$re = '/\"action\":\s*\"(?<action>[^\"]*).*\"dst\":\s*\{\s*\"ip\":\s*\"(?<dst_ip>[^\"]*)\",\s*\"mac\":\s*\"(?<dst_mac>[^\"]*)\",\s*\"port\":\s*\"(?<dst_port>[^\"]*)"\s*}.*\s*\"src\":\s*\{\s*\"ip\":\s*\"(?<src_ip>[^\"]*)\",\s*\"mac\":\s*\"(?<src_mac>[^\"]*)\",\s*\"port\":\s*\"(?<src_port>[^\"]*)\",\s*\"vlan\":\s*\"(?<src_vlan>[^\"]*)\"/m';
$str = 'Aug 24 13:16:20 192.168.2.24 fenotify-333875.warning: { "alert": { "ack": "no", "action": "blocked", "alert-url": "***************", "appliance-id": "C4:00:AD:B6:C5:33", "attack-time": "2023-08-24T04:16:08Z", "dst": { "ip": "192.168.2.148", "mac": "fc:34:97:03:fe:98", "port": "80" }, "explanation": { "analysis": "content", "cnc-services": { "cnc-service": { "address": "192.168.2.148", "channel": "POST /album.php HTTP/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text/html, application/xhtml+xml, */*\\r\\nAccept-Language: en-US\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nContent-Length: 273\\r\\nHost: 192.168.2.148\\r\\nPragma: no-cache\\r\\nCache-Control: no-cache\\r\\n\\r\\nc=jO0wkeKc25qk/jg9NkqHPYA1XRkb0eqAPErxNwK5fmcXnTY0m3qFMPT2&kaiikog=M4orW66CyB5IjuC7TFuXRXOu&uce=er+Z6Z0jmOjNDtX5cONg+rVQo6oNPYQ0leujF838&oa=JIcmHxXfQvOJUgRbe7md5RBz9uZx&ssqwy14=+gDzCdPBlfSipfJIxWZ/O6jp&mmmkii=Ejrq8elTUzQqMMrfBs2oCZkoqZFLbvdKd5YyiQgp50Qsaw+JBOzLVsxbAfJCDaY=", "host": "192.168.2.148", "port": "80", "protocol": "tcp", "sid": "86134347", "sname": "Trojan.Bedep", "type": "CncSigMatch", "url": "hxxp://192.168.2.148/album.php" } }, "malware-detected": { "malware": { "name": "Trojan.Bedep", "sid": "86134347", "stype": "bot-command" } }, "protocol": "tcp" }, "id": "333875", "interface": { "interface": "pether3", "label": "A1", "mode": "tap" }, "name": "malware-callback", "occurred": "2023-08-24T04:16:08Z", "product": "Web MPS", "root-infection": "7717", "sc-version": "1397.140", "sensor": "Coupers-NX", "sensor-ip": "192.168.2.21", "severity": "crit", "src": { "ip": "192.168.2.154", "mac": "00:0c:29:07:f9:d1", "port": "58061", "vlan": "0" }, "uuid": "62206b77-a649-4dfe-aba9-67debda3e52f", "version": "9.1.5.986166" }, "appliance": "Coupers-CM.couperscm.com", "appliance-id": "3C:EC:EF:8E:64:9E", "msg": "normal", "product": "CMS", "version": "9.1.5.986166" }';
preg_match_all($re, $str, $matches, PREG_SET_ORDER, 0);
// Print the entire match result
var_dump($matches);
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for PHP, please visit: http://php.net/manual/en/ref.pcre.php