Microsoft-Windows-Eventlog

41 events across 4 channels

Event	Title	Channel	Sample
20	The event logging service encountered an error ErrorCode while obtaining or …	System	N
21	The event logging service encountered a configuration-related error …	System	N
22	The event logging service encountered an error while initializing publishing …	System	N
23	The event logging service encountered an error (res=ErrorCode) while …	System	N
25	The event logging service encountered a corrupt log file for channel …	System	N
26	The event logging service encountered a log file for channel ChannelPath which …	System	N
27	The event logging service encountered an error (res=ErrorCode) while opening log …	System	N
28	The event logging service encountered an error (res=ErrorCode) while parsing …	System	N
29	The event logging service encountered a fatal error (res=ErrorCode) when …	System	N
30	The event logging service encountered an error …	System	Y
31	The event logging service encountered an error (res=ErrorCode) while opening …	System	N
40	The event logging service encountered an error when attempting to apply one or …	System	N
100	The event logging service encountered an error while processing an incoming …	Analytic	N
102	The event logging service encountered an error while processing an incoming …	Analytic	N
103	Events have been dropped by the transport.	Analytic	N
104	The LogFileCleared.Channel log file was cleared.	System	Y
105	Event log automatic backup.	System	Y
106	Corruption was detected in the log for the Channel channel and some data was …	System	N
107	The event logging service encountered an error ErrorCode while going through …	Analytic	N
108	The previous system shutdown was unexpected.	System	N
109	The event logging service encountered an error while processing an incoming …	Analytic	N
110	Loading metadata for publisher PublisherName (PublisherGuid) and trying to …	Debug	N
111	Finished loading metadata for publisher PublisherName (PublisherGuid), with …	Debug	N
112	Failed to load metadata for publisher PublisherName (PublisherGuid).	Debug	N
200	Channel ChannelName (ChannelType) was enabled (Enabled) programmatically.	Analytic	N
201	A push subscription was created for ChannelName.	Analytic	N
202	A pull subscription was created for ChannelName.	Analytic	N
203	OpenEventLog legacy API was used to open ModuleName.	Analytic	N
204	RegisterEventSource legacy API was used to register ModuleName.	Analytic	Y
205	ReportEvent legacy API was used to write an event to ModuleName.	Analytic	Y
517	The audit log was cleared (legacy Windows 2000/XP/2003 event; superseded by …	Security	N
1100	The event logging service has shut down.	Security	Y
1101	Audit events have been dropped by the transport.	Security	Y
1102	The audit log was cleared.	Security	Y
1103	The security log is now PercentFull percent full.	Security	N
1104	The security log is now full.	Security	N
1105	Event log automatic backup.	Security	N
1106	Events have been dropped by the event logging service.	Security	N
1107	The event logging service encountered an error while processing an incoming …	Security	Y
1108	The event logging service encountered an error while processing an incoming …	Security	Y
6000	The Channel log file is full.	System	N

Event ID 20: The event logging service encountered an error ErrorCode while obtaining or processing configuration for channel Path.

Provider: Microsoft-Windows-Eventlog
Channel: System
Task: Servicestartup

Description

The event logging service encountered an error ErrorCode while obtaining or processing configuration for channel Path.

Message #

The event logging service encountered an error %1 while obtaining or processing configuration for channel %2.

Fields #

Name	Description
`ErrorCode` UInt32
`Path` UnicodeString

Event ID 21: The event logging service encountered a configuration-related error (res=ErrorCode) for channel ChannelPath.

Provider: Microsoft-Windows-Eventlog
Channel: System
Task: Servicestartup

Description

The event logging service encountered a configuration-related error (res=ErrorCode) for channel ChannelPath. The error was encountered while processing the ConfigProperty configuration property.

Message #

The event logging service encountered a configuration-related error (res=%1) for channel %2. The error was encountered while processing the %3 configuration property.

Fields #

Name	Description
`ErrorCode` UInt32
`ChannelPath` UnicodeString
`ConfigProperty` UnicodeString

Event ID 22: The event logging service encountered an error while initializing publishing resources for channel Path.

Provider: Microsoft-Windows-Eventlog
Channel: System
Task: Servicestartup

Description

The event logging service encountered an error while initializing publishing resources for channel Path. If channel type is Analytic or Debug, then this could mean there was an error initializing logging resources as well.

