• Status: Solved
  • Priority: Medium
  • Security: Public

Event Log

One of our employees thinks that someone else has been accessing their computer. I am starting to agree with them now that I noticed that the Security Event log has been cleared out. Is there any way for me to see when this occurred? Or is there some form of auditing that I need to set up to catch it in the future?
3 Solutions
Will Szymkowski, Senior Solution Architect, Commented:
Hello there,

As for restoring the log, this is not possible. What you might want to do is a system restore and see if that helps.

MJoshua (Author) Commented:
System Restore is off, and I do not think that a system restore would bring back the eventlog. It would only restore the system state (drivers/settings).

I am not looking to restore the Security Event Log (that would be REALLY nice though). I just want to see when it happened or by whom. Where else would there be a record?

(Sorry if I did not make it clear in my original post.)

PsLogList will let you track all Event Viewer logs (saving to any location you like).
Try it for free: http://www.sysinternals.com/Utilities/PsLogList.html

"Where else would there be a record?"

Do a search for all files created/modified during a certain time period. That may give you a clue.
Given that my log is continually being updated,

>  I just want to see when it happened

It happened right before the new records were placed in the log. Check the timestamps of events.

Possibly the logfile was full. Review the settings for handling space for messages, and for what to do when it gets full.
"Full log files" is a really good reason for having them re-directed to a different location.
No size restrictions and you can do some quick Perl scripting (or text searching) to find any particulars you are looking for.
We quit relying on the 'default' logs years ago and have been grateful ever since.
Install Sygate Firewall on the client computer being connected to.
By default it does not allow incoming network share connection attempts.
You can then review the logs for any attempts (rather than trying to work out what happened after the damage is done)

I hope this helps.
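
Added example, not part of the original thread: a sketch of the timestamp check suggested above, run over an exported copy of the Security log. Windows writes event ID 517 (2000/XP/Server 2003) or 1102 (Vista and later) to the Security log when it is cleared, with the account that cleared it; the CSV column names, host name, accounts and sample rows below are constructed assumptions, not the output format of any particular tool.

```python
import csv
import io
from datetime import datetime

# Event IDs written to the Security log when it is cleared:
# 517 on Windows 2000/XP/Server 2003, 1102 on Vista and later.
CLEAR_IDS = {517, 1102}

# Constructed sample export (assumed columns: time, event_id, user, message).
SAMPLE_CSV = """time,event_id,user,message
2006-03-14 08:02:11,517,WORKSTATION7\\tempadmin,The audit log was cleared
2006-03-14 08:02:40,538,WORKSTATION7\\tempadmin,User Logoff
2006-03-14 09:15:03,528,WORKSTATION7\\jdoe,Successful Logon
"""

def load_events(text):
    """Parse the exported rows and return them oldest first."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(r["event_id"]),
            "user": r["user"],
            "message": r["message"],
        })
    return sorted(rows, key=lambda e: e["time"])

def assess_log(events):
    """Report whether the log was cleared, and when and by whom if it was."""
    if not events:
        return {"verdict": "empty", "when": None, "who": None}
    clears = [e for e in events if e["event_id"] in CLEAR_IDS]
    if clears:
        last = clears[-1]  # most recent clear; earlier history is gone
        return {"verdict": "cleared", "when": last["time"], "who": last["user"]}
    # No clear record: the oldest surviving entry only marks where history
    # starts. Older entries may have been overwritten because the log was full.
    return {"verdict": "no-clear-record", "when": events[0]["time"], "who": None}

if __name__ == "__main__":
    print(assess_log(load_events(SAMPLE_CSV)))
```

A "no-clear-record" verdict fits the full-log explanation raised in the thread rather than a deliberate clear, so check the log's size and overwrite settings before drawing conclusions.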