Windows event logs provide information about system events that occur within the Windows operating system. These events include information, warnings, and error messages about Windows components and installed applications. You typically use Event Viewer to view Windows Server event logs.
To support users, it is important to know how to access event information quickly and efficiently, and to know how to interpret the data in the event log.
Clearing Event Logs
There’s generally no real reason for a user to clear the event logs as the operating system takes care of any required housekeeping. But if an event log is cleared, it could suggest that malicious activity has occurred, and a user is trying to cover their tracks. Therefore, it is important to have visibility over any event log clear activity and to be able to track when and who cleared the event log. Once this information is gathered, it should be a straightforward process to investigate why it was necessary to delete the log.
How to Track Event Log Clear Events
When the event log is cleared, a Log Clear event is written as the first entry of the newly emptied log. It contains the username of the user who cleared it, so there is always a record of who cleared the log.
The Event Log clear event is Event ID 1102, and an example of its Properties is shown in the screenshot below:
- To view the Event Properties, open Event Viewer and filter the Security log (under Windows Logs) for:
- Event sources: Microsoft Windows security auditing
- Event ID 1102
- Task Category: Log clear
- The Account Name and Security ID in the event details show who cleared the log, and the Logged timestamp shows when.
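The same lookup can be scripted instead of clicking through Event Viewer filters. The following PowerShell is an added example, not Lepide's code or Microsoft's. It pulls Event ID 1102 from the Security log (source Microsoft-Windows-Security-Auditing, as filtered above) and, as a known companion event, Event ID 104 from the System log (source Microsoft-Windows-Eventlog, written when the System or Application log is cleared), then reads the acting account out of each event's XML. The function name, parameter names and the 30-day default are assumptions; it must be run from an elevated prompt, since reading the Security log requires administrator rights or Event Log Readers membership.

```powershell
# Added example: report who cleared which Windows event log and when.
# Assumed: function/parameter names are illustrative; defaults to the local machine.
function Get-LogClearEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # assumption: local host by default
        [int]$Days = 30                              # assumption: look back 30 days
    )

    $since = (Get-Date).AddDays(-$Days)

    # 1102 "The audit log was cleared"  -> Security log, Microsoft-Windows-Security-Auditing
    # 104  "The <X> log file was cleared" -> System log, Microsoft-Windows-Eventlog
    $filters = @(
        @{ LogName = 'Security'; ProviderName = 'Microsoft-Windows-Security-Auditing'; Id = 1102; StartTime = $since },
        @{ LogName = 'System';   ProviderName = 'Microsoft-Windows-Eventlog';          Id = 104;  StartTime = $since }
    )

    foreach ($filter in $filters) {
        # -ErrorAction SilentlyContinue: Get-WinEvent raises an error when no events match.
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Both events carry their details under <UserData><LogFileCleared>.
                $xml  = [xml]$_.ToXml()
                $data = $xml.Event.UserData.LogFileCleared

                # 1102 is always about the Security log; 104 names the cleared log in <Channel>.
                $clearedLog = if ($_.Id -eq 1102) { 'Security' } else { $data.Channel }

                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Computer    = $_.MachineName
                    EventId     = $_.Id
                    LogCleared  = $clearedLog
                    Account     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    SecurityId  = $data.SubjectUserSid    # populated on 1102; empty on 104
                    LogonId     = $data.SubjectLogonId    # correlate with logon event 4624 if needed
                }
            }
    }
}

# Usage: newest clear events first.
Get-LogClearEvents -Days 30 | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Because a clear event is the first record in the new log, a long gap between the oldest surviving entry and the 1102/104 timestamp is itself worth noting. Forwarding these events to a central collector (Windows Event Forwarding or a SIEM) keeps the record even if the local log is cleared again later.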
How Lepide Can Help
The process of opening Event Viewer and knowing which Event ID relates to the Event Log Clear action can be both complex and time consuming. A simpler, more straightforward approach is to run the Event Log Clear Report from the Lepide Data Security Platform:
This report clearly shows information about Who cleared the log, When it was cleared and Where it was cleared from.
To run the report:
- From the States & Behavior screen under the Active Directory domain, choose the Event Log Clear Report
- Specify a Date Range and click Generate Report