This looks like an oversight that is a potential problem on a lot of the rules in msauth_rules.xml. The event log IDs can be 5 digits (they go up to 65535) and so any id in the rule set that's less than 5 digits should have both the ^ and the $, as you indicate. There might not be a 52901 yet but there may be some day.

On Apr 4, 5:34 am, Branimir Pačar <branimir.pa...@mbu.hr> wrote:
> Hi,
>
> I had some problems with alerting on Win server 2008 R2. I was constantly
> getting alerts that windows station is shutting down. Since that wasn't the case,
> I've investigated it a little and found that the problem was in rule 18117 and
> matching of id 513. Since 2008 has events that begin with 513 (i.e. 5136,
> 5137, ...) I've modified the rule so it would just match id 513
>
> <id>^513$|^4609</id>
>
> Best regards,
>
> Branimir
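
The anchoring check discussed in this thread, as an added example that is not part of the original messages or of the OSSEC code base: it lists, for each alternative in an `<id>` pattern, how many other event IDs up to 65535 it would also match. It assumes `<id>` matching where `|` separates alternatives, `^` pins the start, `$` pins the end, and an unanchored side matches anywhere; the rule ids in the sample are constructed.

```python
import xml.etree.ElementTree as ET

MAX_EVENT_ID = 65535  # upper bound quoted in the thread

# Constructed sample rules (rule ids and levels are made up for this example).
SAMPLE = """<group name="constructed_sample">
  <rule id="100001" level="3"><id>^513|^4609</id></rule>
  <rule id="100002" level="3"><id>^513$|^4609</id></rule>
  <rule id="100003" level="3"><id>^513$|^4609$</id></rule>
</group>"""

def split_alt(alt):
    """Return (literal, anchored_start, anchored_end) for one alternative."""
    start, end = alt.startswith("^"), alt.endswith("$")
    lit = alt[1:] if start else alt
    lit = lit[:-1] if end else lit
    return lit, start, end

def alt_match(alt, text):
    """Assumed semantics: '^' pins the start, '$' pins the end, else substring."""
    lit, start, end = split_alt(alt)
    if start:
        return text == lit if end else text.startswith(lit)
    return text.endswith(lit) if end else lit in text

def id_match(pattern, event_id):
    """True if any '|'-separated alternative matches the event ID."""
    return any(alt_match(a, str(event_id)) for a in pattern.split("|"))

def collisions(pattern):
    """Map each alternative to the other event IDs (0..65535) it also matches."""
    out = {}
    for alt in pattern.split("|"):
        lit = split_alt(alt)[0]
        hits = [i for i in range(MAX_EVENT_ID + 1)
                if str(i) != lit and alt_match(alt, str(i))]
        if hits:
            out[alt] = hits
    return out

def audit(rules_xml):
    """Return {rule id: {alternative: collision count}} for loose <id> patterns."""
    report = {}
    for rule in ET.fromstring(rules_xml).iter("rule"):
        pat = rule.findtext("id")
        found = collisions(pat) if pat else {}
        if found:
            report[rule.get("id")] = {a: len(h) for a, h in found.items()}
    return report
```

Calling `audit()` on the text of a rules file gives a per-rule list of alternatives that still need a `^` or `$`.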