Windows Event 1102 — Security Audit Log Cleared

Category: Windows Security / Anti-Forensics / Evidence Tampering

What This Means

Windows Event ID 1102 is written by the Microsoft-Windows-Eventlog provider when the Security event log is cleared, whether through Event Viewer's "Clear Log" action, wevtutil cl Security, or the Clear-EventLog cmdlet. It is recorded as the first entry in the freshly cleared log and names the account that performed the clear. Treat it as a critical indicator of anti-forensic activity and evidence tampering by attackers or insiders: outside of documented maintenance there is no routine reason to wipe the Security log. Clearing any other log (System, Application, PowerShell) produces Event 104 in the System log instead, so hunt for both.

Example Log

The audit log was cleared.

Subject:
  Security ID:    S-1-5-21-3398...-500
  Account Name:   Administrator
  Account Domain: CONTOSO
  Logon ID:       0x3E7

How to Investigate

  1. Immediately identify the Subject that cleared the log: Security ID, Account Name, Account Domain and Logon ID. A Logon ID of 0x3E7 is the LocalSystem session, so a named administrator account paired with it means the clear was issued by a service, scheduled task or SYSTEM-level tool rather than an interactive session.
  2. Check the SIEM or central log collector for this host's events before the clear; the local Security log no longer holds them.
  3. Find the Event 4624 whose Target Logon ID matches the 1102 Subject Logon ID to learn the logon type, source address and workstation of the session that performed the clear.
  4. Reconstruct what that session and the host did in the hour before the clear (process creation, privilege use, account and policy changes) from the forwarded copy.
  5. Check other servers for Event 1102 (and Event 104 in the System log) in the same time window; simultaneous clears point to a coordinated attack.
  6. Preserve the remaining forensic artifacts before anything reboots or runs cleanup: memory, the current event logs, prefetch, Amcache and the SYSTEM hive (shimcache).
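The procedure above as a triage script, added here as an example rather than code from the original page. It assumes it is run elevated on the affected host, that $ForwardedEvtx is an export of that host's forwarded Security events from the WEF collector or SIEM, and that $PeerHosts lists servers to sweep; all three values are placeholders. Memory capture needs a dedicated imaging tool and is left out.

```powershell
# Added example, not from the original page: walk the six investigation steps
# on a host that has just logged Event 1102.
# Assumptions (placeholders, not from the page): runs elevated on the affected
# host; $ForwardedEvtx is an .evtx exported from the collector/SIEM; $PeerHosts
# are other servers to sweep; $EvidenceDir is the case folder.
param(
    [string]   $ForwardedEvtx = 'C:\cases\CASE-0001\Security-forwarded.evtx',
    [string[]] $PeerHosts     = @('SRV01', 'SRV02'),
    [string]   $EvidenceDir   = 'C:\cases\CASE-0001\artifacts'
)

# Pull a named field out of an event's XML. 1102 stores its Subject under
# <UserData>, 4624 stores it under <EventData><Data Name="...">; handle both.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml  = [xml]$Event.ToXml()
    $node = $xml.SelectSingleNode("//*[local-name()='Data'][@Name='$Name']")
    if (-not $node) { $node = $xml.SelectSingleNode("//*[local-name()='$Name']") }
    if ($node) { $node.InnerText } else { $null }
}

# Step 1: identify the Subject. 1102 is the first record written into the
# freshly cleared log, so it is still present locally.
$cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue
if (-not $cleared) { Write-Warning 'No Event 1102 in the local Security log'; return }

foreach ($e in $cleared) {
    $who     = Get-EventField $e 'SubjectUserName'
    $domain  = Get-EventField $e 'SubjectDomainName'
    $logonId = Get-EventField $e 'SubjectLogonId'
    $when    = $e.TimeCreated
    "[1102] $when  cleared by $domain\$who  LogonId=$logonId"
    if ($logonId -eq '0x3e7') {
        '  note: 0x3E7 is the LocalSystem session; the clear came from a service, scheduled task or SYSTEM-level tool'
    }

    # Steps 2-4: the pre-clear 4624 and the hour of activity before the clear
    # are gone from the local log; read them from the forwarded copy instead.
    if (Test-Path $ForwardedEvtx) {
        Get-WinEvent -FilterHashtable @{ Path = $ForwardedEvtx; Id = 4624 } -ErrorAction SilentlyContinue |
            Where-Object { (Get-EventField $_ 'TargetLogonId') -eq $logonId } |
            ForEach-Object {
                '  [4624] {0}  LogonType={1}  From={2}  Workstation={3}' -f $_.TimeCreated,
                    (Get-EventField $_ 'LogonType'), (Get-EventField $_ 'IpAddress'), (Get-EventField $_ 'WorkstationName')
            }
        Get-WinEvent -FilterHashtable @{ Path = $ForwardedEvtx; StartTime = $when.AddHours(-1); EndTime = $when } -ErrorAction SilentlyContinue |
            Where-Object { (Get-EventField $_ 'SubjectLogonId') -eq $logonId } |
            Group-Object Id | Sort-Object Count -Descending |
            ForEach-Object { '  pre-clear activity by that session: EventID {0} x{1}' -f $_.Name, $_.Count }
    } else {
        Write-Warning "No forwarded copy at $ForwardedEvtx; steps 2-4 need the SIEM"
    }
}

# Step 5: sweep peers for the same thing. 1102 covers the Security log; 104 in
# the System log covers clears of every other log.
$since = (Get-Date).AddDays(-1)
Invoke-Command -ComputerName $PeerHosts -ArgumentList $since -ErrorAction SilentlyContinue -ScriptBlock {
    param($since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104; StartTime = $since } -ErrorAction SilentlyContinue
} | Select-Object PSComputerName, TimeCreated, Id, LogName

# Step 6: preserve what is left before anything reboots or runs cleanup.
New-Item -ItemType Directory -Force -Path $EvidenceDir | Out-Null
wevtutil epl Security (Join-Path $EvidenceDir 'Security.evtx')
wevtutil epl System   (Join-Path $EvidenceDir 'System.evtx')
Copy-Item "$env:SystemRoot\Prefetch\*.pf" $EvidenceDir -ErrorAction SilentlyContinue
Copy-Item "$env:SystemRoot\AppCompat\Programs\Amcache.hve" $EvidenceDir -ErrorAction SilentlyContinue
reg save HKLM\SYSTEM (Join-Path $EvidenceDir 'SYSTEM.hiv') /y | Out-Null   # Shimcache (AppCompatCache) lives in this hive
```

Run it from the case folder and keep the output with the evidence; the 4624 correlation only works against the forwarded copy because the local log was emptied by the very event you are investigating.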

Frequently Asked Questions

Why is Event 1102 so important?
Event 1102 is one of the strongest indicators of malicious activity because attackers clear the Security log to destroy evidence of what they did on the host. It is one of the few events that should trigger an immediate investigation every time it occurs; a clear during a change window still needs to be matched to a ticket and an operator.
Can I prevent the Security log from being cleared?
Not fully: an attacker with administrator rights can always clear the log. The mitigation is to forward Security events to a SIEM or Windows Event Forwarding collector in real time so that a copy leaves the host before it can be wiped. Event 1102 itself is written into the freshly cleared log as its first record, so it survives the clear locally and is forwarded like any other event; an attacker who wants to hide it has to stop the event log service or tamper with the .evtx file, which are themselves detectable.
What information is lost when the Security log is cleared?
All Security events prior to the clear are destroyed from the local log: logon events, privilege use, process creation, account and policy changes. Only copies that left the host before the clear survive, whether forwarded events in a central system, backups, or a volume shadow copy of the .evtx file.
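The forwarding mitigation only helps if it is actually in place on the host, so here is a check for it, added as an example rather than taken from the page. It assumes forwarding is done with Windows Event Forwarding configured through the "Configure target Subscription Manager" policy; hosts that ship logs with a third-party agent need that agent's own health check instead.

```powershell
# Added example, not from the original page: confirm that a cleared Security
# log would still have an off-host copy. Assumption: forwarding is Windows
# Event Forwarding driven by the SubscriptionManager policy key below; agents
# other than WEF are not checked.
function Test-EventLogClearResilience {
    $findings = @()

    # 1. Is a WEF subscription manager set by policy? Each numbered value holds
    #    something like Server=http://collector:5985/wsman/SubscriptionManager/WEC,Refresh=60
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $mgr = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $servers = @()
    if ($mgr) {
        $servers = $mgr.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
    if (-not $servers) {
        $findings += 'FAIL: no WEF SubscriptionManager policy; a cleared Security log would have no off-host copy'
    } else {
        $findings += "OK: WEF collectors configured: $($servers -join '; ')"
    }

    # 2. Source-initiated forwarding rides on WinRM; if it is stopped nothing leaves the host.
    $svc = Get-Service WinRM -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        $findings += 'FAIL: WinRM is not running, so forwarding cannot deliver'
    } else {
        $findings += 'OK: WinRM running'
    }

    # 3. A tiny local log loses history to wraparound even without a clear.
    $sec = Get-WinEvent -ListLog Security
    $mb  = [int]($sec.MaximumSizeInBytes / 1MB)
    if ($sec.MaximumSizeInBytes -lt 512MB) {
        $findings += "WARN: Security log max size is $mb MB; raise it so events are not overwritten before collection"
    } else {
        $findings += "OK: Security log max size is $mb MB"
    }

    # 4. 1102 survives the clear, so the local log records whether it was ever cleared.
    $last = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($last) { $findings += "WARN: Security log was last cleared at $($last.TimeCreated)" }

    $findings
}

Test-EventLogClearResilience
```

Any FAIL line means the answer to "can I recover what was cleared" is no for this host, and fixing that is the real mitigation for Event 1102.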