How to disable security logs cleaning?

EEEEEEEEEEEEEE BBBBBBBBBBBBBBB 0 Reputation points
2023-08-24T05:04:44.21+00:00

Hello, I use Windows Server 2022 Datacenter, and I want to disable the clean function for logs. I'd done it for all logs, like Application, System but I can't do it for Security logs.

The command which I used:

wevtutil sl security /ca:"O:BAG:SYD:(A;;0xf0005;;;SY)"

I know that it isn’t good permissions, it just for example.

wevtutil gl security

name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
  retention: true
  autoBackup: true
  maxSize: 20971520
publishing:
  fileMax: 1

But after setting permissions I still can clean it.

wevtutil cl security

I'd tried to set perms by the GPO, but nothing changed

Windows for business | Windows Server | User experience | Other
Windows for business | Windows Server | Devices and deployment | Configure application groups
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. poliveirasilva-MSFT 86 Reputation points Microsoft Employee
    2023-09-25T17:03:16.25+00:00

    Not sure if there is a supported way to prevent it. Maybe the best approach here is to detect when Security log was cleaned.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.