Professional Documents
Culture Documents
II
2011byScriptLogicCorporation Allrightsreserved. ThispublicationisprotectedbycopyrightandallrightsarereservedbyScriptLogicCorporation.It maynot,inwholeorpart,becopied,photocopied,reproduced,translated,orreducedtoany electronicmediumormachinereadableformwithoutpriorconsent,inwriting,fromScriptLogic Corporation.ThispublicationsupportsFileSystemAuditor2.x.Itispossiblethatitmaycontain technicalortypographicalerrors.ScriptLogicCorporationprovidesthispublicationasis,without warrantyofanykind,eitherexpressedorimplied. ScriptLogicCorporation 6000BrokenSoundParkwayNW BocaRaton,Florida334872742 1.561.886.2400 www.scriptlogic.com TrademarkAcknowledgements: FileSystemAuditorandScriptLogicareregisteredtrademarksofScriptLogicCorporationinthe UnitedStatesand/orothercountries. Thenamesofothercompaniesandproductsmentionedhereinmaybethetrademarksoftheir respectiveowners.
II
III
DOCUMENTATION CONVENTIONS
Typeface Conventions
Bold
Indicates a button, menu selection, tab, dialog box title, text to type, selections from drop-down lists, or prompts on a dialog box.
CONTACTING SCRIPTLOGIC
ScriptLogicmaybecontactedaboutanyquestions,problemsorconcernsyoumighthave at:
ScriptLogic Corporation 6000 Broken Sound Parkway NW Boca Raton, Florida 33487-2742 561.886.2400 Sales and General Inquiries 561.886.2450 Technical Support 561.886.2499 Fax
www.scriptlogic.com
III
IV
Contents
WHAT IS FILE SYSTEM AUDITOR?........................................................................................................................1 INSTALLING FILE SYSTEM AUDITOR ....................................................................................................................2 MINIMUM SYSTEM REQUIREMENTS ....................................................................................................................3 Supported Management Platforms .................................................................................................................3 Export Requirements ......................................................................................................................................3 Support for iSCSI disks...................................................................................................................................3 BEFORE YOU BEGIN ............................................................................................................................................4 User Privilege Requirements..........................................................................................................................4 INSTALLING FILE SYSTEM AUDITOR ...................................................................................................................4 STARTING FILE SYSTEM AUDITOR ......................................................................................................................8 Applying a License File ..................................................................................................................................8 Evaluating the Product...................................................................................................................................9 CONFIGURING FILE SYSTEM AUDITOR...............................................................................................................10 STARTING THE AGENT CONFIGURATION CONSOLE ...........................................................................................10 EXAMINING THE AGENT CONFIGURATION CONSOLE START PAGE ....................................................................10 UPGRADING THE AUDIT AGENT ........................................................................................................................13 CREATING AN AUDIT DATABASE ......................................................................................................................14 ADDING FILE SERVERS ......................................................................................................................................14 STOPPING AND STARTING THE AUDIT AGENT ...................................................................................................22 SETTING PATH FILTERS .....................................................................................................................................23 SETTING PROCESS EXCLUSION FILTERS ............................................................................................................27 SETTING USER EXCLUSION FILTERS ..................................................................................................................29 CHANGING DATABASE SETTINGS ......................................................................................................................31 CHANGING ADVANCED SETTINGS .....................................................................................................................32 SETTING DEFAULT FILTERS...............................................................................................................................33 USING THE REAL TIME VIEWER .........................................................................................................................35 PURGING THE AUDIT DATABASE.........................................................................................................................36 PURGING DATA FROM THE COMMAND LINE......................................................................................................43 Using Interactive Mode ................................................................................................................................44 MANAGING THE AUDITING DATABASE ...............................................................................................................45 STARTING THE DATABASE WIZARD ..................................................................................................................45 CREATING A NEW DATABASE ...........................................................................................................................47 REMOVING AN EXISTING DATABASE.................................................................................................................49 INCREASING DATABASE SIZE ............................................................................................................................49 SHRINKING A DATABASE...................................................................................................................................50 RUNNING AN SQL SCRIPT .................................................................................................................................52 VIEWING DATABASE STATISTICS ......................................................................................................................52 ATTACHING A DATABASE .................................................................................................................................53 DETACHING A DATABASE .................................................................................................................................54 TRUNCATING THE TRANSACTION LOG ..............................................................................................................55 CHANGING THE SECURITY MODE ......................................................................................................................55 SETTING THE SA PASSWORD .............................................................................................................................56 SAVING CONNECTION INFORMATION ................................................................................................................57 PERFORMING DATABASE MAINTENANCE ..........................................................................................................58 RESETTING DATABASE SECURITY .....................................................................................................................59 MOVING A DATABASE TO ANOTHER SERVER ....................................................................................................60
IV
TROUBLESHOOTING ............................................................................................................................................61 REMOVING A FILE SERVER ................................................................................................................................62 UNINSTALLING THE AUDIT AGENT ...................................................................................................................62 UNINSTALLING FILE SYSTEM AUDITOR ............................................................................................................63 AUDIT DATABASE SCHEMA .................................................................................................................................64 STORED PROCEDURES .........................................................................................................................................65 INDEX ...................................................................................................................................................................67
WhatisFileSystemAuditor?
TheScriptLogicFileSystemAuditor,auniquesolutionforrecordingWindowsfileserver activity,allowsadministratorstoauditfileaccess,generateeasytounderstandreports, andcreatealertstiedtofilesystemevents.Idealforprotectingconfidentialorsensitive data,FileSystemAuditorassistsincompliancereportingbycreatinganaudittrailoffile activityonpatientrecords,financialreports,orothersensitiveinformation. FileSystemAuditorassistsinsecuritymanagementbysendingemailalertsorsavingthe reporttoafilesharewheneverspecificfilesystemeventsoccur,suchasfailedaccess attempts,ormodificationsofaparticularsetoffilesandfolders.
InstallingFileSystemAuditor
TherearetwocomponentstoFileSystemAuditor:theAgentConfigurationConsoleand theReportingConsole.FromtheAgentConfigurationConsole,youcanremotelyinstall theFileSystemAuditorAgentonsystemstobeaudited.TheAgentconsistsofafile systemdriverandaservice.YoucaninstalljusttheReportingConsoleonsystemstobe usedforreportgeneration. SQL2000,SQL2005,andSQL2008databaseinstances(defaultandnamed)are supported,includingSQL2005Express.
Export Requirements
MicrosoftSQLServer2000,MicrosoftSQLServer2005,MicrosoftSQLServer2008, MicrosoftSQLServer2008R2,andDataAccessComponents(MDAC)2.7
2.
ClickNext.TheLicenseAgreementpageopens.
3. SelecttheIacceptthetermsintheLicenseAgreementcheckbox,andthen clickNext.TheCustomSetuppageopens.
To: Return the selections to the default Change the location of the program files Click:
The Change Current Destination Folder page opens. Choose a new location for the installation directory.
The Disk Requirements page shows the disk space available on the drive displayed in the Install to area.
4.
ClickNext.TheReadytoinstallpageopens.
5. ClickNext.Theinstallationprocessbegins.Whentheprocessiscomplete,the Completedpageopens.
6. ClickFinish.
To: Start the evaluation version Exit Go to the ScriptLogic web site Apply a License File Click:
10
ConfiguringFileSystemAuditor
TheFileServiceAuditorAgentConfigurationConsoleenablesyoutomanagethedata thatgoesintotheauditingdatabase.Onlythedatathatresidesintheauditingdatabaseis availabletotheFileSystemAuditorconsoleforreporting. BeforeFileSystemAuditorcanbegintocollectdata,youmustdefineapathandchoose thetypesofeventstomonitor.Tomanagethenumberofeventsthatarecollected,you canspecifytoincludeorexcludecertainfiletypes,orexcludecertainprocessesfromthe collection.Lastly,youcanspecifyalengthoftimeduringwhichduplicateeventsare suppressedfromthelist,whichalsohelpsmanagetheamountofdatacollected.
