Thanks, cpetterborg, but I don't want this hardcoded, because then it would miss protocols that could be there but aren't in my sample.
^(?:[^:\n]*:){6}\s+\w+\w+\s+[a-z]+\s(?P\w+) is something I tried. What is in bold is the content that's needed to extract into the field.
Sep 7 15:47:28 10.1.1.99 Sep 07 2016 15:47:27 10.1.1.99 : %ASA-6-302014: Teardown TCP connection 3119818 for outside:209.98.44.193/49936 to inside:192.168.1.8/1547 duration 0:05:01 bytes 931 TCP Reset-I
Sep 7 15:47:28 10.1.1.99 Sep 07 2016 15:47:28 10.1.1.99 : %ASA-6-302020: Built outbound ICMP connection for faddr 192.168.151.96/512 gaddr 192.168.1.1/0 laddr 192.168.1.1/0
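An added example, not part of the original post: one way to pull the protocol out of both event shapes without listing protocol names, by anchoring on the `%ASA-` message tag and the word `connection` instead of counting colons. It assumes the bolded values were the protocol tokens (`TCP`, `ICMP`), since the bold formatting did not survive; the group names `msg_id` and `protocol` are illustrative.

```python
import re

# The two events quoted in the post above, reused as sample input.
SAMPLE_EVENTS = [
    "Sep 7 15:47:28 10.1.1.99 Sep 07 2016 15:47:27 10.1.1.99 : %ASA-6-302014: "
    "Teardown TCP connection 3119818 for outside:209.98.44.193/49936 to "
    "inside:192.168.1.8/1547 duration 0:05:01 bytes 931 TCP Reset-I",
    "Sep 7 15:47:28 10.1.1.99 Sep 07 2016 15:47:28 10.1.1.99 : %ASA-6-302020: "
    "Built outbound ICMP connection for faddr 192.168.151.96/512 gaddr "
    "192.168.1.1/0 laddr 192.168.1.1/0",
]

# Constructed line (not from the post): an ASA event with no "connection" phrase.
NON_CONNECTION_EVENT = (
    "Sep 7 15:47:29 10.1.1.99 Sep 07 2016 15:47:29 10.1.1.99 : %ASA-5-111008: "
    "User 'enable_15' executed the 'show version' command."
)

PROTOCOL_RE = re.compile(
    r"%ASA-\d-(?P<msg_id>\d+):\s+"     # anchor on the message tag, not a colon count
    r"(?:[A-Za-z]+\s+){1,2}?"          # action verb, optionally a direction word
    r"(?P<protocol>[A-Za-z0-9-]+)\s+"  # any protocol token, no hardcoded list
    r"connection\b"                    # the token must sit right before "connection"
)


def extract_protocol(event):
    """Return {'msg_id': ..., 'protocol': ...} or None if the event has no match."""
    match = PROTOCOL_RE.search(event)
    return match.groupdict() if match else None


if __name__ == "__main__":
    for line in SAMPLE_EVENTS + [NON_CONNECTION_EVENT]:
        print(extract_protocol(line))
```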