
Audit Win2008 R2 to log events of files/folders being deleted : for post-mortem

We have a team of Wintel sysadmins, and there have been cases where critical files / folders were
accidentally deleted and we need to trace who/what deleted them: not all logins to all servers are
video-recorded (by tools like Privilege Access Manager or CyberArk).

Not too conversant with setting up Tripwire to monitor, as it ended up with thousands of lines being
logged daily: too many irrelevant entries or false positives.

I know in Unix ACLs, we can set ACLs on certain files/folders to log to the audit trail if files get deleted.
Can someone provide step-by-step instructions on how this can be done in Windows 2008 R2? Using
Tripwire is too unwieldy.

It would be good to have the option of configuring this locally (if I plan to do it only for a few servers)
as well as via GPO (if I plan to do it on a big number of servers).
Not too clear on how to avoid "read access" from being logged.

I got a couple of links above. The next question is how to extract (is this from Event Viewer's Security.evtx?) only the
"delete events" into a text output, so that I can email it out on a daily basis, as login to our Production servers is highly restricted.


>Not too clear on how to avoid "read access" from being logged.
I mean in the 2nd link, the author mentioned he ran into the issue of "read access" getting logged;
I did not quite see any solution on how to prevent read access from being logged.
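One native way to do the folder set-up the question asks for, and to keep "read access" out of the log at the same time: audit only the Delete rights on the folder, so reads never generate 4663 events. This is an added example and not something posted in the thread; the folder path is a placeholder, and it has to be run elevated on the server itself (local configuration). The equivalent GPO locations are noted in the comments.

```powershell
# Added example (not from the thread): enable object-access auditing and put a
# delete-only SACL on a folder so that deletes, but not reads, are recorded.
# Run elevated; $Folder is a placeholder path.
param([string]$Folder = 'D:\Shares\Critical')

# 1. Turn on the "File System" subcategory of Object Access, success events only.
#    Via GPO the same setting lives under Computer Configuration > Policies > Windows Settings >
#    Security Settings > Advanced Audit Policy Configuration > Object Access > Audit File System.
#    If a GPO also sets the legacy category-level "Audit object access", enable the security option
#    "Audit: Force audit policy subcategory settings" so the subcategory setting wins.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:disable

# 2. Build an audit rule for Everyone that fires only on Delete and DeleteSubdirectoriesAndFiles,
#    inherited by every sub-folder and file. ReadData / ReadAttributes are deliberately left out,
#    which is what keeps "read access" events out of the Security log.
#    Via GPO the same SACL can be pushed from Computer Configuration > Policies > Windows Settings >
#    Security Settings > File System (add the folder, then the Auditing tab).
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)

# 3. Read the current security descriptor including its SACL (-Audit), add the rule, write it back.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 4. Show what will now be audited on the folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

With this in place a deletion shows up as Event ID 4663 (access requested, with DELETE in the access mask, plus the object name, account and process) followed by Event ID 4660 (object deleted, referenced by the same Handle ID). Because the DELETE right is also needed to rename or move a file, expect those operations to be logged as well.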
Take a look at this little tool:


The only downside I would maybe see is that you need to configure for the folders you want to monitor, but it is a free potential solution to your problem.


I did think of various free tools, but they will need layers of approvals, so let's stick to Windows native built-in features.
If you're going native, you're going to have a tough time putting together a concise way to see everything you want to monitor. That said:


Following that link will step you through enabling auditing on a folder and how to propagate that out to all sub-folders inside the parent. You'll then use Event Viewer to track the changes. That's where it gets messy, because there's no filter on what it tracks.


Is there a command to extract events from Event Viewer based on a certain Event ID?
Can you provide a sample command?

I'll have to explore sharing a drive over to a PC to send out the output of this command.
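A sample command of the kind asked for above, as an added example that is not from any post in this thread and is not the script linked in the next answer: it reads the Security log (the same data Event Viewer shows from Security.evtx), keeps only the delete-related events, and writes them to a text file that can then be mailed out. Event IDs 4660 and 4663 and the DELETE access bit 0x10000 are real Windows values; the output path, time window and mail settings are placeholders. It is written against PowerShell 2.0, which is what Windows Server 2008 R2 ships with.

```powershell
# Added example (not from the thread): extract file-delete audit events from the
# local Security log into a text report. Assumes object-access auditing and a
# delete SACL are already configured and that this runs with rights to read the
# Security log. $Hours, $OutFile and the mail settings are placeholders.
param(
    [int]$Hours = 24,
    [string]$OutFile = "$env:TEMP\deleted-files-$(Get-Date -Format yyyyMMdd).txt"
)

# Flatten an EventLogRecord into a plain object holding the EventData fields we need.
function ConvertTo-AuditRecord {
    param($Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        Time       = $Event.TimeCreated
        Id         = $Event.Id
        User       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Object     = $data['ObjectName']
        HandleId   = $data['HandleId']
        Process    = $data['ProcessName']
        AccessMask = $data['AccessMask']
    }
}

# 4663 = "An attempt was made to access an object"; the DELETE right is bit 0x10000 of AccessMask.
# 4660 = "An object was deleted"; it carries only the Handle ID, so it is matched to 4663 below.
$since   = (Get-Date).AddHours(-$Hours)
$events  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663; StartTime = $since } `
                        -ErrorAction SilentlyContinue
$records = @($events | ForEach-Object { ConvertTo-AuditRecord $_ })

# Handle IDs that were closed by an actual deletion.
$deletedHandles = @($records | Where-Object { $_.Id -eq 4660 } | ForEach-Object { $_.HandleId })

# Keep the 4663 rows that requested DELETE and whose handle also appears in a 4660.
# Caveat: handle IDs are reused over time, so the match is approximate; a 4663 with the
# DELETE bit on its own also covers renames and moves, not just deletions.
$deletes = $records | Where-Object {
    $_.Id -eq 4663 -and
    (([Convert]::ToInt64($_.AccessMask, 16) -band 0x10000) -ne 0) -and
    ($deletedHandles -contains $_.HandleId)
}

$report = $deletes | Sort-Object Time | Format-Table Time, User, Object, Process -AutoSize | Out-String -Width 250
$report | Out-File -FilePath $OutFile -Encoding UTF8
Write-Host "Wrote $(@($deletes).Count) delete event(s) to $OutFile"

# Optional daily mail-out; the addresses and SMTP host are placeholders.
# Send-MailMessage -From 'audit@example.local' -To 'wintel-team@example.local' -SmtpServer 'smtp.example.local' `
#     -Subject "Deleted files on $env:COMPUTERNAME (last $Hours h)" -Body $report
```

Scheduling this with Task Scheduler once a day gives the text report without anyone logging on to the Production server; Get-WinEvent also accepts -ComputerName, so the same script can be run from a management host that has remote event-log access instead of sharing a drive from the server.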
I believe I could do you one better:


Unfortunately, this Git repository isn't really actively developed anymore, so you'll likely have to make some tweaks to the script for your own specific purpose.