We have an automated deployment tool that automatically installs the latest version of our software on a production server every night at 9:00 PM. This has been working well for a long time.
Very recently, I started noticing that every time the software gets installed, the Application event log empties around the time that the installation completes. I can't believe that our application is doing that, because we have no code whatsoever that clears the event log. We do log entries to the Application event log, but that hasn't changed in years.
I checked the System event log, and I found an event indicating that the Application event log was cleared: "The Application log file was cleared." When I check the details of the event, I determined that svchost.exe is the service that cleared it based on the process ID. The user that cleared it was NT AUTHORITY\SYSTEM.
I checked the services running under the process ID that cleared the event log, and there are three services:
- DHCP Client
- Windows Event Log
- TCP/IP NetBIOS Helper
The Application event log settings are in the following screenshot. When the log gets cleared, there are only about 20 entries in it, which is far below the size limit, so I don't see why it would be clearing due to fillup.
