2 responses

Given:

<Exec>
    # Drop Windows Filtering Platform connection events (5156, 5158)
    if ($EventID == 5156) OR ($EventID == 5158)
        drop();
    # For logon (4624) and logoff (4634) events on the Security channel, strip the
    # explanatory boilerplate that follows the event details; the trailing 's'
    # modifier lets '.' match across newlines so '.*$' runs to the end of $Message
    else if ($Channel == 'Security') and ($EventID == 4624)
        $Message =~ s/\s*This event is generated when a logon session is created.*$//s;
    else if ($Channel == 'Security') and ($EventID == 4634)
        $Message =~ s/\s*This event is generated when a logon session is destroyed.*$//s;

    # Update the $raw_event field
    $raw_event = $EventTime + ' ' + $Message;
</Exec>

If I understand this correctly, when an EventID of 4624 or 4634 is received a substitution is performed on the message field and the original contents are replaced with nothing (null). Am I correct, or at least close? If so, what does the 's' before the ';' mean?

Asked February 3, 2022 - 3:26am
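The substitution from the Exec block above, reproduced in Python as an added example (not code from the original post or from NXLog); the 4624 message below is a constructed, abridged sample. Python's re.DOTALL plays the role of the trailing 's' modifier, which in Perl-style regular expressions makes '.' match newline characters, and the second function mirrors the rest of the block (drop, trim, rebuild $raw_event).

```python
import re

# Constructed, abridged sample of a Windows Security 4624 message (not a real capture).
HEADER = (
    "An account was successfully logged on.\n\n"
    "Subject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-HOST$\n"
    "Logon Type:\t\t\t3"
)
BOILERPLATE = (
    "\n\nThis event is generated when a logon session is created. "
    "It is generated on the computer that was accessed.\n\n"
    "The subject fields indicate the account on the local system which requested the logon."
)
SAMPLE_4624 = HEADER + BOILERPLATE

# The two patterns from the Exec block, verbatim.
PATTERNS = {
    4624: r"\s*This event is generated when a logon session is created.*$",
    4634: r"\s*This event is generated when a logon session is destroyed.*$",
}


def trim_message(event_id, message, dotall=True):
    """Apply the same substitution the Exec block performs on $Message.

    dotall=True reproduces the trailing 's' modifier (re.DOTALL): '.' also matches
    newlines, so '.*$' spans from the boilerplate sentence to the very end of the
    message and only that tail is removed. Without it '.*' stops at the first
    newline, '$' is never reached, and the message is left completely unchanged.
    """
    pattern = PATTERNS.get(event_id)
    if pattern is None:
        return message
    return re.sub(pattern, "", message, count=1, flags=re.DOTALL if dotall else 0)


def process_event(channel, event_id, event_time, message):
    """Mirror the whole Exec block: drop the Filtering Platform events, trim 4624/4634
    on the Security channel, then rebuild $raw_event. Returns None when dropped."""
    if event_id in (5156, 5158):
        return None
    if channel == "Security":
        message = trim_message(event_id, message)
    return f"{event_time} {message}"
```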

Answer (1)