[Help] Best FOSS stack for Network Share Auditing (Win11 Workgroup) – Need "Who, What, When" without the noise.
Posted by theoldregime@reddit | sysadmin | 9 comments
Hey r/sysadmin,
I’m setting up a professional-grade (but strictly FOSS) file sharing and auditing system for a small office (approx. 10 people), and I've hit a bit of a wall with the "noise" in standard Windows auditing.
The Setup (The "Hard" Part):
* Host: Windows 11 Pro.
* Network: Workgroup-based only (No Domain Controller / Active Directory).
* User Types: Boss (Full), MGT (Full), and Interns (Read/Write but No Delete via NTFS Deny rules).
* Storage: Shared folder on a dedicated data drive.
The Goal: I need reliable user attribution for every file change. I need to know exactly which intern created a file or who deleted something (so I can restore it from Shadow Copies) without digging through thousands of Event ID 4663 entries that don't always give a clean "Who did what" at a glance.
What I've Tried:
* Standard Windows Object Access Auditing: Too noisy, filtering via CLI is a nightmare.
* Netwrix: The free edition is too limited for what I need.
My Current Plan: I’m leaning towards Sysmon (Event ID 26) combined with Osquery so I can query file activity via SQL.
I'd love to hear from you:
1. What do you use? If you're running a similar small-scale, non-domain setup, what is your go-to FOSS stack for auditing?
2. Is Sysmon + Osquery really the best lightweight path for Win11, or am I overcomplicating it?
3. Any tips on handling the "Word/Excel temporary file delete" issue? When interns have a "Deny Delete" rule, it often breaks Office temp file handling.
I'm looking for driver-level tracking, clean CLI access for scripting reports, and human-readable logs.
Thanks in advance for any insights!
rejectionhotlin3@reddit
zfs diff. Honestly though, you're gonna need some kind of auditing enabled on samba or windows file server and some kind of user management. Domain / Entra of some kind.
kona420@reddit
If you really need change tracking like you are describing, a Windows file share is not the solution.
Have you looked at SharePoint?
theoldregime@reddit (OP)
Hmm, it's good, but I have an HDD and I found out it was adding a lot of overhead, so I have now decided to let go of auditing and focus on backup and snapshots.
kona420@reddit
I was going to mention that relying on VSS is a recipe for disaster. As soon as a BitLocker-type attack hits, it will quickly age out all valid backups and you'll be screwed.
These days it's not just having backups, it's about having immutable and tested backups. A common pattern is a filer with an airgapped or hardened management interface that presents a volume to receive backups, that is then doing snapshots of those backups so that if a network attack occurs the attacker can't delete the backups. Or just use an S3 bucket and mark the backups with a retention policy.
theoldregime@reddit (OP)
You have been really helpful. I will have to see how I can apply and customise this for my case.
theoldregime@reddit (OP)
Yes, that was my original thought as well, but I have practically zero budget, so I am setting up small NAS servers in 2 different places around the city and will use Tailscale to have Grandfather-Father-Son style backups.
chickibumbum_byomde@reddit
Honestly, for a small workgroup setup, this is starting to turn into "building enterprise auditing on top of consumer Windows." Your biggest issue is that Windows file auditing was never really designed to be clean or pleasant at small scale. It's extremely noisy because Office apps, Explorer, antivirus, indexing, and temp files constantly touch files in the background, anything Windows hehehe. Sysmon + Osquery can work, but it's probably more complexity than you actually need unless you specifically want a security telemetry platform.
I think simplifying will help the most: separate user accounts properly, keep permissions simple, rely on backups/shadow copies for recovery, audit only the critical folders/events you truly care about. Also, "deny delete" on Office-heavy shares often causes pain because Office relies heavily on temp file rename/delete behavior. That's a very common issue.
I would also add in some lightweight monitoring. Currently using checkmk: set your thresholds, configure the basics, monitor integrity and you are good to go.
theoldregime@reddit (OP)
Yeah, that's what I have decided, to focus more on snapshots and backups.
Quirky-Persimmon3342@reddit
For a workgroup setup without a domain, Wazuh can do file integrity monitoring and access logging if you configure the Windows audit policies first. A lighter option is just enabling object access auditing in Windows Security Policy and shipping the event logs to a central syslog server. The problem with workgroup setups is there's no central place to define audit policy, so you have to configure each machine manually.
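As an added example (not posted by anyone in this thread), here is the kind of "Who, What, When" delete report OP asked for, built on the plain object access auditing that the last reply suggests: it reduces the noisy 4663 handle events to the ones a matching 4660 confirms were actual deletions, and drops the Office lock/temp files that cause most of the noise. The share path, the time window and the noise pattern are assumptions; adjust them to your environment.

```powershell
# Added example, not from the thread. Assumes the "Audit File System" subcategory
# (Success) is enabled, the shared folder's SACL audits Delete / Delete subfolders
# and files, and this runs in an elevated PowerShell on the Windows 11 host.
param(
    [string]$SharePath = 'D:\Share',   # assumed location of the shared folder
    [int]$Hours = 24                   # how far back to report
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4663, 4660; StartTime = $since
} -ErrorAction SilentlyContinue

# Pull a named field from the event XML; 4663 and 4660 have different
# field orders, so positional Properties[] indexes are not safe.
function Get-Field($event, $name) {
    $xml = [xml]$event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

# Office/Explorer noise: ~$lock files, ~WRLnnnn.tmp autosaves, thumbnail caches.
$noise = '\\~\$|\.tmp$|Thumbs\.db$|desktop\.ini$'

# 4660 only says "this handle (in this process) was deleted"; the user and the
# file name live in the 4663 that opened the handle. Handle IDs are reused, so
# key on process id + handle id rather than handle id alone.
$deleted = @{}
foreach ($e in $events | Where-Object { $_.Id -eq 4660 }) {
    $deleted["$(Get-Field $e 'ProcessId')|$(Get-Field $e 'HandleId')"] = $e.TimeCreated
}

$report = foreach ($e in $events | Where-Object { $_.Id -eq 4663 }) {
    $file = Get-Field $e 'ObjectName'
    if ($file -notlike "$SharePath*" -or $file -match $noise) { continue }
    $key  = "$(Get-Field $e 'ProcessId')|$(Get-Field $e 'HandleId')"
    $mask = [Convert]::ToInt32((Get-Field $e 'AccessMask'), 16)
    # 0x10000 = DELETE, 0x40 = DeleteChild; keep only handles 4660 confirms deleted.
    if (($mask -band 0x10040) -and $deleted.ContainsKey($key)) {
        [pscustomobject]@{
            When = $deleted[$key]
            Who  = '{0}\{1}' -f (Get-Field $e 'SubjectDomainName'), (Get-Field $e 'SubjectUserName')
            What = 'Deleted'
            File = $file
            # Local process only; deletes arriving over SMB show the System process.
            Via  = Get-Field $e 'ProcessName'
        }
    }
}

$report | Sort-Object When | Format-Table -AutoSize
```

Who is taken from the 4663's SubjectUserName, which for SMB access is the connecting share user rather than the System process, so it gives the per-intern attribution OP is after even without a domain.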