Determine why logs were purged

We had some issues with a user connecting through OWA. This user used to be a server admin.

Upon checking today, all IIS logs have been removed up to and including Sept 30 (the day the issues were diagnosed). We do have a backup and of course all the passwords on the servers and accounts have been changed, and I've checked the system logs - there doesn't seem to be an IP matching that particular user's address.

The "security" logs seem to have been purged, but there is no log event showing that the logs have been purged. There are also several other event logs (such as RDP) not showing the IP and dating well back into August. It seems like those logs are actually hitting their max size of 20 MB and then doing some form of logrotate.

Of course, attempting to be as good a sysadmin as I can be, I'm a total control freak. Can anyone explain to me whether it's possible that Windows automatically purges logs every 3 months? Or can this be done web-based? (We only have OWA/ECP for Exchange 2013.)

I also noticed that the physical server is running low on disk... Could that be a reason?


Solution 1:

Logs are automatically purged (on a time- or size-based rotation) because disk space is finite. Keeping every log entry forever would fill even the largest of disks quickly, and every operating system does some kind of log pruning.

While that answers your question, it doesn't solve your problem: someone who should not have access to your servers clearly still does (at least through OWA).
I suggest reviewing "How do I deal with a compromised server?" as others have suggested, and deciding how to proceed based on the feedback given there.
I also strongly advise forcing a password change for all users. If this person is logging in to things as an ex-employee, who knows what other shady bits they may be retaining (copies of everyone's passwords, mayhaps?).

After that you can start thinking about a real security policy for your company so the next time you fire someone you can be sure all access is properly revoked...
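The answer above says the purge is rotation. The following PowerShell, added here as an example and not part of the original question or answer, checks that on the affected server: whether the Security log is in Circular mode and near its size limit (overwrite without any "purge" event), or whether someone explicitly cleared it (Event ID 1102 in the Security log, Event ID 104 in the System log). The two TerminalServices log names are an assumption about which "RDP" logs the question means.

```powershell
# Added example (not from the original question or answer). Run in an
# elevated PowerShell session on the Exchange/IIS server being investigated.

# 1. Configured retention for the Security log. LogMode 'Circular' means the
#    oldest records are silently overwritten once MaximumSizeInBytes is reached;
#    no event is written when that happens.
$cfg = Get-WinEvent -ListLog Security
[pscustomobject]@{
    MaxSizeMB   = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
    FileSizeMB  = [math]::Round($cfg.FileSize / 1MB, 1)
    LogMode     = $cfg.LogMode
    RecordCount = $cfg.RecordCount
    LogFilePath = $cfg.LogFilePath
}

# 2. Oldest surviving record. A recent date together with a full, circular log
#    is consistent with rotation rather than deletion.
Get-WinEvent -LogName Security -Oldest -MaxEvents 1 |
    Select-Object TimeCreated, Id, ProviderName

# 3. Explicit clearing does leave a trail: Event ID 1102 ("The audit log was
#    cleared") is written to the Security log and names the account that did it
#    (SubjectUserName is the second EventData property); Event ID 104 in the
#    System log records clearing of the other logs. -ErrorAction hides the
#    "no events found" error when neither exists.
$since = (Get-Date).AddDays(-90)   # assumed review window
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'ClearedBy'; e = { $_.Properties[1].Value } }
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 4. Same retention check for the RDP-related logs (assumed names), plus free
#    space on each volume, since the question also mentions a nearly full disk.
Get-WinEvent -ListLog 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
                      'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' |
    Select-Object LogName, LogMode, RecordCount,
                  @{ n = 'MaxSizeMB'; e = { [math]::Round($_.MaximumSizeInBytes / 1MB, 1) } }
Get-PSDrive -PSProvider FileSystem |
    Select-Object Name, @{ n = 'FreeGB'; e = { [math]::Round($_.Free / 1GB, 1) } }
```

If step 3 returns nothing and step 1 shows a circular log at its maximum size, the gap is the 20 MB rotation the question describes; a 1102 event with an unexpected account in ClearedBy is what an investigation would need to follow up.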