Events generated on specific files can be audited using the File policy containing the specific file name. This policy holds a set of file names and the corresponding action flags. This policy is specific to the file system and is applicable only to volume objects. Action flags indicate the action to be taken for events involving the file.
To create and associate a File policy:
Select a container.
Click New > Object > New naasFilePolicy.
Add the files that are to be audited, with the appropriate action flag for each file. For example, \system\test.txt (do not include the volume).
Make this policy applicable to appropriate audited volumes.
Grant the appropriate Audit agent objects Read rights to this policy.
NOTE: For auditing events generated on specific files, an Event policy must also be present. In the Event policy, if the filter condition for any event is set to DON'T CARE or the action flag is set to IGNORE, the File policy will not be applied for that event. In this case, the event will be audited irrespective of the file on which it was generated. The filtering condition should be set to either AND or OR for the event to be audited based on the corresponding file.