Wazuh Decoder and Rules Fortiadc

[CyberSISA]

Hello;

I want to add a Fortiadc to Wazuh, but I see that there is no decoder and rules created, and I tried to make some but they don't work for me.

I created the following Rule and Decoder, but I want to extract more information from the Syslog, but this is the only thing that works for me.

FADC http_retcode fortiadc http_retcode="200" HTTP 200 OK en FortiADC detectado.

<!-- Regla básica para detectar HTTP 500 Internal Server Error en FortiADC -->
<rule id="100002" level="4">
    <decoded_as>fortiadc</decoded_as>
    <regex>http_retcode="500"</regex>
    <description>HTTP 500 Internal Server Error en FortiADC detectado.</description>
</rule>

But now I want to extract the URL field, and it doesn't bring it, I've tried a thousand ways

FADC http_url="([^"]+)" http_url fortiadc URL accedida en FortiADC: ${http_url} [^"]+