Greyware System Change Log

System Change Log

Low-overhead Windows service tracks file deletes, renames, and changes, keeps a log so administrators can see what changed and when. Complements Windows's built-in system auditing.

Overview

The System Change Log service monitors your disks for changes, and records a detailed log of file activity separate from the regular Windows event logs. System Change Log allows easy security review of changes to your critical files without wading through the extraneous and cryptic Event Viewer audit records generated by standard system auditing.

System Change Log Control Panel Applet

System Change Log works with or without Windows's auditing enabled to record file and folder creation, deletion, modification, renaming, and security descriptor changes. If standard auditing is enabled, System Change Log can also report the user account of the person making the change (see the information on the Track User Information option below).

The System Change Log Control Panel applet lets you easily configure all aspects of SCL's activities, including which types of events to monitor. See at a glance and control what is being monitored on your system without painstakingly using Explorer or other tools to apply individual audit attributes to the desired disks or directories!

The System Change Log is kept in standard text format so it can be easily archived or imported into other programs such as custom databases or spreadsheets for analysis. No need to bother with manually exporting log extracts, or worrying about reading incompatible Event Viewer log formats on different versions of Windows.

 

Features

Runs on 32 & 64-bit Windows XP, 2003, Vista, 2008, and Windows 7

Easily monitor NTFS file systems for changes. Know what's changed and who did it.

Record only the security information you want without wading through hundreds of unwanted audit events!

Reports the user account or program making a change!

Keep detailed, easy-to-read logs of your choice (Text, CSV, Windows Event, Syslog)!

Automatically adjusts your Windows file auditing settings without having to wade through Local Security or Active Directory policies

 

Documentation

System Change Log runs as a background system service. You configure the options for the service by using the System Change Log Control Panel Applet (click the icon found in the Control Panel).

Note: If User Account Control (UAC) is enabled on your system, you may need to right-click the System Change Log icon in the Control Panel and choose Run as Administrator to open the applet.

System Change Log Control Panel Applet

Note: Changes you make on the applet will not take effect until you click the Apply button.

Montored Paths

Click the Add button to add a specific path or drive to the list of monitored paths. Click the Remove button to remove the highlighted path or drive.

When you select a folder, subdirectories are always included, so an entry of C:\ means your entire C: drive.

Important: You should only monitor the drives and paths where you need the information. Monitoring all activities on all drives can slow down your system and fill up your log files. Adjust the entries in this box to match your actual monitoring requirements.

Tracking Options

If checked, System Change log will record a log entry for the following events:

Track file Creations:
Track file Deletions:
Track file Changes:
Track file Renames:
Track file attribute changes:
Track NTFS Stream changes:
Track security Changes:

Track User Information:
Click this button to bring up the Auditing dialog:

The Auditing Dialog Page

 

Due to the way Windows handles file activity internally, System Change Log can only report the name of a user account or program that makes a change if the success reporting function of Windows Files/Folders security auditing is enabled for the monitored path(s).

Fortunately, System Change Log handles the complexity of enabling the right kind of auditing for you. This dialog displays the current status of the three tasks necessary to successfully track user information. If any item is set incorrectly, click the Fix button to remedy it.

Note: If you add new paths to the Monitored Path list, you will need to Fix the Specific File and Folder auditing... item to be sure it is enabled properly for the new paths.

Next, click the Files tab to bring up the Includes and Excludes dialog box:

The Files Tab Page

Included Files

Use this function if you want to tell System Change Log to monitor files by the file type (extension) instead of the default of monitoring all files in the monitored path(s).

Excluded Paths and Files

List paths or files, one per line, that you want System Change Log to ignore. You may use wildcards (asterisks and question marks) as well as system variables (example, %systemroot% or %windir%).

Unlike DOS wildcards, you may use more than one wildcard per specification. Click the Help button for syntax examples.

Logging Options

• Write to Event Viewer:
  If checked, System Change Log will direct log entries to the Event Viewer log.
• Write to Log File:
  If checked, System Change Log will direct log entries to the scl.log file in the %systemroot%\system32 directory (i.e. c:\winnt\system32\scl.log). The default file location can be changed by editing the Registry. Max Log Size:
  The maximum desired size of the scl.log file on disk. If this is set to zero, the log file size is limited only by available free space on your disk. Any other number specifies the size, in kilobytes, for the log file. The log file is checked once each hour. If it exceeds the maximum specified size, the log is trimmed by removing entries from the beginning of the file until it is smaller than the maximum specified size.
• View Log
  Clicking this button will bring up the built-in System Change Log viewer, which lets you view log entries in real time.

 

Requirements

 

Version 3.1: 32 or 64-bit XP, 2003/R2, Vista, 2008/R2, and Windows 7 Works with NTFS filesystems on locally-attached drives (not Dynamic Disks).