Event Message:
The audit log was cleared
Primary User Name: user name
Primary Domain: name
Primary Logon ID: parameter
Client User Name: user name
Client Domain: name
Client Logon ID: parameter

| Source | Event Log | Event ID | Event Type |
|---|---|---|---|
| Security | Security | 517 | Success Audit |

Explanation:
This event record indicates that the audit log has been cleared. This event is always recorded, regardless of the audit policy. It is recorded even if auditing is turned off. The audit log should be saved to a file before it is deleted. Always saving copies of audit logs is good practice for catching fraudulent users. A fraudulent user with sufficient privileges may delete the audit log to erase evidence of tampering with the computer systems and files. A backed-up audit log will help trace an unauthorized user. Once deleted, an audit log is lost unless a copy was made and saved beforehand.
User Action:
Always save copies of your audit logs before deleting them.
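
The following Python code scans exported event records for Security event 517 and pulls out the Primary and Client account fields listed in the Event Message above, so each log clear can be tied to an account. It is an added example, not code from this page; the record layout (dicts with `time`, `source`, `event_id`, `message`) and all sample values are constructed assumptions.

```python
import re

# Field labels as they appear in the Event Message on this page.
LABELS = ["Primary User Name", "Primary Domain", "Primary Logon ID",
          "Client User Name", "Client Domain", "Client Logon ID"]
LABEL_RE = re.compile("(" + "|".join(map(re.escape, LABELS)) + r")\s*:")

def parse_517_message(message):
    """Return {label: value} for an event 517 description, else None."""
    if "The audit log was cleared" not in message:
        return None
    # Split on the known labels, so fields may be on one line or many.
    parts = LABEL_RE.split(message)  # [preamble, label, value, label, value, ...]
    return {label: value.strip() for label, value in zip(parts[1::2], parts[2::2])}

def account(fields, role):
    """Join domain and user for role 'Primary' or 'Client'; '?' if missing."""
    return fields.get(role + " Domain", "?") + "\\" + fields.get(role + " User Name", "?")

def find_log_clears(events):
    """Report who cleared the audit log for every Security/517 record."""
    findings = []
    for ev in events:
        if ev.get("source") != "Security" or ev.get("event_id") != 517:
            continue
        fields = parse_517_message(ev.get("message", ""))
        if fields is not None:
            findings.append({"time": ev.get("time"),
                             "primary": account(fields, "Primary"),
                             "client": account(fields, "Client"),
                             "client_logon_id": fields.get("Client Logon ID", "?")})
    return findings

# Constructed sample records (hypothetical export format and values).
SAMPLE_EVENTS = [
    {"time": "2004-03-01T02:14:07", "source": "Security", "event_id": 517,
     "message": "The audit log was cleared Primary User Name: SYSTEM "
                "Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E7) "
                "Client User Name: jdoe Client Domain: EXAMPLE "
                "Client Logon ID: (0x0,0x1A2B3)"},
    {"time": "2004-03-01T02:20:00", "source": "Security", "event_id": 999,
     "message": "Constructed unrelated record"},
    {"time": "2004-03-02T23:59:10", "source": "Security", "event_id": 517,
     "message": "The audit log was cleared\n\tPrimary User Name:\tSYSTEM\n"
                "\tPrimary Domain:\tNT AUTHORITY\n\tClient User Name:\tasmith\n"
                "\tClient Domain:\tEXAMPLE\n"},
]

if __name__ == "__main__":
    for finding in find_log_clears(SAMPLE_EVENTS):
        print(finding)
```

Because event 517 is written even when auditing is turned off, any finding that does not line up with a saved copy of the log made just before it is worth reviewing.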