Q: Windows Event ID 5140 logs each user access to a network share, but it doesn't show the name of the file the user accessed on the share. How can I track which files users access on a Windows file share?
A: Tracking which files a user accessed on a file share is possible via the Detailed File Share audit subcategory that Microsoft introduced in Windows Server 2008. This information is provided through Event ID 5145. This event identifies the user in the Subject field, the user's IP address in the Network Information field, the share name, and the actual file that was accessed via the share in the Share Information filed. It also shows the permissions requested and the results of the access request. Event 5145 logs the access attempt and therefore shows success and failure events.
You must be careful when enabling this audit subcategory because Windows will generate an event for every file accessed through a network share. Don't enable this audit subcategory unless you really want to see all events for every access to every file on a network share.