Yes, everything is set fine on the Windows end. I get nothing on the OSSEC side.
> Derek,
>
> Can you confirm after clearing your log that there is a new log in the Windows
> Event Log that says the log has been cleared?
> Auditing might not be turned on in Windows for this...
>
> -Andy
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Derek J. Morris
> Sent: Monday, March 30, 2009 5:59 AM
> To: [email protected]
> Subject: [ossec-list] Re: Clearing Event Log doesnt trigger anything!
>
>
> The event is not even in the ossec.log on the local machine; this happens on
> Windows 2003 and 2008. That rule is set fine, haven't changed it. Any help
> would be appreciated.
>
> -Derek
>
>> Hi Derek,
>>
>> It should certainly have fired something. This is the rule we have looking
>> for event ID 517:
>>
>> <rule id="18118" level="9">
>>   <if_sid>18104</if_sid>
>>   <id>^517</id>
>>   <description>Windows audit log was cleared.</description>
>>   <group>logs_cleared,</group>
>> </rule>
>>
>> In addition to that, in the ossec.log from the agent, you should see:
>>
>> 2009/03/18 13:49:12 ossec-agentd WARN: Event log cleared: Security
>>
>> Can you check for these? Btw, which Windows version do you have?
>>
>> Thanks,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>>
>> On Mon, Mar 16, 2009 at 3:25 PM, Derek J. Morris
>> <[email protected]> wrote:
>>>
>>> I have been clearing Windows App, Sec and System logs all day today and not
>>> one alert. I have it set for 8 and email on 8's. I am running V2.0 on server
>>> and Windows clients. Where can I look to see what's wrong?
>>>
>>> -Derek
>>>
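As an added example, not code from the thread or from OSSEC itself, here is a small Python evaluator that applies the rule 18118 quoted above to constructed Windows event lines and checks an ossec.log for the agent's "Event log cleared" warning, the two things Daniel asks Derek to verify. The "WinEvtLog: ..." field layout, the host and user names, and the assumption that parent rule 18104 fires for every decoded Windows event are mine, not from the page; it also shows that `^517` as written is a prefix match.

```python
import re
import xml.etree.ElementTree as ET
# Rule 18118 exactly as quoted in the thread (child of the generic Windows rule 18104).
RULE_XML = """<rule id="18118" level="9">
  <if_sid>18104</if_sid>
  <id>^517</id>
  <description>Windows audit log was cleared.</description>
  <group>logs_cleared,</group>
</rule>"""

# Constructed sample events; the "WinEvtLog: <log>: <type>(<id>): <source>: <user>: <domain>: <host>: <msg>"
# layout is an assumption about the agent's wire format, not copied from the thread.
SAMPLE_EVENTS = [
    "WinEvtLog: Security: AUDIT_SUCCESS(517): Security: SYSTEM: NT AUTHORITY: SRV01: The audit log was cleared.",
    "WinEvtLog: Security: AUDIT_SUCCESS(528): Security: derek: CORP: SRV01: Successful Logon.",
    "WinEvtLog: Application: INFORMATION(5170): MyApp: N/A: N/A: SRV01: Service started.",
    "Mar 18 13:49:12 srv01 sshd[100]: Accepted publickey for derek",  # not a Windows event at all
]
# Constructed ossec.log lines from the agent; the WARN line is the one Daniel says should appear.
SAMPLE_AGENT_LOG = [
    "2009/03/18 13:49:10 ossec-agentd: INFO: Started (pid: 1234).",
    "2009/03/18 13:49:12 ossec-agentd WARN: Event log cleared: Security",
]

WINEVT_RE = re.compile(r"^WinEvtLog: (?P<log>[^:]+): (?P<type>[A-Z_]+)\((?P<id>\d+)\): ")
AGENT_CLEARED_RE = re.compile(r"ossec-agentd WARN: Event log cleared: (?P<log>\w+)$")

def parse_rule(xml_text):
    r = ET.fromstring(xml_text)  # pull only the fields this evaluator needs
    return {"id": r.get("id"), "level": int(r.get("level")), "if_sid": r.findtext("if_sid"),
            "id_re": re.compile(r.findtext("id")), "description": r.findtext("description")}

def evaluate(line, rule, parent_sid="18104"):
    """Alert dict if the line fires the rule, else None. Assumes parent 18104 fires for every WinEvtLog line."""
    m = WINEVT_RE.match(line)
    if m is None or rule["if_sid"] != parent_sid:
        return None  # not a decoded Windows event, so the parent (and hence this child) never fires
    # Caveat: "^517" is only a prefix match here, so id 5170 fires too; "^517$" pins it to 517 exactly.
    if not rule["id_re"].match(m.group("id")):
        return None
    return {"rule": rule["id"], "level": rule["level"], "log": m.group("log"),
            "event_id": m.group("id"), "description": rule["description"]}

def alerts_for(lines, rule_xml=RULE_XML):
    rule = parse_rule(rule_xml)
    return [a for a in (evaluate(ln, rule) for ln in lines) if a is not None]

def agent_cleared_logs(agent_log_lines):
    """Logs the agent itself reported as cleared: the second thing the thread says to check."""
    return [m.group("log") for m in map(AGENT_CLEARED_RE.search, agent_log_lines) if m]
```

If the cleared-log event never reaches the agent (no 517 line and no WARN line), the problem is upstream of the rule, which is Andy's point about Windows auditing not being enabled.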
