fixnix

asked on

How to determine filename deleted by interpreting event viewer's output

I *thought* I knew what was going on here, but apparently I missed something.

I've enabled auditing of file deletions on our DC and events are showing up fine in the Event Viewer.  Now I need to know how to determine which file was deleted when I see event 564's.  I thought all I needed to do was grab the handle ID then back up to the next-earliest 560 event that matched the Handle ID and voila...there is the filename (seemed to work that way with the tests I did).

If that's the case, then this situation just doesn't make sense to me...here are the events:

-----------------------------------
Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      564
Date:            4/14/2005
Time:            1:05:22 PM
User:            APL\Dave
Computer:      APLCO
Description:
Object Deleted:
       Object Server:      Security
       Handle ID:      6204
       Process ID:      
----------------------------------------
So far so good....now I go back in time to match up the Handle:
----------------------------------------
Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      560
Date:            4/14/2005
Time:            1:05:22 PM
User:            APL\Dave
Computer:      APLCO
Description:
Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      D:\Insure\AA\pendDJB.dbf
       New Handle ID:      6204
       Operation ID:      {0,1684100312}
       Process ID:      8
       Primary User Name:      APLCO$
       Primary Domain:      APL
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      dave
       Client Domain:      APL
       Client Logon ID:      (0x0,0x645ECAAB)
       Accesses            DELETE
                  ReadAttributes
                  
       Privileges            -
---------------------------------------------------------

Looks like a match, right?  Well then why in Explorer is the file still on the server with a creation date of 03/22/2005? (At first I thought the file was deleted then recreated w/ the same filename, but that idea got tossed when I added the Creation Date column in Explorer.)  Seems to me that my thoughts on how to determine what file was deleted were incorrect...what am I interpreting wrong?

I guess I need help in interpreting the way ms logs deletion events.
ASKER CERTIFIED SOLUTION
nader alkahtani
This solution is only available to members.
fixnix

ASKER

Well how about that!  I've never seen an Event 563 though on test files I actually did delete (although there were a few admin & backupexec 563 entries for .tmp files); the file I deleted only produced 560 and 564 events...so how would I interpret what file was deleted from the Event Logs if all I get are 560 & 564's?

ASKER

(win 2k server btw)
Note: Delete All Child Objects auditing entry for an Active Directory object does not record an event log entry in Windows Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;828074
------------------------------------------------------
HOW TO: Audit Active Directory Objects in Windows Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;814595



ASKER

I'm auditing successes and failures with the following boxes checked:

Delete Subfolders and Files: Success and Failure are both checked
Delete: Success and Failure are both checked

I have not changed anything...according to all the links I've looked at, I have configured everything correctly before I posted this question.
I have not seen anything in any links you've posted indicating I need to change anything.
Therefore, I have not changed anything and my original question (in the title) remains unanswered.

I'll at least give you credit for explaining my misinterpretation of the examples I posted...but I'm still needing to know how to determine the filenames of audited files that were deleted.

If I know the filename, I can export the log then do a simple text search on the filename, find a 560 event then search forward in time for a 564 using the same handle (I think it's almost always been the next entry or real close to it), and that seems to be accurate, but the way you described it, that isn't the right way.  Regardless, I need to do it "backwards"... as in "Fire up Event Viewer and determine what files were deleted and by whom after 5PM yesterday".