I was approached a few days ago to develop a solution for monitoring access to a folder on a server (with auditing enabled). My first approach was to try to monitor the files' last access time, but I found this to be somewhat unreliable. So my next method was to monitor the system's event logs. This proved much more reliable, if not a little too much at times.
Drop the code below in a .vbs file, execute it, and sit back and relax.
strComputer = "." 'TODO: Enter the server's name here ("." is the local computer)

' The (Security) privilege is needed to read the Security event log
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Security)}!\\" & _
    strComputer & "\root\cimv2")

' Subscribe to new event log records as they are written
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
    ("Select * from __instancecreationevent where " _
    & "TargetInstance isa 'Win32_NTLogEvent' " _
    & "and TargetInstance.EventCode = '560' ") 'TODO: modify the event code to fire on whatever you require

Do
    ' Blocks until the next matching event arrives
    Set objLatestEvent = colMonitoredEvents.NextEvent
    strAlertToSend = objLatestEvent.TargetInstance.User _
        & " has accessed a folder on a server" 'TODO: Modify the alert you would like to receive
    Wscript.Echo strAlertToSend

    ' Send the alert by e-mail through an SMTP server (sendusing = 2 means "send over the network")
    Set objEmail = CreateObject("CDO.Message")
    objEmail.From = "alerts@example.com" 'TODO: Specify a from address (placeholder)
    objEmail.To = "admin@example.com" 'TODO: Enter a To address (placeholder)
    objEmail.Subject = strAlertToSend
    objEmail.Textbody = strAlertToSend
    objEmail.Configuration.Fields.Item _
        ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
    objEmail.Configuration.Fields.Item _
        ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = _
        "mail.example.com" 'TODO: Specify your mail server's name here (placeholder)
    objEmail.Configuration.Fields.Item _
        ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
    objEmail.Configuration.Fields.Update
    objEmail.Send
Loop
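
Because the script above e-mails on every matching event, a busy share can produce far more alerts than anyone will read. The following is an added example, not part of the original script: it only alerts when the event message mentions the watched folder, and at most once per user per quiet period. The folder path, the quiet period, the function names and the sample events are all constructed for illustration.

```vbscript
Option Explicit
' Assumed settings for this example (not from the original script)
Const WATCHED_FOLDER = "D:\Shares\Finance"   ' constructed sample path
Const QUIET_SECONDS = 300                    ' one alert per user per 5 minutes

Dim dictLastAlert
Set dictLastAlert = CreateObject("Scripting.Dictionary")
dictLastAlert.CompareMode = vbTextCompare    ' CORP\alice and corp\ALICE are the same user

' True when the message names the watched folder or something beneath it
Function MentionsFolder(ByVal strMessage)
    Dim pos, nextChar
    MentionsFolder = False
    pos = InStr(1, strMessage, WATCHED_FOLDER, vbTextCompare)
    Do While pos > 0
        nextChar = Mid(strMessage, pos + Len(WATCHED_FOLDER), 1)
        If nextChar = "" Or nextChar = "\" Or nextChar = " " Or nextChar = vbTab Or nextChar = vbCr Or nextChar = vbLf Then
            MentionsFolder = True
            Exit Function
        End If
        pos = InStr(pos + 1, strMessage, WATCHED_FOLDER, vbTextCompare)
    Loop
End Function

' True when the event concerns the watched folder and this user has not
' already triggered an alert within the last QUIET_SECONDS
Function ShouldAlert(ByVal strUser, ByVal strMessage, ByVal dtmSeen)
    ShouldAlert = False
    If IsNull(strMessage) Then Exit Function
    If Not MentionsFolder(strMessage) Then Exit Function
    If IsNull(strUser) Then strUser = "(unknown user)"
    If dictLastAlert.Exists(strUser) Then
        If DateDiff("s", dictLastAlert(strUser), dtmSeen) < QUIET_SECONDS Then Exit Function
    End If
    dictLastAlert(strUser) = dtmSeen
    ShouldAlert = True
End Function

' Constructed sample events: user, message excerpt, seconds after start
Dim arrSamples, dtmStart, rec
dtmStart = Now
arrSamples = Array( _
    Array("CORP\alice", "Object Name: D:\Shares\Finance\q3.xls", 0), _
    Array("CORP\alice", "Object Name: D:\Shares\Finance\q4.xls", 20), _
    Array("CORP\bob", "Object Name: D:\Shares\FinanceOld\a.txt", 30), _
    Array("corp\ALICE", "Object Name: D:\Shares\Finance", 400))
For Each rec In arrSamples
    WScript.Echo rec(0) & " -> " & ShouldAlert(rec(0), rec(1), DateAdd("s", rec(2), dtmStart))
Next
```

In the monitoring loop, the same check would wrap the e-mail step, passing objLatestEvent.TargetInstance.User, objLatestEvent.TargetInstance.Message and Now.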