Hello, I haven't heard anything in a while so I thought I'd ask again. My office is still having trouble with the Ossec Windows agent. For some reason, the Windows agent appears not to see the Security log entry "Windows audit log cleared." No notification of this entry is sent to the Ossec manager (and therefore, no rules are fired), and no activity is recorded in the Ossec logs when this event is generated. All other log events are seen and recorded normally.
Why would the Ossec Windows agent ignore this specific message, and how can I get it to see the event and pass it on to the manager?

Thanks very much!
-Alisha
