Link to home
Start Free TrialLog in
Avatar of jkelley53
jkelley53

asked on

Auditing Files & Folders using Create Files/Write Data

I set up file and folder auditing for a folder by putting a check mark next to Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete under Successful Column for the Everyone Group. Auditing is working fine, Event ID 564 (Object Deleted) is showing up in the Security log when someone deletes a file inside the folder. My question is what Event ID is triggered and that I should look for in the Security Log when someone creates a file or a folder inside the folder that I'm auditing?
ASKER CERTIFIED SOLUTION
Avatar of davidsummers
davidsummers

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of jkelley53
jkelley53

ASKER


Thanks for your comment David! That's very helpful. Now, how come I'm only seeing 3 events in the Security Log that is associated with the folder that I'm auditing? Event ID 560 (Object Open), Event ID 562 (Handle Close), Event ID 564 (Object Deleted). How can I tell the difference if someone opens a file and change the file from someone created a new file in that folder? Looks like the same event is being log, event 560 and 562, when someone opens and edit a file and when someone creates a new file. Same event is also triggered followed by 564 when a file is deleted.
It would be. You would not see an event for file modification, only File open