I am working on deploying Ossec to monitor my failed login attempts from workstations now that I have deployed a password policy.  Everything for Ossec so far is working for what I need out of the box with no customization's.  What I have noticed now though is that all the other event id's related to login have the username where it shows (no user) in the following:

2014 Oct 31 12:18:56 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user):

4625 is the only one I've noticed so far that doesn't show the username.  Does anyone know why?  If I can fix that it would make this a lot easier.  Thanks!

Can you post the full event log ? 

You may also check this : https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625