Hi Daniel,

We are currently using version 1.6.1 (we can't upgrade at this time due to policy, unfortunately).

What I'm really confused about is that all other Windows events are logged and processed normally. The only thing I can think of, which I haven't managed to repeat and record, is that at one point during the tests we noticed that the OSSEC Windows agent wasn't seeing the first event in any log - Application, Security, or System. It appeared to fix itself in the other two logs after a few more tests, but since the "audit log cleared" event is by default the first log in the Security log, and cannot be anything other than the first (and no other event can be the first in the Security log), perhaps that's the reason? I'll keep trying to get it to repeat and if I can, I'll post the logs...

Thanks!
-Alisha

On Sep 18, 10:41 am, Daniel Cid <[email protected]> wrote:
> Hi Alisha,
>
> Which version of OSSEC are you using? It should create a log in the
> ossec.log (in the agent file) and an alert by default on the manager.
>
> On version 2.2 we even added additional checks for that so even if you
> don't have auditing enabled you will get the alert. Try going to 2.2
> and see if it works.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Wed, Sep 2, 2009 at 12:49 PM, Alisha Kloc <[email protected]> wrote:
> >
> > Hi,
> >
> > Thanks for the reply! However, the problem isn't that we're not
> > receiving an emailed alert from the OSSEC manager; we've got OSSEC
> > configured to send events to a MySQL database and then pass the
> > database on to another tool which pulls and tickets events, which
> > works fine for all other events and rules. The problem is that the
> > "audit log cleared" log entry isn't even making it into the MySQL
> > database.
> >
> > As far as I can tell, the agent isn't picking it up on the
> > client end - watching via Wireshark, there's no indication of any
> > communication between the agent and the manager for that specific log
> > entry, even though if I generate other events, there's immediately
> > communication, and the other events arrive in the MySQL database. If I
> > turn on debugging, there's also no sign in the OSSEC log to indicate
> > that the agent is finding the "audit log cleared" entry, or trying to
> > communicate with the manager regarding the event.
> >
> > So the problem appears to be that the OSSEC agent can't see the
> > Windows log event "audit log cleared" when it's generated into the
> > log, and therefore the entry never gets passed on to the manager to
> > fire rule 18118.
> >
> > Hope that clears things up!
> >
> > Thanks again for your help,
> > -Alisha
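The thread's complaint is that a test clear of the Security log never surfaces as a rule 18118 alert downstream, while every other event does. A simple way to keep catching that kind of gap is to treat it as a pipeline check: after a test event, read the manager's alert stream and confirm the expected rule fired for the expected agent within the test window. The Python below is an added example, not code from this thread, from OSSEC or from its authors. It assumes the alerts.log layout (a "** Alert <epoch>.<seq>:" header, a timestamp/agent/location line, then a "Rule: NNNN (level N) -> '...'" line); the sample alert text, hostnames, addresses and the non-18118 rule entries are constructed for illustration.

```python
"""Check an OSSEC alerts.log-style stream for expected rule IDs.

Added example. Log layout is an assumption about alerts.log; all sample
entries below are constructed, not captured from a real manager.
"""
import re
from typing import Dict, Iterable, List, Optional, Set

# Header of one alert block, e.g. "** Alert 1251910140.1001: - windows,"
ALERT_HEADER = re.compile(r"^\*\* Alert (?P<epoch>\d+)\.(?P<seq>\d+): ")
# Second line, e.g. "2009 Sep 02 12:49:00 (winhost01) 192.0.2.10->WinEvtLog"
LOCATION_LINE = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} "
    r"\((?P<agent>[^)]+)\) (?P<src>\S+)->(?P<location>\S+)$"
)
# Rule line, e.g. "Rule: 18118 (level 8) -> 'Windows Audit log was cleared.'"
RULE_LINE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text: str) -> List[Dict[str, object]]:
    """Split alerts.log-style text into one dict per alert block."""
    alerts: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            current = {"epoch": int(m.group("epoch")), "rule": None,
                       "level": None, "desc": "", "agent": None, "location": None}
            alerts.append(current)
            continue
        if current is None:
            continue  # text before the first header is ignored
        m = LOCATION_LINE.match(line)
        if m:
            current["agent"] = m.group("agent")
            current["location"] = m.group("location")
            continue
        m = RULE_LINE.match(line)
        if m:
            current["rule"] = int(m.group("rule"))
            current["level"] = int(m.group("level"))
            current["desc"] = m.group("desc")
    return alerts


def missing_rules(alerts: Iterable[Dict[str, object]], expected: Iterable[int],
                  agent: Optional[str] = None, since_epoch: int = 0) -> Set[int]:
    """Return the expected rule IDs that did not fire (for `agent`, after `since_epoch`)."""
    seen = {a["rule"] for a in alerts
            if a["epoch"] >= since_epoch and (agent is None or a["agent"] == agent)}
    return set(expected) - seen


# Constructed sample: two ordinary Windows alerts, no audit-log-cleared alert.
SAMPLE_NO_CLEAR = """\
** Alert 1251910140.1001: - windows,
2009 Sep 02 12:49:00 (winhost01) 192.0.2.10->WinEvtLog
Rule: 18105 (level 5) -> 'Windows Logon Failure.'
User: tester
2009 Sep 02 12:48:59 WinEvtLog: Security: AUDIT_FAILURE(529): Security: tester: WINHOST01: Logon Failure

** Alert 1251910200.1002: - windows,
2009 Sep 02 12:50:00 (winhost01) 192.0.2.10->WinEvtLog
Rule: 18104 (level 3) -> 'Windows User Logoff.'
User: tester
2009 Sep 02 12:49:59 WinEvtLog: Security: AUDIT_SUCCESS(538): Security: tester: WINHOST01: User Logoff
"""

# Constructed sample: the same stream plus the alert the thread expects to see.
SAMPLE_WITH_CLEAR = SAMPLE_NO_CLEAR + """
** Alert 1251910260.1003: - windows,
2009 Sep 02 12:51:00 (winhost01) 192.0.2.10->WinEvtLog
Rule: 18118 (level 8) -> 'Windows Audit log was cleared.'
User: Administrator
2009 Sep 02 12:50:59 WinEvtLog: Security: AUDIT_SUCCESS(517): Security: Administrator: WINHOST01: The audit log was cleared
"""


def check_window(text: str, agent: str, since_epoch: int,
                 expected: Iterable[int] = (18118,)) -> Set[int]:
    """Parse `text` and report which expected rules are absent for the test window."""
    return missing_rules(parse_alerts(text), expected, agent=agent, since_epoch=since_epoch)


if __name__ == "__main__":
    for name, sample in (("no clear", SAMPLE_NO_CLEAR), ("with clear", SAMPLE_WITH_CLEAR)):
        gap = check_window(sample, agent="winhost01", since_epoch=1251910000)
        print(f"{name}: missing rules {sorted(gap) or 'none'}")
```

Point the script at the manager's alerts.log after a test clear like the one Alisha describes, with `since_epoch` set to the start of the test; an empty result means the event made it through the agent and the manager, and a non-empty one localises the gap to somewhere before the alert was written, which is where the Wireshark and agent-debug checks in the thread come in.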
