Thread: Need help for monitoring system

  1. #1

    Need help for monitoring system

    Hi,
    In our lab, we want to monitor the students: which files they have deleted, and some more monitoring tasks. I want to know how I can invoke a program whenever the delete function is invoked by Windows, to log the user activities.
    Something like triggers in a DBMS.
    Thanks in advance.
    - lok.

  2. #2
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    sorry, I would just like to clarify.

    You want a program that will log it every time they delete something? does this include uninstalls? do you want an instant alert, or more of just a log?

    Off the top of my head I'm not sure of a program that does this, but I would be happy to help you research it a bit if you give a little more info (how many computers, what exactly your intentions are (i.e. prevention of deletion?), OS, etc.).
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  3. #3
    AO Senior Cow-beller
    Moderator
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    If your intention is to detect and STOP users from deleting things, look into DeepFreeze. I know nothing about it except for some points raised in another post here recently, but it looks to pretty much lock down ('freeze') a system state so end users can't change anything.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Deep Freeze is a great program. It pretty much takes a snapshot of your system, and any changes made to the system will be undone after a restart. It's more for people adding things than deleting them, but it should work. But you could also set permissions to not allow things to be deleted by users, if you are going only for prevention.

  5. #5
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    You could also look into the built-in auditing functionality of the OS in question. Linux keeps a log of the commands run by the user. Windows has the ability to turn on auditing for file access and so on.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    As Juridian has said, use what's already available to you first. I'm assuming you're running Windows because *nix users know there's a difference. I'm also assuming you're running 2k or better just because we're into 2005.

    by default windows audits the failure of 'object access'. it can be made to audit successful access by:

    going to the start button selecting 'run' and entering 'secpol.msc'. expand Local policies, double click 'audit object access' then click on the check box labeled 'success'. click OK and it's done.

    You can then use dumpel.exe, a tool that can be found in the resource kit, to read the event logs remotely. You can then redirect the output (>) to a text file and view it in Notepad, or take it a step further and look for a string that's particular to the type of event you're looking for, then pipe the output of dumpel to 'find' "your string" >el.txt. Put this in a batch file and it's there when you want it. You'll have a text file containing only successfully accessed objects.

    this process can be automated to do all computers using the for command or you can just go to each computer and use the event viewer... which is to me a real pain in the ass. i like to use the 'find' method to show all failed attempts at anything by all of our servers. yesterday i found a raid5 hard drive was failing but giving no visible signs, called dell and they sent a replacement which i received today...before we had a major problem. my boss gave me a "good catch" which made me feel good. i said "put it in my paycheck".

    if you think this will be useful to you i can expand upon it if you like.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
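
The filtering step from post #6, as an added example that is not part of the original thread: instead of a plain string match, it pairs each "object open" audit event that requested DELETE access (event ID 560 in the Windows 2000/XP/2003 Security log) with the later "object deleted" event (ID 564) on the same handle, so only files that were actually deleted are reported. The tab-separated column order, the description wording and the sample lines are constructed assumptions, and `deleted_files` is a hypothetical name.

```python
import csv
import io
import re

# Constructed sample lines, not real log output. Assumed layout: tab-separated
# columns date, time, type, category, event ID, source, user, computer, description.
SAMPLE = "\n".join([
    "1/12/2005\t10:01:07 AM\t8\t3\t560\tSecurity\tLAB\\student1\tLAB-PC01\t"
    "Object Open: Object Type: File Object Name: C:\\Labs\\report.doc "
    "Handle ID: 1204 Accesses: DELETE ReadAttributes",
    "1/12/2005\t10:01:07 AM\t8\t3\t564\tSecurity\tLAB\\student1\tLAB-PC01\t"
    "Object Deleted: Object Server: Security Handle ID: 1204",
    "1/12/2005\t10:03:40 AM\t8\t3\t560\tSecurity\tLAB\\student2\tLAB-PC02\t"
    "Object Open: Object Type: File Object Name: C:\\Labs\\notes.txt "
    "Handle ID: 1380 Accesses: ReadData ReadAttributes",
    "1/12/2005\t10:05:12 AM\t8\t3\t560\tSecurity\tLAB\\student2\tLAB-PC02\t"
    "Object Open: Object Type: File Object Name: C:\\Labs\\quiz.xls "
    "Handle ID: 1412 Accesses: DELETE",
])

OPEN_RE = re.compile(r"Object Name: (.+?) Handle ID: (\d+) Accesses: (.*)")
HANDLE_RE = re.compile(r"Handle ID: (\d+)")


def deleted_files(export_text):
    """Return (user, computer, path) for each open-with-DELETE that is
    followed by an 'object deleted' event on the same computer and handle."""
    pending = {}    # (computer, handle) -> (user, path), waiting for a 564
    confirmed = []
    reader = csv.reader(io.StringIO(export_text), delimiter="\t",
                        quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) < 9:
            continue  # skip blank or truncated lines
        event_id, user, computer, desc = row[4], row[6], row[7], row[8]
        if event_id == "560":
            m = OPEN_RE.search(desc)
            if m and "DELETE" in m.group(3).split():
                pending[(computer, m.group(2))] = (user, m.group(1))
        elif event_id == "564":
            m = HANDLE_RE.search(desc)
            hit = pending.pop((computer, m.group(1)), None) if m else None
            if hit:
                confirmed.append((hit[0], computer, hit[1]))
    return confirmed


if __name__ == "__main__":
    for user, computer, path in deleted_files(SAMPLE):
        print(f"{computer}\t{user}\tdeleted {path}")
```

These events are only written for files and folders that have auditing entries set on them (Properties, Security, Advanced, Auditing); enabling the policy alone logs nothing.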
