I am embarking on a journey to monitor certain critical files within our environment.
Windows event logging appears to give me information when someone uses certain rights against files when auditing in enabled, so from that perspective, Check!
The problem I am running into is that when you create a file, a 4663 event is not generated - for some reason it's not being seen as a "write" access. I can use 4663 to monitor Modify/Write access to an EXISTING file and delete actions against a file, but I can't seem to get this last piece of the puzzle.
There seems to be a lot of mixed information out, some have said 4656 events, but those are requests against an object, and not necessarily the action taken against the file from what I've read.
Anyone else run into this? Is there a way to track this info accurately with event logging?