I've recently started using the great util Eventlog-to-Syslog (http://code.google.com/p/eventlog-to-syslog/) and needed a parser. This pattern should do the job. A word of warning: I opted to go with no program match because I didn't want to write a pattern per event log source, so it's possible this would hit on other log sources. However, in testing, the pattern seems to work well and I haven't gotten any "false" matches. I also gave up trying to parse out the user name as the second param because it isn't always included and the semicolon used as a delimiter regularly shows up naturally in messages. One could write per-event-id message parsers which grabbed all kinds of fields, but this should get the ball rolling to at least grab the event id.

<ruleset name="Windows" id='4'>
  <!-- no program pattern -->
  <rules>
    <rule provider="local" class='Windows' id='4'>
      <patterns>
        <pattern>@NUMBER:event_id:@: @ANYSTRING:msg:@</pattern>
      </patterns>
      <examples>
        <example>
          <test_message program="Service_Control_Manager">7035: NT AUTHORITY\SYSTEM: The COH_Mon service was successfully sent a start control.</test_message>
          <test_values>
            <test_value name="event_id">7035</test_value>
            <test_value name="msg">NT AUTHORITY\SYSTEM: The COH_Mon service was successfully sent a start control.</test_value>
          </test_values>
        </example>
        <example>
          <test_message program="SceCli">1202: Security policies were propagated with warning. 0x4b8 : An extended error has occurred. For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".</test_message>
          <test_values>
            <test_value name="event_id">1202</test_value>
            <test_value name="msg">Security policies were propagated with warning. 0x4b8 : An extended error has occurred. For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".</test_value>
          </test_values>
        </example>
      </examples>
      <tags>
        <tag>Windows</tag>
      </tags>
    </rule>
  </rules>
</ruleset>
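As an added example (not part of the original post or the syslog-ng project), here is a Python re-implementation of the `@NUMBER:event_id:@: @ANYSTRING:msg:@` pattern run over constructed lines in the Eventlog-to-Syslog format shown above; `naive_user` is a hypothetical helper that shows why splitting out the user name as a second field is unreliable when the delimiter also occurs naturally inside messages.

```python
import re
from typing import Optional

# Regex equivalent of the patterndb rule in the post:
#   @NUMBER:event_id:@: @ANYSTRING:msg:@
# NUMBER = leading digits, then the literal ": ", then ANYSTRING takes the rest.
# Anchored at the start, as patterndb patterns are; lines without a leading
# event id simply do not match.
EVENT_RE = re.compile(r"^(?P<event_id>\d+): (?P<msg>.*)$", re.DOTALL)

# Constructed sample lines (the first two mirror the post's test messages).
SAMPLE_LINES = [
    "7035: NT AUTHORITY\\SYSTEM: The COH_Mon service was successfully sent a start control.",
    "1202: Security policies were propagated with warning. 0x4b8 : An extended error "
    "has occurred. For best results in resolving this event, log on with a "
    "non-administrative account and search http://support.microsoft.com for "
    "\"Troubleshooting Event 1202's\".",
    "Service started normally",  # constructed: no event id prefix, must not match
]


def parse_event(message: str) -> Optional[dict]:
    """Return {'event_id': int, 'msg': str} when the rule matches, else None."""
    m = EVENT_RE.match(message)
    if m is None:
        return None
    return {"event_id": int(m.group("event_id")), "msg": m.group("msg")}


def naive_user(msg: str) -> Optional[str]:
    """Hypothetical 'second param' split the post gave up on: text before the
    first ': ' in msg. Correct for the SCM line, wrong for the SceCli line,
    where ' : ' appears inside the message body itself."""
    head, sep, _ = msg.partition(": ")
    return head if sep else None


def parse_all(lines) -> list:
    """Parse every line, keeping only those the rule matches."""
    return [ev for ev in (parse_event(line) for line in lines) if ev is not None]
```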