Hi, I noticed recently that when I clear the security audit log on my Windows XP and Server 2003 machines, no corresponding message shows up in OSSEC (either the manager or the log) to report the event. I've tested it repeatedly, and tried stopping and restarting both the OSSEC manager and the agent, but there's still no message regarding the audit log being cleared.
The Windows event appears in the Security log every time, but no messages are recorded in the OSSEC log, and when I used a packet sniffer to watch the traffic between the agent and the manager, no traffic was sent after I cleared the audit log. This suggests that for some reason, the OSSEC Windows agent is not seeing the security log entry for this event, and therefore is not sending it to the manager to be processed by the rules. The OSSEC log file looks like:

2009/09/01 18:48:30 ossec-agent(4102): INFO: Connected to the server.
2009/09/01 18:48:30 ossec-agent(1951): INFO: Analyzing event log: 'Application'
2009/09/01 18:48:30 ossec-agent(1951): INFO: Analyzing event log: 'Security'
2009/09/01 18:48:30 ossec-agent(1951): INFO: Analyzing event log: 'System'
2009/09/01 18:48:30 ossec-agent(1951): INFO: Analyzing file: 'C:/ Windows/pfirewall.log'
2009/09/01 18:48:30 ossec-agent: INFO: Started (pid: 1056)

This is after stopping and restarting the manager and the agent, then clearing the security audit log three times. Nothing was added to the log after the agent was started. I noticed that another user had experienced this issue, but his solution (cycling the agent and the manager) hasn't worked for me. I'd greatly appreciate any advice on how to handle this and to find out why the agent isn't seeing this event. Thanks in advance!

-Alisha