10
11
Option Add File Servers Run Database Wizard Purge Audit Log Modify Application Preferences Display Help Launch Reporting Console
Description Add file servers. See Adding File Servers. Create and manage auditing databases. See Starting the Database Wizard. Purge selected data from an auditing database. See Purging the Audit Database. Create and manage default filters. See Setting Default Filters Display online help. Open the File System Audit Report Configuration Console where you can produce reports based on the data in the auditing database. See the File System Auditor Report Configuration User Guide.
Tool Bar
Icon Description Add file servers. See Adding File Servers. Remove selected file servers. Start the auditing process. Stop the auditing process. Refresh the display. Open the File System Audit Report Configuration Console where you can produce reports based on the data in the auditing database. See the File System Auditor Report Configuration User Guide. Upgrade the Audit Agent from a previous installation of File System Auditor. See Upgrading the Audit Agent. Display the Start Page. Access online help
Menus
Menu Option Add File Servers Remove File Server Exit Menu Option Start Page
Description Add file servers. See Adding File Servers. Remove selected file servers. Close File System Auditor. Description Display the Start Page.
11
12
Menu Option Start Auditing Stop Auditing Refresh Menu Option Database Wizard Purge Audit Log Report Configuration
Description Start the auditing process. Stop the auditing process. Refresh the display. Description Create and manage auditing databases. See Starting the Database Wizard. Purge selected data from an auditing database. See Purging the Audit Database. Open the File System Audit Report Configuration Console where you can produce reports based on the data in the auditing database. See the File System Auditor Report Configuration User Guide. Create and manage default filters. See Setting Default Filters. Description Access online help View information about the version of File System Auditor installed on your computer, to apply a license file, or to visit the ScriptLogic website.
Preferences
12
13
1. Selectthefileserver,andthenclick .Awarningmessagedisplays.
2. Toupgradetheagent,clickYes.
3. ClickClose.
13
14
14
15
2.
ClickNext.TheSelectfileserverspageopens.
3. Click .TheAddFileServerspageopens.
15
16
4.
5. ClickOK.Theservername(s)displaysintheComputerNamecolumnandthe AgentActioncolumnindicatestheAuditAgentwillbeinstalled.
16
17
6.
ClickNext.TheChoosedatabaseandsetauthenticationpageopens.
a. FromtheSQLServerInstancelist,selectthenameoftheserverwherethe auditingdatabaseresides.
b. FromtheDatabaseNamelist,selectthenameoftheauditingdatabase. c. ChoosewhethertouseWindowsorSQLServerauthentication.
17
18
7.
Bydefault,allpublicsharesareaddedaspathfilters.Ifyouwanttoadddifferent pathfilters,cleartheUsesettingsforallfileserverscheckbox,andthenclearthis checkbox. Youcanspecifyspecificfolderstoincludeorfilteroutanyfoldersyoudonotwantto includeinthedata.Inaddition,youcanspecifyspecificeventsandfilestoincludeor exclude.SeeStoppingandStartingtheAuditAgent. Process Exclusion Filters SeeSettingProcessExclusionFilters. User Exclusion Filters SeeSettingUserExclusionFilters.
18
19
8.
ClickNext.TheSetadvancedinstalloptionspageopens.
IfyouarerunningWindowsServer2003orlater,fileshareeventsareincludedinthe datacollectionbydefault.Todisablethisfeature,clearthecheckbox.
Agent Start Options Start agent(s) immediately after install
Bydefault,theagentsarestartedafterinstallationiscomplete.
Only install agents. User will start agents later
Selecttoinstallagentsonly.Tostarttheagentsafterinstallation,seeStoppingand StartingtheAuditAgent.
19
20
9.
ClickNext.TheSummarypagedisplaystheselectionsyoumade.
Button Description Print the summary information. Save the summary information to a file.
