Hi Alisha,

Which version of OSSEC are you using? It should create a log in the ossec.log (in the agent file) and an alert by default on the manager.

On version 2.2 we even added additional checks for that, so even if you don't have auditing enabled you will get the alert. Try going to 2.2 and see if it works.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, Sep 2, 2009 at 12:49 PM, Alisha Kloc <[email protected]> wrote:
>
> Hi,
>
> Thanks for the reply! However, the problem isn't that we're not
> receiving an emailed alert from the OSSEC manager; we've got OSSEC
> configured to send events to a MySQL database and then pass the
> database on to another tool which pulls and tickets events, which
> works fine for all other events and rules. The problem is that the
> "audit log cleared" log entry isn't even making it into the MySQL
> database. As far as I can tell, the agent isn't picking it up on the
> client end - watching via Wireshark, there's no indication of any
> communication between the agent and the manager for that specific log
> entry, even though if I generate other events, there's immediately
> communication, and the other events arrive in the MySQL database. If I
> turn on debugging, there's also no sign in the OSSEC log to indicate
> that the agent is finding the "audit log cleared" entry, or trying to
> communicate with the manager regarding the event.
>
> So the problem appears to be that the OSSEC agent can't see the
> Windows log event "audit log cleared" when it's generated into the
> log, and therefore the entry never gets passed on to the manager to
> fire rule 18118.
>
> Hope that clears things up!
>
> Thanks again for your help,
> -Alisha
>
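
The event the thread is chasing, as an added example that is not part of the original exchange or of OSSEC's own code: a small detector that walks Windows Security events in the line shape the OSSEC agent forwards and flags "audit log cleared" entries, as a stand-in for what rule 18118 matches. The exact WinEvtLog line format is an assumption (simplified), the sample lines are constructed, and the event IDs used are 517 (Windows 2000/XP/2003) and 1102 (Vista/2008 and later).

```python
import re
from dataclasses import dataclass
from typing import List

# Assumed (simplified) shape of a Windows event as the OSSEC agent forwards it:
# "WinEvtLog: <Log>: <TYPE>(<EventID>): <Source>: <User>: <Domain>: <Host>: <Message>"
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<type>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]*): (?P<domain>[^:]*): (?P<host>[^:]+): (?P<message>.*)$"
)

# "The audit log was cleared": 517 on Windows 2000/XP/2003, 1102 on Vista/2008 and later.
AUDIT_LOG_CLEARED_IDS = {"517", "1102"}


@dataclass
class Finding:
    host: str
    user: str
    event_id: str
    message: str


def detect_audit_log_cleared(lines: List[str]) -> List[Finding]:
    """Return one Finding per Security-log event that records an audit log clear."""
    findings = []
    for line in lines:
        m = WINEVT_RE.match(line.strip())
        if not m or m["log"] != "Security":
            continue  # not a Windows Security event; other agent log formats are out of scope
        # Match on the event ID, and fall back to the message text in case the ID differs.
        if m["event_id"] in AUDIT_LOG_CLEARED_IDS or "audit log was cleared" in m["message"].lower():
            findings.append(Finding(m["host"], m["user"], m["event_id"], m["message"]))
    return findings


# Constructed sample lines (not real captures).
SAMPLE_LINES = [
    "WinEvtLog: Security: AUDIT_SUCCESS(528): Security: alisha: CORP: WS01: Successful Logon",
    "WinEvtLog: Security: AUDIT_SUCCESS(517): Security: admin: CORP: WS01: The audit log was cleared.",
    "WinEvtLog: Security: AUDIT_SUCCESS(1102): Microsoft-Windows-Eventlog: admin: CORP: SRV02: The audit log was cleared.",
    "WinEvtLog: Application: INFORMATION(1000): MyApp: (no user): no domain: SRV02: Service started",
]

if __name__ == "__main__":
    for f in detect_audit_log_cleared(SAMPLE_LINES):
        print(f"{f.host}: event {f.event_id} by {f.user}: {f.message}")
```

If the agent never emits such a line for the event at all, as the thread describes, this check shows nothing, which is itself the symptom to chase in the agent's ossec.log.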
