Security Event log IDs 4740 & 4767 appear and then disappear

tech_tc 26 Reputation points
2022-09-09T00:05:46.21+00:00

Has anyone experienced this issue?

While troubleshooting account lockouts, I can search Event Viewer for IDs 4740 & 4767 and get events returned. Then a few hours later, when the account has automatically unlocked, it is no longer possible to find those historical events in Event Viewer.

Where do they disappear to? Is there a special retention policy for these specific IDs?

Any help or pointers would be much appreciated.

This is a 2012R2 DC


Accepted answer
  1. William Light 81 Reputation points
    2022-09-14T08:14:05.627+00:00

    By default, there is no retention policy or mechanism that would delete Windows Event Viewer logs. If your search criteria filter isn't the issue within the event logs, I would suggest checking for another mechanism, i.e. did someone set up a script to delete these logs, is the Security log set to delete at a specific size, date range, etc.

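The checks suggested in the answer above, as an added example that is not part of the original thread: it reads the Security log's configuration (mode, size, oldest surviving record) on the DC, compares the oldest record with the time the events were seen, and re-runs the 4740/4767 search with a server-side filter so that an Event Viewer filter problem can be ruled out. Because bad-password counts are forwarded to the PDC emulator, 4740 is always recorded there, so the script also prints which DC holds that role. The `$seenAt` value (six hours ago) and the `-ComputerName` parameter are assumptions for illustration; run it elevated on, or against, the DC that was searched.

```powershell
# Added example (not the original poster's or answerer's code): check whether the
# Security log's mode and size explain 4740/4767 disappearing, then search again.
param([string]$ComputerName = $env:COMPUTERNAME)

# 4740 is recorded on the PDC emulator whenever an account is locked out; if that
# is not the DC being searched, the events may simply never have been there.
$pdc = (Get-ADDomain).PDCEmulator
Write-Host ("Querying {0}; PDC emulator is {1}" -f $ComputerName, $pdc)

# 1. Log configuration. LogMode maps to the three Event Viewer options:
#    Circular = "Overwrite events as needed", AutoBackup = "Archive the log when
#    full", Retain = "Do not overwrite events (Clear logs manually)".
$log    = Get-WinEvent -ListLog Security -ComputerName $ComputerName
$oldest = Get-WinEvent -LogName Security -ComputerName $ComputerName -Oldest -MaxEvents 1

[pscustomobject]@{
    LogMode         = $log.LogMode
    MaxSizeMB       = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    FileSizeMB      = [math]::Round($log.FileSize / 1MB, 1)
    RecordCount     = $log.RecordCount
    IsLogFull       = $log.IsLogFull
    OldestEventTime = $oldest.TimeCreated
    LastWriteTime   = $log.LastWriteTime
} | Format-List

# 2. If the oldest surviving event is newer than the time the 4740/4767 events
#    were observed, the log has wrapped (Circular) or been cleared; nothing was
#    "hidden", the records are gone from this log.
$seenAt = (Get-Date).AddHours(-6)   # assumption: when the events were first seen
if ($oldest.TimeCreated -gt $seenAt) {
    Write-Warning ("Oldest Security event on {0} is from {1}; everything before " +
                   "that has been overwritten or cleared." -f $ComputerName, $oldest.TimeCreated)
}

# 3. Search by ID and time window with a server-side filter instead of the
#    Event Viewer UI filter. Properties[0] is TargetUserName for both IDs.
$filter = @{ LogName = 'Security'; Id = 4740, 4767; StartTime = $seenAt.AddHours(-18) }
Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Account'; e = { $_.Properties[0].Value } } |
    Format-Table -AutoSize
```

On a 2012 R2 DC the default Security log is comparatively small and busy, so a `Circular` mode together with an `OldestEventTime` only a few hours old is the usual explanation; in that case raising `MaximumSizeInBytes` (or switching to `AutoBackup` and forwarding the log) is the fix, not a search problem.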

1 additional answer

  1. Daisy Zhou 23,971 Reputation points Microsoft Vendor
    2022-09-21T06:43:19.487+00:00

    Hello techtc-2144,

    Thank you for posting in our Q&A forum.

    Hope the information provided by BillLight is helpful to you.

    Usually, we can see three options in the Security log Properties (and in the Properties of other logs):
    Overwrite events as needed (oldest events first).
    Archive the log when full, do not overwrite events.
    Do not overwrite events (Clear logs manually).


    You can check which of the three options above applies in your situation. It seems either the log is overwritten or the log is cleared manually by default.

    If not, we can check whether the "modified time" has changed. I manually deleted an event ID, and the "modified time" changed to the same time at which I performed the deletion.

    And after I deleted one event ID, I could see event ID 1102 (log clear) in the Security log.


    You can try to check. Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

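The "modified time" and event 1102 checks from the answer above, as an added example that is not part of the original thread, extended with the one place the events can legitimately "disappear to": when the log is set to "Archive the log when full", the full log is saved as `Archive-Security-*.evtx` next to the live log and the live log starts empty, so searching the archive files is what recovers the old 4740/4767 records. The script prints the `.evtx` modification time, lists 1102 (Security log cleared) and 104 (another log cleared, recorded in System) events with the account that cleared the log, and then searches every archive file for 4740/4767. Paths assume the default log directory; run it elevated on the DC.

```powershell
# Added example (not the answerer's code): detect log clearing and search archived
# Security logs for lockout (4740) and unlock (4767) events.
$logDir  = Join-Path $env:SystemRoot 'System32\winevt\Logs'   # default location
$secFile = Join-Path $logDir 'Security.evtx'

# 1. The live log file's modification time, to compare with any clear event.
Write-Host ("Security.evtx last modified: {0}" -f (Get-Item $secFile).LastWriteTime)

# 2. Clear events. 1102 is written to the Security log itself when it is cleared
#    (Properties[1] is SubjectUserName, the account that cleared it); 104 goes to
#    the System log when any other log is cleared.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'ClearedBy'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap

# 3. Archived copies created by "Archive the log when full". Each file is a complete
#    log, so it can be queried with the same XPath filter as the live log.
$archives = Get-ChildItem $logDir -Filter 'Archive-Security-*.evtx' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime
if (-not $archives) {
    Write-Host "No archived Security logs found in $logDir"
}
foreach ($a in $archives) {
    Get-WinEvent -Path $a.FullName -FilterXPath '*[System[(EventID=4740 or EventID=4767)]]' -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Archive'; e = { $a.Name } }, TimeCreated, Id,
            @{ n = 'Account'; e = { $_.Properties[0].Value } }
}
```

If the script reports no 1102 event, no archive files and a Security.evtx that has been modified continuously, the records were not deleted; they were overwritten, and the remedy is a larger log or log forwarding to a collector so that lockout history survives the roll-over.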
