Just an FYI as I couldn't find anything about it on the OSSEC wiki for PIX logs. If you are using names in your PIX/ASA config the decoder seems to be broken as it is trying to match y.y.y.y but if you are using names (which is helpful when you have a few thousand rules to manage) you could have string instead i.e. "y.y.y.y" would instead be "someservername". You can turn off names by issuing the no names command or do what I did and change the decoder to match on a non white space string, which hasn't seemed to cause any issues for me anyway ;-)
Regards, Will
