Q: What is the event ID and description in Windows Vista for audit logs that have been cleared?
A: The event ID for audit logs cleared in Vista is 1102. The event description begins with The audit log was cleared and provides information about the user who caused the event, including the user's SID, account name, domain, and logon ID. You can use the logon ID to trace backwards in the Security log for the logon event, which provides further information, such as whether the user logged on interactively or via the network and the IP address if the user is remote. Most Vista event IDs are the old event ID added to 4,096; however, Microsoft obviously wasn’t consistent in the case of this event. Windows logs event ID 1102 when logs are cleared even if auditing is disabled, ensuring that users can't disable auditing and then clear the Security log without leaving a trail.
