OSSEC Agent messages mixing up..


sri...@opsveda.com

Aug 25, 2017, 4:06:51 AM
to ossec-list
Hello Experts,

We are running OSSEC Server 2.8.3 on SUSE 12 SP2 with a few agents on Windows 2008 and Linux (SUSE 12 SP1).
When we receive notification emails from Linux agents, for example with the subject:

OSSEC Alert - (xxx-osagt-nat) 10.1.0.188 - Level 14 - Successful sudo to ROOT executed

But the email contains only messages like:

OSSEC HIDS Notification.

2017 Aug 25 05:57:35


Received From: (xxx-osagt-rdp6) 10.1.0.99->WinEvtLog

Rule: 18138 fired (level 7) -> "Logon Failure - Account locked out."

Portion of the log(s):


2017 Aug 25 05:57:04 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-C49P2039Q3K: An account failed to log on. Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3  Account For Which Logon Failed:  Security ID:  S-1-0-0  Account Name:  xxxxxxxx Account Domain:    Failure Information:  Failure Reason:  %%2313  Status:   0xc000006d  Sub Status:  0xc000006a  Process Information:  Caller Process ID: 0x0  Caller Process Name: -  Network Information:  Workstation Name:   Source Network Address: -  Source Port:  -  Detailed Authentication Information:  Logon Process:  NtLmSsp   Authentication Package: NTLM  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon request fails. It is generated on the computer where access was attempted. 


 --END OF NOTIFICATION


Can someone advise why the Linux agent email contains the Windows login error logs?

Note: I have removed grouping of e-mails in my ossec.conf file.


Are there any basic settings I am missing?


Regards,

Srikar
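
As an added illustration (not code from the poster or from the OSSEC project), the following Python parser takes an OSSEC notification's subject line and body, extracts the agent, IP, level and rule description from each, and reports which fields disagree. This is a quick way to confirm, on a mailbox of alerts, whether the subject and body were assembled from different alerts, as in the message above. The regular expressions assume the notification layout exactly as quoted in the post; the sample subject and body below are constructed from that quote.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, reproducing the shape of the notification quoted in the post
# (hostnames/IPs as the poster anonymised them).
SAMPLE_SUBJECT = ("OSSEC Alert - (xxx-osagt-nat) 10.1.0.188 - Level 14 - "
                  "Successful sudo to ROOT executed")
SAMPLE_BODY = """OSSEC HIDS Notification.
2017 Aug 25 05:57:35

Received From: (xxx-osagt-rdp6) 10.1.0.99->WinEvtLog
Rule: 18138 fired (level 7) -> "Logon Failure - Account locked out."
Portion of the log(s):

2017 Aug 25 05:57:04 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-C49P2039Q3K: An account failed to log on.

 --END OF NOTIFICATION
"""

# Layout assumptions: subject "OSSEC Alert - (agent) ip - Level N - description",
# body lines "Received From: (agent) ip->location" and
# 'Rule: N fired (level M) -> "description"'.
SUBJECT_RE = re.compile(
    r"^OSSEC Alert - \((?P<agent>[^)]+)\) (?P<ip>\S+) - Level (?P<level>\d+) - (?P<desc>.+)$")
RECV_RE = re.compile(r"^Received From: \((?P<agent>[^)]+)\) (?P<ip>\S+?)->(?P<location>.+)$")
RULE_RE = re.compile(r'^Rule: (?P<id>\d+) fired \(level (?P<level>\d+)\) -> "(?P<desc>.+)"$')
WIN_EVENT_RE = re.compile(r"WinEvtLog: .*?\b(?:AUDIT_FAILURE|AUDIT_SUCCESS)\((?P<event_id>\d+)\)")


@dataclass
class AlertHeader:
    agent: str
    ip: str
    level: int
    description: str


@dataclass
class AlertBody:
    agent: str
    ip: str
    location: str
    rule_id: int
    level: int
    description: str
    win_event_id: Optional[int]  # Windows event ID, if the quoted log is a WinEvtLog line


def parse_subject(subject: str) -> AlertHeader:
    """Parse the mail subject into its agent, source IP, level and description."""
    m = SUBJECT_RE.match(subject.strip())
    if not m:
        raise ValueError("subject does not look like an OSSEC alert: %r" % subject)
    return AlertHeader(m["agent"], m["ip"], int(m["level"]), m["desc"].strip())


def parse_body(body: str) -> AlertBody:
    """Parse the notification body; the 'Received From' and 'Rule' lines are mandatory."""
    recv = rule = None
    for raw in body.splitlines():
        line = raw.strip()
        recv = recv or RECV_RE.match(line)
        rule = rule or RULE_RE.match(line)
    if not recv or not rule:
        raise ValueError("body is missing the 'Received From' or 'Rule' line")
    win = WIN_EVENT_RE.search(body)
    return AlertBody(
        agent=recv["agent"], ip=recv["ip"], location=recv["location"].strip(),
        rule_id=int(rule["id"]), level=int(rule["level"]), description=rule["desc"].strip(),
        win_event_id=int(win["event_id"]) if win else None,
    )


def find_mismatches(subject: str, body: str) -> List[str]:
    """Return the names of the fields on which subject and body disagree (empty = consistent)."""
    head, detail = parse_subject(subject), parse_body(body)
    checks = [
        ("agent", head.agent == detail.agent),
        ("ip", head.ip == detail.ip),
        ("level", head.level == detail.level),
        ("description", head.description == detail.description),
    ]
    return [name for name, ok in checks if not ok]


if __name__ == "__main__":
    bad = find_mismatches(SAMPLE_SUBJECT, SAMPLE_BODY)
    print("mismatched fields:", bad or "none")
    print("body details:", parse_body(SAMPLE_BODY))
```

Run over a folder of saved notifications, a non-empty mismatch list for any message flags the same symptom the post describes, and the parsed `location` and `win_event_id` show at a glance that the body came from a Windows event log rather than from the Linux agent named in the subject.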