jalenk
asked on
Parameters list in Security Event ID 4663
I'm trying to alert when files are deleted in a folder. I turned on auditing for deletes and I see event id 4663 in the security log. I'm using SCOM 2012 to comb the event log.
What I need to know is what the parameter values are for this alert.
Specifically, what parameter value is the "DELETE" value?
Access Request Information:
Accesses: DELETE
ASKER
quick!
I have it memorized from years of SCOM and ACS :)
The easiest way is to open the event you are concerned about in Event Viewer and select the copy command. Paste the contents into Notepad and you will have the XML data of the event.
If you look under the EventData section, you'll notice a number of <Data Name=".... Each of those is a string and can be referred to as String01, String02, String03, in order, until you reach the end.
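The positional mapping described in the comment above, as an added example that is not part of the original thread: it numbers each Data element under EventData in order and checks the access fields for DELETE. The event XML is a constructed sample with made-up values, the function name Get-EventParameterMap is hypothetical, and it assumes DELETE appears as %%1537 in AccessList and as bit 0x10000 in AccessMask; read the positions from a copy of your own event.

```powershell
# Constructed sample of a 4663 event as pasted from Event Viewer (values are made up).
$eventXml = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4663</EventID>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">D:\Shares\Finance\report.xlsx</Data>
    <Data Name="HandleId">0x1a4</Data>
    <Data Name="AccessList">%%1537</Data>
    <Data Name="AccessMask">0x10000</Data>
    <Data Name="ProcessId">0x4</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@

# Hypothetical helper: number each <Data> element in document order (1-based).
function Get-EventParameterMap {
    param([Parameter(Mandatory)][xml]$EventXml)
    $position = 0
    foreach ($node in $EventXml.Event.EventData.Data) {
        $position++
        [pscustomobject]@{
            Position = $position
            Name     = $node.GetAttribute('Name')
            Value    = $node.InnerText
        }
    }
}

$map = Get-EventParameterMap -EventXml $eventXml
$map | Format-Table -AutoSize

# The raw XML stores the access as a message token and a bit mask, not the word "DELETE".
$deleteToken = '%%1537'   # assumption: token Event Viewer renders as DELETE
$deleteBit   = 0x10000    # assumption: DELETE bit in the access mask

$accessList = $map | Where-Object Name -eq 'AccessList'
$accessMask = $map | Where-Object Name -eq 'AccessMask'
$maskValue  = [Convert]::ToInt32($accessMask.Value, 16)

# Test the bit and the token rather than equality: a request can combine several rights.
$isDelete = (($maskValue -band $deleteBit) -ne 0) -or ($accessList.Value -match [regex]::Escape($deleteToken))
"AccessList is parameter $($accessList.Position), AccessMask is parameter $($accessMask.Position), DELETE requested: $isDelete"
```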