
If you combine the object auditing capabilities of the operating system with EventSentry's event log monitoring, you can be notified whenever a file is deleted from a directory.

 

In the following example we will configure Windows and EventSentry to notify us when a file is deleted from the C:\Documents folder.

 

1. Enable Object Auditing

Before we can enable auditing on a folder, we need to enable "Audit object access" in the group policy of your domain or server. You can find this audit setting in the "Security Settings - Advanced Audit Policy Configuration - System Audit Policies - Object Access" container. Make sure that at least "Success" is selected:

 

[Screenshot: security_policy]

 

2. Auditing a folder on Windows

After object access auditing has been enabled, you need to configure auditing in the file system. Using Windows Explorer, navigate to the folder you want to audit (C:\Documents in our case), right-click the folder and select "Properties".

 

On the "Security" tab, click the "Advanced" button to open the "Advanced Security Settings" for the folder. There, click the "Auditing" tab and select "Add". Now specify the account you would like to audit (we recommend "Everyone") and select the types of access shown in the screenshot below:

 

[Screenshot: folder_auditing]

 

After dismissing all the open dialogs with OK, auditing is enabled for the selected folder and EventSentry is ready to forward the resulting events.

 

3. Creating an Include Filter

Now that the OS will log access to the C:\Documents directory, we can add a filter that forwards Audit Success events to a notification based on the properties of the event and the details of the event message. The screenshot below shows how to set up the filter text for this particular event, 4659:

 

[Screenshot: eventlog_filter_file-access]

 

 

To be notified when a file is changed rather than deleted, adapt the filter so that it matches the screenshot below:

 

[Screenshot: eventlog_filter_file-access_2]
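The same Windows-side configuration (steps 1 and 2) can be applied from an elevated PowerShell session, and the Security log can be queried for the 4659 events that the include filter in step 3 is meant to forward. This is an added example, not code from the EventSentry documentation or product. The local auditpol subcategory "File System" is used as the per-machine equivalent of the group policy setting described above; the audited identity follows the "Everyone" recommendation, while the audited rights (Delete and DeleteSubdirectoriesAndFiles) are an assumption, since the screenshot listing the exact access types is not reproduced here.

```powershell
# Added example, not EventSentry's own code. Run in an elevated PowerShell session
# (Get-Acl -Audit and Set-Acl on a SACL both require the security privilege).

# Step 1: enable success auditing for the Object Access / File System subcategory.
auditpol /set /subcategory:"File System" /success:enable | Out-Null
auditpol /get /subcategory:"File System"

# Step 2: add a SACL entry on the audited folder. "Everyone" follows the
# recommendation above; the rights below are an assumption (see lead-in).
$folder = 'C:\Documents'
$acl    = Get-Acl -Path $folder -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify that the audit entry was written.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# Step 3 check: list recent 4659 events ("handle requested with intent to delete")
# for this folder, i.e. the events the EventSentry include filter should match.
# The EventData fields are read from the event XML so the object path is exact
# rather than being matched loosely inside the rendered message text.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4659 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object  = $d.ObjectName
            Process = $d.ProcessId
        }
    } |
    Where-Object { $_.Object -like "$folder\*" } |
    Format-Table -AutoSize
```

Deleting a test file in C:\Documents after running the first two steps should produce a row in the final table; if nothing appears, check the auditpol output first (the subcategory must report "Success"), then the SACL entry, before looking at the EventSentry filter.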