The regex you are using for the first example should be OK. The only improvement I could suggest is to make the second field (message) not greedy with (? .*?). With the second regex, it looks like it just needs a few touches (there was an escaped dot in there):
|rex field=_raw .*PES0:\s(?<machine>\w+),(?<srvr_action_taken>\w+),,(?<user_action_taken>\w+\s\w+),Begin:.*?Rule:\s(?<rule_used>.*?),\d+,(?<process_called>.*?),\d+,No\sModule\sName,(?<filename>.*?),User:\s(?<user>\w+),Domain:\s(?<domain>\w+)
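An added example, not part of the original post: one way to check a long rex pattern like the one above offline and, when an event does not extract, see which part of the pattern stops matching. The event lines are constructed to fit the layout the pattern implies, and the helper names `extract` and `firstFailingSegment` are hypothetical.

```javascript
// Added example (not from the original post): the rex pattern above, split at
// field boundaries so a non-matching event can be traced to one segment.
const SEGMENTS = [
  String.raw`.*PES0:\s(?<machine>\w+)`,
  String.raw`,(?<srvr_action_taken>\w+)`,
  String.raw`,,(?<user_action_taken>\w+\s\w+)`,
  String.raw`,Begin:.*?Rule:\s(?<rule_used>.*?),\d+`,
  String.raw`,(?<process_called>.*?),\d+,No\sModule\sName`,
  String.raw`,(?<filename>.*?),User:\s(?<user>\w+)`,
  String.raw`,Domain:\s(?<domain>\w+)`,
];
// Joined, the segments are character-for-character the pattern from the post.
const FULL = new RegExp(SEGMENTS.join(""));

// Returns the extracted fields as an object, or null when the event does not match.
function extract(event) {
  const m = FULL.exec(event);
  return m ? { ...m.groups } : null;
}

// Index of the first segment at which the cumulative pattern stops matching,
// or -1 when the whole pattern matches.
function firstFailingSegment(event) {
  for (let i = 1; i <= SEGMENTS.length; i++) {
    const prefix = new RegExp(SEGMENTS.slice(0, i).join(""));
    if (!prefix.test(event)) return i - 1;
  }
  return -1;
}

// Constructed sample events (assumed layout, inferred from the pattern itself).
const GOOD = String.raw`Jan  1 10:00:05 PES0: HOST01,Blocked,,File Write,` +
  String.raw`Begin: 2020-01-01 10:00:00,End: 2020-01-01 10:00:00,Rule: Example rule,1234,` +
  String.raw`C:\Windows\notepad.exe,0,No Module Name,C:\Temp\report.txt,User: jdoe,Domain: EXAMPLE`;
// Variant with a module name present: the literal "No Module Name" anchor fails.
const BAD_MODULE = GOOD.replace("No Module Name", "example.dll");
// Variant with a one-word action: \w+\s\w+ requires exactly two words.
const BAD_ACTION = GOOD.replace("File Write", "Continue");

for (const ev of [GOOD, BAD_MODULE, BAD_ACTION]) {
  const idx = firstFailingSegment(ev);
  console.log(idx === -1 ? extract(ev) : `no match, stops at: ${SEGMENTS[idx]}`);
}
```

The two failing variants show where the pattern is rigid: it hard-codes the literal `No Module Name` and expects a two-word action, so events that differ there produce no fields at all.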