Audit Win2008 R2 to log events of files/folders being deleted : for post-mortem

We have a team of Wintel sysadmins & there have been cases where critical files / folders were
accidentally deleted & we need to trace who/what deleted them : not all logins to the servers are
video-recorded (by tools like Privilege Access Manager or CyberArk).

I'm not too conversant with setting up Tripwire to monitor this, as it ended up logging thousands of lines
daily : too many irrelevant entries or false positives.

I know in Unix ACL, we can set ACLs on certain files/folders to log to the audit trail if files get deleted.
Can you provide step-by-step instructions on how this can be done in Windows 2008 R2?  Using
Tripwire is too unwieldy.

It would be good to provide the option of configuring locally (if I plan to do it only for a few servers)
as well as via GPO (if I plan to do it on a big number of servers).

sunhux (Author) Commented:

Not too clear on how to avoid "read access" from being logged.

I got a couple of links above.  Next question is how to generate (is this from Event Viewer security.evtx ??) into text output
only the "delete events" so that I could email it out on a daily basis, as login to our Production servers is highly restricted.

sunhux (Author) Commented:
> Not too clear on how to avoid "read access" from being logged.

I mean in the 2nd link, the author mentioned he ran into the issue of "read access" getting logged:
I did not quite see any solution on how to prevent read access from being logged.

William Miller (IT Specialist) Commented:
Take a look at this little tool:

The only downside I would maybe see is that you need to configure for the folders you want to monitor, but it is a free potential solution to your problem.

sunhux (Author) Commented:
I did think of various free tools but they will need layers of approvals, so let's stick to Windows native built-in features.

William Miller (IT Specialist) Commented:
If you're going native, you're going to have a tough time putting together a concise way to see everything you want to monitor. That said:

Following that link will step-by-step you through enabling auditing on a folder and how to propagate that out to all sub-folders inside the parent. You'll then use Event Viewer to track the changes. That's where it gets messy because there's no filter on what it tracks.

sunhux (Author) Commented:
Is there a command to extract from Event Viewer based on a certain Event ID?
Can you provide a sample command?

I'll have to explore to share a drive over to a PC to send out the output of this command.

William Miller (IT Specialist) Commented:
I believe I could do you one better:

Unfortunately, this Git isn't really actively developed anymore so you'll have to likely make some tweaks to the script for your own specific purpose.
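
As an added example (not part of the thread, and not the script referred to above), this is one native way to extract only delete events from the Security log by Event ID, using PowerShell 2.0 as shipped with Windows 2008 R2. It assumes file system object-access auditing is enabled and the monitored folders have an auditing entry for Delete; the output path is a placeholder.

```powershell
# Added example: export file/folder delete events from the last 24 hours to a CSV.
# Assumptions: "Audit object access" (File System) success auditing is enabled and
# the monitored folders carry an auditing entry for Delete / Delete subfolders and files.
# Run elevated; reading the Security log needs administrative rights.
$OutFile = 'C:\Temp\delete-events.csv'   # placeholder path
$Since   = (Get-Date).AddDays(-1)
$Delete  = 0x10000                        # DELETE right in the AccessMask field

# Event 4663 = "An attempt was made to access an object"
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }

$rows = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $mask = [Convert]::ToInt32($data['AccessMask'], 16)
        # Keep only file-system objects where the DELETE bit was exercised;
        # this drops read/write accesses even if the SACL audits them too.
        if ($data['ObjectType'] -eq 'File' -and ($mask -band $Delete)) {
            New-Object PSObject -Property @{
                Time    = $evt.TimeCreated
                User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Object  = $data['ObjectName']
                Process = $data['ProcessName']
            }
        }
    })

# Fix the column order (hashtable-built objects have no guaranteed order in PS 2.0)
$rows | Select-Object Time, User, Object, Process |
    Export-Csv -Path $OutFile -NoTypeInformation
'{0} delete event(s) written to {1}' -f $rows.Count, $OutFile
```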
