Unsolved
This post is more than 5 years old
1 Message
0
2572
Deleted File
Hey guys, hoping you can help me out. How can I track who deleted a particular folder/file on X day or during Y date range? Some F*$%er deleted a file that my boss desperately needs. How can I track this information on my Isilon without breaking the bank? I cannot let this happen again.
Stdekart
104 Posts
1
April 6th, 2016 07:00
smigelhardtime,
I'm going to assume this was done either via SMB or NFS.
By default we do not have auditing enabled, so unless this was turned on prior to the event there will be no way to track this down, with the default logging on the cluster.
If auditing was enabled you can use isi_audit_veiwer command with some flags to get the logging around the time frame you are looking for.
If Snapshots, or SyncIQ was enabled for that path, you can recover the file.
Anonymous User
170 Posts
2
April 6th, 2016 14:00
> I cannot let this happen again.
That's what ACLs and protection masks on files are for. If the file must not be deleted, set the protections so it can't be. Even telling you who deleted it won't get the file back if it's not readily accessible on your backups.
For Windows shares where an entire folder is deleted, I've found that in the majority of cases somebody dragged and dropped the darn thing someplace else. Look around and see if it got moved. It may have been accidental and the user may not have even realized it.
Stdekart
104 Posts
0
April 6th, 2016 14:00
ed.wilts
Agreed, more often then not the customer finds the file was just moved, usually by accident. (via drag and drop)
dynamox
2 Intern
2 Intern
•
20.4K Posts
0
April 6th, 2016 17:00
enabling audting without an external application that will aggregate that data (Varonis for example) is a waste of disk space and CPU cycles. Those logs roll over so fast that good luck going through the files in /ifs/.ifsvar/audit