eG Monitoring
 

Measures reported by EvntLogClearTest

Administrators rely on event logs to capture and troubleshoot error and warning events that occur on an Active Directory server. If a user inadvertently or wilfully clears an event log, many critical problem conditions may therefore go unnoticed. Under such circumstances, administrators naturally want to find out who cleared the logs, so that the user can be questioned. The GrpPolyUpdateTest test helps with this. It promptly alerts administrators when the application, system, or security event log is cleared, and its detailed diagnosis identifies the user who cleared the log, thus assisting the investigation.

Output of the test: One set of results for every Active Directory site that is being monitored

The measures made by this test are as follows:

| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| sysEvtLogClear | Indicates the number of times the application and/or system event log was cleared during the last measurement period. | Number | The detailed diagnosis of this measure reveals when and who cleared the application/system event log. |
| secEvtLogClear | Indicates the number of times the security event log was cleared during the last measurement period. | Number | The detailed diagnosis of this measure reveals when and who cleared the security event log. |
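The detailed diagnosis described above can be cross-checked directly on the domain controller. The PowerShell below is an added example, not eG Enterprise code; it reads the two events Windows itself records when a log is cleared (Event ID 1102 in the Security log for the security log, Event ID 104 in the System log for the application/system logs) and the $Hours look-back window is an assumed parameter.

```powershell
# Added example (not eG Enterprise code): who cleared which event log in the last $Hours hours.
# Windows writes a record of every log clear, both from the Microsoft-Windows-Eventlog provider:
#   Security log cleared            -> Event ID 1102 in the Security log
#   Application/System log cleared  -> Event ID 104 in the System log (Channel names the log)
param([int]$Hours = 24)   # assumed parameter: how far back to look

$since = (Get-Date).AddHours(-$Hours)

$filters = @(
    @{ LogName = 'Security'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 1102; StartTime = $since },
    @{ LogName = 'System';   ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104;  StartTime = $since }
)

$clears = foreach ($f in $filters) {
    # Get-WinEvent raises an error when nothing matches; treat that as "no clears"
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
        # The subject (who cleared the log) is in the event's UserData XML, not in Message text
        $xml = [xml]$_.ToXml()
        $ud  = $xml.Event.UserData.LogFileCleared
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            # 1102 is always the Security log; 104 carries the cleared channel explicitly
            ClearedLog  = if ($_.Id -eq 1102) { 'Security' } else { $ud.Channel }
            User        = "$($ud.SubjectDomainName)\$($ud.SubjectUserName)"
            Computer    = $_.MachineName
        }
    }
}

# Per-event detail: the "when and who" the detailed diagnosis reports
$clears | Sort-Object TimeCreated | Format-Table TimeCreated, ClearedLog, User, Computer -AutoSize

# Counts in the shape of the two measures: application/system clears vs. security clears
$sysEvtLogClear = @($clears | Where-Object { $_.ClearedLog -ne 'Security' }).Count
$secEvtLogClear = @($clears | Where-Object { $_.ClearedLog -eq 'Security' }).Count
"sysEvtLogClear = $sysEvtLogClear"
"secEvtLogClear = $secEvtLogClear"
```

Reading the Security log requires local administrator or "Event Log Readers" membership; an empty result for ID 1102 with no error usually means the account lacks that right rather than that no clear occurred.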