Solved

Which event ID do I trap for file / folder deletions in Windows 2008 (not R2)?

Posted on 2013-12-13
5
6,203 Views
Last Modified: 2014-01-08
I need to trap for when a file or folder is deleted on a Windows 2008 server (not R2).
I turned on auditing for file and folder deletions. I started to trap on event ID 4663, but 4663 is also used for renaming and saving the file. The events for a rename and deletion are the same, so I can't use this for a trap.

I need an event ID that is only used for a file / folder deletion so I can trap it for an alert.

Thank You
Question by:jalenk
5 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 39718005
You can't 'trap' this - a trap suggests that you can intercept and prevent the action.

Neither can you audit just a deletion in this way - delete, rename, create are all 'modifications' and share the same audit event - but you can filter the audit log - see http://sogeeky.blogspot.co.uk/2006/07/how-to-audit-and-track-file-deletions.html
0
 

Author Comment

by:jalenk
ID: 39718029
I don't have Event ID 560 in my security log. I'm using SCOM to pick out the event and alert on it. But I need a unique event that only fires when a file / folder is deleted.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 39718134
Have you also enabled both the auditing of object access (in group policy), and at the folder level?
0
 

Author Comment

by:jalenk
ID: 39721958
Yes, I have applied the auditing of object access at the folder and file level. I did some research, and Event ID 560 was in Windows 2003 & earlier. We have Windows 2008 (not R2).
0
 
LVL 3

Accepted Solution

by:
Detlef001 earned 500 total points
ID: 39726445
You will first need to turn on auditing, from either local policies or domain policies, and apply it to the machine you want to audit. Once the policy is set, you need to configure auditing on everything you want to audit, and that will start adding events to the event log.

GPEDIT:
Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy --> Audit object access

You can turn on success, because if they don't have access to delete things then it would create a failure, so you don't want to monitor those events.

Once that is in place, go to the folder you want to monitor, right-click and go to Properties.
Click the Security tab --> Advanced --> Auditing tab --> Edit --> Add --> then add the group that has access to that folder --> Select the events you want to audit and click OK --> Select "Replace all existing inheritable audit entries" to apply the audit on all subfolders and files, and click OK

In the Security log, I believe, look for event IDs 4663 and 4656; those should log the deletion of an object. If not, you may not have things configured properly.

Moreover, if you want something easier, you can also use a third-party application for the same purpose.

Please use this application for files and folder monitoring.

Thanks.
0
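An added example, not written by any poster in this thread: since a 4663 event looks the same for a rename and a delete, one way to isolate deletions is to pair each 4663 that requested DELETE access with a later event 4660 ("An object was deleted") on the same process and handle. Event 4660 is not mentioned in the thread; the sample events, user names and paths below are constructed, and the input is assumed to be Security-log events exported as XML in oldest-first order.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
DELETE = 0x10000  # DELETE bit in the 4663 AccessMask field

def _ev(eid, **data):
    """Build one constructed <Event>, trimmed to the fields used below."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample, not real log data: a rename, a delete, and a plain write.
SAMPLE = "<Events>" + "".join([
    _ev(4663, SubjectUserName="alice", ObjectName=r"C:\Share\old.txt",
        ProcessId="0x4", HandleId="0x1a4", AccessMask="0x10000"),   # rename
    _ev(4663, SubjectUserName="alice", ObjectName=r"C:\Share\report.doc",
        ProcessId="0x4", HandleId="0x2b0", AccessMask="0x10000"),   # delete ...
    _ev(4660, SubjectUserName="alice", ProcessId="0x4", HandleId="0x2b0"),
    _ev(4663, SubjectUserName="bob", ObjectName=r"C:\Share\notes.txt",
        ProcessId="0x4", HandleId="0x3c8", AccessMask="0x2"),       # write only
]) + "</Events>"

def find_deletions(xml_text):
    """Return (user, path) for every 4660 matched to an earlier 4663 DELETE."""
    pending = {}   # (ProcessId, HandleId) -> (user, path) from the latest 4663
    deleted = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        eid = ev.findtext(f"{NS}System/{NS}EventID")
        d = {n.get("Name"): n.text for n in ev.iter(NS + "Data")}
        # Handle IDs are reused, so key on the process as well as the handle.
        key = (d.get("ProcessId"), d.get("HandleId"))
        if eid == "4663" and int(d.get("AccessMask", "0"), 16) & DELETE:
            pending[key] = (d.get("SubjectUserName"), d.get("ObjectName"))
        elif eid == "4660" and key in pending:
            # 4660 carries no object name; take it from the paired 4663.
            deleted.append(pending.pop(key))
    return deleted

if __name__ == "__main__":
    for user, path in find_deletions(SAMPLE):
        print(f"deleted by {user}: {path}")
```

The rename in the sample also requests DELETE access but is never followed by a 4660 on its handle, so only the real deletion is reported.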
