Windows Event ID 1102 - Security Log Cleared

Records when the Security event log is cleared. It is a critical indicator of potential anti-forensics activity, as attackers often clear logs to hide their tracks after compromising a system.

Quick Facts

Default Path (Linux): N/A (Windows Event Forwarding to SIEM)
Default Format: Windows Event Log (EVTX)
JSON Native: No
Rotation: Windows Event Log settings (default 20MB)

Log Example

Default format: Windows Event Log Format

Example Log Entry
Log Name:      Security
Source:        Microsoft-Windows-Eventlog
Date:          2/1/2026 03:15:45 AM
Event ID:      1102
Task Category: Log clear
Level:         Information
Keywords:      Audit Success
User:          CORP\attacker
Computer:      WORKSTATION01.corp.local
Description:
The audit log was cleared.

Subject:
    Security ID:        S-1-5-21-1234567890-1234567890-1234567890-1234
    Account Name:       attacker
    Domain Name:        CORP
    Logon ID:           0x87654321

Structure:

XML-based binary format

Available Formats

Windows Event Log Format

Default

Example: the same entry shown under Log Example above.

Structure:

XML-based binary format

XML Format

Example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"/>
    <EventID>1102</EventID>
    <TimeCreated SystemTime="2026-02-01T03:15:45.123456789Z"/>
    <EventRecordID>1</EventRecordID>
    <Computer>WORKSTATION01.corp.local</Computer>
  </System>
  <UserData>
    <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <SubjectUserSid>S-1-5-21-1234567890-1234567890-1234567890-1234</SubjectUserSid>
      <SubjectUserName>attacker</SubjectUserName>
      <SubjectDomainName>CORP</SubjectDomainName>
      <SubjectLogonId>0x87654321</SubjectLogonId>
    </LogFileCleared>
  </UserData>
</Event>

Structure:

Native XML representation of the event

JSON (Winlogbeat/NXLog)

Example:

{
  "event_id": 1102,
  "log_name": "Security",
  "source_name": "Microsoft-Windows-Eventlog",
  "computer_name": "WORKSTATION01.corp.local",
  "time_created": "2026-02-01T03:15:45.123Z",
  "user_data": {
    "SubjectUserName": "attacker",
    "SubjectDomainName": "CORP",
    "SubjectLogonId": "0x87654321"
  }
}

Structure:

Structured JSON from log forwarders

Fields Reference

Field              Type      Description                                              Example
EventID            integer   Event identifier (always 1102 for security log cleared)  1102
TimeCreated        datetime  Timestamp when the log was cleared                       2026-02-01T03:15:45.123Z
Computer           string    Computer where the log was cleared                       WORKSTATION01.corp.local
SubjectUserName    string    Account that cleared the log                             attacker
SubjectDomainName  string    Domain of the account                                    CORP
SubjectLogonId     string    Logon session ID for correlation                         0x87654321

Parsing Patterns

Grok Patterns

XML format:

<SubjectUserName>%{DATA:subject_user}</SubjectUserName>.*<SubjectDomainName>%{DATA:subject_domain}</SubjectDomainName>

Regular Expressions

XML format:

<SubjectUserName>(?P<subject_user>[^<]+)</SubjectUserName>.*<SubjectDomainName>(?P<subject_domain>[^<]+)</SubjectDomainName>
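As an added example (not code from the original page), the following Python parses both the XML and the Winlogbeat/NXLog JSON forms of Event ID 1102 shown above into the Fields Reference columns and marks every record as high priority unless the clearing account is on a documented maintenance list, as the "Track log maintenance" use case below requires. The APPROVED_CLEARERS set and the svc-logmaint account are assumptions, and both sample records are constructed from the page's examples.

```python
import json
import xml.etree.ElementTree as ET

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"  # <System> namespace (page XML)
LOG = "{http://manifests.microsoft.com/win/2004/08/windows/eventlog}"  # <LogFileCleared> namespace
# Constructed sample inputs: this page's XML record (whitespace collapsed) and its JSON record.
SAMPLE_XML = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<EventID>1102</EventID><TimeCreated SystemTime="2026-02-01T03:15:45.123456789Z"/>'
    '<Computer>WORKSTATION01.corp.local</Computer></System><UserData>'
    '<LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">'
    '<SubjectUserSid>S-1-5-21-1234567890-1234567890-1234567890-1234</SubjectUserSid>'
    '<SubjectUserName>attacker</SubjectUserName><SubjectDomainName>CORP</SubjectDomainName>'
    '<SubjectLogonId>0x87654321</SubjectLogonId></LogFileCleared></UserData></Event>'
)
SAMPLE_JSON = ('{"event_id": 1102, "log_name": "Security", "computer_name": "WORKSTATION01.corp.local",'
               ' "time_created": "2026-02-01T03:15:45.123Z", "user_data": {"SubjectUserName": "attacker",'
               ' "SubjectDomainName": "CORP", "SubjectLogonId": "0x87654321"}}')
# Hypothetical allow-list of (domain, account) pairs documented as permitted to clear the log.
APPROVED_CLEARERS = {("CORP", "svc-logmaint")}

def parse_1102_xml(xml_text):
    """Normalise the Fields Reference columns from the XML form; None if not Event ID 1102."""
    root = ET.fromstring(xml_text)
    system = root.find(EVT + "System")
    if system is None or system.findtext(EVT + "EventID") != "1102":
        return None
    cleared = root.find(EVT + "UserData/" + LOG + "LogFileCleared")
    return {"time_created": system.find(EVT + "TimeCreated").get("SystemTime"),
            "computer": system.findtext(EVT + "Computer"),
            "subject_user": cleared.findtext(LOG + "SubjectUserName"),
            "subject_domain": cleared.findtext(LOG + "SubjectDomainName"),
            "subject_logon_id": cleared.findtext(LOG + "SubjectLogonId")}

def parse_1102_json(json_text):
    """Same normalised record from the Winlogbeat/NXLog JSON shape; None if not 1102."""
    rec = json.loads(json_text)
    if rec.get("event_id") != 1102:
        return None
    ud = rec.get("user_data", {})
    return {"time_created": rec.get("time_created"), "computer": rec.get("computer_name"),
            "subject_user": ud.get("SubjectUserName"), "subject_domain": ud.get("SubjectDomainName"),
            "subject_logon_id": ud.get("SubjectLogonId")}

def classify(fields):
    """Every 1102 is high priority unless the clearing account is on the documented list."""
    if fields is None:
        return None
    approved = (fields["subject_domain"], fields["subject_user"]) in APPROVED_CLEARERS
    return "documented-maintenance" if approved else "HIGH: possible anti-forensics"
```

The subject_logon_id returned for a high-priority record is the value to join against the logon event for that session to see how the account got onto the host.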

Collector Configurations

Splunk (SPL search)

# Security log cleared events - HIGH PRIORITY
index=wineventlog EventCode=1102
| table _time, Computer, SubjectUserName, SubjectDomainName

Configuration

Enable Logging

Log clearing events are always recorded when the Security log is cleared

# This event is automatically generated and cannot be disabled

Log To Syslog

Forward via Windows Event Forwarding (WEF) - CRITICAL to capture before local deletion

# Include in WEF subscription with high priority

Use Cases

Track log maintenance

Document legitimate log clearing for compliance.

Fields used: TimeCreated, SubjectUserName, Computer

Tested On

Windows Server 2022
Last updated: 2026-02-01 by admin
