How to generate the Change Reports successfully?

NTFS Change Auditor reports the change data for any audit actions performed on Share/Folder/File objects in the File System. The change data is retrieved from the event log of the target server(s)/workstation(s) on which the shares reside and where the change is made.

The change data may sometimes not appear in the report immediately after a change is performed in the file system (the report window will be empty/blank). This may be due to a delay or failure in the NTFS Listener Service application receiving the event subscription notification. Click the 'Refresh' button in the report window to refresh the report.

If the generated report remains unavailable, check the following points so that the event data can be retrieved successfully:

  • Enable the Audit object access policy and set it to Success in the Default Domain Policy or Local Computer Policy, as shown below:

  • On the Folder or File in which you wish to track changes, select the Create files / Write data, Create folders / Append data, Write attributes, Write extended attributes, Delete subfolders and files, Delete and Change permissions properties, as shown below:

  • Ensure that no event flooding occurs. Flooding may sometimes prevent the NTFS Listener Service application from receiving the subscribed events. For example, ensure that Read attributes and Read extended properties are not selected in the object's Auditing tab. Selecting these settings creates a flurry of events on the host and causes event flooding.

  • Disable firewall protection to read event logs: Ensure that Windows Firewall on the target server/workstation does not prevent remote clients from reading its event logs.

  • Ensure that the 'NTFS Listener Service' is running on the computer where the Vyapin NTFS Security Management Suite application is installed (this can be verified in How to view the subscription status of computers?).
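
One way to check these points from PowerShell, as an added example that is not part of the Vyapin documentation or product. It assumes an elevated session on an English-language Windows build, that the listener's service display name is exactly 'NTFS Listener Service', and that the built-in 'Remote Event Log Management' firewall rule group is what permits remote event log reads; the function name `Test-ChangeAuditPrereqs` and the sample path are hypothetical.

```powershell
# Added example (not Vyapin's code): report which checklist items are satisfied.
function Test-ChangeAuditPrereqs {
    param(
        [Parameter(Mandatory)][string]$Path,                    # audited folder or file
        [string]$ServiceDisplayName = 'NTFS Listener Service'   # assumed display name
    )
    $fsr      = [System.Security.AccessControl.FileSystemRights]
    $required = 'WriteData','AppendData','WriteAttributes','WriteExtendedAttributes',
                'DeleteSubdirectoriesAndFiles','Delete','ChangePermissions'
    $noisy    = 'ReadAttributes','ReadExtendedAttributes'       # sources of event flooding

    # 1. Effective "Audit object access" setting for the File System subcategory.
    $pol      = auditpol /get /subcategory:"File System" /r | Where-Object { $_ } | ConvertFrom-Csv
    $policyOk = [bool]($pol.'Inclusion Setting' -match 'Success')

    # 2. Rights covered by audit entries (SACL) on the object. Reading the SACL needs elevation.
    $successMask = 0; $anyMask = 0
    foreach ($rule in (Get-Acl -Path $Path -Audit).Audit) {
        $anyMask = $anyMask -bor [int]$rule.FileSystemRights
        if ($rule.AuditFlags.HasFlag([System.Security.AccessControl.AuditFlags]::Success)) {
            $successMask = $successMask -bor [int]$rule.FileSystemRights
        }
    }
    $missing  = @($required | Where-Object { $b = [int][Enum]::Parse($fsr, $_); ($successMask -band $b) -ne $b })
    $flooding = @($noisy    | Where-Object { $b = [int][Enum]::Parse($fsr, $_); ($anyMask -band $b) -eq $b })

    # 3. Firewall: either no profile is enabled, or an inbound allow rule for event log reads is.
    $fwOn  = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' }).Count -gt 0
    $allow = @(Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' -and $_.Direction -eq 'Inbound' })

    # 4. Listener service; meaningful only on the computer where the suite is installed.
    $svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        AuditPolicySuccess    = $policyOk
        MissingAuditRights    = $missing -join ', '
        FloodingAuditRights   = $flooding -join ', '
        RemoteEventLogAllowed = (-not $fwOn) -or ($allow.Count -gt 0)
        ListenerRunning       = [bool]($svc | Where-Object { $_.Status -eq 'Running' })
    }
}

# Usage (placeholder path): Test-ChangeAuditPrereqs -Path 'D:\Shares\Finance' | Format-List
```

Empty `MissingAuditRights` and `FloodingAuditRights` values mean the Auditing tab matches the list above. Composite audit entries such as Read or Full control include the read-attribute rights and will show up under `FloodingAuditRights`.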