I need to set up an alert to track whenever someone deletes any file from a shared folder on a Windows 2016 file server. I need to know which log needs to be ingested into Splunk to set up this alert. If you have the Splunk query for this, that would be helpful.
Hi @msplunk33,
Follow this link to set up auditing of Windows file deletions: https://www.lepide.com/how-to/track-file-deletions-and-permission-changes-on-file-servers.html
Then forward the Windows Security event logs (with event ID 4663) to Splunk using the [WinEventLog://Security] monitor. Check this answer for doing this: https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-collect-basic-Windows-OS-Event-Log-dat...
If this reply helps you, a like would be appreciated.
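The procedure in the answer above (enable file-system auditing, put an audit entry on the share, forward the Security log, then search for the delete events), as an added worked example that is not part of the original thread or of the linked article. It assumes a share at D:\Shares\Finance, a Splunk Universal Forwarder installed under C:\Program Files\SplunkUniversalForwarder, and an index named wineventlog; all three are placeholders. Run it in an elevated PowerShell session on the file server.

```powershell
# Added example, not from the original thread. Placeholders: share path,
# forwarder location and index name are assumptions for this example.
$SharePath  = 'D:\Shares\Finance'
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'

# 1. Advanced audit policy: audit File System object access. Without this,
#    the SACL in step 2 produces no 4656/4663/4660 events at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. SACL on the share root: audit successful Delete and
#    DeleteSubdirectoriesAndFiles for Everyone, inherited by all children.
$acl  = Get-Acl -Path $SharePath -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Forwarder input: collect the Security channel, allow-listing only the
#    object-access event IDs this alert needs so the index is not flooded.
#    4656 = handle requested, 4663 = access attempted, 4660 = object deleted.
$inputsConf = @"
[WinEventLog://Security]
disabled = 0
index = wineventlog
whitelist = 4656,4660,4663
renderXml = false
"@
$inputsDir = Join-Path $SplunkHome 'etc\system\local'
New-Item -ItemType Directory -Path $inputsDir -Force | Out-Null
Set-Content -Path (Join-Path $inputsDir 'inputs.conf') -Value $inputsConf -Encoding ASCII
& (Join-Path $SplunkHome 'bin\splunk.exe') restart

# 4. Verify locally before looking in Splunk: create and delete a test file,
#    then pull the matching 4663 events from the last five minutes.
$testFile = Join-Path $SharePath 'audit-test.txt'
New-Item -ItemType File -Path $testFile -Force | Out-Null
Remove-Item -Path $testFile
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-5) } |
    Where-Object { $_.Message -match 'Accesses:\s+DELETE' -and $_.Message -match 'audit-test\.txt' } |
    Select-Object TimeCreated, Id,
        @{ n = 'User';   e = { $_.Properties[1].Value } },   # SubjectUserName
        @{ n = 'Object'; e = { $_.Properties[6].Value } } |  # ObjectName
    Format-Table -AutoSize

# 5. Search to save as the Splunk alert once the events arrive:
#
#   index=wineventlog EventCode=4663 Object_Type=File Accesses="DELETE"
#   | table _time, Account_Name, Object_Name, Process_Name
#
# For a lower-noise alert, join 4663 DELETE to the 4660 "object deleted"
# event on Handle_ID: 4663 means a handle with delete access was used,
# 4660 confirms the object is actually gone.
```

Two caveats for a domain-joined server: a GPO audit policy overrides the local auditpol setting, so confirm the effective policy with auditpol /get /category:"Object Access"; and writing inputs.conf straight into etc\system\local works for a single host, but on a fleet the same stanza belongs in a deployment app so it can be pushed from the deployment server.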
This search may give you some results:
source="WinEventLog:Security" sourcetype=WinEventLog EventCode=4656 Accesses=DELETE Object_Type=File