Hi,

I had some problems with alerting on Win Server 2008 R2. I was constantly getting alerts that the Windows station is shutting down. Since that wasn't the case, I investigated it a little and found that the problem was in rule 18117 and its matching of id 513. Since 2008 has events that begin with 513 (i.e. 5136, 5137, ...), I've modified the rule so it would match just id 513:

<id>^513$|^4609</id>

Best regards,
Branimir
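
The effect of the missing end anchor described in the message above, as an added example that is not part of the original post or of the rule set itself. The rule fragments and event ID list are constructed, the "before" pattern is assumed to be the posted expression without `$`, and Python's `re` stands in for the rule engine's own matcher.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rule fragments. Only the <id> element of RULE_AFTER comes from
# the post; RULE_BEFORE is an assumption (same expression without "$").
RULE_BEFORE = '<rule id="18117"><id>^513|^4609</id></rule>'
RULE_AFTER = '<rule id="18117"><id>^513$|^4609</id></rule>'

# Constructed sample of event IDs: the ones named in the post plus 4609.
SAMPLE_IDS = ["513", "5136", "5137", "4609"]
INTENDED = {"513", "4609"}  # IDs the rule is meant to fire on


def id_alternatives(rule_xml):
    """Return the '|'-separated alternatives of the rule's <id> pattern."""
    return ET.fromstring(rule_xml).findtext("id").split("|")


def unanchored(rule_xml):
    """Alternatives without a trailing '$', which behave as prefix matches."""
    return [alt for alt in id_alternatives(rule_xml) if not alt.endswith("$")]


def matches(rule_xml, event_id):
    """True if any alternative matches the event ID.

    Assumption: for these simple ^/$ patterns, Python's re gives the same
    result as the rule engine's matcher.
    """
    return any(re.search(alt, event_id) for alt in id_alternatives(rule_xml))


def false_hits(rule_xml, event_ids, intended):
    """Event IDs that trigger the rule although they are not intended."""
    return [e for e in event_ids if matches(rule_xml, e) and e not in intended]


if __name__ == "__main__":
    for name, rule in (("before", RULE_BEFORE), ("after", RULE_AFTER)):
        print(name, "prefix-only alternatives:", unanchored(rule))
        print(name, "false hits:", false_hits(rule, SAMPLE_IDS, INTENDED))
```

Running the same check over every `<id>` pattern in a rule file shows which rules would fire on longer event IDs that share a prefix with the intended one.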