Windows 2008 R2 file system auditing

When I delete a file, two audit messages appear in the event log: 4663, meaning a delete of the file was requested, and 4660, meaning the delete was confirmed. They can be linked together by the Handle ID attribute.

When I rename a file, two audit messages appear in the event log: 4663, meaning a delete of the file was requested, and 4663 for the creation of the new file (but with only the folder path, no file name).

When I move a file from one folder to another, I see the same picture as for a rename (since a move is really a rename, OK).

When I create a new file, no event appears at all.

So the questions are:
1. What am I missing for auditing file creation?
2. What am I missing for auditing file renames?

My AuditPol.EXE export (DACL and SACL):
Category/Subcategory                          Setting
System
  Security System Extension                   Failure
  System Integrity                            Failure
  IPsec Driver                                Failure
  Other System Events                         Failure
  Security State Change                       Failure
Logon/Logoff
  Logon                                       Success and Failure
  Logoff                                      Success and Failure
  Account Lockout                             Success and Failure
  IPsec Main Mode                             Success and Failure
  IPsec Quick Mode                            Success and Failure
  IPsec Extended Mode                         Success and Failure
  Special Logon                               Success and Failure
  Other Logon/Logoff Events                   Success and Failure
  Network Policy Server                       Success and Failure
Object Access
  File System                                 Success
  Registry                                    No Auditing
  Kernel Object                               No Auditing
  SAM                                         No Auditing
  Certification Services                      No Auditing
  Application Generated                       No Auditing
  Handle Manipulation                         No Auditing
  File Share                                  No Auditing
  Filtering Platform Packet Drop              No Auditing
  Filtering Platform Connection               No Auditing
  Other Object Access Events                  No Auditing
  Detailed File Share                         No Auditing
Privilege Use
  Sensitive Privilege Use                     Failure
  Non Sensitive Privilege Use                 Failure
  Other Privilege Use Events                  Failure
Detailed Tracking
  Process Termination                         Failure
  DPAPI Activity                              Failure
  RPC Events                                  Failure
  Process Creation                            Failure
Policy Change
  Audit Policy Change                         Failure
  Authentication Policy Change                Failure
  Authorization Policy Change                 Failure
  MPSSVC Rule-Level Policy Change             Failure
  Filtering Platform Policy Change            Failure
  Other Policy Change Events                  Failure
Account Management
  User Account Management                     Failure
  Computer Account Management                 Failure
  Security Group Management                   Failure
  Distribution Group Management               Failure
  Application Group Management                Failure
  Other Account Management Events             Failure
DS Access
  Directory Service Changes                   No Auditing
  Directory Service Replication               No Auditing
  Detailed Directory Service Replication      No Auditing
  Directory Service Access                    Success
Account Logon
  Kerberos Service Ticket Operations          Success and Failure
  Other Account Logon Events                  Success and Failure
  Kerberos Authentication Service             Success and Failure
  Credential Validation                       Success and Failure

Entry: 1
Resource Type: File
User: CONTOSO\Domain Users
Flags: Success
Accesses:
  FILE_WRITE_DATA
  FILE_APPEND_DATA
  FILE_DELETE_CHILD
  DELETE
The command was successfully executed.
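The post describes linking the 4663 "access requested" event to the 4660 "object deleted" event through the Handle ID. The script below is an added example, not part of the original post or any Microsoft tooling: it flattens Security log records into the few fields the join needs, pairs each 4663 that requested DELETE (access mask bit 0x10000) with the 4660 carrying the same handle, and separately reports DELETE requests that never got a 4660, which is the pattern the post observes for a rename. It assumes the EventData field names SubjectUserName, ObjectName, HandleId, AccessMask and ProcessName as they appear in the 4663/4660 event XML, and stays within PowerShell 2.0 syntax so it runs on a stock 2008 R2 host. The sample records at the bottom are constructed, not real log output.

```powershell
# Added example, not from the original post. Joins 4663 (access requested) with
# 4660 (object deleted) on HandleId and splits the DELETE requests into those
# confirmed by a 4660 and those that never were.
# Assumption: EventData field names SubjectUserName, ObjectName, HandleId,
# AccessMask, ProcessName, as found in the Security log XML for these events.

function ConvertFrom-SecurityEvent {
    # Flatten a Get-WinEvent record into the fields the join needs.
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Id          = $Event.Id
            TimeCreated = $Event.TimeCreated
            User        = $data['SubjectUserName']
            HandleId    = $data['HandleId']
            ObjectName  = $data['ObjectName']   # present on 4663 only
            AccessMask  = $data['AccessMask']   # present on 4663 only, e.g. "0x10000"
            ProcessName = $data['ProcessName']
        }
    }
}

function Join-DeleteEvents {
    param([Parameter(Mandatory=$true)] [object[]] $Events)
    $DELETE   = 0x10000   # standard access right DELETE in the access mask
    $requests = @{}       # HandleId -> the 4663 that requested DELETE on it
    foreach ($e in ($Events | Where-Object { $_.Id -eq 4663 })) {
        if ($e.AccessMask -and (([int]$e.AccessMask) -band $DELETE)) {
            $requests[$e.HandleId] = $e
        }
    }
    $confirmed = @()
    foreach ($e in ($Events | Where-Object { $_.Id -eq 4660 })) {
        if ($requests.ContainsKey($e.HandleId)) {
            $r = $requests[$e.HandleId]
            $confirmed += New-Object PSObject -Property @{
                ObjectName  = $r.ObjectName
                User        = $r.User
                ProcessName = $r.ProcessName
                Requested   = $r.TimeCreated
                Deleted     = $e.TimeCreated
            }
            $requests.Remove($e.HandleId)
        }
    }
    New-Object PSObject -Property @{
        Confirmed   = $confirmed             # 4663 DELETE followed by 4660 on the same handle
        Unconfirmed = @($requests.Values)    # 4663 DELETE with no 4660 (the rename pattern)
    }
}

# Constructed sample records (not real log output) in the flattened shape above:
# alice deletes report.docx (4663 + 4660), bob only gets a 4663 DELETE on old.txt.
$t = Get-Date
$sample = @(
    (New-Object PSObject -Property @{ Id=4663; TimeCreated=$t; User='alice'; HandleId='0x1a4';
        ObjectName='C:\Share\report.docx'; AccessMask='0x10000'; ProcessName='C:\Windows\explorer.exe' }),
    (New-Object PSObject -Property @{ Id=4660; TimeCreated=$t.AddSeconds(1); User='alice'; HandleId='0x1a4';
        ObjectName=$null; AccessMask=$null; ProcessName='C:\Windows\explorer.exe' }),
    (New-Object PSObject -Property @{ Id=4663; TimeCreated=$t.AddSeconds(5); User='bob'; HandleId='0x2b0';
        ObjectName='C:\Share\old.txt'; AccessMask='0x10000'; ProcessName='C:\Windows\explorer.exe' })
)
$result = Join-DeleteEvents -Events $sample
"Confirmed deletes:";   $result.Confirmed   | Format-Table ObjectName, User, Requested, Deleted -AutoSize
"Unconfirmed deletes:"; $result.Unconfirmed | Format-Table ObjectName, User, TimeCreated -AutoSize

# Against the live log (needs the File System audit subcategory and a SACL, as in the post):
# $live = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4663,4660 } | ConvertFrom-SecurityEvent
# Join-DeleteEvents -Events $live
```

With the sample data the Confirmed list holds report.docx and the Unconfirmed list holds old.txt. Keying on HandleId only works within one boot and one process lifetime, since handle values are reused, so on a busy server restrict the live query with a StartTime in the filter hashtable and keep the two events close in time.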