theinitializationoftheprogramandtheversioninformation.
EXAMINING THE AGENT CONFIGURATION CONSOLE START PAGE

IfthisisthefirsttimeyouhaveinstalledFileSystemAuditor,theConfigurationConsole StartPagedisplays.TosetupFileSystemAuditor,youmustaddatleastonefileserver andcreateanauditingdatabase.
10
FILE SYSTEM AUDITOR
11
Option Add File Servers Run Database Wizard Purge Audit Log Modify Application Preferences Display Help Launch Reporting Console
Description Add file servers. See Adding File Servers. Create and manage auditing databases. See Starting the Database Wizard. Purge selected data from an auditing database. See Purging the Audit Database. Create and manage default filters. See Setting Default Filters Display online help. Open the File System Audit Report Configuration Console where you can produce reports based on the data in the auditing database. See the File System Auditor Report Configuration User Guide.
Tool Bar
Icon Description Add file servers. See Adding File Servers. Remove selected file servers. Start the auditing process. Stop the auditing process. Refresh the display. Open the File System Audit Report Configuration Console where you can produce reports based on the data in the auditing database. See the File System Auditor Report Configuration User Guide. Upgrade the Audit Agent from a previous installation of File System Auditor. See Upgrading the Audit Agent. Display the Start Page. Access online help
Menus
Menu Option Add File Servers Remove File Server Exit Menu Option Start Page
Description Add file servers. See Adding File Servers. Remove selected file servers. Close File System Auditor. Description Display the Start Page.
11
FILE SYSTEM AUDITOR
12
Menu Option Start Auditing Stop Auditing Refresh Menu Option Database Wizard Purge Audit Log Report Configuration
Description Start the auditing process. Stop the auditing process. Refresh the display. Description Create and manage auditing databases. See Starting the Database Wizard. Purge selected data from an auditing database. See Purging the Audit Database. Open the File System Audit Report Configuration Console where you can produce reports based on the data in the auditing database. See the File System Auditor Report Configuration User Guide. Create and manage default filters. See Setting Default Filters. Description Access online help View information about the version of File System Auditor installed on your computer, to apply a license file, or to visit the ScriptLogic website.
Preferences
Menu Option Help Contents About ScriptLogic File System Auditor
12
FILE SYSTEM AUDITOR
13
UPGRADING THE AUDIT AGENT

Note:IfyouareinstallingFileSystemAuditorforthefirsttime,proceedtoCreatingan AuditDatabase. Ifyouareupdatingfromapreviousversion,youneedtoupgradetheAuditAgent followingtheinstallationofthelatestversionofFileSystemAuditor. AfterstartingFileSystemAuditor,youseeyourfileserverslistedwithanoticethatthe Agentneedstobeupgraded.
1. Selectthefileserver,andthenclick .Awarningmessagedisplays.
2. Toupgradetheagent,clickYes.
3. ClickClose.
13
FILE SYSTEM AUDITOR
14
CREATING AN AUDIT DATABASE

Important:FileSystemAuditorrequiresaninstanceofMicrosoftSQLServer. Important:Youmustcreateanauditingdatabasebeforeyoucanperformanytasksusing FileSystemAuditor. ThereareseveralmethodsthatyoucanchoosetostarttheDatabaseWizardwhereyou cancreateanauditdatabase. ClickStart,pointtoPrograms ScriptLogicCorporation FileSystemAuditor2, andthenchooseDatabaseWizard. ClickRunDatabaseWizardontheAgentConfigurationConsoleStartPage. ChooseDatabaseWizardfromtheToolsmenuontheAgentConfigurationConsole StartPage. SeeCreatingaNewDatabaseintheDatabaseWizardchapter. Note:YoualsohaveanopportunitytoaccesstheDatabaseWizardtocreateadatabase duringtheprocessofaddingfileservers.SeeAddingFileServers.
ADDING FILE SERVERS

Toauditacomputer,youmustaddittothelistoffileservers.Duringtheprocess,the AuditAgentisinstalledonthetargetcomputers,theconnectiontotheAuditDatabaseis established,andyoucandefinefilterstomanagethedatathatiscollected. 1. Click .Alternatively,chooseAddFileServersfromtheFilemenuor clickAddFileServersontheAgentConfigurationConsoleStartPage.TheAdd FileServerWizardopens.
14
FILE SYSTEM AUDITOR
15
2.
ClickNext.TheSelectfileserverspageopens.
3. Click .TheAddFileServerspageopens.
15
FILE SYSTEM AUDITOR
16
4.
IntheFileServerorCluster/NodeNamesbox,typethenamesofthefileserversor clusterserversseparatedwithcommas,orclick andchoosethe servers. Note:YoucannotselectvirtualclusterserversfromtheActiveDirectoryObject Picker.Youmusttypethenamesinthebox.
5. ClickOK.Theservername(s)displaysintheComputerNamecolumnandthe AgentActioncolumnindicatestheAuditAgentwillbeinstalled.
16
FILE SYSTEM AUDITOR
17
6.
ClickNext.TheChoosedatabaseandsetauthenticationpageopens.
a. FromtheSQLServerInstancelist,selectthenameoftheserverwherethe auditingdatabaseresides.
b. FromtheDatabaseNamelist,selectthenameoftheauditingdatabase. c. ChoosewhethertouseWindowsorSQLServerauthentication.
d. IntheUsernamebox,typethennameoftheaccountwiththepermissions necessarytowritetotheauditingdatabase,orclick to selectanaccount. e. InthePasswordandConfirmPasswordboxes,typethepasswordforthe accountyouselected.
17
FILE SYSTEM AUDITOR
18
7.
ClickNext.TheSelectfilterspageliststheserversyouadded. OntheSelectfilterspage,youcandefinefiltersthatwillincludeorexcludeitems fromtheauditingprocess.Oninitialinstallation,youmaywanttoacceptthedefault settingsasyoucandefinefiltersonceinstallationiscomplete.
Use settings for all file servers
Bydefault,thefiltersthatyouaddhereapplytoallthefileserversinthelist.Ifyou wanttodefinefiltersseparatelyforeachserver,clearthecheckbox. Path Filters

Add all public shares as path filters
Bydefault,allpublicsharesareaddedaspathfilters.Ifyouwanttoadddifferent pathfilters,cleartheUsesettingsforallfileserverscheckbox,andthenclearthis checkbox. Youcanspecifyspecificfolderstoincludeorfilteroutanyfoldersyoudonotwantto includeinthedata.Inaddition,youcanspecifyspecificeventsandfilestoincludeor exclude.SeeStoppingandStartingtheAuditAgent. Process Exclusion Filters SeeSettingProcessExclusionFilters. User Exclusion Filters SeeSettingUserExclusionFilters.
18
FILE SYSTEM AUDITOR
19
8.
ClickNext.TheSetadvancedinstalloptionspageopens.
Advanced Options Duplicate entry and suppression delta (seconds)
Bydefault,duplicateentriesthatoccurwithin10secondsofeachotherare suppressed.Onlythefirstentryappearsintheeventlist.Youcanincreasethisvalue toreducethelengthoftheeventlist.Changesapplytoneweventcollectiononly. Existingdataisnotaffected.