10. ClickFinish.
11. ClickClose.
20
21
Themainwindowdisplaysthefileserversthatyouinstalled.Youcanselecteach serverindividuallytoviewinformationandtocreatefilters.
TheDatabaseSettingsareadisplaysinformationabouttheSQLServerInstance andtheauditingdatabase.SeeChangingDatabaseSettings, TheAdvancedSettingsareadisplaysthechoicesmadeduringinstallationofthe fileserver.SeeChangingAdvancedSettings. TheHealthStatusareashowsthestatusoftheFileServer,Agent,andAudit Database. Note:Youmayneedtoclick torefreshthestatus.Alternatively,choose RefreshfromtheServermenu. TheFiltersareacontainsthreetabs.Youhadtheoptiontoaddfiltersduringthe processofaddingafilter.Ifyouchosetobypassthatstep,youcanaddthem now,orifyoudidaddfilters,youcaneditorremovethem. SeeSettingPathFilters SeeSettingProcessExclusionFilters SeeSettingUserExclusionFilters
21
22
22
23
Button Description Add a new filter Remove selected filters Edit the selected filter
2. 3.
Click
.TheCreateNewAuditingFilterboxopens.
IntheFolder/FileWildcardbox,typethepathtowhichtoapplythefilter,orclick tolocateafolder.Youcanusethe*wildcardwhentypingthepath.
23
24
Whenthepathiscomplete,clickSelect.
4. IntheInclude/ExcludeFileSystemEventsarea,selectthefileandfoldereventsthatyou wanttoincludeorexcludefromthepath.Bydefault,alleventsareselected.
Events Affecting Files Events Affecting Folders
24
25
Note:Youcanselecttoincludeorexcludeevents,butnotbothinthesamefilter. Createseparatefilterstoincludeandexcludeevents. Important:UsecautionifincludingFileReadorFileAccessDenied(Opening/ Modifying)eventsasthenumberofeventsrecordedbyFileSystemAuditormay overwhelmtheauditingdatabase.AnyfocusonafileinWindowsExplorer,suchas amouseoverorusingthearrowkeystoscrollthroughthedirectory,causesaFile ReadeventinFileSystemAuditoriftheuserhasaccesstothefile(s).Iftheuserdoes nothaveaccesstothefile(s),FileSystemAuditorrecordsaFileAccessDenied (Opening/Modifying)event. IfyouneedtoincludetheFileReadorFileAccessDenied(Opening/Modifying) events,restrictthepathtoaminimumnumberoffiles/folders,andtoeliminatefalse positives,makesureyouhaveWindowsAccessBasedEnumeration(availablewith WindowsServer2003ServicePack1)enabledandoperational. Note:SomeapplicationsgenerateaFileReadeventonlywhenafileisopenedfor thefirsttime.Ifthefileisopenedagain,theapplicationmaypullfromamemory cacheandnotfromthedisk.SinceFileSystemAuditorwatcheseventsgoingto NTFS,ifanapplicationpullsafilefromamemorycacheandnevercallsNTFS,aFile Readeventisnotlogged.Ifanotheruseropensthatsamefileforthefirsttime,that FileReadeventislogged. 5. IntheInclude/ExcludeFileMasksarea,youcanspecifyfilestoincludeorexclude. Toaddamask,clickAddintheappropriatearea.TheAddIncludedFileMaskor AddExcludedFileMaskboxappears.Typethemaskintheboxusingwildcardsas needed,andthenclickOK. Note:Toincludeorexcludeeventsforfilesthathavenoextension,type*.(asterisk, dot).Ifyouthenrenameafilewithoutanextensiontoafilenamewithanextension, youwillseetheeventbecauseitshowsupforthefilenamewiththeextension.
Include Mask Exclude Mask
25
26
TheCreateNewAuditingFilterboxdisplaystheselections.
