Earlier yesterday Ed asked the following:
I had a request during a demo to search directories and sub-directories for files that have been deleted.
The scenario is below.
- Files are continually added to a directory/sub-directory.
- If a file is deleted an alarm needs to be triggered to identify the file/s that have been removed.
- Since files are being added to the directories a constant inventory needs to be updated after each search to compare to the next search.
My immediate thought was a perl script that would deliver the functionality since I couldn’t think of another means with one of the out-of-the-box probes.
Does anyone know of a probe that delivers this today?
Any better ideas than a perl script?
Perl script would run every 5 minutes.
Compare the current inventory of files in the directories to the previous list.
Generate alarm if a file/s is missing.
Create a new inventory list to reference 5 minutes later.
Let me know???
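The snapshot-and-compare loop Ed sketches (inventory, diff against the previous list, alarm on anything missing, save the new list) in Python rather than perl, as an added example that is not part of Ed's post or of any shipped probe. The watched directory, the inventory.json state file and the sample files in demo() are constructed for this illustration; a scheduler such as cron or a probe would call check() every 5 minutes.

```python
"""Directory inventory diff: report files that vanished since the previous run."""
import json
import os
import tempfile
from pathlib import Path


def take_inventory(root):
    """Return {relative_path: size} for every file under root (recursive)."""
    root = Path(root)
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                inventory[path.relative_to(root).as_posix()] = path.stat().st_size
            except OSError:
                continue  # removed between listing and stat(); next run sees it
    return inventory


def find_deleted(previous, current):
    """Paths present in the previous inventory but absent from the current one."""
    return sorted(set(previous) - set(current))


def check(root, state_file):
    """One scheduled run. Returns deleted paths; the first run only seeds state."""
    state_file = Path(state_file)
    previous = json.loads(state_file.read_text()) if state_file.exists() else None
    current = take_inventory(root)
    deleted = find_deleted(previous, current) if previous is not None else []
    state_file.write_text(json.dumps(current))  # inventory for the next run
    return deleted


def demo():
    """Constructed scenario: seed, add one file, delete one, collect the alarm."""
    with tempfile.TemporaryDirectory() as tmp:
        root, state = Path(tmp, "watched"), Path(tmp, "inventory.json")
        (root / "sub").mkdir(parents=True)
        (root / "a.txt").write_text("a")
        (root / "sub" / "b.txt").write_text("b")
        first = check(root, state)          # seeds the inventory, reports nothing
        (root / "c.txt").write_text("c")    # additions are expected, not alarms
        (root / "sub" / "b.txt").unlink()   # this deletion must be reported
        second = check(root, state)
        return first, second


if __name__ == "__main__":
    for path in demo()[1]:
        print(f"ALARM: file removed since last scan: {path}")
```

A rename or move shows up as one deletion plus one addition, and a file created and removed inside one 5-minute window is never seen at all; only file system auditing closes that gap.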
Javier provided the following URL, which gives instructions for enabling auditing on the file system, thereby causing Security event log entries to be created when a file is deleted.
http://community.spiceworks.com/topic/30161
The summary of this is that you can enable file system auditing (a subcategory of the Object Access category) from the command line:
AUDITPOL /SET /SUBCATEGORY:"file system" /SUCCESS:ENABLE /FAILURE:ENABLE
You can verify the setting with:
auditpol /get /category:*
Enable auditing for user/group: you'll need to enable auditing and add the user/security group to be audited on the folder that needs to be watched for file deletion.
- Right click on the target folder (ex. C:\Program Files\Honeywell), select Properties and go to the Security tab.
- Click on Advanced, and select the Auditing tab.
- Add here the security group which would include the user who you think might be deleting the file. If you are not sure, include EVERYONE.
- On the next screen select "Successful" & "Failed" on "Delete subfolders and files" & "Delete". Apply the new settings and exit from Properties.
- These configurations will generate file/folder access audit logs for the configured folder in the Security event log. Since we are interested only in the logs that show details of file/folder deletions, we'll need to look for Security logs with event ID 560.
- Any file deletion operation will generate two events with event ID 560. After you've realized that your target file has been deleted, you'll need to filter the Security log view to show only logs with event ID 560 (right click on Event Viewer -> Security, select Filter...).
- A typical security log with file deletion details will look something like this:
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
User: domain\username
Computer: GKY
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\Test\testdoc.txt
Handle ID: 1756
Operation ID: {0,3190200}
Process ID: 4040
Image File Name: C:\WINDOWS\explorer.exe
Primary User Name: username
Primary Domain: domain
Primary Logon ID: (0x0,0x40C41)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
SYNCHRONIZE
ReadAttributes
The referenced article at the included URL states that the event ID is 560 in the Security event log. However, my test on Windows 7 64-bit produced event ID 4663 for the object access event that contains the actual file name, and event ID 4660 for the file deletion event.