Audit Win2008 R2 to log events of files/folders being deleted : for post-mortem
We have a team of Wintel sysadmins & there has been cases where critical files / folders were
accidentally deleted & we need to trace who/what deleted it : not logins to all server are
video-recorded (by tools like Privilege Access Manager or Cyberark).
Not too conversant with setting up Tripwire to monitor as it ended up thousands of lines were
logged daily : too many irrelevant or false positives.
I know in Unix ACL, we can set ACLs on certain files/folder to log to audit trail if files got deleted.
Can provide step by step instructions on how this can be done in Windows 2008 R2 ? Using
Tripwire is too unwieldy.
Will be good to provide the option of configuring locally (if I plan to do it only for a few servers)
as well as via GPO (if I plan to do it on a big number of servers)
Not too clear on how to avoid "read access" from being logged.
I got a couple of links above. Next question is how to generate out (is this from event viewer security.evtx ??) into text output
only the "delete events" so that I could email out on daily basis as login to our Production servers is highly restricted.