Solved

Help with auditing file deletion on Windows Server 2012

Posted on 2014-04-23
Last Modified: 2014-04-29
I have followed the directions in the link below to turn on auditing.

http://social.technet.microsoft.com/Forums/en-US/971e24e2-462e-41a8-a8ba-e39140508dc7/how-can-track-who-deleted-filefolder-from-windows-server-2008?forum=winserverfiles

I am having a couple of issues with this.

First, since I enabled auditing on a test share, the necessary events are not showing up in the security log. I attached a picture of the audit tab I set up on the folder I am trying to test. Please let me know if there is anything wrong here.

I also have auditing turned on in the GP security audit policy. I attached that as well. Please let me know if this is correct or not.

This server was just installed last year and I don't remember turning auditing on for any other folders but for some reason, the security log fills up with several event logs per second and it fills the log so fast that it is a huge pain to search through. I also tried using a filter to look for events 560 or 564 to try and find the file I deleted to test but that log was not there.

What am I missing? How can I make an event occur when a file or folder is deleted and how do I cut down on the number of events happening in the security log?

This is for a 2012 Windows server.

Thanks,

Justin
EE.JPG
ee1.JPG
Question by:JustinGSEIWI
3 Comments

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 40017742
Check for event 4660, event ID numbers changed after 2008.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=564

Notice the corresponding events section.

Is that GPO applying to the machine?

Thanks

Mike

Author Comment

by:JustinGSEIWI
ID: 40017815
Thank you for the reply.

I looked for event 4660 and found it. It did say an object was deleted but it did not say which file. I looked around and found that event 5145, 4656, and 4663 also showed a deletion and each of those showed the file and path. So that means it is working, I just need to set up auditing on the share now instead of my test folder.

How do I determine why several events a second are coming in? Most of it is not related to the deleted files I want to track. Are those necessary or can all of the excess events be turned off? It makes it hard to find file deletions.

I attached a file showing that the policy is applying to the domain controller that hosts the share. I just noticed other audit policies turned on as well, are these the items filling up the security log? If so, can I turn them off or are they needed?

Justin
ee3.JPG

Assisted Solution

by:Pankaj_401
Pankaj_401 earned 250 total points
ID: 40019373
Hi Justin,
I see a lot of good suggestions here, and some of them look good for resolving your concern. Please check this link.
However, you can select the permission that you want to audit, such as "delete" in this case; after that, we can determine that by checking the auditing event log.
Here is how it can be configured : http://technet.microsoft.com/en-us/library/dn319056.aspx
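The thread above notes that event 4660 records a deletion without naming the file, while 4663 carries the path; the two can be joined on their Handle ID. The following is an added example, not part of the original thread: the function names `ConvertTo-AuditRecord` and `Get-FileDeletion` and the sample events are constructed for illustration, and the sample XML is trimmed to the fields the join uses.

```powershell
# Added example: pair each 4660 with the 4663 that opened the same handle for DELETE.
function ConvertTo-AuditRecord([string]$EventXml) {
    $e = ([xml]$EventXml).DocumentElement
    $rec = [ordered]@{
        EventId  = [int]$e['System']['EventID'].InnerText
        RecordId = [long]$e['System']['EventRecordID'].InnerText
    }
    # Flatten <Data Name="...">value</Data> into properties
    foreach ($d in $e['EventData'].GetElementsByTagName('Data')) {
        $rec[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]$rec
}

function Get-FileDeletion([string[]]$EventXml) {
    $open = @{}   # "HandleId|ProcessId" -> latest 4663 that requested DELETE
    $EventXml | ForEach-Object { ConvertTo-AuditRecord $_ } | Sort-Object RecordId | ForEach-Object {
        # Handle IDs are reused, so key on handle + process and walk in log order
        $key = "$($_.HandleId)|$($_.ProcessId)"
        if ($_.EventId -eq 4663 -and ([Convert]::ToInt32($_.AccessMask, 16) -band 0x10000)) {
            $open[$key] = $_            # 0x10000 is the DELETE access right
        } elseif ($_.EventId -eq 4660) {
            $src = $open[$key]; $open.Remove($key)
            [pscustomobject]@{
                RecordId = $_.RecordId
                User     = $_.SubjectUserName
                File     = if ($src) { $src.ObjectName } else { '(no 4663 with DELETE for this handle)' }
            }
        }
    }
}

# Constructed sample events (a real 4660 has no ObjectName or AccessMask; left empty here).
$t = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>' +
     '<EventID>{0}</EventID><EventRecordID>{1}</EventRecordID></System><EventData>' +
     '<Data Name="SubjectUserName">{2}</Data><Data Name="ObjectName">{3}</Data>' +
     '<Data Name="HandleId">{4}</Data><Data Name="AccessMask">{5}</Data>' +
     '<Data Name="ProcessId">0x4</Data></EventData></Event>'
$sample = @(
    ($t -f 4660, 103, 'jdoe', '', '0x4a8', ''),                                # the deletion
    ($t -f 4663, 102, 'jdoe', 'D:\Shares\Test\notes.txt', '0x4b0', '0x1'),     # read, ignored
    ($t -f 4663, 101, 'jdoe', 'D:\Shares\Test\report.docx', '0x4a8', '0x10000') # DELETE request
)
Get-FileDeletion $sample | Format-Table -AutoSize

# Live use, from an elevated prompt on the file server:
# Get-FileDeletion (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4660,4663} |
#     ForEach-Object { $_.ToXml() })
```

Filtering on the two event IDs at query time also keeps the unrelated Security log traffic out of the result.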