$re = '/^<134> CEF:0\|(?<product>[^|]+)\|(?<subproduct>[^|]+)\|(?<otro>[^|]+)\|(?<category>[^|]+)\|(?<subcategory>[^|]+)\|(?<numero>[^|]+)\|cs3=\s(?<cs3>\w+)\sSessStart=\s(?<SessStart>\w+)\sSessEnd=\s(?<SessEnd>\w+)\scs4=\s+sproc=\s\\\\(?<sproc>[^\s]+)\sSessProcID2=\s+filePath=\s\\\\(?<filepath>[^\s]+)\sAncesProcID=\s+src=\s(?<src>[^\s]+)\sc6a2=\s(?<c6a2>[^\s]+)\ssourceDnsDomain=\s+CurrDir=\s+dst=\s+dhost=\s+(?<dhost>[^\s]+)\scs2=\s(?<cs2>[^\s]+)\s(?<destinationDnsDomain>[^\s]+)\s+deviceCustomDate1=\s(?<deviceCustomDate1>\w+\-\w+\-\w+\s\d+\:\d+\:\d+\.\d+)\srt=\s(?<rt>\w+\-\w+\-\w+\s\d+\:\d+\:\d+\.\d+)\sexternalId=\s(?<externalId>[^\s]+)\scn1=\s/m';
$str = '<134> CEF:0|XYPRO|NONSTOP|XMA|SOFTWARE-NORM-MSGS|SAFEGUARD-NORMAL-MESSAGES|2|cs3= FFFF02F289FAAE5EE62A SessStart= N SessEnd= N cs4= sproc= \\PROKIO.$Z7H3 SessProcID2= filePath= \\PROKIO.$SYSTEM.SYS02.TACL AncesProcID= src= 127.0.0.1 c6a2= 127.0.0.1 sourceDnsDomain= CurrDir= dst= dhost= \\PROKIO
cs2= $SYSTEM.SAFE destinationDnsDomain= deviceCustomDate1= 2020-12-04 18:42:32.462813 rt= 2020-12-04 12:42:32.462813 externalId= 000000002 cn1= 1 cs6= N / N cn2= 1 Alerted= A deviceFacility= SAFEGUARD suid= 000 , 000 duid= 255 , 143 suser= 000.000 (does not exist) shost= \\PROKIO duser= SUPER.JANAVARR fileType= USER fname= SUPER.JANAVARR 255.143 act= VERIFYUSER cs5= \\PROKIO.$ZTN9.#PT44JMU cat= 54 reason= 400 cs1= msg= Logon Fail count 1 to 0 cn1Label=Outcomecn2Label=XMA_Severitycs1Label=Rulenamecs2Label=ProductLocationcs3Label=SessionIDcs4Label=SessionNamecs5Label=Terminalcs6Label=Test/WarndeviceCustomDate1Label=RecordGMTc6a2Label=SessionIP';
preg_match_all($re, $str, $matches, PREG_SET_ORDER, 0);
// Print the entire match result
var_dump($matches);
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for PHP, please visit: http://php.net/manual/en/ref.pcre.php