Event Log

Posted on 2006-05-24
Medium Priority
Last Modified: 2010-04-11
One of our employees thinks that someone else has been accessing their computer. I am starting to agree with them now that I noticed that the Security Event log has been cleared out. Is there any way for me to see when this occurred? Or is there some form of auditing that I need to set up to catch it in the future?
Question by:MJoshua
LVL 53

Expert Comment

by:Will Szymkowski
ID: 16752574
Hello there,

As for restoring the log, this is not possible. What you might want to do is a system restore and see if that helps.


Author Comment

ID: 16752890
System Restore is off, and I do not think that a system restore would bring back the eventlog. It would only restore the system state (drivers/settings).

I am not looking to restore the Security Event Log (that would be REALLY nice though). I just want to see when it happened or by whom. Where else would there be a record?

(Sorry if I did not make it clear in my original post.)

LVL 38

Accepted Solution

younghv earned 600 total points
ID: 16756329
PsLogList will let you track all Event Viewer logs (saving to any location you like).
Try it for free: http://www.sysinternals.com/Utilities/PsLogList.html

LVL 32

Expert Comment

ID: 16758035
"Where else would there be a record?"

Do a search for all files created/modified during a certain time period. That may give you a clue.
LVL 24

Assisted Solution

SunBow earned 600 total points
ID: 16765787
Given that my log is continually being updated,

>  I just want to see when it happened

It happened right before the new records were placed in the log. Check the timestamps of events.

Possibly the logfile was full. Review setting for handling space for messages, and for what to do when it gets full.
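
The two checks suggested in the post above (the timestamp of the earliest surviving record, and how the log is configured to behave when it fills up), combined into one report. This is an added example, not part of the original thread. It assumes Windows Vista / Server 2008 or later, where clearing the Security log writes event ID 1102 ("The audit log was cleared") as the first record of the new log, and an elevated PowerShell session; the function name `Get-SecurityLogClearInfo` is hypothetical.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
function Get-SecurityLogClearInfo {
    [CmdletBinding()]
    param()

    # Log configuration: size limit and what happens when the log is full
    # (Circular = overwrite oldest, Retain = stop logging, AutoBackup = archive).
    $cfg = Get-WinEvent -ListLog 'Security'

    # Oldest surviving record: nothing earlier than this is left in the log.
    $oldest = Get-WinEvent -LogName 'Security' -Oldest -MaxEvents 1 `
                  -ErrorAction SilentlyContinue

    # Event 1102 records the time of a clear and the account that performed it.
    # "No events found" is a non-terminating error, so it is silenced here.
    $clears = @(
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } `
            -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
            [pscustomobject]@{
                TimeCleared = $_.TimeCreated
                Account     = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                LogonId     = $d.SubjectLogonId
            }
        }
    )

    # If no clear event exists, a short log is more likely explained by the
    # size limit and retention mode than by someone clearing it.
    $finding = if ($clears.Count -gt 0) {
        'Log was cleared; see ClearEvents for time and account.'
    } elseif ($cfg.LogMode -eq 'Circular') {
        'No clear event found; old records may have been overwritten when the log filled.'
    } else {
        'No clear event found; review retention settings and log size.'
    }

    [pscustomobject]@{
        LogMode         = $cfg.LogMode
        MaxSizeMB       = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
        CurrentSizeMB   = [math]::Round($cfg.FileSize / 1MB, 1)
        RecordCount     = $cfg.RecordCount
        OldestRecordAt  = if ($oldest) { $oldest.TimeCreated } else { $null }
        ClearEvents     = $clears
        Finding         = $finding
    }
}

Get-SecurityLogClearInfo | Format-List
```
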
LVL 38

Expert Comment

ID: 16765865
"Full log files" is a really good reason for having them re-directed to a different location.
No size restrictions and you can do some quick Perl scripting (or text searching) to find any particulars you are looking for.
We quit relying on the 'default' logs years ago and have been grateful ever since.

Assisted Solution

BennyM82 earned 600 total points
ID: 16774680
Install Sygate Firewall on the client computer being connected to.
By default it does not allow incoming network share connection attempts.
You can then review the logs for any attempts (rather than trying to work out what happened after the damage is done)

I hope this helps.

Question has a verified solution.