Hi Derek, I am not able to reproduce it in here... When I clear the event log, the first event I get is:

** Alert 1239126237.65659: mail - windows,logs_cleared,
2009 Apr 07 14:43:57 (xxxx) any->WinEvtLog
Rule: 18118 (level 9) -> 'Windows audit log was cleared.'
Src IP: (none)
User: SYSTEM
WinEvtLog: Security: AUDIT_SUCCESS(517): Security: SYSTEM: NT AUTHORITY: xxx-WIN2K3: The audit log was cleared Primary User Name: SYSTEM Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E7) Client User Name: Administrator Client Domain: xxxxxx Client Logon ID: (0x0,0x66042)

And on the agent log (after I cleared all three logs):

WARN: Event log cleared: 'Security'
WARN: Event log cleared: 'System'
WARN: Event log cleared: 'Application'

However, one thing that I just noticed is that you only get the alert when you clear the Security event log, not the others. This is because the others don't generate the event id 517...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Apr 7, 2009 at 11:06 AM, Derek J. Morris <[email protected]> wrote:
>
> The event is not even in the ossec.log on the local machine, this happens on
> Windows 2003 and 2008. That rule is set fine, haven't changed it. Any help
> would be appreciated.
>
> -Derek
>
>> Hi Derek,
>>
>> It should certainly have fired something. This is the rule we have looking
>> for event id 517:
>>
>> <rule id="18118" level="9">
>>   <if_sid>18104</if_sid>
>>   <id>^517</id>
>>   <description>Windows audit log was cleared.</description>
>>   <group>logs_cleared,</group>
>> </rule>
>>
>> In addition to that, in the ossec.log from the agent, you should see:
>>
>> 2009/03/18 13:49:12 ossec-agentd WARN: Event log cleared: Security
>>
>> Can you check for these? Btw, which Windows version do you have?
>>
>> Thanks,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On Mon, Mar 16, 2009 at 3:25 PM, Derek J. Morris
>> <[email protected]> wrote:
>>>
>>> I have been clearing Windows App, Sec and System logs all day today and not
>>> one alert. I have it set for 8 and email on 8's. I am running V2.0 on server and
>>> windows clients. Where can I look to see what's wrong?
>>>
>>> -Derek
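The rule chain discussed in this thread, as an added Python example (not OSSEC's own code): it decodes the WinEvtLog line shape seen in the alert, applies a small rule table mirroring rule 18118 and its if_sid parent, and separately catches the agent-side "Event log cleared" warning, which is the only signal for the System and Application logs since they produce no event 517. Assumed: rule 18104 is the parent rule matching AUDIT_SUCCESS events, and the decoded field order `WinEvtLog: <log>: <status>(<id>): <source>: <user>: <domain>: <host>: <message>`; the sample lines are constructed.

```python
import re

# Field layout of an OSSEC-decoded Windows event line (assumed from the alert in the thread).
WINEVT_RE = re.compile(
    r"WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): (?P<msg>.*)"
)
# Agent-side warning written to ossec.log when any event log is cleared.
AGENT_RE = re.compile(r"ossec-agentd WARN: Event log cleared: '?(?P<log>[A-Za-z]+)'?")

# Rule table mirroring the XML in the thread: sid -> (if_sid parent, id regex, level, description).
# 18104 as the generic "audit success" parent is an assumption, not taken from the thread.
RULES = {
    18104: (None, None, 3, "Windows audit success event"),
    18118: (18104, r"^517", 9, "Windows audit log was cleared."),
}

def decode_winevtlog(line):
    """Split a WinEvtLog line into its fields, or return None if it is not one."""
    m = WINEVT_RE.search(line)
    return m.groupdict() if m else None

def evaluate(fields):
    """Return the highest-level matching rule id for decoded fields, honouring if_sid."""
    matched = set()
    if fields["status"] == "AUDIT_SUCCESS":
        matched.add(18104)                       # parent rule fires first
    for sid, (parent, id_re, _level, _desc) in RULES.items():
        if parent in matched and re.match(id_re, fields["id"]):
            matched.add(sid)                     # child requires parent + event id
    return max(matched, key=lambda s: RULES[s][2]) if matched else None

def agent_log_cleared(line):
    """Return the name of the cleared log from an agent WARN line, else None."""
    m = AGENT_RE.search(line)
    return m.group("log") if m else None

# Constructed sample input: a Security 517 event and an unrelated System event.
SAMPLE_SECURITY = ("WinEvtLog: Security: AUDIT_SUCCESS(517): Security: SYSTEM: NT AUTHORITY: "
                   "host-WIN2K3: The audit log was cleared Client User Name: Administrator")
SAMPLE_SYSTEM = ("WinEvtLog: System: INFORMATION(6005): EventLog: (no user): no domain: "
                 "host-WIN2K3: The Event log service was started.")
SAMPLE_AGENT = "2009/03/18 13:49:12 ossec-agentd WARN: Event log cleared: 'System'"

if __name__ == "__main__":
    for line in (SAMPLE_SECURITY, SAMPLE_SYSTEM):
        print(evaluate(decode_winevtlog(line)))   # 18118, then None
    print(agent_log_cleared(SAMPLE_AGENT))        # System
```

Clearing System or Application yields no rule hit from the event itself, so the agent-log warning is the line to alert on for those logs.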
