Solved

Help with auditing file deletion on Windows Server 2012

Posted on 2014-04-23
Last Modified: 2014-04-29
I have followed the directions in the link below to turn on auditing.

http://social.technet.microsoft.com/Forums/en-US/971e24e2-462e-41a8-a8ba-e39140508dc7/how-can-track-who-deleted-filefolder-from-windows-server-2008?forum=winserverfiles

I am having a couple of issues with this.

First, since I enabled auditing on a test share, the necessary events are not showing up in the security log. I attached a picture of the audit tab I set up on the folder I am trying to test. Please let me know if there is anything wrong here.

I also have auditing turned on in the GP security audit policy. I attached that as well. Please let me know if this is correct or not.

This server was just installed last year and I don't remember turning auditing on for any other folders but for some reason, the security log fills up with several event logs per second and it fills the log so fast that it is a huge pain to search through. I also tried using a filter to look for events 560 or 564 to try and find the file I deleted to test but that log was not there.

What am I missing? How can I make an event occur when a file or folder is deleted, and how do I cut down on the number of events happening in the security log?

This is for a 2012 Windows server.

Thanks,

Justin
EE.JPG
ee1.JPG
Question by:JustinGSEIWI
3 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 40017742
Check for event 4660, event ID numbers changed after 2008.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=564

Notice the corresponding events section.

Is that GPO applying to the machine?

Thanks

Mike
0
 

Author Comment

by:JustinGSEIWI
ID: 40017815
Thank you for the reply.

I looked for event 4660 and found it. It did say an object was deleted but it did not say which file. I looked around and found that events 5145, 4656, and 4663 also showed a deletion and each of those showed the file and path. So that means it is working; I just need to set up auditing on the share now instead of my test folder.

How do I determine why several events a second are coming in? Most of it is not related to the deleted files I want to track. Are those necessary or can all of the excess events be turned off? It makes it hard to find file deletions.

I attached a file showing that the policy is applying to the domain controller that hosts the share. I just noticed other audit policies turned on as well; are these the items filling up the security log? If so, can I turn them off or are they needed?

Justin
ee3.JPG
0
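
Event 4660 records that a deletion happened but not the object name, while the 4663 logged for the same handle carries the path, so pairing the two on process ID and Handle ID gives one line per deleted file. The PowerShell below is an added example, not part of the original thread; the function names are hypothetical and the sample events, user and paths are constructed.

```powershell
# Added example. Function names are hypothetical; sample events are constructed.
function ConvertTo-AuditRecord {
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $rec = [ordered]@{ Id = [int]$x.Event.System.EventID }
    # Flatten <Data Name="...">value</Data> into properties
    foreach ($d in $x.Event.EventData.Data) { $rec[$d.Name] = $d.'#text' }
    [pscustomobject]$rec
}

function Get-DeletedObject {
    # $Records must be oldest first, because handle IDs are reused over time.
    param([Parameter(Mandatory)][object[]]$Records)
    $open = @{}   # "ProcessId|HandleId" -> latest 4663 that used DELETE access
    foreach ($r in $Records) {
        $key = "$($r.ProcessId)|$($r.HandleId)"
        if ($r.Id -eq 4663) {
            # 0x10000 is the DELETE bit in the 4663 access mask
            if ([Convert]::ToInt64($r.AccessMask, 16) -band 0x10000) { $open[$key] = $r }
        } elseif ($r.Id -eq 4660) {
            $hit = $open[$key]
            [pscustomobject]@{
                User    = "$($r.SubjectDomainName)\$($r.SubjectUserName)"
                Process = $r.ProcessName
                Object  = if ($hit) { $hit.ObjectName } else { '<no matching 4663>' }
            }
            $open.Remove($key)
        }
    }
}

function New-SampleEvent($Id, $Data) {   # builds constructed input, not real log data
    $fields = ($Data.GetEnumerator() | ForEach-Object {
        "<Data Name='$($_.Key)'>$($_.Value)</Data>" }) -join ''
    "<Event><System><EventID>$Id</EventID></System><EventData>$fields</EventData></Event>"
}
$who = @{ SubjectUserName = 'jdoe'; SubjectDomainName = 'EXAMPLE'
          ProcessId = '0x9c0'; ProcessName = 'C:\Windows\explorer.exe' }
$sample = @(
    New-SampleEvent 4663 ($who + @{ HandleId = '0x1a4'; AccessMask = '0x10000'
                                    ObjectName = 'D:\Shares\Test\report.docx' })
    New-SampleEvent 4663 ($who + @{ HandleId = '0x2b8'; AccessMask = '0x1'
                                    ObjectName = 'D:\Shares\Test\notes.txt' })
    New-SampleEvent 4660 ($who + @{ HandleId = '0x1a4' })
)
Get-DeletedObject -Records ($sample | ForEach-Object { ConvertTo-AuditRecord $_ })

# Live log (elevated): Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4660,4663} -Oldest
#   then pipe each event's .ToXml() through ConvertTo-AuditRecord as above.
```

On the constructed input this returns a single row for `D:\Shares\Test\report.docx`; the read-only access to `notes.txt` is ignored because its access mask lacks the DELETE bit.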
 
LVL 5

Assisted Solution

by:Pankaj_401
Pankaj_401 earned 250 total points
ID: 40019373
Hi Justin,
I see a lot of good suggestions here, and some of them look good to resolve your concern. Please check this link.
However, you can select the permission that you want to audit, such as "delete" in this case; after that, we can determine that by checking the auditing event log.
Here is how it can be configured: http://technet.microsoft.com/en-us/library/dn319056.aspx
0
