Logging / Auditing when files are deleted

I have enabled auditing on a directory to log the following:

Name:  Everyone
Delete Subfolders and files (Success and Failure)
Delete (Success and Failure)

I am trying to log every time a file is deleted in the directory. I want to capture the file name and who did it. When I leave it set to "everyone", I don't get any entries. If I add a specific username, I only log 564 events. That would be fine, except that 564 events don't tell you what was deleted; they only tell you that the user did delete something:

Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      564
Date:            11/21/2007
Time:            2:19:07 PM
User:            domainname\ftpfailover
Computer:      servername
Description:
Object Deleted:
       Object Server:      Security
       Handle ID:      2340
       Process ID:      616
       Image File Name:      C:\WINDOWS\explorer.exe

Can someone explain how I go about setting up logging to track when a file is deleted and who deleted it?
Asked by InvoiceInsight
Toni Uranjek (Consultant/Trainer) commented:
Hi InvoiceInsight,

You should look for prior EventID: 560 with the same handle ID. You need to check both events: 560 and 564 to get complete information, unfortunately.

HTH

Toni
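
The correlation described in the answer above, as an added example that is not part of the original thread: each 564 is paired with the earlier 560 that carries the same Handle ID (plus Process ID, since handle values are per-process). The sample records are constructed, and the 560 field layout (Object Name, Handle ID, Process ID) and the use of event 562 as the handle-close event are assumptions about the classic Security log format.

```python
import re

# Constructed sample records, oldest first. The 564 text mirrors the event in
# the question; the 560 layout and the file path are assumed for illustration.
SAMPLE_EVENTS = [
    {"id": 560, "user": r"domainname\ftpfailover", "time": "11/21/2007 2:19:06 PM",
     "description": "Object Open:\n  Object Server: Security\n  Object Type: File\n"
                    "  Object Name: D:\\ftproot\\invoice-0001.txt\n"
                    "  Handle ID: 2340\n  Process ID: 616\n  Accesses: DELETE\n"},
    {"id": 564, "user": r"domainname\ftpfailover", "time": "11/21/2007 2:19:07 PM",
     "description": "Object Deleted:\n  Object Server: Security\n  Handle ID: 2340\n"
                    "  Process ID: 616\n  Image File Name: C:\\WINDOWS\\explorer.exe\n"},
    # A delete whose 560 is missing (rolled out of the log, or never audited).
    {"id": 564, "user": r"domainname\ftpfailover", "time": "11/21/2007 2:25:40 PM",
     "description": "Object Deleted:\n  Object Server: Security\n  Handle ID: 2888\n"
                    "  Process ID: 616\n  Image File Name: C:\\WINDOWS\\explorer.exe\n"},
]

FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):(.*)$", re.MULTILINE)
UNMATCHED = "<no matching 560 in this log>"

def fields(description):
    """Split an event description into a {field name: value} dict."""
    return {k.strip(): v.strip() for k, v in FIELD.findall(description)}

def correlate_deletes(events):
    """Return (time, user, object name) for every 564, using prior 560s."""
    open_handles = {}  # (process id, handle id) -> object name from the 560
    deletions = []
    for ev in events:
        f = fields(ev["description"])
        key = (f.get("Process ID"), f.get("Handle ID"))
        if ev["id"] == 560:
            # A reused handle value simply overwrites the older mapping.
            open_handles[key] = f.get("Object Name", "?")
        elif ev["id"] == 564:
            deletions.append((ev["time"], ev["user"],
                              open_handles.get(key, UNMATCHED)))
        elif ev["id"] == 562:
            # Handle closed: forget it so a later reuse cannot mis-match.
            open_handles.pop(key, None)
    return deletions

if __name__ == "__main__":
    for when, who, what in correlate_deletes(SAMPLE_EVENTS):
        print(f"{when}  {who}  deleted  {what}")
```

An unmatched 564 is reported rather than dropped, because a missing 560 usually means the Security log wrapped or the open was not audited.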
 
James Montgomery commented:
If you want a commercial solution:

http://www.scriptlogic.com/products/filesystemauditor/

Good reporting, saves your time. Not that expensive.
 
InvoiceInsight (author) commented:
That sucks that you have to correlate two event IDs, but at least I know how to track it now. Thanks!
Question has a verified solution.
