Hi Dan, I used your custom windows-sub1 filter to properly decode usernames for all the various contexts of Windows event logs. It works great; however, I end up with 2 username fields (i.e., srcuser and dstuser). OSSEC treats srcuser as username and thus I don't see a way to include the dstuser to see the top entries for dstuser. Is there a way to include this currently? If not, I'll post a request on the bug tracking site.
Thanks!
