Doing some testing and it looks like this rule is not firing.
<rule id="18118" level="9">
<if_sid>18104</if_sid>
<id>^517</id>
<options>alert_by_email</options>
<description>Windows audit log was cleared.</description>
<group>logs_cleared,</group>
</rule>
Here is my eventlog from Windows 2003 Server.
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 517
Date: 10/30/2008
Time: 1:23:47 PM
User: NT AUTHORITY\SYSTEM
Computer: GONAPASMG01
Description:
The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: GONAPASMG01
Client Logon ID: (0x0,0x2DA130A9)
Can anyone help? I just installed this application and would like to
know more about it.
thanks
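To see how the rule's conditions line up with the event text you posted, here is a small Python check I added (not OSSEC's own decoder or rule engine); it parses the Event Viewer "Key: Value" layout from the post and then emulates the two conditions of rule 18118, assuming parent rule 18104 means "Success Audit" events and that `<id>^517</id>` is a prefix match on the Event ID field:

```python
import re

# Constructed sample: the Windows 2003 Security event from the post, verbatim.
SAMPLE_EVENT = r"""Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 517
Date: 10/30/2008
Time: 1:23:47 PM
User: NT AUTHORITY\SYSTEM
Computer: GONAPASMG01
Description:
The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: GONAPASMG01
Client Logon ID: (0x0,0x2DA130A9)
"""


def parse_event(text):
    """Split Event Viewer text into a dict of 'Key: Value' fields.

    Lines without a colon (the free text under 'Description:') are folded
    into the Description field. Only the first colon splits, so values such
    as 'Time: 1:23:47 PM' survive intact.
    """
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            desc = fields.get("Description", "")
            fields["Description"] = (desc + " " + line.strip()).strip()
            continue
        fields[key.strip()] = value.strip()
    return fields


def audit_log_cleared(fields):
    """Emulate rule 18118: parent 18104 (assumed: Event Type == Success Audit)
    plus <id>^517</id>, treated as an anchored prefix regex on Event ID."""
    if fields.get("Event Type") != "Success Audit":
        return False
    return re.match(r"^517", fields.get("Event ID", "")) is not None
```

Because `^517` is a prefix pattern, an ID such as 5170 would also satisfy the emulated check; a stricter rule would anchor both ends (`^517$`).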