Hi @Sayed Mohammed Junaid ,
As regards to the EventID 1102 which means that audit logs are cleared, based on my research it usually shows up in the SECURITY logs:
But “AgentLogFile=Application” included in the logs you mentioned earlier indicates this is an Application event which will be located in the APPLICATION logs:
Also according to description in this official document, this event log doesn't seem to be related to "Microsoft-Filtering-FIPFS" and "MS Filtering Engine Update process is running" mentioned in the logs you shared above:
Therefore, it seems to me that the event ID 1102 in your case is different from the event which means "Windows Security audit log was cleared".
While after searching a lot there isn't an official article explaining this application event 1102 specifically for Exchange server, according to the clues I found from some other threads(like "That is the anti-malware update" in this thread ), events involving "MS Filtering Engine Update process" in the APPLICATION logs usually occurs when Exchange is downloading the antimalware engine and definition updates. I checked it in my test lab and also noticed some events for FIPFS, all these events have "NETWORK SERVICE" showing as the USER, so it looks normal that "User=NETWORK SERVICE" is contained in your events:
With the above being said, and considering that the "Message=MS Filtering Engine Update process is running" in the event logs doesn't sound like there's anything wrong, I assume you can rest assured and just ignore this event.
Furthermore, noticed the thread below which discussed the application Event 1102, and the reply provided there by Joyce also indicates such kind of logs can be ingored safely:
Microsoft-Filtering-FIPFS
"So it should be different if it comes in security or application event id 1102. And the level of the log above is information, generally Information messages indicate a successful action. We can ignore such kind of logs safely."
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 85%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 0%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYS%3C/text%3E%3C/svg%3E)