I should have done this before, but I cycled the OSSEC server and all the agents and got it going now. I appreciate you looking into it.

-Derek

> Hi Derek,
>
> I am not able to reproduce it in here... When I clear the event log,
> the first event I get is:
>
> ** Alert 1239126237.65659: mail - windows,logs_cleared,
> 2009 Apr 07 14:43:57 (xxxx) any->WinEvtLog
> Rule: 18118 (level 9) -> 'Windows audit log was cleared.'
> Src IP: (none)
> User: SYSTEM
> WinEvtLog: Security: AUDIT_SUCCESS(517): Security: SYSTEM: NT AUTHORITY: xxx-WIN2K3: The audit log was cleared Primary User Name: SYSTEM Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E7) Client User Name: Administrator Client Domain: xxxxxx Client Logon ID: (0x0,0x66042)
>
> And on the agent log (after I cleared all three logs):
>
> WARN: Event log cleared: 'Security'
> WARN: Event log cleared: 'System'
> WARN: Event log cleared: 'Application'
>
> However, one thing that I just noticed is that you only get the alert
> when you clear the Security event log, not the others. This is because
> the others don't generate the event id 517...
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Tue, Apr 7, 2009 at 11:06 AM, Derek J. Morris <[email protected]> wrote:
>>
>> The event is not even in the ossec.log on the local machine; this happens on
>> Windows 2003 and 2008. That rule is set fine, haven't changed it. Any help
>> would be appreciated.
>>
>> -Derek
>>
>>> Hi Derek,
>>>
>>> It should certainly have fired something. This is the rule we have looking
>>> for event id 517:
>>>
>>> <rule id="18118" level="9">
>>>   <if_sid>18104</if_sid>
>>>   <id>^517</id>
>>>   <description>Windows audit log was cleared.</description>
>>>   <group>logs_cleared,</group>
>>> </rule>
>>>
>>> In addition to that, in the ossec.log from the agent, you should see:
>>>
>>> 2009/03/18 13:49:12 ossec-agentd WARN: Event log cleared: Security
>>>
>>> Can you check for these? Btw, which Windows version do you have?
>>>
>>> Thanks,
>>>
>>> --
>>> Daniel B. Cid
>>> dcid ( at ) ossec.net
>>>
>>> On Mon, Mar 16, 2009 at 3:25 PM, Derek J. Morris <[email protected]> wrote:
>>>>
>>>> I have been clearing Windows App, Sec and System logs all day today and not
>>>> one alert. I have it set for 8 and email on 8's. I am running V2.0 on server
>>>> and Windows clients. Where can I look to see what's wrong?
>>>>
>>>> -Derek
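The point Daniel makes in the thread (rule 18118 only fires for a Security-log clear, because only that produces event 517, while System and Application clears are visible solely in the agent's WARN lines) can be checked with a small model of the rule chain. The following is an added example, not OSSEC's own decoder or rule engine: it splits WinEvtLog lines in the format quoted above, walks an `if_sid` chain up to rule 18118, and scans agent log lines for the "Event log cleared" warning. Rules 18100 and 18104 are modelled by assumption as the WinEvtLog root rule and the AUDIT_SUCCESS rule (the thread only quotes 18118 verbatim); the System-log event and the extra agent log lines are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Optional, List

# Rough model of how a WinEvtLog line is split into fields. This mirrors
# the layout of the alert quoted in the thread; it is an assumption, not
# OSSEC's actual windows decoder.
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<host>[^:]+): (?P<message>.*)$"
)

# Agent-side warning, with or without quotes around the log name
# (both forms appear in the thread).
AGENT_WARN_RE = re.compile(r"WARN: Event log cleared: '?([A-Za-z]+)'?")


@dataclass
class Rule:
    id: int
    level: int
    description: str
    if_sid: Optional[int] = None     # parent rule that must fire first
    status_re: Optional[str] = None  # regex on the AUDIT_*/INFORMATION field
    id_re: Optional[str] = None      # regex on the event id, like <id>^517</id>
    groups: tuple = ()


# Minimal chain. 18100 and 18104 are assumed shapes for the root and
# audit-success rules; 18118 is the rule quoted in the thread.
RULES = [
    Rule(18100, 0, "Group of windows rules"),
    Rule(18104, 3, "Windows audit success event.",
         if_sid=18100, status_re=r"^AUDIT_SUCCESS"),
    Rule(18118, 9, "Windows audit log was cleared.",
         if_sid=18104, id_re=r"^517", groups=("logs_cleared",)),
]


def decode(line: str) -> Optional[dict]:
    """Split one WinEvtLog line into named fields, or None if not Windows."""
    m = WINEVT_RE.match(line)
    return m.groupdict() if m else None


def match_rules(fields: dict) -> Rule:
    """Walk the chain: a child only runs if its if_sid parent fired; the
    deepest match wins, as with OSSEC's tree of rules."""
    fired: List[Rule] = []
    for rule in RULES:
        if rule.if_sid is not None and rule.if_sid not in [r.id for r in fired]:
            continue
        if rule.status_re and not re.search(rule.status_re, fields["status"]):
            continue
        if rule.id_re and not re.search(rule.id_re, fields["id"]):
            continue
        fired.append(rule)
    return fired[-1]


def evaluate(line: str, alert_level: int = 8) -> Optional[dict]:
    """Decode a line, match it, and say whether it crosses the alert
    threshold (Derek's setup: alert and email at level 8)."""
    fields = decode(line)
    if fields is None:
        return None
    rule = match_rules(fields)
    return {"log": fields["log"], "event_id": fields["id"],
            "rule": rule.id, "level": rule.level,
            "alert": rule.level >= alert_level}


def agent_cleared_logs(agent_log_lines: List[str]) -> List[str]:
    """Names of the event logs the agent itself reported as cleared."""
    return [m.group(1) for m in map(AGENT_WARN_RE.search, agent_log_lines) if m]


# Constructed samples: the first line is the event quoted in the thread,
# the second a placeholder System-log entry (no 517 is produced when the
# System or Application log is cleared).
SAMPLE_EVENTS = [
    "WinEvtLog: Security: AUDIT_SUCCESS(517): Security: SYSTEM: NT AUTHORITY: "
    "xxx-WIN2K3: The audit log was cleared Primary User Name: SYSTEM Primary "
    "Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E7) Client User Name: "
    "Administrator Client Domain: xxxxxx Client Logon ID: (0x0,0x66042)",
    "WinEvtLog: System: INFORMATION(1234): ConstructedSource: (no user): "
    "no domain: xxx-WIN2K3: constructed placeholder event",
]

SAMPLE_AGENT_LOG = [
    "2009/03/18 13:49:12 ossec-agentd WARN: Event log cleared: Security",
    "2009/03/18 13:49:30 ossec-agentd WARN: Event log cleared: 'System'",
    "2009/03/18 13:49:45 ossec-agentd WARN: Event log cleared: 'Application'",
    "2009/03/18 13:50:00 ossec-agentd INFO: constructed unrelated line",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(evaluate(line))
    print("agent reported cleared:", agent_cleared_logs(SAMPLE_AGENT_LOG))
```

Running it shows the Security clear landing on rule 18118 at level 9 (above the level-8 threshold), while the System-log sample stops at the root rule with no alert; the three agent WARN lines are the only place all three clears are visible, which is what Daniel observed when he cleared the logs on his test host.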
