Incorrect regex match #1708
Description
Using Ossec 3.3.0.
I defined a decoder:
<decoder name="newdecoder">
<prematch>{"reqId":"</prematch>
<regex>"level":(\d+),"time":"\S+","remoteAddr":"(\S*)","user":"\.+","app":"(\S+)","method":"\S*","url":"\S+","message":"(\.+)"</regex>
<order>status, srcip, action, extra_data</order>
</decoder>
Matching a string with an empty srcip, e.g.
{"reqId":"whatever","level":2,"time":"2019-05-07T12:00:00+02:00","remoteAddr":"","user":"--","app":"news","method":"","url":"--","message":"error message","userAgent":"--","version":"15.0.7.0"}
results in news being identified as 'srcip'.