I've noticed two small issues on the latest 1.2.1 app version.
According to the latest CIM-Email (4.3.1), the field currently extracted as sender should be named src_user instead:
[sender_field_for_cisco_esa]
REGEX = From:\s+<([^>]*)>
FORMAT = src_user::$1
The src_ip field is not extracted properly: in the regex, + should be used instead of * just before the src IP address part, otherwise the first part of the IP will not end up in the matching group.
[src_dest_fields_for_cisco_esa]
REGEX = (?:DCID|ICID)\s+\d+\s+interface\s+.[\s(]+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s+port\s+(\d+))?
FORMAT = src_ip::$1 dest_ip::$2 dest_port::$3
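To make the quantifier point above checkable outside Splunk, here is an added Python reproduction that is not part of the original post or of the Cisco ESA add-on. It runs the posted sender regex and both variants of the src/dest regex (the `[\s(]*` "before" form and the `[\s(]+` "after" form) over a few constructed log lines. Two assumptions are mine: the interface-name part of the pattern is written as `.*` (the posted line shows a bare `.`, which can only match a one-character interface name), and the sample lines are constructed to fit that pattern rather than copied from real ESA mail_logs.

```python
import re

# Constructed sample events shaped to fit the posted patterns (not real Cisco ESA log data).
SAMPLE_EVENTS = [
    "Mon Jan  1 10:00:00 2024 Info: New SMTP ICID 101 interface Management (10.10.0.5) 192.0.2.10",
    "Mon Jan  1 10:00:01 2024 Info: New SMTP DCID 202 interface Data1 (10.10.0.6) 198.51.100.20 port 25",
    "Mon Jan  1 10:00:02 2024 Info: MID 303 ICID 101 From: <alice@example.test>",
]

# Dotted-quad with the octet separators escaped, so "." cannot match an arbitrary character.
IP = r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

# Assumption: the interface name is matched by ".*" (the post shows a bare ".").
# "Before" variant: [\s(]* may match nothing, so the greedy ".*" is free to swallow
# the first digit of the source address and the capture group starts one octet short.
SRC_DEST_BEFORE = re.compile(
    r"(?:DCID|ICID)\s+\d+\s+interface\s+.*[\s(]*" + IP + r".\s+" + IP + r"(?:\s+port\s+(\d+))?"
)
# "After" variant proposed in the post: [\s(]+ forces at least one separator before the IP,
# so ".*" has to give the whole address back to the capture group.
SRC_DEST_AFTER = re.compile(
    r"(?:DCID|ICID)\s+\d+\s+interface\s+.*[\s(]+" + IP + r".\s+" + IP + r"(?:\s+port\s+(\d+))?"
)
# Sender extraction exactly as posted; the result is labelled src_user per CIM-Email 4.3.1.
SENDER = re.compile(r"From:\s+<([^>]*)>")


def extract(event, pattern=SRC_DEST_AFTER):
    """Return the fields a transforms.conf FORMAT of
    'src_ip::$1 dest_ip::$2 dest_port::$3' plus 'src_user::$1' would produce for one event."""
    fields = {}
    m = pattern.search(event)
    if m:
        fields["src_ip"] = m.group(1)
        fields["dest_ip"] = m.group(2)
        if m.group(3):          # port group is optional; ICID lines have none
            fields["dest_port"] = m.group(3)
    m = SENDER.search(event)
    if m:
        fields["src_user"] = m.group(1)
    return fields


def compare(events):
    """Per event, the src_ip captured by the '*' variant versus the '+' variant."""
    return [
        (extract(e, SRC_DEST_BEFORE).get("src_ip"), extract(e, SRC_DEST_AFTER).get("src_ip"))
        for e in events
    ]


if __name__ == "__main__":
    for event, (before, after) in zip(SAMPLE_EVENTS, compare(SAMPLE_EVENTS)):
        print(f"{event[31:]!r}\n  src_ip with [\\s(]* : {before}\n  src_ip with [\\s(]+ : {after}")
    print(extract(SAMPLE_EVENTS[2]))
```

Running it shows the `*` variant capturing `0.10.0.5` where the `+` variant captures `10.10.0.5`, which is the truncated-octet symptom the post describes; the third line yields only `src_user`.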