Live Demo
Free Edition
Download NowSystem Event » Windows System Event: 517
Event ID 517 - The audit log was cleared.
| Description | The event is logged whenever the audit log is cleared, regardless of the status of the Audit System Events audit policy. |
| Category | System |
The event logs the following information:
| Primary user name | The username of the system where the log was cleared (always SYSTEM). |
| Primary domain | Domain in which the audit occurred (always NT Authority) |
| Primary logon ID | Logon ID of the computer. |
| Client user name | The user name of the user who cleared the audit log. |
| Client domain | The domain to which the client user belongs to. |
| Client logon ID | Logon ID of the user that cleared the log. If the log was archived the logon ID can be used to correlate to logon event ID 528 or 540. |
Pro tips:
- ADAudit Plus notifies you whenever the audit log has been cleared.
- You can view this event as a report, that includes details about who cleared the log, and when it was cleared.
- If required, an alert can be set up to let the administrators know when an audit log has been cleared.
Event 517 applies to the following operating systems:
- Windows server 2000
- Windows server 2003 and XP
Corresponding event in Windows 2008 and Vista - Event 1102.
Explore Active Directory auditing and reporting with ADAudit Plus.
Account Management Auditing
Active Directory Auditing
Windows Server Auditing
- Related Products
- ADManager Plus Active Directory Management & Reporting
- ADAudit Plus Real-time Active Directory Auditing and UBA
- EventLog Analyzer Real-time Log Analysis & Reporting
- ADSelfService Plus Self-Service Password Management
- AD360 Integrated Identity & Access Management
- Log360 (On-Premise | Cloud) Comprehensive SIEM and UEBA
- AD Free Tools Active Directory FREE Tools