Rename-and-delete pattern detection
Insomesoftwareapplications,whensavingafile,insteadofoverwritingtheoriginal file,theapplicationsavestoatemporaryfile,renamestheoriginalfile,renamesthe temporaryfiletothecurrentfilename,andthendeletesthetemporaryfile.This processoccurssoyoucanrecovertheoriginalfile.Bydefault,FileSystemAuditor detectsthisbehaviorandlogsitinthedatabaseasafilemodificationonthefileyou wereediting,ratherthanasarenameanddeleteprocess.Todisablethisdetection, selectthecheckbox.

Capture file share events (Create, Modify, Delete)
IfyouarerunningWindowsServer2003orlater,fileshareeventsareincludedinthe datacollectionbydefault.Todisablethisfeature,clearthecheckbox.
Agent Start Options Start agent(s) immediately after install
Bydefault,theagentsarestartedafterinstallationiscomplete.
Only install agents. User will start agents later
Selecttoinstallagentsonly.Tostarttheagentsafterinstallation,seeStoppingand StartingtheAuditAgent.
19
FILE SYSTEM AUDITOR
20
9.
ClickNext.TheSummarypagedisplaystheselectionsyoumade.
Button Description Print the summary information. Save the summary information to a file.
10. ClickFinish.
11. ClickClose.
20
FILE SYSTEM AUDITOR
21
Themainwindowdisplaysthefileserversthatyouinstalled.Youcanselecteach serverindividuallytoviewinformationandtocreatefilters.
TheDatabaseSettingsareadisplaysinformationabouttheSQLServerInstance andtheauditingdatabase.SeeChangingDatabaseSettings, TheAdvancedSettingsareadisplaysthechoicesmadeduringinstallationofthe fileserver.SeeChangingAdvancedSettings. TheHealthStatusareashowsthestatusoftheFileServer,Agent,andAudit Database. Note:Youmayneedtoclick torefreshthestatus.Alternatively,choose RefreshfromtheServermenu. TheFiltersareacontainsthreetabs.Youhadtheoptiontoaddfiltersduringthe processofaddingafilter.Ifyouchosetobypassthatstep,youcanaddthem now,orifyoudidaddfilters,youcaneditorremovethem. SeeSettingPathFilters SeeSettingProcessExclusionFilters SeeSettingUserExclusionFilters
21
FILE SYSTEM AUDITOR
22
STOPPING AND STARTING THE AUDIT AGENT

TostoptheAuditAgent,click Servermenu. .Alternatively,chooseStopAuditingfromthe
TostartastoppedAuditAgent,click AuditingfromtheServermenu. .Alternatively,chooseStart
22
FILE SYSTEM AUDITOR
23
SETTING PATH FILTERS

Youcanspecifyspecificfoldersorfilestoincludeorfilteroutanyfoldersorfilesyoudo notwanttoincludeinthedata. Note:IfyouarerunningWindowsServer2003orlater,fileshareevents(Create,Modify, andDelete)areincludedinthedatacollectionbydefault.Todisablethisfeature,see ChangingAdvancedSettings. 1. OpenthePathFilterstabtodisplaythecurrentfilters.
Button Description Add a new filter Remove selected filters Edit the selected filter
2. 3.
Click
.TheCreateNewAuditingFilterboxopens.
IntheFolder/FileWildcardbox,typethepathtowhichtoapplythefilter,orclick tolocateafolder.Youcanusethe*wildcardwhentypingthepath.
23
FILE SYSTEM AUDITOR
24
Ifyouclick ,theSelectRemotePathboxopens.Doubleclickaselectiontobuild thepathintheFolderpathbox.
Whenthepathiscomplete,clickSelect.
4. IntheInclude/ExcludeFileSystemEventsarea,selectthefileandfoldereventsthatyou wanttoincludeorexcludefromthepath.Bydefault,alleventsareselected.
Events Affecting Files Events Affecting Folders
Note:ProtectedPermissionsarethosewheretheparentpermissionsdonotapplyto thechildobjects.UnprotectedPermissionsarethosewheretheparentpermissionsdo applytothechildobjects.
24
FILE SYSTEM AUDITOR
25
Note:Youcanselecttoincludeorexcludeevents,butnotbothinthesamefilter. Createseparatefilterstoincludeandexcludeevents. Important:UsecautionifincludingFileReadorFileAccessDenied(Opening/ Modifying)eventsasthenumberofeventsrecordedbyFileSystemAuditormay overwhelmtheauditingdatabase.AnyfocusonafileinWindowsExplorer,suchas amouseoverorusingthearrowkeystoscrollthroughthedirectory,causesaFile ReadeventinFileSystemAuditoriftheuserhasaccesstothefile(s).Iftheuserdoes nothaveaccesstothefile(s),FileSystemAuditorrecordsaFileAccessDenied (Opening/Modifying)event. IfyouneedtoincludetheFileReadorFileAccessDenied(Opening/Modifying) events,restrictthepathtoaminimumnumberoffiles/folders,andtoeliminatefalse positives,makesureyouhaveWindowsAccessBasedEnumeration(availablewith WindowsServer2003ServicePack1)enabledandoperational. Note:SomeapplicationsgenerateaFileReadeventonlywhenafileisopenedfor thefirsttime.Ifthefileisopenedagain,theapplicationmaypullfromamemory cacheandnotfromthedisk.SinceFileSystemAuditorwatcheseventsgoingto NTFS,ifanapplicationpullsafilefromamemorycacheandnevercallsNTFS,aFile Readeventisnotlogged.Ifanotheruseropensthatsamefileforthefirsttime,that FileReadeventislogged. 5. IntheInclude/ExcludeFileMasksarea,youcanspecifyfilestoincludeorexclude. Toaddamask,clickAddintheappropriatearea.TheAddIncludedFileMaskor AddExcludedFileMaskboxappears.Typethemaskintheboxusingwildcardsas needed,andthenclickOK. Note:Toincludeorexcludeeventsforfilesthathavenoextension,type*.(asterisk, dot).Ifyouthenrenameafilewithoutanextensiontoafilenamewithanextension, youwillseetheeventbecauseitshowsupforthefilenamewiththeextension.
Include Mask Exclude Mask
25
FILE SYSTEM AUDITOR
26
TheCreateNewAuditingFilterboxdisplaystheselections.
Toremoveaselectedfilemask,clickRemoveintheappropriatearea. 6. ClickOK.ThePathFilterstabdisplaysthefilter.TheEventslistdisplaystheFile Eventsfirstinthelist,andthentheFolderEvents. Eventsincludedinthefilterareindicatedwith . .
Eventsexcludedfromthefilterareindicatedwith
Toeditaselectedpathfilter,click Todeleteselectedpathfilters,click ordoubleclickthepathfilter. .
26
FILE SYSTEM AUDITOR
27
SETTING PROCESS EXCLUSION FILTERS

Bydefault,allprocessesareincludedintheeventcollection.Youcanexcludespecific processesfromtheeventcollection. 1. OpentheProcessExclusionFilterstabtodisplaythecurrentfilters.
Button Description Add a new filter Remove selected filters Edit a selected filter Add filters that exclude all events for the following processes: abackup.exe cavtray.exe cobbu.exe fsm32.exe mcshield.exe msssrv.exe navapw32.exe ntbackup.exe NtrsScan.exe rbserv.exe rtvscan.exe savscan.exe slase.exe slfsasvc.exe spybotsd.exe spysweeper.exe webscanx.exe winbackup.exe ws_rep.exe
2. 3.
Click .TheProcessExclusionFilterboxliststheeventsyoucanchooseto excludefromtheprocess.Bydefault,alleventsareselected. IntheProcessNamebox,typethenameoftheprocess,usingwildcardsasneeded.
27
FILE SYSTEM AUDITOR
28
4.
IntheExcludeFileSystemEventsarea,selectthefileandfoldereventsthatyou wanttoexcludefromtheprocess.
5.
ClickOK.TheProcessExclusionFilterstabdisplaysthefilter.TheEventslist displaystheFileEventsfirstinthelist,andthentheFolderEvents. Eventsincludedinthefilterareindicatedwith . .
Toeditaselectedprocessexclusionfilter,click Todeleteselectedprocessexclusionfilters,click ordoubleclickthefilter. .
28
FILE SYSTEM AUDITOR
29
SETTING USER EXCLUSION FILTERS

Bydefault,allusersareincludedintheeventcollection.Youcanexcludespecificusers fromtheeventcollection. 1. OpentheUserExclusionFilterstabtodisplaythecurrentfilters.
Button Description Add a new filter Remove selected filters Edit the selected filter
2.
Click .TheUserExclusionFilterboxappears.IntheUserNamebox,typea username,orclick tolocateausername.Youcanusethe*wildcardwhentyping theusername. IntheExcludeFileSystemEventsarea,selectthefileandfoldereventsthatyou wanttoexcludefortheselecteduser.

3.
29
FILE SYSTEM AUDITOR
30
4.
ClickOK.TheUserExclusionFilterstabdisplaysthefilter.TheEventslistdisplays theFileEventsfirstinthelist,andthentheFolderEvents. Eventsincludedinthefilterareindicatedwith . .
Toeditaselecteduserexclusionfilter,click Todeleteselecteduserexclusionfilters,click ordoubleclickthefilter. .
30
FILE SYSTEM AUDITOR
31
CHANGING DATABASE SETTINGS

TheServerConfigurationareafortheselectedserverdisplaysthedatabasebeingused tocollecttheevents.Youcanchangetoadifferentdatabase,changethedatabase authentication,orchangetheaccountusedtowritetothedatabase.
Tochangeanydatabasesettings,clickChangedatabasesettingsintheServer Configurationareafortheselectedserver.TheAgentInformationboxdisplaysthe currentdatabasesettings.Makeanynecessarychanges,andthenclickOK. Note:Youcancreateanewdatabase,ifnecessary,byclickingRunthedatabasewizardto createanFSAdatabase.
31
FILE SYSTEM AUDITOR
32
CHANGING ADVANCED SETTINGS

Bydefault,theDuplicateentryandsuppressiondeltaissetto10seconds,andRename anddeletepatterndetectionandCapturefileshareeventsareturnedon.
Tochangetheadvancedsettings,clickChangeadvancedsettingsintheServer Configurationareaforaselectedfileserver.TheAdvancedSettingsboxdisplaysthe currentsettings.
Duplicate entry and suppression delta (seconds)
Bydefault,duplicateentriesthatoccurwithin10secondsofeachotheraresuppressed. Onlythefirstentryappearsintheeventlist.Youcanincreasethisvaluetoreducethe lengthoftheeventlist.Changesapplytoneweventcollectiononly.Existingdataisnot affected.

Rename-and-delete pattern detection
Insomesoftwareapplications,whensavingafile,insteadofoverwritingtheoriginalfile, theapplicationsavestoatemporaryfile,renamestheoriginalfile,renamesthe temporaryfiletothecurrentfilename,andthendeletesthetemporaryfile.Thisprocess occurssoyoucanrecovertheoriginalfile.Bydefault,FileSystemAuditordetectsthis behaviorandlogsitinthedatabaseasafilemodificationonthefileyouwereediting, ratherthanasarenameanddeleteprocess.Todisablethisdetection,clearthecheckbox.

Capture file share events (Create, Modify, Delete)
IfyouarerunningWindowsServer2003orlater,fileshareeventsareincludedinthe datacollectionbydefault.Todisablethisfeature,clearthecheckbox.
32
FILE SYSTEM AUDITOR
33
SETTING DEFAULT FILTERS

Whenaddingfileservers,userscanchoosetoadddefaultprocessexclusionfilters.You candeterminetheprocessesintheexclusionfilter 1. ChoosePreferencesfromtheToolsmenu.TheAuditingPreferencesboxdisplays thedefaultfilters.
Ask user if default process exclusion filters should be used
Bydefault,theuserisaskedtoincludethedefaultprocessexclusionfilterswhen addingafileserver.Ifyouwanttosuppressthedisplayofthismessagebox,clearthe checkbox.
33
FILE SYSTEM AUDITOR
34
Add default process exclusion filters to new file servers
Toactivatethischeckbox,cleartheAskuserifdefaultprocessexclusionfilters shouldbeusedcheckbox.Bydefault,processexclusionfiltersareaddedtonewfile servers.Clearthecheckboxifyoudonotwantthedefaultfiltersaddedautomatically.

Button Description Add a new filter Edit a selected filter Remove selected filters Return the default filters list to the default:
Default Filters
Process Anti-Virus cavtray.exe fsm32.exe mcshield.exe Navapw32.exe ntrsScan.exe rtvscan.exe savscan.exe webscanx.exe Anti-Spyware mssrv.exe slase.exe spybotsd.exe spysweeper.exe Backup Software abackup.exe cobbu.exe ntbackup.exe rbserv.exe winbackup.exe File Replication ws_rep.exe Auditing Slfsasvc.exe ScriptLogic Corporation File System Auditor ScriptLogic File System Auditor Service Xosoft WANSyncHA Agent Modular Software Cobian Microsoft Mike Lin UniBlue Systems Ltd. aBackup Cobian Backup Windows Backup Rapid Backup WinBackup Webroot Software McAfee ScriptLogic McAfee AntiSpyware Desktop Authority Spybot Search and Destroy SpySweeper Computer Associates McAfee McAfee Symantec Trend Micro Symantec Symantec McAfee Norton Antivirus Agent OfficeScan Antivirus Antivirus Scanner Network Traffic Monitor EZ Antivirus Stinger Real-time Scanner Real-time AV Scanner Manufacturer Product Name Application Name
UPDATED 1 FEBRUARY 2011 34
FILE SYSTEM AUDITOR
35
UsingtheRealTimeViewer
OnceyouhavesetupFileSystemAuditor,youcanusetheRealTimeViewertolookat eventsastheyoccur. Note:YoucannotvieweventsthatoccurpriortothetimeyouopenedtheRealTime EventViewer.Tovieweventsthatoccurredinthepast,usetheReportingConsole.
STARTING THE REAL TIME VIEWER

OnthecomputerwheretheAuditAgentisinstalled,clickStart,pointtoPrograms ScriptLogicCorporation FileSystemAuditor2,andthenselectRealTimeViewer. Eventsstarttodisplayastheyoccur.
Youcansizethecolumnstoviewthecompleteentry,orselectarecordandthenpointto theentry.
Insert Events into List Below (Realtime Viewer only the last 100 events are shown)
Bydefault,eventsbegintoappearinthelistassoonasyouopentheRealTimeViewer. Toturnoffthecaptureofevents,clearthecheckbox.
Menus and Toolbar Icons

