First, I hate \w; second, there's no space between P1 and $ in the alert example you posted. If that doesn't fix it you may have to give us a log sample to test with (using ossec-logtest as always).
On Mon, Apr 9, 2012 at 4:04 PM, <[email protected]> wrote:
> Can someone help me with this rule to filter out computer logon and logoff
> events? Since all computer accounts end with the $ I figured I could just
> filter on that, for example
>
> WinEvtLog Rule: 18149 (level 3) -> 'Windows User Logoff.' Src IP: (none)
> User: W-ABC-3ND88P1$ WinEvtLog: Security: AUDIT_SUCCESS(4634)
>
> Here is what I have but it is not working. I have tried several variations
> of the regex but no luck with anything. Sure it is something simple but I
> am just not hitting the right combination.
>
> <rule id="102002" level="0">
> <if_sid>18149</if_sid>
> <regex>User: w+ \$</regex>
> <description>Ignore machine logoff</description>
> </rule>
>
> Thanks for the help.
> Karl
>
> The information transmitted is intended only for the person or entity to
> which it is addressed and may contain confidential and/or privileged
> material. Any review, retransmission, dissemination or other use of, or
> taking of any action in reliance upon this information by persons or
> entities other than the intended recipient is prohibited. If you received
> this in error, please contact the sender and destroy any copies of this
> document.
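Added example, not part of the thread: a small Python harness that runs the regex as posted and a corrected variant (backslash restored, stray space before `\$` removed) against the alert line quoted above plus a constructed alert for an ordinary user. Python's `re` is only a stand-in for the OSSEC matcher; OSSEC's own regex dialect differs (its `\w`, `\S` and `$` handling are not Python's), so the authoritative check remains ossec-logtest. The `USER_LOGOFF` line, the pattern names and the helper functions are assumptions made for the demo.

```python
import re

# Alert line quoted in the thread: a machine account, whose name ends in "$".
MACHINE_LOGOFF = (
    "WinEvtLog Rule: 18149 (level 3) -> 'Windows User Logoff.' "
    "Src IP: (none) User: W-ABC-3ND88P1$ WinEvtLog: Security: AUDIT_SUCCESS(4634)"
)

# Constructed counterpart for a human user; a level-0 "ignore" rule must NOT
# match this one, or real logoffs would be silenced too.
USER_LOGOFF = (
    "WinEvtLog Rule: 18149 (level 3) -> 'Windows User Logoff.' "
    "Src IP: (none) User: karl WinEvtLog: Security: AUDIT_SUCCESS(4634)"
)

PATTERNS = {
    # As posted: "w+" is one or more literal 'w' (the backslash is missing),
    # and there is a space before "\$" that the alert text does not contain.
    "as_posted": r"User: w+ \$",
    # Corrected: a run of non-space characters, a literal "$" directly after
    # it, then the space that separates the user field from "WinEvtLog:".
    # \S rather than \w so hyphens in the hostname (W-ABC-...) are covered.
    "corrected": r"User: \S+\$ ",
}


def matches(pattern: str, line: str) -> bool:
    """True if the pattern is found anywhere in the alert line (like a <regex> match)."""
    return re.search(pattern, line) is not None


def evaluate() -> dict:
    """Return {pattern_name: (matched_machine_alert, matched_user_alert)}.

    The desired outcome is (True, False): ignore the machine account,
    keep alerting on the human one.
    """
    return {
        name: (matches(pat, MACHINE_LOGOFF), matches(pat, USER_LOGOFF))
        for name, pat in PATTERNS.items()
    }


def should_ignore(line: str) -> bool:
    """Decision the level-0 rule would take with the corrected pattern."""
    return matches(PATTERNS["corrected"], line)


if __name__ == "__main__":
    for name, (machine, user) in evaluate().items():
        print(f"{name:10s} machine={machine!s:5s} user={user!s:5s}")
```

The second, constructed line is the real value of the test: a pattern that matches the machine logoff is only correct if it also leaves ordinary user logoffs untouched, which is exactly what ossec-logtest should confirm before the rule goes into local_rules.xml.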
