Splunk Search

How to write a search to find who deleted or modified files on a Windows server for the last 24 hours?

mattkun
New Member

I am now very new to Splunk. I have installed a Splunk forwarder to monitor Window Security Logs, but would like also build a search to search who deleted and modified files / folder for the last 24 hours. Please point me to the right direction. Also, is it possible to prompt asking to enter the server name or file name when the search is running? Thanks.

0 Karma

javiergn
SplunkTrust
SplunkTrust

Hi,

Before you can write a search to find out who deleted or modified files on Windows server, you need to enable some sort of file auditing.
Three options currently in Splunk:

  1. Enable Windows native file auditing via security event logs and then tell Splunk to monitor those logs. See this link.
  2. Use a third party tool to monitor file changes and point Splunk to the relevant logs.
  3. Use Splunk Enterprise File Change Monitor (deprecated so not recommended for a long term solution). See this link.

In terms of performance, because we wanted to monitor any type of file operation, which includes millions of log entries per hour in some servers, we decided to go for a 3rd party enterprise agent that was known to have a low impact in your server performance, but in your case I would probably go for the native Windows file auditing via event logs.

Once you have your event logs coming into Splunk, simply filter by the relevant index, sourcetype, host and EventCodes based on the Event IDs used by Windows auditing. See this link again for more information.

Hope that helps.

Thanks,
J

0 Karma

renjith_nair
SplunkTrust
SplunkTrust
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!