Event 517

Posted on 2006-04-21
Last Modified: 2013-12-04
Hello, I received an Event 517 on an NT 4 BDC.  This event typically is supposed to appear when somebody clears the security log.  I am a little bit confused because in this case the primary user name is "System".  Is there something configured in the OS that could cause this log to get totally purged?  This is the first event I see in the event viewer:

Event Type:      Success Audit
Event Source:      Security
Event Category:      System Event
Event ID:      517
Date:            4/12/2006
Time:            11:26:13 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DEANS-BDC1
Description:
The audit log was cleared
       Primary User Name:      SYSTEM
       Primary Domain:      NT AUTHORITY
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      SYSTEM
       Client Domain:      NT AUTHORITY
       Client Logon ID:      (0x0,0x3E7)

Any help in finding out what might have caused this security log purge would be greatly appreciated.

Thanks,

Dan


Question by:dsulli2000
Expert Comment

by:rindi
ID: 16514526
If the eventlog is set to clear events older than a certain number of days, it would be the system account doing that...

Author Comment

by:dsulli2000
ID: 16519271
This cleared the ENTIRE log, and it wasn't set to clear after a certain number of days.  It was set to a max size, which should overwrite the oldest entries as the log size maxes out...
Accepted Solution

by: Sam Panwar
ID: 16521932
Hi-

Explanation
This event record indicates that the audit log has been cleared. This event is always recorded, regardless of the audit policy. It is recorded even if auditing is turned off. The audit log should be saved in a file before deleting. The practice of always saving copies of audit logs is good for catching fraudulent users. A fraudulent user with sufficient privileges can delete the audit log as a way of erasing evidence of tampering with the computer systems and files. Lack of a backed-up audit log will help trace an unauthorized user. Once deleted, an audit log is lost unless a copy was made and saved before deleting.

User Action
Always save copies of your audit logs before deleting them.

These are all normal events and are no cause for concern. It is a good idea to have a record of these events going back for a period of time. You can select the length of time and the maximum size (in KB) that the Security log is able to grow to by accessing the Properties of the Security event log.

Some related Knowledgebase articles are:

264769 Event ID 576 Fills the Security Event Log When Auditing
http://support.microsoft.com/?id=264769

822774 System Performance Decreases, and Many Event ID 576 Entries Are Logged
http://support.microsoft.com/?id=822774 
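
An added example, not code from this thread or from any of its posters: Python that parses Event Viewer text in the layout pasted in the question, picks out the Event ID 517 records, and reports the client account and whether the clear ran in the SYSTEM logon session (0x0,0x3E7). The function names are made up for this example, and the sample input is the record from the question.

```python
import re

SYSTEM_LUID = (0x0, 0x3E7)  # logon session ID of the local SYSTEM account
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")
# Sample input: the record from the question, as copied from Event Viewer.
SAMPLE = """Event Type:      Success Audit
Event Source:      Security
Event Category:      System Event
Event ID:      517
Date:            4/12/2006
Time:            11:26:13 PM
User:            NT AUTHORITY\\SYSTEM
Computer:      DEANS-BDC1
Description:
The audit log was cleared
       Primary User Name:      SYSTEM
       Primary Domain:      NT AUTHORITY
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      SYSTEM
       Client Domain:      NT AUTHORITY
       Client Logon ID:      (0x0,0x3E7)
"""

def parse_records(text):
    """Split copied Event Viewer text into one dict of fields per record."""
    records = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # blank lines and the free-text description line
        if m.group(1) == "Event Type" or not records:
            records.append({})  # an "Event Type" line opens each record
        records[-1][m.group(1)] = m.group(2)
    return records

def luid(value):
    """'(0x0,0x3E7)' -> (0, 999); None when the field is missing or malformed."""
    m = re.fullmatch(r"\((0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)", value or "")
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None

def log_clears(text):
    """(computer, date, time, client account, in SYSTEM session) per 517 record."""
    return [(r.get("Computer"), r.get("Date"), r.get("Time"),
             f'{r.get("Client Domain")}\\{r.get("Client User Name")}',
             luid(r.get("Client Logon ID")) == SYSTEM_LUID)
            for r in parse_records(text) if r.get("Event ID") == "517"]

if __name__ == "__main__":
    print(log_clears(SAMPLE))
```

A `True` in the last field means the record names no user logon session, which is the situation the question describes.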