Hi,

Thanks for the reply! However, the problem isn't that we're not receiving an emailed alert from the OSSEC manager; we've got OSSEC configured to send events to a MySQL database and then pass the database on to another tool which pulls and tickets events, which works fine for all other events and rules. The problem is that the "audit log cleared" log entry isn't even making it into the MySQL database. As far as I can tell, the agent isn't picking it up on the client end: watching via Wireshark, there's no indication of any communication between the agent and the manager for that specific log entry, even though if I generate other events, there's immediately communication, and the other events arrive in the MySQL database. If I turn on debugging, there's also no sign in the OSSEC log to indicate that the agent is finding the "audit log cleared" entry, or trying to communicate with the manager regarding the event.

So the problem appears to be that the OSSEC agent can't see the Windows log event "audit log cleared" when it's generated into the log, and therefore the entry never gets passed on to the manager to fire rule 18118. Hope that clears things up!

Thanks again for your help,
-Alisha
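A quick way to confirm on the manager side whether a given rule ever fired (here, rule 18118 from the thread) is to scan the manager's alerts.log and count alerts per rule ID. The script below is an added example, not code from the thread or from the OSSEC project; it assumes the standard OSSEC alerts.log layout where each alert carries a `Rule: <id> (level <n>) -> '<description>'` line. The embedded sample log is constructed: only rule ID 18118 comes from the thread, and the other rule IDs, descriptions and hosts are made-up placeholders.

```python
import re
from collections import Counter

# Constructed sample of OSSEC alerts.log content for offline testing.
# Rule IDs 18105/18107, their descriptions and the host are invented;
# the absence of rule 18118 mirrors the symptom described in the thread.
SAMPLE_ALERTS = """\
** Alert 1546300800.100: - windows,
2019 Jan 01 00:00:00 (win-host) 192.0.2.10->WinEvtLog
Rule: 18105 (level 5) -> 'Constructed: Windows audit failure event.'
WinEvtLog: Security: AUDIT_FAILURE(4625): ...

** Alert 1546300860.200: - windows,
2019 Jan 01 00:01:00 (win-host) 192.0.2.10->WinEvtLog
Rule: 18107 (level 3) -> 'Constructed: Windows user logoff.'
WinEvtLog: Security: AUDIT_SUCCESS(4634): ...
"""

# Matches the "Rule:" line of each alert block in alerts.log.
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$", re.MULTILINE)


def count_rules(alert_text):
    """Return a Counter mapping rule ID -> number of alerts in the given text."""
    return Counter(int(m.group(1)) for m in RULE_RE.finditer(alert_text))


def rule_seen(alert_text, rule_id):
    """True if at least one alert for rule_id appears in the text."""
    return count_rules(alert_text).get(rule_id, 0) > 0


def missing_expected_rules(alert_text, expected_rule_ids):
    """Return the subset of expected rule IDs that never produced an alert.

    Use this after deliberately generating test events on the agent: any rule
    still listed here did not reach the manager, which narrows the problem to
    the agent side (log collection or agent->manager transport) rather than
    the manager's database or ticketing integration.
    """
    return [rid for rid in expected_rule_ids if not rule_seen(alert_text, rid)]


def load_alerts(path="/var/ossec/logs/alerts/alerts.log"):
    """Read the manager's alerts.log (default path assumed, adjust as needed)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    # Run against the constructed sample; swap in load_alerts() for a real manager.
    counts = count_rules(SAMPLE_ALERTS)
    for rid, n in sorted(counts.items()):
        print(f"rule {rid}: {n} alert(s)")
    print("never fired:", missing_expected_rules(SAMPLE_ALERTS, [18105, 18118]))
```

If 18118 is missing from alerts.log while other rules from the same agent are present, the manager's decoding and database output are not the failure point, which is consistent with the agent-side diagnosis above (no traffic in Wireshark, nothing in the agent debug log).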
