security event logs missing for a period of time of 9 minutes

-

i have folder, 'test', includes folders 'test1', 'test2', 'test3' , 'test4'. somehow folders 'test3' , 'test4' moved 1 level up. there security log enabled , audit in windows level. action took place within period of 9 minutes did not last more 1 or 2 minutes due size of files included in them.

need find event , figure out performed move in order prevent next time.

generally, if move or delete folders events 560 , 560. these events not there period of time when incident occurred.

thank you
renold

auditing tricky, may not have setup correctly.  few tests, verify these particular events are created appropriately.

in general need following

1) enable object acces auditing in local audit policies

2) enable ntfs auditing on parent folders of objects audited.  best entire drive.

3) monitor appropriate activities (deletes , writes usually), reading files is not worth effort.

recommended ntfs audit policy
http://networkadminkb.com/kb/knowledge%20base/windows2003/recommended%20ntfs%20audit%20policy.aspx

the event may not appear because auditing incorrectly folders, , or there load on server such many events lost.  appearent when large gaps of no event logs occur.

 



Windows Server  >  Windows Server General Forum



Comments

Post a Comment

Popular posts from this blog

Schannel Issue

-
hello there, i have windows 2008 r2 machine. , have hosted sharepoint 2010 on it. i have site have published on internet. i don't know whether it's related , getting error unable resolve or come conclusion. it's pretty frequent. my server patched latest updates. log name:      system source:        schannel date:          8/12/2011 3:49:43 pm event id:      36887 task category: none level:         error keywords:      user:          system computer:      mycomp.domain.com description: following fatal alert received: 42.   the above error doesn't provide info . could please me identify issue , possible solution ? there have been lot of posts one. i believe can safely ignored...
Read more

Indexing Server

-
just quick question - 2008 have indexing server? can't see option - , want setup web based search engine using indexing server catalogs , asp.net....   it availble? does not based on - http://technet2.microsoft.com/windowsserver2008/en/library/82bac070-bee4-452e-a783-3ce31b5e1d0f1033.mspx?mfr=true Windows Server  >  Management
Read more

oclist /xml or /?

-
oclist have qualifiers? can behaviour changed, example output xml?   given previous comments andrew m , comments in forums , blogs think answer no, it’s simple app calling underlying api, thought i'd ask can't seem find anything.   why asking question? i'd @ least 2 things oclist (apart nicer looking output [which i'm not going get], dependances listed [dicussed in forum , ruled out], , refrushing add ad componets , telling use dcpromo [which in banner know]): - whether installing component cuase / require reboot (currently believe qwave , printing services require reboot)   - xml output, can't justify team looking see if can commality with full server   fwiw :j   hi,   oclist not have qualifiers or ways change output. when iis came in late, make oclist output longer, unfortunately late make significant changes.   i'll take feedback , add our list next version.   thanks,   andrew   ...
Read more