I've been having some strange issues with stuff going missing from my network drives. Suspecting that it might be down to someone leaving computers unlocked or a student knowing a staff member's password, I need to log all the file deletions on the network drives.
Setting the logging up: done. Advanced Auditing options, enabling auditing for certain groups on the folders, all sorted and working (I can see it happening).
The problem is that Windows seems to be logging a huge amount of other information that's filling the security log and making it hard to spot the events I want and impossible to look back more than about an hour. (See Examples below). I can't see obviously where I am auditing this but I could do with it stopping as I'd like, for the minute, just to be logging the file deletions. Any advice?
Event IDs tend to be 4658, 5656, 4663, which are also the ones used when logging information correctly.

Code:
    An attempt was made to access an object.

    Subject:
        Security ID:        SYSTEM
        Account Name:       <ServerName>
        Account Domain:     <DomainName>
        Logon ID:           0x3e7

    Object:
        Object Server:      Security
        Object Type:        File
        Object Name:        C:\Windows\SysWOW64\tasklist.exe
        Handle ID:          0xcf8

    Process Information:
        Process ID:         0x12b4
        Process Name:       C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

    Access Request Information:
        Accesses:           WriteAttributes
        Access Mask:        0x100
Edit: Just trying disabling logging of "Handle Manipulation", which MS suggested that I enable. See how that goes, but I'm still open to suggestions.

Code:
    The state of a transaction has changed.

    Subject:
        Security ID:        NETWORK SERVICE
        Account Name:       <ServerName>$
        Account Domain:     <DomainName>
        Logon ID:           0x3e4

    Transaction Information:
        RM Transaction ID:  {741bb055-5306-11e1-99a7-0026b986e57a}
        New State:          48
        Resource Manager:   {c90bc1e3-3b69-11df-a48e-cebb1d34c2c0}

    Process Information:
        Process ID:         0x448
        Process Name:       C:\Windows\System32\svchost.exe
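Added example (my own script, not from the post above): a PowerShell filter that pulls only the deletion events for the audited share out of the noisy Security log, so the McAfee WriteAttributes and transaction-state entries stop hiding what you are looking for. It assumes it runs elevated on the file server, that D:\Shares is a placeholder for the audited share root, and that the object-access auditing described in the post is already in place.

```powershell
# Show the current state of the Object Access subcategories first, so you can see
# whether "Handle Manipulation" (the source of the 4658 flood) is still enabled.
auditpol /get /category:"Object Access"

$ShareRoot = 'D:\Shares'              # placeholder: root of the audited network drive
$Since     = (Get-Date).AddHours(-24) # how far back to look
$DeleteBit = 0x10000                  # DELETE access right (shown as %%1537 in AccessList)

# 4663 = "An attempt was made to access an object"; a deletion is a 4663 whose
# AccessMask carries the DELETE bit, normally followed by 4660 ("An object was deleted")
# that shares the same Handle ID but carries no object name of its own.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663, 4660
    StartTime = $Since
} -ErrorAction SilentlyContinue

$deletions = foreach ($e in $events) {
    # Flatten the EventData name/value pairs into a hashtable for easy lookup.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($e.Id -eq 4663) {
        # Drop anything that is not a DELETE request on a file under the share.
        # This is what removes scanner noise such as mcshield.exe doing WriteAttributes.
        $onShare = $d.ObjectName -and
                   $d.ObjectName.StartsWith($ShareRoot, [StringComparison]::OrdinalIgnoreCase)
        $isDelete = (([int]$d.AccessMask) -band $DeleteBit) -ne 0
        if ($d.ObjectType -ne 'File' -or -not $onShare -or -not $isDelete) { continue }
    }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        EventId  = $e.Id
        User     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        LogonId  = $d.SubjectLogonId     # ties the event back to the 4624 logon session
        Object   = $d.ObjectName         # empty on 4660; match it to a 4663 via HandleId
        HandleId = $d.HandleId
        Process  = $d.ProcessName
        Access   = $d.AccessMask
    }
}

$deletions | Sort-Object Time | Export-Csv -Path "$env:TEMP\share-deletions.csv" -NoTypeInformation
$deletions | Sort-Object Time | Format-Table Time, EventId, User, Object, Process -AutoSize
```

The 4660 rows are kept unfiltered on purpose: match their HandleId against the preceding 4663 to confirm the delete actually completed rather than just being requested.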