The event is not even in the ossec.log on the local machine; this happens on Windows 2003 and 2008. That rule is set fine, haven't changed it. Any help would be appreciated.
-Derek

> Hi Derek,
>
> It should certainly have fired something. This is the rule we have
> looking for event id 517:
>
> <rule id="18118" level="9">
>   <if_sid>18104</if_sid>
>   <id>^517</id>
>   <description>Windows audit log was cleared.</description>
>   <group>logs_cleared,</group>
> </rule>
>
> In addition to that, in the ossec.log from the agent, you should see:
>
> 2009/03/18 13:49:12 ossec-agentd WARN: Event log cleared: Security
>
> Can you check for these? Btw, which Windows version do you have?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Mon, Mar 16, 2009 at 3:25 PM, Derek J. Morris
> <[email protected]> wrote:
>>
>> I have been clearing Windows App, Sec and System logs all day today and not
>> one alert. I have it set for 8 and email on 8's. I am running V2.0 on server and
>> windows clients. Where can I look to see what's wrong?
>>
>> -Derek
