We are using the default msauth_rules.xml file, version 1.33, with no
modifications from the original download package, and no custom rules
in the local_rules.xml file.
The ossec.conf file is also default except the following addition:
<!-- Extra log file -->
<ossec_config>
  <localfile>
    <location>[path to firewall log]</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>
And the Syscheck - Integrity Checking config disabled switch is set to
"no", so that we are running Syscheck with all default values.
Everything else is default off-the-shelf (part of the reason I'm
running my tests is to determine what needs to be modified).
Thanks!
-Alisha
On Sep 17, 2:29 pm, Cyberlink <[email protected]> wrote:
> Is there a chance you can send me an extract of your ossec.conf file and a
> copy of the msauth.xml rule file?
>
> You can just blank out you ip addresses and I'll have a look at the configs
> for you.
>
> Cheers.
>
> Louis
>
> On Fri, Sep 18, 2009 at 3:11 AM, Alisha Kloc <[email protected]> wrote:
>
> > Hello,
>
> > I haven't heard anything in a while so I thought I'd ask again. My
> > office is still having trouble with the Ossec Windows agent. For some
> > reason, the Windows agent appears not to see the Security log entry
> > "Windows audit log cleared." No notification of this entry is sent to
> > the Ossec manager (and therefore, no rules are fired), and no activity
> > is recorded in the Ossec logs when this event is generated. All other
> > log events are seen and recorded normally.
>
> > Why would the Ossec Windows agent ignore this specific message, and
> > how can I get it to see the event and pass it on to the manager?
>
> > Thanks very much!
> > -Alisha
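The ossec.conf fragment at the top of this thread is the kind of thing Louis asks to review. The script below is an added example, not part of this thread or of the OSSEC project: it parses the <localfile> blocks of an ossec.conf (which may contain several top-level <ossec_config> elements, so it wraps them in a synthetic root first) and flags an unfilled "[path to ...]" placeholder, a log_format value outside the set OSSEC documents, and a Windows event log name paired with a log_format other than eventlog or eventchannel. The KNOWN_FORMATS list and the constructed sample config are assumptions made for the example.

```python
"""Sanity-check <localfile> entries in an OSSEC ossec.conf fragment (added example)."""
import re
import xml.etree.ElementTree as ET

# log_format values OSSEC documents for <localfile>. Assumption: this list is
# what the example knows about, not an exhaustive list for every OSSEC version.
KNOWN_FORMATS = {
    "syslog", "eventlog", "eventchannel", "snort-full", "snort-fast", "squid",
    "iis", "apache", "mysql_log", "postgresql_log", "nmapg", "command",
    "full_command", "multi-line", "json",
}
# Windows agent event logs are read by name, with log_format eventlog
# (or eventchannel on newer agents), not as syslog files.
WINDOWS_EVENT_LOGS = {"application", "security", "system"}
# Matches an unfilled placeholder such as "[path to firewall log]".
PLACEHOLDER = re.compile(r"^\[.*\]$")


def parse_localfiles(conf_text):
    """Return a list of (location, log_format) tuples from the fragment."""
    # ossec.conf allows several <ossec_config> top-level blocks, which is not
    # well-formed XML on its own, so wrap everything in a synthetic root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    entries = []
    for lf in root.iter("localfile"):
        loc = (lf.findtext("location") or "").strip()
        fmt = (lf.findtext("log_format") or "").strip()
        entries.append((loc, fmt))
    return entries


def check_localfiles(conf_text):
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = []
    entries = parse_localfiles(conf_text)
    if not entries:
        findings.append("no <localfile> entries found")
    for loc, fmt in entries:
        if not loc or PLACEHOLDER.match(loc):
            findings.append(f"location {loc!r} is empty or an unfilled placeholder")
        if fmt not in KNOWN_FORMATS:
            findings.append(f"unknown log_format {fmt!r} for location {loc!r}")
        if loc.lower() in WINDOWS_EVENT_LOGS and fmt not in ("eventlog", "eventchannel"):
            findings.append(
                f"{loc!r} looks like a Windows event log but log_format is {fmt!r}; "
                "expected eventlog (or eventchannel)"
            )
    return findings


# Constructed sample: the thread's firewall-log block with its placeholder left in,
# plus a second block that names the Windows Security log with the wrong format.
SAMPLE_CONF = """<!-- Extra log file -->
<ossec_config>
  <localfile>
    <location>[path to firewall log]</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>
<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>
"""

if __name__ == "__main__":
    for finding in check_localfiles(SAMPLE_CONF):
        print("-", finding)
```

Run it against an exported ossec.conf to get a quick list of localfile entries that are placeholders or have a format that will silently read nothing; a Windows event log named as a syslog file is the sort of mismatch this catches.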