Security Event Logs being cleared by User=SYSTEM
Author: acuster (Newbie, joined 18 August 2006, posts: 2)
Posted: 07 November 2009 at 2:35am
OK, I am dumbfounded on this one.

Our Security event logs are being cleared. This is a serious violation of our ITRM policy for obvious reasons. The event log states USER=system. Clearing always occurs at the top of the hour. This behavior is indicative of a script or EXE. All the obvious have been checked: GPO and scheduled tasks. We have checked the other logs, and nothing occurs around the same time. The SA team is thinking it is an application proc doing this, but I need definitive proof of the root cause.

Are there any other logs, or auditing, that will show what proc, running under the system context, is clearing the security log? Or does anyone know of a free app that has more granular auditing?

I am hoping this community can help me before I open a case with MS.

Thanks in advance,
Aaron