Each application contains it's own log record format. For example:

web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"

Here we add new ossec decoder called “custom-apache-access-log”
# /var/ossec/etc/decoder.xml

<decoder name="custom-apache-access-log">
  <program_name>custom-apache-access-log</program_name>
</decoder>

Then test it:

# /var/ossec/bin/ossec-logtest

It says:

**Phase 2: Completed decoding.
       No decoder matched.

No matching found as we did not write match for our new custom log decoder still. Let write prematch for our decoder

<decoder name="custom-apache-access-log">
    <prematch>^web.madhuka.lk </prematch>
</decoder>

Then run again then it will hit our custom decoder as below:

Adding new child decoder:

<decoder name="custom1-apache-access-log">
  <parent>custom-apache-access-log</parent>
  <prematch offset="after_parent"> "POST \S+ \S+" </prematch>
  <regex offset="after_parent">^(\S+) - - [(\S+) (\S+)] "POST (\S+) (\S+)" (\d+) (\d+) "(\S+)" "(\S+)"$</regex>
  <order>srcip, extra_data, extra_data, url, srcuser, status, extra_data, extra_data, extra_data</order>
</decoder>

Testing with:

web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0"