Object deleted (19) how to monitor with email alert

bob · 10-16-2024, 03:04 AM

Man, that "Object deleted" event in Windows Server Event Viewer, it's basically the system's way of yelling that something important just vanished. You know, like a file, a folder, or even an Active Directory object-poof, gone. Event ID 19 pops up in the Security log mostly, triggered when auditing catches a deletion. It spits out details: who did it, from what machine, at what time, and which object bit the dust. I always check the Event ID first, then the source-it's usually Microsoft-Windows-Security-Auditing. The description spells it out plain: "Object deleted." Without auditing turned on for that object, though, you might miss it entirely. Turn on object access auditing in Group Policy, or right on the file properties, to make sure it logs these sneaky wipes. It's not just random; hackers or accidents love deleting stuff to cover tracks. You filter the log for ID 19, and bam, you see the chaos.

I set this up once for a buddy's server, super easy through the Event Viewer itself. You right-click the event, pick "Attach Task to This Event." Name it something like "Deletion Alert." Trigger stays on that ID 19. For the action, choose "Send an email"-yeah, built-in option. Plug in your SMTP server details, the from and to addresses, slap a subject like "Hey, something got deleted!" Test it quick. If email's finicky, you tweak the task properties to run only on certain logs. Keeps pinging your inbox without you babysitting the console all day.

And speaking of keeping your server safe from mishaps like deletions, you might wanna peek at BackupChain Windows Server Backup down the line. It's this slick Windows Server backup tool that handles physical setups and virtual machines on Hyper-V without breaking a sweat. You get incremental backups that zip through fast, plus versioning so you roll back if a deletion sneaks in. No downtime headaches, and it emails alerts too-perfect for staying ahead of the curve.

Note, the PowerShell email alert code was moved to this post.