Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->System->EventID 517 - The audit log was cleared
EventID 517 - The audit log was cleared

This event record indicates that the audit log has been cleared. This event is always recorded, regardless of the audit policy. It is recorded even if auditing is turned off.


The audit log should be saved in a file before deleting. The practice of always saving copies of audit logs is good for catching fraudulent users. A fraudulent user with sufficient privileges can delete the audit log as a way of erasing evidence of tampering with the computer systems and files. Lack of a backed-up audit log will help trace an unauthorized user. Once deleted, an audit log is lost unless a copy was made and saved before deleting.

Primary User Name identifies the system, and Client user name identifies the user who cleared the log.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:

Windows 2008
        Event Type:     Success Audit
        Event Source:   Security
        Event Category: System Event
        Event ID:       517
        Date:           10/26/2009
        Time:           07:31:38
        User:           NT AUTHORITY\SYSTEM
        Computer:       DC1
        The audit log was cleared

        Primary User Name:	SYSTEM
        Primary Domain:	NT AUTHORITY
        Primary Logon ID:	(0x0,0x3E7)
        Client User Name:	Alebovsky
        Client Domain:	RESEARCH
        Client Logon ID:	(0x0,0x59DF36)
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2000
Windows XP
Windows 2003
Category System
Source Security
EventId 517
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
Primary User Name The username of the system where the log was cleared (always SYSTEM) InsertionString1 SYSTEM
Primary Domain Since this takes place within the system, domain is NT Authority InsertionString2 NT AUTHORITY
Primary Logon ID ID of the logon session of the computer where the log was cleared InsertionString3 (0x0,0x3E7)
Client User Name The user that cleared the audit log InsertionString4 Alebovsky
Client Domain The domain of the user that cleared the log InsertionString5 RESEARCH
Client Logon ID ID if the logon session of the user that cleared the log. Useful for finding other events indicating the same user activity during the same logon session. InsertionString6 (0x0,0x59DF36)
You must be logged in to comment