The current symantec-av decoder appears to be too generic.

We have multiple clients who have unifi devices that send non-standard syslog in a format that matches the Symantec-AV decoder. In order to write custom decoders/rules for these devices, we have to exclude the stock Symantec decoders and rules. This could present a problem when a customer uses both Unifi devices and Symantec-AV or Web Security.

Here are a couple of sample Unifi logs:
Aug 17 10:51:57 some-unifi-AP-dns-name 74acb9bc33f5,UAP-AC-Lite-5.43.36+12724: kernel: [1359238.979852] [wifi1] FWLOG: [49676369] WAL_DBGID_TX_BA_SETUP ( 0x4365a4, 0x0, 0x0, 0x10040, 0xfe4271fd )

Aug 17 10:51:12 some-unifi-switch-dns-name e063dacde998,US-16-150W-5.64.8+13083: switch: DOT1S: inst(0) has elected a new STP root: FF:AA:BB:DD:DD:0D:32:1C

Here is the output of wazuh-logtest:
/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.1.5
Type one log per line

Aug 17 10:51:57 some-unifi-AP-dns-name 74acb9bc33f5,UAP-AC-Lite-5.43.36+12724: kernel: [1359238.979852] [w ifi1] FWLOG: [49676369] WAL_DBGID_TX_BA_SETUP ( 0x4365a4, 0x0, 0x0, 0x10040, 0xfe4271fd )

**Phase 1: Completed pre-decoding.
full event: 'Aug 17 10:51:57 some-unifi-AP-dns-name 74acb9bc33f5,UAP-AC-Lite-5.43.36+12724: kernel : [1359238.979852] [wifi1] FWLOG: [49676369] WAL_DBGID_TX_BA_SETUP ( 0x4365a4, 0x0, 0x0, 0x10040, 0xfe4271 fd )'
timestamp: 'Aug 17 10:51:57'
hostname: 'some-unifi-AP-dns-name'

**Phase 2: Completed decoding.
name: 'symantec-av'

**Phase 3: Completed filtering (rules).
id: '7300'
level: '0'
description: 'Grouping of Symantec AV rules.'
groups: '['symantec']'
firedtimes: '1'
mail: 'False'

It would be helpful if the symantec-av decoder contained more specific criteria instead of simply <prematch>^\w\w\w\w\w\w\w\w\w\w\w\w,</prematch>