@sergzin
Created September 10, 2021 13:03
Wazuh Rules
[test1]
log 1 pass = Sep 6 16:19:35 hostname1 APP: user1;API: User logged in using API
rule = 990010
alert = 3
decoder = apiuser
[test2]
log 1 pass = Sep 6 16:19:35 hostname1 APP: apiuser1;API: User logged in using API
rule = 990020
alert = 0
decoder = apiuser
[test3]
log 1 pass = Sep 6 16:19:35 hostname999 APP: eviluser;API: User logged in using API
rule = 990099
alert = 10
decoder = apiuser

<decoder name="app">
  <program_name>APP</program_name>
</decoder>

<decoder name="apiuser">
  <use_own_name>true</use_own_name>
  <parent>app</parent>
  <prematch type="pcre2" offset="after_parent">^[A-Za-z0-9-]+;API</prematch>
  <regex type="pcre2" offset="after_parent">^([A-Za-z0-9-]+);API</regex>
  <order>user</order>
</decoder>

<group name="syslog,APP,">
  <rule id="990001" level="0" noalert="1">
    <decoded_as>apiuser</decoded_as>
    <match type="pcre2">User logged (in|out)</match>
    <description>User login</description>
    <group>access_control,authentication_success</group>
  </rule>

  <rule id="990010" level="3">
    <if_sid>990001</if_sid>
    <hostname>hostname1|hostname2</hostname>
    <user>user1|user2</user>
    <description>Audit User login</description>
    <group>access_control,authentication_success</group>
  </rule>

  <rule id="990020" level="0">
    <if_sid>990001</if_sid>
    <hostname>hostname1|hostname3</hostname>
    <user>apiuser1|apiuser2</user>
    <description>Known User login</description>
    <group>access_control,authentication_success</group>
  </rule>

  <rule id="990099" level="10">
    <if_sid>990001</if_sid>
    <description>Unauthorized User login</description>
    <group>access_control,authentication_success</group>
  </rule>
</group>
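A small stand-in for the decoder and rule chain above, added here as an example and not part of the gist: it mirrors the `apiuser` decoder regexes and the 9900xx rules in Python so the three test cases can be traced offline. It assumes child rules of one `if_sid` parent are tried in file order with the first match winning (the ordering the gist's test file relies on), and the syslog header regex is a simplification.

```python
import re

# Constructed stand-in for the gist's decoder + rule chain (not Wazuh code).
# Assumption: children of 990001 are tried in file order, first match wins.
SYSLOG_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<hostname>\S+) (?P<prog>[^:]+): (?P<log>.*)$")
PREMATCH = re.compile(r"^[A-Za-z0-9-]+;API")     # decoder <prematch>
USER_RE = re.compile(r"^([A-Za-z0-9-]+);API")     # decoder <regex>, <order>user
LOGIN_RE = re.compile(r"User logged (in|out)")    # rule 990001 <match>

# Children of 990001 in the order the gist lists them. The unconditional
# 990099 must stay last, or it would fire before the allow-list rules.
CHILD_RULES = [
    {"id": 990010, "level": 3, "hostname": {"hostname1", "hostname2"}, "user": {"user1", "user2"}},
    {"id": 990020, "level": 0, "hostname": {"hostname1", "hostname3"}, "user": {"apiuser1", "apiuser2"}},
    {"id": 990099, "level": 10},
]

def decode(line):
    """Mimic decoder 'app' (program_name APP) and its child 'apiuser'."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "APP":
        return None                      # parent decoder did not match
    user = USER_RE.match(m.group("log"))
    if not PREMATCH.match(m.group("log")) or not user:
        return None                      # child decoder did not match
    return {"decoder": "apiuser", "hostname": m.group("hostname"),
            "user": user.group(1), "log": m.group("log")}

def evaluate(line):
    """Return the rule that fires for one line, in the test file's terms."""
    ev = decode(line)
    if ev is None or not LOGIN_RE.search(ev["log"]):
        return None                      # 990001 did not match, chain stops
    for rule in CHILD_RULES:
        if "hostname" in rule and ev["hostname"] not in rule["hostname"]:
            continue
        if "user" in rule and ev["user"] not in rule["user"]:
            continue
        return {"rule": rule["id"], "alert": rule["level"], "decoder": ev["decoder"]}
    return {"rule": 990001, "alert": 0, "decoder": ev["decoder"]}

if __name__ == "__main__":
    for line in (
        "Sep 6 16:19:35 hostname1 APP: user1;API: User logged in using API",
        "Sep 6 16:19:35 hostname1 APP: apiuser1;API: User logged in using API",
        "Sep 6 16:19:35 hostname999 APP: eviluser;API: User logged in using API",
    ):
        print(evaluate(line))
```

Moving the 990099 block above the other two in CHILD_RULES makes test1 and test2 resolve to 990099, which is the same mistake a rules file would make if the catch-all were listed first.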