Thanks Yana,
With the original 'id_pcre2' in rules 31120 and 31122, and my custom decoder per the original post, I get this:
ossec-testrule: Type one log per line.
Jun 21 12:35:37 example.com nginx: 22.33.44.55 - - [21/Jun/2021:12:35:37 +0000] "GET /something?bad HTTP/1.1" 500 10372 "https://something.com" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.26 Safari/537.36 Core/1.63.5083.400 QQBrowser/10.0.972.400"
**Phase 1: Completed pre-decoding.
full event: 'Jun 21 12:35:37 example.com nginx: 22.33.44.55 - - [21/Jun/2021:12:35:37 +0000] "GET /something?bad HTTP/1.1" 500 10372 "https://something.com" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.26 Safari/537.36 Core/1.63.5083.400 QQBrowser/10.0.972.400"'
hostname: 'example.com'
program_name: 'nginx'
log: '22.33.44.55 - - [21/Jun/2021:12:35:37 +0000] "GET /something?bad HTTP/1.1" 500 10372 "https://something.com" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.26 Safari/537.36 Core/1.63.5083.400 QQBrowser/10.0.972.400"'
**Phase 2: Completed decoding.
decoder: 'web-accesslog'
**Phase 3: Completed filtering (rules).
Rule id: '31100'
Level: '0'
Description: 'Access log messages grouped.'
If I change the <id_pcre2> to <match> and remove the ^ in the 50/500 match string, for rules 31120 and 31122, I get this:
ossec-testrule: Type one log per line.
Jun 21 12:35:37 example.com nginx: 22.33.44.55 - - [21/Jun/2021:12:35:37 +0000] "GET /something?bad HTTP/1.1" 500 10372 "https://something.com" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.26 Safari/537.36 Core/1.63.5083.400 QQBrowser/10.0.972.400"
**Phase 1: Completed pre-decoding.
full event: 'Jun 21 12:35:37 example.com nginx: 22.33.44.55 - - [21/Jun/2021:12:35:37 +0000] "GET /something?bad HTTP/1.1" 500 10372 "https://something.com" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.26 Safari/537.36 Core/1.63.5083.400 QQBrowser/10.0.972.400"'
hostname: 'example.com'
program_name: 'nginx'
log: '22.33.44.55 - - [21/Jun/2021:12:35:37 +0000] "GET /something?bad HTTP/1.1" 500 10372 "https://something.com" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.26 Safari/537.36 Core/1.63.5083.400 QQBrowser/10.0.972.400"'
**Phase 2: Completed decoding.
decoder: 'web-accesslog'
**Phase 3: Completed filtering (rules).
Rule id: '31122'
Level: '5'
Description: 'Web server 500 error code (Internal Error).'
**Alert to be generated.
Thanks