I'm required to alert on Security Event Log ID: 517, audit log clearing events, and for some reason they are not forwarded using the event log forwarder. I verified the security log is set to be forwarded. I map a drive to the system to create security events and I see them in the syslog viewer and on the Orion portal. I clear the log without saving, causing a 517 event in the security event log, but that single event is never forwarded. It allows individuals to cover their tracks without notification. Has anyone else experienced this issue?
Event Log info from MS:
www.microsoft.com/.../transform.aspx
Thanks in advance,