InvoiceInsight
asked on
Logging / Auditing when files are deleted
I have enabled auditing on a directory to log the following:
Name: Everyone
Delete Subfolders and files (Success and Failure)
Delete (Success and Failure)
I am trying to log everytime a file is deleted in the directory. i want to capture the file name and who did it. When I leave it set to "everyone", I don't get any entries. If I add a specific username, I only log 564 events. That would be fine, except that 564 events don't tell you what was deleted, it only tells you that the user did delete something:
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 564
Date: 11/21/2007
Time: 2:19:07 PM
User: domainname\ftpfailover
Computer: servername
Description:
Object Deleted:
Object Server: Security
Handle ID: 2340
Process ID: 616
Image File Name: C:\WINDOWS\explorer.exe
Can someone explain how I go about setting up logging to track when a file is deleted and who deleted?
Name: Everyone
Delete Subfolders and files (Success and Failure)
Delete (Success and Failure)
I am trying to log everytime a file is deleted in the directory. i want to capture the file name and who did it. When I leave it set to "everyone", I don't get any entries. If I add a specific username, I only log 564 events. That would be fine, except that 564 events don't tell you what was deleted, it only tells you that the user did delete something:
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 564
Date: 11/21/2007
Time: 2:19:07 PM
User: domainname\ftpfailover
Computer: servername
Description:
Object Deleted:
Object Server: Security
Handle ID: 2340
Process ID: 616
Image File Name: C:\WINDOWS\explorer.exe
Can someone explain how I go about setting up logging to track when a file is deleted and who deleted?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
That sucks that you have to correlate two event ID's but at least I know how to track it now. Thanks!
http://www.scriptlogic.com/products/filesystemauditor/
Good reporting, saves your time. Not that expensive.