Users sometimes do things they're not supposed to do, and others may not notice until days or even weeks later.  One example that we've seen often is that users may rename or move a folder by accident.  When another user needs to access this folder, they find it has "disappeared" and they cannot access the files they need.


Morro Audit can be used to find these moved or renamed folders.  Here is a simple step-by-step example:


  1. We need to access a file in the folder "findme1" located in the dltest0 share which was mapped as drive w:.  When we go to the w drive, however, the folder is nowhere to be found.


  2. To find our missing folder, we go to the Morro Audit app and go to the Event screen.


  3. We suspect that someone moved the folder within the last 10 days, so we select a 10 day event period.  We could also choose another period with a maximum length of 30 days starting at any time in the past.  The w: drive is mapped to share dltest0, so we select that share in the "Events by Share" dropdown.


  4. Once we are done selecting options, we click Create Event Stream.  This searches the Audit records for items matching our criteria and gives us a summary of what was found.


  5. Since we are looking only for a folder move, we can uncheck all filters except for "Includes Write Data".  Clicking Show Details will then show us the records that match our criteria.


  6. From the above screenshot, we see that findme1 is now at target/findme1.  If we enable the User field, we can see which user made the change.  Going back to File Explorer, we can see that the findme1 folder is indeed located in the target folder.