On my Windows Server 2012 I want to know which files are deleted from a folder, and by which network user. I want to track delete events only for a particular folder. I have done it using Group Policy and Event Viewer as shown in this link
But Event Viewer shows a lot of events under Security for file access too. Also, I was able to get delete events with ID 4660, but the name of the deleted file is not mentioned in that event; only the user name is mentioned. So how can I get the file name and the user name of who deleted the file?
Hi, do you not get event ID 4663 events, which contain more information? – CharlesH – 2014-06-26T11:19:11.023
@CharlesH OK. Yes, from event ID 4663 I was able to get the information. But the auditing shows a lot of events and it makes the file Security.evtx large. Can I make only the required events get saved, or can I make only selected delete events get noted? – IT researcher – 2014-06-26T12:38:11.293
If you go back to the folder > right click > Security tab > Advanced > Auditing > Edit..., what is ticked under the relevant group? If you only tick Delete then you will only get those event logs, as per this screenshot: https://www.pointdev.com/images/upload/IAlerter/AuditDossier_EN.JPG – CharlesH – 2014-06-26T12:54:56.033
@CharlesH I did the same, but there are too many 5145 events. I think they may be due to "Audit object access" being set to "success". Is that so? In this link http://www.eventtracker.com/newsletters/auditing-file-shares-windows-security-log/ they mention the same. – IT researcher – 2014-06-26T13:08:11.930
Yep, more than likely. I thought you could drop all of them except the Delete; is that not the case? – CharlesH – 2014-06-26T13:33:52.633
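
The pairing discussed in the comments above (event 4663 for the file name, event 4660 as confirmation of the delete), as an added PowerShell example that is not part of the original thread. The function names are hypothetical, and the sample events, the user alice, the domain EXAMPLE and the file paths are constructed.

```powershell
# Added example: report who deleted which file by pairing event 4663
# (DELETE access requested, has ObjectName) with event 4660 (object deleted).
function ConvertTo-AuditRecord {
    param([Parameter(ValueFromPipeline = $true)][string]$EventXml)
    process {
        $e = ([xml]$EventXml).Event
        $rec = [ordered]@{ Id = [int]$e.System.EventID; Time = $e.System.TimeCreated.SystemTime }
        # Flatten <Data Name='X'>value</Data> into properties named X.
        foreach ($d in $e.EventData.Data) { $rec[$d.Name] = $d.'#text' }
        [pscustomobject]$rec
    }
}

function Get-ConfirmedDelete {
    param([object[]]$Records)
    # 4660 carries no file name, so remember which handles were really deleted.
    # Handle IDs are reused over time: run this over a bounded time window.
    $deleted = @{}
    foreach ($r in $Records | Where-Object { $_.Id -eq 4660 }) {
        $deleted["$($r.ProcessId)|$($r.HandleId)"] = $true
    }
    foreach ($r in $Records | Where-Object { $_.Id -eq 4663 }) {
        $mask = [Convert]::ToInt32($r.AccessMask, 16)   # value looks like "0x10000"
        $key  = "$($r.ProcessId)|$($r.HandleId)"
        # 0x10000 = DELETE; a 4663 without a matching 4660 is skipped.
        if (($mask -band 0x10000) -and $deleted.ContainsKey($key)) {
            [pscustomobject]@{
                Time = $r.Time
                User = "$($r.SubjectDomainName)\$($r.SubjectUserName)"
                File = $r.ObjectName
            }
        }
    }
}

# Constructed sample events, trimmed to the fields used. On a live server, feed in:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4660,4663} | ForEach-Object { $_.ToXml() }
$ns   = "xmlns='http://schemas.microsoft.com/win/2004/08/events/event'"
$sys  = "<TimeCreated SystemTime='2014-06-26T11:00:00Z'/></System><EventData>"
$who  = "<Data Name='SubjectUserName'>alice</Data><Data Name='SubjectDomainName'>EXAMPLE</Data><Data Name='ProcessId'>0x4</Data>"
$sample = @(
    "<Event $ns><System><EventID>4663</EventID>$sys$who<Data Name='ObjectName'>D:\Share\report.docx</Data><Data Name='HandleId'>0x1a4</Data><Data Name='AccessMask'>0x10000</Data></EventData></Event>",
    "<Event $ns><System><EventID>4660</EventID>$sys$who<Data Name='HandleId'>0x1a4</Data></EventData></Event>",
    "<Event $ns><System><EventID>4663</EventID>$sys$who<Data Name='ObjectName'>D:\Share\notes.txt</Data><Data Name='HandleId'>0x2b8</Data><Data Name='AccessMask'>0x10000</Data></EventData></Event>"
)
Get-ConfirmedDelete -Records ($sample | ConvertTo-AuditRecord) | Format-Table -AutoSize
```

Of the three sample events, only report.docx is reported: notes.txt has a 4663 with the DELETE bit but no matching 4660 on the same handle.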