I don't think this is limited to ossec-logtest. When using
decoded_as in a rule where the decoded_as value is the name of a child decoder that also has use_own_name defined, it does't work. However, if you change the decoded_as element to the parent decoder name, then the rule works.

I don't remember the use_own_name stuff ever working the way I thought it
should work. So either it's busted or I don't understand it. Either way,
I've ignored it for 4 years.

On Wed, Mar 26, 2014 at 12:58 PM, mstarks01 notifications@github.comwrote:

I don't think this is limited to ossec-logtest. When using
decoded_as in a rule where the decoded_as value is the name of a child
decoder that also has use_own_name defined, it does't work. However, if you
change the decoded_as element to the parent decoder name, then the rule
works.

Reply to this email directly or view it on GitHubhttps://github.com//issues/162#issuecomment-38709849
.

Yeah, I haven't had a need to focus on IIS logs until recently. I, like many others I'm sure, assumed it "just worked." It looks like it probably never worked.