
Audit Win2008 R2 to log events of files/folders being deleted : for post-mortem

We have a team of Wintel sysadmins, and there have been cases where critical files/folders were
accidentally deleted and we need to trace who/what deleted them: not all logins to all servers are
video-recorded (by tools like Privilege Access Manager or CyberArk).

I'm not too conversant with setting up Tripwire to monitor this, as it ended up with thousands of lines being
logged daily: too many irrelevant entries or false positives.

I know that with Unix ACLs we can set ACLs on certain files/folders to log to the audit trail if files get deleted.
Can you provide step-by-step instructions on how this can be done in Windows 2008 R2? Using
Tripwire is too unwieldy.

It would be good to provide the option of configuring this locally (if I plan to do it only for a few servers)
as well as via GPO (if I plan to do it on a large number of servers).
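As an added worked example (not part of the original question or any reply), this is the local, built-in-only way to do what the question asks on a single Windows Server 2008 R2 host: enable the File System audit subcategory and put a SACL on the folder that audits only delete rights. The folder path D:\Critical is a hypothetical placeholder. Run it from an elevated PowerShell prompt, since reading and writing the SACL requires SeSecurityPrivilege.

```powershell
# Added example, not from the thread: enable delete-only auditing on one
# folder of a Windows Server 2008 R2 host with built-in tools. Run elevated
# (Get-Acl -Audit / Set-Acl need SeSecurityPrivilege).
# Assumption: D:\Critical is a hypothetical path; replace with the real one.

$Folder = 'D:\Critical'

# 1. Turn on the audit subcategory that file-system SACL hits are reported
#    under. Success only: a failed delete attempt is not what we are tracing.
auditpol /set /subcategory:"File System" /success:enable /failure:disable

# 2. Put a SACL entry on the folder that audits ONLY Delete and
#    DeleteSubdirectoriesAndFiles, inherited by all files and subfolders.
#    Leaving ReadData/ListDirectory out of the rule is what keeps read
#    access out of the Security log. 'Everyone' covers all accounts.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success

$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                   -ArgumentList 'Everyone', $rights, $inherit, $prop, $flags

$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Verify both halves: the audit policy and the SACL on the folder.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

For the GPO variant on many servers, the same two halves move into a policy: the audit setting goes under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access > Audit File System (Success), and the SACL can be pushed from Security Settings > File System by adding the folder path and editing its Auditing tab, or by running the script above as a computer startup script. When Advanced Audit Policy is used, also enable the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", otherwise a legacy "Audit object access" category setting from another GPO can override the subcategory on the next policy refresh.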

Author

Commented:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/ed46b837-007f-474b-9a68-454c7f76f192/how-to-audit-delete-filesfolders-action-on-shared?forum=winservergen
https://social.technet.microsoft.com/Forums/ie/en-US/3ddf1f64-b103-4b28-a300-b87ef118abab/file-auditing-for-only-deleted-files?forum=winserverfiles

I'm not too clear on how to avoid "read access" being logged.

I got a couple of links above. The next question is how to generate (is this from Event Viewer's security.evtx??) a text output of
only the "delete events", so that I could email it out on a daily basis, as login to our Production servers is highly restricted.

Author

Commented:
>Not too clear on how to avoid "read access" from being logged.
I mean that in the 2nd link, the author mentioned he ran into the issue of "read access" getting logged;
I did not quite see any solution on how to prevent read access from being logged.
Commented:
Take a look at this little tool:

http://www.nirsoft.net/utils/folder_changes_view.html

The only downside I would maybe see is that you need to configure it for the folders you want to monitor, but it is a free potential solution to your problem.

Author

Commented:
I did think of various free tools, but that will need layers of approvals, so let's stick to Windows native built-in features.
Commented:
If you're going native, you're going to have a tough time putting together a concise way to see everything you want to monitor. That said:

https://technet.microsoft.com/en-us/library/cc771070(v=ws.11).aspx

Following that link will step you through enabling auditing on a folder and how to propagate that out to all sub-folders inside the parent. You'll then use Event Viewer to track the changes. That's where it gets messy, because there's no filter on what it tracks.

Author

Commented:
Is there a command to extract events from Event Viewer based on a certain Event ID?
Can you provide a sample command?

I'll have to explore sharing a drive over to a PC to send out the output of this command.
Commented:
I believe I could do you one better:

https://gist.github.com/TrimIdeas/b40ccae0fe9b9d6f1a27

Unfortunately, this gist isn't really actively developed anymore, so you'll likely have to make some tweaks to the script for your own specific purpose.
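As an added example (not the linked gist and not from any reply above), this is a built-in-only answer to the "extract by Event ID" question a few posts up: it pulls the last 24 hours of delete-related events from the local Security log, keeps only file-system 4663 events whose exercised access mask carries a delete bit, marks which of them have a matching 4660 "object deleted" event, and writes the result to a text file that a scheduled task can e-mail out. It assumes delete auditing is already enabled via a SACL; the output path and SMTP details are hypothetical placeholders.

```powershell
# Added example, not from the thread and not the gist linked above: extract
# only file/folder delete events from the local Security log into a text file
# that can be mailed out daily. Assumes a delete-only SACL and the File System
# audit subcategory are already in place. Paths and mail settings are placeholders.

$Hours   = 24
$OutFile = "C:\AuditReports\deleted-$(Get-Date -Format yyyyMMdd).txt"

# 4663 = "An attempt was made to access an object" (has path, user, process,
#        access mask). 4660 = "An object was deleted" (only the handle ID).
# DELETE (0x10000) on the object itself, FILE_DELETE_CHILD (0x40) on a parent.
$DeleteBits = 0x10000 -bor 0x40

function Get-EventData($Event) {
    # Flatten the <EventData><Data Name="..."> pairs into a hashtable.
    $d = @{}
    $x = [xml]$Event.ToXml()
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Security'; Id = 4663, 4660; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Pass 1: handles that were actually deleted (4660), keyed by HandleId.
$deleted = @{}
foreach ($e in ($events | Where-Object { $_.Id -eq 4660 })) {
    $deleted[(Get-EventData $e)['HandleId']] = $true
}

# Pass 2: file-system 4663 events whose access mask includes a delete bit.
$rows = foreach ($e in ($events | Where-Object { $_.Id -eq 4663 })) {
    $d = Get-EventData $e
    if ($d['ObjectType'] -ne 'File') { continue }          # skip registry etc.
    if (([int]$d['AccessMask'] -band $DeleteBits) -eq 0) { continue }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        User      = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Object    = $d['ObjectName']
        Process   = $d['ProcessName']
        # A rename/move also exercises DELETE; a matching 4660 confirms removal.
        Confirmed = $deleted.ContainsKey($d['HandleId'])
    }
}

$null = New-Item -ItemType Directory -Force -Path (Split-Path $OutFile)
$rows | Sort-Object Time |
    Format-Table Time, User, Confirmed, Object, Process -AutoSize |
    Out-String -Width 400 | Out-File -FilePath $OutFile -Encoding UTF8

# Daily delivery from a scheduled task (placeholder SMTP details):
# Send-MailMessage -SmtpServer smtp.example.internal -From audit@example.internal `
#     -To wintel@example.internal -Subject "Deleted files on $env:COMPUTERNAME" -Attachments $OutFile
```

Two practical caveats. First, the quick one-line native answer to "a command that extracts by Event ID" is wevtutil, e.g. wevtutil qe Security /q:"*[System[EventID=4663]]" /f:text /c:20 /rd:true, but it cannot filter on the access mask, which is why the script above parses the event XML. Second, the Security log's default maximum size is small, so on a busy file server a 24-hour window can already have rolled over; raise it with wevtutil sl Security /ms:<bytes> before relying on a daily run.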