WatchDirectory Forum
http://www.watchdirectory.net/cgi-bin/yabb25/YaBB.pl
watchDirectory forums >> How to... >> Monitoring the deletion of a folder.
http://www.watchdirectory.net/cgi-bin/yabb25/YaBB.pl?num=1131963077

Message started by theaudiopimp on Nov 14th, 2005 at 11:11am

Title: Monitoring the deletion of a folder.
Post by theaudiopimp on Nov 14th, 2005 at 11:11am
The program detects the files are deleted but when some one deletes a folder the log shows nothing, even if there are files within that folder.

Surely the program has the capability of monitoring the deletetion of a folder within the monitored dir, how is this done ?

Cheers

Title: Re: Monitoring the deletion of a folder.
Post by theaudiopimp on Nov 14th, 2005 at 1:03pm
Right i have managed to do this, but the activity loged is eratic, for example when i set up the auditing for just sucess on create new folder, delete and delete folder, and set the same in the program, when i create a new folder inside the monitored folder it keeps saying Used permission delete ???

Also any folders that were already in the monitored folder dont seemed to be monitored at all???

Any ideas why, i have cascaded the auditing down the tree so it is inherited, and the group everyone is added.

Cheers

D

Title: Re: Monitoring the deletion of a folder.
Post by Gert on Nov 14th, 2005 at 4:53pm
Hi,

I jus tried this sequence of commands inside a command box:

Code (]
D:\AuditMeForFilesAndDirs>md abc

D:\AuditMeForFilesAndDirs>cd abc

D:\AuditMeForFilesAndDirs\abc>md def

D:\AuditMeForFilesAndDirs\abc>rd def
[/code):

and the resulting output for "abc":
[code]
File/Directory D:\AuditMeForFilesAndDirs\abc
    from 2005-11-14 16:43:34 to 2005-11-14 16:43:34
[12] 2005-11-14 16:43:34, Open File by GDPLAP\\Gert Rijs. Program C:\WINDOWS\system32\cmd.exe.
  Permissions requested Synchronize, ReadData (or List Directory)
[12] 2005-11-14 16:43:34, Close

and for folder "def":

Code (]
File/Directory D:\AuditMeForFilesAndDirs\abc\def
    from 2005-11-14 16:43:42 to 2005-11-14 16:43:49
[116):

2005-11-14 16:43:42, Open File by GDPLAP\\Gert Rijs. Program C:\WINDOWS\system32\cmd.exe.
  Permissions requested Synchronize, ReadData (or List Directory)
[116] 2005-11-14 16:43:42, Close
[116] 2005-11-14 16:43:49, Open File by GDPLAP\\Gert Rijs. Program C:\WINDOWS\system32\cmd.exe.
  Permissions requested Delete, Synchronize, Read Attributes
  [116] 2005-11-14 16:43:49, Used a granted permission. Permission used Delete
  [116] 2005-11-14 16:43:49, Delete
[116] 2005-11-14 16:43:49, Close


You should make sure that you leave the "delay starting the task" option to a few seconds because Windows will not immediately write the audit info to the security log.
My auditing settings are "attached".

Gert
auditset.jpg (41 KB | )

WatchDirectory Forum » Powered by YaBB 2.5.2!
YaBB Forum Software © 2000-2017. All Rights Reserved.