Hi
I have a question concerning SMB file audit delete events. We see two different types of events:
EVENT_ID: 4659 "Open Object with the intent to delete"
EVENT_ID: 4660 "Delete Object"
When we delete a file, event 4659 is always generated, but 4660 is not generated in every case. 4660 is created when deleting MS-Office .tmp files, for example.
We must make sure to catch the correct event for the case "user deletes a file" every time this happens. Can anyone tell me how to do this?
thx and regards
sandsturm
2 REPLIES 2
I have also been doing some research on why that was happening, and I found this question without an answer. If it had had an answer I might have solved this sooner, so let me contribute the outcome I got with the help of some colleagues.
For a generic answer, I think this Knowledge Base document is helpful:
Then, there may be specific needs or scenarios where this answer alone may not be enough to understand.
Depending on the protocol and the application's use of the protocol, some files may be opened with a delete-on-close option (for example MS Office lock files):
In such cases we may see a 4659 at the open time of the file, but no event gets registered when the file is actually deleted at close. That's independent of the storage and depends on the application's usage of the protocol.
No workaround is available, but this is explained in KB CONTAP-84154: Different Windows Event IDs for SMB file deletion - NetApp Knowledge Base
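A log-side way to triage the two event IDs discussed in this thread, as an added example that is not from any poster or from NetApp: every 4659 is reported as a delete finding, and it is upgraded to confirmed only when a later 4660 carries the same user and handle. The record layout (`time`, `event_id`, `user`, `handle`, `object`), the correlation on handle ID, and the sample records are assumptions constructed for illustration; map them to whatever your audit log parser emits.

```python
# Constructed sample records, not real audit output. Field names are assumed.
SAMPLE_EVENTS = [
    {"time": 1, "event_id": 4659, "user": "CORP\\alice", "handle": "0x1a4",
     "object": "/vol1/share/~WRD0001.tmp"},
    {"time": 2, "event_id": 4660, "user": "CORP\\alice", "handle": "0x1a4",
     "object": None},
    {"time": 3, "event_id": 4659, "user": "CORP\\bob", "handle": "0x2b0",
     "object": "/vol1/share/~$budget.xlsx"},   # delete-on-close: no 4660 follows
    {"time": 4, "event_id": 4660, "user": "CORP\\carol", "handle": "0x9ff",
     "object": None},                           # 4660 with no matching 4659
]

OPEN_WITH_DELETE_INTENT = 4659
DELETE_OBJECT = 4660


def classify_deletes(events):
    """Return (findings, orphans).

    findings: one entry per 4659, status 'confirmed' if a later 4660 with the
              same (user, handle) was seen, otherwise 'intent_only'.
    orphans:  4660 records that matched no outstanding 4659.
    """
    pending = {}    # (user, handle) -> finding still waiting for a 4660
    findings, orphans = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["handle"])
        if ev["event_id"] == OPEN_WITH_DELETE_INTENT:
            # The object name is taken from the 4659 record. A reused handle
            # replaces the pending entry; the older finding stays intent_only.
            finding = {"time": ev["time"], "user": ev["user"],
                       "object": ev["object"], "status": "intent_only"}
            pending[key] = finding
            findings.append(finding)
        elif ev["event_id"] == DELETE_OBJECT:
            finding = pending.pop(key, None)
            if finding is not None:
                finding["status"] = "confirmed"
            else:
                orphans.append(ev)
    return findings, orphans


if __name__ == "__main__":
    found, unmatched = classify_deletes(SAMPLE_EVENTS)
    for f in found:
        print(f["time"], f["user"], f["object"], f["status"])
    print("unmatched 4660 records:", len(unmatched))
```

An `intent_only` finding records that the file was opened for deletion, so it should be reviewed as a probable delete rather than counted as a proven one.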
