Solved

Which event ID do I trap for file / folder deletions in Windows 2008  (not R2)

Posted on 2013-12-13
5
5,908 Views
Last Modified: 2014-01-08
I need to trap for when a file or folder is deleted on a Windows 2008 server (not R2).
I turned on auditing for file and folder deletions.  I started to trap on event id 4663, but 4663 is also used for renaming and saving the file. The events for a rename and deletion are the same, so I can't use this for a trap.

 I need an event id that is only used for a file / folder deletion so I can trap it for an alert.

Thank You
0
Comment
Question by:jalenk
  • 2
  • 2
5 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 39718005
You can't 'trap' this - - a trap suggests that you can intercept and prevent the action.

Neither can you audit a just a deletion in this way - delete, rename, create are all 'modifications' and share the same audit event - but you can filter the audit log - see http://sogeeky.blogspot.co.uk/2006/07/how-to-audit-and-track-file-deletions.html
0
 

Author Comment

by:jalenk
ID: 39718029
I don't have Event ID 560 in my security log.  I'm using SCOM to pick out the event and alert on it. But, I need a unique event that only fires when a file / foler is deleted.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 39718134
Have you also enabled both the auditing of object access (in group policy), and at the folder level?
0
 

Author Comment

by:jalenk
ID: 39721958
Yes i have applied the auditing of object access at the folder and file level. I did some research and Event ID 560 was under in Windows 2003 & early. We have Windows 2008 (not R2)
0
 
LVL 3

Accepted Solution

by:
Detlef001 earned 500 total points
ID: 39726445
You first will need to turn on auditing, from either local policies, or domain policies and apply it to the machine you want to audit. Once the policy is set you need to configure auditing on everything you want to audit, and that will start adding events to the event log.
GPEDIT:
Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy --> Audit object Access
You can turn on success, because if they don't have access to delete things then it would create a failure, so you dont want to monitor those events.
Once that is in place, go to the folder you want to monitor, right click and go to properties
Click the security tab --> Advanced --> Auditing Tab --> Edit --> Add --> then add the group that has access to that folder --> Select the events you want to audit and click OK --> Select Replace all existing inheritable audit entries, to appply the audit on all sub folders and files and click OK

I believe security, look for even ID's 4663 and 4656, those should log the deletion of an object. If not you may not have thigns configured properly

Moreover if you want more easy then you can go for an third party application also for the same.

Please use this application for files and folder monitoring.

Thanks.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
When you upgrade from Windows 8 to 8.1 or to Windows 10 or if you are like me you are on the Insider Program you may find yourself with many 450MB recovery partitions.  With a traditional disk that may not be a problem but with relatively smaller SS…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question