Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Which event ID do I trap for file / folder deletions in Windows 2008  (not R2)

Posted on 2013-12-13
5
Medium Priority
?
6,387 Views
Last Modified: 2014-01-08
I need to trap for when a file or folder is deleted on a Windows 2008 server (not R2).
I turned on auditing for file and folder deletions.  I started to trap on event id 4663, but 4663 is also used for renaming and saving the file. The events for a rename and deletion are the same, so I can't use this for a trap.

 I need an event id that is only used for a file / folder deletion so I can trap it for an alert.

Thank You
0
Comment
Question by:jalenk
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 39718005
You can't 'trap' this - - a trap suggests that you can intercept and prevent the action.

Neither can you audit a just a deletion in this way - delete, rename, create are all 'modifications' and share the same audit event - but you can filter the audit log - see http://sogeeky.blogspot.co.uk/2006/07/how-to-audit-and-track-file-deletions.html
0
 

Author Comment

by:jalenk
ID: 39718029
I don't have Event ID 560 in my security log.  I'm using SCOM to pick out the event and alert on it. But, I need a unique event that only fires when a file / foler is deleted.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 39718134
Have you also enabled both the auditing of object access (in group policy), and at the folder level?
0
 

Author Comment

by:jalenk
ID: 39721958
Yes i have applied the auditing of object access at the folder and file level. I did some research and Event ID 560 was under in Windows 2003 & early. We have Windows 2008 (not R2)
0
 
LVL 3

Accepted Solution

by:
Detlef001 earned 1500 total points
ID: 39726445
You first will need to turn on auditing, from either local policies, or domain policies and apply it to the machine you want to audit. Once the policy is set you need to configure auditing on everything you want to audit, and that will start adding events to the event log.
GPEDIT:
Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy --> Audit object Access
You can turn on success, because if they don't have access to delete things then it would create a failure, so you dont want to monitor those events.
Once that is in place, go to the folder you want to monitor, right click and go to properties
Click the security tab --> Advanced --> Auditing Tab --> Edit --> Add --> then add the group that has access to that folder --> Select the events you want to audit and click OK --> Select Replace all existing inheritable audit entries, to appply the audit on all sub folders and files and click OK

I believe security, look for even ID's 4663 and 4656, those should log the deletion of an object. If not you may not have thigns configured properly

Moreover if you want more easy then you can go for an third party application also for the same.

Please use this application for files and folder monitoring.

Thanks.
0

Featured Post

How Blockchain Is Impacting Every Industry

Blockchain expert Alex Tapscott talks to Acronis VP Frank Jablonski about this revolutionary technology and how it's making inroads into other industries and facets of everyday life.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Some time ago I faced the need to use a uniform folder structure that spanned across numerous sites of an enterprise to be used as a common repository for the Software packages of the Configuration Manager 2007 infrastructure. Because the procedu…
Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip is around source server preparation. No migration is an easy migration, there is a…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question