Hi Jesus! I discovered the error. It was not the @, it was a space in the field "Account Name: host$": sometimes the log comes with an extra space in this field, and therefore it did not fall in the rule. But I put a space in the regex.
It looked like this: <regex>Account Name: \S+\$|Account Name: \S+\$</regex>

Thanks a lot for the help!

On Tuesday, October 11, 2016 at 04:22:43 UTC-3, Jesus Linares wrote:
>
> I didn't test it, but it seems OSSEC tries to use "$\S+" as a variable.
>
> You could do something like:
> <match>@domain</match>
> <regex>Account Name: \S+\$</regex>
>
> Regards.
>
> On Monday, October 10, 2016 at 10:28:37 PM UTC+2,
> roberto....@phoebustecnologia.com.br wrote:
>>
>> hi!
>> I'm using this solution in my ossec. But I have another question.
>> I also wanted to ignore the following entry:
>> host$@domain
>>
>> Can anyone help?
>>
>> Already tried:
>>
>> <regex>Account Name: \S+\$@\S+</regex>
>> <regex>Account Name: \S+\$\S+</regex>
>> <regex>Account Name: \S+\$'@'\S+</regex>
>> <regex>Account Name: \S+\$\S+</regex>
>> <regex>Account Name: \S+\$\\S+</regex>
>> <regex>Account Name: \S+\$\\w</regex>
>>
>> Always gives an error. For example, when I use ossec-logtest:
>>
>> XMLERR: Unknown variable: '\S+'.. error for:
>> <regex>Account Name: \S+\$\S+</regex>
>>
>> XMLERR: Unknown variable: '@\S+'.. error for:
>> <regex>Account Name: \S+\$@\S+</regex>
>>
>>
>> On Tuesday, April 17, 2012 at 16:08:29 UTC-3, ash kumar wrote:
>>>
>>> This should do it
>>>
>>> <regex>User Name: \S+\$|Account Name: \S+\$</regex>
>>>
>>> Ash Kumar
>>>
>>> On Monday, April 9, 2012 4:04:16 PM UTC-4, (unknown) wrote:
>>>>
>>>> Can someone help me with this rule to filter out computer logon and
>>>> logoff events? Since all computer accounts end with the $ I figured I
>>>> could just filter on that, for example
>>>>
>>>> WinEvtLog Rule: 18149 (level 3) -> 'Windows User Logoff.' Src IP:
>>>> (none) User: W-ABC-3ND88P1$ WinEvtLog: Security: AUDIT_SUCCESS(4634)
>>>>
>>>>
>>>> Here is what I have but it is not working. I have tried several
>>>> variations of the regex but no luck with anything. Sure it is something
>>>> simple but I am just not hitting the right combination.
>>>>
>>>> <rule id="102002" level="0">
>>>> <if_sid>18149</if_sid>
>>>> <regex>User: w+ \$</regex>
>>>> <description>Ignore machine logoff</description>
>>>> </rule>
>>>>
>>>> Thanks for the help.
>>>> Karl
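Since the whole thread turns on how the OSSEC regex dialect reads these patterns and why an extra space after "Account Name:" makes the strict rule miss an event, here is an added example (my own, not OSSEC's code and not anything posted in this thread). It translates the os_regex escape classes (`\S`, `\w`, `\d`, `\$` and friends, as documented for OSSEC) into Python's `re` as an approximation, then runs the thread's strict pattern, the poster's fix with the extra space written out explicitly (the quoted message collapsed it), and a hypothetical space-tolerant variant over three constructed event lines. The "$ is an XML variable" error Jesus pointed out is a separate loader-level issue that `\$` resolves; this example simply carries `\$` through as a literal dollar sign, which is how the thread's working rule behaves.

```python
import re

# Approximate translation of OSSEC's os_regex escape classes into Python re.
# Mappings follow the published OSSEC regex syntax; "\$" is taken as a literal
# dollar sign because that is how the thread's working rule behaves. This is
# an illustration of the dialect, not OSSEC's own matcher.
_OSSEC_CLASSES = {
    r"\w": r"[A-Za-z0-9@_\-]",       # OSSEC \w also covers '-', '@' and '_'
    r"\W": r"[^A-Za-z0-9@_\-]",
    r"\d": r"[0-9]",
    r"\D": r"[^0-9]",
    r"\s": r"\s",                    # space
    r"\S": r"\S",                    # not space
    r"\t": r"\t",
    r"\p": r"[()*+,\-.:;<=>?\[\]]",  # OSSEC punctuation class
    r"\.": r".",                     # OSSEC "\." means "any character"
    r"\\": r"\\",
    r"\$": r"\$",                    # literal dollar sign
}


def ossec_regex_to_python(pattern: str) -> str:
    """Translate an OSSEC <regex> pattern into a Python regex string."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            token = pattern[i:i + 2]
            # Unknown escapes fall back to the literal character after the backslash.
            out.append(_OSSEC_CLASSES.get(token, re.escape(token[1])))
            i += 2
        elif ch in "+*^$|()":
            out.append(ch)           # same meaning in both dialects
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def ossec_matches(pattern: str, line: str) -> bool:
    """Unanchored search, case-insensitive, mirroring how a rule <regex> is applied."""
    return re.search(ossec_regex_to_python(pattern), line, re.IGNORECASE) is not None


# Constructed sample events (not real log data). The second line carries the
# extra space after "Account Name:" that the poster found in some events; the
# third is an ordinary user account that must never be ignored by the rule.
SAMPLE_LINES = [
    "WinEvtLog: Security: AUDIT_SUCCESS(4634): Account Name: W-ABC-3ND88P1$ Logon ID: 0x1",
    "WinEvtLog: Security: AUDIT_SUCCESS(4634): Account Name:  W-ABC-3ND88P1$ Logon ID: 0x2",
    "WinEvtLog: Security: AUDIT_SUCCESS(4634): Account Name: karl Logon ID: 0x3",
]

# The strict pattern from the thread: exactly one space after the colon.
STRICT = r"Account Name: \S+\$"
# The poster's fix, with the second alternative's extra space written out.
THREAD_FIX = r"Account Name: \S+\$|Account Name:  \S+\$"
# Hypothetical alternative (my suggestion): tolerate one or more spaces.
TOLERANT = r"Account Name:\s+\S+\$"


def classify(pattern: str, lines) -> list:
    """Return, per sample line, whether the ignore pattern would match it."""
    return [ossec_matches(pattern, line) for line in lines]


if __name__ == "__main__":
    for name, pattern in (("strict", STRICT), ("thread fix", THREAD_FIX), ("tolerant", TOLERANT)):
        print(f"{name:11s} -> {classify(pattern, SAMPLE_LINES)}")
```

Run as-is: the strict pattern ignores only the first line and lets the double-spaced machine event through to the alerting rule, while both the thread's fix and the `\s+` variant ignore the two machine-account lines and still leave the human account `karl` alone. When writing such a level-0 "ignore" rule, checking a human-account line alongside the machine-account lines is the part worth keeping, since an over-broad pattern silently suppresses logons you do want to see.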