2

We had a file folder moved in our system last night, causing a ripple effect throughout our network, changing file paths and basically messing up our documents.

We are doing an audit on the server logs to look for the time and user that moved the file. What is the event ID for moving a file, if any? Or what would be the easiest way to look through thousands of event logs to find the event. File and folder auditing are in place.

Ben Pilbrow
  • 12,041
  • 5
  • 36
  • 57
Kernel Panic
  • 291
  • 2
  • 8
  • 19
  • 5
    Do you have file and folder auditing enabled and audit settings in place? If not, there won't be any trail to follow. – joeqwerty Mar 18 '11 at 17:38
  • I think I found my answer. Event ID 564 is generated when an object is deleted, which is what happens when a file is moved from one location to another. However it does not identify said item. ID 560 lists item access, so, I think, I need to look for both events and find the one with the same time stamp. Of course, I could be way off on that. – Kernel Panic Mar 18 '11 at 18:37

0 Answers0