While investigating logs coming in from an OSSEC server I found that the `SPLUNK_TA_ossec` alters data erroneously.
The investigated event is for Rule 18149 from a Windows server. The original user is `WINSERVER01$` - as we know a "machine account" as indicated by the trailing "$"-sign.
The `SPLUNK_TA_ossec` (current version is 4.1.0) just strips off the dollar sign in `transforms.conf` in the `[kv_for_default_ossec]` stanza and shows the user as `WINSERVER01` just like a normal username.
Now in a search that filters out machine accounts like `NOT user=*$` these accounts are shown and counted anyway.