Questions tagged [audit]
Observing/logging a resource for purposes of:
- Adding it to a blacklist or whitelist
- Keeping tabs on the security of a system
332 questions
Score of 0
1 answer
178 views
File Server Create Folder / File Auditing
I set Audit File Access to Success, Failure.
I checked the CREATE, DELETE, WRITE attributes under auditing in the relevant folder.
If I delete a folder or file, I see it successfully under EVENT ID ...
Score of 1
1 answer
767 views
How to tell if my project / server was compromised by the shai hulud npm supply chain attack?
On September 15 2025, an npm supply chain attack named shai hulud was discovered. It extracts secrets from git repositories, either by injecting GitHub Actions and trufflehog.
From my ...
Score of 2
0 answers
214 views
Can't get File Audit Settings to generate events for folder creation
I am trying to monitor folder creation, moves and renames for a certain directory.
I have enabled "Audit File System" in group policy.
And have configured the folder audit settings per below....
Score of 0
0 answers
216 views
Setting up IBM HTTP server audit_log rotate
I found somewhere online that you can set up log rotation for audit_log on httpserver, so in my modsecurity.conf I switched logging conf from:
SecAuditLog logs/audit_log
to
SecAuditLog "|/usr/IBM/...
Score of 2
2 answers
314 views
How do I identify compromised Microsoft 365 mailboxes
Several users have reported receiving phishing emails, and one at least has admitted to following the link. Investigation found that their Microsoft 365 account had been compromised (despite MFA being ...
Score of 3
1 answer
959 views
Fedora 40: auditctl doesn't audit creating, editing and deleting to files as expected
Many thanks for @Romeo Ninov's help! The mistakes I made are
should use file /etc/audit/rules.d/audit.rules to add a rule for RedHat 7 & 8
should use service auditd restart to restart auditctl ...
Score of 1
0 answers
70 views
Audit trasspasing information
I would like to know if there is a way to audit what files a user is "passing" from the file server to their local environment.
I have the event viewer enabled but I can only see which file ...
Score of 0
1 answer
807 views
How to enable service installation event (event id 4697) in Windows 7?
In Windows 10, after I use the following command to enable Security System Extension:
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:disable
Whenever a new ...
Score of 2
2 answers
505 views
Splunk Enterprise - Configure to drop specific events
I have a simple Splunk set-up. About 120 or so Linux servers (that are all basically appliances) w/ universal forwarder installed, and a single Linux server running Splunk Enterprise acting as the ...
Score of 0
1 answer
623 views
How do I use Azure Log Analytics to discover what a service account is doing when it signs in?
I have started working as sysadmin at a company that uses Microsoft 365. Before I started a few generically named accounts with the Global Administrator role were being used by multiple people to do ...
Score of 0
0 answers
271 views
OpenShift action audit log
Good day everyone!
I am looking if there is any way to audit or look at an audit log for any specific actions done by a specific user on a deployment for example.
My goal would be to see, who scaled ...
Score of 0
1 answer
1433 views
How to create a GPO to audit start/stop of a service not running on the DC?
I'm trying to enable auditing of service start/stop events for a few specific services on a group of domain computers, and to make this change using Group Policy.
I've seen this answer, however when I ...
Score of 1
0 answers
755 views
How to set proctitle to ascii in auditd?
I configured auditd to send the logs to SIEM through rsyslog.
But when I get those logs the proctitle is in hex.
Ex.:
<134>Aug 25 17:08:44 vmauditd tag_audit_log: node=vmauditd type=PROCTITLE ...
Score of 3
1 answer
8650 views
Linux Auditd: Error receiving audit netlink packet (No buffer space available)
I have some Linux servers that are getting errors like the below in the logs...
auditd[1074]: Error receiving audit netlink packet (No buffer space available)
I know HOW to resolve the issue (tweak ...
Score of 0
1 answer
425 views
Cannot limit file access auditing on Windows Server 2019
I'm trying to implement file access auditing on a Windows Server 2019 machine with mixed success.
The server in question is a member server, but not a domain controller.
I have enabled success ...