Eventsexcludedfromthefilterareindicatedwith
26
27
Button Description Add a new filter Remove selected filters Edit a selected filter Add filters that exclude all events for the following processes: abackup.exe cavtray.exe cobbu.exe fsm32.exe mcshield.exe msssrv.exe navapw32.exe ntbackup.exe NtrsScan.exe rbserv.exe rtvscan.exe savscan.exe slase.exe slfsasvc.exe spybotsd.exe spysweeper.exe webscanx.exe winbackup.exe ws_rep.exe
2. 3.
27
28
4.
IntheExcludeFileSystemEventsarea,selectthefileandfoldereventsthatyou wanttoexcludefromtheprocess.
Events Affecting Files Events Affecting Folders
5.
Eventsexcludedfromthefilterareindicatedwith
28
29
Button Description Add a new filter Remove selected filters Edit the selected filter
2.
3.
29
30
4.
Eventsexcludedfromthefilterareindicatedwith
30
31
31
32
IfyouarerunningWindowsServer2003orlater,fileshareeventsareincludedinthe datacollectionbydefault.Todisablethisfeature,clearthecheckbox.
32
33
33
34
Default Filters
Process Anti-Virus cavtray.exe fsm32.exe mcshield.exe Navapw32.exe ntrsScan.exe rtvscan.exe savscan.exe webscanx.exe Anti-Spyware mssrv.exe slase.exe spybotsd.exe spysweeper.exe Backup Software abackup.exe cobbu.exe ntbackup.exe rbserv.exe winbackup.exe File Replication ws_rep.exe Auditing Slfsasvc.exe ScriptLogic Corporation File System Auditor ScriptLogic File System Auditor Service Xosoft WANSyncHA Agent Modular Software Cobian Microsoft Mike Lin UniBlue Systems Ltd. aBackup Cobian Backup Windows Backup Rapid Backup WinBackup Webroot Software McAfee ScriptLogic McAfee AntiSpyware Desktop Authority Spybot Search and Destroy SpySweeper Computer Associates McAfee McAfee Symantec Trend Micro Symantec Symantec McAfee Norton Antivirus Agent OfficeScan Antivirus Antivirus Scanner Network Traffic Monitor EZ Antivirus Stinger Real-time Scanner Real-time AV Scanner Manufacturer Product Name Application Name
35
UsingtheRealTimeViewer
OnceyouhavesetupFileSystemAuditor,youcanusetheRealTimeViewertolookat eventsastheyoccur. Note:YoucannotvieweventsthatoccurpriortothetimeyouopenedtheRealTime EventViewer.Tovieweventsthatoccurredinthepast,usetheReportingConsole.
Youcansizethecolumnstoviewthecompleteentry,orselectarecordandthenpointto theentry.
Insert Events into List Below (Realtime Viewer only the last 100 events are shown)
Bydefault,eventsbegintoappearinthelistassoonasyouopentheRealTimeViewer. Toturnoffthecaptureofevents,clearthecheckbox.
35
36
PurgingtheAuditDatabase
ThePurgeDatabaseWizardhelpsyoupurgespecificdatafromtheauditingdatabase. 1. FromtheToolsmenu,choosePurgeAuditLog.Alternatively,clickPurgeAuditLog ontheStartPage.ThePurgeDatabaseWizardopenstotheWelcomepage.
36
37
3.
ClickNext.TheSelectdata/timerangepageopens.
Bydefault,allfilesystemeventsforthepasthouraredeleted.Typeanumberinthe Hoursboxtoincreaseordecreasethetimerange.
Delete file system events between the following times
Selecttochooseadateandtimerange.Clickthecalendartoselectadate.Eithertype orscrollthevaluesinthetimeboxes.
37
38
4.
ClickNext.TheSelectuserfilterspagedisplaystheusersintheauditdatabase.
Bydefault,allusersareincludedinthepurge.
Include Selected Users
SelecttoactivatetheUsersarea.Selectusersinthelisttoincludeinthepurge.You canalsoaddgroupstoincludeinthepurge.SeeAddingaGroup.
Exclude Selected Users
SelecttoactivatetheUsersarea.Selectusersinthelisttoexcludefromthepurge. Youcanalsoaddgroupstoexcludefromthepurge.SeeAddingaGroup.
