Hi Alisha. A security log clearing fires up rule 18118.
I am assuming that you have received emails for other events? If so, try the following:

<email_alerts>
  <email_to>your email address</email_to>
  <rule_id>18118</rule_id>
  <do_not_delay />
  <do_not_group />
</email_alerts>

If however you have never received any emails from ossec then you have to configure email in the global section like this right at the start of your ossec.conf file:

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>your email address</email_to>
    <smtp_server>your email server</smtp_server>
    <email_from>An email address, anything...</email_from>
    <email_maxperhour>20</email_maxperhour>
  </global>
</ossec_config>

Tell me if this helped.

Cheers
Louis

On Wed, Sep 2, 2009 at 5:05 AM, Alisha Kloc wrote:
>
> Hi,
>
> I noticed recently that when I clear the security audit log on my
> Windows XP and Server 2003 machines, no corresponding message shows up
> in OSSEC (either the manager or the log) to report the event. I've
> tested it repeatedly, and tried stopping and restarting both the OSSEC
> manager and the agent, but there's still no message regarding the
> audit log being cleared.
>
> The Windows event appears in the Security log every time, but no
> messages are recorded in the OSSEC log, and when I used a packet
> sniffer to watch the traffic between the agent and the manager, no
> traffic was sent after I cleared the audit log. This suggests that for
> some reason, the OSSEC Windows agent is not seeing the security log
> entry for this event, and therefore is not sending it to the manager
> to be processed by the rules.
>
> The OSSEC log file looks like:
>
> 2009/09/01 18:48:30 ossec-agent(4102): INFO: Connected to the server.
> 2009/09/01 18:48:30 ossec-agent(1951): INFO: Analyzing event log: 'Application'
> 2009/09/01 18:48:30 ossec-agent(1951): INFO: Analyzing event log: 'Security'
> 2009/09/01 18:48:30 ossec-agent(1951): INFO: Analyzing event log: 'System'
> 2009/09/01 18:48:30 ossec-agent(1951): INFO: Analyzing file: 'C:/Windows/pfirewall.log'
> 2009/09/01 18:48:30 ossec-agent: INFO: Started (pid: 1056)
>
> This is after stopping and restarting the manager and the agent, then
> clearing the security audit log three times. Nothing was added to the
> log after the agent was started.
>
> I noticed that another user had experienced this issue, but his
> solution (cycling the agent and the manager) hasn't worked for me. I'd
> greatly appreciate any advice on how to handle this and to find out
> why the agent isn't seeing this event.
>
> Thanks in advance!
> -Alisha
>
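A small check for the two conditions Louis describes (global mail settings in ossec.conf plus an <email_alerts> entry naming the rule), useful before retesting the alert. This is an added example, not code from the thread or from OSSEC itself; it assumes a standard ossec.conf without an XML declaration, and the sample configs are constructed.

```python
import xml.etree.ElementTree as ET


def parse_ossec_conf(conf_text):
    # ossec.conf may hold several <ossec_config> roots, which is not
    # well-formed XML, so wrap the file in a synthetic root first.
    return ET.fromstring("<root>" + conf_text + "</root>")


def check_email_alert_config(conf_text, rule_id="18118"):
    """Return a list of problems that would stop a mail for rule_id."""
    root = parse_ossec_conf(conf_text)
    findings = []
    # Condition 1: mail must be switched on globally, with a server and recipient.
    g = root.find("./ossec_config/global")
    def gtext(tag):
        return (g.findtext(tag) or "").strip() if g is not None else ""
    if gtext("email_notification").lower() != "yes":
        findings.append("global email_notification is not 'yes'")
    if not gtext("smtp_server"):
        findings.append("global smtp_server is missing")
    if not gtext("email_to"):
        findings.append("global email_to is missing")
    # Condition 2: an <email_alerts> block must name the rule (comma lists allowed).
    matching = []
    for alert in root.iter("email_alerts"):
        ids = {i.strip() for r in alert.findall("rule_id")
               for i in (r.text or "").split(",")}
        if rule_id in ids:
            matching.append(alert)
    if not matching:
        findings.append(f"no <email_alerts> block names rule_id {rule_id}")
    for alert in matching:
        if not (alert.findtext("email_to") or "").strip():
            findings.append(f"<email_alerts> for rule {rule_id} has no email_to")
    return findings


# Constructed sample configs (placeholder addresses, not real infrastructure).
GOOD_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>
    <smtp_server>mail.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
</ossec_config>
<ossec_config>
  <email_alerts>
    <email_to>soc@example.com</email_to>
    <rule_id>18118</rule_id>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>"""
BAD_CONF = "<ossec_config><global><email_notification>no</email_notification></global></ossec_config>"
```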
