Cheshire Cat Computing

Hello All,

First, this agent fits the bill for what I am doing perfectly. Thanks for all the hard work.

I want to catch permission changes on a specified folder and report them back to nagios. I am unsure what to scan for though. Should it be event id 562? Do I need to include the path of the folder I am watching? Should I look for 'WRITE_DAC' in the event?

I have tried a few things but I can quite get there. One problem is that windows throws about a million events into the log when a permission changes takes place...

Thanks in advance!

-mwm

First thing to do is to identify examples of the messages you want to catch, and look for similarities. Maybe you can give a list of event IDs with an Event Source string, if they come from the same program. If this won't work, then try the regexp match (you can create all sorts of regexps to match almost anything including multiple pattersns and so on)

If you have a particularly difficult list of matches, then you can create multiple filters (remember, only the FIRST match is used).

I cant give you much help unless I have details on exactly what event you want to match. Usually, the best way to go is to match the Source and EventID if possible, and use regexp as a last resort

_________________
Steve Shipway
UNIX Systems, ITSS, University of Auckland, NZ
Woe unto them that rise up early in the morning... -- Isaiah 5:11

Thanks for the reply.

What I am trying to do is report when an attempt is made to change the permissions on a specific folder on a 2k3 server. 2K3 reports MANY events in this case and I am unsure how to trap it.

Guess it comes down to figuring what to trap on... Maybe someone else on the forum has done this....