Solved

Logging / Auditing when files are deleted

Posted on 2007-11-21
3
436 Views
Last Modified: 2013-12-05
I have enabled auditing on a directory to log the following:

Name:  Everyone
Delete Subfolders and files (Success and Failure)
Delete (Success and Failure)

I am trying to log everytime a file is deleted in the directory.  i want to capture the file name and who did it.  When I leave it set to "everyone", I don't get any entries.  If I add a specific username, I only log 564 events.  That would be fine, except that 564 events don't tell you what was deleted, it only tells you that the user did delete something:

Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      564
Date:            11/21/2007
Time:            2:19:07 PM
User:            domainname\ftpfailover
Computer:      servername
Description:
Object Deleted:
       Object Server:      Security
       Handle ID:      2340
       Process ID:      616
       Image File Name:      C:\WINDOWS\explorer.exe

Can someone explain how I go about setting up logging to track when a file is deleted and who deleted?
0
Comment
Question by:InvoiceInsight
3 Comments
 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 500 total points
ID: 20330390
Hi InvoiceInsight,

You should look for prior EventID: 560 with the same handle ID. You need to check both events: 560 and 564 to get complete information, unfortunately.

HTH

Toni
0
 
LVL 15

Expert Comment

by:JimboEfx
ID: 20361252
If you want a commercial solution:

http://www.scriptlogic.com/products/filesystemauditor/

Good reporting, saves your time. Not that expensive.
0
 

Author Closing Comment

by:InvoiceInsight
ID: 31410440
That sucks that you have to correlate two event ID's but at least I know how to track it now.  Thanks!
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows Server Licensing - Home Server 6 70
Move SQL 2005 Express to Server 2012R2 19 143
User wants to log with Username or Email 4 53
domain and forest trust 1 9
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question