Scenario: The Administrator comes into the office one morning and everyone is in a panic.  Someone, either by accident or maliciously, deleted the folder containing a project that is to be presented to an important client later this afternoon.  Because of Morro's versioning feature, the folder can easily be restored, but no one is willing to admit they were at fault.  What can the Administrator do?

Let's say that the folder is named "deleteme", was in the "audit-test0" share, and was removed sometime in the last couple of days.

Step 1 - Go to the Events page in Morro Audit.


Step 2 - Enter the known information and create an event trace.

Since we know the folder was deleted in the last couple of days, we can set the Since and Until fields to cover this period of time.  As a shortcut, we can select Last 2 Days or Last 3 Days in the Period field.

We don't know who deleted it or from which gateway, so we can leave the default values in those fields.  The share containing the folder can be selected to reduce the amount of data that needs to be processed.

Once these settings are configured, we can see that there are 181 events that meet the criteria.  The event chart shows when these events occurred, with darker squares signifying a larger number of events in that period.

Click CREATE EVENT STREAM to create the event trace.

Step 3 - Create the event stream and final filter.

Now that the event trace has been created, we can create a final filter before seeing the results.

Since we're trying to find out who deleted the folder, we can unset all of the event types except "RMDIR".

There are three types of path filtering:

  1. Search by Path Prefix - Path starts with this value.
  2. Search by Path Suffix - Path ends with this value.
  3. Search by Path Containing - Path contains this value.

We know that the name of the folder is "deleteme", so we can add that to the "Search by Path Suffix" field.

The final settings can be seen in the screenshot below:

Step 4 - View the results.

Click SEARCH to see the results and enable fields as necessary to see the required information. 

Here we see that deleteme was deleted:

  • on 7/05/2023 at 10:15:09 UTC
  • by user admin
  • on gateway T600-new
  • from a client with IP address