The audit log was cleared Primary User Name: %1 Primary Domain: %2 Primary Logon ID: %3 Client User Name: %4 Client Domain: %5 Client Logon ID: %6

Details
Product: Windows Operating System
Event ID: 517
Source: Security
Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_AUDIT_LOG_CLEARED
Message: The audit log was cleared Primary User Name: %1 Primary Domain: %2 Primary Logon ID: %3 Client User Name: %4 Client Domain: %5 Client Logon ID: %6
   
Explanation

This event record indicates that the audit log has been cleared. This event is always recorded, regardless of the audit policy. It is recorded even if auditing is turned off. The audit log should be saved in a file before deleting. The practice of always saving copies of audit logs is good for catching fraudulent users. A fraudulent user with sufficient privileges can delete the audit log as a way of erasing evidence of tampering with the computer systems and files. Lack of a backed-up audit log will help trace an unauthorized user. Once deleted, an audit log is lost unless a copy was made and saved before deleting.

   
User Action

Always save copies of your audit logs before deleting them.

Related:

Leave a Reply