
We occasionally have configurations in web.config(s) being changed by the IT team on live production servers. I would like to create an audit trail, e.g., "On October 11 the property 'foo' in file 'bar' was changed to 'banana'."

My first thought was to create a PowerShell script that would run every hour, and if one of the .config files changed, save it off in a time stamped folder. My second thought was that this must be a problem that has already been solved.

Ideally, config file changes would not be allowed and any change would require a new deployment, but it's unlikely I could push that through.

I say "web.config" but I have a few different xml config files: web.config, app.config, nant.configs.

I need to know exactly what in these config files changed (approximately) when and (ideally) by whom.

Is there some kind of standard way or open source tool to do file change logging?

mhenry1384
  • Not answering because I don't know what the windows equivalent might be, but the `inotify` system would be equivalent to what you'd want in Linux. All you'd need to do would be hook up `inotify` handlers for file change events within a given directory hierarchy, and then have the handlers apply version control to those files (e.g. `git add `, `git commit -m `, `git push origin master`). – Parthian Shot Apr 13 '17 at 20:45
  • I'm betting you could also have a (non-agentless) config management system like Salt or Puppet alert you about unexpected file contents in config files, though that's a slightly different thing. Salt would probably be better for what you'd want b/c it's more extensible and would be better able to handle version controlling the files. However, again, I haven't tried to do that so I don't know what issues inherently exist. – Parthian Shot Apr 13 '17 at 20:48
  • Follow-up question, though... Would you care if the thing used polling on an interval, or an interrupt-based model? I'm guessing if you require interrupts that's a more niche question. – Parthian Shot Apr 13 '17 at 20:49
  • There are many different file auditing tools for Windows; if they detect a change, you can have them run a script that backs up the file. So every time a change is made, a backup is made. These tools hook into the Windows event notification APIs and wait for a callback that triggers them. – Henry Apr 14 '17 at 03:37

1 Answer


As mentioned in the comments, there are most likely third party tools that could help here. There is nothing built into Windows which allows you to do this out of the box.

If I had to do this myself I would do something like this:

Write a small tool to monitor the files to watch. This would use a FileSystemWatcher object. On NTFS drives a change to a watched file would trigger an event automatically.

The code for the event would just copy the file over to a different location which is under source control (say Git) and trigger a commit and possibly a push to a remote server.

Using this you can see what exactly changed in the file.

In addition you can enable Windows auditing on the files to see who made the changes.

I wouldn't write the tool in PowerShell, but as a Windows service that runs in the background and monitors changes in real time.

Peter Hahndorf
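As an added illustration of the approach in this answer (example code, not the answerer's), here is a console sketch of the FileSystemWatcher-plus-Git monitor: it coalesces the burst of Changed events a single save produces, mirrors the changed .config file into a local Git repository under the same relative path, and commits it with a UTC timestamp. The paths, the 2 s debounce window and the presence of git.exe on PATH are assumptions; host the same code in a Windows service to run it unattended.

```csharp
using System;
using System.Collections.Concurrent;
using System.Diagnostics;
using System.IO;
using System.Threading;

class ConfigAuditor
{
    // Assumed paths: the web root being watched and the local Git mirror repository.
    const string WatchRoot = @"C:\inetpub\wwwroot";
    const string RepoRoot = @"C:\ConfigAudit";
    // Editors fire several Changed events per save; one timer per file coalesces them.
    static readonly ConcurrentDictionary<string, Timer> Pending = new ConcurrentDictionary<string, Timer>();

    static void Main()
    {
        Directory.CreateDirectory(RepoRoot);
        if (!Directory.Exists(Path.Combine(RepoRoot, ".git"))) Git("init -q");
        var watcher = new FileSystemWatcher(WatchRoot, "*.config") { IncludeSubdirectories = true };
        watcher.NotifyFilter = NotifyFilters.LastWrite | NotifyFilters.FileName | NotifyFilters.Size;
        watcher.Changed += (s, e) => Schedule(e.FullPath);
        watcher.Created += (s, e) => Schedule(e.FullPath);
        watcher.EnableRaisingEvents = true;
        Console.WriteLine("Watching {0} for *.config changes; press Enter to stop.", WatchRoot);
        Console.ReadLine();
    }

    // Snapshot the file 2 s after its last event; a new event for the same file restarts the timer.
    static void Schedule(string path)
    {
        Pending.AddOrUpdate(path,
            k => new Timer(_ => Snapshot(path), null, 2000, Timeout.Infinite),
            (k, t) => { t.Change(2000, Timeout.Infinite); return t; });
    }

    static void Snapshot(string path)
    {
        if (Pending.TryRemove(path, out Timer t)) t.Dispose();
        if (!File.Exists(path)) return;                                  // deleted meanwhile
        string rel = path.Substring(WatchRoot.Length).TrimStart('\\');   // same relative path in repo
        string dest = Path.Combine(RepoRoot, rel);
        Directory.CreateDirectory(Path.GetDirectoryName(dest));
        try { File.Copy(path, dest, true); }
        catch (IOException) { Schedule(path); return; }                  // still locked by the editor: retry later
        Git("add -A");
        Git(string.Format("commit -q -m \"{0:u} {1} changed\"", DateTime.UtcNow, rel));
    }

    // Runs git in the mirror repo (assumes git.exe on PATH and user.name/user.email configured).
    static void Git(string args)
    {
        using (var p = Process.Start(new ProcessStartInfo("git", args) { WorkingDirectory = RepoRoot, UseShellExecute = false, CreateNoWindow = true })) p.WaitForExit();
    }
}
```

`git log -p` in the mirror repository then shows exactly what changed and when; the "who" still has to come from enabling Windows object-access auditing on the original files, as the answer notes.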