38
39
Adding a Group
a.
TypeagroupnameintheGroupbox.Alternatively,clickSelectagroup,and thensearchforagrouptoadd.
39
40
5.
ClickNext.TheSelecteventfilterspagelistsalltheeventspresentintheAudit Database.
Bydefault,alleventsareincludedinthepurge.
Include Selected Events
SelecttoactivatetheEventsarea.Selecteventsinthelisttoincludeinthepurge.
Exclude Selected Events
SelecttoactivatetheEventsarea.Selecteventsinthelisttoexcludefromthepurge.
40
41
6.
ClickNext.TheProcessesboxliststheprocessesincludedintheauditingdatabase.
Bydefault,allprocessesareincludedinthepurge.
Include Selected Processes
SelecttoactivatetheProcessesarea.Selectprocessesinthelisttoincludeinthe purge.
Exclude Selected Processes
Bydefault,allserversareincludedinthepurge.
Include Selected Servers
42
Bydefault,allworkstationsareincludedinthepurge.
Include Selected Workstations
SelecttoactivatetheWorkstationarea.Selectworkstationsinthelisttoincludein thepurge.
Exclude Selected Workstations
43
10. ClickPurge.Amessageasksforconfirmation.
11. ClickYestocontinuewiththepurgeprocess.ThePurgeCompleteboxdisplays.
12. ClickClose.
where
/? <conn_str> Display this help message Connection string for DB e.g. "Server=SqlServer1;Database=SLFileAuditor; Integrated Security=SSPI;Asynchronous Processing=true" <date> All events older than the specified date (but not including) are removed from the database. <number_of_days> All events that were happened at least the number of days specified prior to the current date are removed from the database. If 0 specified all the events are removed.
Example
C:\Program Files\ScriptLogic Corporation\File System Auditor 2\PurgeData.exe /CS="Server=VM2K3FSAAGENT\FSA;Database=SLFileAuditor2; Asynchronous Processing=true;Integrated Security=SSPI" /Days=5
43
44
44
45
ManagingtheAuditingDatabase
Important:Youmustcreateanauditingdatabasebeforeyoucanperformanytasksusing FileSystemAuditor.
45
46
ClickNexttodisplaythemainmenu.Whenyouchooseanoperationfromthelist,a briefdescriptiondisplays.
Operation Create New Database Remove Database Increase Database Size Shrink Database Size Run SQL Script View Database Statistics Attach Database Detach Database CheckPoint and Truncate Log Description Create a new database. Remove (drop) an existing database. Increase data and log file size of an existing database. Decrease the data and log file size of an existing database. Run any SQL script. View statistics for an existing database. Attach an existing database. Detach an existing database. Perform a checkpoint operation on the specified database. This checks to see if there are dirty pages in memory that need to be flushed to the hard drive. The log file will be marked accordingly and then a truncate operation will be performed. Change the security mode of a SQL server instance to integrated mode (Windows only) or mixed mode (Windows and SQL Server). Change the current SA login account password for SQL Server. Save the database-related connection information into the registry. Perform several tasks, such as Rebuilding Indexes, Resetting Identity Columns, and Performing Consistency Checks. Reset security related principles, such as roles, logins, and permissions to their default settings.
46
47
47
48
6.
ClickNext.TheEnterDatabaseSettingsboxdisplaysthedefaultinitialsizesforthe database(*.mdf)andlog(*.ldf)files.
File Sizes
48
49
6. 7.
49
50
6.
ClickNext.TheEnterDatabaseSizeboxdisplaysthecurrentcombinedsizeofthe databaseandlogfilesintheTotalDatabaseSizearea.
