You can go to http://gskinner.com/RegExr/ to parse the log.
I have an example.
I have an event log of BIND 9 DNS queries:
<166>named: queries: info: client 192.168.16.75#55294: view localhost_resolver: query: microsoft.com IN A +
My parser rule is as follows:
When in the Policy Editor:
You can read http://kb.mcafee.com/agent/index?page=content&id=KB78119 to learn about parser rules.
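A regex for the BIND 9 query line quoted in the post, as an added example that is not part of the original post and not a McAfee parser rule. The group names, the parse_query function and the second test line used with it are assumptions of this example; the pattern covers only the line layout shown above.

```python
import re

# The BIND 9 query line quoted in the post, used here as sample input.
SAMPLE = ("<166>named: queries: info: client 192.168.16.75#55294: "
          "view localhost_resolver: query: microsoft.com IN A +")

# Group names are this example's own choice, not SIEM field names.
QUERY_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>named: queries: (?P<level>\w+): "
    r"client (?P<src_ip>[0-9A-Fa-f.:]+)#(?P<src_port>\d{1,5}): "
    r"(?:view (?P<view>[^:\s]+): )?"          # the view part is optional
    r"query: (?P<qname>\S+) (?P<qclass>[A-Z]+) (?P<qtype>[A-Z0-9]+) "
    r"(?P<flags>[+-]\S*)$"
)


def parse_query(line):
    """Return a dict of fields for a BIND 9 query log line, or None."""
    m = QUERY_RE.match(line.strip())
    if m is None:
        return None
    pri = int(m.group("pri"))
    port = int(m.group("src_port"))
    if pri > 191 or port > 65535:             # outside syslog PRI / port range
        return None
    flags = m.group("flags")
    return {
        "facility": pri >> 3,                 # syslog PRI = facility * 8 + severity
        "severity": pri & 7,
        "level": m.group("level"),
        "src_ip": m.group("src_ip"),
        "src_port": port,
        "view": m.group("view"),
        # Lower-case and drop a trailing dot so names compare equal in searches.
        "qname": m.group("qname").rstrip(".").lower(),
        "qclass": m.group("qclass"),
        "qtype": m.group("qtype"),
        "recursion": flags.startswith("+"),   # '+' means recursion was requested
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in parse_query(SAMPLE).items():
        print(f"{key:10} {value}")
```

The same capture groups can be tried in the regex tester linked above before they are turned into a parser rule.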