Windows Event Logs Cleared

Hi All,

I'm trying to find out why our MS Exchange server logs were cleared, but couldn't find out why. Our SIEM indicated that it was triggered by Microsoft-Windows-Eventlog: Event ID 104. Upon checking, event ID 104 is a normal condition and no further action is required (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc775044(v=ws.10)?redirectedfrom=MSDN). I have tried to check if there were any suspicious logins on the admin accounts, but we didn't find anything. Can you advise?

The log for event ID 104 is below.


{
"hostIdentifier": "00000000-cbe8-42a1-b497-f6a538fdfc75",
"BackupPath": "",
"Channel": "Microsoft-Exchange-ManagedAvailability/ThrottlingConfig",
"LogFileCleared": "",
"SubjectDomainName": "NT AUTHORITY",
"SubjectUserName": "SYSTEM",
"datetime": "2021-04-02T10:16:39.436600800Z",
"eventid": "104",
"keywords": "-1",
"level": "4",
"provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
"provider_name": "Microsoft-Windows-Eventlog",
"source": "System",
"task": "104",
"time": "1617358599"
}

office-exchange-server-administration
ninessas-6706 answered

Sorry, the title is "Windows Event Logs Cleared".

joyceshen-MSFT answered

Hi @ninessas-6706

What's your Exchange server version? Do you mean your event logs were cleared and you want to find out 'who' deleted them?

Please correct me if I have any misunderstanding about your question. If that's the case, we could refer to the threads below, which discussed similar issues:

How to find out who deleted Event Viewer logs
Windows event logs clears or delete itself??
Audit Event logs clear Microsoft-Exchange Activemonitoring ManagedAvailability

Also check that your system logs are not being overwritten by themselves due to the maximum size, let's say 10 MB or so.
Exchange server will not actively delete logs. If you are sure the logs were deleted, I would suggest you use another tool to monitor which application deleted the logs.


If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
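One way to triage log-cleared events like the record in the question before escalating: the following is an added example (not code from the thread or from Microsoft) that reads event records as JSON lines and ranks them by which channel was cleared and by whom. It assumes the field names shown in the question's record; the sample records other than the first are constructed for this example, and event 1102 (written to the Security log itself when that log is cleared) is included because its SubjectLogonId is the field to pivot on when looking for the responsible logon session.

```python
import json

# Constructed sample input: the record from the question plus two made-up records
# (a Security log clear reported as 104, and the matching 1102 audit event).
SAMPLE_RECORDS = [
    json.dumps({"Channel": "Microsoft-Exchange-ManagedAvailability/ThrottlingConfig",
                "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
                "eventid": "104", "provider_name": "Microsoft-Windows-Eventlog",
                "source": "System"}),
    json.dumps({"Channel": "Security", "SubjectDomainName": "CORP",
                "SubjectUserName": "jdoe", "eventid": "104",
                "provider_name": "Microsoft-Windows-Eventlog", "source": "System"}),
    json.dumps({"SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
                "SubjectLogonId": "0x3e7a1", "eventid": "1102",
                "provider_name": "Microsoft-Windows-Security-Auditing",
                "source": "Security"}),
]

# Assumption for this example: a clear of an Exchange Managed Availability crimson
# channel by SYSTEM is lower priority than a clear of the classic logs by a user.
EXCHANGE_MA_PREFIX = "Microsoft-Exchange-ManagedAvailability/"
HIGH_VALUE_CHANNELS = {"Security", "System", "Application"}

def triage(record):
    """Return (priority, reason) for one event record (a dict)."""
    eid = str(record.get("eventid", ""))
    subject = f"{record.get('SubjectDomainName', '')}\\{record.get('SubjectUserName', '')}"
    # 1102 is logged to the Security log when the Security log is cleared.
    if eid == "1102" and record.get("provider_name") == "Microsoft-Windows-Security-Auditing":
        return ("high", f"Security log cleared by {subject}, "
                        f"logon id {record.get('SubjectLogonId')}")
    # 104 is logged to the System log by Microsoft-Windows-Eventlog for any cleared channel.
    if eid != "104" or record.get("provider_name") != "Microsoft-Windows-Eventlog":
        return ("ignore", "not a log-cleared event")
    channel = record.get("Channel", "")
    if channel in HIGH_VALUE_CHANNELS:
        return ("high", f"{channel} log cleared by {subject}; review logons around this time")
    if channel.startswith(EXCHANGE_MA_PREFIX) and record.get("SubjectUserName") == "SYSTEM":
        return ("low", f"{channel} cleared by SYSTEM; confirm the clearing process is Exchange's "
                       "own and check the channel's maximum size and retention settings")
    return ("medium", f"{channel} cleared by {subject}")

def triage_lines(lines):
    """Triage a sequence of JSON-encoded event records."""
    return [triage(json.loads(line)) for line in lines]

if __name__ == "__main__":
    for priority, reason in triage_lines(SAMPLE_RECORDS):
        print(priority.upper(), reason)
```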