Menu Menu Option Exit Icon Description Close the Real Time Event Viewer
Clear List About File System Auditor
Clear the list of events View the copyright information
35
FILE SYSTEM AUDITOR
36
PurgingtheAuditDatabase
ThePurgeDatabaseWizardhelpsyoupurgespecificdatafromtheauditingdatabase. 1. FromtheToolsmenu,choosePurgeAuditLog.Alternatively,clickPurgeAuditLog ontheStartPage.ThePurgeDatabaseWizardopenstotheWelcomepage.
2. ClickNext.TheChoosedatabasepageopens.ChooseaserverfromtheSQLServer Instancelist.ChooseadatabasefromtheDatabaseNamelist.Choosewhetherthe databaseusesWindowsorSQLServerAuthentication.IfyouchooseSQLServer Authentication,typetheusernameandpasswordintheappropriateboxes.
36
FILE SYSTEM AUDITOR
37
3.
ClickNext.TheSelectdata/timerangepageopens.
Delete file system events for the following number of hours
Bydefault,allfilesystemeventsforthepasthouraredeleted.Typeanumberinthe Hoursboxtoincreaseordecreasethetimerange.
Delete file system events between the following times
Selecttochooseadateandtimerange.Clickthecalendartoselectadate.Eithertype orscrollthevaluesinthetimeboxes.
37
FILE SYSTEM AUDITOR
38
4.
ClickNext.TheSelectuserfilterspagedisplaystheusersintheauditdatabase.
Include All Users
Bydefault,allusersareincludedinthepurge.
Include Selected Users
SelecttoactivatetheUsersarea.Selectusersinthelisttoincludeinthepurge.You canalsoaddgroupstoincludeinthepurge.SeeAddingaGroup.
Exclude Selected Users
SelecttoactivatetheUsersarea.Selectusersinthelisttoexcludefromthepurge. Youcanalsoaddgroupstoexcludefromthepurge.SeeAddingaGroup.
38
FILE SYSTEM AUDITOR
39
Adding a Group
a.
TypeagroupnameintheGroupbox.Alternatively,clickSelectagroup,and thensearchforagrouptoadd.
b. ClickAddGroup.Thenamedisplaysinthelist. Toshowaselectedgroupsmembers,clickShowGroupMembers. Toremoveselectedgroupsfromthelist,clickRemoveSelectedGroups.
39
FILE SYSTEM AUDITOR
40
5.
ClickNext.TheSelecteventfilterspagelistsalltheeventspresentintheAudit Database.
Include All Events
Bydefault,alleventsareincludedinthepurge.
Include Selected Events
SelecttoactivatetheEventsarea.Selecteventsinthelisttoincludeinthepurge.
Exclude Selected Events
SelecttoactivatetheEventsarea.Selecteventsinthelisttoexcludefromthepurge.
40
FILE SYSTEM AUDITOR
41
6.
ClickNext.TheProcessesboxliststheprocessesincludedintheauditingdatabase.
Include All Processes
Bydefault,allprocessesareincludedinthepurge.
Include Selected Processes
SelecttoactivatetheProcessesarea.Selectprocessesinthelisttoincludeinthe purge.
Exclude Selected Processes
SelecttoactivatetheProcessesarea.Selectprocessesinthelisttoexcludefromthe purge. 7. ClickNext.TheSelectserverfilterspagedisplaystheserversintheAuditDatabase.
Include All Servers
Bydefault,allserversareincludedinthepurge.
Include Selected Servers
SelecttoactivatetheServersarea.Selectserversinthelisttoincludeinthepurge. UPDATED 1 FEBRUARY 2011 41
FILE SYSTEM AUDITOR
42
Exclude Selected Servers
SelecttoactivatetheServersarea.Selectserversinthelisttoexcludefromthepurge. 8. ClickNext.TheSelectworkstationpagedisplaystheworkstationsintheauditing database.
Include All Workstations
Bydefault,allworkstationsareincludedinthepurge.
Include Selected Workstations
SelecttoactivatetheWorkstationarea.Selectworkstationsinthelisttoincludein thepurge.
Exclude Selected Workstations
SelecttoactivatetheWorkstationsarea.Selectworkstationsinthelisttoexclude fromthepurge. 9. ClickNext.ThePreviewresultspagedisplaystheselectionsyoumade.Thenumber ofeventstobepurgeddisplaysintheEventstobePurgedarea.Toexaminethe actualdata,clickDisplayfirst1000events.
UPDATED 1 FEBRUARY 2011 42
FILE SYSTEM AUDITOR
43
10. ClickPurge.Amessageasksforconfirmation.
11. ClickYestocontinuewiththepurgeprocess.ThePurgeCompleteboxdisplays.
12. ClickClose.
PURGING DATA FROM THE COMMAND LINE

Usage
PurgeData.exe [/? | [/CS="<conn_str>" [/Date="<date>" | /Days="<number_of_days>"]]]
where
/? <conn_str> Display this help message Connection string for DB e.g. "Server=SqlServer1;Database=SLFileAuditor; Integrated Security=SSPI;Asynchronous Processing=true" <date> All events older than the specified date (but not including) are removed from the database. <number_of_days> All events that were happened at least the number of days specified prior to the current date are removed from the database. If 0 specified all the events are removed.
Example
C:\Program Files\ScriptLogic Corporation\File System Auditor 2\PurgeData.exe /CS="Server=VM2K3FSAAGENT\FSA;Database=SLFileAuditor2; Asynchronous Processing=true;Integrated Security=SSPI" /Days=5
43
FILE SYSTEM AUDITOR
44
Using Interactive Mode

RunPurgeData.exewithoutargumentstobegininteractivemode.
C:\Program Files\ScriptLogic Corporation\File System Auditor 2>purgedata.exe FSA Data Purge Tool ===================================================================== Enter the SQL Server Instance:VM2K3FSAAGENT\FSA Enter the Database Name:SLFileAuditor2 Select the SQL Server authentication 1 -- Windows authentication 2 -- SQL Server authentication Enter number, then press (ENTER) to continue (1): 1 Select the events to purge 1 -- All events at least a specific number of days old 2 -- All events older than a given date Enter number, then press (ENTER) to continue (1): 1 You selected to remove all events at least a specific number of days old. Please enter the number of days (10): 5 Preparing to purge data using the following parameters: Purge all events at least 5 days old
Command Line Example

C:\Program Files\ScriptLogic Corporation\File System Auditor 2\PurgeData.exe /CS="Server=VM2K3FSAAGENT\FSA;Database=SLFileAuditor2; Asynchronous Processing=true;Integrated Security=SSPI" /Days=5
44
FILE SYSTEM AUDITOR
45
ManagingtheAuditingDatabase
Important:Youmustcreateanauditingdatabasebeforeyoucanperformanytasksusing FileSystemAuditor.
STARTING THE DATABASE WIZARD

ClickStart,pointtoPrograms ScriptLogicCorporation FileSystemAuditor2, andthenselectDatabaseWizard. ChooseDatabaseWizardfromtheToolsmenuontheAgentConfigurationConsole StartPage.SeeError!Referencesourcenotfound.. TheWelcometotheDatabaseWizardboxappears.
45
FILE SYSTEM AUDITOR
46
ClickNexttodisplaythemainmenu.Whenyouchooseanoperationfromthelist,a briefdescriptiondisplays.
Operation Create New Database Remove Database Increase Database Size Shrink Database Size Run SQL Script View Database Statistics Attach Database Detach Database CheckPoint and Truncate Log Description Create a new database. Remove (drop) an existing database. Increase data and log file size of an existing database. Decrease the data and log file size of an existing database. Run any SQL script. View statistics for an existing database. Attach an existing database. Detach an existing database. Perform a checkpoint operation on the specified database. This checks to see if there are dirty pages in memory that need to be flushed to the hard drive. The log file will be marked accordingly and then a truncate operation will be performed. Change the security mode of a SQL server instance to integrated mode (Windows only) or mixed mode (Windows and SQL Server). Change the current SA login account password for SQL Server. Save the database-related connection information into the registry. Perform several tasks, such as Rebuilding Indexes, Resetting Identity Columns, and Performing Consistency Checks. Reset security related principles, such as roles, logins, and permissions to their default settings.
Change Security Mode
Set SA Password Save Connection Information Perform Database Maintenance
Reset Database Security
46
FILE SYSTEM AUDITOR
47
CREATING A NEW DATABASE

