Object Access Auditing

[tduplantis]

Is there any guide out there that will help you understand the events this generates? I created and deleted a folder in a directory that I want to monitor and this is what I got:


Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 10/11/2002
Time: 10:30:54 AM
User: DOMAIN\TDuplantis
Computer: SERVER1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: E:\PRDDATA\GL\Nvision\Reports\consolidated
New Handle ID: 4104
Operation ID: {0,338643136}
Process ID: 8
Primary User Name: SERVER1$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: TDuplantis
Client Domain: DOMAIN
Client Logon ID: (0x0,0x13FDCFDB)
Accesses SYNCHRONIZE
WriteData (or AddFile)

Privileges SeBackupPrivilege
SeRestorePrivilege


It doesn't say what file, and there is no event saying I "deleted" a folder. This is the next event:

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: 10/11/2002
Time: 10:30:54 AM
User: DOMAIN\TDuplantis
Computer: SERVER1
Description:
Handle Closed:
Object Server: Security
Handle ID: 4104
Process ID: 8

 

[brontosaurus]

It doesn't say what file? What is this?:

E:\PRDDATA\GL\Nvision\Reports\consolidated

Do you see any event ID's 564? Those are confirmed delete events...

 

[tduplantis]

That is the name of the directory that the test directory was created and deleted. There are no 564 events, and I'm auditing creat folders/append data, and delete subfolders and files.... both successfull and failed.

 

[GlenJohnson]

Try this one. It's not bad.

http://www.eventid.net/events.asp

Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com


"A person often meets his destiny on the road he took to avoid it."
Jean de La Fontaine (1621-1695); French poet.