Here I am using a well-known OSSEC decoder; if you need a new decoder you can also write your own [1]. Add a new file to the OSSEC rules directory. OSSEC only loads rule files that are listed under <rules> in ossec.conf, so add an <include> entry for the new file as well.
Creating a new OSSEC rule set
$ vi var/ossec/rules/custom_access_rules.xml
Here I am interested in monitoring a web user behaviour model, so I only need the HTTP 200 status code, and I mark that rule with level 5 because it is important for this use case. Make sure the rule id is unique. I am using the 'accesslog' decoder because I am reading a web access log. Note that the <id> tag is matched against the status code field the decoder extracts, and the pattern ^2 matches any 2xx response, not only 200. Here is the content of my new OSSEC rule XML file.
<!-- Custom access rules -->
<group name="web,accesslog,">
  <rule id="70000" level="0">
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>
  <rule id="70001" level="5">
    <if_sid>70000</if_sid>
    <id>^2</id>
    <description>Web server 200 respond code.</description>
  </rule>
</group>
Restart OSSEC
./bin/ossec-control restart
Testing the rules we just created with ossec-logtest
./bin/ossec-logtest
Paste a log record with HTTP status 200. Here is my sample log record:
123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] "GET /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0"
Here it triggers the event for the rule we created for the web access log.
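To show what ossec-logtest is doing with the record above, here is a small Python emulation of the rule chain, added as an example and not part of the original post or of OSSEC's own code. It mimics the accesslog decoder with a regular expression (the field names srcip, url and id follow the decoder, the regex itself is an assumption), then evaluates rules 70000 and 70001 the way OSSEC does: the child rule is only tried after its if_sid parent matched, and <id> is a pattern applied to the decoded status code. The extra inputs (a 404 and a 204 variant of the sample line) are constructed to show that ^2 fires on any 2xx code.

```python
import re

# Sample record from the post; the 404 and 204 variants below are constructed.
SAMPLE_LOG = ('123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] '
              '"GET /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0"')

# Assumed stand-in for the OSSEC 'accesslog' decoder: pulls out the fields
# the rules refer to (srcip, url, id = HTTP status code) from a combined log line.
ACCESSLOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<id>\d{3}) (?P<size>\d+|-)')

# The two rules from custom_access_rules.xml, expressed as dictionaries.
RULES = [
    {"sid": 70000, "level": 0, "category": "web-log",
     "description": "Access log messages grouped."},
    {"sid": 70001, "level": 5, "if_sid": 70000, "id_match": "^2",
     "description": "Web server 200 respond code."},
]


def decode(line):
    """Emulate the decoder: return the extracted fields, or None if no match."""
    m = ACCESSLOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["decoder"] = "accesslog"
    fields["type"] = "web-log"  # decoder category that <category> compares against
    return fields


def evaluate(fields):
    """Walk the rule list in order and return the last rule that matched."""
    matched = None
    for rule in RULES:
        # <if_sid>: only consider this rule once its parent has matched.
        if "if_sid" in rule and (matched is None or matched["sid"] != rule["if_sid"]):
            continue
        # <category>: the decoder type must agree.
        if "category" in rule and rule["category"] != fields["type"]:
            continue
        # <id>: pattern match on the decoded status code (^2 means any 2xx).
        if "id_match" in rule and not re.search(rule["id_match"], fields["id"]):
            continue
        matched = rule
    return matched


def analyze(line):
    """Return (rule id, level) of the rule that fires for this line, or None."""
    fields = decode(line)
    if fields is None:
        return None
    rule = evaluate(fields)
    return (rule["sid"], rule["level"]) if rule else None


if __name__ == "__main__":
    for label, line in [("200", SAMPLE_LOG),
                        ("404", SAMPLE_LOG.replace(" 200 ", " 404 ")),
                        ("204", SAMPLE_LOG.replace(" 200 ", " 204 "))]:
        print(label, "->", analyze(line))
```

Running it prints the 200 and 204 lines firing rule 70001 at level 5 while the 404 line stops at the level 0 grouping rule, which is the behaviour the ^2 pattern gives you; if you really want only 200, tighten the pattern accordingly and re-test with ossec-logtest.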