1102 The audit log was cleared
Written when the security audit log is cleared (wiped entirely). It should almost never occur in normal operation, so its mere presence is something to investigate.
Overview
The subcategory is Other Events and the source is Microsoft-Windows-Eventlog. It is recorded every time the Windows Security log is cleared. The key point is that the account that performed the clear (SubjectUserSid, SubjectUserName, SubjectDomainName) and its logon ID are recorded. Clearing the log requires only the "Manage auditing and security log" user right, which local administrators hold by default, so an actor who already has administrative rights cannot be stopped from clearing it; but "who cleared it" remains.
How it is triggered
- The "Clear Log" action in Event Viewer.
- `wevtutil cl Security` (the command-line log management tool; `cl` is short for `clear-log`).
- The PowerShell cmdlets `Clear-EventLog` (clears a log) and `Remove-EventLog` (deletes a whole log and its registered sources; intended for custom logs rather than for clearing Security).
- Any program that calls the same Event Log API directly (for example ClearEventLog or EvtClearLog), since all of the above go through the Event Log service.
On every path the 1102 is written into the freshly cleared log as its first record, so even the actor who wiped the log leaves the 1102 behind.
Security review points
- It maps directly to MITRE ATT&CK T1070.001 (Indicator Removal: Clear Windows Event Logs), a hallmark defense-evasion technique. It is often seen late in an intrusion or just before ransomware executes.
- To identify how the clear was done, correlate with process creation event 4688 and look for `wevtutil.exe` with the `cl` (or `clear-log`) argument, or `powershell.exe` running `Clear-EventLog`. The 4688 for the clearing process was written before the wipe, so on the host itself it is usually gone with the rest of the log; the correlation works against a forwarded copy.
- If the recorded account is one that has no business clearing logs, suspect abuse of its credentials. Use the Logon ID to tie the clear to the session's 4624 (logon type, source address).
- Read it alongside System log Event ID 104, which records clearing of the other logs (System, Application, and so on). Between the two you can see which logs were wiped.
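To make the correlation concrete, here is an added PowerShell example that is not part of the original page. It parses a 1102 into its Subject fields (1102 stores them under UserData/LogFileCleared, not under EventData, so a generic Data-Name parser returns nothing for it), then looks for the 4688 that launched the clear and the 4624 that owns the session. The function names, the lookback windows and the sample 1102 record are assumptions made for this example; Get-WinEvent, its FilterHashtable keys and the event XML layout are standard. On the host itself the 4688 that preceded the clear is usually gone, so point the function at a WEF collector's ForwardedEvents log or at an exported .evtx.

```powershell
# Added example, not code from the original page. Pulls 1102 entries, extracts the
# "who" fields, and correlates them with 4688 (how) and 4624 (which logon session).
# Assumptions: the function names, the lookback windows, and the constructed sample
# 1102 at the bottom. Get-WinEvent and the event XML layout are standard Windows.

function ConvertFrom-LogCleared {
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    # 1102 keeps its fields under <UserData><LogFileCleared>, not <EventData>.
    $u = $x.Event.UserData.LogFileCleared
    [pscustomobject]@{
        TimeCreated = [datetime]$x.Event.System.TimeCreated.SystemTime
        Computer    = $x.Event.System.Computer
        RecordId    = [int64]$x.Event.System.EventRecordID
        SubjectSid  = $u.SubjectUserSid
        Account     = "$($u.SubjectDomainName)\$($u.SubjectUserName)"
        LogonId     = $u.SubjectLogonId   # hex string such as 0x3e7a1
    }
}

# 4688 and 4624 are EventData events: <Data Name="...">value</Data>.
function Get-EventDataMap {
    param([Parameter(Mandatory)][string]$EventXml)
    $m = @{}
    foreach ($d in ([xml]$EventXml).Event.EventData.Data) { $m[$d.Name] = $d.'#text' }
    $m
}

function Find-LogClearActivity {
    param(
        [string]$LogName = 'Security',    # use 'ForwardedEvents' on a WEF collector
        [string]$Path,                    # or an .evtx exported from the SIEM/collector
        [int]$ProcessWindowMinutes = 10,  # assumed lookback for 4688
        [int]$LogonWindowHours = 24       # assumed lookback for 4624
    )
    $base = if ($Path) { @{ Path = $Path } } else { @{ LogName = $LogName } }

    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable ($base + @{ Id = 1102 }) |
    ForEach-Object {
        $c = ConvertFrom-LogCleared -EventXml $_.ToXml()

        # The 4688 for the clearing process predates the wipe; on the host it is usually
        # gone, so this pays off against a forwarded copy. CommandLine is only present
        # when "Include command line in process creation events" is enabled.
        $procs = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable ($base + @{
                     Id        = 4688
                     StartTime = $c.TimeCreated.AddMinutes(-$ProcessWindowMinutes)
                     EndTime   = $c.TimeCreated }) |
                 ForEach-Object { Get-EventDataMap -EventXml $_.ToXml() } |
                 Where-Object {
                     ($_.NewProcessName -match '\\wevtutil\.exe$' -and $_.CommandLine -match '\s(cl|clear-log)\s') -or
                     ($_.CommandLine -match 'Clear-EventLog|Remove-EventLog|ClearEventLog')
                 }

        # Tie the clear to its session: 1102 SubjectLogonId equals the 4624 TargetLogonId.
        $logon = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable ($base + @{
                     Id        = 4624
                     StartTime = $c.TimeCreated.AddHours(-$LogonWindowHours)
                     EndTime   = $c.TimeCreated }) |
                 ForEach-Object { Get-EventDataMap -EventXml $_.ToXml() } |
                 Where-Object { $_.TargetLogonId -eq $c.LogonId } |
                 Select-Object -First 1

        [pscustomobject]@{
            ClearedAt     = $c.TimeCreated
            Computer      = $c.Computer
            Account       = $c.Account
            SubjectSid    = $c.SubjectSid
            LogonId       = $c.LogonId
            LogonType     = $logon.LogonType
            SourceIp      = $logon.IpAddress
            ClearCommands = @($procs | ForEach-Object { $_.CommandLine })
        }
    }
}

# Constructed sample 1102 (invented values) so the parser can be exercised offline.
$Sample1102 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog" />
    <EventID>1102</EventID>
    <TimeCreated SystemTime="2024-01-15T03:12:44.123Z" />
    <EventRecordID>1</EventRecordID>
    <Channel>Security</Channel>
    <Computer>WS01.corp.example</Computer>
  </System>
  <UserData>
    <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <SubjectUserSid>S-1-5-21-1111111111-2222222222-3333333333-1105</SubjectUserSid>
      <SubjectUserName>jdoe</SubjectUserName>
      <SubjectDomainName>CORP</SubjectDomainName>
      <SubjectLogonId>0x3e7a1</SubjectLogonId>
    </LogFileCleared>
  </UserData>
</Event>
'@
ConvertFrom-LogCleared -EventXml $Sample1102 | Format-List

# Live use (needs rights to read the Security log):  Find-LogClearActivity | Format-List
# Against a collector export:  Find-LogClearActivity -Path 'C:\cases\ws01-forwarded.evtx'
```

The EventData map is keyed by the Data Name attribute rather than by positional index, so it keeps working if Microsoft appends fields to 4688 or 4624 in a later Windows build; the logon ID comparison is a plain string match because both events render it as the same hex form.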
Notes for log review
- There is almost no legitimate reason to clear the Security log by hand. Treat it not by volume but as a high-priority event where even one occurrence must be investigated.
- If logs are forwarded to a SIEM in real time, evidence survives on the aggregation side even after the host log is wiped. Work on the assumption that a 1102 means the host's own record has been destroyed, and reconcile against the forwarded data.
- Because the host's log has a hole at the clear, reconstruct what happened around that time from forwarded logs or from other hosts (domain controllers, the source host of the logon session, network devices).
Key fields
| Field | Meaning |
|---|---|
| Subject \ Security ID | The SID (an identifier unique to each account) of the account that cleared the log |
| Subject \ Account Name / Account Domain | The name and domain of the account that performed the clear |
| Subject \ Logon ID | A hex value identifying the logon session; match it against the TargetLogonId of the session's 4624 to recover logon type and source address |
In the raw XML these fields sit under UserData/LogFileCleared (SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId) rather than under EventData, which matters when writing parsers or SIEM field mappings.
Glossary
- MITRE ATT&CK: a knowledge base that organizes real attacker techniques, each labeled with an identifier beginning with T.
- Defense evasion: the attack stage of hindering detection and logging to keep activity hidden.