can see audit logs are cleared by NETWORK SERVICE. Want to know if this is expected or not.

Sayed Junaid 21 Reputation points
2021-08-28T09:09:02.187+00:00

Hi
Lately, I am seeing below logs from Exchange server:

"AgentDevice=WindowsLog AgentLogFile=Application Source=Microsoft-Filtering-FIPFS Computer=XYZ User=NETWORK SERVICE Domain=NETWORK SERVICE EventID=1102 EventIDCode=1102 EventType=4 EventCategory=0 RecordNumber=XYZ TimeGenerated=XYZ TimeWritten=XYZ Message=MS Filtering Engine Update process is running. "

Per event ID 1102 it means that audit logs are cleared. Can someone tell me why the audit logs are being cleared by NETWORK SERVICE? what exactly is causing it and whether it is expected? I confirmed with the team that they didn't make any changes.

Microsoft System Center
Microsoft System Center
A suite of Microsoft systems management products that offer solutions for managing datacenter resources, private clouds, and client devices.
885 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,440 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,189 questions
0 comments No comments
{count} votes

Accepted answer
  1. VipulSparsh-MSFT 16,251 Reputation points Microsoft Employee
    2021-08-30T04:23:26.773+00:00

    @Sayed Junaid Thanks for reaching out.

    You should not see event normally, I would highly recommend to investigate this as this might be a attempt to delete the proof of entry to the system or a breach.
    There might be genuine scenarios as well like any service getting upgraded which might try to do this. (Rare case)

    A thorough investigation needs to be happen either way.

    -----------------------------------------------------------------------------------------------------------------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Yuki Sun-MSFT 40,916 Reputation points
    2021-08-30T04:44:51.593+00:00

    Hi @Sayed Junaid

    As regards to the EventID 1102 which means that audit logs are cleared, based on my research it usually shows up in the SECURITY logs:
    127396-1.png
    But “AgentLogFile=Application” included in the logs you mentioned earlier indicates this is an Application event which will be located in the APPLICATION logs:
    127367-2.png

    Also according to description in this official document, this event log doesn't seem to be related to "Microsoft-Filtering-FIPFS" and "MS Filtering Engine Update process is running" mentioned in the logs you shared above:
    127456-3.png

    Therefore, it seems to me that the event ID 1102 in your case is different from the event which means "Windows Security audit log was cleared".

    While after searching a lot there isn't an official article explaining this application event 1102 specifically for Exchange server, according to the clues I found from some other threads(like "That is the anti-malware update" in this thread ), events involving "MS Filtering Engine Update process" in the APPLICATION logs usually occurs when Exchange is downloading the antimalware engine and definition updates. I checked it in my test lab and also noticed some events for FIPFS, all these events have "NETWORK SERVICE" showing as the USER, so it looks normal that "User=NETWORK SERVICE" is contained in your events:
    127379-4.png

    With the above being said, and considering that the "Message=MS Filtering Engine Update process is running" in the event logs doesn't sound like there's anything wrong, I assume you can rest assured and just ignore this event.

    Furthermore, noticed the thread below which discussed the application Event 1102, and the reply provided there by Joyce also indicates such kind of logs can be ingored safely:
    Microsoft-Filtering-FIPFS
    "So it should be different if it comes in security or application event id 1102. And the level of the log above is information, generally Information messages indicate a successful action. We can ignore such kind of logs safely."


    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    2 people found this answer helpful.