Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to achieve a search to detect a file deletion in fileserver?

msiri
Observer
‎01-05-2023 04:29 AM

Hello everyone and thanks in advance.

I'm trying to make a search for file deletion but it isn't working.

Do you have any example of a use case? I tested using sysmon but when I delete a file I can't see event 23.

Labels (1)
Labels
0 Karma
Reply

BryantRivera
New Member
‎01-05-2023 05:56 AM

Assuming you are using a Windows OS you could:

1) Enable security auditing for files/folders (this is done within the windows OS, can be enabled via group policy)
2) Use SplunkUniversalForwarder to monitor the Event Log for events 4660 & 4663 (see Splunk: Monitor file system changes on Windows)

0 Karma
Reply

gcusello
Esteemed Legend
‎01-05-2023 05:32 AM

Hi @msiri,

at first you have to enable file monitoring on the File Server, but I don't know hot to do it.

Then, you'll have these information in the WinEventLog:Security  and you can search it: I don't know the EventCode, but you can ask it to the Windows Administator.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of Splunk APM’s and Splunk RUM’s streaming infrastructure in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...