Hello, I'm in charge of a small shop with a few Windows 2003 Servers and some Linux (Ubuntu/RedHat AS/Fedora), and I'm trying to collect all syslog/eventlog into a single control point. I've installed the Snare agent on the Windows machines, RSyslog on Ubuntu and phpLogCon on that same Ubuntu.
Everything seems OK, but...
When some Windows Event comes in it's displayed, but some fields (facility, severity) are empty and the 'host' field contains strange data. As an example, when the incoming event is:
2008-05-29T16:42:29+02:00 bl6.istge.priv MSWinEventLog#0111#011Security#01130025#011Thu May 29 16:42:08 2008#011861#011Security#011SYSTEM#011User#011Failure Audit#011BL6#011Detailed Tracking#011#011The Windows Firewall has detected an application listening for incoming traffic. Name: - Path: C:\Program Files\Snare\SnareCore.exe Process identifier: 3076 User account: SYSTEM User domain: NT AUTHORITY Service: Yes RPC server: No IP version: IPv4 IP protocol: TCP Port number: 6161 Allowed: No User notified: No #01129900
the HOST field contains
2008#011861#011Security#011SYSTEM#011User#011Failure Audit#011BL6#011Detailed
(which is the underlined part of the incoming data above), but it should be bl6.istge.priv.
Any suggestion?
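As an added illustration (not part of the original post, and not Snare's or rsyslog's own code), the parser below shows how the quoted line should be decomposed: the syslog header (RFC 3339 timestamp and host) is taken first, and only then is the Snare body, whose `#011` sequences are rsyslog's octal escapes for TAB, split into its tab-separated columns. Taking the host before touching the body matters because the Snare DateTime column (`Thu May 29 16:42:08 2008`) contains spaces and must not be tokenised as if it were part of the header. The column names in `SNARE_FIELDS` and the `severity_for()` mapping are assumptions for the sake of the example; the sample line is a constructed copy of the event quoted above.

```python
import re

# Constructed copy of the event line quoted in the post, joined into one string.
SAMPLE_LINE = (
    "2008-05-29T16:42:29+02:00 bl6.istge.priv MSWinEventLog#0111#011Security#01130025#011"
    "Thu May 29 16:42:08 2008#011861#011Security#011SYSTEM#011User#011Failure Audit#011BL6"
    "#011Detailed Tracking#011#011The Windows Firewall has detected an application listening "
    "for incoming traffic. Name: - Path: C:\\Program Files\\Snare\\SnareCore.exe Process "
    "identifier: 3076 User account: SYSTEM User domain: NT AUTHORITY Service: Yes RPC server: "
    "No IP version: IPv4 IP protocol: TCP Port number: 6161 Allowed: No User notified: No "
    "#01129900"
)

# Assumed column order for the Snare for Windows tab-delimited body; the post does
# not name the columns, so these labels are an assumption made for this example.
SNARE_FIELDS = [
    "Criticality", "EventLogSource", "SnareCounter", "DateTime", "EventID",
    "SourceName", "UserName", "SIDType", "EventLogType", "ComputerName",
    "CategoryString", "DataString", "ExpandedString", "Checksum",
]

_OCTAL_ESCAPE = re.compile(r"#([0-7]{3})")


def unescape_control_chars(text):
    """Turn rsyslog's #ooo octal escapes (e.g. #011 = TAB) back into characters.

    Caveat: a literal '#' followed by three octal digits in free text is decoded too,
    so apply this only to messages known to come from an escaping syslog daemon.
    """
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)


def parse_snare_event(line):
    """Split an rsyslog-stored Snare event into its syslog header and Snare columns.

    Returns a dict with the header timestamp and host plus a 'fields' dict keyed by
    SNARE_FIELDS. Raises ValueError for lines that are not Snare MSWinEventLog records.
    """
    parts = line.rstrip("\n").split(" ", 2)
    if len(parts) != 3:
        raise ValueError("line is not '<timestamp> <host> <message>'")
    timestamp, host, body = parts
    if not body.startswith("MSWinEventLog"):
        raise ValueError("message body is not a Snare MSWinEventLog record")
    columns = unescape_control_chars(body).split("\t")
    # columns[0] is the literal "MSWinEventLog" tag; the named columns follow it.
    fields = dict(zip(SNARE_FIELDS, columns[1:]))
    return {"timestamp": timestamp, "host": host, "tag": columns[0], "fields": fields}


# Illustrative mapping (an assumption, not Snare's or rsyslog's) from the Windows
# event-log type to a syslog severity keyword, so the 'severity' column can be filled.
_SEVERITY_BY_TYPE = {
    "Error": "err",
    "Failure Audit": "warning",
    "Warning": "warning",
    "Information": "info",
    "Success Audit": "notice",
}


def severity_for(event_log_type):
    """Map a Windows EventLogType string to a syslog severity keyword."""
    return _SEVERITY_BY_TYPE.get(event_log_type, "notice")


if __name__ == "__main__":
    ev = parse_snare_event(SAMPLE_LINE)
    print(ev["host"], ev["fields"]["EventID"], ev["fields"]["EventLogType"],
          severity_for(ev["fields"]["EventLogType"]))
```

Run against the sample line, the host comes out as `bl6.istge.priv`, the EventID as `861`, the ComputerName as `BL6` and the EventLogType as `Failure Audit`; any collector that instead reports `2008#011861#011...` as the host has tokenised the Snare body on whitespace before decoding the tab escapes.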