Important:Youmustcreateanauditingdatabasebeforeyoucanperformanytasksusing FileSystemAuditor. 1. 2. 3. 4. FromtheDatabaseWizardMainMenu,selectCreateNewDatabase. ClickNext.TheEstablishConnectionboxappears. IntheSQLServerInstancebox,typethenameoftheserverthatisrunning MicrosoftSQLServer,orclick tolocatetheserver. IntheDatabaseNamebox,typethenameoftheauditingdatabasetocreate.Toview existingdatabasenames,click .
5. ThedefaultselectionforauthenticationisUseWindowsAuthentication.Ifyou selectUseSQLServerAuthentication,typethenameoftheSQLServeruseraccount intheUserNameboxandthepasswordinthePasswordbox.
47
FILE SYSTEM AUDITOR
48
6.
ClickNext.TheEnterDatabaseSettingsboxdisplaysthedefaultinitialsizesforthe database(*.mdf)andlog(*.ldf)files.
File Sizes
Bydefault,thedatabaseandlogfilesarecreatedat50MBeach.Ifyouwantto changethedefault,typeavalueintheappropriatebox.Thedataandlogfilesgrow automaticallystartingfromtheinitialvaluespecifiedhere.Youcanchangethesize ofthedatafileatalatertime.SeeIncreasingDatabaseSize.

Create default security groups
Bydefault,defaultsecuritygroupsarecreatedaslocalgroupsonnondomain controllersonly.Youcanselecttocreatedefaultdomainglobalorlocalgroups.To bypassthecreationofdefaultsecuritygroups,clearthecheckbox.

Override Default File Locations
Selecttocreatethedatabasetransactionlogfilesinalocationotherthanthedefault location,Typethephysicalpathintheappropriateboxes.Expressthepathasa logicalpathandnotasaUNCpath. 7. 8. ClickNext.TheCreateNewDatabaseboxdisplaysthedatabasename. ClickFinish.
48
FILE SYSTEM AUDITOR
49
REMOVING AN EXISTING DATABASE

Caution:Removingadatabasepermanentlyremovesitfromthesystem.Ifyoujustwant todetachthedatabase,seeDetachingaDatabase. Note:Thedatabasecannotbeinuse.ExitFileSystemAuditor,ifnecessary. 1. 2. 3. 4. 5. FromtheDatabaseWizardMainMenu,selectRemoveDatabase. ClickNext.TheEstablishConnectionboxappears. IntheSQLServerInstancebox,typethenameoftheserverwherethedatabaseis located,orclick tolocatetheserver. IntheDatabaseNamebox,typethenameofthedatabase,orclick thedatabase. tolocate
ChoosewhetherWindowsorSQLServerAuthenticationisused.IfyouselectUse SQLServerAuthentication,typethenameoftheSQLServeruseraccountinthe UserNameboxandthepasswordinthePasswordbox. ClickNext.TheRemoveDatabaseboxdisplaysthenameofthedatabaseyouchose. ClickFinish.
6. 7.
INCREASING DATABASE SIZE

MicrosoftSQLServerautomaticallyincreasesthesizeofthedatabasefile,whichcan sometimescauseperformanceissues.Toavoidthis,youmaywanttoincreasethesizeof thedatabasemanually. 1. 2. 3. 4. 5. FromtheDatabaseWizardMainMenu,selectIncreaseDatabaseSize. ClickNext.TheEstablishConnectionboxappears. IntheSQLServerInstancebox,typethenameoftheserverwherethedatabaseis located,orclick tolocatetheserver. IntheDatabaseNamebox,typethenameofthedatabase,orclick thedatabase. tolocate
ChoosewhetherWindowsorSQLServerAuthenticationisused.IfyouselectUse SQLServerAuthentication,typethenameoftheSQLServeruseraccountinthe UserNameboxandthepasswordinthePasswordbox.
49
FILE SYSTEM AUDITOR
50
6.
ClickNext.TheEnterDatabaseSizeboxdisplaysthecurrentcombinedsizeofthe databaseandlogfilesintheTotalDatabaseSizearea.
7. IntheEnterNewDatabaseSizebox,typeanumericvalueinmegabytesthatis greaterthantheexistingvalueandrepresentsthesizeofthedatabasefile. Note:Enterthetotalsizeofthedatabase,nottheadditionalsizeofthedatabase.For example,ifthedatabaseis50MBandyouwanttoaddanother50MB,thenyou wouldenter100asthenewdatabasesize. Note:Thelogfileisnotaffectedbythisprocess. 8. 9. ClickNext.TheIncreaseDatabaseSizeboxdisplaysthedatabaseyouchose. ClickFinish.
SHRINKING A DATABASE
Ifyouneedtoreclaimspace,youcanshrinkthedatabase,whichreducesthesizeofthe databasetotheminimumamountbasedonthesizeofthedata. Note:Anotherdatabasetomonitoristhetempdbdatabase,whichistheworkingarea thatMicrosoftSQLServerusestoprocessqueriesandperformotheractions.Youmight shrinkthetempdbdatabaseperiodicallytoreclaimthediskspacethatisnolonger needed. 1. 2. 3. FromtheDatabaseWizardMainMenu,selectShrinkDatabaseSize. ClickNext.TheEstablishConnectionboxappears. IntheSQLServerInstancebox,typethenameoftheserverwherethedatabaseis located,orclick tolocatetheserver.
50
FILE SYSTEM AUDITOR
51
4. 5.
IntheDatabaseNamebox,typethenameofthedatabase,orclick thedatabase.
tolocate
ChoosewhetherWindowsorSQLServerAuthenticationisused.IfyouselectUse SQLServerAuthentication,typethenameoftheSQLServeruseraccountinthe UserNameboxandthepasswordinthePasswordbox. ClickNext.TheEnterShrinkSettingsboxappears.
6.
7. 8. IntheShrinkPercentagebox,typethepercentagebywhichtoshrinkthedatabase. Bydefault,thedatabaseshrinksby10%. IntheShrinkMethodarea,selectamethodtousewhenshrinkingthedatabase.

