Alas rec_type=71 are for all kinds of messages - Allow, Trust, Block. Block with reset.

I.e.
rec_type=71 file_count=0 client_app="SSL client" mac_address=00:00:00:00:00:00 dest_ip=...
...
ssl_server_name="" ssl_cert_fingerprint=0000000000000000000000000000000000000000 has_ipv6=1 fw_rule_action="Block with reset" ssl_rule_id=0 netbios_domain="" fw_rule="Bacis access - Deny Traffic"
...

Actually I either need to discard messages with fw_rule_action= equals Allow or Trust or keep only
Block and *Block with reset"

You could try :

[discard_rec_type_71]
REGEX=fw_rule_action=("Allow"|"Trust")
DEST_KEY=queue
FORMAT=nullQueue

Actually - this one worked just need to remove quote marks REGEX=fw_rule_action=(Allow|Trust).

Great pls accept the answer 🙂

Small update, if you are interessed:

you can add this to make sure its only valid for rec_type 71

^rec_type=71.*?fw_rule_action=(Allow|Trust)

No success.

Btw, just in case I tried "REGEX=^rec_type=71" and it worked - all such messages were filter out. So in general the idea is correct.

The question is in specific REGEX?

Here is whole typical "Allow" message:
rec_type=71 web_app=Weborama dest_port=443 file_count=0 dest_autonomous_system=0 sec_intel_ip=N/A netflow_src=00000000-0000-0000-0000-000000000000 http_response=0 dest_bytes=992 user_agent="" dns_resp_id=0 event_type=1003 dns_rec_id=0 client_app="SSL client" ssl_flow_error=0 legacy_ip_address=0.0.0.0 event_usec=0 vlan_id=0 ssl_actual_action=Unknown dns_query="" dest_ip_country=france snmp_out=0 ssl_flow_status=Unknown event_desc="Flow Statistics" src_mask=0 num_ioc=0 rec_type_desc="Connection Statistics" sensor=Onego event_subtype=1 security_context=00000000000000000000000000000000 sinkhole_uuid=00000000-0000-0000-0000-000000000000 fw_rule_action=Allow dest_pkts=4 fw_policy=00000000-0000-0000-0000-00005c47a1f6 url=https://adv.solution.weborama.fr tcp_flags=0 mac_address=00:00:00:00:00:00 has_ipv6=1 ssl_server_cert_status="Not Checked" fw_rule_reason=N/A ssl_version=Unknown dns_ttl=0 ssl_rule_id=0 app_proto=HTTPS ssl_flow_messages=0 ssl_cert_fingerprint=0000000000000000000000000000000000000000 iface_ingress=inside src_tos=0 referenced_host="" iface_egress=outside monitor_rule_1=N/A monitor_rule_3=N/A monitor_rule_2=N/A monitor_rule_5=N/A monitor_rule_4=N/A monitor_rule_7=N/A monitor_rule_6=N/A monitor_rule_8=0 instance_id=1 dest_ip=91.216.195.18 ip_layer=0 last_pkt_sec=1548241758 ssl_session_id=0000000000000000000000000000000000000000000000000000000000000000 src_pkts=6 sec_intel_event=No dest_mask=0 snmp_in=0 rec_type_simple=RNA first_pkt_sec=1548241758 fw_rule="Extended access" ssl_policy_id=00000000000000000000000000000000 url_category=Uncategorized url_reputation="Risk unknown" ssl_url_category=0 ip_proto=TCP ssl_flow_flags=0 src_bytes=2022 event_sec=1548241938 sec_zone_ingress=Sanctum ssl_cipher_suite=TLS_NULL_WITH_NULL_NULL netbios_domain="" src_autonomous_system=0 client_version="" src_ip_country=unknown ssl_ticket_id=0000000000000000000000000000000000000000 dest_tos=0 src_port=52189 http_referrer="" sec_zone_egress=Exodus src_ip=192.168.111.111 user=blahblahuser ips_count=0 ssl_server_name="" ssl_expected_action=Unknown connection_id=28348

Did you try this?

Please accept the answer if it helped