Dan, I think the reason you have no archive.log is because you need to add

<global>
  <logall>yes</logall>
</global>

to ossec.conf. Great way when you're debugging to get a thorough record of all events sent to the server. Unfortunately, the event I'm trying to reproduce is a Windows Event log record, so I've no file (that I know of) where I can retrieve the raw log entry.

- Dave
