Windows Security Log Event ID 517

517: The audit log was cleared

On this page

• Description of this event
• Field level details
• Examples

Event 517 is logged whenever the Security log is cleared, REGARDLESS of the status of the Audit System Events audit policy.

The Primary User Name and Client User Name fields will identify the user who cleared the log. Primary User Name will correspond to the system, and Client user name will indicate the user who cleared the log.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 517

• Primary User Name: The username of the system where the log was cleared (always SYSTEM)
• Primary Domain: Since this takes place within the system, domain is NT Authority
• Primary Logon ID: Logon ID of the computer  
• Client User Name: The user that cleared the audit log 
• Client Domain: The domain of the user that cleared the log
• Client Logon ID: Logon ID of the user that cleared the log. If the log was archived the logon ID can be used to correlate to logon event ID 528 or 540.

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Mini-Seminars Covering Event ID 517 11 Ways to Detect System Intrusions with the Security Log Top 5 Daily Reports for Monitoring Windows Servers Building a Security Dashboard for Your Senior Executives Detecting Compromised Privileged Accounts with the Security Log

 

Upcoming Webinars

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy