Is there a chance you can send me an extract of your ossec.conf file and a copy of the msauth.xml rule file?
You can just blank out your IP addresses and I'll have a look at the configs for you.

Cheers.
Louis

On Fri, Sep 18, 2009 at 3:11 AM, Alisha Kloc <[email protected]> wrote:
>
> Hello,
>
> I haven't heard anything in a while so I thought I'd ask again. My
> office is still having trouble with the Ossec Windows agent. For some
> reason, the Windows agent appears not to see the Security log entry
> "Windows audit log cleared." No notification of this entry is sent to
> the Ossec manager (and therefore, no rules are fired), and no activity
> is recorded in the Ossec logs when this event is generated. All other
> log events are seen and recorded normally.
>
> Why would the Ossec Windows agent ignore this specific message, and
> how can I get it to see the event and pass it on to the manager?
>
> Thanks very much!
> -Alisha
>
