DX Infrastructure Manager

Expand all | Collapse all

alarming when a file is deleted

  • 1.  alarming when a file is deleted

    Posted 10-15-2010 03:10 AM

    Earlier yesterday Ed asked the following:

     

    I had a request during a demo to search directories and sub-directories for files that have been deleted.

     

    The scenario is below.

     

    1. Files are continually added to a directory/sub-directory.
    2. If a file is delete an alarm needs to be triggered to identify the file/s that have been removed.
    3. Since files are being added to the directories a constant inventory needs to be updated after each search to compare to the next search.

     

    My immediate thought was a perl script that would deliver the functionality since I couldn’t think of another means with one of the out-of-the-box probes.

    Does anyone know of a probe that delivers this today?

    Any better ideas than a perl script.

     

    Perl script would run every 5 minutes.

    Compare the current inventory of files in the directories to the previous list.

    Generate alarm if a file/s is missing.

    Create a new inventory list to reference 5 minutes later.

     

    Let me know???

     

    Javier provided the following url that provides instructions for enabling auditing on the file system therby security event log entries are created when a file is deleted.

     

    http://community.spiceworks.com/topic/30161

     

    The summary of this is that you can enable file system auditing (a sub category of the Object Access category) using the command line

    AUDITPOL /SET /SUBCATEGORY:"file system" /SUCCESS:ENABLE /FAILURE:ENABLE

    You can verify the setting with

    auditpol /get /category:*

     

    Enable auditing for user/group: You'll need to enable and add user/security group for auditing on the folder which needs to be captured for file deletion.

    •  
      • Right click on the target folder (ex. C:\Program Files\Honeywell), select Properties and go to Security Tab.
      • Click on Advanced , and select Auditing Tab.
      • Add here the security group which would include the user who you think might be deleting the file. If you are not sure, include EVERYONE .
      • On the next screen select "Successful" & "Failed" on "Delete subfolders and files" & "Delete". Apply new settings and exit from properties.
      • These configurations will generate file/folder access audit logs for the configured folder in Securit Event Logs . Since we are interested in only the logs that show details of file/folder deletions, we'll need to look for Security Logs with event ID 560 .
    • Any file deletion operation will generate two events with event ID 560. After you've realized that your target file has been deleted, you'll need to filter the security log view to show only logs with event ID 560 (right click on Event Viewer->Security, select Filter...).
    • A typical security log with file deletion details will look something like this:

    Event Type: Success Audit
    Event Source: Security
    Event Category: Object Access
    Event ID: 560
    User: domain\username
    Computer: GKY
    Description:
    Object Open:
    Object Server: Security
    Object Type: File
    Object Name: D:\Test\testdoc.txt
    Handle ID: 1756
    Operation ID: {0,3190200}
    Process ID: 4040
    Image File Name: C:\WINDOWS\explorer.exe
    Primary User Name: username
    Primary Domain: domain
    Primary Logon ID: (0x0,0x40C41)
    Client User Name: -
    Client Domain: -
    Client Logon ID: -
    Accesses: DELETE
    SYNCHRONIZE
    ReadAttributes

    The referenced article at the included url states that the event ID is 560 in the Security Event Log. However, my test on Windows 7 64 bit produced  an event ID of 4663 for the object access event tht has the actual file name in it and event 4660 for the file deleteioin event.



  • 2.  Re: alarming when a file is deleted

    Posted 10-15-2010 10:16 PM

    Hello Jim,

     

    Perl would be quickest and simplest way to implement this.

     

    For Customers, in order to demonstrate that this can be implemented using NMS probes, we can use 'dirscan' probe.

     

    # Create a New Profile (file watcher) with following options enabled for 'Alarm messages':

     

      - Directory age

      - Number of files ( = 0 )

      - Size of file ( = 0 bytes )  and Watch size of ( individual files)

     

     

    # Create a Trigger which will hold list of events (files) to match the events generated due to following option:

     

      - Size of file ( = 0 bytes )  and Watch size of ( individual files) # last token is the file name

     

     

    # Create an AO profile to be based on above trigger with option 'Activate on change in trigger alarmlist' enabled and a custom script for post processing.

     

     

     

    Thanks,

     

    Gyan