SHRINKING A DATABASE
Ifyouneedtoreclaimspace,youcanshrinkthedatabase,whichreducesthesizeofthe databasetotheminimumamountbasedonthesizeofthedata. Note:Anotherdatabasetomonitoristhetempdbdatabase,whichistheworkingarea thatMicrosoftSQLServerusestoprocessqueriesandperformotheractions.Youmight shrinkthetempdbdatabaseperiodicallytoreclaimthediskspacethatisnolonger needed. 1. 2. 3. FromtheDatabaseWizardMainMenu,selectShrinkDatabaseSize. ClickNext.TheEstablishConnectionboxappears. IntheSQLServerInstancebox,typethenameoftheserverwherethedatabaseis located,orclick tolocatetheserver.
50
51
4. 5.
IntheDatabaseNamebox,typethenameofthedatabase,orclick thedatabase.
tolocate
6.
Dataattheendofthefileismovedtoearlierinthefile.Fileistruncatedbythevalue intheShrinkPercentagebox.
Empty File
RemovealldatafromthedatabaseandreducethesizebythevalueintheShrink Percentagebox.
No Truncate
Dataattheendofthefileismovedtoearlierinthefile.Databasesizeisreducedby thevalueintheShrinkPercentagebox.
Truncate Only
FileistruncatedbythevalueintheShrinkPercentagebox.Dataisnotmoved. 9. ClickNext.TheShrinkDatabaseboxdisplaysthedatabaseyouchose.
10. ClickFinish.
51
52
6. 7.
8. 9. ClickNext.TheRunSQLScriptboxdisplaysthepathtothefileyouchose. ClickFinish.
52
53
5.
6. 7.
ATTACHING A DATABASE
Whenyoucreateadatabase,itisautomaticallyattachedtoFileSystemAuditor.Ifyou detachadatabase,youcanattachitagaintouseit. 1. 2. 3. 4. 5. FromtheDatabaseWizardMainMenu,selectAttachDatabase. ClickNext.TheEstablishConnectionboxappears. IntheSQLServerInstancebox,typethenameoftheserverwherethedatabaseis located,orclick tolocatetheserver. IntheDatabaseNamebox,typethenameofthedatabase,orclick thedatabase. tolocate
6.
53
54
7.
IntheFileNamebox,typethefullpathtothedatafileorclick filetoattach.
tolocatethedata
8. 9. ClickNext.TheAttachDatabaseboxdisplaysthedatabaseyouchose. ClickFinish.
DETACHING A DATABASE
DetachingadatabaseremovesitfromFileSystemAuditor,butdoesnotdeleteitfrom thesystem.Topermanentlydeleteadatabase,seeRemovinganExistingDatabase. Note:Thedatabasecannotbeinuse.ExitFileSystemAuditor,ifnecessary. 1. 2. 3. 4. 5. FromtheDatabaseWizardMainMenu,selectDetachDatabase. ClickNext.TheEstablishConnectionboxappears. IntheSQLServerInstancebox,typethenameoftheserverwherethedatabaseis located,orclick tolocatetheserver. IntheDatabaseNamebox,typethenameofthedatabase,orclick thedatabase. tolocate
6. 7.
54
55
6. 7.
55
56
6.
ClickNext.TheSelectModeboxdisplaysthesecuritymodeoptions.
7. Selectthesecuritymode.
Integrated Mode (Windows only)
SelecttousetheIntegratedMode(Windowsonly)ontheselectedserver.
Mixed Mode (Windows and SQL Server)
56
57
6.
ClickNext.TheEnterPasswordsboxappears.
6. 7.
57
58
1. 2. 3. 4. 5.
58
59
6.
ClickNext.ThePerformDatabaseMaintenanceboxappears.
7. Choosethemaintenanceoptionstoperform.Bydefaultalloptionsareselected.
Perform Consistency Checks
SelecttorunCHECKCATALOG,CHECKFILEGROUP,CHECKTABLE REPAIR_REBUILD,andCHECKINDEX.
Reset Identify Columns
SelecttorunCHECKINDENT.
Rebuild Indexes
59
60
5.
6. 7.
5.