Message #

The event logging service encountered an error while initializing publishing resources for channel %2. If channel type is Analytic or Debug, then this could mean there was an error initializing logging resources as well.

Fields #

Name	Description
`ErrorCode` UInt32
`Path` UnicodeString

Event ID 23: The event logging service encountered an error (res=ErrorCode) while initializing logging resources for channel Path.

Provider: Microsoft-Windows-Eventlog
Channel: System
Task: Servicestartup

Description

The event logging service encountered an error (res=ErrorCode) while initializing logging resources for channel Path.

Message #

The event logging service encountered an error (res=%1) while initializing logging resources for channel %2.

Fields #

Name	Description
`ErrorCode` UInt32
`Path` UnicodeString

Event ID 25: The event logging service encountered a corrupt log file for channel ChannelPath.

Provider: Microsoft-Windows-Eventlog
Channel: System
Task: Servicestartup

Description

The event logging service encountered a corrupt log file for channel ChannelPath. The log was renamed with a .corrupt extension.

Message #

The event logging service encountered a corrupt log file for channel %1. The log was renamed with a .corrupt extension.

Fields #

Name	Description
`ChannelPath` UnicodeString

Event ID 26: The event logging service encountered a log file for channel ChannelPath which is an unsupported version.

Provider: Microsoft-Windows-Eventlog
Channel: System
Task: Servicestartup

Description

The event logging service encountered a log file for channel ChannelPath which is an unsupported version. The log was renamed with a .UnsupportedVer extension.

Message #

The event logging service encountered a log file for channel %1 which is an unsupported version. The log was renamed with a .UnsupportedVer extension.

Fields #

Name	Description
`ChannelPath` UnicodeString

Event ID 27: The event logging service encountered an error (res=ErrorCode) while opening log file for channel ChannelPath.

Provider: Microsoft-Windows-Eventlog
Channel: System
Task: Servicestartup

Description

The event logging service encountered an error (res=ErrorCode) while opening log file for channel ChannelPath. Trying again using default log file path FailedLogFilePath.

Message #

The event logging service encountered an error (res=%1) while opening log file for channel %2. Trying again using default log file path %3.

Fields #

Name	Description
`ErrorCode` UInt32
`ChannelPath` UnicodeString
`FailedLogFilePath` UnicodeString
`NewLogFilePath` UnicodeString

Event ID 28: The event logging service encountered an error (res=ErrorCode) while parsing filter for channel ChannelPath.

Provider: Microsoft-Windows-Eventlog
Channel: System
Task: Servicestartup

Description

The event logging service encountered an error (res=ErrorCode) while parsing filter for channel ChannelPath. Will continue without filter.

Message #

The event logging service encountered an error (res=%1) while parsing filter for channel %2. Will continue without filter.

Fields #

Name	Description
`ErrorCode` UInt32
`ChannelPath` UnicodeString

Event ID 29: The event logging service encountered a fatal error (res=ErrorCode) when applying settings to the ChannelPath channel.

Provider: Microsoft-Windows-Eventlog
Channel: System

Description

The event logging service encountered a fatal error (res=ErrorCode) when applying settings to the ChannelPath channel. The service is shutting down since this channel is vital to its operation.

Message #

The event logging service encountered a fatal error (res=%1) when applying settings to the %2 channel. The service is shutting down since this channel is vital to its operation.

Fields #

Name	Description
`ErrorCode` UInt32
`ChannelPath` UnicodeString

Event ID 30: The event logging service encountered an error (InitChannelPublisherEnableFailure.ErrorCode) while enabling publisher InitChannelPublisherEnableFailure.PublisherGuid to channel InitChannelPublisher...

Provider: Microsoft-Windows-Eventlog
Channel: System
Level: Error
Task: Servicestartup

Description

The event logging service encountered an error (ErrorCode) while enabling publisher PublisherGuid to channel ChannelPath. This does not affect channel operation, but does affect the ability of the publisher to raise events to the channel. One common reason for this error is that the Provider is using ETW Provider Security and has not granted enable permissions to the Event Log service identity.

