This should do it
<regex>User Name: \S+\$|Account Name: \S+\$</regex>
Ash Kumar
On Monday, April 9, 2012 4:04:16 PM UTC-4, (unknown) wrote:
>
> Can someone help me with this rule to filter out computer logon and logoff
> events? Since all computer accounts end with the $ I figured I could just
> filter on that, for example
>
> WinEvtLog Rule: 18149 (level 3) -> 'Windows User Logoff.' Src IP: (none)
> User: *W-ABC-3ND88P1$* WinEvtLog: Security: AUDIT_SUCCESS(4634)
>
>
> Here is what I have but it is not working. I have tried several
> variations of the regex but no luck with anything. Sure it is something
> simple but I am just not hitting the right combination.
>
> <rule id="102002" level="0">
> <if_sid>18149</if_sid>
> <regex>User: w+ \$</regex>
> <description>Ignore machine logoff</description>
> </rule>
>
> Thanks for the help.
> Karl
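As an added illustration of the matching problem discussed in this thread (this is example code written for this page, not part of the original posts and not OSSEC's own regex engine), the script below runs the two patterns over a few constructed alert lines modelled on the one Karl quoted. Python's `re` module is used as an approximation of OSSEC regex semantics: `\S` behaves the same way (any non-blank character, which matters because hostnames contain hyphens), but the `(?=\s|$)` lookahead that keeps a `$` in the middle of a name from being mistaken for a machine account is a Python feature that OSSEC rules do not have. The hostnames and usernames are invented.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample alerts in the shape of the one line quoted in the thread;
# the hostname and usernames are invented for this example.
SAMPLE_ALERTS = [
    "WinEvtLog Rule: 18149 (level 3) -> 'Windows User Logoff.' Src IP: (none) "
    "User: W-ABC-3ND88P1$ WinEvtLog: Security: AUDIT_SUCCESS(4634)",
    "WinEvtLog Rule: 18149 (level 3) -> 'Windows User Logoff.' Src IP: (none) "
    "User: karl WinEvtLog: Security: AUDIT_SUCCESS(4634)",
    "WinEvtLog Rule: 18149 (level 3) -> 'Windows User Logoff.' Src IP: (none) "
    "User: svc$backup WinEvtLog: Security: AUDIT_SUCCESS(4634)",
]

# The pattern from the original post, transcribed into Python's re syntax.
# Without the backslash, 'w+' means one or more literal letters 'w', and the
# blank before '\$' requires a space between the name and the dollar sign,
# so it never matches a real computer account name.
BROKEN_PATTERN = re.compile(r"User: w+ \$")

# The working idea from the reply: a run of non-blank characters followed by a
# literal '$'. The lookahead (Python only, not available in OSSEC rules) makes
# sure the '$' is the last character of the name rather than one in the middle.
MACHINE_PATTERN = re.compile(r"User: (\S+)\$(?=\s|$)")


def extract_user(alert: str) -> Optional[str]:
    """Return the value of the 'User:' field, or None if the field is absent."""
    m = re.search(r"User: (\S+)", alert)
    return m.group(1) if m else None


def is_machine_account(user: str) -> bool:
    """Windows computer accounts end with '$'; treat exactly that suffix as machine."""
    return user.endswith("$")


def matches_broken_rule(alert: str) -> bool:
    """Does the regex from the original post match this alert line?"""
    return BROKEN_PATTERN.search(alert) is not None


def matches_machine_rule(alert: str) -> bool:
    """Does the corrected machine-account regex match this alert line?"""
    return MACHINE_PATTERN.search(alert) is not None


def classify(alerts: List[str]) -> Tuple[List[str], List[str]]:
    """Split alerts into the users a level-0 'ignore' rule would drop and those kept."""
    ignored, kept = [], []
    for line in alerts:
        user = extract_user(line)
        (ignored if matches_machine_rule(line) else kept).append(user)
    return ignored, kept


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        user = extract_user(line)
        print(f"{user!r:18} broken={matches_broken_rule(line)!s:5} "
              f"machine={matches_machine_rule(line)}")
    ignored, kept = classify(SAMPLE_ALERTS)
    print("ignored:", ignored)
    print("kept:   ", kept)
```

Running it shows the original pattern matching none of the three lines, while the corrected one drops only the `W-ABC-3ND88P1$` logoff and keeps both `karl` and `svc$backup`. When porting the idea back into an OSSEC rule, remember that the `$` in a name has to be escaped as `\$` and that OSSEC will also match a `$` that is not at the end of the user field.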