nellster1000
asked on
Translate object access audit log
Hi all,
We keep having folders mysteriously being moved from one directory to another or being deleted. I have set up auditing on these directories but am having difficulty translating the entries in the event viewer. I set the auditing up to track "Delete Subfolders and files" & "Delete".
What parts of the log entry will inform me if a file/folder has been deleted or moved?
Many thanks in advance!
Nellster
ASKER
Thanks for the reply. Starting to make sense. However, the two entries that I have are both ID 560. Have attached a txt file.
Have changed some of the info like domain, user etc. Effectively "D:\someDir" stands for the dir that was moved.
Cheers,
Nellster
ObjectAccess.txt
ASKER CERTIFIED SOLUTION
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=564
You should look for 560's with coinciding 564's. A move will be the same as a delete.
HTH
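One way to do the 560/564 matching described in the answer above, as an added Python example that is not part of the original thread. The plain-text export layout, user names and handle values are constructed, and the field names (Object Name, Handle ID, Process ID, Primary User Name, Accesses) are assumed to match those shown in the 560 and 564 event descriptions.

```python
import re

# Constructed sample: three events in an assumed plain-text export layout,
# one "Field: value" pair per line, records separated by a blank line.
SAMPLE = """\
Event ID: 560
Object Name: D:\\someDir
Handle ID: 1432
Process ID: 4
Primary User Name: jdoe
Accesses: DELETE ReadAttributes

Event ID: 564
Handle ID: 1432
Process ID: 4

Event ID: 560
Object Name: D:\\otherDir
Handle ID: 2200
Process ID: 4
Primary User Name: asmith
Accesses: DELETE ReadAttributes
"""

def parse_records(text):
    """Split the export on blank lines; return one {field: value} dict per event."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only, so D:\ paths survive
            if sep:
                fields[key.strip()] = value.strip()
        if "Event ID" in fields:
            records.append(fields)
    return records

def confirmed_deletes(records):
    """Return (user, object) for each 560 requesting DELETE that a later 564 confirms."""
    pending = {}  # (Process ID, Handle ID) -> most recent 560 that asked for DELETE
    hits = []
    for rec in records:
        key = (rec.get("Process ID"), rec.get("Handle ID"))
        if rec["Event ID"] == "560" and "DELETE" in rec.get("Accesses", "").split():
            pending[key] = rec
        elif rec["Event ID"] == "564" and key in pending:
            opened = pending.pop(key)
            hits.append((opened.get("Primary User Name"), opened.get("Object Name")))
    return hits
```

A 560 that requests DELETE but has no matching 564 (the second 560 in the sample) only shows that the access was requested, not that the object was removed.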