
November 6th, 2009, 08:07 PM
Other - Security Event Logs being cleared by User=SYSTEM, cannot determine process
OK, I am dumbfounded on this one.
Our Security event logs are being cleared. This is a serious violation of our ITRM policy for obvious reasons. The event log states USER=system. Clearing always occurs at the top of the hour. This behavior is indicative of a script or EXE. All the obvious have been checked: GPO and scheduled tasks. We have checked the other logs, and nothing occurs around the same time. The SA team is thinking it is an application proc doing this, but I need definitive proof of the root cause.
Are there any other logs, or auditing, that will show what proc, running under the system context, is clearing the security log? Or does anyone know of a free app that has more granular auditing?
I am hoping this community can help me before I open a case with MS.
Thanks In Advance
Aaron
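One way to get the evidence the question asks for, as an added example that is not part of the original post: because the Security log itself is wiped, the process-creation events (4688) from just before each clear are lost unless they are copied elsewhere first, so this script polls the log, keeps a CSV copy outside it, and when a "log cleared" event (1102) appears it lists what started in the preceding window. It assumes Vista/Server 2008 or later (on Server 2003 the cleared-log event is 517 and the field layout differs), PowerShell 2.0, and that "Audit Process Creation" is enabled; the output path and window length are assumed values.

```powershell
# Added example: preserve 4688 events outside the Security log and correlate them with 1102.
$outFile     = 'C:\ProcAudit\process-creation.csv'   # assumed path
$window      = 120    # seconds before a clear to report (assumed)
$pollSeconds = 10
$lastSeen    = (Get-Date).AddMinutes(-5)

New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null
if (-not (Test-Path $outFile)) { 'Time,Process,Pid,ParentPid,User' | Set-Content $outFile }

function Get-SecurityEventsSince {
    param([int]$Id, [datetime]$Since)
    # StartTime is inclusive, so re-filter with -gt; "no events found" is a non-terminating error
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$Id; StartTime=$Since} -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -gt $Since }
}

function Convert-ProcessEvent {
    param($Event)
    # 4688 property order: 1 = subject account, 4 = new PID, 5 = new process name, 7 = creator PID
    '"{0}","{1}",{2},{3},"{4}"' -f $Event.TimeCreated.ToString('o'), $Event.Properties[5].Value,
        $Event.Properties[4].Value, $Event.Properties[7].Value, $Event.Properties[1].Value
}

while ($true) {
    $now = Get-Date   # taken before the fetch; an event in the fetch gap may repeat once, which is harmless

    # 1. Copy new process-creation events to the CSV before the log can be wiped
    Get-SecurityEventsSince -Id 4688 -Since $lastSeen |
        ForEach-Object { Convert-ProcessEvent $_ } | Add-Content $outFile

    # 2. If the log was cleared since the last poll, report what started just before the clear.
    #    1102 property 1 is the account that cleared the log (SYSTEM in the thread's case).
    foreach ($clr in Get-SecurityEventsSince -Id 1102 -Since $lastSeen) {
        $from = $clr.TimeCreated.AddSeconds(-$window)
        Write-Host ("Security log cleared at {0} by {1}; processes created in the prior {2}s:" -f
            $clr.TimeCreated, $clr.Properties[1].Value, $window)
        Import-Csv $outFile |
            Where-Object { [datetime]$_.Time -ge $from -and [datetime]$_.Time -le $clr.TimeCreated } |
            Sort-Object Time | Format-Table -AutoSize | Out-String | Write-Host
    }

    $lastSeen = $now
    Start-Sleep -Seconds $pollSeconds
}
```

Run it from a scheduled task or console session that stays up across the top of the hour; the ParentPid column ties an hourly process back to its launcher (Task Scheduler, a service host, or an application), which is the root-cause evidence the SA team needs.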