Report is missing a few new file created events



#1 RIppie


Posted 08 July 2020 - 02:33 PM

Hi all,

Just installed the free version of Netwrix Auditor and added a network share to a monitoring plan. I created 1 file and then quickly copied it 3 times, so now I have 4 files.
When I click update in the plan it sent me an email, but it said only 3 files were created.

A bit later I did a similar exercise where I created a file, waited a minute or 2, then deleted it before creating a new one. Again it missed the first file being created.

Also, Netwrix did not automatically configure the audit settings on the target server.

Netwrix server is a domain-joined Windows Server 2016.

Target file server is workgroup-joined and is Windows Server 2019.

Does anyone have any idea as to what is going on? I have to rely on these reports if we enable this on 2 machines used for banking.



#2 Kirill K


Posted 08 July 2020 - 03:39 PM

Hi there,

What is the use case of such a test scenario?


Best regards,
Forum Engineer
 


#3 RIppie


Posted 08 July 2020 - 05:42 PM

Hi Kirill,

I have to make sure that Netwrix catches all new file creations and deletions in 2 folders within a network share. These are used for banking payments (BACS files that go between our finance system and SWIFT).

To ensure all files that arrive and get deleted are part of our auditing.



#4 Kirill K


Posted 09 July 2020 - 09:26 AM

Hi there,

Thank you for the details.

Is it correct that copying the same object 3 times, or creation/deletion within 1-2 minutes, are exactly the actions which occur during banking payments?


Best regards,
Forum Engineer
 


#5 RIppie


Posted 09 July 2020 - 09:40 AM

Hi Kirill,

To be honest I am not 100% sure. I know that we transfer files from our FTP server that come from Workday, using RoboCopy to copy files over to the Alliance Lite 2 server (both Windows servers). That copy schedule happens every 10 minutes. We do this in both directions, every 10 minutes.

Often there are no files to copy, so the scripts just exit when there are no files.

Anyway, I am a little bit concerned that file operations like create and delete, if they happen too quickly, are not picked up by the auditor? Do you have any info you can give on this?



#6 Kirill K


Posted 09 July 2020 - 10:02 AM

"Anyway, I am a little bit concerned that file operations like create and delete, if they happen too quickly, are not picked up by the auditor? Do you have any info you can give on this?"

Activity tracking is based on snapshot and security log events; data is collected every 10 minutes.

The snapshot reflects the current state of the file system for the shared folder specified in the settings.

The snapshot is collected and then updated by the events from the security event log.

Consider the situation when you create a file and delete it after two minutes. If there was data collection between these two actions, the report contains records on addition and deletion, because the snapshot is updated after the collection and contains information about the created object. If the data collection does not fall between adding and deleting the object, only the deletion will be displayed in the report, because the snapshot has no information about the created object.


Best regards,
Forum Engineer
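
The collection behaviour described in the reply above, as a simplified model (an added example, not Netwrix code and not part of the original posts). The function names, the sample file names and the two-rule model itself are assumptions drawn only from that description:

```python
from dataclasses import dataclass

COLLECTION_INTERVAL = 600  # seconds; the reply states data is collected every 10 minutes


@dataclass(frozen=True)
class FileOp:
    t: int       # seconds since monitoring started
    action: str  # "create" or "delete"
    path: str


def reported_changes(ops, horizon, interval=COLLECTION_INTERVAL):
    """Model of the reply: an addition is reported only if the file exists at a
    collection and is absent from the previous snapshot; a removal is reported
    from the security log events gathered since the previous collection."""
    snapshot, live, report = set(), set(), []
    pending = sorted(ops, key=lambda o: o.t)
    i = 0
    for now in range(interval, horizon + 1, interval):
        removed = []
        while i < len(pending) and pending[i].t <= now:
            op = pending[i]
            i += 1
            if op.action == "create":
                live.add(op.path)
            else:
                live.discard(op.path)
                removed.append(op.path)
        report += [(now, "Added", p) for p in sorted(live - snapshot)]
        report += [(now, "Removed", p) for p in removed]
        snapshot = set(live)  # snapshot is updated after each collection
    return report


def missed_creations(ops, horizon, interval=COLLECTION_INTERVAL):
    """Paths that were created but never appear as 'Added' in the report."""
    added = {p for _, kind, p in reported_changes(ops, horizon, interval) if kind == "Added"}
    return sorted({o.path for o in ops if o.action == "create"} - added)


# Constructed sample: a.bacs lives entirely between two collections,
# b.bacs is created before the 600 s collection and deleted after it.
SAMPLE_OPS = [
    FileOp(60, "create", "a.bacs"), FileOp(180, "delete", "a.bacs"),
    FileOp(540, "create", "b.bacs"), FileOp(660, "delete", "b.bacs"),
]

if __name__ == "__main__":
    for row in reported_changes(SAMPLE_OPS, horizon=1200):
        print(row)
    print("creations missing from report:", missed_creations(SAMPLE_OPS, 1200))
```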
 




