WellingtonIS asked:
Audit Logs

I'm trying to create an audit log on my file server so I can find out who is deleting folders on my server. I've gone into the shared folder name that contains all the folders below it, and in the audit section I check the boxes for deleting. However, I can't find where it reports. I thought it would write to the Event Viewer in the Security log, but it's not. What am I missing?
arnold

Did you specify the group Authenticated Users or another AD group to which the individuals belong that would be reported?
Note that it will report these events into the security log, make sure it is large enough to avoid the new data overwriting old data.

Under which group did you select the delete event? To make sure it is working, add read/write, which are more common, to make sure it is reporting. Then you can uncheck them....
WellingtonIS (asker)
My Everyone group. I have a folder with a bunch of folders in it for departments. I started the audit at the top of the share.
Try authenticated_user group and see if you get the results you expect.
Hi,

Is this a domain-based server? I.e., a DC or a member server? If so, you need to enable the audit policy first; then the logs will be reported under the Security log in Event Viewer.

Edit the appropriate policy > Computer Configuration, navigate to Windows Settings, Security Settings, and then to Local Policies. Select Audit Policy. Define the policy here.
This is a member server, and I did enable the audit policy on the folder. Also, in the local policies the following are enabled:
Account logon events
Account management
Logon events
What's left is:
Audit object access - I think this is what I need
Policy change
Privilege use
Process tracking
System events
I think the issue is the group on which you enabled auditing.  I think you have enabled auditing on the Everyone group, Try using the authenticated_users or domain users group and see whether you will get the correct results.
Do you have event forwarding configured?
No but I can do that - OK I changed to authenticated users group
Create a file/folder and delete it, and see if the event is reflected in the Security event log.
I think I messed up the event forwarding. It's only recording detailed file sharing and logon and logoff.
OK, this is doing everything except auditing when I delete a folder/file! I have auditing set up on the root folder; it's set to audit success of a deleted file/folder. The forwarding of events isn't working even though I have that set up! AND the folders in the folders are not inheriting the audits! UGH!
SOLUTION
McKnife
Are the folders below set to inherit, or are they separated from the parent folder because of other needs? You could use icacls/xcacls or PowerShell to scan through the directory and the immediate subdirectories, checking whether each inherits and, if not, adding the auditing settings/group......
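One way to do that scan with PowerShell, as an added example that is not from the thread or from McKnife: for every immediate subfolder of the share root, read the SACL, check whether a delete audit entry for Authenticated Users is being inherited, and add an explicit one where inheritance is blocked or the entry is missing. The root path `C:\Shares\Departments` is an assumed placeholder; the script must run elevated, because reading and writing SACLs needs SeSecurityPrivilege.

```powershell
# Added example, not the thread's own code. $Root is an assumed placeholder path.
# Run from an elevated PowerShell prompt on the file server.
$Root      = 'C:\Shares\Departments'
$Identity  = [System.Security.Principal.NTAccount]'NT AUTHORITY\Authenticated Users'
$Rights    = [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Flags     = [System.Security.AccessControl.AuditFlags]::Success

# The audit entry (SACL ACE) we expect every department folder to carry
$Rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Identity, $Rights, $Inherit, $Propagate, $Flags)

Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $acl = Get-Acl -LiteralPath $_.FullName -Audit

    # Inherited audit rules only (explicit = $false, inherited = $true)
    $inheritedDelete = $acl.GetAuditRules($false, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.IdentityReference -eq $Identity -and
            (($_.FileSystemRights -band $Rights) -ne 0) -and
            (($_.AuditFlags -band $Flags) -ne 0)
        }

    # AreAuditRulesProtected is $true when SACL inheritance is blocked on this folder
    if ($acl.AreAuditRulesProtected -or -not $inheritedDelete) {
        Write-Output "No inherited delete audit on $($_.FullName); adding an explicit rule"
        $acl.AddAuditRule($Rule)
        Set-Acl -LiteralPath $_.FullName -AclObject $acl
    }
    else {
        Write-Output "OK: $($_.FullName) inherits the delete audit entry"
    }
}
```

The check looks only at inherited rules on purpose: a folder that already carries an explicit copy of the entry will also get it re-added, which is harmless, while a folder whose inheritance was broken and never fixed is the case that produces no delete events at all.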
Everything looks good but I still don't see deletes; however, I'm going to try to monitor event 4663 and see if that gives me my desired results.
Strangely, the only event IDs that are recording are 5145, 5156, 5158, 5140, but no deleting, even when I'm actually creating and deleting files.
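For reading the deletes once they do appear, here is an added example (not from the thread) that pulls them out of the Security log. A 4663 whose AccessMask includes the DELETE right (0x10000) names the object and the user; a 4660 ("an object was deleted") has the same Handle ID but no object name, so joining the two on HandleId confirms that the object was really removed rather than merely opened with delete access. It needs an elevated prompt, the File System subcategory enabled, and a Delete audit entry on the folder; the 24-hour lookback is an assumed value.

```powershell
# Added example, not the thread's own code. $Since is an assumed lookback window.
$Since       = (Get-Date).AddHours(-24)
$DeleteRight = 0x10000   # DELETE standard access right as logged in 4663 AccessMask

# Turn an event's <EventData> into a name -> value hashtable
function ConvertTo-EventData($Event) {
    $d = @{}
    foreach ($item in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $d[$item.Name] = $item.'#text'
    }
    return $d
}

$filter = @{ LogName = 'Security'; Id = 4663, 4660; StartTime = $Since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Handle IDs for which a 4660 confirms the object was deleted
$deletedHandles = @{}
foreach ($e in ($events | Where-Object Id -eq 4660)) {
    $deletedHandles[(ConvertTo-EventData $e)['HandleId']] = $true
}

$events | Where-Object Id -eq 4663 | ForEach-Object {
    $d = ConvertTo-EventData $_
    # AccessMask is logged as hex text such as 0x10000; base-16 conversion accepts the prefix
    $mask = [Convert]::ToInt32($d['AccessMask'], 16)
    if ($mask -band $DeleteRight) {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object    = $d['ObjectName']
            Type      = $d['ObjectType']
            Process   = $d['ProcessName']
            Confirmed = $deletedHandles.ContainsKey($d['HandleId'])
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

The IDs listed above (5145, 5140, 5156, 5158) come from the Detailed File Share, File Share and Filtering Platform subcategories; 4663 and 4660 come only from the File System subcategory, which is the one a folder SACL feeds.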
For what users is it audited, everyone/authenticated users?
Authenticated Users and the location is the local machine
And we are talking about local users or domain users?
Domain users - this is a file server in which things are getting deleted "Lost" way too much.  I need to find out who's doing this.
SOLUTION
OK will try that thanks!
This is truly strange. There must be something else going on I'm not aware of, because no matter what I try I cannot record deleting or creating files and folders. I can create a folder and I see the audit for that folder; however, if I add a doc/create a doc or create a new folder, the auditing doesn't appear? I can't even begin to imagine what is going on. This is set up correctly. The only other thing I can think of is my folder, which contains about 105 folders in it, is too big and therefore it's not inheriting the auditing? Or perhaps this is a server with a NAS for storage, so maybe that's the issue? Here's a list of the audits
No list attached.
For a test, try that with a local NTFS folder, please, not on a NAS.
ok will try on the "C" drive - here's the list
audit.png
Use a test folder, NOT the c: drive itself.
Something is very wrong! I created a test folder on C.  I enabled auditing for creating folders and files and deleting folders and files.  I used the account logged into the server for the account to audit.  It didn't work?
Make screenshots of your configuration.
What do you need? What's so frustrating is someone deleted a folder and I have no idea how.
This is what I've done.  The only thing recording is basically who's accessing what...
audit1.png
audit03.png
audit4.png
audit5.png
audit2.png
This size is really too big... please open PowerShell ISE instead, paste the 2 lines and execute them after adapting the folder path. Then quote the output:
$acl = get-acl c:\test -audit
$acl.getauditrules($true,$true, [System.Security.Principal.NTAccount] )


The folder path is correct and it says success. In addition, I did this on the drive share that I'm actually trying to use this on. I'm attaching the results.
auditD.png
Quote the output as is. Like this:
FileSystemRights  : ReadAndExecute
AuditFlags        : Success
IdentityReference : Ten\admin
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None
I don't understand sorry? You want me to add that after the output?
audit6.png
Last try :)
1 open PowerShell ISE (elevated: right click it and select run as administrator)
2 paste these 2 lines
$acl = get-acl c:\test -audit
$acl.getauditrules($true,$true, [System.Security.Principal.NTAccount] )


3 press play to execute it
4 copy the output, paste it here.
here you go
audit.png
ASKER CERTIFIED SOLUTION
Yes, I did exactly that - it works! Thanks. However, the problem is it's auditing every time a user accesses a file and it's overwriting quickly. So now problem 2 is to build a log server and save it all on that box, because it's not saving the logs.
SOLUTION
I hear you, but I can't seem to turn off the detailed file share 5145. I'll look at that article and see what else is there.
SOLUTION
Yes, I know that; however, once you turn on the policy of auditing, that automatically starts recording 5145 events. The only thing I have for my audits is the following:
Authenticated Users: delete subfolders and files, and delete - I don't think there's any way to stop that recording of 5145.
SOLUTION
Since I didn't need everything from all my PCs, I used the following to back up my security logs:
strComputer = "."
' Connect to WMI with the Backup and Security privileges needed to back up and clear event logs
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Backup, Security)}!\\" _
    & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTEventLogFile")
For Each objLogFile In colLogFiles
    ' Only back up and clear logs that have grown past 20 MB
    If objLogFile.FileSize > 20000000 Then
        ' BackupEventLog returns 0 on success; clear the log only when the backup file was written
        intResult = objLogFile.BackupEventLog _
            ("c:\scripts\" & objLogFile.LogFileName & ".evt")
        If intResult = 0 Then
            objLogFile.ClearEventLog()
        End If
    End If
Next

Also I redirected the security events to another location and it has 20 gigs for the logs.  I can't thank you enough for helping me!
thanks so much for your help!
Welcome!