Meh... not having much look now. The entries in the log tend to differ slightly I think? I think (though having a hard time proving as the environment I'm working on now is different to yesterday) some log lines in archives.log have extra spaces in the "agent->path ip" type bit, though not 100%.
This is giving me more look to be today... tail -n 2000 archives.log | sed 's/.*->[\/a-zA-Z0-9_\.\-]* //g' | /var/ossec/bin/ossec-logtest 2>&1 | grep "No decoder matched" -B3 | grep " log: " | sed 's/^ log: .//g;s/.$//g' | less
