Share via

Event 1102 - audit log was cleared

Anonymous
2024-03-24T19:00:02+00:00

Hello everyone,

I have SOC as a service at my company, they reported an incident called "Audit log was cleared"

Event ID 1102, on Exchange server (2012) and this log was cleared by the user ID: S-1-5-20.

I did different searches on the Internet and I found that user is NetworkService account.

I have tried to search for this log on the event viewer but I didn't find anything related.

How could this account clear the log and how could I investigate with this incident, help please!

Windows Server Remote and virtual desktops

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2024-03-26T08:06:52+00:00

    Thanks for posting in the Microsoft Community forum!

    From the description above, I understand that your question is related to “Exchange Server”.

    Since there are no engineers dedicated to this topic on this forum. To be able to get a quick and effective treatment of your problem, I recommend that you repost your question in the Q&A forum, where there will be a dedicated engineer to give you a professional and effective answer.

    Here is the link to the Q&A forum.

    Questions - Microsoft Q&A

    Click the "Ask a Question" button in the top right corner to post your question and select relevant tags with “Exchange Server”.

    I hope the above information is helpful.

    Regards,

    Jacen Wang

    0 comments