$re = '/(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([a-zA-Z0-9\-]+)\s+[SFIMS:]{1,6}\s+\[([a-zA-Z0-9_\s]+)\s+\(([0-9a-z\-]+)\)\]\[(.+)\]\[(([0-9]+)\:([0-9]+)\:[0-9]+)\]\s+\"(.+)\"\s+\[Classification\:\s+(.+)\]\s+User\:\s+(.+)\,\s+Application\:\s+(.+)\,\s+Client:\s+(.+)\,\s+App Protocol\:\s+(.+)\,\s+Interface Ingress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Interface Egress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Security Zone Ingress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Security Zone Egress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Context\:\s+([a-zA-Z\-\_0-9]+)\,\s+\[Priority\:\s+([0-9]+)\]\s+\{([A-Z]+)\}\s+([0-9.]+):([0-9]+)\s->\s([0-9.]+):([0-9]+)/';
$str = 'Aug 7 17:47:38 Sourcefire3D SFIMS: [Primary Detection Engine (b363fd8a-2ec5-11de-91d7-e63c5c5fcc50)][ZurichConnect _ Osservazione][1:402:15] "PROTOCOL-ICMP Destination Unreachable Port Unreachable" [Classification: Misc Activity] User: Unknown, Application: Unknown, Client: Unknown, App Protocol: Unknown, Interface Ingress: s1p3, Interface Egress: s1p4, Security Zone Ingress: Internal, Security Zone Egress: External, Context: Unknown, SSL Flow Status: N/A, SSL Actual Action: N/A, SSL Certificate: 0000000000000000000000000000000000000000, SSL Subject CN: N/A, SSL Subject Country: N/A, SSL Subject OU: N/A, SSL Subject Org: N/A, SSL Issuer CN: N/A, SSL Issuer Country: N/A, SSL Issuer OU: N/A, SSL Issuer Org: N/A, SSL Valid Start Date: N/A, SSL Valid End Date: N/A, [Priority: 3] {ICMP} 172.23.33.201 -> 172.23.34.74, type: Destination Unreachable, code: Port unreachable';
preg_match($re, $str, $matches, PREG_OFFSET_CAPTURE, 0);
// Print the entire match result
var_dump($matches);
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for PHP, please visit: http://php.net/manual/en/ref.pcre.php