I am having the same problem
MWG logs are mapped to rule messages based on the Block ID associated with the event. There are a number of "canned" Block IDs in MWG that should automatically map to explicit messages. For example, here's a shot of what my lab looks like right now:
Here's a sample log for "Blocked due to a virus being found":
<30>Sep 19 19:02:43 mwg01 mwg: [19/Sep/2013:19:02:43 +0000] "" 172.25.109.161 403 "GET http://www.eicar.org/download/eicar.com HTTP/1.1" "Information Security" "Minimal Risk" "" 8524 399 "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" "McAfeeGW: EICAR test file" "80" ""
In this case the block ID is "80". This maps to a signature ID of 326-80 (326 = MWG device ID, 80 = sig ID), which is where the rule message ultimately comes from.
For anything with a block ID of "0", you will see the "A web request was allowed" message. For anything with an unknown block ID, I believe it will get mapped to an instance of "A web request was blocked". Unknown block IDs may be ones that your MWG administrators have defined locally, or they may be new types that have been implemented by MWG and have not yet been incorporated into the MWG parser. For the latter case, I'd encourage you to file a quick PER so that we can ensure the parser is properly dealing with the default events generated by MWG.
Any custom block IDs your admins have created will have a unique signature ID, and you can modify the rule message seen as needed via the Policy Editor (select event, open menu, select "Show Rule 326-xxx").
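The mapping described in the reply above, as an added example that is not part of the original post and is not the MWG parser's own code: it pulls the block ID out of a log line, derives the 326-xx signature ID, and lists block IDs that would fall through to the generic blocked message. It assumes the block ID is always the second-to-last quoted field, as in the sample log, and `KNOWN_BLOCK_IDS` is a constructed table holding only the one ID the post names.

```python
import re

MWG_DEVICE_ID = 326  # MWG device ID, per the post
# Only block ID 80 and its message come from the post; extend for your policy.
KNOWN_BLOCK_IDS = {80: "Blocked due to a virus being found"}

# Sample log line copied from the post.
SAMPLE = (
    '<30>Sep 19 19:02:43 mwg01 mwg: [19/Sep/2013:19:02:43 +0000] "" '
    '172.25.109.161 403 "GET http://www.eicar.org/download/eicar.com HTTP/1.1" '
    '"Information Security" "Minimal Risk" "" 8524 399 '
    '"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" '
    '"McAfeeGW: EICAR test file" "80" ""'
)

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted fields, escapes tolerated


def parse_block_id(line):
    """Return the block ID, assumed to be the second-to-last quoted field."""
    fields = QUOTED.findall(line)
    if len(fields) < 2 or not fields[-2].isdigit():
        raise ValueError("no numeric block ID field found")
    return int(fields[-2])


def classify(line, known=KNOWN_BLOCK_IDS):
    """Map a log line to its signature ID and the rule message described above."""
    block_id = parse_block_id(line)
    if block_id == 0:
        message = "A web request was allowed"
    elif block_id in known:
        message = known[block_id]
    else:
        # Locally defined or not-yet-parsed block ID: generic message.
        message = "A web request was blocked"
    return {
        "block_id": block_id,
        "sig_id": f"{MWG_DEVICE_ID}-{block_id}",
        "message": message,
        "unmapped": block_id != 0 and block_id not in known,
    }


def unmapped_block_ids(lines, known=KNOWN_BLOCK_IDS):
    """Block IDs that would fall through to the generic blocked message."""
    results = (classify(line, known) for line in lines)
    return sorted({r["block_id"] for r in results if r["unmapped"]})
```

Running `unmapped_block_ids` over a day of MWG syslog gives the list of IDs to check against locally defined block IDs before deciding whether a PER is warranted.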