• Status: Solved
• Priority: Medium
• Security: Public
• Views: 6222

Help with auditing file deletion on Windows Server 2012

I have followed the directions in the link below to turn on auditing.

http://social.technet.microsoft.com/Forums/en-US/971e24e2-462e-41a8-a8ba-e39140508dc7/how-can-track-who-deleted-filefolder-from-windows-server-2008?forum=winserverfiles

I am having a couple of issues with this.

First, since I enabled auditing on a test share, the necessary events are not showing up in the security log. I attached a picture of the audit tab I setup on the folder I am trying to test. Please let me know if there is anything wrong here.

I also have auditing turned on in the GP security audit policy. I attached that as well. Please let me know if this is correct or not.

This server was just installed last year and I don't remember turning auditing on for any other folders but for some reason, the security log fills up with several event logs per second and it fills the log so fast that it is a huge pain to search through. I also tried using a filter to look for events 560 or 564 to try and find the file I deleted to test but that log was not there.

What am I missing? How can I make an event occur when a file or folder is deleted, and how do I cut down on the number of events happening in the security log?

This is for a 2012 windows server.

Thanks,

Justin
Mike Kline commented:
Check for event 4660; event ID numbers changed after 2008.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=564

Notice the corresponding events section.

Is that GPO applying to the machine?

Thanks

Mike
 
JustinGSEIWI (author) commented:
Thank you for the reply.

I looked for event 4660 and found it. It did say an object was deleted but it did not say which file. I looked around and found that event 5145, 4656, and 4663 also showed a deletion and each of those showed the file and path. So that means it is working, I just need to setup auditing on the share now instead of my test folder.

How do I determine why several events a second are coming in? Most of it is not related to the deleted files I want to track. Are those necessary, or can all of the excess events be turned off? It makes it hard to find file deletions.

I attached a file showing that the policy is applying to the domain controller that hosts the share. I just noticed other audit policies turned on as well, are these the items filling up the security log? If so, can I turn them off or are they needed?

Justin
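The correlation Justin describes in the comment above (4660 says only that an object was deleted, while 4663 carries the file and path), as an added PowerShell example that is not part of the original thread. A 4660 and the 4663 for the same open carry the same Handle ID and Process ID, and the 4663 that precedes a delete reports DELETE (mask 0x10000) in its Access Mask, so joining on those fields gives "who deleted which file". The sample records, the user CORP\justin and the path D:\Shares\Test are constructed for illustration; the commented Get-WinEvent lines show the same join over the real Security log.

```powershell
# Added example (not from the original thread). Correlate 4660 ("an object was deleted",
# which carries no path) with the 4663 that used DELETE access on the same handle, so
# each deletion shows who deleted which file. Run on the file server as an administrator.

function ConvertFrom-SecurityEvent {
    # Flatten a Get-WinEvent record into the fields the join needs.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        RecordId   = $Event.RecordId    # monotonic, so it gives log order reliably
        Id         = $Event.Id
        Time       = $Event.TimeCreated
        User       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        HandleId   = $data.HandleId
        ProcessId  = $data.ProcessId
        ObjectName = $data.ObjectName   # present on 4656/4663, absent on 4660
        AccessMask = $data.AccessMask   # hex string on 4663; bit 0x10000 is DELETE
    }
}

function Find-FileDeletion {
    # Walk events in log order. A 4663 whose mask includes DELETE is remembered under
    # process + handle; the next 4660 with that key is the deletion of that file.
    # Keying on both and clearing the entry after use copes with handle-ID reuse.
    param([Parameter(Mandatory)][object[]]$Events)
    $pending = @{}
    foreach ($e in ($Events | Sort-Object RecordId)) {
        $key = '{0}:{1}' -f $e.ProcessId, $e.HandleId
        if ($e.Id -eq 4663 -and $null -ne $e.AccessMask -and (([int]$e.AccessMask) -band 0x10000)) {
            $pending[$key] = $e
        }
        elseif ($e.Id -eq 4660 -and $pending.ContainsKey($key)) {
            [pscustomobject]@{ Time = $e.Time; User = $e.User; File = $pending[$key].ObjectName }
            $pending.Remove($key)
        }
    }
}

# Constructed sample (not real log output) so the join can be tried without a server:
# justin deletes report.docx; a plain read of notes.txt (mask 0x80) must not be reported.
$sample = @(
    [pscustomobject]@{ RecordId = 101; Id = 4663; Time = [datetime]'2014-03-01 10:00:01'; User = 'CORP\justin'
                       HandleId = '0x1a4'; ProcessId = '0x4'; ObjectName = 'D:\Shares\Test\report.docx'; AccessMask = '0x10000' }
    [pscustomobject]@{ RecordId = 102; Id = 4660; Time = [datetime]'2014-03-01 10:00:01'; User = 'CORP\justin'
                       HandleId = '0x1a4'; ProcessId = '0x4'; ObjectName = $null; AccessMask = $null }
    [pscustomobject]@{ RecordId = 103; Id = 4663; Time = [datetime]'2014-03-01 10:00:05'; User = 'CORP\justin'
                       HandleId = '0x1a8'; ProcessId = '0x4'; ObjectName = 'D:\Shares\Test\notes.txt'; AccessMask = '0x80' }
)
Find-FileDeletion -Events $sample | Format-Table -AutoSize

# On the server, the same join over the last day of the Security log:
# $raw = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663; StartTime = (Get-Date).AddDays(-1) }
# Find-FileDeletion -Events ($raw | ForEach-Object { ConvertFrom-SecurityEvent $_ })
```

Filtering on Id 4660,4663 in the Get-WinEvent call, rather than in PowerShell afterwards, is what keeps this usable on a log that fills at several events per second; 5145 (share access) is left out because its path is the share-relative one, while 4663 gives the local path on the server.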
 
Pankaj_401 commented:
Hi Justin,
I see a lot of good suggestions here, and some of them look good for resolving your concern. Please check this link.
However, you can select the permission that you want to audit, such as "delete" in this case; after that we can determine it by checking the audit event log.
Here is how it can be configured: http://technet.microsoft.com/en-us/library/dn319056.aspx
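Configuring the audit the way Pankaj describes (only the Delete permission, on the folder), as an added PowerShell example that is not part of the original thread; the folder path D:\Shares\Test and auditing of Everyone are assumptions, adjust them to the share. The auditpol step also bears on the flooded log asked about above: the legacy "Audit object access" policy enables every Object Access subcategory, including the high-volume Filtering Platform Connection (5156) and Handle Manipulation (4658) ones, whereas the File System subcategory alone is what produces 4656/4660/4663 for files.

```powershell
# Added example (not from the original thread). Run as an administrator on the file server.
# Assumed folder; replace with the real share path.
$Folder = 'D:\Shares\Test'

# 1. See which subcategories are actually on. When the GPO uses the legacy
#    "Audit object access" setting, every subcategory below shows as enabled.
auditpol /get /category:"Object Access"

# 2. Audit only the File System subcategory. For this to survive the next policy
#    refresh, enable the GPO security option "Audit: Force audit policy subcategory
#    settings (Windows Vista or later) to override audit policy category settings",
#    or move the setting into Advanced Audit Policy Configuration in the GPO itself.
auditpol /set /subcategory:"File System" /success:enable /failure:disable

# 3. Add a SACL entry: audit successful Delete and Delete Subfolders and Files by
#    Everyone, inherited by all subfolders and files of the share.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success
)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 4. Verify the SACL took, then delete a test file and look for 4660/4663 in the Security log.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Auditing only Delete rather than Full Control on the folder is what keeps the per-file noise down: every read or attribute query on an audited folder would otherwise log its own 4663.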
