On Fri, Jul 13, 2012 at 12:37 PM, Nick Davies <[email protected]> wrote:
>><decoder name="date_test>
>>
>>
>> You need to close the quotes above.
>>
>
> Apologies, a typo when I was writing the post rather than a problem with the
> file.
>
>
>> Please give us the output from the archive.log.
>
> The relevant section of the archive log is:
>
> 2012 Jul 13 17:32:19 (win_cidr_test)
> 158.234.0.0->C\\ossec_logtest\date_test.bat ossec: output:
> 'C\\ossec_logtest\date_test.bat': C:\Program Files\ossec-agent>echo off
> 2012 Jul 13 17:32:19 (win_cidr_test)
> 158.234.0.0->C\\ossec_logtest\date_test.bat ossec: output:
> 'C\\ossec_logtest\date_test.bat': date_test:
> 2012 Jul 13 17:32:19 (win_cidr_test)
> 158.234.0.0->C\\ossec_logtest\date_test.bat ossec: output:
> 'C\\ossec_logtest\date_test.bat': 13/07/2012
>
All right, now run this through ossec-logtest:

ossec: output: 'C\\ossec_logtest\date_test.bat': C:\Program Files\ossec-agent>echo off

Everything before the ossec: is a header tacked onto the archive.log entries.
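The header stripping described in the reply above, as an added example that is not part of the original thread and is not OSSEC code: it splits archive.log lines into header and original log so that only the log text is fed to ossec-logtest. The regular expression is inferred from the three entries quoted in the thread and assumes the location field contains no spaces; the function names and the sample list are hypothetical.

```python
import re
import sys

# Header layout as seen in the archive.log lines quoted in this thread:
#   "<YYYY Mon DD HH:MM:SS> (<agent>) <ip>-><location> <original log>"
# Assumption: the location has no spaces (true for the .bat path here).
ARCHIVE_HEADER = re.compile(
    r"^\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} "  # timestamp
    r"(?:\((?P<agent>[^)]*)\) )?"                        # "(agent) " if present
    r"(?P<source>\S+?)->(?P<location>\S+) "              # ip->location
    r"(?P<log>.*)$"                                      # what logtest wants
)

# Constructed sample: the three entries from the thread, mail wrapping undone.
SAMPLE = [
    r"2012 Jul 13 17:32:19 (win_cidr_test) 158.234.0.0->C\\ossec_logtest\date_test.bat "
    r"ossec: output: 'C\\ossec_logtest\date_test.bat': C:\Program Files\ossec-agent>echo off",
    r"2012 Jul 13 17:32:19 (win_cidr_test) 158.234.0.0->C\\ossec_logtest\date_test.bat "
    r"ossec: output: 'C\\ossec_logtest\date_test.bat': date_test:",
    r"2012 Jul 13 17:32:19 (win_cidr_test) 158.234.0.0->C\\ossec_logtest\date_test.bat "
    r"ossec: output: 'C\\ossec_logtest\date_test.bat': 13/07/2012",
]


def split_archive_line(line):
    """Return (agent, location, log), or None if the line has no archive header."""
    m = ARCHIVE_HEADER.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return m.group("agent"), m.group("location"), m.group("log")


def logtest_input(lines):
    """Keep only the original log text of each archive.log line."""
    out = []
    for line in lines:
        parts = split_archive_line(line)
        if parts is not None:  # lines that are already bare logs are skipped
            out.append(parts[2])
    return out


if __name__ == "__main__":
    # Read archive.log lines from a pipe, or fall back to the constructed sample.
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE
    for log in logtest_input(lines):
        print(log)
```

The printed lines are what gets pasted or piped into ossec-logtest, one log per line.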
