NX .conf - Drop Windows events based on hostname
I have the following EXEC IF statement in my configuration file to drop events if the username fields are equal to the computer account name. As you know, Windows computer account names always end in $ (host1$, host2$, etc.).
if $EventID == 4624 AND ($TargetUserName == 'DESKTOP-XY43$' OR $SubjectUserName == 'DESKTOP-XY43$') drop();
The above IF statement works perfectly; however, I have several other IF statements for various event IDs and several hundred Windows hosts. You can imagine the time and effort required to customize several hundred .conf files, one for each Windows desktop.
Does anyone know if I could use REGEX or some other technique, like a wildcard, to simply say: if TargetUserName or SubjectUserName ends in $, then drop the event?
IF $EventID == 4624 AND ($TargetUserName == *$ OR $SubjectUserName == *$) drop();
You could definitely use REGEX to find values that match local accounts or computer names that terminate with $.
# \$ is a literal dollar sign; the trailing $ anchors it to the end of the value
if $EventID == 4624 AND ($TargetUserName =~ /\$$/ OR $SubjectUserName =~ /\$$/) drop();
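Before pushing a drop rule out to several hundred hosts it is worth dry-running the regex against a handful of sample field values, because a wrong pattern silently discards logon events. The script below is an added example, not code from the original post or from NXLog: it mirrors the `Exec` condition in plain Python (the `re` module accepts the same two patterns as NXLog's PCRE-based `=~`), runs it over a constructed set of 4624/4672 records, and contrasts the pattern `(.)$` (which only means "ends in any character" and so matches every non-empty username) with the escaped form `\$$` that matches a literal trailing dollar sign. The event dictionaries and the `should_drop` / `apply_filter` helper names are assumptions made for the example.

```python
import re

# Constructed sample events (not from the original post), reduced to the
# fields the filter reads. NXLog exposes these as $EventID, $TargetUserName
# and $SubjectUserName for im_msvistalog input.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "DESKTOP-XY43$", "SubjectUserName": "-"},
    {"EventID": 4624, "TargetUserName": "alice", "SubjectUserName": "DESKTOP-XY43$"},
    {"EventID": 4624, "TargetUserName": "bob", "SubjectUserName": "-"},
    {"EventID": 4624, "TargetUserName": "svc$account", "SubjectUserName": "-"},
    {"EventID": 4672, "TargetUserName": "SRV01$", "SubjectUserName": "-"},
]

# Pattern as originally posted: "(.)$" = "any single character at end of string",
# i.e. it matches every non-empty value, not just computer accounts.
POSTED_PATTERN = re.compile(r"(.)$")

# Corrected pattern: an escaped literal "$" followed by the end-of-string anchor.
FIXED_PATTERN = re.compile(r"\$$")


def should_drop(event, pattern):
    """Mirror the NXLog Exec condition
       if $EventID == 4624 AND ($TargetUserName =~ /p/ OR $SubjectUserName =~ /p/) drop();
    and return True when the event would be dropped."""
    if event["EventID"] != 4624:
        return False
    return bool(pattern.search(event["TargetUserName"])
                or pattern.search(event["SubjectUserName"]))


def apply_filter(events, pattern):
    """Return the events NXLog would forward (those not dropped)."""
    return [e for e in events if not should_drop(e, pattern)]


def kept_target_names(events, pattern):
    """Convenience view: TargetUserName of every surviving event."""
    return [e["TargetUserName"] for e in apply_filter(events, pattern)]


if __name__ == "__main__":
    for label, pat in (("posted (.)$", POSTED_PATTERN), ("fixed \\$$", FIXED_PATTERN)):
        print(f"{label:14} keeps: {kept_target_names(SAMPLE_EVENTS, pat)}")
```

With the posted pattern every 4624 record is dropped and only the unrelated 4672 event survives; with `\$$` the two records whose Target or Subject name is `DESKTOP-XY43$` are dropped, `bob` and `svc$account` (a dollar sign in the middle, not at the end) are kept, and the non-4624 event is untouched. Note that the fixed pattern drops logons for any computer account, not only the local machine's, which is exactly what the question asks for but is broader than the per-host rule it replaces.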