This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 48%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Hi All,
I'm trying to find out why our MS Exchange server logs were cleared, but couldn't find why. Our SIEM indicated that it's triggered by Microsoft-Windows-Eventlog: EventID 104. Upon checking, event ID 104 is a normal condition and no further action is required (
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc775044(v=ws.10)?redirectedfrom=MSDN). I have tried to check if there's any suspicious logins on the admin accounts but we didn't find anything. Can you advise?
Log is below the eventID 104 is below.
{
"hostIdentifier": "00000000-cbe8-42a1-b497-f6a538fdfc75",
"BackupPath": "",
"Channel": "Microsoft-Exchange-ManagedAvailability/ThrottlingConfig",
"LogFileCleared": "",
"SubjectDomainName": "NT AUTHORITY",
"SubjectUserName": "SYSTEM",
"datetime": "2021-04-02T10:16:39.436600800Z",
"eventid": "104",
"keywords": "-1",
"level": "4",
"provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
"provider_name": "Microsoft-Windows-Eventlog",
"source": "System",
"task": "104",
"time": "1617358599"
}
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Hi @ninessas
Any update?
Hi @ninessas
Any progress here?
Sorry the title is Windows Event Logs Cleared
Hi @ninessas
What's you Exchange server version? Do you mean your event logs are cleared and you want to find 'who' deleted them?
Please correct me if I have any misunderstanding about your question. If that's the case, we could refer to the below threads which discussed the similar issues:
How to find out who deleted Event Viewer logs
Windows event logs clears or delete itself??
Audit Event logs clear Microsoft-Exchange Activemonitoring ManagedAvailability
Also check that your system logs is not being overwritten by itselft due to maximum size let's say 10 MB or so
Exchange server will not actively delete logs. If you make sure the logs was deleted, I would suggest you use other tool to monitor logs are deleted by which application.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.