Windows Clearing Event Logs

Event log data is almost never cleared during normal operations, so a cleared event log is suspicious on its own: an attacker who has gained a foothold will commonly clear a log to cover their tracks. Collecting events centrally makes that much harder, because the copies already forwarded to the collector survive a clear on the source host, and the clear is itself recorded as an event. Event forwarding lets a source forward a copy of each collected event to more than one collector, so a redundant collection model removes the single point of failure and leaves the attacker with no one place to wipe.

SIEM Events

Event Log Was Cleared
Event Source: Microsoft-Windows-Eventlog
Event Log: System

Event Log Service Shutdown (Security Log)
Event Source: Microsoft-Windows-Eventlog
Event Log: Security
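The two SIEM events above, and the redundant-collection point made in the introduction, as an added example (this is not code from the original page or from AIS): a small Python detector that runs over Windows events in their forwarded XML form, flags clears of the System and Security logs and shutdowns of the event log service, records which account performed the clear, and then compares what two collectors received so that a record one of them never got is surfaced. The event IDs 104, 1102 and 1100 are the standard Windows IDs for these conditions; they are documented Windows values rather than something this page lists. The host name ws01.corp.example, the account CORP\alice, the sample events and all helper names are constructed for this example.

```python
"""Detection logic for Windows event-log clearing, run over forwarded event XML.

Added example: the sample events below are constructed, not captured from a real
host, and the helper names are this example's own.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Standard Windows event IDs for the conditions the page describes. These are
# documented Windows values; the page itself does not list them.
WATCHED = {
    ("Microsoft-Windows-Eventlog", "System", 104): "event log was cleared",
    ("Microsoft-Windows-Eventlog", "Security", 1102): "audit log was cleared",
    ("Microsoft-Windows-Eventlog", "Security", 1100): "event logging service shut down",
}


@dataclass(frozen=True)
class Alert:
    computer: str
    channel: str
    event_id: int
    record_id: int
    time: str
    subject: str
    reason: str


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_event(xml_text):
    """Pull the fields the detector needs out of one rendered Windows event."""
    root = ET.fromstring(xml_text)
    system = {_local(el.tag): el for el in root.find(EVT_NS + "System")}
    # Events 104 and 1102 name the clearing account under UserData/LogFileCleared;
    # 1100 carries no subject, so it falls back to "-".
    parts = {}
    for el in root.iter():
        if _local(el.tag) in ("SubjectUserName", "SubjectDomainName"):
            parts[_local(el.tag)] = (el.text or "").strip()
    subject = "-"
    if "SubjectUserName" in parts:
        subject = parts.get("SubjectDomainName", "") + "\\" + parts["SubjectUserName"]
    return {
        "provider": system["Provider"].get("Name"),
        "channel": system["Channel"].text,
        "event_id": int(system["EventID"].text),
        "record_id": int(system["EventRecordID"].text),
        "computer": system["Computer"].text,
        "time": system["TimeCreated"].get("SystemTime"),
        "subject": subject,
    }


def detect_clears(xml_events):
    """Return an Alert for every event that matches WATCHED, in input order."""
    alerts = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        key = (ev["provider"], ev["channel"], ev["event_id"])
        if key in WATCHED:
            alerts.append(Alert(ev["computer"], ev["channel"], ev["event_id"],
                                ev["record_id"], ev["time"], ev["subject"], WATCHED[key]))
    return alerts


def missing_from(primary_xml, secondary_xml):
    """Records the first collector holds that the second does not.

    With redundant forwarding both collectors should hold the same records, so a
    gap on one side is itself worth a look (lost forwarding, or tampering).
    """
    def keys(events):
        return {(e["computer"], e["channel"], e["record_id"]) for e in map(parse_event, events)}
    return keys(primary_xml) - keys(secondary_xml)


def _event(provider, channel, event_id, record_id, computer, time, user_data=""):
    """Build a minimal rendered event in the Windows event XML layout (constructed)."""
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        f"<System><Provider Name='{provider}'/><EventID>{event_id}</EventID>"
        f"<TimeCreated SystemTime='{time}'/><EventRecordID>{record_id}</EventRecordID>"
        f"<Channel>{channel}</Channel><Computer>{computer}</Computer></System>"
        f"{user_data}</Event>"
    )


CLEARED_BY_ALICE = (
    "<UserData><LogFileCleared xmlns='http://manifests.microsoft.com/win/2004/08/windows/eventlog'>"
    "<SubjectUserName>alice</SubjectUserName><SubjectDomainName>CORP</SubjectDomainName>"
    "</LogFileCleared></UserData>"
)

# Constructed sample: what collector A received from ws01 (a logon, then both logs
# cleared, then the event log service stopped).
COLLECTOR_A = [
    _event("Microsoft-Windows-Security-Auditing", "Security", 4624, 88210, "ws01.corp.example", "2021-03-24T10:14:55Z"),
    _event("Microsoft-Windows-Eventlog", "System", 104, 90311, "ws01.corp.example", "2021-03-24T10:15:01Z", CLEARED_BY_ALICE),
    _event("Microsoft-Windows-Eventlog", "Security", 1102, 88213, "ws01.corp.example", "2021-03-24T10:15:02Z", CLEARED_BY_ALICE),
    _event("Microsoft-Windows-Eventlog", "Security", 1100, 88214, "ws01.corp.example", "2021-03-24T10:15:30Z"),
]
# Collector B never received the Security-log clear.
COLLECTOR_B = [COLLECTOR_A[0], COLLECTOR_A[1], COLLECTOR_A[3]]

if __name__ == "__main__":
    for a in detect_clears(COLLECTOR_A):
        print(f"{a.time} {a.computer} {a.channel} id={a.event_id} by {a.subject}: {a.reason}")
    print("records collector B never received:", sorted(missing_from(COLLECTOR_A, COLLECTOR_B)))
```

The subject lookup walks the whole event rather than a fixed path because the LogFileCleared element lives in a different namespace from the System block; matching on local element names keeps the detector indifferent to that. Running the block on the sample prints three alerts (the System clear and the Security clear attributed to CORP\alice, and the service shutdown with no subject) and reports Security record 88213 as the one collector B is missing.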

AIS Managed SIEM

Last modified March 24, 2021