Solved

Logging / Auditing when files are deleted

Posted on 2007-11-21
3
438 Views
Last Modified: 2013-12-05
I have enabled auditing on a directory to log the following:

Name:  Everyone
Delete Subfolders and files (Success and Failure)
Delete (Success and Failure)

I am trying to log everytime a file is deleted in the directory.  i want to capture the file name and who did it.  When I leave it set to "everyone", I don't get any entries.  If I add a specific username, I only log 564 events.  That would be fine, except that 564 events don't tell you what was deleted, it only tells you that the user did delete something:

Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      564
Date:            11/21/2007
Time:            2:19:07 PM
User:            domainname\ftpfailover
Computer:      servername
Description:
Object Deleted:
       Object Server:      Security
       Handle ID:      2340
       Process ID:      616
       Image File Name:      C:\WINDOWS\explorer.exe

Can someone explain how I go about setting up logging to track when a file is deleted and who deleted?
0
Comment
Question by:InvoiceInsight
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 500 total points
ID: 20330390
Hi InvoiceInsight,

You should look for prior EventID: 560 with the same handle ID. You need to check both events: 560 and 564 to get complete information, unfortunately.

HTH

Toni
0
 
LVL 15

Expert Comment

by:JimboEfx
ID: 20361252
If you want a commercial solution:

http://www.scriptlogic.com/products/filesystemauditor/

Good reporting, saves your time. Not that expensive.
0
 

Author Closing Comment

by:InvoiceInsight
ID: 31410440
That sucks that you have to correlate two event ID's but at least I know how to track it now.  Thanks!
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Know what services you can and cannot, should and should not combine on your server.
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question