Message #

The event logging service encountered an error (%1) while enabling publisher %3 to channel %2. This does not affect channel operation, but does affect the ability of the publisher to raise events to the channel. One common reason for this error is that the Provider is using ETW Provider Security and has not granted enable permissions to the Event Log service identity.

Fields #

Name	Description
`ErrorCode` UInt32
`ChannelPath` UnicodeString
`PublisherGuid` GUID

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148",
    "event_source_name": "",
    "event_id": 30,
    "version": 0,
    "level": 2,
    "task": 100,
    "opcode": 0,
    "keywords": 9223372036854906880,
    "time_created": "2026-03-13T19:59:15.259008+00:00",
    "event_record_id": 11634,
    "correlation": {},
    "execution": {
      "process_id": 1844,
      "thread_id": 8176
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "user_data": {
    "InitChannelPublisherEnableFailure": {
      "ErrorCode": 5,
      "ChannelPath": "Microsoft-Windows-WinINet-Capture/Analytic",
      "PublisherGuid": "A70FF94F-570B-4979-BA5C-E59C9FEAB61B"
    }
  },
  "message": ""
}

Event ID 31: The event logging service encountered an error (res=ErrorCode) while opening configuration for primary channel ChannelPath.

Provider: Microsoft-Windows-Eventlog
Channel: System
Task: Servicestartup

Description

The event logging service encountered an error (res=ErrorCode) while opening configuration for primary channel ChannelPath. Trying again using default configuration. This problem usually occurs if registry has been corrupted or explicitly misconfigured.

Message #

The event logging service encountered an error (res=%1) while opening configuration for primary channel %2. Trying again using default configuration. This problem usually occurs if registry has been corrupted or explicitly misconfigured.

Fields #

Name	Description
`ErrorCode` UInt32
`ChannelPath` UnicodeString

Event ID 40: The event logging service encountered an error when attempting to apply one or more policy settings.

Provider: Microsoft-Windows-Eventlog
Channel: System

Description

The event logging service encountered an error when attempting to apply one or more policy settings.

Message #

The event logging service encountered an error when attempting to apply one or more policy settings.

Fields #

Name	Description
`ErrorCode` UInt32
`ChannelPath` UnicodeString

Event ID 100: The event logging service encountered an error while processing an incoming event published from PubID.

Provider: Microsoft-Windows-Eventlog
Channel: Analytic
Task: Eventprocessing

Description

The event logging service encountered an error while processing an incoming event published from PubID.

Message #

The event logging service encountered an error while processing an incoming event published from %3.

Fields #

Name	Description
`ErrorCode` UInt32
`EventID` UInt16
`PubID` UnicodeString

Event ID 102: The event logging service encountered an error while processing an incoming event from publisher PublisherName and trying to process the metadata for it.

Provider: Microsoft-Windows-Eventlog
Channel: Analytic
Task: Eventprocessing

Description

The event logging service encountered an error while processing an incoming event from publisher PublisherName and trying to process the metadata for it.

Message #

The event logging service encountered an error while processing an incoming event from publisher %3 and trying to process the metadata for it.

Fields #

Name	Description
`ErrorCode` UInt32
`EventID` UInt16
`PublisherName` UnicodeString
`PublisherGuid` GUID
`ProcessID` UInt32

Event ID 103: Events have been dropped by the transport.

Provider: Microsoft-Windows-Eventlog
Channel: Analytic
Task: Eventprocessing

Description

Events have been dropped by the transport. The session name is SessionName and the reason code is Reason.

Message #

Events have been dropped by the transport.  The session name is %2 and the reason code is %1.

Fields #

Name	Description
`Reason` UInt8
`SessionName` UnicodeString

Event ID 104: The LogFileCleared.Channel log file was cleared.

Provider: Microsoft-Windows-Eventlog
Channel: System
Level: Informational
Collection Priority: Recommended (Microsoft-WEF, others)
Task: Logclear

Description

The LogFileCleared.Channel log file was cleared.

Message #

The %3 log file was cleared.

