diff --git a/decoders/0040-auditd_decoders.xml b/decoders/0040-auditd_decoders.xml
index 590048cfd..97cd4b417 100644
--- a/decoders/0040-auditd_decoders.xml
+++ b/decoders/0040-auditd_decoders.xml
@@ -300,7 +300,7 @@ type=TEST_GENERIC msg=audit(1234567890.123:1234): addr=10.10.10.10 ses=20 exe="l
 
 <decoder name="auditd-generic">
     <parent>auditd</parent>
-    <regex>uid=(\S+)</regex>
+    <regex> uid=(\S+)</regex>
     <order>audit.uid</order>
 </decoder>