Solved

Logging / Auditing when files are deleted

Posted on 2007-11-21
Last Modified: 2013-12-05
I have enabled auditing on a directory to log the following:

Name:  Everyone
Delete Subfolders and files (Success and Failure)
Delete (Success and Failure)

I am trying to log every time a file is deleted in the directory. I want to capture the file name and who did it. When I leave it set to "everyone", I don't get any entries. If I add a specific username, I only log 564 events. That would be fine, except that 564 events don't tell you what was deleted, it only tells you that the user did delete something:

Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      564
Date:            11/21/2007
Time:            2:19:07 PM
User:            domainname\ftpfailover
Computer:      servername
Description:
Object Deleted:
       Object Server:      Security
       Handle ID:      2340
       Process ID:      616
       Image File Name:      C:\WINDOWS\explorer.exe

Can someone explain how I go about setting up logging to track when a file is deleted and who deleted it?
Question by:InvoiceInsight

Accepted Solution

by:
Toni Uranjek earned 500 total points
ID: 20330390
Hi InvoiceInsight,

You should look for prior EventID: 560 with the same handle ID. You need to check both events: 560 and 564 to get complete information, unfortunately.

HTH

Toni
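
The correlation described in the accepted solution, as an added example that is not part of the original thread. The sample events are constructed, and the 560 record layout (Object Name, Handle ID, Process ID) and the text-export format are assumptions; the function names are hypothetical.

```python
import re

# Constructed sample export, oldest event first (not data from the thread).
# Assumption: 560 records carry Object Name, Handle ID and Process ID fields.
SAMPLE = r"""
Event ID: 560
User: domainname\ftpfailover
Object Name: D:\ftp\incoming\old-report.csv
Handle ID: 2340
Process ID: 616

Event ID: 564
User: domainname\ftpfailover
Handle ID: 2340
Process ID: 616

Event ID: 560
User: domainname\jsmith
Object Name: D:\ftp\incoming\invoice-1042.pdf
Handle ID: 2340
Process ID: 616

Event ID: 564
User: domainname\jsmith
Handle ID: 2340
Process ID: 616
"""

FIELD = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", re.M)

def parse_events(text):
    """Split a text export into one dict of 'Field: value' pairs per event."""
    return [{k.strip(): v.strip() for k, v in FIELD.findall(block)}
            for block in re.split(r"\n\s*\n", text.strip())]

def correlate_deletes(events):
    """Pair each 564 (object deleted) with the latest prior 560 on that handle."""
    open_handles = {}  # (Process ID, Handle ID) -> Object Name from the last 560
    deletes = []
    for ev in events:  # events must be in chronological order
        key = (ev.get("Process ID"), ev.get("Handle ID"))
        if ev.get("Event ID") == "560":
            open_handles[key] = ev.get("Object Name")
        elif ev.get("Event ID") == "564":
            # pop: handle values are reused, so one 560 must not match two deletes
            deletes.append((ev.get("User"), open_handles.pop(key, None)))
    return deletes
```

Keying on process ID plus handle ID matters because the same handle value (2340 in the sample) can refer to different files over time; a 564 with no earlier 560 comes back with `None` as the file name instead of being matched to the wrong file.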

Expert Comment

by:JimboEfx
ID: 20361252
If you want a commercial solution:

http://www.scriptlogic.com/products/filesystemauditor/

Good reporting, saves your time. Not that expensive.

Author Closing Comment

by:InvoiceInsight
ID: 31410440
That sucks that you have to correlate two event IDs but at least I know how to track it now. Thanks!