Each application has its own log record format, e.g.:
web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/""Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
Here we add a new OSSEC decoder called "custom-apache-access-log":
# /var/ossec/etc/decoder.xml
<decoder name="custom-apache-access-log">
  <program_name>custom-apache-access-log</program_name>
</decoder>
Then test it:
# /var/ossec/bin/ossec-logtest
It says:
**Phase 2: Completed decoding.
No decoder matched.
No decoder matched because we have not yet written a match for our new custom decoder. Let's write a prematch for it:
<decoder name="custom-apache-access-log">
  <prematch>^web.madhuka.lk </prematch>
</decoder>
Run ossec-logtest again and it will hit our custom decoder, as below.
Adding a new child decoder:
<decoder name="custom1-apache-access-log">
  <parent>custom-apache-access-log</parent>
  <prematch offset="after_parent"> "POST \S+ \S+"</prematch>
  <regex offset="after_parent">^(\S+) - - [(\S+) (\S+)] "POST (\S+) (\S+)" (\d+) (\d+) "(\S+)""(\S+)"$</regex>
  <order>srcip, extra_data, extra_data, url, srcuser, status, extra_data, extra_data, extra_data</order>
</decoder>
Testing with:
web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/""Mozilla/5.0"
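To see what the parent/child chain above actually extracts before touching a live OSSEC install, here is an added Python model of it. It is not OSSEC's code: it approximates the OSSEC regex engine with Python's `re` (OSSEC has no character classes, so the literal `[` and `]` around the timestamp are escaped), applies the parent prematch, then the child prematch and regex with `offset="after_parent"` semantics, and maps the capture groups onto the `order` list. The two sample lines are the ones from this post. Running it shows why the test line uses the shortened "Mozilla/5.0": the real user agent contains spaces, so the final `"(\S+)"$` group cannot match it and only the parent decoder fires. The model also keeps one value per field name, mirroring classic OSSEC, where each `order` name fills a single slot in the event, so of the five values mapped to `extra_data` only the last one survives.

```python
import re

# Constructed sample input: the log line from this post, with the full
# user agent and with the shortened one used for testing.
FULL_UA_LINE = (
    'web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] '
    '"POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/"'
    '"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"'
)
SHORT_UA_LINE = (
    'web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] '
    '"POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/""Mozilla/5.0"'
)

# The decoder definitions from the post, copied as OSSEC regex strings.
PARENT_PREMATCH = r"^web.madhuka.lk "
CHILD_PREMATCH = r' "POST \S+ \S+"'  # offset="after_parent"
CHILD_REGEX = r'^(\S+) - - [(\S+) (\S+)] "POST (\S+) (\S+)" (\d+) (\d+) "(\S+)""(\S+)"$'
CHILD_ORDER = ["srcip", "extra_data", "extra_data", "url", "srcuser",
               "status", "extra_data", "extra_data", "extra_data"]


def ossec_to_python_regex(pattern: str) -> str:
    """Translate the subset of OSSEC regex syntax used on this page to Python.

    OSSEC treats '[' and ']' as literal characters (it has no character
    classes), so they must be escaped for Python. \\S, \\d, +, ^ and $ mean
    the same in both dialects, so they pass through unchanged.
    This is an approximation of OSSEC's matcher, not the real engine.
    """
    return pattern.replace("[", r"\[").replace("]", r"\]")


def decode(line: str):
    """Model the decoder chain for one log line.

    Returns None when no decoder matches (ossec-logtest's "No decoder
    matched."), otherwise a (decoder_name, fields) tuple. If the child
    prematch or regex fails, the model reports the parent decoder with no
    extracted fields; this is a simplification of OSSEC's fallback logic.
    """
    parent = re.match(ossec_to_python_regex(PARENT_PREMATCH), line)
    if not parent:
        return None

    # offset="after_parent": the child works on the text after the parent match.
    rest = line[parent.end():]
    if not re.search(ossec_to_python_regex(CHILD_PREMATCH), rest):
        return ("custom-apache-access-log", {})

    m = re.match(ossec_to_python_regex(CHILD_REGEX), rest)
    if not m:
        return ("custom-apache-access-log", {})

    fields = {}
    for name, value in zip(CHILD_ORDER, m.groups()):
        fields[name] = value  # one slot per field name: a later extra_data overwrites
    return ("custom1-apache-access-log", fields)


if __name__ == "__main__":
    for sample in (SHORT_UA_LINE, FULL_UA_LINE):
        print(decode(sample))
```

Running the block prints the child decoder with its nine fields for the shortened line (srcip 123.231.120.128, url /lksearch.php, status 200, extra_data Mozilla/5.0) and the parent decoder with no fields for the full line, which is the behaviour to expect from `ossec-logtest` with these two inputs.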