Audit Policy on Event logs?

  • Question

  • Hi All,

    I'm wondering if it's possible to audit actions done on specific event logs? We'd like to keep track of who deletes/clears a specific event log. Sort of like auditing a file object being modified/deleted, but only on event logs instead of file objects.

    Friday, October 2, 2015 9:19 AM

Answers

  • Hi All,

    I'm wondering if it's possible to audit actions done on specific event logs? We'd like to keep track of who deletes/clears a specific event log. Sort of like auditing a file object being modified/deleted, but only on event logs instead of file objects.

    As said above, you can audit the activities for file objects, not for any special events.

    Please refer to this PDF guide, which seems closer to your concern: https://gallery.technet.microsoft.com/How-to-enable-File-and-af674be4

    • Proposed as answer by Elaine Jing Thursday, October 8, 2015 7:56 AM
    • Marked as answer by Elaine Jing Thursday, October 15, 2015 2:32 AM
    Tuesday, October 6, 2015 10:04 AM

All replies

  • It's possible, but only for the Security log:

    Event 1102 is logged whenever the Security log is cleared, REGARDLESS of the status of the Audit System Events audit policy. The Account Name and Domain Name fields identify the user who cleared the log.



    --- Jeff (Netwrix)

    Friday, October 2, 2015 9:56 AM
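
Reading the account and domain fields of event 1102 described in the reply above, as an added example that is not part of the original thread. The `Subject*` element names are those of the event's XML payload; the function name and the sample record (host, account, SID) are constructed for illustration.

```powershell
# Added example: turn a Security-log event 1102 record into "who cleared the log".
function ConvertFrom-LogClearedXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $xml  = [xml]$EventXml
    $data = $xml.Event.UserData.LogFileCleared   # payload element of event 1102
    if (-not $data) { return }                   # not a log-cleared record: emit nothing
    [pscustomobject]@{
        TimeUtc  = $xml.Event.System.TimeCreated.SystemTime
        Computer = $xml.Event.System.Computer
        Account  = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        Sid      = $data.SubjectUserSid
        LogonId  = $data.SubjectLogonId
    }
}

# Constructed sample record (not real data), so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog" />
    <EventID>1102</EventID>
    <TimeCreated SystemTime="2015-10-02T09:00:00.000Z" />
    <Computer>HOST01.example.test</Computer>
  </System>
  <UserData>
    <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <SubjectUserSid>S-1-5-21-1111111111-2222222222-3333333333-1001</SubjectUserSid>
      <SubjectUserName>jdoe</SubjectUserName>
      <SubjectDomainName>EXAMPLE</SubjectDomainName>
      <SubjectLogonId>0x3e7</SubjectLogonId>
    </LogFileCleared>
  </UserData>
</Event>
'@
ConvertFrom-LogClearedXml -EventXml $sample

# Live query on a Windows host (reading the Security log needs an elevated prompt).
# -ErrorAction SilentlyContinue suppresses the "no events were found" error.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-LogClearedXml -EventXml $_.ToXml() }
```
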
  • Hi Jeff,

    I'm referring to specifically Windows -> Failover Cluster logs. Based on your answer I suppose the answer is no?

    Monday, October 5, 2015 6:21 AM
  • Hi Jack, 

    Unfortunately, you can only detect if there were any gaps in the log; no special event is logged for logs other than the Security one.


    --- Jeff (Netwrix)

    Monday, October 5, 2015 9:23 AM