SayedJunaid-5411 asked:

Can see audit logs are cleared by NETWORK SERVICE. Want to know if this is expected or not.

Hi,
Lately, I am seeing the logs below from the Exchange server:

"AgentDevice=WindowsLog AgentLogFile=Application Source=Microsoft-Filtering-FIPFS Computer=XYZ User=NETWORK SERVICE Domain=NETWORK SERVICE EventID=1102 EventIDCode=1102 EventType=4 EventCategory=0 RecordNumber=XYZ TimeGenerated=XYZ TimeWritten=XYZ Message=MS Filtering Engine Update process is running. "

Per event ID 1102, this means that audit logs are cleared. Can someone tell me why the audit logs are being cleared by NETWORK SERVICE? What exactly is causing it, and is it expected? I confirmed with the team that they didn't make any changes.

Tags: office-exchange-server-administration, msc-essentials, azure-ad-audit-logs

vipulsparsh-MSFT answered:

@SayedJunaid-5411 Thanks for reaching out.

You should not normally see this event. I would highly recommend investigating this, as it might be an attempt to delete the proof of entry to the system, or a breach.
There might be genuine scenarios as well, like a service getting upgraded, which might try to do this (rare case).

A thorough investigation needs to happen either way.




SayedJunaid-5411 commented:

Can you suggest some steps for how I can go about it?
YukiSun-MSFT answered:

Hi @SayedJunaid-5411

Regarding Event ID 1102, which means that audit logs are cleared: based on my research, it usually shows up in the SECURITY logs:
[screenshot 1.png]
But "AgentLogFile=Application" in the logs you mentioned earlier indicates this is an Application event, which will be located in the APPLICATION logs:
[screenshot 2.png]

Also, according to the description in this official document, this event log doesn't seem to be related to "Microsoft-Filtering-FIPFS" and "MS Filtering Engine Update process is running" mentioned in the logs you shared above:
[screenshot 3.png]

Therefore, it seems to me that the event ID 1102 in your case is different from the event which means "Windows Security audit log was cleared".

While, after searching a lot, there isn't an official article explaining this application event 1102 specifically for Exchange server, according to the clues I found in some other threads (like "That is the anti-malware update" in this thread), events involving "MS Filtering Engine Update process" in the APPLICATION logs usually occur when Exchange is downloading the antimalware engine and definition updates. I checked in my test lab and also noticed some events for FIPFS; all these events have "NETWORK SERVICE" showing as the USER, so it looks normal that "User=NETWORK SERVICE" is contained in your events:
[screenshot 4.png]

With the above being said, and considering that the "Message=MS Filtering Engine Update process is running" in the event logs doesn't sound like there's anything wrong, I assume you can rest assured and just ignore this event.

Furthermore, I noticed the thread below, which discussed the application Event 1102, and the reply provided there by Joyce also indicates such kind of logs can be ignored safely:
Microsoft-Filtering-FIPFS
"So it should be different if it comes in security or application event id 1102. And the level of the log above is information, generally Information messages indicate a successful action. We can ignore such kind of logs safely."


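Added example, not part of the thread and not Microsoft code: a small Python triage routine over lines in the same key=value agent format as the log quoted in the question. It encodes the distinction the answer above draws: Event ID 1102 means "audit log cleared" only when it arrives from the Security log with source Microsoft-Windows-Eventlog, while 1102 from Microsoft-Filtering-FIPFS in the Application log is the informational anti-malware update message. The first sample line is the one from the question; the Security 1102 and System 104 lines are constructed for illustration, and the regex, constants and function names are the example's own.

```python
"""Triage Event ID 1102 lines exported in key=value agent format.

The numeric ID alone is ambiguous: the same 1102 is "Security audit log
cleared" in the Security log (source Microsoft-Windows-Eventlog) but a
benign anti-malware update notice from Microsoft-Filtering-FIPFS in the
Application log. Alert on (log, source, ID), never on ID alone.
"""
import re

# A key is \w+ followed by "="; its value runs until the next " key=" or
# the end of the line. Values such as "NETWORK SERVICE" and the free-text
# Message contain spaces, so splitting on whitespace would mangle them.
# (Assumption of this example: the Message text itself contains no "word=".)
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)", re.S)

LOG_CLEARED = "Microsoft-Windows-Eventlog"   # provider of the real "log cleared" events
FIPFS = "Microsoft-Filtering-FIPFS"          # Exchange anti-malware engine updater


def parse_agent_line(line):
    """Return the key=value fields of one agent-format line as a dict."""
    return {k: v.strip() for k, v in KV_RE.findall(line.strip())}


def classify(ev):
    """Return (severity, reason) for one parsed event.

    severity is "high", "info", "review" or "ignore".
    """
    eid = ev.get("EventID")
    log = ev.get("AgentLogFile", "")
    src = ev.get("Source", "")
    if eid == "1102" and log == "Security" and src == LOG_CLEARED:
        return ("high", "Security audit log cleared")
    if eid == "104" and log == "System" and src == LOG_CLEARED:
        # Clearing any other log (Application, System, ...) is reported here.
        return ("high", "event log cleared: " + ev.get("Message", ""))
    if eid == "1102" and log == "Application" and src == FIPFS:
        # Legacy EventType 4 = Information; the Security 1102 is an audit event.
        return ("info", "Exchange FIPFS anti-malware engine update, benign")
    if eid == "1102":
        return ("review", "unrecognized 1102 from %s in %s log" % (src, log))
    return ("ignore", "")


def triage(lines):
    """Parse each line and return a list of (severity, reason, Computer, User)."""
    out = []
    for line in lines:
        ev = parse_agent_line(line)
        sev, why = classify(ev)
        out.append((sev, why, ev.get("Computer", ""), ev.get("User", "")))
    return out


SAMPLE_LINES = [
    # Same shape as the line in the question (values already anonymised there).
    "AgentDevice=WindowsLog AgentLogFile=Application Source=Microsoft-Filtering-FIPFS "
    "Computer=XYZ User=NETWORK SERVICE Domain=NETWORK SERVICE EventID=1102 EventIDCode=1102 "
    "EventType=4 EventCategory=0 RecordNumber=XYZ TimeGenerated=XYZ TimeWritten=XYZ "
    "Message=MS Filtering Engine Update process is running. ",
    # Constructed: a genuine Security audit-log clearance in the same format.
    "AgentDevice=WindowsLog AgentLogFile=Security Source=Microsoft-Windows-Eventlog "
    "Computer=EX01 User=jdoe Domain=CORP EventID=1102 EventIDCode=1102 EventType=8 "
    "EventCategory=104 RecordNumber=1 TimeGenerated=0 TimeWritten=0 "
    "Message=The audit log was cleared.",
    # Constructed: clearance of a non-Security log, reported as 104 in the System log.
    "AgentDevice=WindowsLog AgentLogFile=System Source=Microsoft-Windows-Eventlog "
    "Computer=EX01 User=jdoe Domain=CORP EventID=104 EventIDCode=104 EventType=4 "
    "EventCategory=0 RecordNumber=2 TimeGenerated=0 TimeWritten=0 "
    "Message=The Application log file was cleared.",
]

if __name__ == "__main__":
    for sev, why, host, user in triage(SAMPLE_LINES):
        print("%-6s %-5s %-16s %s" % (sev, host, user, why))
```

Running the script prints one line per event: the FIPFS line comes out as `info`, the two constructed clearance events as `high`. In a SIEM rule the same idea applies: key the "audit log cleared" detection on channel and provider together with the ID, otherwise every Exchange anti-malware update will page the on-call engineer.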

SayedJunaid-5411 commented:

Thank you so much, sir, for all the efforts you have taken to provide this information. Glad that this is safe; I'll ignore this. However, if you come across any official article for 1102 for Exchange in future, please drop the link.
Thank you so much! Really appreciate it!

YukiSun-MSFT commented:

Hi @SayedJunaid-5411

Happy to know that the information above can be of some help. And sure, I will keep you posted if I come across any official document for it in the future :)