Windows Server 2012 R2 Event Log / Audit deleted files / Only last minutes visible

audit, file-server, windows-event-log, windows-server-2012-r2

My goal: I want to find out who deletes files on a network share. Users are sometimes complaining that a file is missing and as usual the others are to blame.

I have file auditing enabled for these network shares. If I go to the event viewer to have a look at the audit events I see a ton of them, sometimes more than 100 from the same user in the same second, only "ReadAttributes" or "ReadData (or ListDirectory)". (I assume search index or similar)

How can I disable logging these events so they do not flood my event log?

My workaround is to make an XML filter using

<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
    *
</Select>
<Suppress Path="Security">
    *[EventData[Data[@Name='AccessMask'] and (Data='0x80' or Data='0x1' or Data='0x81' or Data='0x20080' or Data='0x20089')]]
</Suppress>
</Query>
</QueryList>

to only display the important logs like changes and delete. There are always between 28-29k events in the security log.

Maybe because of that flooding I can only see the logs of the last minutes but not from 1 hour ago or longer. This also happens when I use XML filters. For example if I run

<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
 *[EventData[Data[@Name='AccessMask'] and (Data='0x10000')]]
</Select>
</Query>
</QueryList>

to show the file deletions I only see the ones from like the past five minutes. If I look ten minutes later I see a completely different output and no longer files that were deleted 15 minutes ago.

Is there a maximum number of events in the log and if it is reached older ones are deleted? An archive? Where can I find the logs from one day ago?

Altogether this makes the audit log nonsense, as normally only after days (if not weeks) some user discovers that an important file was deleted. Suggestions?

Best Answer

The best way to reduce the noise you are seeing is to change the audit settings you have enabled on the file share(s).

I suspect that when you enabled auditing, you checked all the boxes for all types of access, including "Read" access. This is bound to flood the event log, since Windows will log a 4663 event for every read access to the file and/or directory.

I suggest that you review the audit settings and only enable auditing for write activity (e.g. WriteData etc.). This should cut down significantly on the noise.

Alternatively you can also increase the size of the security event log. You can do that in the Windows event viewer by right-clicking the log. If the size is controlled by group policy then you'll have to edit the corresponding group policy instead.

Oh, and nice job on those event log filters!
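As an added example, not part of the question or the answer above, this PowerShell snippet shows the two things discussed here from the console: the Security log's maximum size and retention mode (the reason older events disappear), and the questioner's delete filter (AccessMask 0x10000) narrowed to event 4663 and the last 24 hours, with user, path and handle pulled out of each event. The 24-hour window and the log size in the comment are my own choices.

```powershell
# Added example, not code from the question or answer: inspect the Security
# log limits that cause old events to disappear, then list who deleted what.
# Assumes file-system auditing (event 4663) is already enabled on the share.

# 1. Why events vanish: the log wraps when MaximumSizeInBytes is reached
#    (LogMode 'Circular'). Raise it with e.g.:  wevtutil sl Security /ms:1073741824
Get-WinEvent -ListLog Security |
    Select-Object LogName, MaximumSizeInBytes, LogMode, RecordCount, IsLogFull

# 2. The question's delete filter (AccessMask 0x10000 = DELETE), narrowed to
#    event 4663 and the last 24 hours (timediff is in milliseconds).
$filter = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4663) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
      and
      *[EventData[Data[@Name='AccessMask']='0x10000']]
    </Select>
  </Query>
</QueryList>
"@

# Flatten each event's EventData into a hashtable so fields can be read by name.
function ConvertTo-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $x = [xml]$Record.ToXml()
    $fields = @{}
    foreach ($d in $x.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

Get-WinEvent -FilterXml $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = ConvertTo-EventFields $_
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
            Object     = $f.ObjectName
            AccessMask = $f.AccessMask
            HandleId   = $f.HandleId   # same Handle ID appears in the later 4660 "object was deleted"
        }
    } |
    Sort-Object Time | Format-Table -AutoSize
```

If the log has already wrapped, nothing older than the oldest remaining record can be recovered this way; the only fix is a larger log (or forwarding events to a collector) before the next deletion happens.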
