File updated - Sysmon Event ID

[kont45]

For custom rules as file overwrite / create which Event ID should we use to logs changes? Event ID 11 or 2? For example I need log file when changed in path c:\programdata\file.log

[jokezone]

It sounds like you want to monitor when someone replaces or modifies a specific file. Sysmon is not the best tool for auditing detailed changes to the file system. For this, you should look into Windows File System auditing.