Why would an employee export the security event log?
Posted on 2015-01-20
Long story, but an employee left today and they were mucking around on their computer before they left (mid working shift). We could see via their email log that they exported their Security Event log just before they left the office. They apparently erased their Internet history.
I don't know why someone would be interested in the security log. They didn't wipe it from their computer either so we were able to go in and just look at it.
Now I don't use the security log really at all (so I don't know much about reading it), but it seems there are events in there (such as the one below) that mention other users who have NEVER logged on to that PC.
Special privileges assigned to new logon.
Security ID: S-1-5-21-21086547-2992122978-1601556566-1173
Account Name: Other.User
Account Domain: DOMAIN
Logon ID: 0x1DC7139
The other bizarre thing is that the user is able to right-click the Event Viewer and 'connect to another computer'. It successfully connects to the SBS box and the SBS logs can be read. Is that normal? I've confirmed that the user is not a part of any domain administrators group.
Any clarification on this would be great.