Network and Storage Protocols

SMB file audit delete events

SANDSTURM77
3,069 Views

Hi

 

I have a question concerning SMB file audit delete events. We see two different types of events:

 

EVENT_ID: 4659  "Open Object with the intent to delete"

EVENT_ID: 4660  "Delete Object"

 

When we delete a file, event 4659 is always generated, but 4660 not in every case. 4660 is created when deleting MS-Office .tmp files for example.

 

We must to make sure to catch the correct event for the case: "user deletes a file" every time this happens. Can anyone tell my, how to do this?

 

thx and regards

sandsturm

2 REPLIES 2

Gabriel_Boluda
830 Views

I also have been doing some research on why that was happening and I found this question without answer. If it had an answer I may have solved this sooner so let me contribute to the outcome I got with the help of some colleagues.

 

For a generic answer, I think this Knowledge Base document is helpful:

https://kb.netapp.com/Cloud/Amazon_FSX/How_to_track_delete_operations_using_Windows_Events_with_Amazon_FSx

 

Then, there may be specific needs or scenarios where this answer alone may not be enough to understand.

Depending on the protocol and the application use of the protocol, some files may be open with a delete-on-close option (for example MS Office lock files):

In such cases we may see a 4659 at the open time of the file but no event gets registered when the file is actually deleted at close. That's independent from the storage and depends on the application usage of the protocol.

liu
67 Views

No workaround is available, but this is explained in kb  CONTAP-84154: Different Windows Event IDs for SMB file deletion - NetApp Knowledge Base

Public