1105 Event log automatic backup
Written when the log fills up, a new log file is created, and the old log is archived (saved aside). It is mostly informational, but it reflects the state of the retention setting.
Overview
The subcategory is Other Events and the source is Microsoft-Windows-Eventlog. When the retention method is “archive the log when full, do not overwrite,” reaching the size limit moves the old log into an .evtx file and records that fact as 1105. The archive path is included in the event.
How it is triggered
- The combination of the log reaching maximum size and an “archive when full” retention method.
- The archive file name follows the pattern Archive-Security-YYYY-MM-DD-hh-mm-ss-nnn.evtx, and the time in the name is always recorded in UTC.
Security review points
- It is mostly informational and needs no action. However, if 1105 appears when the baseline (the normal configuration) is not the archive method, it can indicate the retention setting was changed.
- The archive file is the past evidence itself. During an investigation, treat the .evtx file at the backup path as something to collect.
Notes for log review
- Check that archive files have not been deleted or overwritten unintentionally, together with the free space at the destination.
- If automatic backups suddenly become more frequent, follow up on what is filling the log so quickly (a burst of events).
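The two checks above (1105 on a log whose baseline retention is not "archive when full", and a burst of archives) as an added example in Python; this is not code from the original page. The 1105 records, the baseline map and the archive paths are constructed sample data, and the timestamp is recovered from the UTC file name pattern given above.

```python
import re
from datetime import datetime, timedelta, timezone

# File name pattern from the page: Archive-<Log>-YYYY-MM-DD-hh-mm-ss-nnn.evtx, time in UTC
ARCHIVE_RE = re.compile(
    r"Archive-(?P<log>[^-]+)-(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}-\d{3})\.evtx$")


def archive_time(path):
    """Return the UTC timestamp encoded in an 1105 archive file name, or None if it does not match."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = ARCHIVE_RE.search(name)
    if not m:
        return None
    # %f accepts the 3-digit millisecond field and pads it to microseconds
    return datetime.strptime(m.group("ts"), "%Y-%m-%d-%H-%M-%S-%f").replace(tzinfo=timezone.utc)


def review_1105(events, baseline_archive, burst_window=timedelta(hours=1), burst_count=3):
    """events: 1105 records as dicts with the Log and File fields.
    baseline_archive: log name -> True if 'archive when full' is the expected retention method.
    Returns review findings: retention drift, unexpected names, and archive bursts."""
    findings, times = [], []
    for ev in events:
        if not baseline_archive.get(ev["Log"], False):
            findings.append(f"1105 for {ev['Log']} but baseline is not 'archive when full': "
                            "check whether the retention setting was changed")
        t = archive_time(ev["File"])
        if t is None:
            findings.append(f"unexpected archive file name: {ev['File']}")
        else:
            times.append(t)
    times.sort()
    # A burst: burst_count archives inside burst_window means the log is filling quickly
    for i in range(len(times) - burst_count + 1):
        if times[i + burst_count - 1] - times[i] <= burst_window:
            findings.append(f"{burst_count} archives within {burst_window} starting "
                            f"{times[i].isoformat()}: follow up on what is filling the log")
            break
    return findings


# Constructed sample 1105 records (not real data); paths are illustrative only
SAMPLE_1105 = [
    {"Log": "Security", "File": r"C:\Windows\System32\winevt\Logs\Archive-Security-2024-05-01-08-00-00-123.evtx"},
    {"Log": "Security", "File": r"C:\Windows\System32\winevt\Logs\Archive-Security-2024-05-01-08-12-30-456.evtx"},
    {"Log": "Security", "File": r"C:\Windows\System32\winevt\Logs\Archive-Security-2024-05-01-08-40-05-789.evtx"},
    {"Log": "Application", "File": r"C:\Windows\System32\winevt\Logs\Archive-Application-2024-05-01-09-00-00-000.evtx"},
]
BASELINE = {"Security": True, "Application": False}  # assumed baseline retention per log

if __name__ == "__main__":
    for line in review_1105(SAMPLE_1105, BASELINE):
        print(line)
```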
Key fields
| Field | Meaning |
|---|---|
| Log | The archived log name; always Security for the Security log |
| File | The full path of the archived .evtx file |