  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2411

How to determine filename deleted by interpreting event viewer's output

I *thought* I knew what was going on here, but apparently I missed something.

I've enabled auditing of file deletions on our DC and events are showing up fine in the Event Viewer. Now I need to know how to determine which file was deleted when I see event 564s. I thought all I needed to do was grab the Handle ID, then back up to the next-earliest 560 event that matched the Handle ID, and voilà... there is the filename (it seemed to work that way with the tests I did).

If that's the case, then this situation just doesn't make sense to me...here are the events:

-----------------------------------
Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      564
Date:            4/14/2005
Time:            1:05:22 PM
User:            APL\Dave
Computer:      APLCO
Description:
Object Deleted:
       Object Server:      Security
       Handle ID:      6204
       Process ID:      
----------------------------------------
So far so good....now I go back in time to match up the Handle:
----------------------------------------
Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      560
Date:            4/14/2005
Time:            1:05:22 PM
User:            APL\Dave
Computer:      APLCO
Description:
Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      D:\Insure\AA\pendDJB.dbf
       New Handle ID:      6204
       Operation ID:      {0,1684100312}
       Process ID:      8
       Primary User Name:      APLCO$
       Primary Domain:      APL
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      dave
       Client Domain:      APL
       Client Logon ID:      (0x0,0x645ECAAB)
       Accesses            DELETE
                  ReadAttributes
                  
       Privileges            -
---------------------------------------------------------

Looks like a match, right? Well then why, in Explorer, is the file still on the server with a creation date of 03/22/2005? (At first I thought the file was deleted then recreated w/ the same filename, but that idea got tossed when I added the Creation Date column in Explorer.) Seems to me that my thoughts on how to determine what file was deleted were incorrect... what am I interpreting wrong?

I guess I need help interpreting the way MS logs deletion events.
0
Asked by: fixnix
1 Solution
 
nader alkahtaniCommented:
Event ID 560 means "Object Open", whereas Event ID 563 means "Object Open for Delete" and 564 means "Object Deleted". The file that appears in the last event is in an Event ID 560, which means "Object Open":

D:\Insure\AA\pendDJB.dbf is not yet deleted.

http://www.microsoft.com/technet/security/bestprac/bpent/sec3/monito.mspx

Helpful resources:

Windows 2000 Server Events and Errors:
http://www.microsoft.com/technet/support/ee/search.aspx?DisplayName=Windows%202000%20Server&ProdName=Windows%20Operating%20System&MajorMinor=5.0&LCID=1033

Windows Server 2003 Events and Errors:
http://www.microsoft.com/technet/support/ee/search.aspx?DisplayName=Windows%20Server%202003&ProdName=Windows%20Operating%20System&MajorMinor=5.2&LCID=1033

http://www.eventid.net
0
 
fixnixAuthor Commented:
Well how about that! I've never seen an Event 563 though on test files I actually did delete (although there were a few admin & backupexec 563 entries for .tmp files); the file I deleted only produced 560 and 564 events... so how would I interpret what file was deleted from the event logs if all I get are 560 & 564s?
0
 
fixnixAuthor Commented:
(win 2k server btw)
0
 
nader alkahtaniCommented:
Note: a "Delete All Child Objects" auditing entry for an Active Directory object does not record an event log entry in Windows Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;828074

HOW TO: Audit Active Directory Objects in Windows Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;814595
0
 
fixnixAuthor Commented:
I'm auditing successes and failures with the following boxes checked:

Delete Subfolders and Files:   Success and Failure are both checked
Delete:                        Success and Failure are both checked

I have not changed anything... according to all the links I've looked at, I had configured everything correctly before I posted this question. I have not seen anything in any links you've posted indicating I need to change anything. Therefore, I have not changed anything and my original question (in the title) remains unanswered.

I'll at least give you credit for explaining my misinterpretation of the examples I posted... but I'm still needing to know how to determine the filenames of audited files that were deleted.

If I know the filename, I can export the log, then do a simple text search on the filename, find a 560 event, then search forward in time for a 564 using the same handle (I think it's almost always been the next entry or real close to it), and that seems to be accurate, but the way you described it, that isn't the right way. Regardless, I need to do it "backwards"... as in "Fire up Event Viewer and determine what files were deleted and by whom after 5PM yesterday".

0
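The "backwards" question asked above (start from the deletions, then find the filenames) and the 560/563/564 semantics given in the accepted answer both come down to one correlation: a 564 (Object Deleted) carries only a Handle ID, and the object name lives in the earlier 560 (Object Open) or 563 (Object Open for Delete) event whose New Handle ID created that handle. The Python script below is an added example, not code from the thread or from Microsoft. It parses a text export of the security log, remembers the last open event per handle, and reports, for each 564 at or after a cut-off time, the nearest earlier open with the same handle, together with the Accesses that open requested, so an analyst can see whether DELETE access was involved. It assumes the export is oldest-first with records separated by dashed lines as in the events quoted in the question; the sample log, the oldreport.tmp file and handles 7100 and 9999 are constructed for the example. Handle IDs are reused by the system, so the most recent open for a handle wins, and a 564 with no earlier open in the export is reported as unmatched rather than guessed.

```python
import re
from datetime import datetime

# Constructed sample: a trimmed text export of a Windows 2000 security log,
# oldest event first (Event Viewer itself lists newest first). oldreport.tmp
# and handles 7100/9999 are made up; the pendDJB.dbf records mirror the thread.
SAMPLE_LOG = r"""
Event ID:      560
Date:            4/14/2005
Time:            1:05:22 PM
       Object Name:      D:\Insure\AA\pendDJB.dbf
       New Handle ID:      6204
       Accesses            DELETE
                  ReadAttributes
----------------------------------------
Event ID:      564
Date:            4/14/2005
Time:            1:05:22 PM
User:            APL\Dave
       Handle ID:      6204
----------------------------------------
Event ID:      563
Date:            4/14/2005
Time:            1:12:40 PM
       Object Name:      D:\Insure\AA\oldreport.tmp
       New Handle ID:      7100
       Accesses            DELETE
----------------------------------------
Event ID:      564
Date:            4/14/2005
Time:            1:12:40 PM
User:            APL\Dave
       Handle ID:      7100
----------------------------------------
Event ID:      564
Date:            4/14/2005
Time:            1:15:03 PM
User:            APL\Dave
       Handle ID:      9999
"""

OPEN_EVENTS = {560: "Object Open", 563: "Object Open for Delete"}
DELETE_EVENT = 564                       # Object Deleted: carries only the Handle ID
LIST_KEYS = ("Accesses", "Privileges")   # multi-line fields written without a colon
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"        # "4/14/2005 1:05:22 PM"


def parse_record(block):
    """One exported record -> {field: value}; LIST_KEYS become lists."""
    fields, list_key = {}, None
    for line in filter(None, (raw.strip() for raw in block.splitlines())):
        m = re.match(r"^([A-Za-z ]+?):\s*(.*)$", line)
        if m:                      # "Key:   value" (value may be empty)
            fields[m.group(1)], list_key = m.group(2), None
        else:                      # "Accesses   DELETE" plus its continuation lines
            parts = line.split(None, 1)
            if parts[0] in LIST_KEYS:
                list_key, fields[parts[0]] = parts[0], parts[1:]
            elif list_key:
                fields[list_key].append(line)
    return fields


def parse_log(text):
    """Split an export on dashed separator lines; keep records that have an Event ID."""
    events = []
    for block in re.split(r"(?m)^-{5,}\s*$", text):
        f = parse_record(block)
        if "Event ID" in f:
            when = datetime.strptime(f"{f['Date']} {f['Time']}", TIME_FMT)
            events.append({"event_id": int(f["Event ID"]), "when": when, "fields": f})
    return events


def correlate_deletions(text, since=None):
    """For each 564 at/after `since` (datetime or TIME_FMT string), report the nearest
    earlier 560/563 whose New Handle ID matches; handles are reused, so newest open wins."""
    if isinstance(since, str):
        since = datetime.strptime(since, TIME_FMT)
    open_by_handle, hits = {}, []
    for ev in parse_log(text):
        f = ev["fields"]
        if ev["event_id"] in OPEN_EVENTS:
            open_by_handle[f.get("New Handle ID")] = ev
        elif ev["event_id"] == DELETE_EVENT and (since is None or ev["when"] >= since):
            opened = open_by_handle.get(f.get("Handle ID"))   # None if no earlier open
            of = opened["fields"] if opened else {}
            hits.append({
                "deleted_at": ev["when"],
                "user": f.get("User"),
                "handle": f.get("Handle ID"),
                "object_name": of.get("Object Name"),
                "open_event_id": opened["event_id"] if opened else None,
                "open_kind": OPEN_EVENTS.get(opened["event_id"]) if opened else None,
                "accesses": of.get("Accesses", []),
            })
    return hits


if __name__ == "__main__":
    for h in correlate_deletions(SAMPLE_LOG, since="4/14/2005 1:00:00 PM"):
        print(f"{h['deleted_at']:%Y-%m-%d %H:%M:%S} {h['user']} handle {h['handle']} "
              f"{h['object_name'] or '<no matching 560/563 in export>'} via {h['open_kind']}")
```

Passing `since="4/13/2005 5:00:00 PM"` answers the "after 5PM yesterday" case directly. The script only decides which open event a 564 refers to; it cannot by itself explain a case like the one in the question, where a 560/564 pair exists but the file is still present, so the reported Accesses and the open kind (560 versus 563) are included for the analyst to weigh.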
