A year ago, I would've said no chance. Lately, however, I have been surprised. We have actually contributed to open source projects. 

On Thu, Oct 18, 2018 at 6:44 PM Ian Ehrenwald <Ian.Ehrenwald@hbgusa.com> wrote:
I've been prospected by Varonis sales folks numerous times and never had the time or budget.  They are very persistent, I'll give them that.

I guess I'll do some more web searches and if I need to, attempt a roll-my-own.  Basil, any chance you could share this potential project with a suitable open source license if you ever get around to doing it?

________________________________________
From: S. Eno <s.eno@me.com>
Sent: Thursday, October 18, 2018 4:48:46 PM
To: Ian Ehrenwald
Cc: Toasters
Subject: Re: Audit logs for CIFS events

We are using Varonis.



> On Oct 18, 2018, at 1:28 PM, Ian Ehrenwald <Ian.Ehrenwald@hbgusa.com> wrote:
>
> Good afternoon
> Is anyone making use of cDOT auditing capabilities on CIFS shares? I've set up a demo implementation to toy around with and the log output leaves something to be desired, in terms of immediate usefulness/understandability. I was hoping for something that I could hand off to an end user when they ask "why did file X get moved to directory Y?".
>
> My demo auditing policy only has file-ops enabled, and the demo share (on NTFS volume) I am testing auditing with has advanced auditing permissions Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, Delete, Change Permissions, and Take Ownership enabled against my demo user.
>
> When I connect to this share as the demo user and create a directory, copy a file into it, create a subdirectory, and move the file into this subdirectory, I do indeed get logging events I can view with Windows Event Viewer. Technically auditing is working. However, it is difficult to actually put together a chain of events based on the logged information with just my single user access, never mind thousands of users across hundreds of shares.
>
> What are other people using to make sense of this audit data? Exporting via XML instead of EVTX and feeding it to.. something? Custom parsers? Spending hours with the awful Event Viewer and filters when your boss's boss wants an explanation for why files moved? :)
>
>
> Ian Ehrenwald
> Senior Infrastructure Engineer
> Hachette Book Group, Inc.
> 1.617.263.1948 / ian.ehrenwald@hbgusa.com
>
>
> _______________________________________________
> Toasters mailing list
> Toasters@teaparty.net
> http://www.teaparty.net/mailman/listinfo/toasters

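The chain-of-events reconstruction Ian asks about, as an added example that is not part of this thread and not NetApp or Varonis code: it assumes the filer's XML export mirrors the Windows 4663 object-access event layout (`Data Name="..."` fields, hex `AccessMask`) and infers a move from a delete followed within a few seconds by a create of the same file name in another directory by the same user, which is a heuristic, not a filer-reported rename. The sample events are constructed.

```python
# Correlate Windows-style object-access audit events (ID 4663) into a per-user timeline.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from posixpath import basename, dirname  # paths are normalised to '/' below

# Access-mask bits from the Windows object-access model; the export is assumed to use them.
ACCESS_BITS = {0x2: "write/create", 0x4: "append/mkdir", 0x10000: "delete",
               0x40000: "change-permissions", 0x80000: "take-ownership"}

# Constructed sample, not real cDOT output: it mirrors the Windows 4663 event layout
# (EventData/Data Name=...) that the filer's XML export is assumed to follow.
SAMPLE_XML = r"""<Events>
<Event><System><EventID>4663</EventID><TimeCreated SystemTime="2018-10-18T13:00:01Z"/></System><EventData><Data Name="SubjectUserName">demo</Data><Data Name="ObjectName">\\share\dirA</Data><Data Name="AccessMask">0x4</Data></EventData></Event>
<Event><System><EventID>4663</EventID><TimeCreated SystemTime="2018-10-18T13:00:05Z"/></System><EventData><Data Name="SubjectUserName">demo</Data><Data Name="ObjectName">\\share\dirA\file.txt</Data><Data Name="AccessMask">0x2</Data></EventData></Event>
<Event><System><EventID>4663</EventID><TimeCreated SystemTime="2018-10-18T13:00:09Z"/></System><EventData><Data Name="SubjectUserName">demo</Data><Data Name="ObjectName">\\share\dirA\sub</Data><Data Name="AccessMask">0x4</Data></EventData></Event>
<Event><System><EventID>4663</EventID><TimeCreated SystemTime="2018-10-18T13:00:12Z"/></System><EventData><Data Name="SubjectUserName">demo</Data><Data Name="ObjectName">\\share\dirA\file.txt</Data><Data Name="AccessMask">0x10000</Data></EventData></Event>
<Event><System><EventID>4663</EventID><TimeCreated SystemTime="2018-10-18T13:00:13Z"/></System><EventData><Data Name="SubjectUserName">demo</Data><Data Name="ObjectName">\\share\dirA\sub\file.txt</Data><Data Name="AccessMask">0x2</Data></EventData></Event>
<Event><System><EventID>4663</EventID><TimeCreated SystemTime="2018-10-18T13:00:20Z"/></System><EventData><Data Name="SubjectUserName">other</Data><Data Name="ObjectName">\\share\dirB\old.txt</Data><Data Name="AccessMask">0x10000</Data></EventData></Event>
</Events>"""

def parse_events(xml_text):
    # Return the 4663 events as dicts sorted by time, with backslashes normalised to '/'.
    out = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        if ev.findtext("System/EventID") != "4663":
            continue
        data = {d.get("Name"): d.text for d in ev.iter("Data")}
        stamp = ev.find("System/TimeCreated").get("SystemTime")
        out.append({"time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), "user": data["SubjectUserName"],
                    "path": data["ObjectName"].replace("\\", "/"), "mask": int(data["AccessMask"], 16)})
    return sorted(out, key=lambda e: e["time"])

def describe(mask):
    return [name for bit, name in ACCESS_BITS.items() if mask & bit] or [hex(mask)]

def build_timeline(events, window=timedelta(seconds=5)):
    lines, consumed = [], set()
    for i, e in enumerate(events):
        if i in consumed:
            continue
        # Heuristic: delete of X, then within `window` the same user creates X's basename in another directory.
        target = next((j for j, f in enumerate(events[i + 1:], i + 1) if e["mask"] & 0x10000
                       and f["user"] == e["user"] and f["mask"] & 0x2 and f["time"] - e["time"] <= window
                       and basename(f["path"]) == basename(e["path"]) and dirname(f["path"]) != dirname(e["path"])), None)
        who = f'{e["time"]:%H:%M:%S} {e["user"]}'
        if target is None:
            lines.append(f'{who} {", ".join(describe(e["mask"]))} {e["path"]}')
        else:
            consumed.add(target)
            lines.append(f'{who} moved {e["path"]} -> {events[target]["path"]}')
    return lines
```

Running `build_timeline(parse_events(SAMPLE_XML))` collapses the delete/create pair at 13:00:12 into one "moved" line while the lone delete by `other` stays a delete, which is the kind of answer an end user can be handed.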