Security event logs missing for a period of 9 minutes


I have a folder, 'test', which includes the folders 'test1', 'test2', 'test3' and 'test4'. Somehow the folders 'test3' and 'test4' were moved 1 level up. There is a security log enabled and auditing at the Windows level. The action took place within a period of 9 minutes and did not last more than 1 or 2 minutes, due to the size of the files included in them.

I need to find the event and figure out who performed the move, in order to prevent it next time.

Generally, if you move or delete folders, the events are 560, 560. These events are not there for the period of time when the incident occurred.

Thank you,
Renold

Auditing is tricky; you may not have set it up correctly. Do a few tests to verify that these particular events are created appropriately.

In general you need the following:

1) Enable object access auditing in the local audit policies.

2) Enable NTFS auditing on the parent folders of the objects to be audited. Best is the entire drive.

3) Monitor the appropriate activities (deletes and writes, usually); auditing reads of files is not worth the effort.

Recommended NTFS audit policy:
http://networkadminkb.com/kb/knowledge%20base/windows2003/recommended%20ntfs%20audit%20policy.aspx

The event may not appear because auditing is set incorrectly on the folders, or because there is so much load on the server that many events are lost. The latter is apparent when large gaps with no event logs occur.
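The three steps above, as one added PowerShell example (not code from the original post or either poster). It assumes Windows Server 2008 or later run from an elevated prompt, the parent folder C:\test, and the Vista+ event IDs 4663 (object access) and 4660 (object deleted), which replaced the Windows 2003 IDs 560/564 the question refers to. It also adds the check a practitioner wants for a gap in the log: the Security log's size and retention mode, and any "audit log was cleared" (1102) or "event logging service shut down" (1100) events in the window.

```powershell
# Added example (not from the original post). Assumptions: Windows Server 2008+,
# elevated prompt, parent folder C:\test, Vista+ event IDs 4663/4660/1102/1100.

# 1) Enable object access auditing: the "File System" subcategory, success and failure.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2) Put an audit rule (SACL) on the parent folder, inherited by all subfolders and files.
#    Delete and Write cover moves, renames and deletes; reads are deliberately left out.
$Folder    = 'C:\test'
$Acl       = Get-Acl -Path $Folder -Audit
$Rights    = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, Write'
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$Rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $Rights, $Inherit, $Propagate, $Flags)
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Folder -AclObject $Acl

# 3) Test it: rename a subfolder, then pull the object-access events for that path
#    from the last 9 minutes. 4663 carries the object name; 4660 only carries the
#    handle ID, so it is correlated back to the 4663 with the same HandleId.
$Start = (Get-Date).AddMinutes(-9)
$Access = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Start } |
    Where-Object { $_.Properties[6].Value -like "$Folder*" } |
    Select-Object TimeCreated, Id,
        @{ n = 'User';     e = { '{0}\{1}' -f $_.Properties[2].Value, $_.Properties[1].Value } },
        @{ n = 'Object';   e = { $_.Properties[6].Value } },
        @{ n = 'HandleId'; e = { $_.Properties[7].Value } },
        @{ n = 'Access';   e = { ($_.Properties[8].Value -replace '\s+', ' ').Trim() } }
$Access | Format-Table -AutoSize

$Deleted = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660; StartTime = $Start } |
    Where-Object { $h = $_.Properties[5].Value; $Access | Where-Object HandleId -eq $h }
$Deleted | Select-Object TimeCreated, Id, @{ n = 'HandleId'; e = { $_.Properties[5].Value } } | Format-Table -AutoSize

# 4) Explain a gap: is the log too small or overwriting, and was it cleared or stopped?
Get-WinEvent -ListLog Security | Select-Object LogName, LogMode, MaximumSizeInBytes, RecordCount, IsLogFull
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102, 1100; StartTime = $Start } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.Properties[1].Value } }
```

If step 3 shows nothing after a test rename, the SACL or the audit policy is wrong and no amount of searching the old log will help; if it works now but the window in question is empty, the step 4 output (a Security log at its maximum size in Circular mode, or a 1102 in the window) is the usual explanation for a nine-minute hole.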

 



Windows Server  >  Windows Server General Forum


