Splitting multiline log into separate fields


#1 JP_128812
Hi team, I'm sure this should be easy, but I'm not having much luck finding the answer elsewhere, can any of you help me?

So I have (McAfee Firewall) log entries that look like this:

```
Time: 10/23/2020 08:09:36 AM
Event: Traffic
IP Address: 172.19.0.113
Description: SNMP SERVICE
Path: C:\Windows\System32\snmp.exe
Message: Allowed Incoming UDP - Source 172.19.0.113 : (52676) Destination 172.23.25.135 : snmp (161)
Matched Rule: Adaptive Rule - snmp.exe
```

I've got this being parsed as a multiline log entry with the following:

```
Module xm_multiline
HeaderLine /^Time:.*/
EndLine /^Matched Rule:.*/

Module im_file
File 'C:\ProgramData\McAfee\Endpoint Security\Logs\FirewallEventMonitor.log'
PollInterval 1
SavePos True
ReadFromLast True
Recursive True
RenameCheck False
Exec $FileName = file_name(); # Send file name with each message
InputType 5f917c0781064d07c2e8486a-multiline
```

So far so good - I get a multiline message come through, but I'd now like to parse it. So my first step is to split out the individual lines - ideally in the above example I'd split the above message into 7 fields:

```
'Time' -> '10/23/2020 08:09:36 AM'
'Event' -> 'Traffic'
'IP Address' -> 172.19.0.113
...etc
```

So I'm guessing there's an **Exec** section required and some regex work, but I've not managed to get anything to work yet - has anyone else done anything similar here?

Thanks in advance,
Jim
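As an added illustration (not part of the original post, and not NXLog's own code), the splitting the poster describes can be prototyped in Python before porting the regexes into an Exec block: each record line is split on its first colon into label and value, and the Message line is then decomposed into action, direction, protocol and the source/destination endpoints. It assumes the Message layout shown in the sample, with the service name treated as optional because the source port in the sample carries none.

```python
from typing import Dict
import re

# Constructed sample: the seven-line McAfee Firewall event quoted in the post.
SAMPLE_EVENT = r"""Time: 10/23/2020 08:09:36 AM
Event: Traffic
IP Address: 172.19.0.113
Description: SNMP SERVICE
Path: C:\Windows\System32\snmp.exe
Message: Allowed Incoming UDP - Source 172.19.0.113 : (52676) Destination 172.23.25.135 : snmp (161)
Matched Rule: Adaptive Rule - snmp.exe"""

# Message line layout as seen in the sample. Assumption: the service name before
# the bracketed port may be missing (as it is for the source here), so it is optional.
MESSAGE_RE = re.compile(
    r"^(?P<action>\w+) (?P<direction>Incoming|Outgoing) (?P<proto>\w+) - "
    r"Source (?P<src_ip>\S+) : (?:(?P<src_svc>\S+) )?\((?P<src_port>\d+)\) "
    r"Destination (?P<dst_ip>\S+) : (?:(?P<dst_svc>\S+) )?\((?P<dst_port>\d+)\)$"
)


def split_fields(event: str) -> Dict[str, str]:
    """Turn one multiline record into {label: value}, splitting on the FIRST colon only.

    Splitting on every colon would break the Time (08:09:36), the Path (C:\...)
    and the Message, all of which legitimately contain further colons.
    """
    fields: Dict[str, str] = {}
    for line in event.splitlines():
        key, sep, value = line.partition(":")
        if sep:  # skip lines without a label
            fields[key.strip()] = value.strip()
    return fields


def parse_event(event: str) -> Dict[str, str]:
    """Split the record, then break the Message line into connection attributes."""
    fields = split_fields(event)
    m = MESSAGE_RE.match(fields.get("Message", ""))
    if m:  # only add groups that actually matched, so absent service names stay absent
        fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


if __name__ == "__main__":
    for key, value in parse_event(SAMPLE_EVENT).items():
        print(f"{key!r} -> {value!r}")
```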