Greetings Andy: If the same keywords and phrases are in the apache log file vs. raw email (/var/spool/mail/apache), then you can probably use an existing rule id (as a foundation) from /var/ossec/rules (check apache_rules.xml, attack_rules.xml, and web_rules.xml), and then use an "if_sid" rule id match to narrow things down.
Example:
<rule id="100210" level="12">
  <if_sid>31100</if_sid>
  <match>(Nikto/</match>
  <description>Nikto vulnerability scan</description>
</rule>
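To show how the <if_sid> parent/child narrowing in the rule above behaves, here is an added simulation (it is not OSSEC code and not part of the original post). It parses a constructed OSSEC-style rule file in which rule 31100 stands in for the web access-log parent rule, then runs three constructed log lines through it. The simplification is that <match> is treated as a plain substring test, and a rule with <if_sid> is only evaluated once one of its parents has matched on the same line, which is why a non-web line that also contains "(Nikto/" does not reach rule 100210.

```python
import xml.etree.ElementTree as ET

# Constructed OSSEC-style rule set for the simulation (not a real OSSEC file).
# 31100 plays the role of the access-log parent rule; 100210 is the local rule
# from the post, narrowed with <if_sid>.
RULES_XML = """
<group name="web,accesslog,">
  <rule id="31100" level="0">
    <match>HTTP/1.</match>
    <description>Access log messages grouped.</description>
  </rule>
  <rule id="100210" level="12">
    <if_sid>31100</if_sid>
    <match>(Nikto/</match>
    <description>Nikto vulnerability scan</description>
  </rule>
</group>
"""

# Constructed sample lines: an Apache access-log entry with a scanner
# user-agent, an ordinary access-log entry, and a non-web line that
# happens to contain the same keyword.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '404 203 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"',
    '203.0.113.6 - - [10/Jan/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0"',
    'Jan 10 10:00:03 host app[123]: user note contains (Nikto/ as plain text',
]


def load_rules(xml_text):
    """Parse <rule> elements into dicts, preserving file order."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.iter("rule"):
        if_sid = r.findtext("if_sid") or ""
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            # <if_sid> may list several comma-separated parent ids
            "if_sid": [s.strip() for s in if_sid.split(",") if s.strip()],
            "match": r.findtext("match"),
            "description": r.findtext("description"),
        })
    return rules


def evaluate(rules, line):
    """Return the highest-level rule that matches the line, or None.

    Simplification: <match> is a substring test, and a child rule is only
    tried after one of its <if_sid> parents has matched the same line.
    """
    fired = set()
    best = None
    for rule in rules:
        if rule["if_sid"] and not any(p in fired for p in rule["if_sid"]):
            continue  # parent never matched, so the child is skipped
        if rule["match"] and rule["match"] not in line:
            continue
        fired.add(rule["id"])
        if best is None or rule["level"] >= best["level"]:
            best = rule
    return best


def alerts(rules, lines):
    """Id of the alerting rule per line; level-0 rules only group, so they
    yield None here even though they matched."""
    out = []
    for line in lines:
        best = evaluate(rules, line)
        out.append(best["id"] if best and best["level"] > 0 else None)
    return out


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for line, rid in zip(SAMPLE_LOGS, alerts(rules, SAMPLE_LOGS)):
        print(rid, "<-", line[:60])
```

Only the first line produces an alert: the second matches the parent but not the child, and the third contains "(Nikto/" yet never passes the parent, which is exactly the narrowing that <if_sid> gives you over a bare <match> rule.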
Thank you.