Fields #

Name	Description	Rules
`LogFileCleared.SubjectUserName`
`LogFileCleared.SubjectDomainName`
`LogFileCleared.Channel`
`LogFileCleared.BackupPath`
`SubjectUserName`
`SubjectDomainName`
`Channel`		12 detection rules
`BackupPath`
`ClientProcessId`
`ClientProcessStartKey`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}",
    "event_source_name": "",
    "event_id": 104,
    "version": 0,
    "level": 4,
    "task": 104,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-28T00:50:57.4445174+00:00",
    "event_record_id": 6146,
    "correlation": {},
    "execution": {
      "process_id": 1616,
      "thread_id": 3308
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1000"
    }
  },
  "user_data": {
    "LogFileCleared": {
      "SubjectUserName": "localuser",
      "SubjectDomainName": "cell-a",
      "Channel": "Windows PowerShell",
      "BackupPath": ""
    }
  },
  "message": "The Windows PowerShell log file was cleared."
}

Detection Patterns #

Event Log Cleared

Eventlog Event ID 104: The LogFileCleared.Channel log file was cleared.OREvent ID 1102: The audit log was cleared.

4 rules

Sigma

Event log cleared (native) (source)

mdecrevoisier

Elastic

Windows Event Logs Cleared (source)

Elastic, Anabella Cristaldi

Splunk

Clear Windows Event Logs (Windows Event Log) (source)

Windows Event Log Cleared (source)

Rico Valdez, Michael Haag, Splunk

Event Logs

Eventlog Event ID 104: The LogFileCleared.Channel log file was cleared.OREvent ID 517: The audit log was cleared (legacy Windows 2000/XP/2003 event; superseded by 1102).OREvent ID 1102: The audit log was cleared.

3 rules

Sigma

Event log cleared (native) (source)

mdecrevoisier

Elastic

Windows Event Logs Cleared (source)

Elastic, Anabella Cristaldi

Splunk

Clear Windows Event Logs (Windows Event Log) (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`Microsoft-Windows-Eventlog`	2 rules	sigma

Community Notes #

This will show System, Application, and other non-Security logs being cleared. Review the event to identify which one.

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

Eventlog Cleared source medium: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
Important Windows Eventlog Cleared source high: Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution

Event ID 105: Event log automatic backup.

Provider: Microsoft-Windows-Eventlog
Channel: System
Level: Informational
Task: Logautomaticbackup

Description

Event log automatic backup.

Message #

Event log automatic backup
	Log: %1
	File: %2

Fields #

Name	Description
`Channel`
`BackupPath`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
    "event_source_name": "",
    "event_id": 105,
    "version": 0,
    "level": 4,
    "task": 105,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2012-03-26T05:50:08.470644Z",
    "event_record_id": 13049,
    "correlation": {},
    "execution": {
      "process_id": 772,
      "thread_id": 4256
    },
    "channel": "System",
    "computer": "WKS-WIN764BITB.shieldbase.local",
    "security": {
      "user_id": ""
    }
  },
  "user_data": {
    "AutoBackup": {
      "xmlns:auto-ns3": "http://schemas.microsoft.com/win/2004/08/events",
      "Channel": "Application",
      "BackupPath": "C:\\Windows\\System32\\Winevt\\Logs\\Archive-Application-2012-03-26-05-50-01-755.evtx"
    }
  }
}

Event ID 106: Corruption was detected in the log for the Channel channel and some data was erased.

Provider: Microsoft-Windows-Eventlog
Channel: System

Description

Corruption was detected in the log for the Channel channel and some data was erased.

Message #

Corruption was detected in the log for the %1 channel and some data was erased.

Fields #

Name	Description
`Channel` UnicodeString

Event ID 107: The event logging service encountered an error ErrorCode while going through publisher configuration.

Provider: Microsoft-Windows-Eventlog
Channel: Analytic

Description

The event logging service encountered an error ErrorCode while going through publisher configuration. The publisher ProviderName is already installed with GUID PublisherGuid.

Message #

The event logging service encountered an error %1 while going through publisher configuration. The publisher %2 is already installed with GUID %3.

Fields #

Name	Description
`ErrorCode` UInt32
`ProviderName` UnicodeString
`PublisherGuid` GUID

Event ID 108: The previous system shutdown was unexpected.

Provider: Microsoft-Windows-Eventlog
Channel: System
Task: SystemAbnormalShutdown

Description

The previous system shutdown was unexpected.

Message #

The previous system shutdown was unexpected.

