AnsweredAssumed Answered

Auditing of File/Folder, Created/Deleted on Winodws - Looking for that audit log?

Question asked by Deepanshu Sood on Mar 20, 2017
Latest reply on Mar 25, 2017 by Anuj Shrivastava

Hello All,


Well I am in a scenario, where there is a requirement to see the logs of the files or directories which are created on any windows system which is integrated with the log decoder.


So to achieve this, what i did that I have enabled the system auditing on that specific directory on the windows machine, but if i refer to the respective logs on the concentrator from investigation pane, then only I would be able to find the logs related to "auditing settings on object were changed" under "Event Description" meta and under that I am only able to see those files & folders details which are already there.


But what I am looking is that, if i add any directory or file and delete any file within the same directory, then the logs should come & I can see them on my concentrator with some basic details like, :

which file has been created & deleted

which folder has been created & deleted

which file has been created & deleted from which user

if any permission get changed on an file or directory


I am looking for some relevant information about any audit change on a specific folder with it's proper windows event id.


Pls suggest that how i could achieve that kind of auditing on a directory with the help of NetWitness.


Hope to hear from you.



Deepanshu Sood.