Network Share File Deletions

    • #1567957
      Jon Albright
      Participant
      Member Points: 128
      Rank: 2

      I had to turn on auditing on some of our server file shares due to either accidental or intentional file/folder deletions & have been experimenting with a couple of scripts I found that launch when event id 4663 occurs in the Security log.  Unfortunately, along with some other processes that occur which generate 4663, this event id is also generated whenever a file is renamed & as a result, the log file is capturing a lot of superfluous information.  I have accessible template folder structures on the server which are used to store various files that relate to customer projects.  These templates are copied & then renamed to match whatever the project name is & so hence, each time this occurs, event id 4663 is generated and records each folder / subfolder into the .CSV file I use to import into PostgreSQL.  Is there a particular value within the generated array of values that is specific to only the file / folder being deleted?  It seems that the hex value 0x10000 (65536) array member doesn’t seem to be filtering as anticipated.

    • #1567960
      David Johnson
      Participant
      Member Points: 56
      Rank: 1

      Open the Event Viewer and search the security log for event ID 4656 with a task category of “File System” or “Removable Storage” and the string “Accesses: DELETE”. https://www.netwrix.com/how_to_detect_who_deleted_file.html#:~:text=Navigate%20to%20%E2%80%9CReports%E2%80%9D%20%E2%86%92%20Click,%E2%80%9D%20%E2%86%92%20Click%20%E2%80%9CView%E2%80%9D.
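
An added example, not part of any post in this thread and not 4sysops or Netwrix code: "Accesses: DELETE" and access mask 0x10000 are the same right, and a rename requests it too, so this sketch goes beyond the thread and reports a 4663 DELETE access only when an event 4660 ("An object was deleted") with the same process ID and handle ID confirms the removal. The function names, the user `jdoe`, the paths and the handle values are constructed for illustration.

```powershell
# Added example: report a 4663 DELETE access only when a 4660 event confirms it.
function Get-EventFields([xml]$EventXml) {
    # Flatten <EventData><Data Name="..."> into a hashtable, plus the event ID.
    $f = @{ EventID = [int]$EventXml.Event.System.EventID }
    foreach ($d in $EventXml.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    $f
}

function Get-ConfirmedDeletion([string[]]$EventXml) {
    $events = @($EventXml | ForEach-Object { Get-EventFields $_ })
    # 4660 has no object name, so index it by process ID and handle ID.
    $deleted = @{}
    foreach ($e in $events | Where-Object { $_.EventID -eq 4660 }) {
        $deleted["$($e.ProcessId)|$($e.HandleId)"] = $true
    }
    foreach ($e in $events | Where-Object { $_.EventID -eq 4663 }) {
        # AccessMask is a bit field: test the DELETE bit instead of comparing strings.
        $mask = [Convert]::ToInt32($e.AccessMask, 16)
        if (($mask -band 0x10000) -and $deleted["$($e.ProcessId)|$($e.HandleId)"]) {
            [pscustomobject]@{ User = $e.SubjectUserName; Object = $e.ObjectName }
        }
    }
}

# Constructed sample events (not real log data), reduced to the fields used here.
function New-SampleEvent($Id, $Handle, $Extra) {
    "<Event><System><EventID>$Id</EventID></System><EventData>" +
    "<Data Name='SubjectUserName'>jdoe</Data><Data Name='ProcessId'>0x4</Data>" +
    "<Data Name='HandleId'>$Handle</Data>$Extra</EventData></Event>"
}
$mask = "<Data Name='AccessMask'>0x10000</Data>"
$sample = @(
    # Rename of a copied template folder: DELETE access requested, no 4660 follows.
    New-SampleEvent 4663 '0x1a4' "<Data Name='ObjectName'>D:\Projects\Template - Copy</Data>$mask"
    # Real deletion: the same handle appears in a 4663 and then in a 4660.
    New-SampleEvent 4663 '0x2b8' "<Data Name='ObjectName'>D:\Projects\Acme\spec.docx</Data>$mask"
    New-SampleEvent 4660 '0x2b8'
)
Get-ConfirmedDeletion $sample

# Live use (assumes object-access auditing is already enabled on the share):
# Get-ConfirmedDeletion (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4660,4663} | ForEach-Object { $_.ToXml() })
```

Handle IDs are reused over time, so on a live log also require the paired 4663 and 4660 records to be close together in time before trusting the match.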

    • #1568139
      Jon Albright
      Participant
      Member Points: 128
      Rank: 2

      Thanks for your response David.  Been away for a bit & hence the delayed response.  Will take a look & see how I can make it work.

© 4sysops 2006 - 2022