jalenk
Which event ID do I trap for file / folder deletions in Windows 2008 (not R2)?
I need to trap for when a file or folder is deleted on a Windows 2008 server (not R2).
I turned on auditing for file and folder deletions. I started to trap on event id 4663, but 4663 is also used for renaming and saving the file. The events for a rename and deletion are the same, so I can't use this for a trap.
I need an event id that is only used for a file / folder deletion so I can trap it for an alert.
Thank You
ASKER
I don't have Event ID 560 in my security log. I'm using SCOM to pick out the event and alert on it. But I need a unique event that only fires when a file / folder is deleted.
Have you also enabled both the auditing of object access (in group policy), and at the folder level?
ASKER
Yes, I have applied the auditing of object access at the folder and file level. I did some research and Event ID 560 was under Windows 2003 & earlier. We have Windows 2008 (not R2).
Neither can you audit just a deletion in this way - delete, rename, create are all 'modifications' and share the same audit event - but you can filter the audit log - see http://sogeeky.blogspot.co.uk/2006/07/how-to-audit-and-track-file-deletions.html
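One way to do the log filtering suggested above, as an added example that is not part of the original thread: it reads Security events exported as XML and keeps only the 4663 records whose AccessMask includes the DELETE right (0x10000). It assumes an export wrapped in a root element (for instance `wevtutil qe Security /f:xml /e:Events`); the sample events and user names are constructed, and because a rename requests the same access, as the asker observed, the filter narrows the log without separating renames from deletions.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DELETE = 0x00010000  # DELETE standard access right in the 4663 AccessMask


def _event(event_id, user, obj, mask):
    """Build one constructed event for the sample below (hypothetical helper)."""
    return (
        f"<Event xmlns='{NS['e']}'><System><EventID>{event_id}</EventID></System>"
        f"<EventData><Data Name='SubjectUserName'>{user}</Data>"
        f"<Data Name='ObjectName'>{obj}</Data>"
        f"<Data Name='AccessMask'>{mask}</Data></EventData></Event>"
    )


# Constructed sample: only the first and last events are 4663 with DELETE set.
SAMPLE = "<Events>" + "".join([
    _event(4663, "alice", "C:\\Share\\report.docx", "0x10000"),
    _event(4663, "bob", "C:\\Share\\notes.txt", "0x2"),        # write, no DELETE
    _event(4656, "carol", "C:\\Share\\old.log", "0x10000"),    # handle request only
    _event(4663, "dave", "C:\\Share\\archive", "0x110080"),    # DELETE plus other bits
]) + "</Events>"


def delete_access_events(xml_text):
    """Return (user, object) for each 4663 event whose AccessMask has DELETE."""
    hits = []
    for event in ET.fromstring(xml_text).findall("e:Event", NS):
        if event.findtext("e:System/e:EventID", default="", namespaces=NS) != "4663":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in event.findall("e:EventData/e:Data", NS)}
        try:
            mask = int(data.get("AccessMask", "0"), 16)  # rendered as hex, e.g. 0x10000
        except ValueError:
            continue  # skip records with an unparseable mask
        if mask & DELETE:
            hits.append((data.get("SubjectUserName"), data.get("ObjectName")))
    return hits


if __name__ == "__main__":
    for user, obj in delete_access_events(SAMPLE):
        print(f"DELETE access by {user} on {obj}")
```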