When the Windows Security Event log is cleared, Windows logs event ID 1102 in the Security Event Log. If there are any other applications or processes that also use event ID 1102 on a server where a Change Auditor agent is installed, this will cause Change Auditor to report the Security Event Log Cleared event.
For example, Active Directory Federated Services also uses event ID 1102, which will cause Change Auditor to report false positives for the Security Event Log Cleared event.
WORKAROUND:
Disable the Security Event Log Cleared event from being audited:
STATUS:
Defect ID TF00458321 has been submitted to Development for consideration for a fix in a future release of Change Auditor
© ALL RIGHTS RESERVED. Feedback Términos de uso Privacidad Cookie Preference Center