Auditing system resources
Auditing is the best way to track what’s happening on your Windows Server 2012 R2 systems. You can use auditing to collect information related to resource usage such as file access, system logons, and system configuration changes. Any time an action occurs that you’ve configured for auditing, the action is written to the system’s security log, where it’s stored for your review. The security log is accessible from Event Viewer.
NOTE For most auditing changes, you need to be logged on using an account that’s a member of the Administrators group or you need to be granted the Manage Auditing And Security Log right in Group Policy.