5

On Windows Server 2003 someone has deleted the Security and Application logs.

I would like to know when the logs have been deleted and if possible who this criminal is. :)

I say Reinstate Monica
Amine Zaine
    You can tell roughly when the logs were deleted by determining the earliest entry in the newest logs. You all but certainly won't be able to tell who deleted them, though. – ChrisInEdmonton Dec 07 '15 at 14:49
  • A user made some malicious modifications on a Windows 2003 server and deleted the Event Viewer logs; he modified some files. How can I find out who? –  Dec 07 '15 at 14:51

2 Answers

5

In Windows 2003, when the Security log is cleared, a new event is automatically written to it that contains the information you're looking for.

Example:

Event ID: 517
Source: Security

The audit log was cleared 
    Primary User Name:  SYSTEM
    Primary Domain: NT AUTHORITY
    Primary Logon ID:   (0x0,0x3E7)
    Client User Name:   User's Name
    Client Domain:  CompanyDomain
    Client Logon ID:    (0x0,0x493DDA90)

More info from Microsoft

This event record indicates that the audit log has been cleared. This event is always recorded, regardless of the audit policy. It is recorded even if auditing is turned off.

Beyond that, you'd have to have object auditing policies already in place and configured to have any chance of having additional logs of actions taken by users of the system.

techie007
  • I couldn't find anything... It feels like the logs have been overwritten since the maximum log size is 10 MB –  Dec 07 '15 at 15:01
  • Then they may have destroyed them at the file level. If the user can delete logs and system files, you can't possibly log him using that system... so unfortunately I'd say you're out of luck, unless you have some form of external auditing in place, which if you did, I'm guessing you wouldn't be asking us about this. ;) – techie007 Dec 07 '15 at 15:03
  • Unfortunately, I don't. But thanks for your answer, I hope it could help someone else :) –  Dec 07 '15 at 15:07
1

Clearing the log writes an entry to the log file. Below is an example from my test server; it logs the username and the time and date.

Log Name:      System
Source:        Microsoft-Windows-Eventlog
Date:          07/12/2015 14:52:05
Event ID:      104
Task Category: Log clear
Level:         Information
Keywords:      
User:          CONTOSO\admin
Computer:      ad.contoso.local
Description:
The System log file was cleared.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
    <EventID>104</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>104</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-07T14:52:05.515696000Z" />
    <EventRecordID>4270</EventRecordID>
    <Correlation />
    <Execution ProcessID="812" ThreadID="3612" />
    <Channel>System</Channel>
    <Computer>ad.contoso.local</Computer>
    <Security UserID="S-1-5-21-3235254930-1055063838-1000765035-500" />
  </System>
  <UserData>
    <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <SubjectUserName>admin</SubjectUserName>
      <SubjectDomainName>CONTOSO</SubjectDomainName>
      <Channel>System</Channel>
      <BackupPath>
      </BackupPath>
    </LogFileCleared>
  </UserData>
</Event>
Burgi
  • Thanks for the hint of the event ID 104. Unfortunately, I filtered the System logs with the event ID 104 and I had nothing. This guy is a pro. –  Dec 07 '15 at 14:56
  • This isn't accurate for Windows 2003. – techie007 Dec 07 '15 at 14:59
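The two answers above point at different "log cleared" markers depending on the Windows version (517 in the Security log on Windows 2003, 104 and 1102 on Vista/2008 and later), and the first comment on the question suggests bounding the clearing time by the oldest surviving record when the marker itself is gone. The following triage script is an added example and is not code from either answer or from Microsoft. It assumes PowerShell 2.0 (which can be installed on Windows Server 2003), local Administrator rights to read the Security log, and the `Get-EventLog` cmdlet; `$ComputerName`, `Get-LogClearRecords` and `Get-OldestSurvivingRecord` are names chosen for this example. The 104/1102 branches simply return nothing on a 2003 host.

```powershell
# Added example (not from the original answers): find "log cleared" records and,
# when the marker has been overwritten, bound the clearing time by the oldest record
# still on disk. PowerShell 2.0 syntax; run as a local Administrator.
# $ComputerName is a hypothetical parameter; '.' means the local machine.
param([string]$ComputerName = '.')

# Markers the event log service writes when a log is cleared. They are written
# regardless of audit policy, so if none is present on a wrapping 10 MB log the
# record has either been overwritten since or the clear never happened.
$clearMarkers = @(
    @{ Log = 'Security'; Id = 517;  Note = 'Security log cleared (Windows 2003 / XP)' },
    @{ Log = 'Security'; Id = 1102; Note = 'Security log cleared (Vista / 2008 and later)' },
    @{ Log = 'System';   Id = 104;  Note = 'System or Application log cleared (Vista / 2008 and later)' }
)

function Get-LogClearRecords {
    foreach ($m in $clearMarkers) {
        # Filter on EventID rather than -InstanceId: on classic logs InstanceId can carry
        # qualifier bits in its high word, so a plain EventID comparison is the safer match.
        $hits = Get-EventLog -ComputerName $ComputerName -LogName $m.Log -ErrorAction SilentlyContinue |
            Where-Object { $_.EventID -eq $m.Id }
        foreach ($e in $hits) {
            # For 517 the account that cleared the log is the "Client User Name" inside the
            # message body; the record's own UserName is SYSTEM (the event log service itself).
            $client = ''
            if ($e.Message -match 'Client User Name:\s*(.+?)\s*(\r?\n|$)') { $client = $Matches[1] }
            New-Object PSObject -Property @{
                Log        = $m.Log
                EventID    = $m.Id
                Time       = $e.TimeGenerated
                RecordUser = $e.UserName
                ClientUser = $client
                Note       = $m.Note
            }
        }
    }
}

function Get-OldestSurvivingRecord {
    # Get-EventLog returns newest first, so the last object is the oldest record still on
    # disk. On a cleared log that is the first record written after the clear, which bounds
    # the clearing time even when the 517/104 marker itself has since been overwritten.
    # The retention settings show how quickly a busy 10 MB log wraps and destroys that bound.
    foreach ($log in 'Security', 'Application', 'System') {
        $oldest = Get-EventLog -ComputerName $ComputerName -LogName $log -ErrorAction SilentlyContinue |
            Select-Object -Last 1
        $oldestTime = $null
        if ($oldest) { $oldestTime = $oldest.TimeGenerated }
        $settings = Get-EventLog -ComputerName $ComputerName -List | Where-Object { $_.Log -eq $log }
        New-Object PSObject -Property @{
            Log            = $log
            OldestRecord   = $oldestTime
            MaximumKB      = $settings.MaximumKilobytes
            OverflowAction = $settings.OverflowAction
        }
    }
}

# Usage: list any clear markers, then the oldest surviving record per log.
Get-LogClearRecords       | Format-Table Time, Log, EventID, RecordUser, ClientUser, Note -AutoSize
Get-OldestSurvivingRecord | Format-Table Log, OldestRecord, MaximumKB, OverflowAction -AutoSize
```

Read the second table against the first: if the Security log's oldest surviving record is much newer than the oldest record in System or Application, and no 517 marker survives, the Security log was most likely cleared (or wrapped) shortly before that oldest record; the other two logs then give you the window in which to look for logons and service starts by the same account. As the accepted answer notes, none of this helps once the `.evt` files themselves were deleted from disk by someone with Administrator rights; only logs forwarded off the box before the deletion would.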