Channel: Questions in topic: "universal-forwarder"

Blacklist WinEventLog::/Security with user names ending in $

I'm trying to get a blacklist entry that works on Universal Forwarders to filter out specific event codes with user fields whose value ends in $. What I have now works on my test environment with uploaded sample logs, but not directly on the Universal Forwarder itself:

    blacklist1 = EventCode="(4624|4634)" user=".*\$"
    blacklist2 = EventCode="4672" Account_Name=".*\$"

What can I do to get this right so it actually works? I know that in the raw event log the matching line is actually space indented, something like:

    ...
    Subject:
        Security ID:      S-1-5-18
        Account Name:     something$
        Account Domain:   domain
    ...

Thank you!
