decoder regex works with wazuh-logtest but gets directed to rule 1002

[GaupeLnx]

Its probably me being a total noob in regex but i cant get it to work, and hope for someones help.
I am trying to get openwrt remote syslog to wazuh and have configured ossec.conf .
I have taken mikrotik example in the Wazuh blog as a starting point and worked from there.
<! **** openwrt rsyslog **** --> <ossec_config> <remote> <connection>syslog</connection> <port>514</port> <protocol>tcp</protocol> <allowed-ips>192.168.72.254</allowed-ips> <local_ip>0.0.0.0</local_ip> </remote> </ossec_config>
This works and i see log lines in archives.log
I have this decoder.xml

<decoder name="OpenWrt">
  <prematch>HHOpenWrt</prematch>
</decoder>

<decoder name="OpenWrt1">
  <parent>OpenWrt</parent>
  <regex type="pcre2">(\w+\s+\d+\s+\d+:\d+:\d+)\s+(\S+)\s+(\S+)\[\d+\]:\s+(.*?):\s+(.*)</regex>
  <order>routername, subsystem, logprefix, messagebody</order>
</decoder>

With the following rules.xml

<group name="OpenWrt,">

  <rule id="100010" level="0">
    <decoded_as>OpenWrt</decoded_as>
    <description>OpenWrt-Event</description>
  </rule>

  <rule id="100013" level="5" >
    <if_sid>100010</if_sid>
    <match>possible DNS-rebind attack detected</match>
    <description>OpenWrt dnsmasq possible DNS-rebind attack detected $(messagebody) </description>
    <category>syslog</category>
  </rule>

</group>

I am testing with a easy to generate log line that looks like: (from archives.log)
2024 Apr 10 01:48:42 HHOpenWrt->192.168.72.254 Apr 10 01:48:42 HHOpenWrt dnsmasq[1]: possible DNS-rebind attack detected: log.medietall.no

If i now feed the string
Apr 10 01:48:42 HHOpenWrt dnsmasq[1]: possible DNS-rebind attack detected: log.medietall.no
or
Apr 10 01:48:42 HHOpenWrt dnsmasq[1]: possible DNS-rebind attack detected: log.medietall.no

In wazuh logtest the output is different if i start it with a space or not

 sudo /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.7.3
Type one log per line

Apr 10 01:48:42 HHOpenWrt dnsmasq[1]: possible DNS-rebind attack detected: log.medietall.no

**Phase 1: Completed pre-decoding.
        full event: 'Apr 10 01:48:42 HHOpenWrt dnsmasq[1]: possible DNS-rebind attack detected: log.medietall.no'
        timestamp: 'Apr 10 01:48:42'
        hostname: 'HHOpenWrt'
        program_name: 'dnsmasq'

**Phase 2: Completed decoding.
        No decoder matched.

**Phase 3: Completed filtering (rules).
        id: '1002'
        level: '2'
        description: 'Unknown problem somewhere in the system.'
        groups: '['syslog', 'errors']'
        firedtimes: '1'
        gpg13: '['4.3']'
        mail: 'False'
**Alert to be generated.

 Apr 10 01:48:42 HHOpenWrt dnsmasq[1]: possible DNS-rebind attack detected: log.medietall.no

**Phase 1: Completed pre-decoding.
        full event: ' Apr 10 01:48:42 HHOpenWrt dnsmasq[1]: possible DNS-rebind attack detected: log.medietall.no'

**Phase 2: Completed decoding.
        name: 'OpenWrt'
        logprefix: 'dnsmasq'
        messagebody: 'possible DNS-rebind attack detected'
        routername: 'Apr 10 01:48:42'
        subsystem: 'HHOpenWrt'

**Phase 3: Completed filtering (rules).
        id: '100013'
        level: '5'
        description: 'OpenWrt dnsmasq possible DNS-rebind attack detected possible DNS-rebind attack detected '
        groups: '['OpenWrt']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

So it seems like Wazuh evaluates its without the space in front as what i get in alert log
when i put it to where i get level 2 in the logs
But i do not understand how this works as i am not matching with a space for as far as i understand the whole regex abracadabra

** Alert 1712707543.196076: - syslog,errors,gpg13_4.3,
2024 Apr 10 02:05:43 HHOpenWrt->192.168.72.254
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.
Apr 10 02:05:43 HHOpenWrt dnsmasq[1]: possible DNS-rebind attack detected: log.medietall.no