Search This Blog

Tuesday 27 May 2008

Undocumented - Auditing with WatchDirectory


The Audit Plugin writes auditing reports for all changes detected inside the monitored directory. The format of these reports is considered not very "user friendly" by most people. In this blogpost I will show you an undocumented feature that allows you to change the appearance of these reports.

The default format

If you "do nothing", the audit information that is written looks like this:

File/Directory C:\WUTemp\Disasm.log 
   from 7/24/2005 10:41:31 AM to 7/24/2005 10:41:31 AM
[2036] 7/24/2005 10:41:31 AM, Open File by GDPLAP\\Jeremy. Program C:\WINDOWS\explorer.exe. 
   Permissions requested Delete, Read Attributes
   [2036] 7/24/2005 10:41:31 AM, Used a granted permission. Permission used Delete
   [2036] 7/24/2005 10:41:31 AM, Delete 
[2036] 7/24/2005 10:41:31 AM, Close

This tells you that user GDPLAP\\Jeremy used Windows Explorer to delete the file C:\WUTemp\Disasm.log on July 24, 2005 10:41:31 AM.

Change the report format

To change the report format, you need to create a text file named "template.txt" in the "task directory" of this auditing task. Below I assume you have named your task AuditDirectory.

  • Stop the task (AuditDirectory)
  • In the WD Control Center, select the menu "Tools -> Explore Task Directory.
    This opens Windows Explorer in the directory with all your task settings, normally
    C:\Documents and Settings\All Users\Application Data\watchDirectory
  • Open the sub-directory with the same name as your task (AuditDirectory)

Inside this directory, you need to create a file called template.txt. Write the text for the desired layout in this text file. You can use the following variables in this file:

%WD_USER%The user who "did it"
%WD_COMPUTER%The computer from which the user "did it"
%WD_PROGRAM%The program the user used
%DEFAULT%The original message-format (not very useful)

You can also use all variables listed here.


User who did it %WD_USER% (on computer %WD_COMPUTER%)
Using this program %WD_PROGRAM%
The file %WD_FILE%
The original name %WD_OFILE% (if the file was renamed)
What happened is %WD_REASON%
The default auditing output:

No comments: