1. Community Tip: Please Give Thanks to Those Sharing Their Knowledge.
    If you receive helpful answer on this forum, please show thanks to the poster by clicking "LIKE" link for the answer that you found helpful.
  2. Community Tip: Forum Rules (PLEASE CLICK HERE TO READ BEFORE POSTING)
    Click the link above to access ADSM.ORG Acceptable Use Policy and forum rules which should be observed when using this website. Violators may be banned from this website. This notice will disappear after you have made at least 3 posts.

Windows audit feature

Discussion in 'Backup / Archive Discussion' started by swamp2k, Jul 17, 2017 at 8:58 AM.

  1. swamp2k

    swamp2k ADSM.ORG Member

    Joined:
    Jul 18, 2007
    Messages:
    8
    Likes Received:
    0
    Hi,
    I have a windows server on which the owner would like to activate windows file auditing, however, when he does it also trigger a new full backup. So apparently some file and folder attributes change.
    Anyone know if there is a way around this? Im afraid I don't quite know which attributes change in the file.

    I'd like to let him use the audit feature, but triggering a full backup is a rather nasty side effect.
     
  2.  
  3. marclant

    marclant ADSM.ORG Moderator

    Joined:
    Jun 16, 2006
    Messages:
    2,462
    Likes Received:
    346
    Occupation:
    Accelerated Value Specialist for Spectrum Protect
    Location:
    Canada
    The Spectrum Protect client looks at several things to see if a file has changed or not.

    Changes include any of the following:
    • File size
    • Date or time of last modification
    • Extended Attributes
    • Access Control List
    • Sparse, reparse point or encrypted file attributes.
    • NTFS file security descriptors. These are the Owner Security Identifier (SID), Group SID, Discretionary Access Control List (ACL), and System ACL.
    source: https://www.ibm.com/support/knowled...0/com.ibm.itsm.client.doc/c_bac_fullpart.html

    The Auditing falls under the System ACL.
    upload_2017-7-17_10-33-17.png



    So if this changes, the file is backed up because those attributes are part of the file, not separate from the file. Because it changed, the whole file is backed up so that if you ever have to restore those files, they will be restored with their current SACL.
     
  4. swamp2k

    swamp2k ADSM.ORG Member

    Joined:
    Jul 18, 2007
    Messages:
    8
    Likes Received:
    0
    That's very interresting! Thanks.
    I'll have a look right away and see where that leaves me :)
     
  5. swamp2k

    swamp2k ADSM.ORG Member

    Joined:
    Jul 18, 2007
    Messages:
    8
    Likes Received:
    0
    Very nice. So I guess the big question is, what - if anything - can I do about it?
    Since the ACL is an integral part of the file, maybe there isn't much to do. Or is there an option I haven't found that ignores that part of file checking?
     
  6. marclant

    marclant ADSM.ORG Moderator

    Joined:
    Jun 16, 2006
    Messages:
    2,462
    Likes Received:
    346
    Occupation:
    Accelerated Value Specialist for Spectrum Protect
    Location:
    Canada
    There is, but in 99.9% of cases, not recommended. You could use the client option "Skipntpermissions yes"

    However, if you use that option, file permissions are NOT backed up. Therefore if you restore the filesystem, all files and directories will be restored WITHOUT permissions and you or someone will have to manually go and set file permissions on the entire directory structure.

    If you already enabled auditing, it's best to just bite the bullet and let it backup all files that have auditing enabled.

    If you have not enabled auditing yet, maybe consider doing it for more critical directories instead of the entire filesystem.
     

Share This Page