How to find out who deleted Event Viewer logs
On Windows Server 2003 someone has deleted the Security and Application logs.
I would like to know when the logs have been deleted and if possible who this criminal is. :)
Solution 1:
In Windows 2003, when the Security log is cleared a new event is automatically written to it that contains the information you're looking for.
Example:
Event ID: 517
Source: Security
The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Client User Name: User's Name
Client Domain: CompanyDomain
Client Logon ID: (0x0,0x493DDA90)
More info from Microsoft
This event record indicates that the audit log has been cleared. This event is always recorded, regardless of the audit policy. It is recorded even if auditing is turned off.
Beyond that, you'd have to have object auditing policies already in place and configured to have any chance of having additional logs of actions taken by users of the system.
Solution 2:
Clearing the log enters an entry in the log file. Below is an example from my test server; it logs the username and the time and date.
Log Name: System
Source: Microsoft-Windows-Eventlog
Date: 07/12/2015 14:52:05
Event ID: 104
Task Category: Log clear
Level: Information
Keywords:
User: CONTOSO\admin
Computer: ad.contoso.local
Description:
The System log file was cleared.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
    <EventID>104</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>104</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-07T14:52:05.515696000Z" />
    <EventRecordID>4270</EventRecordID>
    <Correlation />
    <Execution ProcessID="812" ThreadID="3612" />
    <Channel>System</Channel>
    <Computer>ad.contoso.local</Computer>
    <Security UserID="S-1-5-21-3235254930-1055063838-1000765035-500" />
  </System>
  <UserData>
    <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <SubjectUserName>admin</SubjectUserName>
      <SubjectDomainName>CONTOSO</SubjectDomainName>
      <Channel>System</Channel>
      <BackupPath></BackupPath>
    </LogFileCleared>
  </UserData>
</Event>
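The two answers above describe the same evidence on different Windows generations: on Windows Server 2003 a cleared Security log gets event 517, while on Windows Vista / Server 2008 and later a cleared Security log gets event 1102 and a cleared System or Application log gets event 104 in the System log, both carrying the clearing account under UserData/LogFileCleared as in the XML quoted above. The PowerShell below is an added example, not code from either answer, that pulls those records out and lists who cleared which log and when. It assumes you run it elevated on (or against) the server in question; the function names, the `-Days` window and the output column names are my own choices.

```powershell
# Added example: find who cleared an event log.
# Event IDs are Microsoft's documented values:
#   517  - Security log cleared (Windows Server 2003 / XP, classic event log)
#   1102 - Security log cleared (Windows Vista / Server 2008 and later)
#   104  - any other log cleared, recorded in the System log (Vista / 2008 and later)

# Windows Server 2003: the classic Get-EventLog API, Event ID 517.
# The account that cleared the log is in the event text ("Client User Name").
function Get-SecurityLogClearLegacy {
    Get-EventLog -LogName Security |
        Where-Object { $_.EventID -eq 517 } |
        Select-Object TimeGenerated, MachineName, UserName, Message
}

# Windows Vista / Server 2008 and later: query the XML event records.
function Get-LogClearEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # assumption: local host by default
        [int]$Days = 30                              # assumption: look back 30 days
    )
    $since = (Get-Date).AddDays(-$Days)

    # 1102 lives in the Security log; 104 lives in the System log.
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $since },
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104; StartTime = $since }
    )

    foreach ($f in $filters) {
        # Get-WinEvent raises an error when nothing matches; treat that as "no clears".
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Both 1102 and 104 put the clearing account under UserData/LogFileCleared;
            # PowerShell's dot navigation ignores the XML namespaces.
            [xml]$x = $e.ToXml()
            $d = $x.Event.UserData.LogFileCleared
            [pscustomobject]@{
                Time       = $e.TimeCreated
                Computer   = $e.MachineName
                EventId    = $e.Id
                ClearedLog = if ($e.Id -eq 104) { $d.Channel } else { 'Security' }
                User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                UserSid    = $e.UserId
                BackupPath = $d.BackupPath   # non-empty if the log was saved before clearing
            }
        }
    }
}

# Usage: list every log clear in the last 90 days, oldest first.
Get-LogClearEvents -Days 90 | Sort-Object Time | Format-Table -AutoSize
```

Two caveats for the investigation. First, these records only name the account that issued the clear (for example the account that ran `wevtutil cl Security`); if that was a shared or compromised administrator account you still need logon events around the same time to tie it to a person. Second, if a log is empty or truncated and there is no 517/1102/104 record at all, the log was not cleared through the event log service, which is itself worth investigating. Forwarding event logs to a collector or SIEM is the only reliable way to keep the events that preceded the clear.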