Fields #

Name	Description
`ShutdownTime` SYSTEMTIME
`ActualMaxInterval` UInt32
`DiskPmDisabledMaxInterval` UInt32
`DiskPmEnabledFlag` UInt32
`DiskPmEnabledMaxInterval` UInt32
`TimestampForced` UInt32
`DiskPmPolicy` UInt32
`BiasValid` UInt32
`StartBias` UInt32

Event ID 109: The event logging service encountered an error while processing an incoming event from publisher PublisherName and trying to process the metadata for it.

Provider: Microsoft-Windows-Eventlog
Channel: Analytic
Task: Eventprocessing

Description

The event logging service encountered an error while processing an incoming event from publisher PublisherName and trying to process the metadata for it.

Message #

The event logging service encountered an error while processing an incoming event from publisher %3 and trying to process the metadata for it.

Fields #

Name	Description
`ErrorCode` UInt32
`EventID` UInt16
`PublisherName` UnicodeString
`PublisherGuid` GUID
`ProcessID` UInt32
`EventName` UnicodeString

Event ID 110: Loading metadata for publisher PublisherName (PublisherGuid) and trying to process the metadata for it.

Provider: Microsoft-Windows-Eventlog
Channel: Debug
Task: Eventprocessing
Opcode: Start

Description

Loading metadata for publisher PublisherName (PublisherGuid) and trying to process the metadata for it.

Message #

Loading metadata for publisher %2 (%1) and trying to process the metadata for it.

Fields #

Name	Description
`PublisherGuid` GUID
`PublisherName` UnicodeString

Event ID 111: Finished loading metadata for publisher PublisherName (PublisherGuid), with EventMetaDataCount event metadatas processed.

Provider: Microsoft-Windows-Eventlog
Channel: Debug
Task: Eventprocessing
Opcode: Stop

Description

Finished loading metadata for publisher PublisherName (PublisherGuid), with EventMetaDataCount event metadatas processed.

Message #

Finished loading metadata for publisher %2 (%1), with %3 event metadatas processed.

Fields #

Name	Description
`PublisherGuid` GUID
`PublisherName` UnicodeString
`EventMetaDataCount` UInt32

Event ID 112: Failed to load metadata for publisher PublisherName (PublisherGuid).

Provider: Microsoft-Windows-Eventlog
Channel: Debug
Task: Eventprocessing
Opcode: Stop

Description

Failed to load metadata for publisher PublisherName (PublisherGuid). The reason code is ErrorCode.

Message #

Failed to load metadata for publisher %2 (%1). The reason code is %3.

Fields #

Name	Description
`PublisherGuid` GUID
`PublisherName` UnicodeString
`ErrorCode` UInt32

Event ID 200: Channel ChannelName (ChannelType) was enabled (Enabled) programmatically.

Provider: Microsoft-Windows-Eventlog
Channel: Analytic
Task: ServiceUsageAudit

Description

Channel ChannelName (ChannelType) was enabled (Enabled) programmatically.

Message #

Channel %1 (%2) was enabled (%3) programmatically.

Fields #

Name	Description
`ChannelName` UnicodeString
`ChannelType` UInt8
`Enabled` Boolean

Event ID 201: A push subscription was created for ChannelName.

Provider: Microsoft-Windows-Eventlog
Channel: Analytic
Task: ServiceUsageAudit

Description

A push subscription was created for ChannelName.

Message #

A push subscription was created for %1.

Fields #

Name	Description
`ChannelName` UnicodeString
`Query` UnicodeString

Event ID 202: A pull subscription was created for ChannelName.

Provider: Microsoft-Windows-Eventlog
Channel: Analytic
Task: ServiceUsageAudit

Description

A pull subscription was created for ChannelName.

Message #

A pull subscription was created for %1.

Fields #

Name	Description
`ChannelName` UnicodeString
`Query` UnicodeString

Event ID 203: OpenEventLog legacy API was used to open ModuleName.

Provider: Microsoft-Windows-Eventlog
Channel: Analytic
Task: ServiceUsageAudit

Description

OpenEventLog legacy API was used to open ModuleName.

Message #

OpenEventLog legacy API was used to open %2.

Fields #

Name	Description
`ModuleNameLen` UInt8
`ModuleName` UnicodeString

Event ID 204: RegisterEventSource legacy API was used to register ModuleName.

