
Event ID: 517 not forwarded

I'm required to alert on Security Event Log ID: 517, audit log clearing events, and for some reason they are not forwarded using the event log forwarder. I verified the security log is set to be forwarded. I map a drive to the system to create security events and I see them in the syslog viewer and on the Orion portal. I clear the log without saving, causing a 517 event in the security event log, but that single event is never forwarded. It allows individuals to cover their tracks without notification. Has anyone else experienced this issue?

 Event Log info from MS:

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=517&EvtSrc=Security&LCID=1033

 

Thanks in advance, 
