Well, I am in a scenario where there is a requirement to see the logs of the files or directories which are created on any Windows system which is integrated with the log decoder.
So to achieve this, what I did was enable system auditing on that specific directory on the Windows machine, but if I refer to the respective logs on the concentrator from the investigation pane, I am only able to find the logs related to "auditing settings on object were changed" under the "Event Description" meta, and under that I am only able to see the details of those files & folders which are already there.
But what I am looking for is that, if I add any directory or file and delete any file within the same directory, then the logs should come and I can see them on my concentrator with some basic details like:
which file has been created & deleted
which folder has been created & deleted
which file has been created & deleted from which user
if any permission gets changed on a file or directory
I am looking for some relevant information about any audit change on a specific folder, with its proper Windows event ID.
Please suggest how I could achieve that kind of auditing on a directory with the help of NetWitness.
Hope to hear from you.