Security Event log ID4740 & 4767 appear and then disappear

tech_tc 26 Reputation points

Has anyone experienced this issue?

While troubleshooting account lockouts, I can search Event Viewer for IDs 4740 & 4767 and get returned events. Then a few hours later, when the account has automatically unlocked, it is no longer possible to find those historical events in Event Viewer.

Where do they disappear to? Is there a special retention policy for these specific IDs?

Any help or pointers would be much appreciated.

This is a 2012R2 DC


Accepted answer
  1. Bill Light 81 Reputation points

    By default, there is no retention policy or mechanism that would delete Windows Event Viewer logs. If your search criteria filter isn't the issue within event logs, I would suggest checking for another mechanism, i.e. did someone set up a script to delete these logs, is the security log set to delete at a specific size, date range, etc.

    Remember to mark this answer.

    1 person found this answer helpful.

1 additional answer

  1. Daisy Zhou 14,886 Reputation points Microsoft Vendor

    Hello techtc-2144,

    Thank you for posting in our Q&A forum.

    Hope the information provided by BillLight is helpful to you.

    Usually, we can see the three options in the security log Properties or other logs' Properties.
    Overwrite events as needed (oldest events first).
    Archive the log when full, do not overwrite events.
    Do not overwrite events (Clear logs manually).

    You can check if you are in one situation of the three options above. It seems either the log is overwritten or the log is cleared manually by default.

    If not, we can check if the "modified time" is changed. I manually delete an event ID, then the "modified time" is changed to the same time I perform the deletion operation.

    And after I delete one event ID, I can see the event ID 1102 (log clear) in the security log.


    You can try to check. Hope the information above is helpful.

    Best Regards,
    Daisy Zhou


    If the Answer is helpful, please click "Accept Answer" and upvote it.
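
The checks suggested in the two answers above (retention option, log size, evidence of clearing via event 1102) can be run in one pass from an elevated PowerShell session on the DC. This is an added example, not code from either answer; the `$lookbackHours` window is an assumption to adjust to when the lockout happened.

```powershell
# Added example: run in an elevated PowerShell session on the domain controller.
$lookbackHours = 24   # assumption: how far back the lockout of interest occurred

# 1. Which of the three retention options is set, and how big may the log grow?
$log = Get-WinEvent -ListLog Security
$option = switch ($log.LogMode.ToString()) {
    'Circular'   { 'Overwrite events as needed (oldest events first)' }
    'AutoBackup' { 'Archive the log when full, do not overwrite events' }
    'Retain'     { 'Do not overwrite events (Clear logs manually)' }
}
[pscustomobject]@{
    RetentionOption = $option
    MaxSizeMB       = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    CurrentSizeMB   = [math]::Round($log.FileSize / 1MB, 1)
    RecordCount     = $log.RecordCount
    LastWriteTime   = $log.LastWriteTime   # the "modified time" of the log file
} | Format-List

# 2. How far back does the log actually reach? On a busy DC a small
#    circular log can wrap within hours.
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$span   = (Get-Date) - $oldest.TimeCreated
'Oldest event: {0} ({1:N1} hours ago)' -f $oldest.TimeCreated, $span.TotalHours
if ($span.TotalHours -lt $lookbackHours) {
    Write-Warning "Log reaches back less than $lookbackHours h; anything older was overwritten or cleared."
}

# 3. Was the log cleared? Event 1102 records who cleared it and when.
$cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } `
    -ErrorAction SilentlyContinue
if ($cleared) {
    $cleared | Select-Object TimeCreated, Id, Message | Format-List
} else {
    'No 1102 (log cleared) events found.'
}

# 4. Lockout (4740) and unlock (4767) events still present in the window.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740, 4767
    StartTime = (Get-Date).AddHours(-$lookbackHours)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, RecordId, MachineName |
    Sort-Object TimeCreated
```

If step 2 shows the oldest event is only a few hours old and step 3 finds no 1102, the log is wrapping at its maximum size rather than being cleared.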
