I was reviewing the Windows decoder and noticed "<fts>name, location, user, system_name</fts>". I could not find any reference in the documentation as to what this was for.

I finally found a reference to it in one of the messages on this mailing list, "need help on writing rules" (http://groups.google.com/group/ossec-list/browse_thread/thread/b8bdc5dae941eb18/77f39262b2e416a3?lnk=gst&q=first-time+cache#).

From my understanding, in the decoder <fts> says which attributes should be added to the First-time cache. Then in the rules you can use <if_fts> to check if this is the first time this attribute value has been seen. Please correct me if I am wrong.

I wanted to mention it here for others to easily find. Also, can this be added to the documentation somewhere? The closest I came to finding it in the documentation was here: http://www.ossec.net/doc/syntax/head_decoders.html#element-decoder
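A decoder and rule pair showing the mechanism described in the post above, as an added example that is not part of the original message or of the stock OSSEC ruleset. The program name `exampleapp`, its log format, and rule IDs 100100 and 100101 are hypothetical.

```xml
<!-- Added example: hypothetical decoder and rules, not from the OSSEC ruleset. -->
<!-- Constructed sample log line this decoder is written for:
     Dec  1 10:00:00 host1 exampleapp[123]: login ok user=alice src=192.0.2.10 -->

<!-- decoder side (e.g. local_decoder.xml) -->
<decoder name="exampleapp">
  <program_name>^exampleapp$</program_name>
  <prematch>^login ok </prematch>
  <regex offset="after_prematch">^user=(\S+) src=(\S+)</regex>
  <order>user, srcip</order>
  <!-- Fields whose combined value is recorded in the first-time-seen cache:
       name     = this decoder's name
       user     = the user extracted by the regex above
       location = where the event was collected (agent / log file) -->
  <fts>name, user, location</fts>
</decoder>

<!-- rule side (e.g. local_rules.xml) -->
<group name="local,exampleapp,">

  <!-- Base rule: every successful login, low severity. -->
  <rule id="100100" level="3">
    <decoded_as>exampleapp</decoded_as>
    <description>exampleapp: successful login.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Child rule: matches only when the name/user/location combination
       listed in the decoder's <fts> has not been seen before. -->
  <rule id="100101" level="8">
    <if_sid>100100</if_sid>
    <if_fts />
    <description>exampleapp: first time this user logged in on this system.</description>
    <group>authentication_success,</group>
  </rule>

</group>
```

Running the constructed log line through `ossec-logtest` twice is a quick check: the first pass should match rule 100101 and the repeat should fall back to 100100.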