Default
Dataattheendofthefileismovedtoearlierinthefile.Fileistruncatedbythevalue intheShrinkPercentagebox.
Empty File
RemovealldatafromthedatabaseandreducethesizebythevalueintheShrink Percentagebox.
No Truncate
Dataattheendofthefileismovedtoearlierinthefile.Databasesizeisreducedby thevalueintheShrinkPercentagebox.
Truncate Only
FileistruncatedbythevalueintheShrinkPercentagebox.Dataisnotmoved. 9. ClickNext.TheShrinkDatabaseboxdisplaysthedatabaseyouchose.
10. ClickFinish.
51
FILE SYSTEM AUDITOR
52
RUNNING AN SQL SCRIPT

1. 2. 3. 4. 5. FromtheDatabaseWizardMainMenu,selectRunSQLScript. ClickNext.TheEstablishConnectionboxappears. IntheSQLServerInstancebox,typethenameoftheserverwherethedatabaseis located,orclick tolocatetheserver. IntheDatabaseNamebox,typethenameofthedatabase,orclick thedatabase. tolocate
ChoosewhetherWindowsorSQLServerAuthenticationisused.IfyouselectUse SQLServerAuthentication,typethenameoftheSQLServeruseraccountinthe UserNameboxandthepasswordinthePasswordbox. ClickNext.TheSelectSQLScriptFileboxappears. IntheFileNamebox,typethefullpathtotheSQLScriptFile(*.sql)orclick locatethefile. to
6. 7.
8. 9. ClickNext.TheRunSQLScriptboxdisplaysthepathtothefileyouchose. ClickFinish.
VIEWING DATABASE STATISTICS

Viewthecurrentdatabasesettingsandstatisticsonthesizeofthedatabaseandeach tableinthedatabase,whichishelpfulfordiagnosingproblemsintheeventthatSQL Serverisnotfunctioningproperly. 1. 2. 3. 4. FromtheDatabaseWizardMainMenu,selectViewDatabaseStatistics. ClickNext.TheEstablishConnectionboxappears. IntheSQLServerInstancebox,typethenameoftheserverwherethedatabaseis located,orclick tolocatetheserver. IntheDatabaseNamebox,typethenameofthedatabase,orclick thedatabase. UPDATED 1 FEBRUARY 2011 tolocate
52
FILE SYSTEM AUDITOR
53
5.
ChoosewhetherWindowsorSQLServerAuthenticationisused.IfyouselectUse SQLServerAuthentication,typethenameoftheSQLServeruseraccountinthe UserNameboxandthepasswordinthePasswordbox. ClickNext.TheViewDatabaseStatisticsboxdisplaysthedatabaseyouchose. ClickFinish.TheDatabaseStatisticsboxdisplaysthedatabasestatistics.
6. 7.
ATTACHING A DATABASE
Whenyoucreateadatabase,itisautomaticallyattachedtoFileSystemAuditor.Ifyou detachadatabase,youcanattachitagaintouseit. 1. 2. 3. 4. 5. FromtheDatabaseWizardMainMenu,selectAttachDatabase. ClickNext.TheEstablishConnectionboxappears. IntheSQLServerInstancebox,typethenameoftheserverwherethedatabaseis located,orclick tolocatetheserver. IntheDatabaseNamebox,typethenameofthedatabase,orclick thedatabase. tolocate
ChoosewhetherWindowsorSQLServerAuthenticationisused.IfyouselectUse SQLServerAuthentication,typethenameoftheSQLServeruseraccountinthe UserNameboxandthepasswordinthePasswordbox. ClickNext.TheSelectDatabaseFileboxappears.
6.
53
FILE SYSTEM AUDITOR
54
7.
IntheFileNamebox,typethefullpathtothedatafileorclick filetoattach.
tolocatethedata
8. 9. ClickNext.TheAttachDatabaseboxdisplaysthedatabaseyouchose. ClickFinish.
DETACHING A DATABASE
DetachingadatabaseremovesitfromFileSystemAuditor,butdoesnotdeleteitfrom thesystem.Topermanentlydeleteadatabase,seeRemovinganExistingDatabase. Note:Thedatabasecannotbeinuse.ExitFileSystemAuditor,ifnecessary. 1. 2. 3. 4. 5. FromtheDatabaseWizardMainMenu,selectDetachDatabase. ClickNext.TheEstablishConnectionboxappears. IntheSQLServerInstancebox,typethenameoftheserverwherethedatabaseis located,orclick tolocatetheserver. IntheDatabaseNamebox,typethenameofthedatabase,orclick thedatabase. tolocate
ChoosewhetherWindowsorSQLServerAuthenticationisused.IfyouselectUse SQLServerAuthentication,typethenameoftheSQLServeruseraccountinthe UserNameboxandthepasswordinthePasswordbox. ClickNext.TheDetachDatabaseboxdisplaysthedatabaseyouchose. ClickFinish.
6. 7.
54
FILE SYSTEM AUDITOR
55
TRUNCATING THE TRANSACTION LOG

Whenatransactionlogbecomesfull,itforcesthedatabasetoexpandit.However,since FileSystemAuditordoesnotusethetransactionlog,andthereisnowaytodisablethe transactionlogforadatabase,youmayneedtoperiodicallytruncatethetransactionlog totelltheSQLServerthatthedataisnolongerneeded. 1. 2. 3. 4. 5. FromtheDatabaseWizardMainMenu,selectCheckpointandTruncateLog. ClickNext.TheEstablishConnectionboxappears. IntheSQLServerInstancebox,typethenameoftheserverwherethedatabaseis located,orclick tolocatetheserver. IntheDatabaseNamebox,typethenameofthedatabase,orclick thedatabase. tolocate
ChoosewhetherWindowsorSQLServerAuthenticationisused.IfyouselectUse SQLServerAuthentication,typethenameoftheSQLServeruseraccountinthe UserNameboxandthepasswordinthePasswordbox. ClickNext.TheCheckpointandTruncateLogboxdisplaysthedatabaseyouchose. ClickFinish.
6. 7.
CHANGING THE SECURITY MODE

Dependingonyoursystemsetup,youmaywanttoswitchthesecuritymodeontheSQL Servertoenhanceperformanceofsomeapplications.Forexample,ifyouhaveActive AdministratorsetuptouseonemodeandFileSystemAuditortousetheother,you maywanttoswitchthesecuritymodeontheSQLServertoMixedMode(Windowsand SQLServer). 1. 2. 3. 4. 5. FromtheDatabaseWizardMainMenu,selectChangeSecurityMode. ClickNext.TheEstablishConnectionboxappears. IntheSQLServerInstancebox,typethenameoftheserverwherethedatabaseis located,orclick tolocatetheserver. IntheDatabaseNamebox,typethenameofthedatabase,orclick thedatabase. tolocate
55
FILE SYSTEM AUDITOR
56
6.
ClickNext.TheSelectModeboxdisplaysthesecuritymodeoptions.
7. Selectthesecuritymode.
Integrated Mode (Windows only)
SelecttousetheIntegratedMode(Windowsonly)ontheselectedserver.
Mixed Mode (Windows and SQL Server)
SelecttouseMixedMode(WindowsandSQLServer)ontheselectedserver. 8. 9. ClickNext.TheChangeSecurityModeboxdisplaystheserveryouchose. ClickFinish.
SETTING THE SA PASSWORD

IftheSQLServerissetupinmixedmode(SQLServerandWindows),setapasswordfor theSQLServeradministrator(saaccount).Youalsocanusethisoptiontochangethe passwordforsecuritypurposes. 1. 2. 3. 4. 5. FromtheDatabaseWizardMainMenu,selectSetSAPassword. ClickNext.TheEstablishConnectionboxappears. IntheSQLServerInstancebox,typethenameoftheserverwherethedatabaseis located,orclick tolocatetheserver. IntheDatabaseNamebox,typethenameofthedatabase,orclick thedatabase. tolocate
56
FILE SYSTEM AUDITOR
57
6.
ClickNext.TheEnterPasswordsboxappears.
7. 8. 9. IntheOldSAPasswordbox,typetheexistingpassword. IntheNewSAPasswordbox,typethenewpassword. IntheConfirmPasswordbox,retypethenewpassword.
10. ClickNext.TheSetSAPasswordboxdisplaystheserveryouchose. 11. ClickFinish.
SAVING CONNECTION INFORMATION

