OS: Windows Server 2012 R2
We want to track the accesses to specific files: Which files are opened and how often? Therefore, we started the Windows Event Log. The problem is that all files of the folder are tracked and not only the specific file extension we want: .rpt
I have two questions:
- Can we only watch for specific file extensions before the Event Log is active? Otherwise, our Event Log is really full of files we don't need (and exceeds the maximum space).
- If 1 is not possible: How can I filter for a specific file extension on an existing event log?
I managed to filter for a specific file, but can't use a wildcard (e.g. with the contains function or with * or %). For this, I used an XML filter in the XPath format. It looks like this:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4656 or EventID=4663)]]
      and
      *[EventData[Data[@Name='ObjectName'] = 'A:\Server\Folder\SubFolder\File.rpt']]
    </Select>
  </Query>
</QueryList>
Is it possible to use a wildcard in Windows Event Log? If yes, how? Please also share if you have other ideas for how to track accesses to a file and how many there are (for free / cheap).
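
One way to count accesses per .rpt file from an existing Security log, as an added example that is not part of the original post: the Event Log query language implements only a subset of XPath 1.0 without string functions such as contains(), so the query selects by event ID and the extension match is done in PowerShell. The function name Get-ExtensionAccessCount and the sample events are constructed for illustration.

```powershell
# Added example (not from the original post). Counts accesses per file for one
# extension from event XML strings as produced by EventLogRecord.ToXml().
function Get-ExtensionAccessCount {
    param(
        [Parameter(Mandatory = $true)][string[]]$EventXml,
        [string]$Extension = '.rpt'
    )
    $EventXml | ForEach-Object {
        $data = ([xml]$_).Event.EventData.Data
        $name = ($data | Where-Object { $_.Name -eq 'ObjectName' }).'#text'
        # The wildcard-style match happens client side and ignores case.
        if ($name -and $name.EndsWith($Extension, [StringComparison]::OrdinalIgnoreCase)) {
            $name
        }
    } | Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed sample events (trimmed to the fields used), so this runs offline.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample = @(
    'A:\Server\Folder\SubFolder\File.rpt',
    'A:\Server\Folder\SubFolder\File.rpt',
    'A:\Server\Folder\SubFolder\Notes.txt',
    'A:\Server\Folder\Other\Sales.RPT'
) | ForEach-Object {
    "<Event xmlns='$ns'><System><EventID>4663</EventID></System>" +
    "<EventData><Data Name='ObjectName'>$_</Data></EventData></Event>"
}
Get-ExtensionAccessCount -EventXml $sample

# On the server (elevated prompt), select by event ID only and filter here:
# $filter = "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>" +
#           "*[System[(EventID=4656 or EventID=4663)]]</Select></Query></QueryList>"
# $xml = Get-WinEvent -FilterXml $filter | ForEach-Object { $_.ToXml() }
# Get-ExtensionAccessCount -EventXml $xml
```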