

Advanced query building: How to audit for file or folder delete with bv-Control for Windows

Question/Issue:
How do you determine if a file or folder has been deleted?


Solution:
Enable auditing on the target directory and on the query engine, then build an event logs query to check for event IDs 564 and 563.


PART 1

These steps must be completed on each target computer and directory to audit.

  1. Navigate to the target directory using Windows Explorer. Right-click the target directory, then click Properties.
  2. Click the Security tab, then click the Advanced button.
  3. Click the Auditing tab.
  4. Click the Add button. Then, type "everyone" in the field "Enter the object name to select". Click OK.
  5. In the Auditing Entry for <Folder Name> dialog box, select each of the following in the Success column:
    • Create Files / Write Data
    • Create Folders / Append Data
    • Delete Subfolders and Files
    • Delete
  6. Check the box "Apply these auditing entries to objects and/or containers within this container only" so that the entries apply to the subfolders and files beneath the target directory.
  7. Click OK. Then, click OK again.
    • NOTE: Consider enabling auditing on the root of C:\ to cover the entire drive.
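The same auditing entry as in steps 4 to 7, applied with PowerShell instead of the Explorer dialog. This is an added example and is not part of the Symantec article or of bv-Control; the folder path is an assumption, the script must run elevated, and it uses inheritance to every descendant of the folder (ContainerInherit and ObjectInherit) so that subfolders and files are covered. The four rights are the .NET names of the four Success entries in step 5.

```powershell
# Added example (not from the Symantec article): Part 1 auditing entry via PowerShell.
$Target = 'C:\Finance\Reports'   # assumed target directory; run elevated

$fsr = [System.Security.AccessControl.FileSystemRights]
# Step 5, by .NET name:
#   Create Files / Write Data     -> CreateFiles
#   Create Folders / Append Data  -> CreateDirectories
#   Delete Subfolders and Files   -> DeleteSubdirectoriesAndFiles
#   Delete                        -> Delete
$rights = $fsr::CreateFiles -bor $fsr::CreateDirectories -bor
          $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::Delete

# Step 4: the entry is for Everyone. Step 6: inherit to child containers and objects
# (assumption: full inheritance, so every subfolder and file below $Target is audited).
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

# -Audit is required: without it Get-Acl returns only the DACL and the SACL is left untouched.
$acl = Get-Acl -Path $Target -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# Check: show the SACL entries now on the folder (step 7 ends with the same dialog view).
(Get-Acl -Path $Target -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags |
    Format-Table -AutoSize
```

The SACL entry alone produces no events: Part 2 (the audit policy for File and Object Access) still has to be enabled on the computer, or the Security log stays empty no matter what is deleted.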


PART 2

Enable auditing on the target computer in bv-Config.
  1. In the RMS Console, right-click bv-Control for Windows, then click Configuration | bv-Config.
  2. Select the name of the domain in the left column where the target computer resides.
  3. In the right pane, right-click in a blank area, then click Filter Computers.
  4. In the Filter Computers dialog box, check Servers and Workstations.
  5. Click OK.
    • NOTE: Be patient while the list of computers populates.
  6. In the left column under the domain name, click the name of the target computer.
  7. In the right pane, double click the Audit Policy applet.
  8. Select the radio button "Audit These Events", then in the Success column select the check box File and Object Access.
  9. Click OK.


PART 3

Build an event logs query to audit for event IDs 564 and 563, scoping it to the target computer.
  1. In the RMS Console, click the New Query Builder icon (red book) on the icon bar across the top.
  2. Expand bv-Control for Windows, then select the Event Logs (Security) data source. Click OK.
  3. On the Field Specification Tab, add the User Name field in addition to the default fields listed.
  4. On the Filter Specification Tab, add Event ID equal to 564.
  5. Repeat the above step for Event ID equal to 563. Consider enclosing both filters within parentheses ( ).
    • WARNING: Be sure to use the Boolean operator OR for the filter.
  6. Click the Scope Tab. Expand Advanced Scopes. Then, double click "Scope to a directory on a machine in a domain".
  7. Enter the domain name and the name of the target computer in their respective fields.
    • NOTE: To improve query performance, consider defining a date range with the From and To fields in the scope.
  8. Click OK, then click OK again.
  9. Select the radio button Grid, then click the Run button.
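The Part 3 query expressed against the target computer's Security log with PowerShell, as an added example rather than a bv-Control query or code from the article. The computer name and date range are assumptions. The event IDs are the ones the article names: in the Windows 2000/2003 Security log, 563 is "Object Open for Delete" and 564 is "Object Deleted" (on Windows Vista/2008 and later the same events are 4659 and 4660). The filter is written as an OR, which is the point of the warning in step 5: one event carries one ID, so a filter requiring 564 AND 563 can never match a record.

```powershell
# Added example (not from the Symantec article): Part 3 as a PowerShell Security-log query.
function Get-FileDeleteEvents {
    param(
        [string]  $Computer = 'FILESRV01',              # assumed target computer (step 7)
        [datetime]$From     = (Get-Date).AddDays(-1),   # date range narrows the scan (step 7 note)
        [datetime]$To       = (Get-Date)
    )

    # Step 4/5: Event ID equal to 564 OR Event ID equal to 563. The -contains test is the OR;
    # 563 and 564 are the Windows 2000/2003 IDs for open-for-delete and object-deleted.
    $deleteEventIds = 563, 564

    Get-EventLog -LogName Security -ComputerName $Computer -After $From -Before $To |
        Where-Object { $deleteEventIds -contains $_.EventID } |
        # Step 3: User Name alongside the default fields.
        Select-Object TimeGenerated, EventID, UserName, MachineName, Message |
        Sort-Object TimeGenerated
}

# Step 9 equivalent: run it and show the result as a grid.
Get-FileDeleteEvents -Computer 'FILESRV01' -From (Get-Date).AddDays(-7) |
    Format-Table -AutoSize -Wrap
```

An empty result with a deleted file known to be in range usually means one of the two prerequisites is missing: no SACL entry on the directory (Part 1) or File and Object Access auditing not enabled in the computer's audit policy (Part 2). The 563 record also fires when a file is opened with delete intent but not actually removed, so a 564 for the same object is the confirmation that the delete completed.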



Document ID: 2007122010534353
Last Modified: 09/09/2008
Date Created: 12/20/2007
Product(s): Symantec bv-Control for Windows
Release(s): Symantec bv-Control for Windows 8.0, Symantec bv-Control for Windows 8.0 SP1, Symantec bv-Control for Windows 8.0 SP2, Symantec bv-Control for Windows 8.1, Symantec bv-Control for Windows 8.5


©1995 - 2008 Symantec Corporation