How to increase the interval for viewing the audit history of a folder?

K

kerber0s2019-01-22 17:25:05

File systems

kerber0s, 2019-01-22 17:25:05

Good day to all.
On the terminal server (it also runs the Hyper-V role), I decided to set up an audit of a folder with 1c databases, where about 15-20 clients work.
In total, there are about 150 file databases 1c, of which 20-30 databases are used every day.
I enabled the corresponding policy:

I also enabled audit on the folder:

Appropriate entries for deletion and for file system requests appear in the audit log.
In addition to them, there are entries in the log of other categories: created by the application, from the file system itself, from events from Hyper-V, there are especially many of them.
for example:

But I can't see the audit history interval for more than 4 days.
A couple of days ago I set the log size to 2 GB. The interval has increased to 5 days. and I would like to increase the ability to view history at least a couple of weeks.
Is it possible to somehow remove events from Hyper-V, or is it possible to simply increase the interval for viewing the audit history?
In advance, thanks a lot!

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

F

fendibober, 2019-03-22
@kerber0s

For the audit to work correctly (to create log entries only for events and users specified in the "Audit" tab), you need to disable all options in the policies in the "Local Policies" - "Audit Policies" section, and enable the "File system audit" option in the "Advanced Audit Policy Configurations".

D

Denis, 2019-01-23
@denilenko

Try Windows Event Forwarding. There you can configure the collection of only the necessary event IDs on a separate computer.