Event ID 1102 – The Audit Log Was Cleared
|Category||Non Audit (Event Log)|
|Sub-category||Other Events (Log Clear)|
|Description||Audit log was cleared|
Whenever Windows Security audit log is cleared, event ID 1102 is logged.
This log data provides the following information:
- Security ID
- Account Name
- Account Domain
- Logon ID
Why does event ID 1102 need to be monitored?
- Typically, there is no need for manual clearing of the event log, so the occurrence of this event must be further investigated.
- To monitor actions of high value accounts
- To detect anomalies and malicious actions
- To ensure non-active, external, and restricted accounts are not used
- To ensure that only white-listed accounts perform certain specific actions
- To enforce conventions and compliances
With in-depth reports, real-time alerts, and options for activities like automatic archiving, ADAudit Plus handles all log related non-audit events, helping you meet your security, operational, and compliance needs with absolute ease.
Event 1102 applies to the following operating systems:
- Windows 2008 R2 and 7
- Windows 2012 R2 and 8.1
- Windows 2016 and 10
Corresponding event ID in Windows 2003 and earlier is 517