How to find out who deleted Event Viewer logs

logging windows-server-2003

On Windows Server 2003 someone has deleted the Security and Application logs.

I would like to know when the logs have been deleted and if possible who this criminal is. 🙂

Best Answer

In Windows 2003, when the Security log is cleared, a new event is automatically written to it that contains the information you're looking for.

Example:

Event ID: 517
Source: Security

The audit log was cleared 
    Primary User Name:  SYSTEM
    Primary Domain: NT AUTHORITY
    Primary Logon ID:   (0x0,0x3E7)
    Client User Name:   User's Name
    Client Domain:  CompanyDomain
    Client Logon ID:    (0x0,0x493DDA90)

More info from Microsoft

This event record indicates that the audit log has been cleared. This event is always recorded, regardless of the audit policy. It is recorded even if auditing is turned off.

Beyond that, you'd have to have object auditing policies already in place and configured to have any chance of having additional logs of actions taken by users of the system.
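An added example, not part of the original answer: a small parser that pulls the account and time out of Event ID 517 records in a text export of the Security log. The export layout, the `Date:` line, the sample values and the function names `parse_record` and `find_log_clears` are assumptions made for illustration; the description fields follow the example quoted in the answer.

```python
import re

# Constructed sample export. The "Date:" line and the record layout are
# assumptions; the 517 description fields follow the example in the answer.
SAMPLE = """\
Event ID: 517
Source: Security
Date: 2009-06-02 14:31:07

The audit log was cleared
    Primary User Name:  SYSTEM
    Primary Domain: NT AUTHORITY
    Primary Logon ID:   (0x0,0x3E7)
    Client User Name:   jdoe
    Client Domain:  CompanyDomain
    Client Logon ID:    (0x0,0x493DDA90)

Event ID: 528
Source: Security
Date: 2009-06-02 14:35:40
"""

def parse_record(block):
    """Turn the 'Name: value' lines of one record into a dict."""
    fields = {}
    for line in block.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def find_log_clears(text):
    """Return who cleared the Security log, and when, for each 517 record."""
    hits = []
    # Each record starts at a line beginning with "Event ID:".
    for block in re.split(r"(?m)^(?=Event ID:)", text):
        f = parse_record(block)
        if f.get("Event ID") != "517" or f.get("Source") != "Security":
            continue
        user, domain = f.get("Client User Name"), f.get("Client Domain")
        hits.append({
            "when": f.get("Date", "unknown"),
            "account": f"{domain}\\{user}" if user and domain else "unknown",
            "logon_id": f.get("Client Logon ID", "unknown"),
        })
    return hits

if __name__ == "__main__":
    for hit in find_log_clears(SAMPLE):
        print(hit)
```

The Client fields are the ones to read: in the answer's example the Primary fields show SYSTEM, while the Client fields carry the user's name and domain.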