
Translate object access audit log

nellster1000 asked:
Hi all,

We keep having folders mysteriously being moved from one directory to another or being deleted. I have set up auditing on these directories but am having difficulty translating the entries in the event viewer. I set the auditing up to track "Delete Subfolders and files" & "Delete".

What parts of the log entry will inform me if a file/folder has been deleted or moved?

Many thanks in advance!

Nellster


Commented:
Hi, have a look at this for deletes:

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=564

You should look for 560s with coinciding 564s; a move will be the same as a delete.

HTH

Author commented:
Thanks for the reply. Starting to make sense. However, the two entries that I have are both ID 560. I have attached a txt file.

I have changed some of the info like domain, user, etc. Effectively "D:\someDir" stands for the dir that was moved.

Cheers,

Nellster
ObjectAccess.txt
Commented:
Hi, all this is telling you is that this user has

Accesses:      DELETE
                  SYNCHRONIZE
                  ReadAttributes

to the file that they are accessing.

What 560 does is show that you are auditing object level security on those folders.  Again, you will see this if there is a failure or a success if someone has the proper or improper access.

This doesn't signify anything really, other than the user's rights to that file.

When a user deletes a file you WILL see something like this:

Event ID: 564 (0x0234)
       Type: Success Audit
Description: Object Deleted
             Object Server: %1          Handle ID: %2
             Process ID: %3
                        
Again, this will be coupled with a 560, at the same time so you can determine who the culprit is.

Also, ensure that you have the proper auditing enabled on the share for deleted objects.

Follow this:
http://www.watchdirectory.net/wdhelp/plugins/wdopAuditInfoConf.html#enaudc
(just do the last part as you have already enabled object access)

Also, you may want to look for 563 event IDs as well:

Product:      Windows Operating System
Event ID:      563
Source:      Security
Version:      5.0
Component:      Security Event Log
Symbolic Name:      SE_AUDITID_OPEN_OBJECT_FOR_DELETE
Message:      Object Open for Delete:
Object Server: %1
Object Type: %2
Object Name: %3
New Handle ID: %4
Operation ID: {%5,%6}
Process ID: %7
Primary User Name: %8
Primary Domain: %9
Primary Logon ID: %10
Client User Name: %11
Client Domain: %12
Client Logon ID: %13
Accesses %14
Privileges %15
   
Explanation

This event record indicates that an object has been opened with the intent to delete the object. The only way to determine what happened to the object is to look at the Object Name in the audit log. This message does not mean that the object was deleted. The log will show what action occurred. Note: There are security implications to this action if the object name represents a file containing sensitive data.
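As an added example (not code from this thread or from the linked sites), the small Python script below does the 560/564 correlation by Handle ID that the answer describes: a 564 (Object Deleted) tells you something went away, and the 560 (Object Open) sharing its Handle ID tells you which object and which user. The log text is constructed in the Windows 2000/2003 Security log layout with made-up values; field names follow the templates quoted above.

```python
import re
# Constructed sample records (made-up values). "D:\someDir" stands in for the
# moved folder as in the thread; handle 1234 is deleted, handle 1235 is only opened.
SAMPLE_LOG = """\
Event ID: 560
Object Name: D:\\someDir
Handle ID: 1234
Primary User Name: alice
Accesses: DELETE
          SYNCHRONIZE
----
Event ID: 560
Object Name: D:\\otherDir\\report.doc
Handle ID: 1235
Primary User Name: bob
Accesses: ReadAttributes
          DELETE
----
Event ID: 564
Handle ID: 1234
----
"""

def parse_events(text):
    """Split the log into records; 'Field: value' lines become keys, indented lines extend the previous field."""
    events = []
    for block in text.split("----"):
        fields, last = {}, None
        for line in block.splitlines():
            m = re.match(r"([A-Za-z ]+?):\s*(.*)$", line)
            if m:
                last = m.group(1)
                fields[last] = m.group(2)
            elif line.strip() and last:
                fields[last] += " " + line.strip()
        if "Event ID" in fields:
            events.append(fields)
    return events

def confirmed_deletions(events):
    """Join each 564 (Object Deleted) to the 560 (Object Open) with the same Handle ID: that names object and user."""
    opens = {e["Handle ID"]: e for e in events if e["Event ID"] == "560"}
    return [(opens[e["Handle ID"]]["Object Name"], opens[e["Handle ID"]]["Primary User Name"])
            for e in events if e["Event ID"] == "564" and e["Handle ID"] in opens]

def unconfirmed_delete_opens(events):
    """560s that granted DELETE but have no 564: only proof of rights, not that anything was deleted."""
    deleted = {e["Handle ID"] for e in events if e["Event ID"] == "564"}
    return [e["Object Name"] for e in events
            if e["Event ID"] == "560" and "DELETE" in e.get("Accesses", "").split() and e["Handle ID"] not in deleted]
```

Run against a real export, the second function lists exactly the kind of 560-only entries the question attached, which by themselves do not show a deletion.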