Thisoptionwritesthedatabaseconnectionsettingstotheregistry. 1. 2. 3. 4. 5. FromtheDatabaseWizardMainMenu,selectSaveConnectionInformation. ClickNext.TheEstablishConnectionboxappears. IntheSQLServerInstancebox,typethenameoftheserverwherethedatabaseis located,orclick tolocatetheserver. IntheDatabaseNamebox,typethenameofthedatabase,orclick thedatabase. tolocate
ChoosewhetherWindowsorSQLServerAuthenticationisused.IfyouselectUse SQLServerAuthentication,typethenameoftheSQLServeruseraccountinthe UserNameboxandthepasswordinthePasswordbox. ClickNext.TheSaveConnectionInformationboxdisplaystheregistrykeytowhich thedatabaseconnectionsettingsiswritten. ClickFinish.
6. 7.
57
FILE SYSTEM AUDITOR
58
PERFORMING DATABASE MAINTENANCE

PerformingregulardatabasemaintenancecanhelpmaintaintheperformanceofSQL Server.RunthisactionifyoufeelSQLServerisnotperformingatthesamelevelitonce did.Youcanselecttorebuildindexes,resetidentifycolumns,andperformconsistency checks. ThePerformDatabaseMaintenanceactionperformsthefollowingDatabase ConsistencyChecker(DBCC)commands.
DBCC Command CHECKCATALOG CHECKFILEGROUP CHECKTABLE REPAIR_REBUILD CHECKIDENT CHECKINDEX Description Checks the system tables for consistency. Performs a physical consistency check on all indexes and tables. Performs a consistency check of the data in each table and rebuilds indexes if necessary. Checks the identity values of each table and resets them if necessary. Checks the physical database allocation of indexes and repairs if necessary.
1. 2. 3. 4. 5.
FromtheDatabaseWizardMainMenu,selectPerformDatabaseMaintenance. ClickNext.TheEstablishConnectionboxappears. IntheSQLServerInstancebox,typethenameoftheserverwherethedatabaseis located,orclick tolocatetheserver. IntheDatabaseNamebox,typethenameofthedatabase,orclick thedatabase. tolocate
58
FILE SYSTEM AUDITOR
59
6.
ClickNext.ThePerformDatabaseMaintenanceboxappears.
7. Choosethemaintenanceoptionstoperform.Bydefaultalloptionsareselected.
Perform Consistency Checks
SelecttorunCHECKCATALOG,CHECKFILEGROUP,CHECKTABLE REPAIR_REBUILD,andCHECKINDEX.
Reset Identify Columns
SelecttorunCHECKINDENT.
Rebuild Indexes
SelecttorunCHECKINDEXandCHECKTABLEREPAIR_REBUILD. 8. 9. ClickNext.ThePerformDatabaseMaintenanceboxdisplaysthedatabaseand actionstobeperformed. ClickFinish.
RESETTING DATABASE SECURITY

ResettingthedatabasesecurityrecreatestheWindowsNTsecuritygroups,databaseroles, andlogins,andthenreappliesthedefaultsecuritytoalltables/functions/stored proceduresintheauditingdatabase. 1. 2. 3. 4. FromtheDatabaseWizardMainMenu,selectResetDatabaseSecurity. ClickNext.TheEstablishConnectionboxappears. IntheSQLServerInstancebox,typethenameoftheserverwherethedatabaseis located,orclick tolocatetheserver. IntheDatabaseNamebox,typethenameofthedatabase,orclick thedatabase. tolocate
59
FILE SYSTEM AUDITOR
60
5.
ChoosewhetherWindowsorSQLServerAuthenticationisused.IfyouselectUse SQLServerAuthentication,typethenameoftheSQLServeruseraccountinthe UserNameboxandthepasswordinthePasswordbox. ClickNext.TheResetDatabaseSecurityboxdisplaysthedatabaseyouchose. ClickFinish.
6. 7.
MOVING A DATABASE TO ANOTHER SERVER

Ifyouneedtomoveadatabasefromoneservertoanother,werecommendusingthe MicrosoftSQLServer2000/2005/2008ClientUtilities,SQL2005ManagementStudio,or ManagementStudioExpressforSQL2005Express. Note:ClientutilitiesareavailableonlyonafullversionofSQLServer,whichisnot includedwithFileSystemAuditor. 1. 2. 3. 4. OpenSQLEnterpriseManager. Locatethedatabasetomove,rightclick,pointtoAllTasks,andthenchooseDetach Database. Openthefolderwherethedatafilesforthatdatabasearestored,andthencopythe *.mdfand*.ldffilesforthatdatabasetothenewserver. InSQLEnterpriseManager,navigatetothenewserverwhereyouwanttoattachthe database,rightclickontheDatabasefolder,pointtoAllTasks,andthenchoose AttachDatabase. Selectthe*.mdffileyoujustcopiedtothecomputer,andthencompletethe operation.
5.
60
FILE SYSTEM AUDITOR
61
Troubleshooting
InitsKnowledgeBase,ScriptLogicCorporationhasalibraryofarticlesthatmayprovide ananswertoaproblemyouareexperiencing.Beforecallingtechnicalsupport,checkto seeifyourproblemisdocumentedhere.YoumightalsobrowsetheDiscussionForums toseeifanyoneelseisexperiencingthesameissue. http://www.scriptlogic.com/support
Not seeing events in the database

Checkthat(a)youhavesetuptheserviceconfigurationutilitycorrectlytocapturethe events,and(b)youhavenotexcludedthefilesandfoldersyouareauditing. SomeapplicationsgenerateaFileReadeventonlywhenafileisopenedforthefirsttime. Ifthefileisopenedagain,theapplicationmaypullfromamemorycacheandnotfrom thedisk.SinceFileSystemAuditorwatcheseventsgoingtoNTFS,ifanapplicationpulls afilefromamemorycacheandnevercallsNTFS,aFileReadeventisnotlogged.If anotheruseropensthatsamefileforthefirsttime,thatFileReadeventislogged.
Auditing database fills up fast

UsecautionifincludingFileReadorFileAccessDenied(Opening/Modifying)events asthenumberofeventsrecordedbyFileSystemAuditormayoverwhelmtheauditing database.AnyfocusonafileinWindowsExplorer,suchasamouseoverorusingthe arrowkeystoscrollthroughthedirectory,causesaFileReadeventinFileSystem Auditoriftheuserhasaccesstothefile(s).Iftheuserdoesnothaveaccesstothefile(s), FileSystemAuditorrecordsaFileAccessDenied(Opening/Modifying)event. IfyouneedtoincludetheFileReadorFileAccessDenied(Opening/Modifying) events,restrictthepathtoaminimumnumberoffiles/folders,andtoeliminatefalse positives,makesureyouhaveWindowsAccessBasedEnumeration(availablewith WindowsServer2003ServicePack1)enabledandoperational.
61
FILE SYSTEM AUDITOR
62
REMOVING A FILE SERVER

