Event 517

Posted on 2006-04-21
Last Modified: 2013-12-04
Hello, I received an Event 517 on an NT 4 BDC. This event typically is supposed to appear when somebody clears the security log. I am a little bit confused because in this case the primary user name is "System". Is there something configured in the OS that could cause this log to get totally purged? This is the first event I see in the event viewer:

Event Type:      Success Audit
Event Source:      Security
Event Category:      System Event
Event ID:      517
Date:            4/12/2006
Time:            11:26:13 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DEANS-BDC1
The audit log was cleared
       Primary User Name:      SYSTEM
       Primary Domain:      NT AUTHORITY
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      SYSTEM
       Client Domain:      NT AUTHORITY
       Client Logon ID:      (0x0,0x3E7)

Any help in finding out what might have caused this security log purge would be greatly appreciated.



Question by:dsulli2000
    LVL 87

    Expert Comment

    If the eventlog is set to clear events older than a certain number of days, it would be the system account doing that...

    Author Comment

    This cleared the ENTIRE log, and it wasn't set to clear after a certain number of days.  It was set to a max size, which should overwrite the oldest entries as the log size maxes out...
    LVL 18

    Accepted Solution


    This event record indicates that the audit log has been cleared. This event is always recorded, regardless of the audit policy. It is recorded even if auditing is turned off. The audit log should be saved in a file before deleting. The practice of always saving copies of audit logs is good for catching fraudulent users. A fraudulent user with sufficient privileges can delete the audit log as a way of erasing evidence of tampering with the computer systems and files. Lack of a backed-up audit log will help trace an unauthorized user. Once deleted, an audit log is lost unless a copy was made and saved before deleting.

    User Action
    Always save copies of your audit logs before deleting them.

    These are all normal events and are no cause for concern. It is a good idea to have a record of these events going back for a period of time. You can select the length of time and the maximum size (in KB) that the Security log is able to grow to by accessing the Properties of the Security event log.

    Some related Knowledgebase articles are:

    264769 Event ID 576 Fills the Security Event Log When Auditing

    822774 System Performance Decreases, and Many Event ID 576 Entries Are Logged
    LVL 18

    Expert Comment

    by:Sam Panwar
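
An added example, not part of the original thread or any poster's code: a Python triage script that parses Event Viewer text in the layout pasted in the question and reports, for each Event 517, which account and logon session cleared the log. The second and third sample records (host EXAMPLE-PDC, user jdoe and their values) are constructed; 0x3E7 is the well-known logon ID of the LocalSystem session.

```python
import re

SYSTEM_LOGON_ID = (0x0, 0x3E7)  # well-known LUID of the LocalSystem logon session
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*\S)\s*$")  # "Name:   value" lines
LUID = re.compile(r"\(0x([0-9A-Fa-f]+),0x([0-9A-Fa-f]+)\)")

# Constructed sample: first record mirrors the posted event (abridged), the rest are invented.
SAMPLE = """\
Event ID:      517
Date:            4/12/2006
Time:            11:26:13 PM
Computer:      DEANS-BDC1
The audit log was cleared
       Client User Name:      SYSTEM
       Client Domain:      NT AUTHORITY
       Client Logon ID:      (0x0,0x3E7)

Event ID:      517
Date:            4/13/2006
Time:            02:10:05 AM
Computer:      EXAMPLE-PDC
The audit log was cleared
       Client User Name:      jdoe
       Client Domain:      EXAMPLE
       Client Logon ID:      (0x0,0x1A2B3)

Event ID:      528
Computer:      EXAMPLE-PDC
"""

def parse_records(text):
    """One dict of 'Name: value' fields per blank-line-separated record."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [dict(m.groups() for m in map(FIELD.match, b.splitlines()) if m) for b in blocks]

def triage_log_clears(text):
    """Return (date, time, computer, account, session) for every Event 517."""
    findings = []
    for rec in parse_records(text):
        if rec.get("Event ID") != "517":
            continue  # only "audit log was cleared" records are of interest
        account = rec.get("Client Domain", "?") + "\\" + rec.get("Client User Name", "?")
        m = LUID.search(rec.get("Client Logon ID", ""))
        luid = tuple(int(g, 16) for g in m.groups()) if m else None
        session = {None: "unknown", SYSTEM_LOGON_ID: "system"}.get(luid, "non-system")
        findings.append((rec.get("Date"), rec.get("Time"), rec.get("Computer"), account, session))
    return findings

for finding in triage_log_clears(SAMPLE):
    print(finding)
```

A "system" result only says the clear ran inside the LocalSystem session, as in the posted event; which service or process did it has to come from other evidence on the host.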
