Question
Wednesday, March 4, 2020 9:09 AM
I am using File Server on Windows Server 2012 R2. Yesterday I turned on auditing (tracking deletion of files on my file server), and one thing I noticed is that in one second Event Viewer logs more than 1000 entries in the Security section.
I want to stop all event logs except deletion of folders, subfolders and files.
Thanks
All replies (21)
Thursday, March 5, 2020 9:16 AM ✅Answered
Did some testing in my lab; the following GPOs and settings are what you want:
Group Policies:
Configure auditing for "Everyone" on the share (Under the Security > Auditing tab) as follows:
Here are the events you will receive:
1. A user accesses the share:
2. A user has deleted a folder (first comes event ID 4663):
3. Lastly, event ID 4660 will appear, telling us the object was deleted:
The event IDs 4663 and 4660 are connected, so to know which folder got deleted, you need to check first for an event ID 4663, followed by an event ID 4660.
This should drastically lower the amount of events being logged in your Security event log.
Blog: https://thesystemcenterblog.com
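As an added example that is not part of the thread, the PowerShell below does the 4663-to-4660 pairing described in the answer automatically: event 4660 carries no object name, so the script joins it to the preceding 4663 on HandleId (and ProcessId) to attribute each deletion to a path and user. It assumes the File System audit subcategory is enabled and a Delete SACL exists on the share; the field names are the standard Security log EventData names.

```powershell
# Added example, not from the thread: list deleted files/folders by pairing
# 4663 (handle opened with DELETE) with the following 4660 (object deleted).
$xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4663 or EventID=4660)]]</Select>
  </Query>
</QueryList>
"@

# Oldest first, so a 4663 is always seen before the 4660 for the same handle
$events = Get-WinEvent -FilterXml $xml -Oldest -ErrorAction SilentlyContinue

# Read one named field out of the event's EventData block
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $node = ([xml]$Event.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    return $node.'#text'
}

$pending = @{}   # HandleId -> details of a 4663 that requested DELETE on the object
$deleted = foreach ($e in $events) {
    $handle = Get-EventField $e 'HandleId'
    if ($e.Id -eq 4663) {
        # 0x10000 is the DELETE access right; AccessMask may combine several rights, so test the bit
        $mask = [Convert]::ToInt64((Get-EventField $e 'AccessMask'), 16)
        if ($mask -band 0x10000) {
            $pending[$handle] = [pscustomobject]@{
                Time      = $e.TimeCreated
                User      = (Get-EventField $e 'SubjectDomainName') + '\' + (Get-EventField $e 'SubjectUserName')
                Object    = Get-EventField $e 'ObjectName'
                ProcessId = Get-EventField $e 'ProcessId'
                Process   = Get-EventField $e 'ProcessName'
            }
        }
    }
    elseif ($e.Id -eq 4660 -and $pending.ContainsKey($handle)) {
        # Handle IDs are reused, so also require the same process before trusting the match;
        # a 4663 whose handle was closed without a delete would otherwise pair with a later 4660
        if ($pending[$handle].ProcessId -eq (Get-EventField $e 'ProcessId')) {
            $pending[$handle]
        }
        $pending.Remove($handle)
    }
}

$deleted | Sort-Object Time | Format-Table Time, User, Object, Process -AutoSize
```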
Wednesday, March 4, 2020 9:26 AM
Hi,
I'm afraid it won't be possible to stop "all other events" from the Security event log, many alerts cannot be removed. You could consider changing the size of the event log to a bigger size to start with.
Which event is filling the log with 1000 events in one second? If this is also some audit policy that is configured in your organization, you should reconsider if it's required or not. If it isn't required/needed then you can disable those audit policies and you should receive less events in the Security event log.
Best regards,
Leon
Blog: https://thesystemcenterblog.com
Wednesday, March 4, 2020 9:52 AM
We have 3 shared folders which are around 2.3 TB, so 95% of the logs are audit logs from these shared folders.
All of them are Audit Success.
Also, I have set the maximum size limit to 4 GB.
Wednesday, March 4, 2020 9:59 AM
The auditing of folders can easily be very noisy and flood the event logs; this is a known thing.
If you have a lot of deletion activity, then your log will be filled quickly; there's nothing really to prevent it unless you have other events that can be turned off from logging.
Blog: https://thesystemcenterblog.com
Wednesday, March 4, 2020 10:03 AM
Per day I have around 10 to 20 file deletions, but there are millions of these log entries.
And for these millions of log entries the access type is SYNCHRONIZE and the Task Category is Detailed File Share.
Wednesday, March 4, 2020 10:10 AM
The thing is, to audit a folder deletion you need at least the "Audit object access" policy. Every time a user successfully accesses an object (a file/folder) you will receive an event, so it is understandable that you receive a lot of events in your Security event log.
If your organization requires you to audit this, then you will have to deal with the logs getting full, or then simply change the event log settings to create a new event log once it's full (or alternatively overwrite the existing event log).
Blog: https://thesystemcenterblog.com
Wednesday, March 4, 2020 10:19 AM
Our organization has around 350 users, of which only 300 use these 3 shared drives, but one thing I am seeing here is that in one second, when I refresh, 1000 events are logged.
I am 100% sure that these 300 users are not working on these shared folders at the same time; maybe right now, as I am typing this message, 50 of them are using the shared drive, or maybe fewer, so it is not possible for more than 1000 events to be recorded in one second.
What I want is to only log events for deleted files and folders, that is all.
Wednesday, March 4, 2020 10:21 AM
Which exact event is getting logged a lot?
Blog: https://thesystemcenterblog.com
Wednesday, March 4, 2020 10:32 AM
Security Event.
Wednesday, March 4, 2020 10:37 AM
Which security event? Event ID?
Blog: https://thesystemcenterblog.com
Thursday, March 5, 2020 6:14 AM
It's Audit Access with Event ID 5145.
Thursday, March 5, 2020 6:42 AM
Hi Tariq,
>All of them are Audit Success
Do you use the following steps to enable auditing on the file share:
1. Right click on the file/folder that we want to audit and choose Properties.
2. On Security tab, choose Advanced.
3. On Auditing tab, choose Continue, then choose Add.
4. Choose Select a principal and type everyone, choose Check Names and choose OK.
5. Choose Type: All and choose Show advanced permissions.
6. Check option Delete subfolders and files and Delete.
7. Choose OK and choose Apply.
After all permissions are set properly, we try to delete a folder under the parent folder, then open the Event Viewer Security log, where we can see that event ID 4660 appears.
If there are any concerns about the information above, please feel free to contact me. Thanks for your understanding.
Best Regards,
Anne
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Thursday, March 5, 2020 6:47 AM
Yes, I did it the same way and turned on Delete and Delete subfolders and files.
I have another Server 2012 which hosts virtual machine services, but its Event Viewer doesn't get full even in days.
Thursday, March 5, 2020 7:03 AM
Hi Tariq,
Would you please provide the whole result of: auditpol /get /category:"Object Access"
Thanks for your time!
Best Regards,
Anne
Thursday, March 5, 2020 7:04 AM
Well, Event ID 5145 (A network share object was checked to see whether client can be granted desired access) is part of the Audit Detailed File Share subcategory. It is not only users that access the file share, but also member servers, workstations and Domain Controllers, and this is why a lot of events are logged; it is nothing uncommon.
You should consider only using Audit File Share (non-detailed); the specific event you're looking for is Event ID 5144 (A network share object was deleted).
Do note that both Audit Detailed File Share and Audit File Share still log many events; this can be seen in the documentation:
Blog: https://thesystemcenterblog.com
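As an added example (not from the thread), the auditpol commands below show the setting that produces the 5145 flood next to the tuned one: the Detailed File Share subcategory is switched off and only the File System subcategory is kept, which is where the 4663/4660 pair for a folder with a Delete SACL comes from. Run them in an elevated PowerShell prompt on the file server.

```powershell
# Added example, not from the thread. The subcategory names are the standard
# auditpol names under the Object Access category; quotes are required because of the spaces.

# Show the current state of the whole category first
auditpol /get /category:"Object Access"

# Noisy setting: every share access check (event 5145) is logged, for every client and server.
# Disable it for both success and failure.
auditpol /set /subcategory:"Detailed File Share" /success:disable /failure:disable

# Keep successful file-system object access. Combined with a Delete SACL on the folder,
# this yields 4663 + 4660 only for the entries the SACL covers.
auditpol /set /subcategory:"File System" /success:enable /failure:disable

# Verify the result
auditpol /get /category:"Object Access"

# Caveat: if the advanced audit policy is delivered by a GPO, these local changes are
# overwritten at the next policy refresh; make the same change in the GPO instead.
```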
Thursday, March 5, 2020 8:06 AM
The command is not working.
Thursday, March 5, 2020 8:17 AM
How can I only log deleting and deleting folders, subfolders and files?
I mean, how do I configure it to only record Event ID 5144?
Friday, March 6, 2020 5:04 AM
>the command is not working
Hi Tariq Hashemee,
Do you run cmd as administrator? Please run the command as administrator.
If you have run it as admin, what error message do you get when running the command? Please provide a screenshot.
The result can help us check the security policies you enabled.
Thanks for your cooperation.
Best Regards,
Anne
Saturday, March 7, 2020 4:17 AM
One question,
What is the difference between Audit file share policy and object access Policy?
Saturday, March 7, 2020 4:59 AM
I have moved the server's computer object to another Organizational Unit and turned off some audit policies; now my Event Viewer doesn't log at all.
Saturday, March 7, 2020 8:06 AM
The audit object access policy handles auditing access to all objects outside AD. First of all, are the computers receiving the GPOs, if you have made changes?
The audit file share policy allows you to audit events related to file shares: creation, deletion, modification, and access attempts.
Make sure to run gpupdate /force, and you can run gpresult /H "C:\Temp\GPResult.html" to check whether you received the new GPOs.
Blog: https://thesystemcenterblog.com