Provider: Microsoft-Windows-Eventlog
Channel: Analytic
Also via: realtime ETW trace
Level: Verbose
Task: ServiceUsageAudit

Description

RegisterEventSource legacy API was used to register ModuleName.

Message #

RegisterEventSource legacy API was used to register %2.

Fields #

Name	Description
`ModuleNameLen` UInt8
`ModuleName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
    "event_source_name": "",
    "event_id": "204",
    "version": "0",
    "level": "5",
    "task": "109",
    "opcode": "0",
    "keywords": 576460752304472064,
    "time_created": "2026-03-15T04:33:36.389555800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00102311-0000-0000-0000-0000bebcad59}"
    },
    "execution": {
      "process_id": "5820",
      "thread_id": "8064"
    },
    "channel": "Microsoft-Windows-EventLog/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ModuleNameLen": "10",
    "ModuleName": "PowerShell"
  },
  "message": ""
}

Event ID 205: ReportEvent legacy API was used to write an event to ModuleName.

Provider: Microsoft-Windows-Eventlog
Channel: Analytic
Also via: realtime ETW trace
Level: Verbose
Task: ServiceUsageAudit

Description

ReportEvent legacy API was used to write an event to ModuleName.

Message #

ReportEvent legacy API was used to write an event to %2.

Fields #

Name	Description
`ModuleNameLen` UInt8
`ModuleName` AnsiString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
    "event_source_name": "",
    "event_id": "205",
    "version": "1",
    "level": "5",
    "task": "109",
    "opcode": "0",
    "keywords": 576460752304472064,
    "time_created": "2026-03-15T04:33:36.390335800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00102311-0000-0000-0000-0000bebcad59}"
    },
    "execution": {
      "process_id": "5820",
      "thread_id": "8064"
    },
    "channel": "Microsoft-Windows-EventLog/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ModuleNameLen": "10",
    "ModuleName": "PowerShell"
  },
  "message": ""
}

Event ID 517: The audit log was cleared (legacy Windows 2000/XP/2003 event; superseded by 1102).

Provider: Microsoft-Windows-Eventlog
Channel: Security

Description

Legacy security-log clear event from Windows 2000/XP/2003. Superseded by EventID 1102 in Vista+.

Detection Patterns #

Stealth: Clear Windows Event Logs

1 rule

Splunk

Clear Windows Event Logs (Windows Event Log) (source)

Defense Impairment: Clear Windows Event Logs

Eventlog Event ID 517: The audit log was cleared (legacy Windows 2000/XP/2003 event; superseded by 1102).OREvent ID 1102: The audit log was cleared.

1 rule

Sigma

Security Eventlog Cleared (source)

Florian Roth (Nextron Systems)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`Microsoft-Windows-Eventlog`	1 rule	sigma

Event ID 1100: The event logging service has shut down.

Provider: Microsoft-Windows-Eventlog
Channel: Security
Level: Informational
Collection Priority: Recommended (JSCU-NL)
Task: Serviceshutdown

Description

The event logging service has shut down.

Message #

The event logging service has shut down.

Fields #

Name	Description
`ServiceShutdown`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}",
    "event_source_name": "",
    "event_id": 1100,
    "version": 0,
    "level": 4,
    "task": 103,
    "opcode": 0,
    "keywords": 4620693217682128896,
    "time_created": "2026-06-13T05:22:34.5804660+00:00",
    "event_record_id": 2929211,
    "correlation": {},
    "execution": {
      "process_id": 1468,
      "thread_id": 7088
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "user_data": {
    "ServiceShutdown": {}
  },
  "message": "The event logging service has shut down."
}

Detection Rules #

View all rules referencing this event →

Splunk # view in coverage

Windows Event Logging Service Has Shutdown source: The following analytic detects the shutdown of the Windows Event Log service by leveraging Windows Event ID 1100. This event is logged every time the service stops, including during normal system shutdowns. Monitoring this activity is…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1100
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1100
NSA/CISA - Best Practices for Event Logging https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection

Event ID 1101: Audit events have been dropped by the transport.

Provider: Microsoft-Windows-Eventlog
Channel: Security
Level: Error
Task: Eventprocessing

Description

Audit events have been dropped by the transport. AuditEventsDropped.Reason.

