Solved

Which event ID do I trap for file / folder deletions in Windows 2008  (not R2)

Posted on 2013-12-13
5
5,779 Views
Last Modified: 2014-01-08
I need to trap for when a file or folder is deleted on a Windows 2008 server (not R2).
I turned on auditing for file and folder deletions.  I started to trap on event id 4663, but 4663 is also used for renaming and saving the file. The events for a rename and deletion are the same, so I can't use this for a trap.

 I need an event id that is only used for a file / folder deletion so I can trap it for an alert.

Thank You
0
Comment
Question by:jalenk
  • 2
  • 2
5 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 39718005
You can't 'trap' this - - a trap suggests that you can intercept and prevent the action.

Neither can you audit a just a deletion in this way - delete, rename, create are all 'modifications' and share the same audit event - but you can filter the audit log - see http://sogeeky.blogspot.co.uk/2006/07/how-to-audit-and-track-file-deletions.html
0
 

Author Comment

by:jalenk
ID: 39718029
I don't have Event ID 560 in my security log.  I'm using SCOM to pick out the event and alert on it. But, I need a unique event that only fires when a file / foler is deleted.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 39718134
Have you also enabled both the auditing of object access (in group policy), and at the folder level?
0
 

Author Comment

by:jalenk
ID: 39721958
Yes i have applied the auditing of object access at the folder and file level. I did some research and Event ID 560 was under in Windows 2003 & early. We have Windows 2008 (not R2)
0
 
LVL 3

Accepted Solution

by:
Detlef001 earned 500 total points
ID: 39726445
You first will need to turn on auditing, from either local policies, or domain policies and apply it to the machine you want to audit. Once the policy is set you need to configure auditing on everything you want to audit, and that will start adding events to the event log.
GPEDIT:
Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy --> Audit object Access
You can turn on success, because if they don't have access to delete things then it would create a failure, so you dont want to monitor those events.
Once that is in place, go to the folder you want to monitor, right click and go to properties
Click the security tab --> Advanced --> Auditing Tab --> Edit --> Add --> then add the group that has access to that folder --> Select the events you want to audit and click OK --> Select Replace all existing inheritable audit entries, to appply the audit on all sub folders and files and click OK

I believe security, look for even ID's 4663 and 4656, those should log the deletion of an object. If not you may not have thigns configured properly

Moreover if you want more easy then you can go for an third party application also for the same.

Please use this application for files and folder monitoring.

Thanks.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Remote access server vs NAP 4 88
Share and Advanced Sharing permissions 8 119
SLMGR Switches Are Not Working On KMS Host 3 114
Server HP DL380 G7 13 47
Have you ever had a hard drive that you can't boot into, but need to change the registry? Here is the solution! This article guides you through accessing and editing a registry of a non-primary drive. To read registry information on a non-prim…
Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question