zibby42
I have a Windows 2016 server running Wampserver. Every hour something is causing the Event Log to clear. Here's the only entry I have right now in the Security log:
The audit log was cleared.
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Domain Name: NT AUTHORITY
Logon ID: 0x3E7
- System
- Provider
[ Name] Microsoft-Windows-Eventlog
[ Guid] {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}
EventID 1102
Version 0
Level 4
Task 104
Opcode 0
Keywords 0x4020000000000000
- TimeCreated
[ SystemTime] 2018-11-02T10:57:28.508219200Z
EventRecordID 114191
Correlation
- Execution
[ ProcessID] 344
[ ThreadID] 7860
Channel Security
Computer w2k16-web01
Security
- UserData
- LogFileCleared
SubjectUserSid S-1-5-18
SubjectUserName SYSTEM
SubjectDomainName NT AUTHORITY
SubjectLogonId 0x3e7
According to Process Explorer, ProcessID 344 is svchost running the following services: DHCP, EventLog, lmhosts and TimeBrokerSvc.
ThreadID 7860 Start Address is ntdll.dll!RtlReleaseSRWLockExclusive+0x2200
I could really use help understanding what this means and how to stop the EventLog clearing.
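Added example, not part of the original post: a PowerShell triage pass that reads the newest Event ID 1102 record, lists Event ID 104 clears from the System log, and shows scheduled tasks that last ran close to the clear time. The 120-second window and the choice to check scheduled tasks are assumptions made here because the clears recur hourly.

```powershell
# Added triage example; run in an elevated PowerShell session on the affected server.
$windowSeconds = 120   # assumed correlation window, adjust as needed

# Latest "The audit log was cleared" record (Event ID 1102, Security channel).
$clear = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 1 -ErrorAction Stop
$data  = ([xml]$clear.ToXml()).Event.UserData.LogFileCleared
[pscustomobject]@{
    TimeCreated = $clear.TimeCreated
    ProcessId   = $clear.ProcessId      # the process that wrote the record
    ThreadId    = $clear.ThreadId
    Subject     = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
    SubjectSid  = $data.SubjectUserSid
    LogonId     = $data.SubjectLogonId
} | Format-List

# Event ID 104 in the System log records clears of other logs (System, Application, ...).
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# Scheduled tasks whose last run falls inside the window around the clear.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
    if ($info -and $info.LastRunTime) {
        $delta = [math]::Abs(($info.LastRunTime - $clear.TimeCreated).TotalSeconds)
        if ($delta -le $windowSeconds) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                RunAs   = $task.Principal.UserId
                LastRun = $info.LastRunTime
                Action  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            }
        }
    }
} | Sort-Object LastRun | Format-Table -AutoSize -Wrap
```

Because each clear wipes the earlier records, run this soon after a clear so the task last-run times still line up with the surviving 1102 entry.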