Aaron
On 4/21/05 11:29 PM, "Peter Jessop" <[EMAIL PROTECTED]> wrote:
More specifically:
To detect file deletion you must audit Successful object access.
Additionally you must then enable auditing on the folders by means of the security tab.
You must then look for security events with ID 560.
The following is a query you can use with logparser to extract the delete events
SELECT
timegenerated AS EventTime,
extract_token(strings, 7, '|') AS UserName,
extract_token(strings, 2, '|') AS File
FROM security
WHERE EventID = '560'
AND EventTypeName = 'Success Audit event'
AND extract_token(strings, 1, '|') like 'File'
AND Message LIKE '%DELETE%'
ORDER BY EventTime DESC
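As an added example that is not part of the original post, the same filter logic re-implemented in Python over constructed Security-log records, so the query's conditions (event 560, success audit, File object type, DELETE in the message) can be checked offline. The '|'-joined Strings layout used here is an assumption that simply matches the extract_token() positions in the query.

```python
# Added example, not from the original post: the LogParser query's filter logic in
# Python over constructed Security-log records. Assumed '|'-joined Strings layout:
# object type = token 1, object name = token 2, user = token 7 (the query's indices).
from dataclasses import dataclass

@dataclass
class SecurityEvent:
    time_generated: str   # EventTime
    event_id: int
    event_type_name: str  # 'Success Audit event' / 'Failure Audit event'
    strings: str          # insertion strings joined with '|'
    message: str          # rendered text; granted rights appear after 'Accesses:'

def extract_token(s, index, sep='|'):
    """Mirror LogParser's extract_token(): 0-based token, '' if out of range."""
    parts = s.split(sep)
    return parts[index] if index < len(parts) else ''

def find_file_deletes(events):
    """(time, user, file) for successful event-560 audits that granted DELETE
    on a File object, newest first, mirroring the query above."""
    hits = []
    for ev in events:
        if ev.event_id != 560 or ev.event_type_name != 'Success Audit event':
            continue
        # LIKE 'File' has no wildcard, so it is a case-insensitive equality test.
        if extract_token(ev.strings, 1).lower() != 'file':
            continue
        if 'DELETE' not in ev.message.upper():   # Message LIKE '%DELETE%'
            continue
        hits.append((ev.time_generated, extract_token(ev.strings, 7),
                     extract_token(ev.strings, 2)))
    return sorted(hits, key=lambda h: h[0], reverse=True)

def build_strings(object_type, object_name, user):
    """Constructed Strings value; only tokens 1, 2 and 7 matter to the query."""
    return '|'.join(['Security', object_type, object_name, '0x0', '0x0', '0x0', '-', user])

# Constructed sample records (not real log data): two hits, one registry key (wrong object type), one failed access.
SAMPLE_EVENTS = [
    SecurityEvent('2005-04-21 22:10:03', 560, 'Success Audit event',
                  build_strings('File', r'C:\Data\report.doc', 'alice'), 'Accesses: DELETE READ_CONTROL'),
    SecurityEvent('2005-04-21 22:12:40', 560, 'Success Audit event',
                  build_strings('Key', r'\REGISTRY\MACHINE\SOFTWARE\X', 'alice'), 'Accesses: DELETE'),
    SecurityEvent('2005-04-21 22:13:05', 560, 'Failure Audit event',
                  build_strings('File', r'C:\Data\secret.xls', 'carol'), 'Accesses: DELETE'),
    SecurityEvent('2005-04-21 23:05:41', 560, 'Success Audit event',
                  build_strings('File', r'D:\Share\old.bak', 'bob'), 'Accesses: DELETE'),
]
```

Running find_file_deletes(SAMPLE_EVENTS) returns only the two successful File opens with DELETE access, newest first, which is exactly the row set the query selects.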
