I have a Server 2008 R2 64 domain controller.
I am auditing the c:\windows\system32\winevt\logs 'security' file for Everyone FAIL, and auditing in GPO.
Clearing and saving the Event Log 'Security' removes the \windows\system32\winevt\logs group 'everyone' from auditing.
I can add the group 'everyone' back in and have FAIL all, but when I clear and save the security log from Event Viewer again, the group 'everyone' gets removed from auditing again.
P.S. The current rights to this folder are System, Administrators and Eventlog.