Hi Derek,
It should certainly have fired something. This is the rule we have
looking for event id 517:
    <rule id="18118" level="9">
      <if_sid>18104</if_sid>
      <id>^517</id>
      <description>Windows audit log was cleared.</description>
      <group>logs_cleared,</group>
    </rule>
In addition to that, in the ossec.log from the agent, you should see:
2009/03/18 13:49:12 ossec-agentd WARN: Event log cleared: Security
Can you check for these? Btw, which Windows version do you have?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
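As an added illustration (not part of the thread, and not OSSEC's own matching engine), the following Python script models the two checks described above: whether rule 18118 would fire for a given Windows event id once its parent rule 18104 has matched, and whether the agent's ossec.log contains the "Event log cleared" warning. The rule XML is the one quoted above; the ossec.log lines are constructed sample input, and the matching logic is a simplified stand-in for OSSEC's rule evaluation.

```python
import re
import xml.etree.ElementTree as ET

# Rule as posted in the thread. Only the fields used below are modelled;
# this is a simplified stand-in, not OSSEC's real decoder/rule engine.
RULE_XML = """<rule id="18118" level="9">
<if_sid>18104</if_sid>
<id>^517</id>
<description>Windows audit log was cleared.</description>
<group>logs_cleared,</group>
</rule>"""


def load_rule(xml_text):
    """Parse one OSSEC-style <rule> element into a dict."""
    root = ET.fromstring(xml_text)
    return {
        "id": root.get("id"),
        "level": int(root.get("level")),
        "if_sid": root.findtext("if_sid"),
        "id_regex": re.compile(root.findtext("id")),
        "description": root.findtext("description"),
        # OSSEC group lists are comma-terminated; drop the empty trailing entry.
        "groups": [g for g in root.findtext("group").split(",") if g],
    }


def rule_matches(rule, event_id, parent_sids, alert_level):
    """Return (matched, alerted).

    matched: the parent rule named in <if_sid> already fired and the
             Windows event id satisfies the <id> regex.
    alerted: matched and the rule's level reaches the configured alert level
             (Derek's setup alerts at level 8; this rule is level 9).
    """
    parent_ok = rule["if_sid"] in parent_sids
    id_ok = rule["id_regex"].search(str(event_id)) is not None
    matched = parent_ok and id_ok
    return matched, matched and rule["level"] >= alert_level


# Constructed ossec.log excerpt from an agent; the first line mirrors the
# format quoted in the thread, the others are filler to show filtering.
AGENT_LOG = """2009/03/18 13:49:12 ossec-agentd WARN: Event log cleared: Security
2009/03/18 13:49:13 ossec-agentd(1234): INFO: Connected to server
2009/03/18 13:52:40 ossec-agentd WARN: Event log cleared: Application
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ossec-agentd WARN: Event log cleared: (?P<log>\S+)$"
)


def cleared_logs(log_text):
    """Return [(timestamp, log_name)] for every 'Event log cleared' warning."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            found.append((m.group("ts"), m.group("log")))
    return found


if __name__ == "__main__":
    rule = load_rule(RULE_XML)
    print("event 517 after parent 18104:", rule_matches(rule, 517, {"18104"}, 8))
    print("event 517, parent not matched:", rule_matches(rule, 517, set(), 8))
    for ts, name in cleared_logs(AGENT_LOG):
        print(f"{ts}: {name} log cleared on agent")
```

If the script's first check returns (True, True) but the real server produced nothing, the place to look is the step before the rule: the agent must have forwarded the event and rule 18104 must have matched it, which is what the ossec.log warning on the agent side confirms.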
On Mon, Mar 16, 2009 at 3:25 PM, Derek J. Morris <[email protected]> wrote:
>
> I have been clearing Windows App, Sec and System logs all day today and not
> one alert. I have it set for 8 and email on 8's. I am running V2.0 on server
> and windows clients. Where can I look to see what's wrong?
>
> -Derek