Uniquely Identifying the 4656 that was...
Posted 7/25/2009 10:08:35 AM
Forum Newbie

Group: Forum Members
Hi,

I have enabled security on a file with auditing enabled for deletion.

I deleted the file and it generated an event 4660.

But when I correlate back in the event logs with handle_id and process_id, I found four 4656 events that matched the 4660 based on handle_id and process_id. Just wondering if there is any unique way of identifying the 4656 event that immediately preceded the 4656 event?

thx & rgrds,
Srinivas Chamarthi

Post #148
Posted 7/28/2009 9:01:36 AM
Forum Newbie

Group: Forum Members
Also, 4663 is generated twice with ACCESSES containing DELETE.

Frank: any idea?
Post #156
Posted 7/28/2009 10:17:42 AM
Expert

Group: Administrators
It would really help if you posted all the events for me to take a look at. If you need to obfuscate IP addresses or user names, please indicate where you have done so.
Post #157
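
Added example, not part of the thread or written by any poster: one way to pick the single 4656 that belongs to a given 4660 when several share the same Handle ID and Process ID, which happens because a process reuses a handle value after closing it (4658). It assumes events from one machine ordered by record number and that 4658 is being logged; the sample records, paths and the `correlate_delete` helper are constructed for illustration.

```python
# Constructed sample records (not from the thread). Keys mirror the EventData
# names in the Security log XML: ProcessId, HandleId, ObjectName.
# Note that 4660 itself carries no object name, hence the need to correlate.
EVENTS = [
    {"RecordId": 101, "EventId": 4656, "ProcessId": "0x4c8", "HandleId": "0x1a4",
     "ObjectName": r"C:\data\old.txt"},       # earlier use of the same handle value
    {"RecordId": 102, "EventId": 4658, "ProcessId": "0x4c8", "HandleId": "0x1a4"},
    {"RecordId": 103, "EventId": 4656, "ProcessId": "0x4c8", "HandleId": "0x1a4",
     "ObjectName": r"C:\data\report.docx"},   # the open that led to the delete
    {"RecordId": 104, "EventId": 4656, "ProcessId": "0x9f0", "HandleId": "0x1a4",
     "ObjectName": r"C:\data\other.txt"},     # same handle value, other process
    {"RecordId": 105, "EventId": 4663, "ProcessId": "0x4c8", "HandleId": "0x1a4"},
    {"RecordId": 106, "EventId": 4663, "ProcessId": "0x4c8", "HandleId": "0x1a4"},
    {"RecordId": 107, "EventId": 4660, "ProcessId": "0x4c8", "HandleId": "0x1a4"},
    {"RecordId": 108, "EventId": 4658, "ProcessId": "0x4c8", "HandleId": "0x1a4"},
]


def same_handle(a, b):
    """A handle value is only meaningful within the process that owns it."""
    return a["ProcessId"] == b["ProcessId"] and a["HandleId"] == b["HandleId"]


def correlate_delete(events, delete_record_id):
    """Return (opening 4656, [4663 events]) for one 4660.

    Walks backwards from the 4660. The nearest 4656 with the same
    ProcessId/HandleId is the open for this handle lifetime. Meeting a 4658
    first means the handle was closed and reused without a logged 4656,
    so (None, []) is returned instead of guessing an older open.
    """
    ordered = sorted(events, key=lambda e: e["RecordId"])
    idx = next(i for i, e in enumerate(ordered)
               if e["RecordId"] == delete_record_id and e["EventId"] == 4660)
    delete, accesses = ordered[idx], []
    for ev in reversed(ordered[:idx]):
        if not same_handle(ev, delete):
            continue
        if ev["EventId"] == 4656:
            return ev, list(reversed(accesses))
        if ev["EventId"] == 4658:
            break                      # boundary of an earlier handle lifetime
        if ev["EventId"] == 4663:
            accesses.append(ev)        # accesses made through this handle
    return None, []
```
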