Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 175
  • Last Modified:

Windows DC / Webserver Logging

We have a secondary domain controller that also serves as our corporate intranet.
About a week ago, a confidenital document was discovered on the intranet and I'd like to find out when it was placed there and by whom. (Sdaly, it was deleted as soon is was discovered)

Does Windows keep any logs that may help me find out who put it there?

Thanks!
0
edalzell
Asked:
edalzell
  • 2
1 Solution
 
mvgeertruyenCommented:
Not really unless configured. The good new is that IIS does in the C:\WINDOWS\system32\LogFiles\W3SVC1 folder. Have a look through the text files one the date that the incident happened (search the log files for the name of the document - depending on your intranet config it does give a fair bit of info (such as IP, User, POST/GET,...)

Hope this helps
0
 
edalzellAuthor Commented:
mvgeertruyen,

Thanks for the tips.
Will the W3SVC1 logs tell me who saved a file to a web dir, or just who viewed them via the intranet?
Thanks for your response! :-)

E.D.
0
 
mvgeertruyenCommented:
Depends on you intranet - I'm using SPS 2003 (still :-( ) and saving a file would cause log entries like below


2009-04-28 08:55:16 W3SVC1 Y.Y.Y.Y OPTIONS /_vti_bin/owssvr.dll - 80 - X.X.X.X Microsoft+Office+Protocol+Discovery 401 2 2148074254
2009-04-28 08:55:16 W3SVC1 Y.Y.Y.Y PROPFIND /_vti_bin/owssvr.dll - 80 DOMAIN\USER X.X.X.X Microsoft-WebDAV-MiniRedir/6.0.6001 404 0 0
2009-04-28 08:55:16 W3SVC1 Y.Y.Y.Y OPTIONS /_vti_bin/owssvr.dll - 80 - X.X.X.X Microsoft+Office+Protocol+Discovery 401 1 0
2009-04-28 08:55:16 W3SVC1 Y.Y.Y.Y OPTIONS /_vti_bin/owssvr.dll - 80 DOMAIN\USER X.X.X.X Microsoft+Office+Protocol+Discovery 200 0 0
2009-04-28 08:55:16 W3SVC1 Y.Y.Y.Y POST /_vti_bin/shtml.dll/_vti_rpc - 80 - X.X.X.X MSFrontPage/12.0 401 1 0
2009-04-28 08:55:16 W3SVC1 Y.Y.Y.Y POST /_vti_bin/shtml.dll/_vti_rpc - 80 DOMAIN\USER 
2009-04-28 08:55:16 W3SVC1 Y.Y.Y.Y GET /_vti_bin/owssvr.dll location=Document%20Library1/20200900428.docx&dialogview=SaveForm 80
2009-04-28 08:55:16 W3SVC1 Y.Y.Y.Y GET /_vti_bin/owssvr.dll location=Document%20Library1/20200900428.docx&dialogview=SaveForm 80 
2009-04-28 08:55:17 W3SVC1 Y.Y.Y.Y GET /_vti_bin/owssvr.dll location=Document%20Library1/20200900428.docx&dialogview=SaveForm 80 DOMAIN\USER 

Open in new window

0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now