Message #

Audit events have been dropped by the transport.  %1

Fields #

Name	Description
`Reason` UInt8

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
    "event_source_name": "",
    "event_id": 1101,
    "version": 0,
    "level": 2,
    "task": 101,
    "opcode": 0,
    "keywords": 4620693217682128896,
    "time_created": "2026-03-06T19:18:41.161306+00:00",
    "event_record_id": 13453892,
    "correlation": {},
    "execution": {
      "process_id": 1788,
      "thread_id": 2828
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "user_data": {
    "AuditEventsDropped": {
      "Reason": 0
    }
  },
  "message": ""
}

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1101

Event ID 1102: The audit log was cleared.

Provider: Microsoft-Windows-Eventlog
Channel: Security
Level: Informational
Collection Priority: Recommended (ASD, others)
Task: Logclear

Description

The audit log was cleared.

Message #

The audit log was cleared.
Subject:
	Security ID: %1
	Account Name: %2
	Domain Name: %3
	Logon ID: %4

Fields #

Name	Description
`LogFileCleared.SubjectUserSid`
`LogFileCleared.SubjectUserName`
`LogFileCleared.SubjectDomainName`
`LogFileCleared.SubjectLogonId`
`SubjectUserSid`
`SubjectUserName`
`SubjectDomainName`
`SubjectLogonId`
`ClientProcessId`
`ClientProcessStartKey`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}",
    "event_source_name": "",
    "event_id": 1102,
    "version": 0,
    "level": 4,
    "task": 104,
    "opcode": 0,
    "keywords": 4620693217682128896,
    "time_created": "2026-05-28T00:50:56.9132673+00:00",
    "event_record_id": 1401962,
    "correlation": {},
    "execution": {
      "process_id": 1616,
      "thread_id": 3308
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "user_data": {
    "LogFileCleared": {
      "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1000",
      "SubjectUserName": "localuser",
      "SubjectDomainName": "cell-a",
      "SubjectLogonId": "0x196099a"
    }
  },
  "message": "The audit log was cleared.\r\nSubject:\r\n\tSecurity ID:\tS-1-5-21-1006758700-2167138679-1475694448-1000\r\n\tAccount Name:\tlocaluser\r\n\tDomain Name:\tcell-a\r\n\tLogon ID:\t0x196099A"
}

Detection Patterns #

Event Log Cleared

Eventlog Event ID 104: The LogFileCleared.Channel log file was cleared.OREvent ID 1102: The audit log was cleared.

4 rules

Sigma

Event log cleared (native) (source)

mdecrevoisier

Elastic

Windows Event Logs Cleared (source)

Elastic, Anabella Cristaldi

Splunk

Clear Windows Event Logs (Windows Event Log) (source)

Windows Event Log Cleared (source)

Rico Valdez, Michael Haag, Splunk

Event Logs

3 rules

Sigma

Event log cleared (native) (source)

mdecrevoisier

Elastic

Windows Event Logs Cleared (source)

Elastic, Anabella Cristaldi

Splunk

Clear Windows Event Logs (Windows Event Log) (source)

Defense Impairment: Clear Windows Event Logs

Eventlog Event ID 517: The audit log was cleared (legacy Windows 2000/XP/2003 event; superseded by 1102).OREvent ID 1102: The audit log was cleared.

1 rule

Sigma

Security Eventlog Cleared (source)

Florian Roth (Nextron Systems)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Category`	eq	`Microsoft-Windows-Eventlog`	2 rules	kusto
`Provider_Name`	eq	`Microsoft-Windows-Eventlog`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Kusto # view in coverage

Security Event log cleared source medium: Checks for event id 1102 which indicates the security event log was cleared. It uses Event Source Name "Microsoft-Windows-Eventlog" to avoid generating false positives from other sources, like AD FS servers for instance.
NRT Security Event log cleared source medium: Checks for event id 1102 which indicates the security event log was cleared. It uses Event Source Name "Microsoft-Windows-Eventlog" to avoid generating false positives from other sources, like AD FS servers for instance.

YARA-L # view in coverage

Windows Event Log Cleared source: Detects the clearing of event logs within the Windows Event Viewer.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1102
NSA/CISA - Best Practices for Event Logging https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection

Event ID 1103: The security log is now PercentFull percent full.

