Question
Thursday, May 16, 2019 7:04 AM
We are developing software for monitoring the access records of files and folders in Windows sharing areas. We can't find the correct IDs and patterns from Windows Server events. The Windows event ID alone is not enough to analyze. How do I find the correct event ID and items for the following file access events? The software development team will code according to this information. I was able to fetch the event list using an API, but the problem is that the event logs have more than one result type. How do I distinguish a create from a read action in the same event ID result? For example, I received a 4656 event ID result, but I have no idea how to parse it as a delete action, because 4656 can be a delete, create or read action. How can I understand exactly what action it is?
The software languages we use are Delphi and C++.
For Windows 2008, Windows 2012 and Windows 2016
File Create
File Modify
File Delete
File Move
File Rename
File Read Access
Folder Permission Change
Folder Audit Setting Changes
Failed Attempt to Read File
Failed Attempt to Delete File
All replies (2)
Thursday, May 16, 2019 7:15 AM
Check the filesystem section in the URL below
https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter7#FileSys
Please remember to mark the replies as answers if they help
Tuesday, June 4, 2019 8:38 AM
Just checking to see if the response was helpful, if not please comment on the thread so that we can assist further.
Please remember to mark the replies as answers if they help.
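An added example, not part of the original thread: events 4656 and 4663 carry an AccessMask field, and decoding its bits is what tells a delete from a read or write within the same event ID. The function names, the priority order used when several bits are set, and the sample values are assumptions made for illustration; the bit values are the file access rights from winnt.h.

```cpp
// Added example: decode the AccessMask of Security events 4656 / 4663.
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// File access rights from winnt.h. On a folder, bits 0x1/0x2/0x4 mean
// ListDirectory/AddFile/AddSubdirectory instead.
struct Right { uint32_t bit; const char* name; };
static const Right kFileRights[] = {
    {0x1, "ReadData"}, {0x2, "WriteData"}, {0x4, "AppendData"},
    {0x8, "ReadEA"}, {0x10, "WriteEA"}, {0x20, "Execute"},
    {0x40, "DeleteChild"}, {0x80, "ReadAttributes"}, {0x100, "WriteAttributes"},
    {0x10000, "DELETE"}, {0x20000, "READ_CONTROL"}, {0x40000, "WRITE_DAC"},
    {0x80000, "WRITE_OWNER"}, {0x100000, "SYNCHRONIZE"}, {0x1000000, "ACCESS_SYS_SEC"},
};

// AccessMask arrives as a hex string such as "0x10000".
uint32_t parse_mask(const std::string& s) {
    return static_cast<uint32_t>(std::stoul(s, nullptr, 16));
}

// List every right named in the mask, in table order.
std::vector<std::string> decode(uint32_t mask) {
    std::vector<std::string> out;
    for (const Right& r : kFileRights)
        if (mask & r.bit) out.push_back(r.name);
    return out;
}

// Assumption: when several bits are set, report the most security-relevant one.
std::string classify(int eventId, uint32_t mask, bool auditSuccess) {
    std::string action = "other";
    if (mask & 0x10000) action = "delete";
    else if (mask & 0x40000) action = "permission write";   // WRITE_DAC
    else if (mask & 0x1000000) action = "SACL access";      // ACCESS_SYS_SEC
    else if (mask & (0x2 | 0x4)) action = "write";
    else if (mask & 0x1) action = "read";
    if (!auditSuccess) return action + " denied";            // Audit Failure
    // 4656 = handle requested (intent); 4663 = right actually exercised.
    return action + (eventId == 4663 ? " performed" : " requested");
}

int main() {
    // Constructed sample values, not taken from a real log.
    struct { int id; const char* mask; bool ok; } samples[] = {
        {4656, "0x10000", true}, {4663, "0x2", true}, {4656, "0x120089", false}};
    for (const auto& s : samples)
        std::cout << s.id << " " << s.mask << " -> "
                  << classify(s.id, parse_mask(s.mask), s.ok) << "\n";
}
```

A 4656 mask often names several rights at once because it records what the handle asked for; the matching 4663 events show which of those rights were then used.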