Event ID - 517

Event Id: 517
Description: The audit log was cleared.

Primary User Name: <Primary User Name>
Primary Domain: <Primary Domain>
Primary Logon ID: <Primary Logon ID>
Client User Name: <Client User Name>
Client Domain: <Client Domain>
Client Logon ID: <Client Logon ID>

Event Information
Cause:
This event record indicates that the audit log has been cleared. This event is always recorded, regardless of the audit policy; it is recorded even if auditing is turned off. The audit log should be saved to a file before deleting. Always keeping copies of audit logs helps catch fraudulent users: a user with sufficient privileges can delete the audit log to erase evidence of tampering with the computer systems and files. A backed-up audit log will help trace an unauthorized user. Once deleted, an audit log is lost unless a copy was made and saved before deleting.

Always save copies of your audit logs before deleting them.
Reference Links
Microsoft product: Windows Operating System
Version: 5.0
Event Source: Security
Event ID: 517

Alternate Event ID in Vista and Windows Server 2008 is 1102.
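
The following is an added example, not part of the original page: a small detector that scans exported event records for ID 517 or 1102 in the Security log and pulls the account fields out of the description. The record layout (`time`, `log`, `event_id`, `message`), the sample events, and the 1102 field names (`Account Name`, `Domain Name`) are assumptions made for the example.

```python
LOG_CLEARED_IDS = {517, 1102}  # 1102 is the Vista / Windows Server 2008 ID

def parse_fields(message):
    """Collect the 'Key: value' lines of an event description."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def account(fields, user_key, domain_key):
    """Return DOMAIN\\user, or None when the user field is absent or '-'."""
    user = fields.get(user_key, "")
    if user in ("", "-"):
        return None
    domain = fields.get(domain_key, "")
    return f"{domain}\\{user}" if domain not in ("", "-") else user

def find_log_clears(events):
    """Return one finding per 'audit log was cleared' record, oldest first."""
    findings = []
    for ev in events:
        if ev["log"] != "Security" or ev["event_id"] not in LOG_CLEARED_IDS:
            continue
        fields = parse_fields(ev["message"])
        findings.append({
            "time": ev["time"],
            "event_id": ev["event_id"],
            "primary": account(fields, "Primary User Name", "Primary Domain"),
            "client": account(fields, "Client User Name", "Client Domain"),
            # Field names of the 1102 layout are an assumption, not from this page.
            "subject": account(fields, "Account Name", "Domain Name"),
        })
    return sorted(findings, key=lambda f: f["time"])

# Constructed sample records (not from a real system).
MSG_517 = ("The audit log was cleared.\n\n"
           "Primary User Name: SYSTEM\n      Primary Domain: NT AUTHORITY\n"
           "      Primary Logon ID: (0x0,0x3E7)\n      Client User Name: jdoe\n"
           "      Client Domain: CORP\n      Client Logon ID: (0x0,0x1A2B3)")
MSG_1102 = ("The audit log was cleared.\nSubject:\n\tSecurity ID:\tS-1-5-21-0-0-0-1001\n"
            "\tAccount Name:\tsvc-backup\n\tDomain Name:\tCORP\n\tLogon ID:\t0x4F2A1")
SAMPLE_EVENTS = [
    {"time": "2024-03-02T04:30:12", "log": "Security", "event_id": 1102, "message": MSG_1102},
    {"time": "2024-03-02T01:14:09", "log": "Security", "event_id": 528, "message": "Successful Logon:\n User Name: jdoe"},
    {"time": "2024-03-02T01:15:40", "log": "Security", "event_id": 517, "message": MSG_517},
    {"time": "2024-03-02T02:00:00", "log": "Application", "event_id": 517, "message": "unrelated"},
]

if __name__ == "__main__":
    for finding in find_log_clears(SAMPLE_EVENTS):
        print(finding)
```

Because the event is written even when auditing is off, a match on these IDs is worth alerting on whenever no archived copy of the log exists for the same time window.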
