sunhux
asked on
Audit Win2008 R2 to log events of files/folders being deleted : for post-mortem
We have a team of Wintel sysadmins & there has been cases where critical files / folders were
accidentally deleted & we need to trace who/what deleted it : not logins to all server are
video-recorded (by tools like Privilege Access Manager or Cyberark).
Not too conversant with setting up Tripwire to monitor as it ended up thousands of lines were
logged daily : too many irrelevant or false positives.
I know in Unix ACL, we can set ACLs on certain files/folder to log to audit trail if files got deleted.
Can provide step by step instructions on how this can be done in Windows 2008 R2 ? Using
Tripwire is too unwieldy.
Will be good to provide the option of configuring locally (if I plan to do it only for a few servers)
as well as via GPO (if I plan to do it on a big number of servers)
accidentally deleted & we need to trace who/what deleted it : not logins to all server are
video-recorded (by tools like Privilege Access Manager or Cyberark).
Not too conversant with setting up Tripwire to monitor as it ended up thousands of lines were
logged daily : too many irrelevant or false positives.
I know in Unix ACL, we can set ACLs on certain files/folder to log to audit trail if files got deleted.
Can provide step by step instructions on how this can be done in Windows 2008 R2 ? Using
Tripwire is too unwieldy.
Will be good to provide the option of configuring locally (if I plan to do it only for a few servers)
as well as via GPO (if I plan to do it on a big number of servers)
ASKER
>Not too clear on how to avoid "read access" from being logged.
I mean in the 2nd link, the author mentioned he ran into the issue of "read access" got logged:
I did not quite see any solution on how to prevent read access from being logged
I mean in the 2nd link, the author mentioned he ran into the issue of "read access" got logged:
I did not quite see any solution on how to prevent read access from being logged
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I did think of various free tools but will need layers of approvals so let's stick to Windows native built-in features
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Is there a command to extract out from Event Viewer based on certain Event Id ?
Can provide sample command?
I'll have to explore to share a drive over to a PC to send out the output of this command.
Can provide sample command?
I'll have to explore to share a drive over to a PC to send out the output of this command.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
https://social.technet.microsoft.com/Forums/ie/en-US/3ddf1f64-b103-4b28-a300-b87ef118abab/file-auditing-for-only-deleted-files?forum=winserverfiles
Not too clear on how to avoid "read access" from being logged.
I got a couple of links above. Next question is how to generate out (is this from event viewer security.evtx ??) into text output
only the "delete events" so that I could email out on daily basis as login to our Production servers is highly restricted.