I'm trying to implement file access auditing on a Windows Server 2019 machine with mixed success.
The server in question is a member server, but not a domain controller.
I have enabled success auditing using a GPO in Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy | Audit Object Access.
I know this is effective, because if I revoke this, the File Access auditing stops.
I moved to enabling auditing at a folder level, but after I'd set up the auditing for a particular folder I found that the server was logging file access events for every event on the server. I checked back up the folder tree to see if there were any policies being inherited, but I found nothing.
So, with auditing enabled, and no auditing policies in place on any folder from the drive root to the shared folder, file access is still being logged throughout the shared folder.
I have worked across the whole drive and checked the audit policy at every key point: there are no audit policies in place.
If I've understood this process, I should only be seeing audit logs for folders and files with audit log entries, and anything below them where the entries are inherited.
To be quite sure, I took a sample log from the event viewer and followed the path, checking every folder from the drive root to the file. Nowhere did I find an audit entry of any kind.
I'm at a loss. I can enable and disable logging using a GPO, but once enabled I'm getting huge volumes of data I can't control, from logging I don't need or want.
I presume I've missed something here, but I have no idea what.
Suggestions?
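
The manual check described in the post (following one logged path from the drive root down to the file and looking for audit entries at each level) can be scripted. The following is an added example, not part of the original post; the function name `Get-AuditEntriesAlongPath` and the sample path are hypothetical placeholders.

```powershell
# Added example (not from the original post).
# Run in an elevated session: reading a SACL requires the
# "Manage auditing and security log" user right.
function Get-AuditEntriesAlongPath {
    param(
        [Parameter(Mandatory)]
        [string]$Path   # full path of a file taken from a logged event
    )

    # Build the chain: the file itself, then each parent up to the drive root.
    $chain = @()
    $current = $Path
    while ($current) {
        $chain += $current
        $current = Split-Path -Path $current -Parent   # empty at the root
    }
    [array]::Reverse($chain)                           # root first

    foreach ($item in $chain) {
        # -Audit makes Get-Acl return the SACL as well as the DACL.
        $rules = @((Get-Acl -LiteralPath $item -Audit).Audit)

        if ($rules.Count -eq 0) {
            [pscustomobject]@{ Path = $item; Identity = '(no audit entries)'
                               Rights = $null; Flags = $null; Inherited = $null }
            continue
        }
        foreach ($rule in $rules) {
            [pscustomobject]@{
                Path      = $item
                Identity  = $rule.IdentityReference
                Rights    = $rule.FileSystemRights
                Flags     = $rule.AuditFlags      # Success, Failure or both
                Inherited = $rule.IsInherited     # True = defined higher up
            }
        }
    }
}

# Constructed sample path; replace with the path from a real event.
Get-AuditEntriesAlongPath -Path 'D:\Shares\Example\report.docx' |
    Format-Table -AutoSize

# Show which Object Access subcategories the GPO setting actually enabled.
auditpol /get /category:"Object Access"
```

A row with `Inherited = False` marks the folder where an audit entry is defined; rows showing `(no audit entries)` at every level reproduce what the post reports finding by hand.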