Provider: Microsoft-Windows-Eventlog
Channel: Security
Task: Eventprocessing

Description

The security log is now PercentFull percent full.

Message #

The security log is now %1 percent full.

Fields #

Name	Description
`PercentFull` UInt32

Event ID 1104: The security log is now full.

Provider: Microsoft-Windows-Eventlog
Channel: Security
Collection Priority: Recommended (Palantir)
Task: Eventprocessing

Description

The security log is now full.

Message #

The security log is now full.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1104
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1104

Event ID 1105: Event log automatic backup.

Provider: Microsoft-Windows-Eventlog
Channel: Security
Task: Logautomaticbackup

Description

Event log automatic backup.

Message #

Event log automatic backup
	Log: %1
	File: %2

Fields #

Name	Description
`Channel` UnicodeString
`BackupPath` UnicodeString

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1105
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1105

Event ID 1106: Events have been dropped by the event logging service.

Provider: Microsoft-Windows-Eventlog
Channel: Security
Task: Eventprocessing

Description

Events have been dropped by the event logging service. The reason code is Reason.

Message #

Events have been dropped by the event logging service. The reason code is %1.

Fields #

Name	Description
`Reason` HexInt32

Event ID 1107: The event logging service encountered an error while processing an incoming event from publisher PublisherName and trying to process the metadata for it.

Provider: Microsoft-Windows-Eventlog
Channel: Security
Level: Error
Task: Eventprocessing

Description

The event logging service encountered an error while processing an incoming event from publisher PublisherName and trying to process the metadata for it.

Message #

The event logging service encountered an error while processing an incoming event from publisher %3 and trying to process the metadata for it.

Fields #

Name	Description
`ErrorCode` UInt32
`EventID` UInt16
`PublisherName` UnicodeString
`PublisherGuid` GUID
`ProcessID` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
    "event_source_name": "",
    "event_id": 1107,
    "version": 0,
    "level": 2,
    "task": 101,
    "opcode": 0,
    "keywords": 4620693217682128896,
    "time_created": "2016-08-18T16:53:04.313375Z",
    "event_record_id": 5538,
    "correlation": {},
    "execution": {
      "process_id": 716,
      "thread_id": 1128
    },
    "channel": "Security",
    "computer": "IE10Win7",
    "security": {
      "user_id": ""
    }
  },
  "user_data": {
    "EventPublisherMetaDataFailure": {
      "#attributes": {
        "xmlns:auto-ns3": "http://schemas.microsoft.com/win/2004/08/events",
        "xmlns": "http://manifests.microsoft.com/win/2004/08/windows/eventlog"
      },
      "Error": {
        "#attributes": {
          "Code": 15002
        }
      },
      "EventID": 0,
      "PublisherName": null,
      "PublisherGuid": "54849625-5478-4994-A5BA-3E3B0328C30D",
      "ProcessID": 0
    }
  }
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1108: The event logging service encountered an error while processing an incoming event published from EventProcessingFailure.PublisherID.

Provider: Microsoft-Windows-Eventlog
Channel: Security
Level: Error
Task: Eventprocessing

Description

The event logging service encountered an error while processing an incoming event published from EventProcessingFailure.PublisherID.

Message #

The event logging service encountered an error while processing an incoming event published from %3.

Fields #

Name	Description
`ErrorCode` UInt32
`EventID` UInt16
`PubID` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
    "event_source_name": "",
    "event_id": 1108,
    "version": 0,
    "level": 2,
    "task": 101,
    "opcode": 0,
    "keywords": 4620693217682128896,
    "time_created": "2026-03-12T03:08:47.632904+00:00",
    "event_record_id": 2761579,
    "correlation": {},
    "execution": {
      "process_id": 1916,
      "thread_id": 2348
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "user_data": {
    "EventProcessingFailure": {
      "ErrorCode": 15003,
      "EventID": 4688,
      "PublisherID": "Microsoft-Windows-Security-Auditing"
    }
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1108
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1108

Event ID 6000: The Channel log file is full.

Provider: Microsoft-Windows-Eventlog
Channel: System

Description

The Channel log file is full.

Message #

The %1 log file is full.

Fields #

Name	Description
`Channel` UnicodeString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}

Defined in wevtsvc.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.1, captured 2026-06-02
WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.4946, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)