asked on
Audit Win2008 R2 to log events of files/folders being deleted : for post-mortem
We have a team of Wintel sysadmins & there has been cases where critical files / folders were
accidentally deleted & we need to trace who/what deleted it : not logins to all server are
video-recorded (by tools like Privilege Access Manager or Cyberark).
Not too conversant with setting up Tripwire to monitor as it ended up thousands of lines were
logged daily : too many irrelevant or false positives.
I know in Unix ACL, we can set ACLs on certain files/folder to log to audit trail if files got deleted.
Can provide step by step instructions on how this can be done in Windows 2008 R2 ? Using
Tripwire is too unwieldy.
Will be good to provide the option of configuring locally (if I plan to do it only for a few servers)
as well as via GPO (if I plan to do it on a big number of servers)
accidentally deleted & we need to trace who/what deleted it : not logins to all server are
video-recorded (by tools like Privilege Access Manager or Cyberark).
Not too conversant with setting up Tripwire to monitor as it ended up thousands of lines were
logged daily : too many irrelevant or false positives.
I know in Unix ACL, we can set ACLs on certain files/folder to log to audit trail if files got deleted.
Can provide step by step instructions on how this can be done in Windows 2008 R2 ? Using
Tripwire is too unwieldy.
Will be good to provide the option of configuring locally (if I plan to do it only for a few servers)
as well as via GPO (if I plan to do it on a big number of servers)
Microsoft Server OSWindows OSOS Security
Last Comment
William Miller
ASKER
>Not too clear on how to avoid "read access" from being logged.
I mean in the 2nd link, the author mentioned he ran into the issue of "read access" got logged:
I did not quite see any solution on how to prevent read access from being logged
I mean in the 2nd link, the author mentioned he ran into the issue of "read access" got logged:
I did not quite see any solution on how to prevent read access from being logged
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I did think of various free tools but will need layers of approvals so let's stick to Windows native built-in features
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Is there a command to extract out from Event Viewer based on certain Event Id ?
Can provide sample command?
I'll have to explore to share a drive over to a PC to send out the output of this command.
Can provide sample command?
I'll have to explore to share a drive over to a PC to send out the output of this command.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
https://social.technet.microsoft.com/Forums/ie/en-US/3ddf1f64-b103-4b28-a300-b87ef118abab/file-auditing-for-only-deleted-files?forum=winserverfiles
Not too clear on how to avoid "read access" from being logged.
I got a couple of links above. Next question is how to generate out (is this from event viewer security.evtx ??) into text output
only the "delete events" so that I could email out on daily basis as login to our Production servers is highly restricted.