https://community.netapp.com/t5/ONTAP-Discussions/Auditing-Object-Open-for-Delete-and-Object-Access-Attempt/m-p/108913#M22703 <P>The first Event (ID 563) happens when a file is opened with FILE_DELETE_ON_CLOSE which is usually used for temporary files. Netapp will automatically delete that file when the last open file handle to it has been closed. Note that you (or rather a program) can also use that flag to force deletion of a file that is currently in use by another program (it still needs the delete-permission to the file itself of course, you cannot delete random files that way <img id="smileyvery-happy" class="emoticon emoticon-smileyvery-happy" src="https://community.netapp.com/i/smilies/16x16_smiley-very-happy.png" alt="Smiley Very Happy" title="Smiley Very Happy" /> )</P><P>See for example <A href="https://msdn.microsoft.com/en-us/library/ms849297.aspx?f=255&amp;MSPPError=-2147217396" target="_blank">here</A> or <A href="https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=563" target="_blank">here</A></P><P>&nbsp;</P><P>The second event was introduced with Windows Server 2003 (I think) and is thus not really a "non-standard" event. See <A href="https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=567" target="_blank">here</A> or <A href="https://support.microsoft.com/en-us/kb/325898" target="_blank">here</A> for a few details</P> Thu, 20 Aug 2015 12:39:18 GMT Darkstar 2015-08-20T12:39:18Z https://community.netapp.com/t5/ONTAP-Discussions/Auditing-Object-Open-for-Delete-and-Object-Access-Attempt/m-p/108906#M22702 <P>Hi, I'd like to have some additional information about events I sometimes gather while auditing CIFS shares.</P><P>&nbsp;</P><P>The first one is EventID 563, Object Open for Delete: NetApp Library (<A href="https://library.netapp.com/ecmdocs/ECMP1196993/html/GUID-1BC2FAB0-A641-4D16-A4A0-44871F560509.html)" target="_blank">https://library.netapp.com/ecmdocs/ECMP1196993/html/GUID-1BC2FAB0-A641-4D16-A4A0-44871F560509.html)</A> says this is a Logon/Logoff event, but I think this is not true.</P><P>&nbsp;</P><P>Se second is EventID 567, Object Access Attempt. I've notice I gather this every 32KB of data readed, can anyone confirm this? Also, this events has more information than what expected from MS documentation: <A href="http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&amp;EvtID=567&amp;Evtsrc=Security." target="_blank">http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&amp;EvtID=567&amp;Evtsrc=Security.</A> Othen than the "standard" fields, I have also the file name and additional information about who did it. Where can I found more documentation about this? Are there any other "non standard" events?</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 04 Jun 2025 23:29:34 GMT https://community.netapp.com/t5/ONTAP-Discussions/Auditing-Object-Open-for-Delete-and-Object-Access-Attempt/m-p/108906#M22702 mangiari 2025-06-04T23:29:34Z https://community.netapp.com/t5/ONTAP-Discussions/Auditing-Object-Open-for-Delete-and-Object-Access-Attempt/m-p/108913#M22703 <P>The first Event (ID 563) happens when a file is opened with FILE_DELETE_ON_CLOSE which is usually used for temporary files. Netapp will automatically delete that file when the last open file handle to it has been closed. Note that you (or rather a program) can also use that flag to force deletion of a file that is currently in use by another program (it still needs the delete-permission to the file itself of course, you cannot delete random files that way <img id="smileyvery-happy" class="emoticon emoticon-smileyvery-happy" src="https://community.netapp.com/i/smilies/16x16_smiley-very-happy.png" alt="Smiley Very Happy" title="Smiley Very Happy" /> )</P><P>See for example <A href="https://msdn.microsoft.com/en-us/library/ms849297.aspx?f=255&amp;MSPPError=-2147217396" target="_blank">here</A> or <A href="https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=563" target="_blank">here</A></P><P>&nbsp;</P><P>The second event was introduced with Windows Server 2003 (I think) and is thus not really a "non-standard" event. See <A href="https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=567" target="_blank">here</A> or <A href="https://support.microsoft.com/en-us/kb/325898" target="_blank">here</A> for a few details</P> Thu, 20 Aug 2015 12:39:18 GMT https://community.netapp.com/t5/ONTAP-Discussions/Auditing-Object-Open-for-Delete-and-Object-Access-Attempt/m-p/108913#M22703 Darkstar 2015-08-20T12:39:18Z https://community.netapp.com/t5/ONTAP-Discussions/Auditing-Object-Open-for-Delete-and-Object-Access-Attempt/m-p/109000#M22704 <P>First of all, thank you.</P><P>&nbsp;</P><P>Actually, eventID 563 seems to happens even when deleting normal files, not just temporarly. I've installed a netapp simultator and created some shares, and when I try to delete something are always triggered:</P><UL><LI>Object Open with DELETE access on &lt;filename&gt;</LI><LI>Handle closed</LI></UL><P>Then, if I press "I'm sure to delete" in explorer.exe:</P><UL><LI>Object Open with DELETE accesses on &lt;filename&gt;</LI><LI>Handle closed</LI><LI>Object Access Attempt with DELETE and DELETE_CHILD accesses, on &lt;filename&gt;.</LI></UL><P>Can I safely assume there isn't a delete until I found the last event? Online documentation does not state anything about...</P><P>I'm looking for something that avoids me the need of empirically find out "real" action. But again, i found no clear documentation at all.</P> Mon, 24 Aug 2015 07:10:02 GMT https://community.netapp.com/t5/ONTAP-Discussions/Auditing-Object-Open-for-Delete-and-Object-Access-Attempt/m-p/109000#M22704 mangiari 2015-08-24T07:10:02Z