Poor man's file audit on Windows Server 2008 R2 – with an easy search function and GUI

I needed a way to audit file deletions on our Windows 2008 R2 server, but didn't need to make pretty reports for our C-levels; it was just for techs to track down who deleted what. So I used the built-in Windows file auditing, enabled through a GPO.

We also have about 1800 people using this share, so we had to keep a watchful eye on how many logs were generated, and then script deletion of the logs after a certain period. We chose 14 days as roughly how far back we want to retain.

Task 1 was to enable the GPO for the server so it actually starts recording the file deletions in Event Viewer.
Following this guide: http://www.morgantechspace.com/2013/11/Enable-File-System-Auditing-in-Windows.html
you can enable the GPO so that deletion attempts start being logged.

Task 2 was to separate the security logs into their own directory, for easy pruning.
I then had to go to the file server and enable this: http://blogs.technet.com/b/askds/archive/2009/08/04/tracking-a-remote-file-deletion-back-to-the-source.aspx
so that I could start logging. This is essentially where you enable file auditing on the share itself. I only chose to audit successful file deletions, nothing else, as that was all the data I wanted logged.

Task 3 was to script automated deletions of the evtx files after 14 days of age.

I wrote this to do my automated deletions. Make a .cmd or .bat file on your desktop with these contents:
REM Remove archived Security logs older than 14 days
REM /d -14 selects files whose last-modified date is 14 or more days ago; @path is already quoted by forfiles
forfiles /p "C:\Windows\System32\winevt\Logs\Security" /s /m *.* /c "cmd /c Del @path" /d -14

You can adjust the 14 days to whatever you like. Then add it to Task Scheduler so it runs automatically once a day.

Task 4 was to find a way to sift through 2-3GB of evtx files easily.
SOURCE: https://martin77s.wordpress.com/2010/01/16/evtlogparser/
You will need to install LogParser.msi first.
Then run EVTLOGPARSER.EXE – it is portable once LogParser.msi is installed.
You can then add the security directory directly: \\SERVERNAME\c$\Windows\System32\winevt\Logs\Security
and query for Event ID 4663 and/or search the message field for the deleted file name; partial matches should work.
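If you would rather script the same search than click through EVTLOGPARSER, the following PowerShell does the equivalent against the archived .evtx files. This is an added example, not code from the post or from the EVTLOGPARSER project. It assumes the same UNC path the post uses (replace SERVERNAME), that you run it with admin rights that can read the share, and the file-name fragment (Budget2014.xlsx) is a constructed sample. One point the GUI search hides: Event ID 4663 is logged for every audited access, not just deletes, so the script keeps only records whose AccessMask includes the DELETE bit (0x10000). It sticks to PowerShell 2.0 syntax so it also runs on the 2008 R2 server itself.

```powershell
# Added example (not the post's own code): search archived Security .evtx files
# for successful delete attempts (4663 with DELETE in the access mask) that
# mention a given file name, and report who, when, what and from which process.
param(
    [string]$LogDir = '\\SERVERNAME\c$\Windows\System32\winevt\Logs\Security',  # path from the post; replace SERVERNAME
    [string]$Match  = 'Budget2014.xlsx',   # constructed sample: any fragment of the deleted path
    [int]$Days      = 14                   # same retention window as the cleanup task
)

$since = (Get-Date).AddDays(-$Days)
$files = Get-ChildItem -Path $LogDir -Filter '*.evtx' | Where-Object { $_.LastWriteTime -ge $since }

foreach ($f in $files) {
    try {
        # XPath filter is evaluated by the event log service, much faster than piping everything through Where-Object
        $events = Get-WinEvent -Path $f.FullName -FilterXPath '*[System[EventID=4663]]' -ErrorAction Stop
    } catch {
        continue   # Get-WinEvent throws (rather than returning nothing) when a file has no matching events
    }

    foreach ($e in $events) {
        # Pull EventData fields by name instead of by positional index, which differs between OS versions
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # 4663 fires for read/write/etc. too; keep only accesses that requested DELETE (0x10000)
        $mask = [Convert]::ToInt32($d['AccessMask'], 16)
        if (($mask -band 0x10000) -eq 0) { continue }

        if ($d['ObjectName'] -notlike "*$Match*") { continue }

        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            EventId = $e.Id
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object  = $d['ObjectName']
            Process = $d['ProcessName']
            LogFile = $f.Name
        }
    }
}
```

Save it as e.g. Find-Deletion.ps1 and run `.\Find-Deletion.ps1 -Match 'Budget2014.xlsx'`; pipe the output to `Sort-Object Time` or `Export-Csv` if you want it in a spreadsheet. Note that the companion event 4660 ("An object was deleted") carries no ObjectName, only a HandleId, so 4663 with the DELETE bit is the record that actually names the file; that is why the search above, like the post's EVTLOGPARSER query, keys on 4663.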
