You have multiple questions here, so I'm going to break them out:
I think there have been reported quirks with this in the past, but currently doing a search with my LEM I'm able to search for a $ as a literal character. So if I search *<machine name>$* it returns only the expected machine names (note this is a default MS configuration, so hopefully your admin accounts don't have the $ as part of the convention or that may muddy the waters a bit).
Next, you ask about sorting out the admins vs regular logons. There are several ways to do this. For starters, you can create User Defined Groups (UDGs) which you may need to do for your local admin logins if they're a different name other than administrator. Secondly, you can pull in your domain admins via the Directory Service Query groups by pointing it at the default Domain Admins group or if you have created another group to track those users.
Here are a couple of KBs on groups if you need them. Please note there is also a template rule for this for Critical Account Logon Failures that pretty much does this already and can be quickly modified.
Finally for the last piece this isn't something that you're going to be able to resolve from the LEM side. You can validate this information by reviewing the local logs directly (if the Security logs, look in your event viewer or if it's another SQL log look at that source). I once had more information, but can't seem to find it at the moment so if you have a screenshot of the raw log, or information about the event ID and description I may be able to find more specific information for you otherwise you can reach out to Support directly and they should be able to show you this on your local logs. Unfortunately that's not something that the LEM is going to fill in the gaps on if it is being sourced from the local logs directly.
There may be other explanations so getting Support to review it directly or posting additional information could help identify it.
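Added illustration (not the LEM's own search engine, API, or rule syntax): the answer above makes two points, that a wildcard search treats `$` as a literal character, so `*<machine name>$*` matches machine accounts, and that admin logons can be separated from ordinary ones by group membership (a User Defined Group for local admins, a Directory Service Query group for Domain Admins). The script below reproduces that logic in plain Python over constructed sample events. The event records, group names, and the two group sets are assumptions standing in for what a LEM deployment would hold; the `critical_account_logon_failures` function mirrors the idea of the template rule mentioned above, not its actual definition. Group membership is checked before the `$` suffix so that an admin account whose name happens to end in `$` (the case the answer warns about) is still classified as an admin.

```python
import re

# Constructed sample Windows logon events (not real log data).
# event_id 4624 = successful logon, 4625 = failed logon.
SAMPLE_EVENTS = [
    {"account": "WS-001$",       "domain": "CORP",   "event_id": 4624, "logon_type": 3},
    {"account": "jsmith",        "domain": "CORP",   "event_id": 4624, "logon_type": 2},
    {"account": "da-jdoe",       "domain": "CORP",   "event_id": 4625, "logon_type": 10},
    {"account": "Administrator", "domain": "WS-002", "event_id": 4625, "logon_type": 2},
    {"account": "WS-002$",       "domain": "CORP",   "event_id": 4625, "logon_type": 3},
    {"account": "ops-admin$",    "domain": "CORP",   "event_id": 4625, "logon_type": 2},
]

# Assumed group contents standing in for a LEM User Defined Group (local admins)
# and a Directory Service Query group pointed at Domain Admins.
LOCAL_ADMIN_UDG = {"Administrator", "localadmin", "ops-admin$"}
DOMAIN_ADMINS_DSQ = {"da-jdoe", "da-asmith"}


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a '*' wildcard pattern into a regex, escaping every other
    character so that '$' (and other regex metacharacters) match literally."""
    parts = [".*" if ch == "*" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")


def search(events, pattern: str):
    """Return the events whose account name matches the wildcard pattern."""
    rx = glob_to_regex(pattern)
    return [e for e in events if rx.match(e["account"])]


def classify(event) -> str:
    """Label an event's account. Group membership is checked first so an admin
    account that ends in '$' is not mistaken for a machine account."""
    acct = event["account"]
    if acct in DOMAIN_ADMINS_DSQ:
        return "domain-admin"
    if acct in LOCAL_ADMIN_UDG:
        return "local-admin"
    if acct.endswith("$"):
        return "machine"
    return "user"


def critical_account_logon_failures(events):
    """Failed logons (4625) by accounts in either admin group, the kind of
    condition a 'Critical Account Logon Failures' rule would alert on."""
    return [
        e for e in events
        if e["event_id"] == 4625 and classify(e) in ("domain-admin", "local-admin")
    ]


if __name__ == "__main__":
    print("machine-style accounts:", [e["account"] for e in search(SAMPLE_EVENTS, "*$*")])
    print("one host:", [e["account"] for e in search(SAMPLE_EVENTS, "*001$*")])
    for e in SAMPLE_EVENTS:
        print(f'{e["account"]:<14} {e["event_id"]} -> {classify(e)}')
    print("critical failures:", [e["account"] for e in critical_account_logon_failures(SAMPLE_EVENTS)])
```

Running it shows `*$*` returning the three names ending in `$`, `*001$*` narrowing to the one host, and the failure list containing only the two admin-group members plus the `$`-suffixed admin, with the machine account `WS-002$` left out.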
The KBs are great. It's been a little bit since I originally posted this, but by trial and error and watching some videos on the LEM I have made some headway. My teammates within infrastructure are working on the reason for those logs and yes, it makes sense that the LEM wouldn't be able to clarify those details.