Event ID 517 - The audit log was cleared.
|Description||The event is logged whenever the audit log is cleared, regardless of the status of the Audit System Events audit policy.|
The event logs the following information:
|Primary user name||The username of the system where the log was cleared (always SYSTEM).|
|Primary domain||Domain in which the audit occurred (always NT Authority)|
|Primary logon ID||Logon ID of the computer.|
|Client user name||The user name of the user who cleared the audit log.|
|Client domain||The domain to which the client user belongs to.|
|Client logon ID||Logon ID of the user that cleared the log. If the log was archived the logon ID can be used to correlate to logon event ID 528 or 540.|
- ADAudit Plus notifies you whenever the audit log has been cleared.
- You can view this event as a report, that includes details about who cleared the log, and when it was cleared.
- If required, an alert can be set up to let the administrators know when an audit log has been cleared.
Event 517 applies to the following operating systems:
- Windows server 2000
- Windows server 2003 and XP
Corresponding event in Windows 2008 and Vista - Event 1102.