Ian (Guest)
Posted: Thu Jan 20, 2005 1:14 pm
Post subject: Successful Audit of Deleting Files
I enabled Object Access auditing and configured the server to
audit successful file deletes inside a folder. However,
I found that too many events then appear in the
Security Log for a single delete action, and I was unable
to clearly identify which one is the actual delete event.
Please help.
Ian
Karl Levinson, mvp (Guest)
Posted: Fri Jan 21, 2005 6:47 am
Post subject: Re: Successful Audit of Deleting Files
"Ian" <photo@photo.photo> wrote in message
news:OqjoM%23r$EHA.2540@TK2MSFTNGP09.phx.gbl...
Quote: I enabled Object Access auditing and configured the server to
audit successful file deletes inside a folder. However,
I found that too many events then appear in the
Security Log for a single delete action, and I was unable
to clearly identify which one is the actual delete event.
Please help.
Well, I think your only options are 1) to examine where you have enabled
delete auditing to make sure you have only enabled that auditing on the bare
minimum files and folders necessary, and/or 2) see if you can use a script
or filter that might let you parse and make sense of the logs. If these
files are being edited by MS Office apps like MS Word, it could be difficult
to see what is what. I would enable auditing on a private folder and system
not being used by anyone else but you, then open the file, edit the file,
close the file, and delete the file, to see if you can detect any patterns
in the logged events that might help you tell an edit from a delete.
I think you might have to start logging other file actions like read; this
will surely make your log even larger but might help you tell a Word edit
from a file deletion.
I might recommend using a file change checker like the free SIM from
www.gfi.com or Osiris to monitor the files in the folder. When it detects
that a file has been deleted, it could run a script file that dumps the latest
contents of the security event log, to narrow down how many log files you
need to sift through, and maybe even try to parse them to determine the most
likely culprit [by listing the last person to read or delete the file in
question].
To parse the log, you could try using Dumpel or the log dump utility in the
PsTools suite at www.sysinternals.com in a batch file, then use grep or
VBScript [sample scripts can be found via www.google.com] or a MySQL database
or an Excel spreadsheet with parsing macros [note that Excel has a limit of
~65,535 rows / events]. You might consider www.ipsentry.com for around $100
US; it will let you monitor Windows event logs, and can run a script or send
you an alert when a logged event of interest is found.
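The pattern Karl suggests looking for, worked through as an added example that is not part of the original thread. On Windows 2000/2003 a single delete produces at least three Object Access records sharing one Handle ID: 560 (Object Open, whose Accesses field lists DELETE), 564 (Object Deleted, which carries the handle but not the file name) and 562 (Handle Closed). A 560 with DELETE access on its own is not a deletion: Word and similar programs routinely open files with DELETE access and never delete them, which is exactly the noise described above. The script below parses a constructed, simplified tab-separated dump (not the real Dumpel layout) and pairs each 564 with the 560 that opened the same handle, reporting the user and path from the open; 560s that requested DELETE but were closed without a 564 are listed separately as noise. The same correlation works on Vista and later with the 4663 (Accesses contains DELETE, access mask 0x10000) and 4660 (An object was deleted) pair, which also share the Handle ID field. All records, user names and paths here are made up for the example.

```python
"""Correlate Windows file-delete audit events by Handle ID.

Constructed sample, NOT a real Dumpel export. Each line is tab-separated:
    time, event id, user, handle id, object name, accesses
Event ids follow Windows 2000/2003: 560 Object Open, 562 Handle Closed,
564 Object Deleted. The object name and accesses only appear on the 560.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

SAMPLE_LOG = """\
2005-01-20 13:02:11\t560\tCONTOSO\\ian\t0x4c8\tD:\\Photos\\report.doc\tREAD_CONTROL ReadData WriteData DELETE
2005-01-20 13:02:11\t560\tCONTOSO\\ian\t0x4d0\tD:\\Photos\\~WRL0001.tmp\tDELETE WriteData
2005-01-20 13:02:40\t564\tCONTOSO\\ian\t0x4d0\t\t
2005-01-20 13:02:40\t562\tCONTOSO\\ian\t0x4d0\t\t
2005-01-20 13:02:41\t562\tCONTOSO\\ian\t0x4c8\t\t
2005-01-20 13:14:03\t560\tCONTOSO\\bob\t0x51c\tD:\\Photos\\report.doc\tDELETE
2005-01-20 13:14:03\t564\tCONTOSO\\bob\t0x51c\t\t
2005-01-20 13:14:03\t562\tCONTOSO\\bob\t0x51c\t\t
"""

OBJECT_OPEN, HANDLE_CLOSED, OBJECT_DELETED = 560, 562, 564


@dataclass
class Record:
    time: str
    event_id: int
    user: str
    handle_id: str
    object_name: str
    accesses: FrozenSet[str] = field(default_factory=frozenset)


def parse_records(text: str) -> List[Record]:
    """Parse the simplified dump; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, event_id, user, handle_id, object_name, accesses = line.split("\t")
        records.append(Record(time, int(event_id), user, handle_id, object_name,
                              frozenset(accesses.split())))
    return records


def correlate(records: List[Record]) -> Tuple[List[Tuple[str, str, Optional[str]]], List[Record]]:
    """Return (deletions, noise).

    deletions: (time of 564, user, object name) for every Object Deleted event,
               with the name taken from the 560 that opened the same handle.
    noise:     560 records that requested DELETE access but whose handle was
               closed without a 564, i.e. edits and probes, not deletions.
    Handle IDs are reused after a 562, so the table always holds the latest
    open for a given handle and drops it on close.
    """
    open_by_handle = {}      # handle id -> index of the current 560 in records
    deleted_opens = set()    # indexes of 560s that ended in a 564
    deletions = []
    for i, r in enumerate(records):
        if r.event_id == OBJECT_OPEN:
            open_by_handle[r.handle_id] = i
        elif r.event_id == OBJECT_DELETED:
            j = open_by_handle.get(r.handle_id)
            if j is None:
                # 564 without a matching 560: the open fell outside the dump.
                deletions.append((r.time, r.user, None))
            else:
                deleted_opens.add(j)
                deletions.append((r.time, records[j].user, records[j].object_name))
        elif r.event_id == HANDLE_CLOSED:
            open_by_handle.pop(r.handle_id, None)
    noise = [r for i, r in enumerate(records)
             if r.event_id == OBJECT_OPEN and "DELETE" in r.accesses
             and i not in deleted_opens]
    return deletions, noise


if __name__ == "__main__":
    deletions, noise = correlate(parse_records(SAMPLE_LOG))
    for when, who, what in deletions:
        print(f"DELETED  {when}  {who}  {what or '<handle opened outside dump>'}")
    for r in noise:
        print(f"ignored  {r.time}  {r.user}  {r.object_name}  (DELETE requested, never deleted)")
```

Run against the constructed log this reports two real deletions (the temporary file during ian's edit and bob's later removal of report.doc) and flags ian's open of report.doc with DELETE access as noise, which is the distinction the thread is asking for. Because handle IDs are recycled, the dump must cover the whole open/delete/close sequence; if the 560 has rolled out of the log the deletion is still reported but without a file name, so size the Security log accordingly before relying on this.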
Roger Abell (Guest)
Posted: Sat Jan 22, 2005 1:18 am
Post subject: Re: Successful Audit of Deleting Files
If deletes of only some of the files are of interest, consider
reorganizing storage so that you can more narrowly define
what is audited. For example, a subfolder set with auditing
of delete, into which the files of concern are moved.
--
Roger
"Ian" <photo@photo.photo> wrote in message
news:OqjoM%23r$EHA.2540@TK2MSFTNGP09.phx.gbl...
Quote: I enabled Object Access auditing and configured the server to
audit successful file deletes inside a folder. However,
I found that too many events then appear in the
Security Log for a single delete action, and I was unable
to clearly identify which one is the actual delete event.
Please help.
Ian
Lesley Kipling [MSFT] (Guest)
Posted: Tue Feb 08, 2005 1:38 am
Post subject: Re: Successful Audit of Deleting Files
Hi.
Have a look at the following KB article, which might help explain what you are
seeing:
"Event IDs 560 and 562 appear many times in the security event log" (KB 841001, WGID:491)
The most common reason for a flood of object access events in the log is
that the AuditBaseObjects setting is enabled. Check
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\AuditBaseObjects to see if it is
set to 1.
The second most common reason for object access audits is DC-specific and
only relates to audits of SAM objects. If you are seeing large numbers of
SAM_DOMAIN, SAM_USER, and SAM_SERVER object access audits, consider removing
the SACL on cn=server,cn=system,dc=domain,dc=com.
Hope this helps, Cheers Les
This posting is provided "AS IS" with no warranties, and confers no rights.
"Ian" <photo@photo.photo> wrote in message
news:OqjoM%23r$EHA.2540@TK2MSFTNGP09.phx.gbl...
Quote: I enabled Object Access auditing and configured the server to
audit successful file deletes inside a folder. However,
I found that too many events then appear in the
Security Log for a single delete action, and I was unable
to clearly identify which one is the actual delete event.
Please help.
Ian