Event 517

Hello, I received an Event 517 on an NT 4 BDC.  This event typically is supposed to appear when somebody clears the security log.  I am a little bit confused because in this case the primary user name is "System".  Is there something configured in the OS that could cause this log to get totally purged?  This is the first event I see in the event viewer:

Event Type:      Success Audit
Event Source:      Security
Event Category:      System Event
Event ID:      517
Date:            4/12/2006
Time:            11:26:13 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DEANS-BDC1
The audit log was cleared
       Primary User Name:      SYSTEM
       Primary Domain:      NT AUTHORITY
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      SYSTEM
       Client Domain:      NT AUTHORITY
       Client Logon ID:      (0x0,0x3E7)

Any help in finding out what might have caused this security log purge would be greatly appreciated.




If the eventlog is set to clear events older than a certain number of days, it would be the system account doing that...
dsulli2000 (Author) Commented:
This cleared the ENTIRE log, and it wasn't set to clear after a certain number of days.  It was set to a max size, which should overwrite the oldest entries as the log size maxes out...
Sam Panwar, Sr. Server Administrator, Commented:

This event record indicates that the audit log has been cleared. This event is always recorded, regardless of the audit policy. It is recorded even if auditing is turned off. The audit log should be saved in a file before deleting. The practice of always saving copies of audit logs is good for catching fraudulent users. A fraudulent user with sufficient privileges can delete the audit log as a way of erasing evidence of tampering with the computer systems and files. Lack of a backed-up audit log will help trace an unauthorized user. Once deleted, an audit log is lost unless a copy was made and saved before deleting.

User Action
Always save copies of your audit logs before deleting them.

These are all normal events and are no cause for concern. It is a good idea to have a record of these events going back for a period of time. You can select the length of time and the maximum size (in KB) that the Security log is able to grow to by accessing the Properties of the Security event log.

Some related Knowledgebase articles are:

264769 Event ID 576 Fills the Security Event Log When Auditing

822774 System Performance Decreases, and Many Event ID 576 Entries Are Logged
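
An added example, not part of the thread or any poster's code: a small Python check that reads a Security log export in the Event Viewer text layout shown in the question, reports every Event 517, and records whether the clear ran in the LocalSystem logon session and whether it is the oldest surviving record. The second sample record and the account `EXAMPLE\jdoe` are constructed for illustration.

```python
import re
from datetime import datetime
# Constructed sample: first record copied from the question, second invented.
SAMPLE = """\
Event Type:      Success Audit
Event Source:      Security
Event Category:      System Event
Event ID:      517
Date:            4/12/2006
Time:            11:26:13 PM
User:            NT AUTHORITY\\SYSTEM
Computer:      DEANS-BDC1
The audit log was cleared
       Primary User Name:      SYSTEM
       Primary Domain:      NT AUTHORITY
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      SYSTEM
       Client Domain:      NT AUTHORITY
       Client Logon ID:      (0x0,0x3E7)

Event Type:      Success Audit
Event ID:      528
Date:            4/12/2006
Time:            11:31:02 PM
User:            EXAMPLE\\jdoe
Computer:      DEANS-BDC1
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*\S)\s*$")  # "Name:   value" lines
SYSTEM_LOGON_ID = "(0x0,0x3E7)"  # well-known logon session of LocalSystem

def parse_records(text):
    """Split an export on blank lines; return one dict of fields per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(m.groups() for m in map(FIELD.match, block.splitlines()) if m)
        rec["When"] = datetime.strptime(f'{rec["Date"]} {rec["Time"]}', "%m/%d/%Y %I:%M:%S %p")
        records.append(rec)
    return records

def find_log_clears(records):
    """Return one finding per Event 517 (audit log cleared)."""
    oldest = min(r["When"] for r in records)
    return [{
        "when": r["When"],
        "client": r["Client Domain"] + "\\" + r["Client User Name"],
        "cleared_as_system": r["Client Logon ID"].upper() == SYSTEM_LOGON_ID.upper(),
        "oldest_record": r["When"] == oldest,  # nothing earlier survived the clear
    } for r in records if r["Event ID"] == "517"]
```

When `cleared_as_system` is true the record names no individual account, which is the situation the question describes.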
