[WINLOGBEAT] - Event: Delete folder or file

Hi, I'm a newbie user.
I'd like to know if it could be possible to register a deletion of a file/folder in Windows, and then register it with winlogbeat.
I've read the documentation about winlogbeat and I can't find something that goes down to the thing of file or folder deletion. What I have also read is this topic -> https://www.elastic.co/es/blog/monitoring-windows-logons-with-winlogbeat
which is kind of a "nice to show" but "not clearly documented".
Could you give me a grasp of understanding? Am I missing some obvious thing?
Thanks in advance


You need to enable auditing on your Windows file systems. Once auditing is enabled, you can use winlogbeat to collect audit events from the Security log.

Start here https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder
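
As an added example (not part of the original thread or the Elastic documentation), a `winlogbeat.yml` fragment that collects the file-system audit events from the Security log once auditing is enabled. The output host, the `ignore_older` window and the DELETE-only filter are assumptions to adjust for your environment.

```yaml
# winlogbeat.yml fragment (added example; values marked "assumption" are illustrative)
winlogbeat.event_logs:
  - name: Security
    # 4663: an attempt was made to access an object (carries ObjectName and AccessMask)
    # 4660: an object was deleted (confirms the delete, but carries no file name)
    event_id: 4660, 4663
    # Assumption: skip events older than three days on first start
    ignore_older: 72h

processors:
  # Assumption: only deletions are of interest. Event 4663 is logged for every
  # audited access type, so drop the ones whose AccessMask is not DELETE (0x10000).
  # Event 4660 has no AccessMask field and therefore passes through untouched.
  # If your SACL audits several rights, check the masks you actually see first.
  - drop_event:
      when:
        and:
          - has_fields: ['winlog.event_data.AccessMask']
          - not:
              equals:
                winlog.event_data.AccessMask: '0x10000'

# Assumption: a local, unauthenticated Elasticsearch used for testing only
output.elasticsearch:
  hosts: ['localhost:9200']
```

The deleted path is in `winlog.event_data.ObjectName` of the 4663 event; the matching 4660 event shares its `HandleId`, which is how the two are correlated.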

Thanks for your fast answer Kim,
And also for the information. But I've got trouble setting up the audit. What happens is that the Windows Security logs don't collect information about the folder I set to audit.
The steps I took:
1 - Apply a basic audit policy on a folder (set it to deletions, create files, folders, etc.)
2 - In the local policies of the server I want to audit, I set the System Access Control List properly.
And that's all I did.
Do I maybe need to restart the server for such a little change?
