Security Event Logs being cleared by User=SYSTEM

net helpmsg 4006

OK, I am dumbfounded on this one.  
Our Security event logs are being cleared.  This is a serious violation of 
out ITRM policy for obvious reasons.  The event log states USER=system.  
Clearing always occurs  at the top of the hour.  This behavior is indicative 
of a script or EXE.  All the obvious have been checked; GPO and scheduled 
tasks.  We have checked the other logs, and nothing occurs around the same 
time. The SA team is thinking it is an application proc doing this, but I 
need definitive proof of the root cause.
Is there any other logs, or auditing that will show what proc, running under 
the system context, is clearing the security log?  Or does anyone know of a 
free app that has more granular auditing. 
I am hoping this community can help me before I open a case with MS

Thanks In Advance
Aaron
Aaron

Author	Message Share Topic Printable Version Delicious Digg Facebook Furl Google MySpace Newsvine reddit StumbleUpon Translate Twitter Windows Live Yahoo Bookmarks Topic Search Topic Options Post Reply Create New Topic
molotov Members Profile Send Private Message Find Members Posts Visit Members Homepage Add to Buddy List Moderator Group Joined: 04 October 2006 Online Status: Offline Posts: 17492	Post Options Post Reply Quote molotov Report Post Quote Reply Topic: Security Event Logs being cleared by User=SYSTEM Posted: 24 November 2009 at 10:26am
	Hi Aaron, You might use Process Monitor to identify what other files are accessed, and what processes are started or running, around the time you notice the logs are being cleared. That may provide further clues as to what may be going on...
	Daily affirmation: net helpmsg 4006

molotov Members Profile Send Private Message Find Members Posts Visit Members Homepage Add to Buddy List Moderator Group Joined: 04 October 2006 Online Status: Offline Posts: 17492	Post Options Post Reply Quote molotov Report Post Quote Reply Posted: 24 November 2009 at 10:24am
	note: moved topic to Troubleshooting forum
	Daily affirmation: net helpmsg 4006

acuster Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 18 August 2006 Online Status: Offline Posts: 2	Post Options Post Reply Quote acuster Report Post Quote Reply Posted: 07 November 2009 at 2:35am
	OK, I am dumbfounded on this one. Our Security event logs are being cleared. This is a serious violation of out ITRM policy for obvious reasons. The event log states USER=system. Clearing always occurs at the top of the hour. This behavior is indicative of a script or EXE. All the obvious have been checked; GPO and scheduled tasks. We have checked the other logs, and nothing occurs around the same time. The SA team is thinking it is an application proc doing this, but I need definitive proof of the root cause. Is there any other logs, or auditing that will show what proc, running under the system context, is clearing the security log? Or does anyone know of a free app that has more granular auditing. I am hoping this community can help me before I open a case with MS Thanks In Advance Aaron Aaron