OK, I am dumbfounded on this one.
Our Security event logs are being cleared. This is a serious violation of
our ITRM policy for obvious reasons. The event log states USER=system.
Clearing always occurs at the top of the hour. This behavior is indicative
of a script or EXE. All the obvious have been checked; GPO and scheduled
tasks. We have checked the other logs, and nothing occurs around the same
time. The SA team is thinking it is an application proc doing this, but I
need definitive proof of the root cause.
Are there any other logs, or auditing, that will show what proc, running under
the system context, is clearing the security log? Or does anyone know of a
free app that has more granular auditing?
I am hoping this community can help me before I open a case with MS.
Thanks In Advance
Aaron
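One defender-side way to get the correlation the question asks for, as an added example that is not part of the original post. It assumes Sysmon is installed so process starts are recorded in the separate Microsoft-Windows-Sysmon/Operational log (event ID 1), which survives a clear of the Security log; the 120-second window is an assumed value.

```powershell
# Added example, not from the original post. Assumes Sysmon is installed so
# process creations land in Microsoft-Windows-Sysmon/Operational (event 1),
# which is not wiped when the Security log is cleared; the window is a guess.
$WindowSeconds = 120

# Event 1102 ("The audit log was cleared") is written as the first entry of
# the freshly emptied Security log, so it survives the clear itself.
$clears = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue

foreach ($clear in $clears) {
    $who = ([xml]$clear.ToXml()).Event.UserData.LogFileCleared.SubjectUserName
    Write-Host ("Security log cleared at {0} by {1}" -f $clear.TimeCreated, $who)

    # Process starts in the window just before the clear. The Security log's
    # own 4688 entries were wiped with it, so read Sysmon's separate log.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = $clear.TimeCreated.AddSeconds(-$WindowSeconds)
        EndTime   = $clear.TimeCreated
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $d['User']
            Image   = $d['Image']
            Parent  = $d['ParentImage']
            CmdLine = $d['CommandLine']
        }
    } | Where-Object { $_.User -like '*SYSTEM' } | Format-Table -AutoSize
}
```

Forwarding both logs to a collector before the top of the hour gives the same correlation even if the local Security log keeps being emptied.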