Whenyouremoveafileserverfromthelistofservers,theAuditAgentisuninstalledas partoftheprocess.Toaddtheserverbacktothelist,seeAddingFileServers. 1. Selecttheserverfromthelistoffileservers,andthenclick StopAuditingfromtheServermenu. .Alternatively,choose
2. 3. Withtheserverstillselected,click fromtheFilemenu. .Alternatively,chooseRemoveFileServer
Toremovetheserver,clickYes.Duringtheprocessofremovingtheserver,theAudit Agentisuninstalled.
UNINSTALLING THE AUDIT AGENT

YoucanuninstalltheAuditAgentwithoutremovingafileserverfromthelist. ToreinstalltheAuditAgentonthefileserver,addthefileserveragain.SeeAddingFile Servers. 1. 2. 3. FromtheWindowsControlPanel,chooseAdd/RemovePrograms. SelectFileSystemAuditorAgentSetup,andthenclickRemove.Amessagebox promptsyouforconfirmation. Toremovetheagent,clickYes.
62
FILE SYSTEM AUDITOR
63
UNINSTALLING FILE SYSTEM AUDITOR

1. 2. 3. FromtheWindowsControlPanel,chooseAdd/RemovePrograms. SelectFileSystemAuditor2,andthenclickRemove.Amessageboxpromptsyou forconfirmation. Toremovetheapplication,clickYes. Note:TheinstallationdirectorythatcontainedFileSystemAuditorremainsafterthe processiscomplete.Thisdirectorycontainsthelicensefilefortheproductandany filescreatedaftertheproductwasinstalled.Thesemaybedeletedmanuallyifyou wishtocompletelyremoveFileSystemAuditor.
63
FILE SYSTEM AUDITOR
64
AuditDatabaseSchema
64
FILE SYSTEM AUDITOR
65
StoredProcedures
Name CleanUpTables DeleteFullPath dt_addtosourcecontrol dt_addtosourcecontrol_u dt_adduserobject dt_adduserobject_vcs dt_checkinobject dt_checkinobject_u dt_checkoutobject dt_checkoutobject_u dt_displayoaerror dt_displayoaerror_u dt_droppropertiesbyid dt_dropuserobjectbyid dt_generateansiname dt_getobjwithprop dt_getobjwithprop_u dt_getpropertiesbyid dt_getpropertiesbyid_u dt_getpropertiesbyid_vcs dt_getpropertiesbyid_vcs_u dt_isundersourcecontrol dt_isundersourcecontrol_u dt_removefromsourcecontrol dt_setpropertybyid dt_setpropertybyid_u dt_validateloginparams Owner dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo Type User User System System System System System System System System System System System System System System System System System System System System System System System System System Create Date 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26
65
FILE SYSTEM AUDITOR
66
Name dt_validateloginparams_u dt_vcsenabled dt_verstamp006 dt_verstamp007 dt_whocheckedout dt_whocheckedout_u GetAccountID GetComputerID GetPathID GetPathIDEx GetPermissionID GetProcessID InsertEntry InsertEntry2 PopulateEventNames PurgeDataByDate Update1 Update2
Owner dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo
Type System System System System System System User User User User User User User User User User User User
Create Date 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05
66
FILE SYSTEM AUDITOR
67
Index
.
.lic, 9
E
editing default filters, 35 file path filter, 27 process exclusion filter, 29 user exclusion filter, 31 evaluation period, 10 excluding files, 24 folders, 24 processes, 28 users, 30
A
adding default filters, 34 file path to filter, 24 file servers, 15 process filters, 28 user filters, 30 Advanced Settings, 33 attaching database, 54 Audit Agent starting, 23 stopping, 23 upgrading, 14 Audit Database creating, 15 viewing data, 36 auditing database, 65
F
file extensions .sql, 53 file masks removing, 27 file servers adding, 15 File System Auditor starting, 11 filters file path, 24 process, 28 user, 30
C
creating Audit Database, 15 database, 48
D
database attaching, 54 changing settings, 32 creating, 15, 48 detaching, 50, 55 increasing size, 50 maintenance, 59 moving to another server, 61 purging, 37 shrinking, 51 viewing data, 36 viewing statistics, 53 database schema, 65 Database Wizard, 46 DBCC commands, 59 default filters, 34 detaching database, 50, 55 duplicate entries suppressing, 33
I
including files, 24 folders, 24 increasing database size, 50 installing SQL Server 2005 Express, 32 iSCSI disks, 3
L
license file applying, 9
M
moving database to another server, 61
67
FILE SYSTEM AUDITOR
68
O
opening Agent Configuration, 11
P
path filter editing, 27 removing, 27 process filters adding, 28 editing, 29 removing, 29 purging audit database, 37
SLFileAuditor, 65 SQL Script running, 53 SQL Script File, 53 SQL Server 2005 Express, 32 starting Agent Configuration, 11 Audit Agent, 23 stopping Audit Agent, 23 suppressing duplicate entries, 33 system requirements, 3
T
tempdb database, 51 transation log truncating, 56 truncate transaction log, 56
R
reducing database size, 51 register product, 10 removing default filters, 35 file masks, 27 file path filter, 27 process exclusion filter, 29 user exclusion filter, 31
U
upgrading Audit Agent, 14 user filters adding, 30 editing, 31 removing, 31
S
saving connection information, 58 servers moving a database, 61 setting process filters, 28 user filters, 30 setting filters file path, 24 shrinking database, 51
V
viewing data, 36 database statistics, 53
W
web site, 10
68

FSA 2 5 Getting Started

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FSA 2 5 Getting Started

Uploaded by

Copyright:

Available Formats

ScriptLogic File System Auditor Agent Configuration Getting Started Guide

FILE SYSTEM AUDITOR

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR

SCRIPTLOGIC ON THE WEB

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR

MINIMUM SYSTEM REQUIREMENTS

Supported Management Platforms

Support for iSCSI disks

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR

BEFORE YOU BEGIN

User Privilege Requirements

INSTALLING FILE SYSTEM AUDITOR

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR

Note:Bydefault,boththeAgentConfigurationConsoleandtheReport ConfigurationConsoleareinstalled.IfyouwanttoinstalljusttheReport ConfigurationConsole,opentheAgentConfigurationConsolelist,andthenchoose Entirefeaturewillbeunavailable.

See if there is enough space to install the programs

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR

STARTING FILE SYSTEM AUDITOR

EachtimeyourunFileSystemAuditororFileSystemAuditReporter,youwillbe greetedbythesplashscreen,whichdisplaystheinitializationoftheprogramandthe versionnumber.

Applying a License File

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR

Thelicensefileisapproximately1KBinsizeandhasa.licfileextension.YourSales AccountExecutiveorLicensingSpecialistshouldhavesentthisfiletoyouasanemail attachment. Click tolocatethelicensefile,andthenclick .

Evaluating the Product

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR

STARTING THE AGENT CONFIGURATION CONSOLE

EXAMINING THE AGENT CONFIGURATION CONSOLE START PAGE

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR

Menu Option Help Contents About ScriptLogic File System Auditor

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR

UPGRADING THE AUDIT AGENT

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR

CREATING AN AUDIT DATABASE

ADDING FILE SERVERS

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR

IntheFileServerorCluster/NodeNamesbox,typethenamesofthefileserversor clusterserversseparatedwithcommas,orclick andchoosethe servers. Note:YoucannotselectvirtualclusterserversfromtheActiveDirectoryObject Picker.Youmusttypethenamesinthebox.

UPDATED 1 FEBRUARY 2011

FILE SYSTEM AUDITOR