60
61
Troubleshooting
InitsKnowledgeBase,ScriptLogicCorporationhasalibraryofarticlesthatmayprovide ananswertoaproblemyouareexperiencing.Beforecallingtechnicalsupport,checkto seeifyourproblemisdocumentedhere.YoumightalsobrowsetheDiscussionForums toseeifanyoneelseisexperiencingthesameissue. http://www.scriptlogic.com/support
61
62
Toremovetheserver,clickYes.Duringtheprocessofremovingtheserver,theAudit Agentisuninstalled.
62
63
63
64
AuditDatabaseSchema
64
65
StoredProcedures
Name CleanUpTables DeleteFullPath dt_addtosourcecontrol dt_addtosourcecontrol_u dt_adduserobject dt_adduserobject_vcs dt_checkinobject dt_checkinobject_u dt_checkoutobject dt_checkoutobject_u dt_displayoaerror dt_displayoaerror_u dt_droppropertiesbyid dt_dropuserobjectbyid dt_generateansiname dt_getobjwithprop dt_getobjwithprop_u dt_getpropertiesbyid dt_getpropertiesbyid_u dt_getpropertiesbyid_vcs dt_getpropertiesbyid_vcs_u dt_isundersourcecontrol dt_isundersourcecontrol_u dt_removefromsourcecontrol dt_setpropertybyid dt_setpropertybyid_u dt_validateloginparams Owner dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo Type User User System System System System System System System System System System System System System System System System System System System System System System System System System Create Date 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26
65
66
Name dt_validateloginparams_u dt_vcsenabled dt_verstamp006 dt_verstamp007 dt_whocheckedout dt_whocheckedout_u GetAccountID GetComputerID GetPathID GetPathIDEx GetPermissionID GetProcessID InsertEntry InsertEntry2 PopulateEventNames PurgeDataByDate Update1 Update2
Owner dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo dbo
Type System System System System System System User User User User User User User User User User User User
Create Date 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:26 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05 3/21/2007 11:05
66
67
Index
.
.lic, 9
E
editing default filters, 35 file path filter, 27 process exclusion filter, 29 user exclusion filter, 31 evaluation period, 10 excluding files, 24 folders, 24 processes, 28 users, 30
A
adding default filters, 34 file path to filter, 24 file servers, 15 process filters, 28 user filters, 30 Advanced Settings, 33 attaching database, 54 Audit Agent starting, 23 stopping, 23 upgrading, 14 Audit Database creating, 15 viewing data, 36 auditing database, 65
F
file extensions .sql, 53 file masks removing, 27 file servers adding, 15 File System Auditor starting, 11 filters file path, 24 process, 28 user, 30
C
creating Audit Database, 15 database, 48
D
database attaching, 54 changing settings, 32 creating, 15, 48 detaching, 50, 55 increasing size, 50 maintenance, 59 moving to another server, 61 purging, 37 shrinking, 51 viewing data, 36 viewing statistics, 53 database schema, 65 Database Wizard, 46 DBCC commands, 59 default filters, 34 detaching database, 50, 55 duplicate entries suppressing, 33
I
including files, 24 folders, 24 increasing database size, 50 installing SQL Server 2005 Express, 32 iSCSI disks, 3
L
license file applying, 9
M
moving database to another server, 61
67
68
O
opening Agent Configuration, 11
P
path filter editing, 27 removing, 27 process filters adding, 28 editing, 29 removing, 29 purging audit database, 37
SLFileAuditor, 65 SQL Script running, 53 SQL Script File, 53 SQL Server 2005 Express, 32 starting Agent Configuration, 11 Audit Agent, 23 stopping Audit Agent, 23 suppressing duplicate entries, 33 system requirements, 3
T
tempdb database, 51 transation log truncating, 56 truncate transaction log, 56
R
reducing database size, 51 register product, 10 removing default filters, 35 file masks, 27 file path filter, 27 process exclusion filter, 29 user exclusion filter, 31
U
upgrading Audit Agent, 14 user filters adding, 30 editing, 31 removing, 31
S
saving connection information, 58 servers moving a database, 61 setting process filters, 28 user filters, 30 setting filters file path, 24 shrinking database, 51
V
viewing data, 36 database statistics, 53
W
web site, 10
68