Hello,
My intention is to create a report, based on the log below, that tells me when a new object (file or folder) was created in the "D:\Folder A\Folder B"
location. I also need to find out when an object was deleted. I have object access auditing turned on and that part works.
I can see events in Windows event logs when a file or folder gets added or removed. My problem is reporting on those events in Splunk.
This is the query I am currently using:
Folder A* "EventCode=4656" OR "EventCode=4663" OR Accesses="DELETE" OR WriteData | eval Time=strftime(_time, "%m/%d/%y %H:%M:%S %Z") | eval Action=case(Accesses="READ_CONTROL", "Created", Accesses="WriteData", "Created", Accesses="DELETE", "Deleted") | rename Time as "What Time" Account_Name as "Who did it" host as "On What Server" Object_Name as "Object Name" Object_Type as "Object Type" | table "What Time" "Who did it" "On What Server" "Object Name" "Object Type" Action
With the query above I can get data about objects being removed, but not about objects being added. The reason is that the field Accesses has multiple values and the first value is always DELETE, even when an object is added or created.
If I do a straight query on Folder A* "EventCode=4656", Splunk shows the Accesses field on the left hand side and only displays one value, DELETE.
I have been fighting with this for a few weeks, and although I feel I am very close, I can't seem to make it happen.
Your help is already greatly appreciated and I thank you in advance.
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=computer1
TaskCategory=File System
OpCode=Info
RecordNumber=15524727
Keywords=Audit Success
Message=A handle to an object was requested.
Object:
Object Server: Security
Object Type: File
Object Name: D:\Folder A\Folder B\New folder
Handle ID: 0x4a4
Process Information:
Process ID: 0x208c
Process Name: C:\Windows\explorer.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: DELETE
READ_CONTROL
WRITE_DAC
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Access Reasons: DELETE: Unknown or unchecked
READ_CONTROL: Unknown or unchecked
WRITE_DAC: Unknown or unchecked
SYNCHRONIZE: Unknown or unchecked
ReadData (or ListDirectory): Unknown or unchecked
WriteData (or AddFile): Unknown or unchecked
ReadEA: Unknown or unchecked
WriteEA: Unknown or unchecked
ReadAttributes: Unknown or unchecked
WriteAttributes: Unknown or unchecked
Access Mask: 0x17019b
02/11/2014 08:49:25 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4663
EventType=0
Type=Information
ComputerName=computer1
TaskCategory=File System
OpCode=Info
RecordNumber=15524662
Keywords=Audit Success
Message=An attempt was made to access an object.
Object:
Object Server: Security
Object Type: File
Object Name: D:\Folder A\Folder B\New folder
Handle ID: 0x558
Process Information:
Process ID: 0x208c
Process Name: C:\Windows\explorer.exe
Access Request Information:
Accesses: DELETE
Access Mask: 0x10000
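Added example (not from the post, and not Splunk code): a small Python parser run over constructed copies of the two events above. It collects every bare line after "Accesses:" into one multivalue list, then contrasts a first-value check (what the post's case() does, reporting both events as Deleted) with a membership check that recovers the creation.

```python
import re

# Constructed sample events modelled on the two events quoted in the post
# (same field layout, trimmed; not taken from a real host).
EVENTS = [
    "LogName=Security\nEventCode=4656\nComputerName=computer1\n"
    "Message=A handle to an object was requested.\nObject Type: File\n"
    "Object Name: D:\\Folder A\\Folder B\\New folder\n"
    "Accesses: DELETE\nREAD_CONTROL\nWriteData (or AddFile)\nReadAttributes\n"
    "Access Mask: 0x17019b\n",
    "LogName=Security\nEventCode=4663\nComputerName=computer1\n"
    "Message=An attempt was made to access an object.\nObject Type: File\n"
    "Object Name: D:\\Folder A\\Folder B\\New folder\n"
    "Accesses: DELETE\nAccess Mask: 0x10000\n",
]

def parse_event(text):
    # Header Key=Value pairs and message 'Key: Value' pairs; the bare lines
    # that follow 'Accesses:' are collected into one multivalue list.
    fields, accesses, in_accesses = {}, [], False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if in_accesses and ":" not in line:          # continuation of Accesses
            accesses.append(line)
            continue
        in_accesses = False
        if m := re.match(r"^(\w+)=(.*)$", line):     # header line
            fields[m.group(1)] = m.group(2)
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "Accesses":
            in_accesses, accesses = True, [value]
        elif value:
            fields[key] = value
    fields["Accesses"] = accesses
    return fields

def action_first_value(ev):
    # The post's case() logic on the first value only: a creation whose
    # rights list starts with DELETE is misreported as Deleted.
    first = ev["Accesses"][0] if ev["Accesses"] else ""
    return {"DELETE": "Deleted", "READ_CONTROL": "Created",
            "WriteData (or AddFile)": "Created"}.get(first, "Unknown")

def action_any_value(ev):
    # Membership test over every value. 4663 records the right actually used,
    # 4656 every right requested, so filter on EventCode in a real report.
    if any(a.startswith("WriteData") for a in ev["Accesses"]):
        return "Created"
    return "Deleted" if "DELETE" in ev["Accesses"] else "Unknown"
```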