Enable Audit Logging
- To enable audit logging, open Group Policy Editor from the Start menu.
- Navigate to Audit Object Access as shown below.
- Select the attempts that we need to audit. This can be Success, Failure, or both, based on the desired outcome.
- Auditing is now enabled.
Group Policy Update
Next, we need to update Group Policy.
- Open Windows PowerShell or Command Prompt in Admin mode.
- Type gpupdate /force and press Enter. Wait for the Computer and User policy to update.
Folder Permissions
Next, we need to set permissions on the folder where we want audit logging.
- Navigate to the folder properties.
- Select the Security tab and hit Advanced.
- Click on Add.
- Select the permissions for which we need to enable logging. For example, if we need to audit any deletion from this folder, select the two options encircled below.
- Hit OK.
Event Viewer
- Next, open Event Viewer and hit Create Custom View to easily filter the desired logging.
- Navigate to the XML tab and paste the query given below as shown. Edit the path in the query to match the file we want to monitor.
  <QueryList>
    <Query Id="0" Path="Security">
      <Select Path="Security">
        *[EventData[Data[@Name='ObjectName'] and (Data='C:\Program Files (x86)\Sliq\test.txt')]]
      </Select>
    </Query>
  </QueryList>
- Hit OK and the view will show logging for this location only.
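
The folder-permission and custom-view steps above can also be scripted. The following PowerShell is an added example, not part of the original page: it checks the audit policy, adds a deletion audit rule to the folder, and runs the same XML query with Get-WinEvent. The Everyone principal and the two deletion rights are assumptions, since the page does not name them; the paths are the sample paths from the query.

```powershell
# Added example; run in an elevated PowerShell session. Sample paths from the page's query.
$folder = 'C:\Program Files (x86)\Sliq'
$target = Join-Path $folder 'test.txt'

# Check that the Object Access policy is in effect after gpupdate /force.
auditpol /get /category:"Object Access"

# Add an audit rule for deletions. Assumptions: the principal is Everyone
# (well-known SID S-1-1-0) and the two rights are Delete and
# DeleteSubdirectoriesAndFiles; the page does not name either.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Build the page's XML query for $target. XML-escape the path; a single quote
# in the path would end the XPath string literal early, so reject it.
if ($target.Contains("'")) { throw "Path contains a single quote: $target" }
$path = [System.Security.SecurityElement]::Escape($target)
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='ObjectName'] and (Data='$path')]]
    </Select>
  </Query>
</QueryList>
"@

# List recent matching events with the fields that show who touched the file.
Get-WinEvent -FilterXml $query -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time       = $evt.TimeCreated
            EventId    = $evt.Id
            User       = $data['SubjectUserName']
            Object     = $data['ObjectName']
            AccessMask = $data['AccessMask']
        }
    }
```

If the last command returns nothing, confirm that the auditpol output shows Success and/or Failure for the File System subcategory and that the file has been accessed since the audit rule was added.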