Derek, Can you confirm after clearing your log that there is a new log in the Windows Event Log that says the log has been cleared? Auditing might not be turned on in Windows for this...
-Andy

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Derek J. Morris
Sent: Monday, March 30, 2009 5:59 AM
To: [email protected]
Subject: [ossec-list] Re: Clearing Event Log doesn't trigger anything!

The event is not even in the ossec.log on the local machine; this happens on Windows 2003 and 2008. That rule is set fine, haven't changed it. Any help would be appreciated.

-Derek

> Hi Derek,
>
> It should certainly have fired something. This is the rule we have looking for event id 517:
>
> <rule id="18118" level="9">
>   <if_sid>18104</if_sid>
>   <id>^517</id>
>   <description>Windows audit log was cleared.</description>
>   <group>logs_cleared,</group>
> </rule>
>
> In addition to that, in the ossec.log from the agent, you should see:
>
> 2009/03/18 13:49:12 ossec-agentd WARN: Event log cleared: Security
>
> Can you check for these? Btw, which Windows version do you have?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Mon, Mar 16, 2009 at 3:25 PM, Derek J. Morris <[email protected]> wrote:
>>
>> I have been clearing Windows App, Sec and System logs all day today and not one
>> alert. I have it set for 8 and email on 8's. I am running V2.0 on server and windows clients. Where can I look to see what's wrong?
>>
>> -Derek
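An added example, not code from the thread or from OSSEC itself: a small Python re-implementation of how ossec-analysisd would walk the quoted rule 18118 and its parents over event lines forwarded by the Windows agent. The `WinEvtLog: <log>: <type>(<id>): <source>: <user>: <domain>: <host>: <message>` layout and the parent rules 18100/18104/18101 are reconstructed from memory of OSSEC 2.0 and should be treated as assumptions; the sample lines and the two custom rules in the 100000 local range are constructed for this example. It also shows why a rule that matches only `^517` cannot fire on the Windows 2008 host in the thread: Vista and later record a cleared Security log as event 1102 (and a cleared System log as 104), and 517 is the Windows 2000/XP/2003 ID.

```python
import re

# Constructed sample lines in the layout the OSSEC Windows agent forwards
# ("WinEvtLog: <log>: <type>(<event id>): <source>: <user>: <domain>: <host>: <message>").
# Hosts, users and messages are made up for this example.
SAMPLE_LINES = [
    "WinEvtLog: Security: AUDIT_SUCCESS(517): Security: SYSTEM: NT AUTHORITY: SRV2003: The audit log was cleared.",
    "WinEvtLog: Security: AUDIT_SUCCESS(528): Security: jdoe: CORP: SRV2003: Successful Logon.",
    "WinEvtLog: Security: AUDIT_SUCCESS(1102): Microsoft-Windows-Eventlog: jdoe: CORP: SRV2008: The audit log was cleared.",
    "WinEvtLog: System: INFORMATION(104): Microsoft-Windows-Eventlog: jdoe: CORP: SRV2008: The System log file was cleared.",
]

# Field layout assumed above; a line that does not match is not a Windows event log line.
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): (?P<message>.*)$"
)


def decode(line):
    """Split one forwarded event line into the fields the rules test; None if it is not a WinEvtLog line."""
    m = WINEVT_RE.match(line)
    return m.groupdict() if m else None


def rule(sid, level, if_sid=None, status=None, id_re=None, description=""):
    """Build one rule as a dict: <if_sid>, a <status> regex and an <id> regex, as in OSSEC's rule XML."""
    return {"sid": sid, "level": level, "if_sid": if_sid, "status": status,
            "id_re": id_re, "description": description}


# 18100 and 18104 are reconstructed from OSSEC's msauth_rules.xml from memory (assumption);
# 18118 is the rule quoted by Daniel in the thread.
STOCK_RULES = [
    rule(18100, 0, description="Group of windows rules."),
    rule(18104, 0, if_sid=18100, status=r"^AUDIT_SUCCESS", description="Windows audit success event."),
    rule(18118, 9, if_sid=18104, id_re=r"^517", description="Windows audit log was cleared."),
]

# Hypothetical local rules (100000-119999 is OSSEC's local rule range) covering the IDs that
# Vista/2008 use: 1102 for a cleared Security log, 104 for a cleared System log.
EXTENDED_RULES = STOCK_RULES + [
    rule(18101, 0, if_sid=18100, status=r"^INFORMATION", description="Windows informational event."),
    rule(100001, 9, if_sid=18104, id_re=r"^1102$", description="Windows audit log was cleared (Vista/2008+)."),
    rule(100002, 9, if_sid=18101, id_re=r"^104$", description="Windows System log was cleared (Vista/2008+)."),
]


def match_rules(event, rules):
    """Return the highest-level matching rule, only descending into a child once its if_sid parent matched.

    Simplified view of ossec-analysisd's tree walk: parents must be listed before their children.
    """
    matched = set()
    best = None
    for r in rules:
        if r["if_sid"] is not None and r["if_sid"] not in matched:
            continue
        if r["status"] and not re.match(r["status"], event["status"]):
            continue
        if r["id_re"] and not re.match(r["id_re"], event["id"]):
            continue
        matched.add(r["sid"])
        if best is None or r["level"] >= best["level"]:
            best = r
    return best


def alerts(lines, rules, threshold=8):
    """Return (host, event id, rule sid) for each line whose best rule is at or above the alert level.

    threshold=8 mirrors the "set for 8 and email on 8's" configuration described in the thread.
    """
    out = []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        r = match_rules(ev, rules)
        if r is not None and r["level"] >= threshold:
            out.append((ev["host"], ev["id"], r["sid"]))
    return out


if __name__ == "__main__":
    print("stock rules:   ", alerts(SAMPLE_LINES, STOCK_RULES))
    print("extended rules:", alerts(SAMPLE_LINES, EXTENDED_RULES))
```

With the stock rule set only the Windows 2003 line (event 517) produces a level 9 alert; the 2008 host's 1102 and 104 events pass through the AUDIT_SUCCESS and INFORMATION parents at level 0 and never reach the mail threshold, which is the symptom a matcher anchored on `^517` would show on a newer Windows. The same walk also illustrates the first thing to check when nothing fires at all, as Derek reports: if `decode` returns None for the forwarded line, no rule in the tree is ever evaluated, so confirming the raw event actually arrives in the agent's log comes before tuning rules.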
