I noticed that the "startswith" expression does not match exactly.
startswith="Sophos Anti-Virus service entered the stopped"
The statement above created transactions containing this string:
Message=The Sophos Anti-Virus Statusreporter service entered the stopped state.
Notice that the word "Statusreporter" does not appear in the string defined as the start of the transaction. Is there a way to make it match exactly?