diff --git a/packages/1password/1.5.1/changelog.yml b/packages/1password/1.5.1/changelog.yml
new file mode 100755
index 0000000000..7de8e5ff69
--- /dev/null
+++ b/packages/1password/1.5.1/changelog.yml
@@ -0,0 +1,76 @@
+# newer versions go on top
+- version: "1.5.1"
+ changes:
+ - description: Update readme to improve English
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3534
+- version: "1.5.0"
+ changes:
+ - description: Update package to ECS 8.3.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3353
+- version: "1.4.0"
+ changes:
+ - description: Change name of package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3245
+- version: "1.3.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2778
+- version: "1.2.2"
+ changes:
+ - description: Fix typo in config template for ignoring host enrichment
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3092
+- version: "1.2.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.2.0"
+ changes:
+ - description: Add new "event.action" to item_usages events.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2775
+- version: "1.1.1"
+ changes:
+ - description: Fix field mapping conflict for ECS `event.created`.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2687
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2368
+- version: "1.0.0"
+ changes:
+ - description: GA integration
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2360
+- version: "0.2.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "0.2.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "0.2.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2214
+- version: "0.1.1"
+ changes:
+ - description: Update Title and Description.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1997
+- version: "0.1.0"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1722
diff --git a/packages/1password/1.5.1/data_stream/item_usages/agent/stream/httpjson.yml.hbs b/packages/1password/1.5.1/data_stream/item_usages/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..5a8a7d1ff4
--- /dev/null
+++ b/packages/1password/1.5.1/data_stream/item_usages/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,57 @@
+config_version: 2
+interval: {{interval}}
+request.url: {{url}}/api/v1/itemusages
+request.method: POST
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+ - set:
+ target: "header.Content-Type"
+ value: "application/json"
+ - set:
+ target: "header.User-Agent"
+ value: "1Password-Elastic-Filebeat/0.1.0"
+ - set:
+ target: "header.Authorization"
+ value: 'Bearer {{token}}'
+ - set:
+ target: body.cursor
+ value: '[[if not (eq (len .cursor) 0)]][[.cursor.last_cursor]][[end]]'
+ - set:
+ target: body.limit
+ value_type: int
+ value: '[[if eq (len .cursor) 0]]{{limit}}[[end]]'
+cursor:
+ last_cursor:
+ value: '[[.last_response.body.cursor]]'
+response.decode_as: application/json
+response.split:
+ target: body.items
+response.pagination:
+ - set:
+ target: body.cursor
+ value: '[[.last_response.body.cursor]]'
+ fail_on_template_error: true
+ - delete:
+ target: body.limit
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
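Review bot: The `header.User-Agent` transform is pinned to `1Password-Elastic-Filebeat/0.1.0` while the changelog in this same change puts the package at 1.5.1, so whatever the 1Password side logs about this client identifies a version that no longer exists; either keep the suffix in step with the package version or drop it. The `- {{tag}}` entries under `tags:` are emitted as plain scalars, so a user-supplied tag such as `on`, `no` or `1.10` would be re-typed by the YAML parser before the input sees it; `- "{{tag}}"` avoids that, and the `i` in `{{#each tags as |tag i|}}` is unused and can go. Both points apply identically to the signin_attempts `httpjson.yml.hbs` hunk later in this diff.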
diff --git a/packages/1password/1.5.1/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml b/packages/1password/1.5.1/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..45e5a82b2d
--- /dev/null
+++ b/packages/1password/1.5.1/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,142 @@
+---
+description: Pipeline for normalizing 1Password Item Usage Events
+processors:
+ - rename:
+ field: message
+ target_field: event.original
+ - json:
+ field: event.original
+ target_field: onepassword
+ - drop:
+ description: Drop if no timestamp (invalid json)
+ if: "ctx?.onepassword?.timestamp == null"
+
+ #######################
+ ## ECS Event Mapping ##
+ #######################
+ - set:
+ field: ecs.version
+ value: "8.3.0"
+ # Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
+ - set:
+ field: event.created
+ copy_from: "@timestamp"
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value: [file]
+ - append:
+ field: event.type
+ value: [access]
+ - rename:
+ field: onepassword.action
+ target_field: event.action
+ ignore_missing: true
+
+ #########################
+ ## ECS Related Mapping ##
+ #########################
+ - append:
+ field: related.user
+ value: "{{onepassword.user.uuid}}"
+ allow_duplicates: false
+ if: ctx?.onepassword?.user?.uuid != null
+ - append:
+ field: related.user
+ value: "{{onepassword.user.email}}"
+ allow_duplicates: false
+ if: ctx?.onepassword?.user?.email != null
+ - append:
+ field: related.user
+ value: "{{onepassword.user.name}}"
+ allow_duplicates: false
+ if: ctx?.onepassword?.user?.name != null
+ - append:
+ field: related.ip
+ value: "{{onepassword.client.ip_address}}"
+ allow_duplicates: false
+ if: ctx?.onepassword?.client?.ip_address != null
+
+ ######################
+ ## ECS User Mapping ##
+ ######################
+ - rename:
+ field: onepassword.user.uuid
+ target_field: user.id
+ ignore_missing: true
+ - rename:
+ field: onepassword.user.name
+ target_field: user.full_name
+ ignore_missing: true
+ - rename:
+ field: onepassword.user.email
+ target_field: user.email
+ ignore_missing: true
+
+ ####################
+ ## ECS OS Mapping ##
+ ####################
+ - rename:
+ field: onepassword.client.os_name
+ target_field: os.name
+ ignore_missing: true
+ - rename:
+ field: onepassword.client.os_version
+ target_field: os.version
+ ignore_missing: true
+
+ ########################
+ ## ECS Source Mapping ##
+ ########################
+ - rename:
+ field: onepassword.client.ip_address
+ target_field: source.ip
+ ignore_missing: true
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+
+ ######################
+ ## ECS Base Mapping ##
+ ######################
+ - date:
+ field: onepassword.timestamp
+ formats:
+ - ISO8601
+
+ #############
+ ## Cleanup ##
+ #############
+ - remove:
+ field:
+ - onepassword.timestamp
+ - onepassword.user
+ - onepassword.location # Use the included GeoIP processor
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
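Review bot: The first `geoip` processor (the one writing `source.geo`) has no `ignore_missing: true`, unlike the ASN `geoip` directly below it, so an event with no `onepassword.client.ip_address` (the rename that produces `source.ip` is itself `ignore_missing`) makes that processor fail; with a pipeline-level `on_failure` the remaining processors are skipped, so the `date` processor never runs and the document is indexed with `error.message` set and `@timestamp` still at the agent's read time instead of `onepassword.timestamp`. Adding `ignore_missing: true` under `target_field: source.geo` brings it in line with the ASN processor. Secondarily, `source.ip` is mapped as type `ip` in this data stream's ecs.yml but the value is copied from the API response unvalidated, so a non-IP value would reject the whole document at index time; a `convert` with `type: ip` and `ignore_failure: true` ahead of the geoip processors would be the defensive form, though whether the API can ever return such a value is not visible here. The signin_attempts pipeline later in this diff has the same `geoip` gap.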
diff --git a/packages/1password/1.5.1/data_stream/item_usages/fields/base-fields.yml b/packages/1password/1.5.1/data_stream/item_usages/fields/base-fields.yml
new file mode 100755
index 0000000000..902686e8af
--- /dev/null
+++ b/packages/1password/1.5.1/data_stream/item_usages/fields/base-fields.yml
@@ -0,0 +1,23 @@
+- name: input.type
+ type: keyword
+ description: Input type
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: 1password
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: 1password.item_usages
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/1password/1.5.1/data_stream/item_usages/fields/ecs.yml b/packages/1password/1.5.1/data_stream/item_usages/fields/ecs.yml
new file mode 100755
index 0000000000..a5fd6a2817
--- /dev/null
+++ b/packages/1password/1.5.1/data_stream/item_usages/fields/ecs.yml
@@ -0,0 +1,98 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.full_name
+ type: keyword
+- description: User email address.
+ name: user.email
+ type: keyword
+- description: Operating system name, without the version.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: os.name
+ type: keyword
+- description: Operating system version as a raw string.
+ name: os.version
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ name: source.geo.location
+ type: geo_point
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
diff --git a/packages/1password/1.5.1/data_stream/item_usages/fields/fields.yml b/packages/1password/1.5.1/data_stream/item_usages/fields/fields.yml
new file mode 100755
index 0000000000..3c2f0bfa25
--- /dev/null
+++ b/packages/1password/1.5.1/data_stream/item_usages/fields/fields.yml
@@ -0,0 +1,30 @@
+- name: onepassword
+ type: group
+ fields:
+ - name: uuid
+ type: keyword
+ description: The UUID of the event
+ - name: used_version
+ type: integer
+ description: The version of the item that was accessed
+ - name: vault_uuid
+ type: keyword
+ description: The UUID of the vault the item is in
+ - name: item_uuid
+ type: keyword
+ description: The UUID of the item that was accessed
+ - name: client
+ type: group
+ fields:
+ - name: app_name
+ type: keyword
+ description: The name of the 1Password app the item was accessed from
+ - name: app_version
+ type: keyword
+ description: The version number of the 1Password app
+ - name: platform_name
+ type: keyword
+ description: The name of the platform the item was accessed from
+ - name: platform_version
+ type: keyword
+ description: The version of the browser or computer where the 1Password app is installed, or the CPU of the machine where the 1Password command-line tool is installed
diff --git a/packages/1password/1.5.1/data_stream/item_usages/manifest.yml b/packages/1password/1.5.1/data_stream/item_usages/manifest.yml
new file mode 100755
index 0000000000..1189af5c34
--- /dev/null
+++ b/packages/1password/1.5.1/data_stream/item_usages/manifest.yml
@@ -0,0 +1,47 @@
+title: "Collect 1Password item usages events"
+type: logs
+streams:
+ - input: httpjson
+ title: "Collect 1Password item usages events"
+ description: "Collect item usages from 1Password via the 1Password Events API"
+ enabled: true
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: limit
+ type: integer
+ title: Limit
+ description: Number of events to fetch on each request
+ show_user: false
+ required: true
+ default: 1000
+ - name: interval
+ type: text
+ title: Interval to query 1Password Events API
+ description: Go Duration syntax (eg. 10s)
+ show_user: false
+ required: true
+ default: 10s
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - 1password-item_usages
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
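Review bot: The top-level `title` repeats the stream title verbatim (`Collect 1Password item usages events`), whereas the signin_attempts manifest in this same diff gives the data stream a noun-phrase title (`1Password sign-in attempt events`) and keeps the verb form for the stream; `title: "1Password item usage events"` would make the two consistent and also fix the grammar. Two smaller wording points in the vars: `eg. 10s` in the interval description should be `e.g. 10s`, and `tags` is the only var without a `description`, so the UI shows it unexplained.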
diff --git a/packages/1password/1.5.1/data_stream/item_usages/sample_event.json b/packages/1password/1.5.1/data_stream/item_usages/sample_event.json
new file mode 100755
index 0000000000..aee4d1ccde
--- /dev/null
+++ b/packages/1password/1.5.1/data_stream/item_usages/sample_event.json
@@ -0,0 +1,81 @@
+{
+ "@timestamp": "2021-08-30T18:57:42.484Z",
+ "agent": {
+ "ephemeral_id": "cbcdd98f-456d-47bb-9f43-cf589ccd810d",
+ "id": "8652330e-4de6-4596-a16f-4463a6c56e9e",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "1password.item_usages",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "elastic_agent": {
+ "id": "8652330e-4de6-4596-a16f-4463a6c56e9e",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "reveal",
+ "agent_id_status": "verified",
+ "category": [
+ "file"
+ ],
+ "created": "2022-03-03T21:25:12.198Z",
+ "dataset": "1password.item_usages",
+ "ingested": "2022-03-03T21:25:13Z",
+ "kind": "event",
+ "type": [
+ "access"
+ ]
+ },
+ "host": {
+ "name": "docker-fleet-agent"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "onepassword": {
+ "client": {
+ "app_name": "1Password Browser Extension",
+ "app_version": "1109",
+ "platform_name": "Chrome",
+ "platform_version": "93.0.4577.62"
+ },
+ "item_uuid": "bvwmmwxisuca7wbehrbyqhag54",
+ "used_version": 1,
+ "uuid": "MCQODBBWJD5HISKYNP3HJPV2DV",
+ "vault_uuid": "jaqxqf5qylslqiitnduawrndc5"
+ },
+ "os": {
+ "name": "Android",
+ "version": "10"
+ },
+ "related": {
+ "ip": [
+ "1.1.1.1"
+ ],
+ "user": [
+ "OJQGU46KAPROEJLCK674RHSAY5",
+ "email@1password.com",
+ "Name"
+ ]
+ },
+ "source": {
+ "ip": "1.1.1.1"
+ },
+ "tags": [
+ "forwarded",
+ "1password-item_usages"
+ ],
+ "user": {
+ "email": "email@1password.com",
+ "full_name": "Name",
+ "id": "OJQGU46KAPROEJLCK674RHSAY5"
+ }
+}
\ No newline at end of file
diff --git a/packages/1password/1.5.1/data_stream/signin_attempts/agent/stream/httpjson.yml.hbs b/packages/1password/1.5.1/data_stream/signin_attempts/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..6a8f41aee5
--- /dev/null
+++ b/packages/1password/1.5.1/data_stream/signin_attempts/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,57 @@
+config_version: 2
+interval: {{interval}}
+request.url: {{url}}/api/v1/signinattempts
+request.method: POST
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+ - set:
+ target: "header.Content-Type"
+ value: "application/json"
+ - set:
+ target: "header.User-Agent"
+ value: "1Password-Elastic-Filebeat/0.1.0"
+ - set:
+ target: "header.Authorization"
+ value: 'Bearer {{token}}'
+ - set:
+ target: body.cursor
+ value: '[[if not (eq (len .cursor) 0)]][[.cursor.last_cursor]][[end]]'
+ - set:
+ target: body.limit
+ value_type: int
+ value: '[[if eq (len .cursor) 0]]{{limit}}[[end]]'
+cursor:
+ last_cursor:
+ value: '[[.last_response.body.cursor]]'
+response.decode_as: application/json
+response.split:
+ target: body.items
+response.pagination:
+ - set:
+ target: body.cursor
+ value: '[[.last_response.body.cursor]]'
+ fail_on_template_error: true
+ - delete:
+ target: body.limit
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/1password/1.5.1/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml b/packages/1password/1.5.1/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..2505e0562d
--- /dev/null
+++ b/packages/1password/1.5.1/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,152 @@
+---
+description: Pipeline for normalizing 1Password Sign-in Attempts Events
+processors:
+ - rename:
+ field: message
+ target_field: event.original
+ - json:
+ field: event.original
+ target_field: onepassword
+ - drop:
+ description: Drop if no timestamp (invalid json)
+ if: "ctx?.onepassword?.timestamp == null"
+
+ #######################
+ ## ECS Event Mapping ##
+ #######################
+ - set:
+ field: ecs.version
+ value: "8.3.0"
+ # Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
+ - set:
+ field: event.created
+ copy_from: "@timestamp"
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value: [authentication]
+ - append:
+ field: event.type
+ value: [info]
+ - rename:
+ field: onepassword.category
+ target_field: event.action
+ ignore_missing: true
+ - set:
+ field: event.outcome
+ value: success
+ if: "['success', 'firewall_reported_success'].contains(ctx.event?.action)"
+ ignore_failure: true
+ - set:
+ field: event.outcome
+ value: failure
+ if: "!['success', 'firewall_reported_success'].contains(ctx.event?.action)"
+ ignore_failure: true
+
+ #########################
+ ## ECS Related Mapping ##
+ #########################
+ - append:
+ field: related.user
+ value: "{{onepassword.target_user.uuid}}"
+ allow_duplicates: false
+ if: ctx?.onepassword?.target_user?.uuid != null
+ - append:
+ field: related.user
+ value: "{{onepassword.target_user.email}}"
+ allow_duplicates: false
+ if: ctx?.onepassword?.target_user?.email != null
+ - append:
+ field: related.user
+ value: "{{onepassword.target_user.name}}"
+ allow_duplicates: false
+ if: ctx?.onepassword?.target_user?.name != null
+ - append:
+ field: related.ip
+ value: "{{onepassword.client.ip_address}}"
+ allow_duplicates: false
+ if: ctx?.onepassword?.client?.ip_address != null
+
+ ######################
+ ## ECS User Mapping ##
+ ######################
+ - rename:
+ field: onepassword.target_user.uuid
+ target_field: user.id
+ ignore_missing: true
+ - rename:
+ field: onepassword.target_user.name
+ target_field: user.full_name
+ ignore_missing: true
+ - rename:
+ field: onepassword.target_user.email
+ target_field: user.email
+ ignore_missing: true
+
+ ####################
+ ## ECS OS Mapping ##
+ ####################
+ - rename:
+ field: onepassword.client.os_name
+ target_field: os.name
+ ignore_missing: true
+ - rename:
+ field: onepassword.client.os_version
+ target_field: os.version
+ ignore_missing: true
+
+ ########################
+ ## ECS Source Mapping ##
+ ########################
+ - rename:
+ field: onepassword.client.ip_address
+ target_field: source.ip
+ ignore_missing: true
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+
+ ######################
+ ## ECS Base Mapping ##
+ ######################
+ - date:
+ field: onepassword.timestamp
+ formats:
+ - ISO8601
+
+ #############
+ ## Cleanup ##
+ #############
+ - remove:
+ field:
+ - onepassword.timestamp
+ - onepassword.target_user
+ - onepassword.location # Use the included GeoIP processor
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
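Review bot: The second `event.outcome` setter fires when `event.action` is null, because `!['success', 'firewall_reported_success'].contains(null)` evaluates to true in Painless, so an event whose `onepassword.category` is absent (the preceding rename is `ignore_missing`) is classified as `failure` rather than left without an outcome; an analyst triaging failed sign-ins would see synthetic failures. Guarding it with `if: "ctx.event?.action != null && !['success', 'firewall_reported_success'].contains(ctx.event.action)"` keeps the outcome unset when the action is unknown. Relatedly, every event here gets `event.type: [info]`, and the ecs.yml in this same change describes `event.outcome` as generally not populated for `event.type:info`; mapping events that carry a determinable outcome to `[start]` (keeping `info` for the undetermined case) would make the categorization self-consistent, though that is a judgement call on the ECS model. The `geoip` processor writing `source.geo` is also missing `ignore_missing: true`, as raised on the item_usages pipeline.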
diff --git a/packages/1password/1.5.1/data_stream/signin_attempts/fields/base-fields.yml b/packages/1password/1.5.1/data_stream/signin_attempts/fields/base-fields.yml
new file mode 100755
index 0000000000..7cd57ab5cd
--- /dev/null
+++ b/packages/1password/1.5.1/data_stream/signin_attempts/fields/base-fields.yml
@@ -0,0 +1,23 @@
+- name: input.type
+ type: keyword
+ description: Input type
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: 1password
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: 1password.signin_attempts
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/1password/1.5.1/data_stream/signin_attempts/fields/ecs.yml b/packages/1password/1.5.1/data_stream/signin_attempts/fields/ecs.yml
new file mode 100755
index 0000000000..2d2bdc60f2
--- /dev/null
+++ b/packages/1password/1.5.1/data_stream/signin_attempts/fields/ecs.yml
@@ -0,0 +1,106 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.full_name
+ type: keyword
+- description: User email address.
+ name: user.email
+ type: keyword
+- description: Operating system name, without the version.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: os.name
+ type: keyword
+- description: Operating system version as a raw string.
+ name: os.version
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ name: source.geo.location
+ type: geo_point
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
diff --git a/packages/1password/1.5.1/data_stream/signin_attempts/fields/fields.yml b/packages/1password/1.5.1/data_stream/signin_attempts/fields/fields.yml
new file mode 100755
index 0000000000..740d91aad1
--- /dev/null
+++ b/packages/1password/1.5.1/data_stream/signin_attempts/fields/fields.yml
@@ -0,0 +1,33 @@
+- name: onepassword
+ type: group
+ fields:
+ - name: uuid
+ type: keyword
+ description: The UUID of the event
+ - name: session_uuid
+ type: keyword
+ description: The UUID of the session that created the event
+ - name: type
+ type: keyword
+ description: Details about the sign-in attempt
+ - name: country
+ type: keyword
+ description: The country code of the event. Uses the ISO 3166 standard
+ - name: details
+ type: object
+ description: Additional information about the sign-in attempt, such as any firewall rules that prevent a user from signing in
+ - name: client
+ type: group
+ fields:
+ - name: app_name
+ type: keyword
+ description: The name of the 1Password app that attempted to sign in to the account
+ - name: app_version
+ type: keyword
+ description: The version number of the 1Password app
+ - name: platform_name
+ type: keyword
+ description: The name of the platform running the 1Password app
+ - name: platform_version
+ type: keyword
+ description: The version of the browser or computer where the 1Password app is installed, or the CPU of the machine where the 1Password command-line tool is installed
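Review bot: The description of `onepassword.type` at L981–L983, `Details about the sign-in attempt`, does not say what the value is, even though this is the field a rule for failed sign-ins would key on; the sample event added in this same commit shows the value `credentials_ok`, so `description: The type (result) of the sign-in attempt, e.g. credentials_ok` would be more useful to someone writing a query. Relatedly, `onepassword.details` at L987–L989 is declared `type: object` with no sub-fields, so any keys the API returns under it (the firewall rules the description mentions) are presumably left to the index's dynamic mapping rather than being explicitly mapped; if the sub-keys are known it would be worth declaring them, otherwise the description should say they are not indexed as declared fields. The sample event in this commit has `details` as `null`, so the shape of that object cannot be confirmed from this change.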
diff --git a/packages/1password/1.5.1/data_stream/signin_attempts/manifest.yml b/packages/1password/1.5.1/data_stream/signin_attempts/manifest.yml
new file mode 100755
index 0000000000..fcbd59840a
--- /dev/null
+++ b/packages/1password/1.5.1/data_stream/signin_attempts/manifest.yml
@@ -0,0 +1,47 @@
+title: "1Password sign-in attempt events"
+type: logs
+streams:
+ - input: httpjson
+ title: "Collect 1Password sign-in attempt events"
+ description: "Collect sign-in attempts from 1Password via the 1Password Events API"
+ enabled: true
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: limit
+ type: integer
+ title: Limit
+ description: Number of events to fetch on each request
+ show_user: false
+ required: true
+ default: 1000
+ - name: interval
+ type: text
+ title: Interval to query 1Password Events API
+ description: Go Duration syntax (eg. 10s)
+ show_user: false
+ required: true
+ default: 10s
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - 1password-signin_attempts
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
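Review bot: The `tags` variable at L1034–L1041 is the only stream variable without a `description`, while `limit`, `interval`, `preserve_original_event` and `processors` each carry one; adding `description: Tags to add to each event` keeps the variables consistent for the Fleet UI. The `interval` description at L1030 reads `Go Duration syntax (eg. 10s)`; the conventional spelling is `e.g.`. The `processors` description at L1057 is a single very long folded line; wrapping it across several lines under the existing `>-` block scalar yields the same value and is easier to diff.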
diff --git a/packages/1password/1.5.1/data_stream/signin_attempts/sample_event.json b/packages/1password/1.5.1/data_stream/signin_attempts/sample_event.json
new file mode 100755
index 0000000000..ec1dadbdd7
--- /dev/null
+++ b/packages/1password/1.5.1/data_stream/signin_attempts/sample_event.json
@@ -0,0 +1,83 @@
+{
+ "@timestamp": "2021-08-11T14:28:03.000Z",
+ "agent": {
+ "ephemeral_id": "6a1b2121-406e-47fc-8ab0-3ab3b521f341",
+ "id": "8652330e-4de6-4596-a16f-4463a6c56e9e",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "1password.signin_attempts",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "elastic_agent": {
+ "id": "8652330e-4de6-4596-a16f-4463a6c56e9e",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "success",
+ "agent_id_status": "verified",
+ "category": [
+ "authentication"
+ ],
+ "created": "2022-03-03T21:25:49.160Z",
+ "dataset": "1password.signin_attempts",
+ "ingested": "2022-03-03T21:25:52Z",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "docker-fleet-agent"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "onepassword": {
+ "client": {
+ "app_name": "1Password Browser Extension",
+ "app_version": "1109",
+ "platform_name": "Chrome",
+ "platform_version": "93.0.4577.62"
+ },
+ "country": "AR",
+ "details": null,
+ "session_uuid": "UED4KFZ5BH37IQWTJ7LG4VPWK7",
+ "type": "credentials_ok",
+ "uuid": "HGIF4OEWXDTVWKEQDIWTKV26HU"
+ },
+ "os": {
+ "name": "Android",
+ "version": "10"
+ },
+ "related": {
+ "ip": [
+ "1.1.1.1"
+ ],
+ "user": [
+ "OJQGU46KAPROEJLCK674RHSAY5",
+ "email@1password.com",
+ "Name"
+ ]
+ },
+ "source": {
+ "ip": "1.1.1.1"
+ },
+ "tags": [
+ "forwarded",
+ "1password-signin_attempts"
+ ],
+ "user": {
+ "email": "email@1password.com",
+ "full_name": "Name",
+ "id": "OJQGU46KAPROEJLCK674RHSAY5"
+ }
+}
\ No newline at end of file
diff --git a/packages/1password/1.5.1/docs/README.md b/packages/1password/1.5.1/docs/README.md
new file mode 100755
index 0000000000..8666140fa8
--- /dev/null
+++ b/packages/1password/1.5.1/docs/README.md
@@ -0,0 +1,302 @@
+# 1Password Events Reporting
+
+With [1Password Business](https://support.1password.com/explore/business/), you can send your account activity to your security information and event management (SIEM) system, using the 1Password Events API.
+
+Get reports about 1Password activity, such as sign-in attempts and item usage, while you manage all your company’s applications and services from a central location.
+
+With 1Password Events Reporting and Elastic SIEM, you can:
+
+- Control your 1Password data retention
+- Build custom graphs and dashboards
+- Set up custom alerts that trigger specific actions
+- Cross-reference 1Password events with the data from other services
+
+You can set up Events Reporting if you’re an owner or administrator.
+Ready to get started? [Learn how to set up the Elastic Events Reporting integration](https://support.1password.com/events-reporting).
+
+Events
+------
+
+### Sign-in Attempts
+
+Use the 1Password Events API to retrieve information about sign-in attempts. Events include the name and IP address of the user who attempted to sign in to the account, when the attempt was made, and – for failed attempts – the cause of the failure.
+
+*Exported fields*
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| input.type | Input type | keyword |
+| onepassword.client.app_name | The name of the 1Password app that attempted to sign in to the account | keyword |
+| onepassword.client.app_version | The version number of the 1Password app | keyword |
+| onepassword.client.platform_name | The name of the platform running the 1Password app | keyword |
+| onepassword.client.platform_version | The version of the browser or computer where the 1Password app is installed, or the CPU of the machine where the 1Password command-line tool is installed | keyword |
+| onepassword.country | The country code of the event. Uses the ISO 3166 standard | keyword |
+| onepassword.details | Additional information about the sign-in attempt, such as any firewall rules that prevent a user from signing in | object |
+| onepassword.session_uuid | The UUID of the session that created the event | keyword |
+| onepassword.type | Details about the sign-in attempt | keyword |
+| onepassword.uuid | The UUID of the event | keyword |
+| os.name | Operating system name, without the version. | keyword |
+| os.name.text | Multi-field of `os.name`. | match_only_text |
+| os.version | Operating system version as a raw string. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| tags | List of keywords used to tag each event. | keyword |
+| user.email | User email address. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
+| user.id | Unique identifier of the user. | keyword |
+
+
+An example event for `signin_attempts` looks as following:
+
+```json
+{
+ "@timestamp": "2021-08-11T14:28:03.000Z",
+ "agent": {
+ "ephemeral_id": "6a1b2121-406e-47fc-8ab0-3ab3b521f341",
+ "id": "8652330e-4de6-4596-a16f-4463a6c56e9e",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "1password.signin_attempts",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "elastic_agent": {
+ "id": "8652330e-4de6-4596-a16f-4463a6c56e9e",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "success",
+ "agent_id_status": "verified",
+ "category": [
+ "authentication"
+ ],
+ "created": "2022-03-03T21:25:49.160Z",
+ "dataset": "1password.signin_attempts",
+ "ingested": "2022-03-03T21:25:52Z",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "docker-fleet-agent"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "onepassword": {
+ "client": {
+ "app_name": "1Password Browser Extension",
+ "app_version": "1109",
+ "platform_name": "Chrome",
+ "platform_version": "93.0.4577.62"
+ },
+ "country": "AR",
+ "details": null,
+ "session_uuid": "UED4KFZ5BH37IQWTJ7LG4VPWK7",
+ "type": "credentials_ok",
+ "uuid": "HGIF4OEWXDTVWKEQDIWTKV26HU"
+ },
+ "os": {
+ "name": "Android",
+ "version": "10"
+ },
+ "related": {
+ "ip": [
+ "1.1.1.1"
+ ],
+ "user": [
+ "OJQGU46KAPROEJLCK674RHSAY5",
+ "email@1password.com",
+ "Name"
+ ]
+ },
+ "source": {
+ "ip": "1.1.1.1"
+ },
+ "tags": [
+ "forwarded",
+ "1password-signin_attempts"
+ ],
+ "user": {
+ "email": "email@1password.com",
+ "full_name": "Name",
+ "id": "OJQGU46KAPROEJLCK674RHSAY5"
+ }
+}
+```
+
+### Item Usages
+
+This uses the 1Password Events API to retrieve information about items in shared vaults that have been modified, accessed, or used. Events include the name and IP address of the user who accessed the item, when it was accessed, and the vault where the item is stored.
+
+*Exported fields*
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| input.type | Input type | keyword |
+| onepassword.client.app_name | The name of the 1Password app the item was accessed from | keyword |
+| onepassword.client.app_version | The version number of the 1Password app | keyword |
+| onepassword.client.platform_name | The name of the platform the item was accessed from | keyword |
+| onepassword.client.platform_version | The version of the browser or computer where the 1Password app is installed, or the CPU of the machine where the 1Password command-line tool is installed | keyword |
+| onepassword.item_uuid | The UUID of the item that was accessed | keyword |
+| onepassword.used_version | The version of the item that was accessed | integer |
+| onepassword.uuid | The UUID of the event | keyword |
+| onepassword.vault_uuid | The UUID of the vault the item is in | keyword |
+| os.name | Operating system name, without the version. | keyword |
+| os.name.text | Multi-field of `os.name`. | match_only_text |
+| os.version | Operating system version as a raw string. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| tags | List of keywords used to tag each event. | keyword |
+| user.email | User email address. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
+| user.id | Unique identifier of the user. | keyword |
+
+
+An example event for `item_usages` looks as following:
+
+```json
+{
+ "@timestamp": "2021-08-30T18:57:42.484Z",
+ "agent": {
+ "ephemeral_id": "cbcdd98f-456d-47bb-9f43-cf589ccd810d",
+ "id": "8652330e-4de6-4596-a16f-4463a6c56e9e",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "1password.item_usages",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "elastic_agent": {
+ "id": "8652330e-4de6-4596-a16f-4463a6c56e9e",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "reveal",
+ "agent_id_status": "verified",
+ "category": [
+ "file"
+ ],
+ "created": "2022-03-03T21:25:12.198Z",
+ "dataset": "1password.item_usages",
+ "ingested": "2022-03-03T21:25:13Z",
+ "kind": "event",
+ "type": [
+ "access"
+ ]
+ },
+ "host": {
+ "name": "docker-fleet-agent"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "onepassword": {
+ "client": {
+ "app_name": "1Password Browser Extension",
+ "app_version": "1109",
+ "platform_name": "Chrome",
+ "platform_version": "93.0.4577.62"
+ },
+ "item_uuid": "bvwmmwxisuca7wbehrbyqhag54",
+ "used_version": 1,
+ "uuid": "MCQODBBWJD5HISKYNP3HJPV2DV",
+ "vault_uuid": "jaqxqf5qylslqiitnduawrndc5"
+ },
+ "os": {
+ "name": "Android",
+ "version": "10"
+ },
+ "related": {
+ "ip": [
+ "1.1.1.1"
+ ],
+ "user": [
+ "OJQGU46KAPROEJLCK674RHSAY5",
+ "email@1password.com",
+ "Name"
+ ]
+ },
+ "source": {
+ "ip": "1.1.1.1"
+ },
+ "tags": [
+ "forwarded",
+ "1password-item_usages"
+ ],
+ "user": {
+ "email": "email@1password.com",
+ "full_name": "Name",
+ "id": "OJQGU46KAPROEJLCK674RHSAY5"
+ }
+}
+```
diff --git a/packages/1password/1.5.1/img/1password-itemusages-screenshot.png b/packages/1password/1.5.1/img/1password-itemusages-screenshot.png
new file mode 100755
index 0000000000..1fa5c21e90
Binary files /dev/null and b/packages/1password/1.5.1/img/1password-itemusages-screenshot.png differ
diff --git a/packages/1password/1.5.1/img/1password-logo-light-bg.svg b/packages/1password/1.5.1/img/1password-logo-light-bg.svg
new file mode 100755
index 0000000000..27735b307c
--- /dev/null
+++ b/packages/1password/1.5.1/img/1password-logo-light-bg.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/1password/1.5.1/img/1password-signinattempts-screenshot.png b/packages/1password/1.5.1/img/1password-signinattempts-screenshot.png
new file mode 100755
index 0000000000..4c7a9a0d7e
Binary files /dev/null and b/packages/1password/1.5.1/img/1password-signinattempts-screenshot.png differ
diff --git a/packages/1password/1.5.1/kibana/dashboard/1password-item-usages-full-dashboard.json b/packages/1password/1.5.1/kibana/dashboard/1password-item-usages-full-dashboard.json
new file mode 100755
index 0000000000..3dbf038ca3
--- /dev/null
+++ b/packages/1password/1.5.1/kibana/dashboard/1password-item-usages-full-dashboard.json
@@ -0,0 +1,52 @@
+{
+ "attributes": {
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}",
+ "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"33e47a7b-72d2-4721-818c-8df8d710c5ea\",\"w\":31,\"x\":0,\"y\":0},\"panelIndex\":\"33e47a7b-72d2-4721-818c-8df8d710c5ea\",\"panelRefName\":\"panel_33e47a7b-72d2-4721-818c-8df8d710c5ea\",\"type\":\"search\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":360,\"minLat\":-85.05113,\"minLon\":-360},\"mapCenter\":{\"lat\":19.94277,\"lon\":0,\"zoom\":0.5},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"5270ad02-a029-4aab-a42a-b0b38988d36d\",\"w\":17,\"x\":31,\"y\":0},\"panelIndex\":\"5270ad02-a029-4aab-a42a-b0b38988d36d\",\"panelRefName\":\"panel_5270ad02-a029-4aab-a42a-b0b38988d36d\",\"type\":\"map\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"1591a01e-b61e-4f3a-88d5-f825e39e60b6\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"1591a01e-b61e-4f3a-88d5-f825e39e60b6\",\"panelRefName\":\"panel_1591a01e-b61e-4f3a-88d5-f825e39e60b6\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"3e1ea7df-1443-41c2-a4b4-45389042d2d4\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"3e1ea7df-1443-41c2-a4b4-45389042d2d4\",\"panelRefName\":\"panel_3e1ea7df-1443-41c2-a4b4-45389042d2d4\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"36297d46-8bb5-476c-b772-479be5811393\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"36297d46-8bb5-476c-b772-479be5811393\",\"panelRefName\":\"panel_36297d46-8bb5-476c-b772-479be5811393\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"d7f0be27-d6ed-4ef6-a217-3ee1837a7988\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"d7f0be27-d6ed-4ef6-a217-3
ee1837a7988\",\"panelRefName\":\"panel_d7f0be27-d6ed-4ef6-a217-3ee1837a7988\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"}]",
+ "timeRestore": false,
+ "title": "Item Usages [1Password]",
+ "version": 1
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "1password-item-usages-full-dashboard",
+ "migrationVersion": {
+ "dashboard": "7.15.0"
+ },
+ "references": [
+ {
+ "id": "1password-item-usages",
+ "name": "33e47a7b-72d2-4721-818c-8df8d710c5ea:panel_33e47a7b-72d2-4721-818c-8df8d710c5ea",
+ "type": "search"
+ },
+ {
+ "id": "1password-item-usages-source-IPs-map",
+ "name": "5270ad02-a029-4aab-a42a-b0b38988d36d:panel_5270ad02-a029-4aab-a42a-b0b38988d36d",
+ "type": "map"
+ },
+ {
+ "id": "1password-item-usages-over-time",
+ "name": "1591a01e-b61e-4f3a-88d5-f825e39e60b6:panel_1591a01e-b61e-4f3a-88d5-f825e39e60b6",
+ "type": "visualization"
+ },
+ {
+ "id": "1password-item-usages-hot-users",
+ "name": "3e1ea7df-1443-41c2-a4b4-45389042d2d4:panel_3e1ea7df-1443-41c2-a4b4-45389042d2d4",
+ "type": "visualization"
+ },
+ {
+ "id": "1password-item-usages-hot-items",
+ "name": "36297d46-8bb5-476c-b772-479be5811393:panel_36297d46-8bb5-476c-b772-479be5811393",
+ "type": "visualization"
+ },
+ {
+ "id": "1password-item-usages-hot-vaults",
+ "name": "d7f0be27-d6ed-4ef6-a217-3ee1837a7988:panel_d7f0be27-d6ed-4ef6-a217-3ee1837a7988",
+ "type": "visualization"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/1password/1.5.1/kibana/dashboard/1password-signin-attempts-full-dashboard.json b/packages/1password/1.5.1/kibana/dashboard/1password-signin-attempts-full-dashboard.json
new file mode 100755
index 0000000000..6e44fcb0bb
--- /dev/null
+++ b/packages/1password/1.5.1/kibana/dashboard/1password-signin-attempts-full-dashboard.json
@@ -0,0 +1,52 @@
+{
+ "attributes": {
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}",
+ "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"944e346e-36df-430b-9734-5d91da79bdc1\",\"w\":31,\"x\":0,\"y\":0},\"panelIndex\":\"944e346e-36df-430b-9734-5d91da79bdc1\",\"panelRefName\":\"panel_944e346e-36df-430b-9734-5d91da79bdc1\",\"type\":\"search\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":360,\"minLat\":-85.05113,\"minLon\":-360},\"mapCenter\":{\"lat\":18.69679,\"lon\":-18.18807,\"zoom\":0.62},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"5a635dbb-4cb6-46f8-9d4c-dd12078b184f\",\"w\":17,\"x\":31,\"y\":0},\"panelIndex\":\"5a635dbb-4cb6-46f8-9d4c-dd12078b184f\",\"panelRefName\":\"panel_5a635dbb-4cb6-46f8-9d4c-dd12078b184f\",\"type\":\"map\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"1249ea4b-cf49-4d87-8125-7f1dba37353f\",\"w\":11,\"x\":0,\"y\":15},\"panelIndex\":\"1249ea4b-cf49-4d87-8125-7f1dba37353f\",\"panelRefName\":\"panel_1249ea4b-cf49-4d87-8125-7f1dba37353f\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"51433376-546a-492a-906e-9ca7f5d34f68\",\"w\":20,\"x\":11,\"y\":15},\"panelIndex\":\"51433376-546a-492a-906e-9ca7f5d34f68\",\"panelRefName\":\"panel_51433376-546a-492a-906e-9ca7f5d34f68\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"8f8ae43c-e8d4-4425-b418-224a7db57e86\",\"w\":17,\"x\":31,\"y\":15},\"panelIndex\":\"8f8ae43c-e8d4-4425-b418-224a7db57e86\",\"panelRefName\":\"panel_8f8ae43c-e8d4-4425-b418-224a7db57e86\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"683d1c8e-bb0f-4048-8c15-e9dc3e40fcfd\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"683d1c8e-bb0f-4048-
8c15-e9dc3e40fcfd\",\"panelRefName\":\"panel_683d1c8e-bb0f-4048-8c15-e9dc3e40fcfd\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"}]",
+ "timeRestore": false,
+ "title": "Sign-in Attempts [1Password]",
+ "version": 1
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "1password-signin-attempts-full-dashboard",
+ "migrationVersion": {
+ "dashboard": "7.15.0"
+ },
+ "references": [
+ {
+ "id": "1password-signin-attempts",
+ "name": "944e346e-36df-430b-9734-5d91da79bdc1:panel_944e346e-36df-430b-9734-5d91da79bdc1",
+ "type": "search"
+ },
+ {
+ "id": "1password-signin-attempts-source-IPs-map",
+ "name": "5a635dbb-4cb6-46f8-9d4c-dd12078b184f:panel_5a635dbb-4cb6-46f8-9d4c-dd12078b184f",
+ "type": "map"
+ },
+ {
+ "id": "1password-signin-attempts-failed-gauge",
+ "name": "1249ea4b-cf49-4d87-8125-7f1dba37353f:panel_1249ea4b-cf49-4d87-8125-7f1dba37353f",
+ "type": "visualization"
+ },
+ {
+ "id": "1password-signin-attempts-count-over-time",
+ "name": "51433376-546a-492a-906e-9ca7f5d34f68:panel_51433376-546a-492a-906e-9ca7f5d34f68",
+ "type": "visualization"
+ },
+ {
+ "id": "1password-signin-attempts-categories-over-time",
+ "name": "8f8ae43c-e8d4-4425-b418-224a7db57e86:panel_8f8ae43c-e8d4-4425-b418-224a7db57e86",
+ "type": "visualization"
+ },
+ {
+ "id": "1password-signin-attempts-hot-users",
+ "name": "683d1c8e-bb0f-4048-8c15-e9dc3e40fcfd:panel_683d1c8e-bb0f-4048-8c15-e9dc3e40fcfd",
+ "type": "visualization"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/1password/1.5.1/kibana/map/1password-item-usages-source-IPs-map.json b/packages/1password/1.5.1/kibana/map/1password-item-usages-source-IPs-map.json
new file mode 100755
index 0000000000..eb52073389
--- /dev/null
+++ b/packages/1password/1.5.1/kibana/map/1password-item-usages-source-IPs-map.json
@@ -0,0 +1,23 @@
+{
+ "attributes": {
+ "description": "",
+ "layerListJSON": "[{\"alpha\":1,\"id\":\"11a86591-809c-4c7b-9668-0d0cc31980c9\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"55025914-752d-4a12-88f4-c9fe89ddbb9d\",\"joins\":[],\"label\":\"Source Locations\",\"maxZoom\":24,\"minZoom\":0,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:1password.item_usages\"},\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"filterByMapBounds\":true,\"geoField\":\"source.geo.location\",\"id\":\"ae93e398-4d52-4616-99c3-783c0f34d767\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"scalingType\":\"LIMIT\",\"sortField\":\"\",\"sortOrder\":\"desc\",\"tooltipProperties\":[],\"topHitsSize\":1,\"type\":\"ES_SEARCH\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#54B399\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#41937c\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true}]",
+ "title": "Audit item usages Source Locations [1Password]",
+ "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}"
+ },
+ "id": "1password-item-usages-source-IPs-map",
+ "migrationVersion": {
+ "map": "7.10.0"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "layer_1_source_index_pattern",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "map"
+}
\ No newline at end of file
diff --git a/packages/1password/1.5.1/kibana/map/1password-signin-attempts-source-IPs-map.json b/packages/1password/1.5.1/kibana/map/1password-signin-attempts-source-IPs-map.json
new file mode 100755
index 0000000000..93853df69f
--- /dev/null
+++ b/packages/1password/1.5.1/kibana/map/1password-signin-attempts-source-IPs-map.json
@@ -0,0 +1,23 @@
+{
+ "attributes": {
+ "description": "",
+ "layerListJSON": "[{\"alpha\":1,\"id\":\"db596930-2b43-4b31-b555-5bfb2ef9a3b3\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"a912dae9-61dd-4f45-96d4-15968e14aa79\",\"joins\":[],\"label\":\"Source Locations\",\"maxZoom\":24,\"minZoom\":0,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:1password.signin_attempts\"},\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"filterByMapBounds\":true,\"geoField\":\"source.geo.location\",\"id\":\"98b57871-9ec7-49ce-b371-bd052adaf795\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"scalingType\":\"LIMIT\",\"sortField\":\"\",\"sortOrder\":\"desc\",\"tooltipProperties\":[],\"topHitsSize\":1,\"type\":\"ES_SEARCH\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#54B399\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#41937c\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true}]",
+ "title": "Audit sign-in attempts Source Locations [1Password]",
+ "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}"
+ },
+ "id": "1password-signin-attempts-source-IPs-map",
+ "migrationVersion": {
+ "map": "7.10.0"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "layer_1_source_index_pattern",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "map"
+}
\ No newline at end of file
diff --git a/packages/1password/1.5.1/kibana/search/1password-all-events.json b/packages/1password/1.5.1/kibana/search/1password-all-events.json
new file mode 100755
index 0000000000..85af40414f
--- /dev/null
+++ b/packages/1password/1.5.1/kibana/search/1password-all-events.json
@@ -0,0 +1,36 @@
+{
+ "attributes": {
+ "columns": [
+ "data_stream.dataset",
+ "user.email",
+ "onepassword.client.app_name",
+ "source.geo.country_iso_code"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.module:1password\"}}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "1Password all events [1Password]",
+ "version": 1
+ },
+ "coreMigrationVersion": "7.14.0",
+ "id": "1password-all-events",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/1password/1.5.1/kibana/search/1password-item-usages.json b/packages/1password/1.5.1/kibana/search/1password-item-usages.json
new file mode 100755
index 0000000000..6079c79904
--- /dev/null
+++ b/packages/1password/1.5.1/kibana/search/1password-item-usages.json
@@ -0,0 +1,37 @@
+{
+ "attributes": {
+ "columns": [
+ "user.email",
+ "event.action",
+ "onepassword.vault_uuid",
+ "onepassword.item_uuid",
+ "source.geo.country_iso_code"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:1password.item_usages\"}}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "1Password item usages [1Password]",
+ "version": 1
+ },
+ "coreMigrationVersion": "7.14.0",
+ "id": "1password-item-usages",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/1password/1.5.1/kibana/search/1password-signin-attempts.json b/packages/1password/1.5.1/kibana/search/1password-signin-attempts.json
new file mode 100755
index 0000000000..c121397b83
--- /dev/null
+++ b/packages/1password/1.5.1/kibana/search/1password-signin-attempts.json
@@ -0,0 +1,36 @@
+{
+ "attributes": {
+ "columns": [
+ "user.email",
+ "event.action",
+ "onepassword.type",
+ "source.geo.country_iso_code"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:1password.signin_attempts\"}}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "1Password sign-in attempts [1Password]",
+ "version": 1
+ },
+ "coreMigrationVersion": "7.14.0",
+ "id": "1password-signin-attempts",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/1password/1.5.1/kibana/visualization/1password-item-usages-hot-items.json b/packages/1password/1.5.1/kibana/visualization/1password-item-usages-hot-items.json
new file mode 100755
index 0000000000..0107e1f8ce
--- /dev/null
+++ b/packages/1password/1.5.1/kibana/visualization/1password-item-usages-hot-items.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Item Usages hot items [1Password]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Last usage\",\"field\":\"@timestamp\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Item UUID\",\"field\":\"onepassword.item_uuid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "1password-item-usages-hot-items",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "1password-item-usages",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/1password/1.5.1/kibana/visualization/1password-item-usages-hot-users.json b/packages/1password/1.5.1/kibana/visualization/1password-item-usages-hot-users.json
new file mode 100755
index 0000000000..4eafb5a3ee
--- /dev/null
+++ b/packages/1password/1.5.1/kibana/visualization/1password-item-usages-hot-users.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Item Usages hot users [1Password]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"3\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Name\",\"field\":\"user.full_name\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"asc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Email\",\"field\":\"user.email\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"asc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User UUID\",\"field\":\"user.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "1password-item-usages-hot-users",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "1password-item-usages",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/1password/1.5.1/kibana/visualization/1password-item-usages-hot-vaults.json b/packages/1password/1.5.1/kibana/visualization/1password-item-usages-hot-vaults.json
new file mode 100755
index 0000000000..5917477f73
--- /dev/null
+++ b/packages/1password/1.5.1/kibana/visualization/1password-item-usages-hot-vaults.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Item Usages hot vaults [1Password]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Top Item UUID\",\"field\":\"onepassword.item_uuid\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Vault UUID\",\"field\":\"onepassword.vault_uuid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "1password-item-usages-hot-vaults",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "1password-item-usages",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/1password/1.5.1/kibana/visualization/1password-item-usages-over-time.json b/packages/1password/1.5.1/kibana/visualization/1password-item-usages-over-time.json
new file mode 100755
index 0000000000..d8accf2ca9
--- /dev/null
+++ b/packages/1password/1.5.1/kibana/visualization/1password-item-usages-over-time.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Item Usages over time [1Password]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7d/d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"3h\"},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"\",\"type\":\"line\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "1password-item-usages-over-time",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "1password-item-usages",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/1password/1.5.1/kibana/visualization/1password-signin-attempts-categories-over-time.json b/packages/1password/1.5.1/kibana/visualization/1password-signin-attempts-categories-over-time.json
new file mode 100755
index 0000000000..9e487de50d
--- /dev/null
+++ b/packages/1password/1.5.1/kibana/visualization/1password-signin-attempts-categories-over-time.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Sign-in Attempts categories over time [1Password]",
+ "uiStateJSON": "{\"vis\":{\"colors\":{\"credentials_failed\":\"#e7664c\",\"firewall_failed\":\"#d36086\",\"firewall_reported_success\":\"#6092c0\",\"mfa_failed\":\"#9170b8\",\"modern_version_failed\":\"#d6bf57\",\"success\":\"#54b399\"}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7d/d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"3h\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"\",\"type\":\"line\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "1password-signin-attempts-categories-over-time",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "1password-signin-attempts",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/1password/1.5.1/kibana/visualization/1password-signin-attempts-count-over-time.json b/packages/1password/1.5.1/kibana/visualization/1password-signin-attempts-count-over-time.json
new file mode 100755
index 0000000000..05275f622b
--- /dev/null
+++ b/packages/1password/1.5.1/kibana/visualization/1password-signin-attempts-count-over-time.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Sign-in Attempts over time [1Password]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7d/d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"3h\"},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"\",\"type\":\"line\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "1password-signin-attempts-count-over-time",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "1password-signin-attempts",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/1password/1.5.1/kibana/visualization/1password-signin-attempts-failed-gauge.json b/packages/1password/1.5.1/kibana/visualization/1password-signin-attempts-failed-gauge.json
new file mode 100755
index 0000000000..e03a57f605
--- /dev/null
+++ b/packages/1password/1.5.1/kibana/visualization/1password-signin-attempts-failed-gauge.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Sign-in Attempts unsuccessful gauge [1Password]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"NOT event.action: (\\\"success\\\" \\\"firewall_reported_success\\\")\"},\"label\":\"Failed Sign-in attempts\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"gauge\":{\"alignment\":\"automatic\",\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10},{\"from\":10,\"to\":30},{\"from\":30,\"to\":100}],\"extendRange\":true,\"gaugeColorMode\":\"Labels\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Arc\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"rgba(105,112,125,0.2)\",\"labels\":false,\"show\":true},\"style\":{\"bgColor\":true,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgMask\":false,\"bgWidth\":0.9,\"fontSize\":60,\"mask\":false,\"maskBars\":50,\"subText\":\"\",\"width\":0.9},\"type\":\"meter\"},\"isDisplayWarning\":false,\"type\":\"gauge\"},\"title\":\"\",\"type\":\"gauge\"}"
+ },
+ "id": "1password-signin-attempts-failed-gauge",
+ "migrationVersion": {
+ "visualization": "7.7.0"
+ },
+ "references": [
+ {
+ "id": "1password-signin-attempts",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/1password/1.5.1/kibana/visualization/1password-signin-attempts-hot-users.json b/packages/1password/1.5.1/kibana/visualization/1password-signin-attempts-hot-users.json
new file mode 100755
index 0000000000..1b1ed47dc1
--- /dev/null
+++ b/packages/1password/1.5.1/kibana/visualization/1password-signin-attempts-hot-users.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Sign-in Attempts hot users [1Password]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"3\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Name\",\"field\":\"user.full_name\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"asc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Email\",\"field\":\"user.email\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"asc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target User UUID\",\"field\":\"user.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "1password-signin-attempts-hot-users",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "1password-signin-attempts",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/1password/1.5.1/manifest.yml b/packages/1password/1.5.1/manifest.yml
new file mode 100755
index 0000000000..82f37bd530
--- /dev/null
+++ b/packages/1password/1.5.1/manifest.yml
@@ -0,0 +1,72 @@
+format_version: 1.0.0
+name: 1password
+title: "1Password"
+version: 1.5.1
+license: basic
+description: Collect events from 1Password Events API with Elastic Agent.
+type: integration
+categories:
+ - security
+release: ga
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+screenshots:
+ - src: /img/1password-signinattempts-screenshot.png
+ title: Sign-in attempts
+ size: 1918x963
+ type: image/png
+ - src: /img/1password-itemusages-screenshot.png
+ title: Item usages
+ size: 1916x965
+ type: image/png
+icons:
+ - src: /img/1password-logo-light-bg.svg
+ title: 1Password
+ size: 116x116
+ type: image/svg+xml
+policy_templates:
+ - name: 1password
+ title: 1Password Events
+ description: Collect events from 1Password Events Reporting
+ inputs:
+ - type: httpjson
+ title: Collect events from 1Password Events API
+ description: Collect sign-in attempt and item usages from 1Password via the 1Password Events API
+ vars:
+ - name: url
+ type: text
+ title: URL of 1Password Events API Server
+ description: |
+ options: https://events.1password.com, https://events.1password.ca, https://events.1password.eu, https://events.ent.1password.com. path is automatic
+ show_user: true
+ required: true
+ default: https://events.1password.com
+ - name: token
+ type: password
+ title: 1Password Authorization Token
+ description: |
+ Bearer Token, e.g. "eyJhbGciO..."
+ show_user: true
+ required: true
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: true
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ description: URL to proxy connections in the form of http[s]://:@:
+ multi: false
+ required: false
+ show_user: false
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+owner:
+ github: elastic/security-external-integrations
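Review bot: The `proxy_url` description at `description: URL to proxy connections in the form of http[s]://:@:` has lost its placeholder names and now reads as a malformed URL; spell the fields out, e.g. `description: URL to proxy connections in the form of http[s]://<user>:<password>@<host>:<port>`. Since the bearer token entered in `token` is sent to whatever host is configured in `url`, it would also help to state in the `url` description that only the listed 1Password Events API endpoints should be used, so an operator does not point the token at an arbitrary server. Declaring `token` as `type: password` is the right choice and should stay as is.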
diff --git a/packages/cloudflare/2.1.1/changelog.yml b/packages/cloudflare/2.1.1/changelog.yml
new file mode 100755
index 0000000000..fcd2fa0979
--- /dev/null
+++ b/packages/cloudflare/2.1.1/changelog.yml
@@ -0,0 +1,106 @@
+# newer versions go on top
+- version: "2.1.1"
+ changes:
+ - description: Fixing possible indefinite pagination
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3651
+- version: "2.1.0"
+ changes:
+ - description: Update package to ECS 8.3.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3353
+- version: "2.0.1"
+ changes:
+ - description: Add link to vendor documentation in readme
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3224
+- version: "2.0.0"
+ changes:
+ - description: Migrate map visualisation from tile_map to map object
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3263
+- version: "1.4.2"
+ changes:
+ - description: Update documentation
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3228
+- version: "1.4.1"
+ changes:
+ - description: Add `_id` field to the logpull data stream to deduplicate events.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3187
+- version: "1.4.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2779
+- version: "1.3.2"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.3.1"
+ changes:
+ - description: Allow logpull interval to be less than 2 minutes.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2787
+- version: "1.3.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2397
+- version: "1.2.1"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.2.0"
+ changes:
+ - description: Add audit logs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2294
+- version: "1.1.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.1.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2243
+- version: "1.0.3"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2020
+- version: "1.0.2"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1960
+- version: "1.0.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1811
+- version: "1.0.0"
+ changes:
+ - description: make GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1628
+- version: "0.2.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1654
+- version: "0.1.1"
+ changes:
+ - description: Add proxy config
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1648
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/984
diff --git a/packages/cloudflare/2.1.1/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/cloudflare/2.1.1/data_stream/audit/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..10424adad4
--- /dev/null
+++ b/packages/cloudflare/2.1.1/data_stream/audit/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,62 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+request.url: {{api_url}}/client/v4/accounts/{{account}}/audit_logs?page=1&direction=desc
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+
+request.transforms:
+ - set:
+ target: header.X-Auth-Email
+ value: "{{auth_email}}"
+ - set:
+ target: header.X-Auth-Key
+ value: "{{auth_key}}"
+ - set:
+ target: url.params.since
+ value: "[[.cursor.last_timestamp]]"
+ default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
+
+response.split:
+ target: body.result
+response.pagination:
+- set:
+ target: url.params.page
+ value: '[[if (ne (len .last_response.body.response) 0)]][[add .last_response.page 1]][[end]]'
+ fail_on_template_error: true
+
+cursor:
+ last_timestamp:
+ value: "[[.first_event.when]]"
+ fail_on_template_error: true
+
+{{#if tags.length}}
+tags:
+{{else if preserve_original_event}}
+tags:
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+
+processors:
+- add_fields:
+ target: _config
+ fields:
+ account_id: {{account}}
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
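Review bot: The pagination step at `url.params.page` tests `len .last_response.body.response`, but `response.split` reads the records from `body.result`, so the two disagree about where the array lives; if the body carries no `response` key, `len` on a missing value errors and, with `fail_on_template_error: true`, presumably stops pagination after page 1 — worth confirming against a real response. If `result` is the array (as the split target suggests), `value: '[[if (ne (len .last_response.body.result) 0)]][[add .last_response.page 1]][[end]]'` would make the two consistent. Separately, this stream only ever sends the `X-Auth-Email`/`X-Auth-Key` pair, whereas the logpull template further down this page also accepts a scoped `auth_token` as a Bearer header; mirroring that `{{#if auth_token}}` branch here would let operators avoid giving the collector an account-wide key.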
diff --git a/packages/cloudflare/2.1.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare/2.1.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..e6eb6fd853
--- /dev/null
+++ b/packages/cloudflare/2.1.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,276 @@
+---
+description: Pipeline for parsing cloudflare audit logs
+processors:
+- set:
+ field: ecs.version
+ value: '8.3.0'
+- rename:
+ field: message
+ target_field: event.original
+- json:
+ field: event.original
+ target_field: json
+- set:
+ field: cloud.provider
+ value: cloudflare
+- set:
+ field: cloud.account.id
+ copy_from: _config.account_id
+ ignore_empty_value: true
+- date:
+ field: json.when
+ formats:
+ - ISO8601
+ timezone: UTC
+ target_field: "@timestamp"
+- rename:
+ field: json.action.type
+ target_field: event.action
+ ignore_missing: true
+- lowercase:
+ field: event.action
+ ignore_missing: true
+- set:
+ field: event.outcome
+ value: success
+ if: ctx.json?.action?.result
+- set:
+ field: event.outcome
+ value: failure
+ if: "!ctx.json?.action?.result"
+- rename:
+ field: json.actor.email
+ target_field: user.email
+ ignore_missing: true
+- rename:
+ field: json.actor.id
+ target_field: user.id
+ ignore_missing: true
+- rename:
+ field: json.actor.ip
+ target_field: source.address
+ ignore_missing: true
+- convert:
+ field: source.address
+ target_field: source.ip
+ type: ip
+ ignore_missing: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: json.actor.type
+ target_field: cloudflare.audit.actor.type
+ ignore_missing: true
+- rename:
+ field: json.id
+ target_field: event.id
+ ignore_missing: true
+- fingerprint:
+ fields:
+ - event.id
+ target_field: _id
+ ignore_missing: true
+- rename:
+ field: json.interface
+ target_field: event.provider
+ ignore_missing: true
+ if: ctx.json?.interface != ""
+- rename:
+ field: json.metadata
+ target_field: cloudflare.audit.metadata
+ ignore_missing: true
+- rename:
+ field: json.newValueJson
+ target_field: cloudflare.audit.new_value
+ ignore_missing: true
+- rename:
+ field: json.oldValueJson
+ target_field: cloudflare.audit.old_value
+ ignore_missing: true
+- rename:
+ field: json.newValue
+ target_field: cloudflare.audit.new_value.value
+ ignore_missing: true
+ if: ctx.json?.newValue != "null"
+- rename:
+ field: json.oldValue
+ target_field: cloudflare.audit.old_value.value
+ ignore_missing: true
+ if: ctx.json?.oldValue != "null"
+- rename:
+ field: json.owner.id
+ target_field: cloudflare.audit.owner.id
+ ignore_missing: true
+- rename:
+ field: json.resource
+ target_field: cloudflare.audit.resource
+ ignore_missing: true
+- append:
+ field: related.user
+ value: "{{user.id}}"
+ allow_duplicates: false
+ if: ctx.user?.id != null
+- append:
+ field: related.user
+ value: "{{cloudflare.audit.resource.id}}"
+ allow_duplicates: false
+ if: ctx.cloudflare?.audit?.resource?.id != null && ctx.cloudflare?.audit?.resource?.type == "user"
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: ctx.source?.ip != null
+- script:
+ lang: painless
+ tag: Add ECS categorization
+ params:
+ login:
+ category:
+ - authentication
+ type:
+ - info
+ outcome: success
+ token_create:
+ category:
+ - iam
+ type:
+ - creation
+ token_revoke:
+ category:
+ - iam
+ type:
+ - deletion
+ token_roll:
+ category:
+ - iam
+ type:
+ - change
+ api_key_view:
+ category:
+ - iam
+ type:
+ - info
+ rotate_api_key:
+ category:
+ - iam
+ type:
+ - change
+ api_key_created:
+ category:
+ - iam
+ type:
+ - creation
+ purge:
+ category:
+ - configuration
+ type:
+ - deletion
+ tls_settings_deployed:
+ category:
+ - configuration
+ type:
+ - info
+ add:
+ category:
+ - configuration
+ type:
+ - creation
+ delete:
+ category:
+ - configuration
+ type:
+ - deletion
+ rec_add:
+ category:
+ - configuration
+ type:
+ - creation
+ rec_del:
+ category:
+ - configuration
+ type:
+ - deletion
+ pending:
+ category:
+ - configuration
+ type:
+ - info
+ change_setting:
+ category:
+ - configuration
+ type:
+ - change
+ add_enforce_twofactor:
+ category:
+ - iam
+ - configuration
+ type:
+ - admin
+ - info
+ source: >-
+ ctx.event.kind = 'event';
+ ctx.event.type = 'info';
+ if (ctx?.event?.action == null) {
+ return;
+ }
+ if (params.get(ctx.event.action) == null) {
+ return;
+ }
+ def hm = new HashMap(params.get(ctx.event.action));
+ hm.forEach((k, v) -> ctx.event[k] = v);
+- remove:
+ field:
+ - json
+ - _config
+ ignore_missing: true
+- remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+- script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ handleMap(ctx);
+on_failure:
+- set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
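Review bot: The two `event.outcome` conditions, `if: ctx.json?.action?.result` and `if: "!ctx.json?.action?.result"`, are not null-safe: when `action.result` is absent the first evaluates to null rather than a boolean and the second applies `!` to null, which presumably raises and sends the whole document to `on_failure` with only `error.message` set, losing all the enrichment that follows. Comparing explicitly avoids that: `if: ctx.json?.action?.result == true` and `if: ctx.json?.action?.result == false`, leaving `event.outcome` unset when the field is missing, which is also what ECS expects for an unknown outcome. A smaller point: `related.user` collects `user.id` and the resource id but not `user.email`, which is the identifier analysts most often pivot on for audit events; an `append` guarded by `ctx.user?.email != null` would close that gap.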
diff --git a/packages/cloudflare/2.1.1/data_stream/audit/fields/agent.yml b/packages/cloudflare/2.1.1/data_stream/audit/fields/agent.yml
new file mode 100755
index 0000000000..66991edfc0
--- /dev/null
+++ b/packages/cloudflare/2.1.1/data_stream/audit/fields/agent.yml
@@ -0,0 +1,108 @@
+- description: |-
+ The cloud account or organization id used to identify different entities in a multi-tenant environment.
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
+ name: cloud.account.id
+ type: keyword
+- description: Availability zone in which this host, resource, or service is located.
+ name: cloud.availability_zone
+ type: keyword
+- description: Instance ID of the host machine.
+ name: cloud.instance.id
+ type: keyword
+- description: Instance name of the host machine.
+ name: cloud.instance.name
+ type: keyword
+- description: Machine type of the host machine.
+ name: cloud.machine.type
+ type: keyword
+- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ name: cloud.provider
+ type: keyword
+- description: Region in which this host, resource, or service is located.
+ name: cloud.region
+ type: keyword
+- description: |-
+ The cloud project identifier.
+ Examples: Google Cloud Project id, Azure Project id.
+ name: cloud.project.id
+ type: keyword
+- description: Image ID for the cloud instance.
+ name: cloud.image.id
+ type: keyword
+- description: Unique container id.
+ name: container.id
+ type: keyword
+- description: Name of the image the container was built on.
+ name: container.image.name
+ type: keyword
+- description: Image labels.
+ name: container.labels
+ type: object
+- description: Container name.
+ name: container.name
+ type: keyword
+- description: Operating system architecture.
+ name: host.architecture
+ type: keyword
+- description: |-
+ Name of the domain of which the host is a member.
+ For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
+ name: host.domain
+ type: keyword
+- description: |-
+ Hostname of the host.
+ It normally contains what the `hostname` command returns on the host machine.
+ name: host.hostname
+ type: keyword
+- description: |-
+ Unique host id.
+ As hostname is not always unique, use values that are meaningful in your environment.
+ Example: The current usage of `beat.name`.
+ name: host.id
+ type: keyword
+- description: Host ip addresses.
+ name: host.ip
+ type: ip
+- description: |-
+ Host MAC addresses.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: host.mac
+ pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
+ type: keyword
+- description: |-
+ Name of the host.
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+ name: host.name
+ type: keyword
+- description: OS family (such as redhat, debian, freebsd, windows).
+ name: host.os.family
+ type: keyword
+- description: Operating system kernel version as a raw string.
+ name: host.os.kernel
+ type: keyword
+- description: Operating system name, without the version.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: host.os.name
+ type: keyword
+- description: Operating system platform (such centos, ubuntu, windows).
+ name: host.os.platform
+ type: keyword
+- description: Operating system version as a raw string.
+ name: host.os.version
+ type: keyword
+- description: |-
+ Type of host.
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
+ name: host.type
+ type: keyword
+- description: If the host is a container.
+ name: host.containerized
+ type: boolean
+- description: OS build information.
+ name: host.os.build
+ type: keyword
+- description: OS codename, if any.
+ name: host.os.codename
+ type: keyword
diff --git a/packages/cloudflare/2.1.1/data_stream/audit/fields/base-fields.yml b/packages/cloudflare/2.1.1/data_stream/audit/fields/base-fields.yml
new file mode 100755
index 0000000000..41565c62c3
--- /dev/null
+++ b/packages/cloudflare/2.1.1/data_stream/audit/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cloudflare
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cloudflare.audit
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/cloudflare/2.1.1/data_stream/audit/fields/beats.yml b/packages/cloudflare/2.1.1/data_stream/audit/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/cloudflare/2.1.1/data_stream/audit/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/cloudflare/2.1.1/data_stream/audit/fields/ecs.yml b/packages/cloudflare/2.1.1/data_stream/audit/fields/ecs.yml
new file mode 100755
index 0000000000..6128c1d585
--- /dev/null
+++ b/packages/cloudflare/2.1.1/data_stream/audit/fields/ecs.yml
@@ -0,0 +1,104 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: Unique ID to describe the event.
+ name: event.id
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ name: source.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: source.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: User email address.
+ name: user.email
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
diff --git a/packages/cloudflare/2.1.1/data_stream/audit/fields/fields.yml b/packages/cloudflare/2.1.1/data_stream/audit/fields/fields.yml
new file mode 100755
index 0000000000..5036e91dbb
--- /dev/null
+++ b/packages/cloudflare/2.1.1/data_stream/audit/fields/fields.yml
@@ -0,0 +1,40 @@
+- name: cloudflare.audit
+ type: group
+ description: >
+ Fields for Cloudflare Audit Logs
+
+ fields:
+ - name: metadata
+ type: flattened
+ description: >
+ An object which can lend more context to the action being logged. This is a flexible value and varies between different actions.
+
+ - name: actor.type
+ type: keyword
+ description: >
+ The type of actor, whether a User, Cloudflare Admin, or an Automated System. Valid values: user, admin, Cloudflare.
+
+ - name: owner.id
+ type: keyword
+ description: >
+ User identifier tag
+
+ - name: resource.id
+ type: keyword
+ description: >
+ An identifier for the resource that was affected by the action
+
+ - name: resource.type
+ type: keyword
+ description: >
+ A short string that describes the resource that was affected by the action
+
+ - name: new_value
+ type: flattened
+ description: >
+ The new value of the resource that was modified
+
+ - name: old_value
+ type: flattened
+ description: >-
+ The value of the resource before it was modified
diff --git a/packages/cloudflare/2.1.1/data_stream/audit/manifest.yml b/packages/cloudflare/2.1.1/data_stream/audit/manifest.yml
new file mode 100755
index 0000000000..b7ba0a75c4
--- /dev/null
+++ b/packages/cloudflare/2.1.1/data_stream/audit/manifest.yml
@@ -0,0 +1,68 @@
+type: logs
+title: Cloudflare Audit Logs
+streams:
+ - input: httpjson
+ vars:
+ - name: auth_email
+ type: text
+ title: Auth Email
+ description: The Auth Email. Needs to be used with an Auth Key.
+ multi: false
+ required: true
+ show_user: true
+ - name: auth_key
+ type: password
+ title: Auth Key
+ description: The Auth Key. Needs to be used with an Auth Email.
+ multi: false
+ required: true
+ show_user: true
+ - name: account
+ type: text
+ title: Account ID
+ multi: false
+ required: true
+ show_user: true
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ description: Interval at which the logs will be pulled. The value must be between 2m and 1h.
+ default: 1h
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ multi: false
+ required: true
+ show_user: false
+ description: Initial interval at which the logs will be pulled. Defaults to 30 days (720 hours). Max is 12960 hours (18 months).
+ default: 720h
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - forwarded
+ - cloudflare-audit
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
+ template_path: httpjson.yml.hbs
+ title: Cloudflare Audit logs
+ description: Collect Cloudflare Audit logs via the API
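Review bot: The stream exposes only `auth_email`/`auth_key` (sent as `X-Auth-Email`/`X-Auth-Key` by the template), so the only credential an operator can configure here is presumably the account-level API key rather than a token scoped to reading audit logs; the logpull template on this page already supports a Bearer `auth_token`, and the audit stream could offer the same least-privilege option. The `auth_key` description should also say what the value is and how it is sent, e.g. `description: Cloudflare API key, sent as the X-Auth-Key header together with Auth Email. Prefer a scoped API token where available.` The template would need the matching `{{#if auth_token}}` branch, which is a separate file.
```yaml
    - name: auth_token
      type: password
      title: Auth Token
      description: Cloudflare API token with permission to read audit logs, sent as a Bearer header. When set, Auth Email and Auth Key are not used.
      multi: false
      required: false
      show_user: true
    # … unchanged: auth_email, auth_key, account, interval, initial_interval, tags, preserve_original_event, processors …
```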
diff --git a/packages/cloudflare/2.1.1/data_stream/audit/sample_event.json b/packages/cloudflare/2.1.1/data_stream/audit/sample_event.json
new file mode 100755
index 0000000000..39d844d4d0
--- /dev/null
+++ b/packages/cloudflare/2.1.1/data_stream/audit/sample_event.json
@@ -0,0 +1,84 @@
+{
+ "@timestamp": "2021-11-30T13:42:04.000Z",
+ "agent": {
+ "ephemeral_id": "be28c4d0-164a-4115-81b7-ace36fc400f4",
+ "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "cloud": {
+ "account": {
+ "id": "aaabbbccc"
+ },
+ "provider": "cloudflare"
+ },
+ "cloudflare": {
+ "audit": {
+ "actor": {
+ "type": "user"
+ },
+ "owner": {
+ "id": "enl3j9du8rnx2swwd9l32qots7l54t9s"
+ },
+ "resource": {
+ "id": "enl3j9du8rnx2swwd9l32qots7l54t9s",
+ "type": "account"
+ }
+ }
+ },
+ "data_stream": {
+ "dataset": "cloudflare.audit",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "elastic_agent": {
+ "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "action": "rotate_api_key",
+ "agent_id_status": "verified",
+ "category": [
+ "iam"
+ ],
+ "created": "2021-12-30T04:58:37.412Z",
+ "dataset": "cloudflare.audit",
+ "id": "8d3396e8-c903-5a66-9421-00fc34570550",
+ "ingested": "2021-12-30T04:58:38Z",
+ "kind": "event",
+ "original": "{\"action\":{\"info\":\"key digest: c6b5d100d7ce492d24c5b13160fce1cc0092ce7e8d8430e9f5cf5468868be6f6\",\"result\":true,\"type\":\"rotate_API_key\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"52.91.36.10\",\"type\":\"user\"},\"id\":\"8d3396e8-c903-5a66-9421-00fc34570550\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-11-30T13:42:04Z\"}",
+ "outcome": "success",
+ "type": [
+ "change"
+ ]
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "related": {
+ "ip": [
+ "52.91.36.10"
+ ],
+ "user": [
+ "enl3j9du8rnx2swwd9l32qots7l54t9s"
+ ]
+ },
+ "source": {
+ "address": "52.91.36.10",
+ "ip": "52.91.36.10"
+ },
+ "tags": [
+ "forwarded",
+ "cloudflare-audit",
+ "preserve_original_event"
+ ],
+ "user": {
+ "email": "user@example.com",
+ "id": "enl3j9du8rnx2swwd9l32qots7l54t9s"
+ }
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/data_stream/logpull/agent/stream/httpjson.yml.hbs b/packages/cloudflare/2.1.1/data_stream/logpull/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..54eb358869
--- /dev/null
+++ b/packages/cloudflare/2.1.1/data_stream/logpull/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,64 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+request.url: {{api_url}}/client/v4/zones/{{zone_id}}/logs/received
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+
+request.transforms:
+{{#if auth_token}}
+ - set:
+ target: header.Authorization
+ value: "Bearer {{auth_token}}"
+{{else}}
+ - set:
+ target: header.X-Auth-Email
+ value: "{{auth_email}}"
+ - set:
+ target: header.X-Auth-Key
+ value: "{{auth_key}}"
+{{/if}}
+ - set:
+ target: url.params.start
+ value: "[[.cursor.last_execution_datetime]]"
+ default: '[[formatDate (((now).Add (parseDuration "-1m")).Add (parseDuration "-{{interval}}"))]]'
+ - set:
+ target: url.params.end
+ value: '[[formatDate ((parseDate .cursor.last_execution_datetime).Add (parseDuration "{{interval}}"))]]'
+ default: '[[formatDate ((now).Add (parseDuration "-1m"))]]'
+ - set:
+ target: url.params.fields
+ value: CacheCacheStatus,CacheResponseBytes,CacheResponseStatus,CacheTieredFill,ClientASN,ClientCountry,ClientDeviceType,ClientIP,ClientIPClass,ClientRequestBytes,ClientRequestHost,ClientRequestMethod,ClientRequestPath,ClientRequestProtocol,ClientRequestReferer,ClientRequestURI,ClientRequestUserAgent,ClientSSLCipher,ClientSSLProtocol,ClientSrcPort,ClientXRequestedWith,EdgeColoCode,EdgeColoID,EdgeEndTimestamp,EdgePathingOp,EdgePathingSrc,EdgePathingStatus,EdgeRateLimitAction,EdgeRateLimitID,EdgeRequestHost,EdgeResponseBytes,EdgeResponseCompressionRatio,EdgeResponseContentType,EdgeResponseStatus,EdgeServerIP,EdgeStartTimestamp,FirewallMatchesActions,FirewallMatchesRuleIDs,FirewallMatchesSources,OriginIP,OriginResponseBytes,OriginResponseHTTPExpires,OriginResponseHTTPLastModified,OriginResponseStatus,OriginResponseTime,OriginSSLProtocol,ParentRayID,RayID,SecurityLevel,WAFAction,WAFFlags,WAFMatchedVar,WAFProfile,WAFRuleID,WAFRuleMessage,WorkerCPUTime,WorkerStatus,WorkerSubrequest,WorkerSubrequestCount,ZoneID,Action
+
+response.decode_as: application/x-ndjson
+
+cursor:
+ last_execution_datetime:
+ value: '[[.last_response.url.params.Get "end"]]'
+
+{{#if tags.length}}
+tags:
+{{else if preserve_original_event}}
+tags:
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
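Review bot: The `url.params.end` value is derived purely from the cursor plus the configured interval, `(parseDate .cursor.last_execution_datetime).Add (parseDuration "{{interval}}")`, and is never bounded by the `now - 1m` that the default branch uses; if the interval is later increased, or a run fires slightly early, `end` can land ahead of the present and then becomes the next cursor via `.last_response.url.params.Get "end"`, so the following `start` would also sit in the future. Whether the API rejects such a window or silently returns a partial one is not visible here, so this is inferred. A one-line comment above the transform noting the invariant (`# end must stay at least 1m behind now; it advances by exactly one interval per run`) would at least document the assumption, and clamping `end` to the same `now - 1m` bound used by the default would remove it.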
diff --git a/packages/cloudflare/2.1.1/data_stream/logpull/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare/2.1.1/data_stream/logpull/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..c718038236
--- /dev/null
+++ b/packages/cloudflare/2.1.1/data_stream/logpull/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,64 @@
+---
+description: Pipeline for parsing cloudflare logs
+processors:
+- set:
+ field: ecs.version
+ value: '8.3.0'
+- rename:
+ field: message
+ target_field: event.original
+- json:
+ field: event.original
+ target_field: json
+- set:
+ field: observer.vendor
+ value: cloudflare
+- set:
+ field: observer.type
+ value: proxy
+- fingerprint:
+ fields:
+ - event.original
+ target_field: "_id"
+ ignore_missing: true
+- pipeline:
+ name: '{{ IngestPipeline "http" }}'
+ if: "ctx.json?.EdgeRequestHost != null"
+- remove:
+ field:
+ - json
+ ignore_missing: true
+- remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+- script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ handleMap(ctx);
+on_failure:
+- set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
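Review bot: The call to the `http` sub-pipeline is gated on `ctx.json?.EdgeRequestHost != null`, yet the `json` object is unconditionally removed right after it, so a record where that field is missing or empty is indexed with only `observer.*` and `ecs.version` and no parsed content, and nothing flags that this happened; since `EdgeRequestHost` is explicitly requested in the logpull `fields` list, I presume this is rare, but it would be silent when it occurs. Consider either dropping the condition (all records on this stream are HTTP request logs as far as the page shows) or adding a short comment above the `pipeline` processor, e.g. `# Records without EdgeRequestHost are indexed unparsed; only observer.* survives`, so the behaviour is deliberate rather than accidental.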
diff --git a/packages/cloudflare/2.1.1/data_stream/logpull/elasticsearch/ingest_pipeline/http.yml b/packages/cloudflare/2.1.1/data_stream/logpull/elasticsearch/ingest_pipeline/http.yml
new file mode 100755
index 0000000000..afa6a45a5d
--- /dev/null
+++ b/packages/cloudflare/2.1.1/data_stream/logpull/elasticsearch/ingest_pipeline/http.yml
@@ -0,0 +1,475 @@
+---
+description: Pipeline for parsing cloudflare http logs
+processors:
+# Event Time Fields
+- convert:
+ field: json.EdgeStartTimestamp
+ type: string
+- convert:
+ field: json.EdgeEndTimestamp
+ type: string
+- gsub:
+ field: json.EdgeStartTimestamp
+ pattern: "\\d{6}$"
+ replacement: ""
+ if: "ctx?.json?.EdgeStartTimestamp != null && (ctx?.json?.EdgeStartTimestamp).length() > 18"
+- gsub:
+ field: json.EdgeEndTimestamp
+ pattern: "\\d{6}$"
+ replacement: ""
+ if: "ctx?.json?.EdgeEndTimestamp != null && (ctx?.json?.EdgeEndTimestamp).length() > 18"
+- date:
+ field: json.EdgeStartTimestamp
+ formats:
+ - ISO8601
+ - uuuu-MM-dd'T'HH:mm:ssX
+ - uuuu-MM-dd'T'HH:mm:ss.SSSX
+ - yyyy-MM-dd'T'HH:mm:ssZ
+ - yyyy-MM-dd'T'HH:mm:ss.SSSZ
+ - UNIX_MS
+ timezone: UTC
+ target_field: "@timestamp"
+- date:
+ field: json.EdgeStartTimestamp
+ formats:
+ - uuuu-MM-dd'T'HH:mm:ssX
+ - uuuu-MM-dd'T'HH:mm:ss.SSSX
+ - yyyy-MM-dd'T'HH:mm:ssZ
+ - yyyy-MM-dd'T'HH:mm:ss.SSSZ
+ - UNIX_MS
+ timezone: UTC
+ target_field: "event.start"
+- date:
+ field: json.EdgeEndTimestamp
+ formats:
+ - uuuu-MM-dd'T'HH:mm:ssX
+ - uuuu-MM-dd'T'HH:mm:ss.SSSX
+ - yyyy-MM-dd'T'HH:mm:ssZ
+ - yyyy-MM-dd'T'HH:mm:ss.SSSZ
+ - UNIX_MS
+ timezone: UTC
+ target_field: "event.end"
+- script:
+ lang: painless
+ if: ctx?.event?.start != null && ctx?.event?.end != null
+ source: >-
+ ZonedDateTime start = ZonedDateTime.parse(ctx.event.start);
+ ZonedDateTime end = ZonedDateTime.parse(ctx.event.end);
+ ctx.event.duration = ChronoUnit.NANOS.between(start, end);
+# TLS Fields
+- rename:
+ field: json.ClientSSLProtocol
+ target_field: cloudflare.client.ssl.protocol
+ ignore_missing: true
+ if: ctx?.json?.ClientSSLProtocol.toLowerCase() != 'none'
+- rename:
+ field: json.ClientSSLCipher
+ target_field: tls.cipher
+ ignore_missing: true
+ if: ctx?.json?.ClientSSLCipher.toLowerCase() != 'none'
+- dissect:
+ field: cloudflare.client.ssl.protocol
+ pattern: "%{tls.version_protocol}v%{tls.version}"
+ ignore_failure: true
+ ignore_missing: true
+- lowercase:
+ field: tls.version_protocol
+ ignore_missing: true
+# URL Fields
+- uri_parts:
+ field: json.ClientRequestURI
+ ignore_failure: true
+ if: ctx?.json?.ClientRequestURI != null
+- set:
+ field: url.domain
+ copy_from: json.ClientRequestHost
+ ignore_empty_value: true
+ if: ctx?.url?.domain == null
+- set:
+ field: url.path
+ copy_from: json.ClientRequestPath
+ ignore_empty_value: true
+ if: ctx?.url?.path == null
+- set:
+ field: url.scheme
+ copy_from: json.ClientRequestScheme
+ ignore_empty_value: true
+ if: ctx?.url?.scheme == null
+- set:
+ field: url.scheme
+ value: https
+ ignore_empty_value: true
+ if: ctx?.url?.scheme == null && ctx?.cloudflare?.client?.ssl?.protocol != null
+- set:
+ field: url.scheme
+ value: http
+ ignore_empty_value: true
+ if: ctx?.url?.scheme == null
+- script:
+ lang: painless
+ description: This script builds the `url.full` field out of the available `url.*` parts.
+ source: |
+ def full = "";
+ if(ctx.url.scheme != null && ctx.url.scheme != "") {
+ full += ctx.url.scheme+"://";
+ }
+ if(ctx.url.domain != null && ctx.url.domain != "") {
+ full += ctx.url.domain;
+ }
+ if(ctx.url.path != null && ctx.url.path != "") {
+ full += ctx.url.path;
+ }
+ if(ctx.url.query != null && ctx.url.query != "") {
+ full += "?"+ctx.url.query;
+ }
+ if(full != "") {
+ ctx.url.full = full
+ }
+# User Agent Fields
+- user_agent:
+ field: json.ClientRequestUserAgent
+ target_field: user_agent
+ ignore_missing: true
+# Observer Fields
+- rename:
+ field: json.EdgeServerIP
+ target_field: observer.ip
+ ignore_missing: true
+ if: ctx?.json?.EdgeServerIP != ''
+- geoip:
+ field: observer.ip
+ target_field: observer.geo
+ ignore_missing: true
+# Cloudflare Cache Fields
+- rename:
+ field: json.CacheCacheStatus
+ target_field: cloudflare.cache.status
+ ignore_missing: true
+- rename:
+ field: json.CacheTieredFill
+ target_field: cloudflare.cache.tiered_fill
+ ignore_missing: true
+- convert:
+ field: json.CacheResponseBytes
+ target_field: cloudflare.cache.bytes
+ type: long
+ ignore_missing: true
+ if: ctx?.json?.CacheResponseBytes != 0
+- convert:
+ field: json.CacheResponseStatus
+ target_field: cloudflare.cache.status_code
+ type: long
+ ignore_missing: true
+ if: ctx?.json?.CacheResponseStatus != 0
+# Cloudflare Edge Fields
+- rename:
+ field: json.EdgeColoCode
+ target_field: cloudflare.edge.colo.code
+ ignore_missing: true
+- rename:
+ field: json.EdgeColoID
+ target_field: cloudflare.edge.colo.id
+ ignore_missing: true
+- rename:
+ field: json.EdgePathingOp
+ target_field: cloudflare.edge.pathing.op
+ ignore_missing: true
+- rename:
+ field: json.EdgePathingSrc
+ target_field: cloudflare.edge.pathing.src
+ ignore_missing: true
+- rename:
+ field: json.EdgePathingStatus
+ target_field: cloudflare.edge.pathing.status
+ ignore_missing: true
+- rename:
+ field: json.EdgeRateLimitAction
+ target_field: cloudflare.edge.rate_limit.action
+ ignore_missing: true
+- rename:
+ field: json.EdgeRateLimitID
+ target_field: cloudflare.edge.rate_limit.id
+ ignore_missing: true
+- rename:
+ field: json.EdgeRequestHost
+ target_field: cloudflare.edge.request.host
+ ignore_missing: true
+- convert:
+ field: json.EdgeResponseBytes
+ target_field: cloudflare.edge.response.bytes
+ type: long
+ ignore_missing: true
+- rename:
+ field: json.EdgeResponseStatus
+ target_field: cloudflare.edge.response.status_code
+ ignore_missing: true
+- rename:
+ field: json.EdgeResponseCompressionRatio
+ target_field: cloudflare.edge.response.compression_ratio
+ ignore_missing: true
+- rename:
+ field: json.EdgeResponseContentType
+ target_field: cloudflare.edge.response.content_type
+ ignore_missing: true
+- convert:
+ field: json.EdgeResponseBodyBytes
+ target_field: cloudflare.edge.response.body.bytes
+ type: long
+ ignore_missing: true
+# Cloudflare Firewall Fields
+- rename:
+ field: json.FirewallMatchesActions
+ target_field: cloudflare.firewall.actions
+ ignore_missing: true
+- rename:
+ field: json.FirewallMatchesSources
+ target_field: cloudflare.firewall.sources
+ ignore_missing: true
+- rename:
+ field: json.FirewallMatchesRuleIDs
+ target_field: cloudflare.firewall.rule_ids
+ ignore_missing: true
+# Cloudflare WAF Fields
+- rename:
+ field: json.WAFAction
+ target_field: cloudflare.waf.action
+ ignore_missing: true
+- rename:
+ field: json.WAFFlags
+ target_field: cloudflare.waf.flags
+ ignore_missing: true
+- rename:
+ field: json.WAFMatchedVar
+ target_field: cloudflare.waf.matched_var
+ ignore_missing: true
+- rename:
+ field: json.WAFProfile
+ target_field: cloudflare.waf.profile
+ ignore_missing: true
+- rename:
+ field: json.WAFRuleID
+ target_field: cloudflare.waf.rule.id
+ ignore_missing: true
+- rename:
+ field: json.WAFRuleMessage
+ target_field: cloudflare.waf.rule.message
+ ignore_missing: true
+# CLoudflare Worker Fields
+- convert:
+ field: json.WorkerCPUTime
+ target_field: cloudflare.worker.cpu_time
+ type: long
+ ignore_missing: true
+- rename:
+ field: json.WorkerStatus
+ target_field: cloudflare.worker.status
+ ignore_missing: true
+- rename:
+ field: json.WorkerSubrequest
+ target_field: cloudflare.worker.subrequest
+ ignore_missing: true
+- convert:
+ field: json.WorkerSubrequestCount
+ target_field: cloudflare.worker.subrequest_count
+ type: long
+ ignore_missing: true
+# Cloudflare Origin Fields
+- rename:
+ field: json.OriginResponseBytes
+ target_field: cloudflare.origin.response.bytes
+ ignore_missing: true
+- date:
+ field: json.OriginResponseHTTPExpires
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss z
+ timezone: UTC
+ target_field: cloudflare.origin.response.expires
+ if: ctx?.json?.OriginResponseHTTPExpires != null
+ ignore_failure: true
+- date:
+ field: json.OriginResponseHTTPLastModified
+ formats:
+ - EEE, dd MMM yyyy HH:mm:ss z
+ timezone: UTC
+ target_field: cloudflare.origin.response.last_modified
+ if: ctx?.json?.OriginResponseHTTPLastModified != null
+ ignore_failure: true
+- rename:
+ field: json.OriginResponseStatus
+ target_field: cloudflare.origin.response.status_code
+ ignore_missing: true
+- convert:
+ field: json.OriginResponseTime
+ target_field: cloudflare.origin.response.time
+ type: long
+ ignore_missing: true
+- rename:
+ field: json.OriginSSLProtocol
+ target_field: cloudflare.origin.ssl.protocol
+ ignore_missing: true
+# Cloudflare RayID Fields
+- rename:
+ field: json.ParentRayID
+ target_field: cloudflare.parent.ray_id
+ ignore_missing: true
+- rename:
+ field: json.RayID
+ target_field: cloudflare.ray_id
+ ignore_missing: true
+# Cloudflare Other Fields
+- rename:
+ field: json.ZoneID
+ target_field: cloudflare.zone.id
+ ignore_missing: true
+- rename:
+ field: json.ZoneName
+ target_field: cloudflare.zone.name
+ ignore_missing: true
+- rename:
+ field: json.SecurityLevel
+ target_field: cloudflare.security_level
+ ignore_missing: true
+- rename:
+ field: json.ClientDeviceType
+ target_field: cloudflare.device_type
+ ignore_missing: true
+# HTTP Fields
+- dissect:
+ field: json.ClientRequestProtocol
+ pattern: "%{network.protocol}/%{http.version}"
+ ignore_failure: true
+- set:
+ field: http.response.bytes
+ copy_from: cloudflare.edge.response.bytes
+ ignore_empty_value: true
+- set:
+ field: http.response.body.bytes
+ copy_from: cloudflare.edge.response.body.bytes
+ ignore_empty_value: true
+- convert:
+ field: json.ClientRequestBytes
+ target_field: http.request.bytes
+ type: long
+ ignore_missing: true
+- rename:
+ field: json.ClientRequestMethod
+ target_field: http.request.method
+ ignore_missing: true
+- rename:
+ field: json.ClientRequestReferer
+ target_field: http.request.referrer
+ ignore_missing: true
+- set:
+ field: http.response.status_code
+ copy_from: cloudflare.edge.response.status_code
+ ignore_empty_value: true
+- set:
+ field: http.response.status_code
+ copy_from: cloudflare.origin.response.status_code
+ ignore_empty_value: true
+ if: ctx?.http?.response?.status_code == null && ctx?.cloudflare?.origin?.response?.status_code != 0
+# Source Fields
+- rename:
+ field: json.ClientIP
+ target_field: source.address
+ ignore_missing: true
+- convert:
+ field: source.address
+ target_field: source.ip
+ type: ip
+ ignore_missing: true
+ ignore_failure: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+- rename:
+ field: json.ClientCountry
+ target_field: source.geo.country_iso_code
+ ignore_missing: true
+ if: ctx?.source?.geo?.country_iso_code == null
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: json.ClientASN
+ target_field: source.as.number
+ ignore_missing: true
+ if: ctx?.source?.as?.number == null
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- set:
+ field: source.bytes
+ copy_from: http.request.bytes
+ ignore_empty_value: true
+- convert:
+ field: json.ClientSrcPort
+ target_field: source.port
+ type: long
+ ignore_missing: true
+# Client Fields
+- set:
+ field: client
+ copy_from: source
+- rename:
+ field: json.ClientIPClass
+ target_field: cloudflare.client.ip_class
+ ignore_missing: true
+# Destination Fields
+- rename:
+ field: json.OriginIP
+ target_field: destination.address
+ ignore_missing: true
+- convert:
+ field: destination.address
+ target_field: destination.ip
+ type: ip
+ ignore_missing: true
+ ignore_failure: true
+- set:
+ field: destination.bytes
+ copy_from: cloudflare.edge.response.bytes
+ ignore_empty_value: true
+# Server Fields
+- set:
+ field: server
+ copy_from: destination
+- set:
+ field: event.category
+ value: network
+- set:
+ field: event.kind
+ value: event
+- append:
+ field: event.type
+ value: denied
+ allow_duplicates: false
+ if: ctx?.cloudflare?.firewall?.actions.contains('block')
+# Network Fields
+- lowercase:
+ field: network.protocol
+ ignore_missing: true
+- set:
+ field: network.transport
+ value: tcp
+ if: ctx?.network?.protocol != null && ctx?.network?.protocol == 'http'
+- script:
+ lang: painless
+ source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes"
+ if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null"
+ ignore_failure: true
+on_failure:
+- set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
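Review bot: The `if` conditions on the ClientSSLProtocol and ClientSSLCipher renames call `.toLowerCase()` directly on the field value, and `ignore_missing: true` does not help because the condition is evaluated before the processor runs; a record without either field yields a NullPointerException, the remaining processors are skipped and the document lands with only `error.message` set. Guarding the call as the timestamp conditions earlier in this file already do avoids that: `if: ctx.json?.ClientSSLProtocol != null && ctx.json.ClientSSLProtocol.toLowerCase() != 'none'` (and the same shape for ClientSSLCipher). The `event.type: denied` append has the same defect with `ctx?.cloudflare?.firewall?.actions.contains('block')`, and it matters more because it decides whether a blocked request is categorised as denied; it should read `if: ctx.cloudflare?.firewall?.actions != null && ctx.cloudflare.firewall.actions.contains('block')`. The network.bytes script relies on `ignore_failure` to cover a missing `ctx.network` object when the ClientRequestProtocol dissect did not run, so adding `ctx?.network != null` to its condition would state the requirement instead of masking the error.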
diff --git a/packages/cloudflare/2.1.1/data_stream/logpull/fields/agent.yml b/packages/cloudflare/2.1.1/data_stream/logpull/fields/agent.yml
new file mode 100755
index 0000000000..4d9a6f7b36
--- /dev/null
+++ b/packages/cloudflare/2.1.1/data_stream/logpull/fields/agent.yml
@@ -0,0 +1,114 @@
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/packages/cloudflare/2.1.1/data_stream/logpull/fields/base-fields.yml b/packages/cloudflare/2.1.1/data_stream/logpull/fields/base-fields.yml
new file mode 100755
index 0000000000..2905a4c5b4
--- /dev/null
+++ b/packages/cloudflare/2.1.1/data_stream/logpull/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cloudflare
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cloudflare.logpull
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/cloudflare/2.1.1/data_stream/logpull/fields/beats.yml b/packages/cloudflare/2.1.1/data_stream/logpull/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/cloudflare/2.1.1/data_stream/logpull/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/cloudflare/2.1.1/data_stream/logpull/fields/ecs.yml b/packages/cloudflare/2.1.1/data_stream/logpull/fields/ecs.yml
new file mode 100755
index 0000000000..9653c5bc71
--- /dev/null
+++ b/packages/cloudflare/2.1.1/data_stream/logpull/fields/ecs.yml
@@ -0,0 +1,451 @@
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: client.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: client.as.organization.name
+ type: keyword
+- description: |-
+ The domain name of the client system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: client.domain
+ type: keyword
+- description: City name.
+ name: client.geo.city_name
+ type: keyword
+- description: Country name.
+ name: client.geo.country_name
+ type: keyword
+- description: Country ISO code.
+ name: client.geo.country_iso_code
+ type: keyword
+- description: Name of the continent.
+ name: client.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: client.geo.country_iso_code
+ type: keyword
+- description: Region ISO code.
+ name: client.geo.region_iso_code
+ type: keyword
+- description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ name: client.geo.location
+ type: geo_point
+- description: Region name.
+ name: client.geo.region_name
+ type: keyword
+- description: IP address of the client (IPv4 or IPv6).
+ name: client.ip
+ type: ip
+- description: |-
+ Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: client.address
+ type: keyword
+- description: Bytes sent from the client to the server.
+ name: client.bytes
+ type: long
+- description: Port of the client.
+ name: client.port
+ type: long
+- description: Bytes sent from the destination to the source.
+ name: destination.bytes
+ type: long
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: destination.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.as.organization.name
+ type: keyword
+- description: City name.
+ name: destination.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: destination.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: destination.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: destination.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ name: destination.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: destination.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: destination.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: destination.geo.region_name
+ type: keyword
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: |-
+ Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: destination.address
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: Unique ID to describe the event.
+ name: event.id
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: event.start contains the date when the event started or when the activity was first observed.
+ name: event.start
+ type: date
+- description: event.end contains the date when the event ended or when the activity was last observed.
+ name: event.end
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Duration of the event in nanoseconds.
+ If event.start and event.end are known this value should be the difference between the end and start time.
+ name: event.duration
+ type: long
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: |-
+ The domain name of the source system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: source.domain
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ name: source.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: source.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: Unique identifier of the user.
+ name: source.user.id
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.user.full_name
+ type: keyword
+- description: Name of the device.
+ name: user_agent.device.name
+ type: keyword
+- description: Name of the user agent.
+ name: user_agent.name
+ type: keyword
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
+- description: Operating system name, without the version.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.os.name
+ type: keyword
+- description: Operating system version as a raw string.
+ name: user_agent.os.version
+ type: keyword
+- description: Operating system name, including the version or code name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.os.full
+ type: keyword
+- description: Version of the user agent.
+ name: user_agent.version
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.domain
+ type: keyword
+- description: User email address.
+ name: user.email
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.full_name
+ type: keyword
+- description: |-
+ Domain of the url, such as "www.elastic.co".
+ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+ name: url.domain
+ type: keyword
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: Password of the request.
+ name: url.password
+ type: keyword
+- description: Port of the request, such as 443.
+ name: url.port
+ type: long
+- description: Username of the request.
+ name: url.username
+ type: keyword
+- description: Path of the request, such as "/search".
+ name: url.path
+ type: wildcard
+- description: |-
+ The query field describes the query string of the request, such as "q=elasticsearch".
+ The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+ name: url.query
+ type: keyword
+- description: |-
+ The field contains the file extension from the original request url, excluding the leading dot.
+ The file extension is only set if it exists, as not every url has a file extension.
+ The leading period must not be included. For example, the value must be "png", not ".png".
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: url.extension
+ type: keyword
+- description: |-
+ Scheme of the request, such as "https".
+ Note: The `:` is not part of the scheme.
+ name: url.scheme
+ type: keyword
+- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.full
+ type: wildcard
+- description: String indicating the cipher used during the current connection.
+ name: tls.cipher
+ type: keyword
+- description: Numeric part of the version parsed from the original string.
+ name: tls.version
+ type: keyword
+- description: Normalized lowercase protocol name parsed from original string.
+ name: tls.version_protocol
+ type: keyword
+- description: |-
+ Total bytes transferred in both directions.
+ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+ name: network.bytes
+ type: long
+- description: |-
+ In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
+ The field value must be normalized to lowercase for querying.
+ name: network.protocol
+ type: keyword
+- description: |-
+ Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
+ The field value must be normalized to lowercase for querying.
+ name: network.transport
+ type: keyword
+- description: HTTP response status code.
+ name: http.response.status_code
+ type: long
+- description: Size in bytes of the request body.
+ name: http.request.body.bytes
+ type: long
+- description: Size in bytes of the response body.
+ name: http.response.body.bytes
+ type: long
+- description: |-
+ HTTP request method.
+ The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
+ name: http.request.method
+ type: keyword
+- description: Referrer for this HTTP request.
+ name: http.request.referrer
+ type: keyword
+- description: HTTP version.
+ name: http.version
+ type: keyword
+- description: Total size in bytes of the request (body and headers).
+ name: http.request.bytes
+ type: long
+- description: Total size in bytes of the response (body and headers).
+ name: http.response.bytes
+ type: long
+- description: |-
+ The type of the observer the data is coming from.
+ There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+ name: observer.type
+ type: keyword
+- description: Vendor name of the observer.
+ name: observer.vendor
+ type: keyword
+- description: City name.
+ name: observer.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: observer.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: observer.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: observer.geo.country_name
+ type: keyword
+- description: Region ISO code.
+ name: observer.geo.region_iso_code
+ type: keyword
+- description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ name: observer.geo.location
+ type: geo_point
+- description: Region name.
+ name: observer.geo.region_name
+ type: keyword
+- description: IP addresses of the observer.
+ name: observer.ip
+ type: ip
+- description: |-
+ Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: server.address
+ type: keyword
+- description: Bytes sent from the server to the client.
+ name: server.bytes
+ type: long
+- description: IP address of the server (IPv4 or IPv6).
+ name: server.ip
+ type: ip
diff --git a/packages/cloudflare/2.1.1/data_stream/logpull/fields/fields.yml b/packages/cloudflare/2.1.1/data_stream/logpull/fields/fields.yml
new file mode 100755
index 0000000000..0712d73ccb
--- /dev/null
+++ b/packages/cloudflare/2.1.1/data_stream/logpull/fields/fields.yml
@@ -0,0 +1,319 @@
+- name: cloudflare
+ type: group
+ release: beta
+ default_field: false
+ description: >
+ Fields for Cloudflare Logs
+
+ fields:
+ - name: cache
+ type: group
+ description: >
+ Fields for Cloudflare Cache
+
+ fields:
+ - name: status
+ type: keyword
+ description: >
+ Status of cache
+
+ - name: tiered_fill
+ type: boolean
+ description: >
+ Tiered Cache was used to serve this request
+
+ - name: bytes
+ type: long
+ description: >
+ Number of bytes returned by the cache
+
+ - name: status_code
+ type: long
+ description: >
+ HTTP status code returned by the cache to the edge. All requests (including non-cacheable ones) go through the cache.
+
+ - name: edge
+ type: group
+ description: >
+ Fields for Cloudflare Edge
+
+ fields:
+ - name: colo
+ type: group
+ description: >
+ Fields for Cloudflare Edge Colo
+
+ fields:
+ - name: code
+ type: keyword
+ description: >
+ IATA airport code of data center that received the request
+
+ - name: id
+ type: long
+ description: >
+ Cloudflare edge colo id
+
+ - name: pathing
+ type: group
+ description: >
+ Fields for Cloudflare Edge Pathing
+
+ fields:
+ - name: op
+ type: keyword
+ description: >
+ Indicates what type of response was issued for this request (unknown = no specific action)
+
+ - name: src
+ type: keyword
+ description: >
+ Details how the request was classified based on security checks (unknown = no specific classification)
+
+ - name: status
+ type: keyword
+ description: >
+ Indicates what data was used to determine the handling of this request (unknown = no data)
+
+ - name: rate_limit
+ type: group
+ description: >
+ Fields for Cloudflare Edge Pathing
+
+ fields:
+ - name: action
+ type: keyword
+ description: >
+ The action taken by the blocking rule; empty if no action taken
+
+ - name: id
+ type: long
+ description: >
+ The internal rule ID of the rate-limiting rule that triggered a block (ban) or log action. 0 if no action taken.
+
+ - name: request
+ type: group
+ description: >
+ Fields for Cloudflare Edge Request
+
+ fields:
+ - name: host
+ type: keyword
+ description: >
+ Host header on the request from the edge to the origin
+
+ - name: response
+ type: group
+ description: >
+ Fields for Cloudflare Edge Response
+
+ fields:
+ - name: compression_ratio
+ type: long
+ description: >
+ Edge response compression ratio
+
+ - name: content_type
+ type: keyword
+ description: >
+ Edge response Content-Type header value
+
+ - name: bytes
+ type: long
+ description: >
+ Number of bytes returned by the edge to the client
+
+ - name: status_code
+ type: long
+ description: >
+ HTTP status code returned by Cloudflare to the client
+
+ - name: firewall
+ type: group
+ description: >
+ Fields for Cloudflare Firewall
+
+ fields:
+ - name: actions
+ type: array
+ description: >
+ Array of actions the Cloudflare firewall products performed on this request. The individual firewall products associated with this action be found in FirewallMatchesSources and their respective RuleIds can be found in FirewallMatchesRuleIDs. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesSources.
+
+ - name: sources
+ type: array
+ description: >
+ The firewall products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The RuleIDs can be found in FirewallMatchesRuleIDs, the actions can be found in FirewallMatchesActions. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesActions.
+
+ - name: rule_ids
+ type: array
+ description: >
+ Array of RuleIDs of the firewall product that has matched the request. The firewall product associated with the RuleID can be found in FirewallMatchesSources. The length of the array is the same as FirewallMatchesActions and FirewallMatchesSources.
+
+ - name: waf
+ type: group
+ description: >
+ Fields for Cloudflare WAF
+
+ fields:
+ - name: action
+ type: keyword
+ description: >
+ Action taken by the WAF, if triggered
+
+ - name: flags
+ type: keyword
+ description: >
+ Additional configuration flags: simulate (0x1) | null
+
+ - name: matched_var
+ type: keyword
+ description: >
+ The full name of the most-recently matched variable
+
+ - name: profile
+ type: keyword
+ description: >
+ low | med | high
+
+ - name: rule
+ type: group
+ description: >
+ Fields for Cloudflare WAF Rule
+
+ fields:
+ - name: id
+ type: keyword
+ description: >
+ ID of the applied WAF rule
+
+ - name: message
+ type: keyword
+ description: >
+ Rule message associated with the triggered rule
+
+ - name: worker
+ type: group
+ description: >
+ Fields for Cloudflare Worker
+
+ fields:
+ - name: cpu_time
+ type: long
+ description: >
+ Amount of time in microseconds spent executing a worker, if any
+
+ - name: status
+ type: keyword
+ description: >
+ Status returned from worker daemon
+
+ - name: subrequest
+ type: boolean
+ description: >
+ Whether or not this request was a worker subrequest
+
+ - name: subrequest_count
+ type: long
+ description: >
+ Number of subrequests issued by a worker when handling this request
+
+ - name: origin
+ type: group
+ description: >
+ Fields for Cloudflare Origin
+
+ fields:
+ - name: ssl
+ type: group
+ description: >
+ Fields for Cloudflare Origin SSL
+
+ fields:
+ - name: protocol
+ type: keyword
+ description: >
+ SSL (TLS) protocol used to connect to the origin
+
+ - name: response
+ type: group
+ description: >
+ Fields for Cloudflare Origin Response
+
+ fields:
+ - name: time
+ type: long
+ description: >
+ Number of nanoseconds it took the origin to return the response to edge
+
+ - name: status_code
+ type: long
+ description: >
+ Status returned by the origin server
+
+ - name: last_modified
+ type: date
+ description: >
+ Value of the origin 'last-modified' header
+
+ - name: expires
+ type: date
+ description: >
+ Value of the origin 'expires' header
+
+ - name: bytes
+ type: long
+ description: >
+ Number of bytes returned by the origin server
+
+ - name: parent
+ type: group
+ description: >
+ Fields for Cloudflare Parent
+
+ fields:
+ - name: ray_id
+ type: keyword
+ description: >
+ Ray ID of the parent request if this request was made using a Worker script
+
+ - name: ray_id
+ type: keyword
+ description: >
+ Ray ID of the parent request if this request was made using a Worker script
+
+ - name: security_level
+ type: keyword
+ description: >
+ The security level configured at the time of this request. This is used to determine the sensitivity of the IP Reputation system.
+
+ - name: device_type
+ type: keyword
+ description: >
+ Client device type
+
+ - name: zone
+ type: group
+ description: >
+ Fields for Cloudflare Zone
+
+ fields:
+ - name: id
+ type: long
+ description: >
+ Internal zone ID
+
+ - name: name
+ type: keyword
+ description: >
+ The human-readable name of the zone (e.g. 'cloudflare.com').
+
+ - name: client.ip_class
+ type: keyword
+ description: >
+ Class of client, ex. badHost | searchEngine | allowlist | greylist....
+
+ - name: client.ssl.protocol
+ type: keyword
+ description: >
+ Client SSL (TLS) protocol
+
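Review bot: `cloudflare.edge.response.compression_ratio` is declared `type: long`, but the value is a ratio — the package's own sample event for this stream carries `2.64` — and Elasticsearch's default `coerce` truncates floating-point input for integer types, so the stored value silently loses its fractional part; change it to `type: float` (or `double`). Two descriptions look like copy-paste slips: the `rate_limit` group is described as `Fields for Cloudflare Edge Pathing`, and the top-level `ray_id` reuses the parent field's text `Ray ID of the parent request if this request was made using a Worker script` although it is the request's own identifier. Suggested replacements are `Fields for Cloudflare Edge Rate Limit` and `Ray ID of this request`. The three `firewall` fields use `type: array` with no `object_type`; if the package spec leaves such fields to dynamic mapping (worth confirming against the spec version in use), the rule IDs and actions that detection rules key on should get `object_type: keyword` so they are mapped explicitly and consistently.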
diff --git a/packages/cloudflare/2.1.1/data_stream/logpull/manifest.yml b/packages/cloudflare/2.1.1/data_stream/logpull/manifest.yml
new file mode 100755
index 0000000000..1a3eccd77a
--- /dev/null
+++ b/packages/cloudflare/2.1.1/data_stream/logpull/manifest.yml
@@ -0,0 +1,67 @@
+type: logs
+title: Cloudflare Logpull
+streams:
+ - input: httpjson
+ vars:
+ - name: auth_email
+ type: text
+ title: Auth Email
+ description: The Auth Email. Needs to be used with an Auth Key. Do not fill if you are using an Auth Token.
+ multi: false
+ required: false
+ show_user: true
+ - name: auth_key
+ type: password
+ title: Auth Key
+ description: The Auth Key. Needs to be used with an Auth Email. Do not fill if you are using an Auth Token.
+ multi: false
+ required: false
+ show_user: true
+ - name: auth_token
+ type: password
+ title: Auth token
+ description: The auth token. If set, Auth Email and Auth Key will be ignored.
+ required: false
+ multi: false
+ show_user: true
+ - name: zone_id
+ type: text
+ title: Zone ID
+ multi: false
+ required: true
+ show_user: true
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ description: Interval at which the logs will be pulled. The value must be between 1s and 1h.
+ default: 5m
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - forwarded
+ - cloudflare-logpull
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
+ template_path: httpjson.yml.hbs
+ title: Cloudflare logs
+ description: Collect Cloudflare logs via the Logpull API
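Review bot: The required `zone_id` variable has no `description`, while every other user-facing var in this stream has one; add something like `description: The ID of the Cloudflare zone whose traffic logs will be pulled (shown on the zone's Overview page in the Cloudflare dashboard).` The `auth_token` description only says it overrides Auth Email/Auth Key; because the Auth Key alternative is the account-wide Global API Key, operators would benefit from a least-privilege hint such as `The API token. Prefer a token scoped to the zone with Logs Read permission over the Global API Key. If set, Auth Email and Auth Key will be ignored.` The exact permission name should be checked against the current Cloudflare Logpull documentation before it is committed.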
diff --git a/packages/cloudflare/2.1.1/data_stream/logpull/sample_event.json b/packages/cloudflare/2.1.1/data_stream/logpull/sample_event.json
new file mode 100755
index 0000000000..625c77e088
--- /dev/null
+++ b/packages/cloudflare/2.1.1/data_stream/logpull/sample_event.json
@@ -0,0 +1,191 @@
+{
+ "@timestamp": "2019-08-02T15:29:08.000Z",
+ "agent": {
+ "ephemeral_id": "cc5a5e17-4689-49cd-a620-44997d7309a8",
+ "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "client": {
+ "address": "35.232.161.245",
+ "as": {
+ "number": 15169
+ },
+ "bytes": 2577,
+ "geo": {
+ "country_iso_code": "us"
+ },
+ "ip": "35.232.161.245",
+ "port": 55028
+ },
+ "cloudflare": {
+ "cache": {
+ "status": "unknown",
+ "tiered_fill": false
+ },
+ "client": {
+ "ip_class": "noRecord",
+ "ssl": {
+ "protocol": "TLSv1.2"
+ }
+ },
+ "device_type": "desktop",
+ "edge": {
+ "colo": {
+ "id": 14
+ },
+ "pathing": {
+ "op": "chl",
+ "src": "filterBasedFirewall",
+ "status": "captchaNew"
+ },
+ "rate_limit": {
+ "id": 0
+ },
+ "response": {
+ "bytes": 2848,
+ "compression_ratio": 2.64,
+ "content_type": "text/html",
+ "status_code": 403
+ }
+ },
+ "firewall": {
+ "actions": [
+ "simulate",
+ "challenge"
+ ],
+ "rule_ids": [
+ "094b71fea25d4860a61fa0c6fbbd8d8b",
+ "e454fd4a0ce546b3a9a462536613692c"
+ ],
+ "sources": [
+ "firewallRules",
+ "firewallRules"
+ ]
+ },
+ "origin": {
+ "response": {
+ "bytes": 0,
+ "status_code": 0,
+ "time": 0
+ },
+ "ssl": {
+ "protocol": "unknown"
+ }
+ },
+ "parent": {
+ "ray_id": "00"
+ },
+ "ray_id": "500115ec386354d8",
+ "security_level": "med",
+ "waf": {
+ "action": "unknown",
+ "flags": "0",
+ "profile": "unknown"
+ },
+ "worker": {
+ "cpu_time": 0,
+ "status": "unknown",
+ "subrequest": false,
+ "subrequest_count": 0
+ },
+ "zone": {
+ "id": 155978002
+ }
+ },
+ "data_stream": {
+ "dataset": "cloudflare.logpull",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "bytes": 2848
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "elastic_agent": {
+ "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": "network",
+ "created": "2021-12-30T04:59:20.268Z",
+ "dataset": "cloudflare.logpull",
+ "duration": 0,
+ "end": "2019-08-02T15:29:08.000Z",
+ "ingested": "2021-12-30T04:59:21Z",
+ "kind": "event",
+ "original": "{\"CacheCacheStatus\":\"unknown\",\"CacheResponseBytes\":0,\"CacheResponseStatus\":0,\"CacheTieredFill\":false,\"ClientASN\":15169,\"ClientCountry\":\"us\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"35.232.161.245\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":2577,\"ClientRequestHost\":\"cf-analytics.com\",\"ClientRequestMethod\":\"POST\",\"ClientRequestPath\":\"/wp-cron.php\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestURI\":\"/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestUserAgent\":\"WordPress/5.2.2;https://cf-analytics.com\",\"ClientSSLCipher\":\"ECDHE-ECDSA-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.2\",\"ClientSrcPort\":55028,\"EdgeColoID\":14,\"EdgeEndTimestamp\":\"2019-08-02T15:29:08Z\",\"EdgePathingOp\":\"chl\",\"EdgePathingSrc\":\"filterBasedFirewall\",\"EdgePathingStatus\":\"captchaNew\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"\",\"EdgeResponseBytes\":2848,\"EdgeResponseCompressionRatio\":2.64,\"EdgeResponseContentType\":\"text/html\",\"EdgeResponseStatus\":403,\"EdgeServerIP\":\"\",\"EdgeStartTimestamp\":\"2019-08-02T15:29:08Z\",\"FirewallMatchesActions\":[\"simulate\",\"challenge\"],\"FirewallMatchesRuleIDs\":[\"094b71fea25d4860a61fa0c6fbbd8d8b\",\"e454fd4a0ce546b3a9a462536613692c\"],\"FirewallMatchesSources\":[\"firewallRules\",\"firewallRules\"],\"OriginIP\":\"\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"00\",\"RayID\":\"500115ec386354d8\",\"SecurityLevel\":\"med\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":
false,\"WorkerSubrequestCount\":0,\"ZoneID\":155978002}",
+ "start": "2019-08-02T15:29:08.000Z"
+ },
+ "http": {
+ "request": {
+ "bytes": 2577,
+ "method": "POST",
+ "referrer": "https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000"
+ },
+ "response": {
+ "bytes": 2848,
+ "status_code": 403
+ },
+ "version": "1.1"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "network": {
+ "bytes": 5425,
+ "protocol": "http",
+ "transport": "tcp"
+ },
+ "observer": {
+ "type": "proxy",
+ "vendor": "cloudflare"
+ },
+ "server": {
+ "bytes": 2848
+ },
+ "source": {
+ "address": "35.232.161.245",
+ "as": {
+ "number": 15169
+ },
+ "bytes": 2577,
+ "geo": {
+ "country_iso_code": "us"
+ },
+ "ip": "35.232.161.245",
+ "port": 55028
+ },
+ "tags": [
+ "forwarded",
+ "cloudflare-logpull",
+ "preserve_original_event"
+ ],
+ "tls": {
+ "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256",
+ "version": "1.2",
+ "version_protocol": "tls"
+ },
+ "url": {
+ "domain": "cf-analytics.com",
+ "extension": "php",
+ "full": "https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000",
+ "original": "/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000",
+ "path": "/wp-cron.php",
+ "query": "doing_wp_cron=1564759748.3962020874023437500000",
+ "scheme": "https"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Spider"
+ },
+ "name": "WordPress",
+ "original": "WordPress/5.2.2;https://cf-analytics.com",
+ "version": "5.2.2"
+ }
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/docs/README.md b/packages/cloudflare/2.1.1/docs/README.md
new file mode 100755
index 0000000000..ea6e87a6c1
--- /dev/null
+++ b/packages/cloudflare/2.1.1/docs/README.md
@@ -0,0 +1,628 @@
+# Cloudflare Integration
+
+Cloudflare integration uses [Cloudflare's API](https://api.cloudflare.com/) to retrieve [audit logs](https://support.cloudflare.com/hc/en-us/articles/115002833612-Understanding-Cloudflare-Audit-Logs) and [traffic logs](https://developers.cloudflare.com/logs/logpull/understanding-the-basics/) from Cloudflare, for a particular zone, and ingest them into Elasticsearch. This allows you to search, observe and visualize the Cloudflare log events through Elasticsearch.
+
+Users of [Cloudflare](https://www.cloudflare.com/en-au/learning/what-is-cloudflare/) use Cloudflare services to increase the security and performance of their web sites and services.
+
+## Configuration
+
+### Enabling the integration in Elastic
+
+1. In Kibana go to **Management > Integrations**
+2. In the "Search for integrations" search bar type **Cloudflare**.
+3. Click on "Cloudflare" integration from the search results.
+4. Click on **Add Cloudflare** button to add Cloudflare integration.
+
+### Configure Cloudflare audit logs data stream
+
+Enter values "Auth Email", "Auth Key" and "Account ID".
+
+1. **Auth Email** is the email address associated with your account.
+2. [**Auth Key**](https://developers.cloudflare.com/api/keys/) is the API key generated on the "My Account" page.
+3. **Account ID** can be found on the Cloudflare dashboard. Follow the navigation documentation from [here](https://developers.cloudflare.com/fundamentals/get-started/basic-tasks/find-account-and-zone-ids/).
+
+NOTE: See for `X-AUTH-EMAIL` and `X-AUTH-KEY` [here](https://api.cloudflare.com/#getting-started-requests) for more information on Auth Email and Auth Key.
+
+### Configure Cloudflare logs
+
+These logs contain data related to the connecting client, the request path through the Cloudflare network, and the response from the origin web server. For more information see [here](https://developers.cloudflare.com/logs/logpull/).
+
+The integration can retrieve Cloudflare logs using -
+
+1. Auth Email and Auth Key
+2. API Token
+
+More information is available [here](https://developers.cloudflare.com/logs/logpull/requesting-logs/#required-authentication-headers)
+
+#### Configure using Auth Email and Auth Key
+
+Enter values "Auth Email", "Auth Key" and "Zone ID".
+
+1. **Auth Email** is the email address associated with your account.
+2. [**Auth Key**](https://developers.cloudflare.com/api/keys/) is the API key generated on the "My Account" page.
+3. **Zone ID** can be found [here](https://developers.cloudflare.com/fundamentals/get-started/basic-tasks/find-account-and-zone-ids/).
+
+> Note: See for `X-AUTH-EMAIL` and `X-AUTH-KEY` [here](https://api.cloudflare.com/#getting-started-requests) for more information on Auth Email and Auth Key.
+
+#### Configure using API Token
+
+Enter values "API Token" and "Zone ID".
+
+For the Cloudflare integration to be able to successfully get logs the following permissions must be granted to the API token -
+
+- Account.Access: Audit Logs: Read
+
+1. [**API Tokens**](https://developers.cloudflare.com/api/tokens/) allow for more granular permission settings.
+2. **Zone ID** can be found [here](https://developers.cloudflare.com/fundamentals/get-started/basic-tasks/find-account-and-zone-ids/).
+
+## Logs
+
+### Audit
+
+Audit logs summarize the history of changes made within your Cloudflare account. Audit logs include account-level actions like login and logout, as well as setting changes to DNS, Crypto, Firewall, Speed, Caching, Page Rules, Network, and Traffic features, etc.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloudflare.audit.actor.type | The type of actor, whether a User, Cloudflare Admin, or an Automated System. Valid values: user, admin, Cloudflare. | keyword |
+| cloudflare.audit.metadata | An object which can lend more context to the action being logged. This is a flexible value and varies between different actions. | flattened |
+| cloudflare.audit.new_value | The new value of the resource that was modified | flattened |
+| cloudflare.audit.old_value | The value of the resource before it was modified | flattened |
+| cloudflare.audit.owner.id | User identifier tag | keyword |
+| cloudflare.audit.resource.id | An identifier for the resource that was affected by the action | keyword |
+| cloudflare.audit.resource.type | A short string that describes the resource that was affected by the action | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset name. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Path to the log file. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| tags | List of keywords used to tag each event. | keyword |
+| user.email | User email address. | keyword |
+| user.id | Unique identifier of the user. | keyword |
+
+
+An example event for `audit` looks as following:
+
+```json
+{
+ "@timestamp": "2021-11-30T13:42:04.000Z",
+ "agent": {
+ "ephemeral_id": "be28c4d0-164a-4115-81b7-ace36fc400f4",
+ "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "cloud": {
+ "account": {
+ "id": "aaabbbccc"
+ },
+ "provider": "cloudflare"
+ },
+ "cloudflare": {
+ "audit": {
+ "actor": {
+ "type": "user"
+ },
+ "owner": {
+ "id": "enl3j9du8rnx2swwd9l32qots7l54t9s"
+ },
+ "resource": {
+ "id": "enl3j9du8rnx2swwd9l32qots7l54t9s",
+ "type": "account"
+ }
+ }
+ },
+ "data_stream": {
+ "dataset": "cloudflare.audit",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "elastic_agent": {
+ "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "action": "rotate_api_key",
+ "agent_id_status": "verified",
+ "category": [
+ "iam"
+ ],
+ "created": "2021-12-30T04:58:37.412Z",
+ "dataset": "cloudflare.audit",
+ "id": "8d3396e8-c903-5a66-9421-00fc34570550",
+ "ingested": "2021-12-30T04:58:38Z",
+ "kind": "event",
+ "original": "{\"action\":{\"info\":\"key digest: c6b5d100d7ce492d24c5b13160fce1cc0092ce7e8d8430e9f5cf5468868be6f6\",\"result\":true,\"type\":\"rotate_API_key\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"52.91.36.10\",\"type\":\"user\"},\"id\":\"8d3396e8-c903-5a66-9421-00fc34570550\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-11-30T13:42:04Z\"}",
+ "outcome": "success",
+ "type": [
+ "change"
+ ]
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "related": {
+ "ip": [
+ "52.91.36.10"
+ ],
+ "user": [
+ "enl3j9du8rnx2swwd9l32qots7l54t9s"
+ ]
+ },
+ "source": {
+ "address": "52.91.36.10",
+ "ip": "52.91.36.10"
+ },
+ "tags": [
+ "forwarded",
+ "cloudflare-audit",
+ "preserve_original_event"
+ ],
+ "user": {
+ "email": "user@example.com",
+ "id": "enl3j9du8rnx2swwd9l32qots7l54t9s"
+ }
+}
+```
+
+### Logpull
+
+These logs contain data related to the connecting client, the request path through the Cloudflare network, and the response from the origin web server. For more information see [here](https://developers.cloudflare.com/logs/logpull/).
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| client.as.organization.name | Organization name. | keyword |
+| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text |
+| client.bytes | Bytes sent from the client to the server. | long |
+| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| client.geo.city_name | City name. | keyword |
+| client.geo.continent_name | Name of the continent. | keyword |
+| client.geo.country_iso_code | Country ISO code. | keyword |
+| client.geo.country_name | Country name. | keyword |
+| client.geo.location | Longitude and latitude. | geo_point |
+| client.geo.region_iso_code | Region ISO code. | keyword |
+| client.geo.region_name | Region name. | keyword |
+| client.ip | IP address of the client (IPv4 or IPv6). | ip |
+| client.port | Port of the client. | long |
+| cloudflare.cache.bytes | Number of bytes returned by the cache | long |
+| cloudflare.cache.status | Status of cache | keyword |
+| cloudflare.cache.status_code | HTTP status code returned by the cache to the edge. All requests (including non-cacheable ones) go through the cache. | long |
+| cloudflare.cache.tiered_fill | Tiered Cache was used to serve this request | boolean |
+| cloudflare.client.ip_class | Class of client, ex. badHost | searchEngine | allowlist | greylist.... | keyword |
+| cloudflare.client.ssl.protocol | Client SSL (TLS) protocol | keyword |
+| cloudflare.device_type | Client device type | keyword |
+| cloudflare.edge.colo.code | IATA airport code of data center that received the request | keyword |
+| cloudflare.edge.colo.id | Cloudflare edge colo id | long |
+| cloudflare.edge.pathing.op | Indicates what type of response was issued for this request (unknown = no specific action) | keyword |
+| cloudflare.edge.pathing.src | Details how the request was classified based on security checks (unknown = no specific classification) | keyword |
+| cloudflare.edge.pathing.status | Indicates what data was used to determine the handling of this request (unknown = no data) | keyword |
+| cloudflare.edge.rate_limit.action | The action taken by the blocking rule; empty if no action taken | keyword |
+| cloudflare.edge.rate_limit.id | The internal rule ID of the rate-limiting rule that triggered a block (ban) or log action. 0 if no action taken. | long |
+| cloudflare.edge.request.host | Host header on the request from the edge to the origin | keyword |
+| cloudflare.edge.response.bytes | Number of bytes returned by the edge to the client | long |
+| cloudflare.edge.response.compression_ratio | Edge response compression ratio | long |
+| cloudflare.edge.response.content_type | Edge response Content-Type header value | keyword |
+| cloudflare.edge.response.status_code | HTTP status code returned by Cloudflare to the client | long |
+| cloudflare.firewall.actions | Array of actions the Cloudflare firewall products performed on this request. The individual firewall products associated with this action be found in FirewallMatchesSources and their respective RuleIds can be found in FirewallMatchesRuleIDs. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesSources. | array |
+| cloudflare.firewall.rule_ids | Array of RuleIDs of the firewall product that has matched the request. The firewall product associated with the RuleID can be found in FirewallMatchesSources. The length of the array is the same as FirewallMatchesActions and FirewallMatchesSources. | array |
+| cloudflare.firewall.sources | The firewall products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The RuleIDs can be found in FirewallMatchesRuleIDs, the actions can be found in FirewallMatchesActions. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesActions. | array |
+| cloudflare.origin.response.bytes | Number of bytes returned by the origin server | long |
+| cloudflare.origin.response.expires | Value of the origin 'expires' header | date |
+| cloudflare.origin.response.last_modified | Value of the origin 'last-modified' header | date |
+| cloudflare.origin.response.status_code | Status returned by the origin server | long |
+| cloudflare.origin.response.time | Number of nanoseconds it took the origin to return the response to edge | long |
+| cloudflare.origin.ssl.protocol | SSL (TLS) protocol used to connect to the origin | keyword |
+| cloudflare.parent.ray_id | Ray ID of the parent request if this request was made using a Worker script | keyword |
+| cloudflare.ray_id | Ray ID of the parent request if this request was made using a Worker script | keyword |
+| cloudflare.security_level | The security level configured at the time of this request. This is used to determine the sensitivity of the IP Reputation system. | keyword |
+| cloudflare.waf.action | Action taken by the WAF, if triggered | keyword |
+| cloudflare.waf.flags | Additional configuration flags: simulate (0x1) | null | keyword |
+| cloudflare.waf.matched_var | The full name of the most-recently matched variable | keyword |
+| cloudflare.waf.profile | low | med | high | keyword |
+| cloudflare.waf.rule.id | ID of the applied WAF rule | keyword |
+| cloudflare.waf.rule.message | Rule message associated with the triggered rule | keyword |
+| cloudflare.worker.cpu_time | Amount of time in microseconds spent executing a worker, if any | long |
+| cloudflare.worker.status | Status returned from worker daemon | keyword |
+| cloudflare.worker.subrequest | Whether or not this request was a worker subrequest | boolean |
+| cloudflare.worker.subrequest_count | Number of subrequests issued by a worker when handling this request | long |
+| cloudflare.zone.id | Internal zone ID | long |
+| cloudflare.zone.name | The human-readable name of the zone (e.g. 'cloudflare.com'). | keyword |
+| data_stream.dataset | Data stream dataset name. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
+| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| http.request.body.bytes | Size in bytes of the request body. | long |
+| http.request.bytes | Total size in bytes of the request (body and headers). | long |
+| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
+| http.request.referrer | Referrer for this HTTP request. | keyword |
+| http.response.body.bytes | Size in bytes of the response body. | long |
+| http.response.bytes | Total size in bytes of the response (body and headers). | long |
+| http.response.status_code | HTTP response status code. | long |
+| http.version | HTTP version. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Path to the log file. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| observer.geo.city_name | City name. | keyword |
+| observer.geo.continent_name | Name of the continent. | keyword |
+| observer.geo.country_iso_code | Country ISO code. | keyword |
+| observer.geo.country_name | Country name. | keyword |
+| observer.geo.location | Longitude and latitude. | geo_point |
+| observer.geo.region_iso_code | Region ISO code. | keyword |
+| observer.geo.region_name | Region name. | keyword |
+| observer.ip | IP addresses of the observer. | ip |
+| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| server.bytes | Bytes sent from the server to the client. | long |
+| server.ip | IP address of the server (IPv4 or IPv6). | ip |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| source.user.full_name | User's full name, if available. | keyword |
+| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text |
+| source.user.id | Unique identifier of the user. | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| tls.cipher | String indicating the cipher used during the current connection. | keyword |
+| tls.version | Numeric part of the version parsed from the original string. | keyword |
+| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| url.full.text | Multi-field of `url.full`. | match_only_text |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
+| url.password | Password of the request. | keyword |
+| url.path | Path of the request, such as "/search". | wildcard |
+| url.port | Port of the request, such as 443. | long |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| url.username | Username of the request. | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.email | User email address. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user_agent.device.name | Name of the device. | keyword |
+| user_agent.name | Name of the user agent. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+| user_agent.os.full | Operating system name, including the version or code name. | keyword |
+| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
+| user_agent.os.name | Operating system name, without the version. | keyword |
+| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
+| user_agent.os.version | Operating system version as a raw string. | keyword |
+| user_agent.version | Version of the user agent. | keyword |
+
+
+An example event for `logpull` looks as following:
+
+```json
+{
+ "@timestamp": "2019-08-02T15:29:08.000Z",
+ "agent": {
+ "ephemeral_id": "cc5a5e17-4689-49cd-a620-44997d7309a8",
+ "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "client": {
+ "address": "35.232.161.245",
+ "as": {
+ "number": 15169
+ },
+ "bytes": 2577,
+ "geo": {
+ "country_iso_code": "us"
+ },
+ "ip": "35.232.161.245",
+ "port": 55028
+ },
+ "cloudflare": {
+ "cache": {
+ "status": "unknown",
+ "tiered_fill": false
+ },
+ "client": {
+ "ip_class": "noRecord",
+ "ssl": {
+ "protocol": "TLSv1.2"
+ }
+ },
+ "device_type": "desktop",
+ "edge": {
+ "colo": {
+ "id": 14
+ },
+ "pathing": {
+ "op": "chl",
+ "src": "filterBasedFirewall",
+ "status": "captchaNew"
+ },
+ "rate_limit": {
+ "id": 0
+ },
+ "response": {
+ "bytes": 2848,
+ "compression_ratio": 2.64,
+ "content_type": "text/html",
+ "status_code": 403
+ }
+ },
+ "firewall": {
+ "actions": [
+ "simulate",
+ "challenge"
+ ],
+ "rule_ids": [
+ "094b71fea25d4860a61fa0c6fbbd8d8b",
+ "e454fd4a0ce546b3a9a462536613692c"
+ ],
+ "sources": [
+ "firewallRules",
+ "firewallRules"
+ ]
+ },
+ "origin": {
+ "response": {
+ "bytes": 0,
+ "status_code": 0,
+ "time": 0
+ },
+ "ssl": {
+ "protocol": "unknown"
+ }
+ },
+ "parent": {
+ "ray_id": "00"
+ },
+ "ray_id": "500115ec386354d8",
+ "security_level": "med",
+ "waf": {
+ "action": "unknown",
+ "flags": "0",
+ "profile": "unknown"
+ },
+ "worker": {
+ "cpu_time": 0,
+ "status": "unknown",
+ "subrequest": false,
+ "subrequest_count": 0
+ },
+ "zone": {
+ "id": 155978002
+ }
+ },
+ "data_stream": {
+ "dataset": "cloudflare.logpull",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "bytes": 2848
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "elastic_agent": {
+ "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": "network",
+ "created": "2021-12-30T04:59:20.268Z",
+ "dataset": "cloudflare.logpull",
+ "duration": 0,
+ "end": "2019-08-02T15:29:08.000Z",
+ "ingested": "2021-12-30T04:59:21Z",
+ "kind": "event",
+ "original": "{\"CacheCacheStatus\":\"unknown\",\"CacheResponseBytes\":0,\"CacheResponseStatus\":0,\"CacheTieredFill\":false,\"ClientASN\":15169,\"ClientCountry\":\"us\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"35.232.161.245\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":2577,\"ClientRequestHost\":\"cf-analytics.com\",\"ClientRequestMethod\":\"POST\",\"ClientRequestPath\":\"/wp-cron.php\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestURI\":\"/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestUserAgent\":\"WordPress/5.2.2;https://cf-analytics.com\",\"ClientSSLCipher\":\"ECDHE-ECDSA-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.2\",\"ClientSrcPort\":55028,\"EdgeColoID\":14,\"EdgeEndTimestamp\":\"2019-08-02T15:29:08Z\",\"EdgePathingOp\":\"chl\",\"EdgePathingSrc\":\"filterBasedFirewall\",\"EdgePathingStatus\":\"captchaNew\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"\",\"EdgeResponseBytes\":2848,\"EdgeResponseCompressionRatio\":2.64,\"EdgeResponseContentType\":\"text/html\",\"EdgeResponseStatus\":403,\"EdgeServerIP\":\"\",\"EdgeStartTimestamp\":\"2019-08-02T15:29:08Z\",\"FirewallMatchesActions\":[\"simulate\",\"challenge\"],\"FirewallMatchesRuleIDs\":[\"094b71fea25d4860a61fa0c6fbbd8d8b\",\"e454fd4a0ce546b3a9a462536613692c\"],\"FirewallMatchesSources\":[\"firewallRules\",\"firewallRules\"],\"OriginIP\":\"\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"00\",\"RayID\":\"500115ec386354d8\",\"SecurityLevel\":\"med\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":
false,\"WorkerSubrequestCount\":0,\"ZoneID\":155978002}",
+ "start": "2019-08-02T15:29:08.000Z"
+ },
+ "http": {
+ "request": {
+ "bytes": 2577,
+ "method": "POST",
+ "referrer": "https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000"
+ },
+ "response": {
+ "bytes": 2848,
+ "status_code": 403
+ },
+ "version": "1.1"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "network": {
+ "bytes": 5425,
+ "protocol": "http",
+ "transport": "tcp"
+ },
+ "observer": {
+ "type": "proxy",
+ "vendor": "cloudflare"
+ },
+ "server": {
+ "bytes": 2848
+ },
+ "source": {
+ "address": "35.232.161.245",
+ "as": {
+ "number": 15169
+ },
+ "bytes": 2577,
+ "geo": {
+ "country_iso_code": "us"
+ },
+ "ip": "35.232.161.245",
+ "port": 55028
+ },
+ "tags": [
+ "forwarded",
+ "cloudflare-logpull",
+ "preserve_original_event"
+ ],
+ "tls": {
+ "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256",
+ "version": "1.2",
+ "version_protocol": "tls"
+ },
+ "url": {
+ "domain": "cf-analytics.com",
+ "extension": "php",
+ "full": "https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000",
+ "original": "/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000",
+ "path": "/wp-cron.php",
+ "query": "doing_wp_cron=1564759748.3962020874023437500000",
+ "scheme": "https"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Spider"
+ },
+ "name": "WordPress",
+ "original": "WordPress/5.2.2;https://cf-analytics.com",
+ "version": "5.2.2"
+ }
+}
+```
diff --git a/packages/cloudflare/2.1.1/img/cf-logo-v.svg b/packages/cloudflare/2.1.1/img/cf-logo-v.svg
new file mode 100755
index 0000000000..35c7495a8a
--- /dev/null
+++ b/packages/cloudflare/2.1.1/img/cf-logo-v.svg
@@ -0,0 +1,50 @@
+
+
+
diff --git a/packages/cloudflare/2.1.1/img/cloudflare-performance.png b/packages/cloudflare/2.1.1/img/cloudflare-performance.png
new file mode 100755
index 0000000000..6c703e688d
Binary files /dev/null and b/packages/cloudflare/2.1.1/img/cloudflare-performance.png differ
diff --git a/packages/cloudflare/2.1.1/img/cloudflare-performance2.png b/packages/cloudflare/2.1.1/img/cloudflare-performance2.png
new file mode 100755
index 0000000000..e1b4509987
Binary files /dev/null and b/packages/cloudflare/2.1.1/img/cloudflare-performance2.png differ
diff --git a/packages/cloudflare/2.1.1/img/cloudflare-reliability.png b/packages/cloudflare/2.1.1/img/cloudflare-reliability.png
new file mode 100755
index 0000000000..b0a4dd4b49
Binary files /dev/null and b/packages/cloudflare/2.1.1/img/cloudflare-reliability.png differ
diff --git a/packages/cloudflare/2.1.1/img/cloudflare-security-overview.png b/packages/cloudflare/2.1.1/img/cloudflare-security-overview.png
new file mode 100755
index 0000000000..819196d8c5
Binary files /dev/null and b/packages/cloudflare/2.1.1/img/cloudflare-security-overview.png differ
diff --git a/packages/cloudflare/2.1.1/img/cloudflare-snapshot.png b/packages/cloudflare/2.1.1/img/cloudflare-snapshot.png
new file mode 100755
index 0000000000..60772e5bc3
Binary files /dev/null and b/packages/cloudflare/2.1.1/img/cloudflare-snapshot.png differ
diff --git a/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-095f3a00-23d6-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-095f3a00-23d6-11e9-ba08-c19298cded24.json
new file mode 100755
index 0000000000..cb34d553d1
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-095f3a00-23d6-11e9-ba08-c19298cded24.json
@@ -0,0 +1,117 @@
+{
+ "attributes": {
+ "description": "Get a quick overview of the most important metrics from your websites and applications on the Cloudflare network.\n",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
+ "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"1\",\"w\":11,\"x\":1,\"y\":26},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":7,\"i\":\"2\",\"w\":23,\"x\":1,\"y\":31},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"3\",\"w\":18,\"x\":29,\"y\":13},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"4\",\"w\":12,\"x\":12,\"y\":26},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"5\",\"w\":12,\"x\":35,\"y\":26},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"6\",\"w\":11,\"x\":24,\"y\":26},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"7\",\"w\":23,\"x\":24,\"y\":31},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"8\",\"w\":12,\"x\":1,\"y\":38},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"9\",\"w\":16,\"x\":13,\"y\":38},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\"
:{\"h\":7,\"i\":\"10\",\"w\":18,\"x\":29,\"y\":38},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"11\",\"w\":10,\"x\":1,\"y\":9},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"12\",\"w\":13,\"x\":11,\"y\":9},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"13\",\"w\":11,\"x\":24,\"y\":9},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":12,\"x\":35,\"y\":9},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"16\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"17\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"18\",\"w\":46,\"x\":1,\"y\":22},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"19\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":
\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"84e94c8e-19d9-4dfe-8e37-c43c004c3f05\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"5f05840e-eb7e-45bd-9319-e6746cc4fa49\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Traffic Countries Map [Cloudflare]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"0f8532d1-8c6a-4c1d-900e-8d6eb49112df\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"lucene\\\",\\\"query\\\":\\\"*\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\
\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Traffic Countries Map [Cloudflare]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":9,\"i\":\"bdc0fa59-ea05-4976-983a-70567c1fd2d6\",\"w\":28,\"x\":1,\"y\":13},\"panelIndex\":\"bdc0fa59-ea05-4976-983a-70567c1fd2d6\",\"type\":\"map\",\"version\":\"8.0.0\"}]",
+ "timeRestore": false,
+ "title": "Cloudflare - Snapshot",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-095f3a00-23d6-11e9-ba08-c19298cded24",
+ "migrationVersion": {
+ "dashboard": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-08c86890-2323-11e9-ba08-c19298cded24",
+ "name": "1:panel_1",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-fbfdbb70-2326-11e9-ba08-c19298cded24",
+ "name": "2:panel_2",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-c883c8c0-2326-11e9-ba08-c19298cded24",
+ "name": "3:panel_3",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-27809b60-2326-11e9-ba08-c19298cded24",
+ "name": "4:panel_4",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-97ff6f60-2326-11e9-ba08-c19298cded24",
+ "name": "5:panel_5",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-46d7d4b0-2326-11e9-ba08-c19298cded24",
+ "name": "6:panel_6",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-1bd60ba0-2327-11e9-ba08-c19298cded24",
+ "name": "7:panel_7",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-4d637090-2327-11e9-ba08-c19298cded24",
+ "name": "8:panel_8",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-04dda790-2328-11e9-ba08-c19298cded24",
+ "name": "9:panel_9",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-2962b6f0-2328-11e9-ba08-c19298cded24",
+ "name": "10:panel_10",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-44f03e10-2328-11e9-ba08-c19298cded24",
+ "name": "11:panel_11",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-88d54e70-232a-11e9-ba08-c19298cded24",
+ "name": "12:panel_12",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-2a7aaf40-232b-11e9-ba08-c19298cded24",
+ "name": "13:panel_13",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-88e4a4e0-338a-11e9-ab62-2d2dc754fa8f",
+ "name": "15:panel_15",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f",
+ "name": "16:panel_16",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-31863f00-5b9f-11e9-bd1f-75f359ac0c3f",
+ "name": "17:panel_17",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-4a184a50-5ba8-11e9-bd1f-75f359ac0c3f",
+ "name": "18:panel_18",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f",
+ "name": "19:panel_19",
+ "type": "visualization"
+ },
+ {
+ "id": "logs-*",
+ "name": "bdc0fa59-ea05-4976-983a-70567c1fd2d6:layer_1_source_index_pattern",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-532a64c0-293a-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-532a64c0-293a-11e9-b959-4502c43b2e30.json
new file mode 100755
index 0000000000..36a8a139ec
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-532a64c0-293a-11e9-b959-4502c43b2e30.json
@@ -0,0 +1,92 @@
+{
+ "attributes": {
+ "description": "Get insights on threats to your websites and applications, including number of threats stopped, threats over time, top threat countries, and more.\n",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
+ "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"1\",\"w\":16,\"x\":1,\"y\":9},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"2\",\"w\":15,\"x\":17,\"y\":9},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"3\",\"w\":15,\"x\":32,\"y\":9},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"4\",\"w\":16,\"x\":31,\"y\":14},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":17,\"x\":30,\"y\":32},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":29,\"x\":1,\"y\":32},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"8\",\"w\":46,\"x\":1,\"y\":40},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"9\",\"w\":11,\"x\":20,\"y\":14},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":29,\"x\":1,\"y\":24},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":17,\"x\":30,\"y\":24},\"panelIndex\":\"11\",\
"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"13\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"14\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"15\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"573a3d3e-987d-41b5-a714-2344535c0ca9\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"4d50c3a6-72f9-46f4-bb21-4d54fe1c9842\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Threat Countries Map [Cloudflare]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"25e907ec-31fb-40fe-9a10-49f002b31bf0\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"lucene\\\",\\\"query\\\":\\\"\\\"},\\\"filters\\\":[{\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"},\\\"meta\\\":{\\\"alias\\\":null,\\\"disabled\\\":false,\\\"key\\\":\\\"query\\\",\\\"negate\\\":false,\\\"type\\\":\\\"custom\\\",\\\"value\\\":\\\"{\\\\\\\"bool\\\\\\\":{\\\\\\\"
adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"bic\\\\\\\"}}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":
{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"hot\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"unknown\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"hot\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ip\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"macro\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"unknown\\\\\\\"}}}]}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"macro\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"chl\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"captchaFail\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\
\\\\":\\\\\\\"macro\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"chl\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"jschlFail\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"user\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"zl\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"user\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"us\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"user\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\
"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"rateLimit\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"filterBasedFirewall\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"unknown\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"filterBasedFirewall\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"chl\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"user\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ctry\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{
\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"user\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ip\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"user\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"terms\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":[\\\\\\\"ipr16\\\\\\\",\\\\\\\"ipr24\\\\\\\",\\\\\\\"ip6\\\\\\\",\\\\\\\"ip6r64\\\\\\\",\\\\\\\"ip6r48\\\\\\\",\\\\\\\"ip6r32\\\\\\\"]}}]}}]},\\\\\\\"_source\\\\\\\":{\\\\\\\"excludes\\\\\\\":[],\\\\\\\"includes\\\\\\\":[\\\\\\\"source.geo.region_name\\\\\\\",\\\\\\\"cloudflare.client.ip_class\\\\\\\",\\\\\\\"url.path\\\\\\\",\\\\\\\"cloudflare.client.request.protocol\\\\\\\",\\\\\\\"http.request.referrer\\\\\\\",\\\\\\\"url.full\\\\\\\",\\\\\\\"user_agent.original\\\\\\\",\\\\\\\"cloudflare.client.ssl.cipher\\\\\\\",\\\\\\\"cloudflare.client.ssl.protocol\\\\\\\",\\\\\\\"cloudflare.edge.rate_limit.action\\\\\\\",\\\\\\\"cloudflare.edge.response.content_type\\\\\\\",\\\\\\\"cloudflare.origin.response.http.expires\\\\\\\",\\\\\\\"cloudflare.origin.response.http.last_modified\\
\\\\\",\\\\\\\"cloudflare.origin.ssl.protocol\\\\\\\",\\\\\\\"user_agent.os.full\\\\\\\",\\\\\\\"user_agent.name\\\\\\\",\\\\\\\"cloudflare.waf.action\\\\\\\",\\\\\\\"cloudflare.waf.flags\\\\\\\",\\\\\\\"cloudflare.waf.matched_var\\\\\\\",\\\\\\\"cloudflare.waf.profile\\\\\\\",\\\\\\\"cloudflare.waf.rule.id\\\\\\\",\\\\\\\"cloudflare.waf.rule.message\\\\\\\",\\\\\\\"cloudflare.worker.status\\\\\\\",\\\\\\\"message\\\\\\\",\\\\\\\"tags\\\\\\\"]},\\\\\\\"docvalue_fields\\\\\\\":[{\\\\\\\"field\\\\\\\":\\\\\\\"@timestamp\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"epoch_millis\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"@version\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.cache.status\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.cache.response.bytes\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.cache.response.status\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.cache.tiered.fill\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.as.number\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.country_iso_code\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.device_type\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.city_name\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.continent_name\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.country_code2\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.country_code3\\\\\\\",\\\\\\\"format\\\
\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.country_name\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.dma_code\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"client.ip\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.latitude\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.longitude\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.postal_code\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.region_code\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.timezone\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"http.request.bytes\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"url.domain\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"http.request.method\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"client.port\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.colo.id\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.end.timestamp\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"epoch_millis\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.pathing.op\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.pathing.src\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.pathing.status\\\\\\\",\\\\\\\"fo
rmat\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.rate_limit.id\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.request.host\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"destination.bytes\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.response.compression_ratio\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"http.response.status_code\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"observer.ip\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"@timestamp\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"epoch_millis\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"destination.ip\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"http.response.bytes\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.origin.response.status_code\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.origin.response.time\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.parent.ray_id\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.ray_id\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.security_level\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.build\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.device\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\
\\\\"user_agent.major\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.minor\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.name\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.os_major\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.os_minor\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.patch\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.worker.cpu_time\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.worker.subrequest\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.worker.subrequest_count\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.zone_id\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"}],\\\\\\\"size\\\\\\\":50,\\\\\\\"sort\\\\\\\":[{\\\\\\\"_doc\\\\\\\":{\\\\\\\"order\\\\\\\":\\\\\\\"asc\\\\\\\"}}]}\\\",\\\"index\\\":\\\"logs-*\\\"},\\\"query\\\":{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_p
ure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"bic\\\"}}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"hot\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"unknown\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"hot\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ip\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"macro\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"unknown\\\"}}}]}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"macro\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"chl\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"captchaFail\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adj
ust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"macro\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"chl\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"jschlFail\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"user\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"zl\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"user\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"us\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"user\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"rateLimit\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term
\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"filterBasedFirewall\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"unknown\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"filterBasedFirewall\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"chl\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"user\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ctry\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"user\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ip\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"user\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"terms\\\":{\\\"boost\\\":1,\\\"cloudflare.edge.pathing.status\\\":[\\\"ipr16\\\",\\\"ipr24\\\",\\\"ip6\\\",\\\"
ip6r64\\\",\\\"ip6r48\\\",\\\"ip6r32\\\"]}}]}}]},\\\"_source\\\":{\\\"excludes\\\":[],\\\"includes\\\":[\\\"source.geo.region_name\\\",\\\"cloudflare.client.ip_class\\\",\\\"url.path\\\",\\\"cloudflare.client.request.protocol\\\",\\\"http.request.referrer\\\",\\\"url.full\\\",\\\"user_agent.original\\\",\\\"cloudflare.client.ssl.cipher\\\",\\\"cloudflare.client.ssl.protocol\\\",\\\"cloudflare.edge.rate_limit.action\\\",\\\"cloudflare.edge.response.content_type\\\",\\\"cloudflare.origin.response.http.expires\\\",\\\"cloudflare.origin.response.http.last_modified\\\",\\\"cloudflare.origin.ssl.protocol\\\",\\\"user_agent.os.full\\\",\\\"user_agent.name\\\",\\\"cloudflare.waf.action\\\",\\\"cloudflare.waf.flags\\\",\\\"cloudflare.waf.matched_var\\\",\\\"cloudflare.waf.profile\\\",\\\"cloudflare.waf.rule.id\\\",\\\"cloudflare.waf.rule.message\\\",\\\"cloudflare.worker.status\\\",\\\"message\\\",\\\"tags\\\"]},\\\"docvalue_fields\\\":[{\\\"field\\\":\\\"@timestamp\\\",\\\"format\\\":\\\"epoch_millis\\\"},{\\\"field\\\":\\\"@version\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.cache.status\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.cache.response.bytes\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.cache.response.status\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.cache.tiered.fill\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.as.number\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.country_iso_code\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.device_type\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.city_name\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.continent_name\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.country_code2\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"
field\\\":\\\"source.geo.country_code3\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.country_name\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.dma_code\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"client.ip\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.latitude\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.longitude\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.postal_code\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.region_code\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.timezone\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"http.request.bytes\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"url.domain\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"http.request.method\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"client.port\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.colo.id\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.end.timestamp\\\",\\\"format\\\":\\\"epoch_millis\\\"},{\\\"field\\\":\\\"cloudflare.edge.pathing.op\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.pathing.src\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.pathing.status\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.rate_limit.id\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.request.host\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"destination.bytes\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.response.compression_ratio\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"http.response.status_code\\\",\\\"format\\\":\\\"use_
field_mapping\\\"},{\\\"field\\\":\\\"observer.ip\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"@timestamp\\\",\\\"format\\\":\\\"epoch_millis\\\"},{\\\"field\\\":\\\"destination.ip\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"http.response.bytes\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.origin.response.status_code\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.origin.response.time\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.parent.ray_id\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.ray_id\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.security_level\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.build\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.device\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.major\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.minor\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.name\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.os_major\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.os_minor\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.patch\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.worker.cpu_time\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.worker.subrequest\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.worker.subrequest_count\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.zone_id\\\",\\\"format\\\":\\\"use_field_mapping\\\"}],\\\"size\\\":50,\\\"sort\\\":[{\\\"_doc\\\":{\\\"order\\\":\\\"asc\\\"}}]}}],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\
\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Threat Countries Map [Cloudflare]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":10,\"i\":\"240814e0-fc79-4c27-af94-fa9df006d441\",\"w\":19,\"x\":1,\"y\":14},\"panelIndex\":\"240814e0-fc79-4c27-af94-fa9df006d441\",\"type\":\"map\",\"version\":\"8.0.0\"}]",
+ "timeRestore": false,
+ "title": "Cloudflare - Security (Overview)",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-532a64c0-293a-11e9-b959-4502c43b2e30",
+ "migrationVersion": {
+ "dashboard": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-44f03e10-2328-11e9-ba08-c19298cded24",
+ "name": "1:panel_1",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-fc9df390-293b-11e9-b959-4502c43b2e30",
+ "name": "2:panel_2",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-88e4a4e0-338a-11e9-ab62-2d2dc754fa8f",
+ "name": "3:panel_3",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-0ca03f10-338b-11e9-ab62-2d2dc754fa8f",
+ "name": "4:panel_4",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-7a021b50-39d0-11e9-bd1f-75f359ac0c3f",
+ "name": "6:panel_6",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-bf9032b0-39d0-11e9-bd1f-75f359ac0c3f",
+ "name": "7:panel_7",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-ff3ba2f0-39d0-11e9-bd1f-75f359ac0c3f",
+ "name": "8:panel_8",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-ae0c98c0-39d1-11e9-bd1f-75f359ac0c3f",
+ "name": "9:panel_9",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-24815750-39de-11e9-bd1f-75f359ac0c3f",
+ "name": "10:panel_10",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-d9890140-3a9a-11e9-bd1f-75f359ac0c3f",
+ "name": "11:panel_11",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f",
+ "name": "13:panel_13",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-97868680-5ba8-11e9-bd1f-75f359ac0c3f",
+ "name": "14:panel_14",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f",
+ "name": "15:panel_15",
+ "type": "visualization"
+ },
+ {
+ "id": "logs-*",
+ "name": "240814e0-fc79-4c27-af94-fa9df006d441:layer_1_source_index_pattern",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-5a5d6b80-49b9-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-5a5d6b80-49b9-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..548a6b2545
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-5a5d6b80-49b9-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,57 @@
+{
+ "attributes": {
+ "description": "Get insights into your most popular hostnames, most requested content types, breakdown of request methods, and connection type.\n",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
+ "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":46,\"x\":1,\"y\":21},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"2\",\"w\":46,\"x\":1,\"y\":33},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"3\",\"w\":46,\"x\":1,\"y\":44},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":46,\"x\":1,\"y\":9},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"5\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"6\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"8\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]",
+ "timeRestore": false,
+ "title": "Cloudflare - Performance (Hostname, Content Type, Request Methods, Connection Type)",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-5a5d6b80-49b9-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "dashboard": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-9bb4fa90-49b8-11e9-bd1f-75f359ac0c3f",
+ "name": "1:panel_1",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-b937c200-49b8-11e9-bd1f-75f359ac0c3f",
+ "name": "2:panel_2",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-f109c430-49b8-11e9-bd1f-75f359ac0c3f",
+ "name": "3:panel_3",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-15b60010-49b8-11e9-bd1f-75f359ac0c3f",
+ "name": "4:panel_4",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f",
+ "name": "5:panel_5",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f",
+ "name": "6:panel_6",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-18490820-5bad-11e9-bd1f-75f359ac0c3f",
+ "name": "8:panel_8",
+ "type": "visualization"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-8d730ba0-3aa6-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-8d730ba0-3aa6-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..ad53a143a9
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-8d730ba0-3aa6-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,117 @@
+{
+ "attributes": {
+ "description": "Identify and address performance issues and caching misconfigurations. Metrics include total vs. cached bandwidth, saved bandwidth, total requests, cache ratio, top uncached requests, and more.\n",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
+ "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":10,\"x\":1,\"y\":12},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"2\",\"w\":13,\"x\":11,\"y\":12},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"3\",\"w\":13,\"x\":24,\"y\":12},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":14,\"x\":1,\"y\":28},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"5\",\"w\":14,\"x\":15,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":18,\"x\":29,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"7\",\"w\":25,\"x\":1,\"y\":44},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8\",\"w\":21,\"x\":26,\"y\":44},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"9\",\"w\":21,\"x\":26,\"y\":50},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"12\",\"w\":24,\"x\":1,\"y\":16},\"panelIndex\":\"12\",\"
panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"13\",\"w\":22,\"x\":25,\"y\":16},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"14\",\"w\":25,\"x\":1,\"y\":32},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"15\",\"w\":21,\"x\":26,\"y\":32},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"16\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":3,\"i\":\"17\",\"w\":46,\"x\":1,\"y\":9},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":3,\"i\":\"18\",\"w\":46,\"x\":1,\"y\":25},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":3,\"i\":\"19\",\"w\":46,\"x\":1,\"y\":41},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"20\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"21\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]",
+ "timeRestore": false,
+ "title": "Cloudflare - Performance (Requests, Bandwidth, Cache)",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-8d730ba0-3aa6-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "dashboard": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-44f03e10-2328-11e9-ba08-c19298cded24",
+ "name": "1:panel_1",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-afb4a590-3aa4-11e9-bd1f-75f359ac0c3f",
+ "name": "2:panel_2",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-df169f00-3aa4-11e9-bd1f-75f359ac0c3f",
+ "name": "3:panel_3",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-88d54e70-232a-11e9-ba08-c19298cded24",
+ "name": "4:panel_4",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-2a7aaf40-232b-11e9-ba08-c19298cded24",
+ "name": "5:panel_5",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-9c3821d0-3aa5-11e9-bd1f-75f359ac0c3f",
+ "name": "6:panel_6",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-f982c5b0-3aa6-11e9-bd1f-75f359ac0c3f",
+ "name": "7:panel_7",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-14b05280-3aa7-11e9-bd1f-75f359ac0c3f",
+ "name": "8:panel_8",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-34fce850-3aa7-11e9-bd1f-75f359ac0c3f",
+ "name": "9:panel_9",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-3091d520-4991-11e9-bd1f-75f359ac0c3f",
+ "name": "12:panel_12",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-12308c30-499f-11e9-bd1f-75f359ac0c3f",
+ "name": "13:panel_13",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-d4b02760-49a0-11e9-bd1f-75f359ac0c3f",
+ "name": "14:panel_14",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-3486e5a0-49a8-11e9-bd1f-75f359ac0c3f",
+ "name": "15:panel_15",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f",
+ "name": "16:panel_16",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-d2ceb1c0-5baa-11e9-bd1f-75f359ac0c3f",
+ "name": "17:panel_17",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-30f664a0-5bab-11e9-bd1f-75f359ac0c3f",
+ "name": "18:panel_18",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-463abaa0-5bab-11e9-bd1f-75f359ac0c3f",
+ "name": "19:panel_19",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f",
+ "name": "20:panel_20",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-9443bac0-5bac-11e9-bd1f-75f359ac0c3f",
+ "name": "21:panel_21",
+ "type": "visualization"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-9c4c3100-39df-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-9c4c3100-39df-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..1799a88fd7
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-9c4c3100-39df-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,92 @@
+{
+ "attributes": {
+ "description": "Get insights on the availability of your websites and applications. Metrics include origin response error ratio, origin response status over time, percentage of 3xx/4xx/5xx errors over time, and more.\n",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
+ "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":34,\"x\":1,\"y\":18},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":34,\"x\":1,\"y\":26},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"3\",\"w\":15,\"x\":31,\"y\":9},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"4\",\"w\":17,\"x\":29,\"y\":37},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"6\",\"w\":28,\"x\":1,\"y\":37},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"7\",\"w\":28,\"x\":1,\"y\":46},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"8\",\"w\":17,\"x\":29,\"y\":46},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":11,\"x\":35,\"y\":26},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":11,\"x\":35,\"y\":18},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"11\",\"w\":30,\"x\":1,\"y\":9},\"panelIndex\":\"11\",\
"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"12\",\"w\":45,\"x\":1,\"y\":4},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"13\",\"w\":38,\"x\":8,\"y\":0},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"14\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":3,\"i\":\"15\",\"w\":45,\"x\":1,\"y\":34},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]",
+ "timeRestore": false,
+ "title": "Cloudflare - Reliability",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-9c4c3100-39df-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "dashboard": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-4dd166d0-39df-11e9-bd1f-75f359ac0c3f",
+ "name": "1:panel_1",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-7ded6170-39df-11e9-bd1f-75f359ac0c3f",
+ "name": "2:panel_2",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-619d5830-39e0-11e9-bd1f-75f359ac0c3f",
+ "name": "3:panel_3",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-085f1f60-39e0-11e9-bd1f-75f359ac0c3f",
+ "name": "4:panel_4",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-c08a2fd0-39e0-11e9-bd1f-75f359ac0c3f",
+ "name": "6:panel_6",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-ec96e3c0-39e0-11e9-bd1f-75f359ac0c3f",
+ "name": "7:panel_7",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-18e2eaa0-39e1-11e9-bd1f-75f359ac0c3f",
+ "name": "8:panel_8",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-d53f1d70-39e8-11e9-bd1f-75f359ac0c3f",
+ "name": "9:panel_9",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-9a9d1910-39ed-11e9-bd1f-75f359ac0c3f",
+ "name": "10:panel_10",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-ba09b9b0-39ee-11e9-bd1f-75f359ac0c3f",
+ "name": "11:panel_11",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f",
+ "name": "12:panel_12",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-7a7515f0-5b91-11e9-bd1f-75f359ac0c3f",
+ "name": "13:panel_13",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f",
+ "name": "14:panel_14",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-ba3b0120-5b93-11e9-bd1f-75f359ac0c3f",
+ "name": "15:panel_15",
+ "type": "visualization"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-a35b4880-49a9-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-a35b4880-49a9-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..a9662ea58c
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-a35b4880-49a9-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,57 @@
+{
+ "attributes": {
+ "description": "Get insights into the performance of your static and dynamic content, including slowest URLs.",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
+ "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"1\",\"w\":46,\"x\":1,\"y\":9},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"2\",\"w\":46,\"x\":1,\"y\":19},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"3\",\"w\":46,\"x\":1,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"4\",\"w\":46,\"x\":1,\"y\":42},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"5\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"7\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]",
+ "timeRestore": false,
+ "title": "Cloudflare - Performance (Static vs. Dynamic Content)",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-a35b4880-49a9-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "dashboard": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-8bd59600-3aab-11e9-bd1f-75f359ac0c3f",
+ "name": "1:panel_1",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-d6fd64a0-3aab-11e9-bd1f-75f359ac0c3f",
+ "name": "2:panel_2",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-2523f5e0-49b6-11e9-bd1f-75f359ac0c3f",
+ "name": "3:panel_3",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-fc4f9420-49b6-11e9-bd1f-75f359ac0c3f",
+ "name": "4:panel_4",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f",
+ "name": "5:panel_5",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-58498820-5bab-11e9-bd1f-75f359ac0c3f",
+ "name": "6:panel_6",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f",
+ "name": "7:panel_7",
+ "type": "visualization"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-b221c710-2963-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-b221c710-2963-11e9-b959-4502c43b2e30.json
new file mode 100755
index 0000000000..729b9536a3
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-b221c710-2963-11e9-b959-4502c43b2e30.json
@@ -0,0 +1,57 @@
+{
+ "attributes": {
+ "description": "Get insights on rate limiting protection against denial-of-service attacks, brute-force login attempts, and other types of abusive behavior targeted at your websites or applications.",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
+ "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":46,\"x\":1,\"y\":9},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"2\",\"w\":23,\"x\":1,\"y\":16},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"3\",\"w\":46,\"x\":1,\"y\":25},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"4\",\"w\":23,\"x\":24,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"5\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"7\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]",
+ "timeRestore": false,
+ "title": "Cloudflare - Security (Rate Limiting)",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-b221c710-2963-11e9-b959-4502c43b2e30",
+ "migrationVersion": {
+ "dashboard": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-87c0c0f0-295b-11e9-b959-4502c43b2e30",
+ "name": "1:panel_1",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-9a285cd0-295b-11e9-b959-4502c43b2e30",
+ "name": "2:panel_2",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-fe404730-2962-11e9-b959-4502c43b2e30",
+ "name": "3:panel_3",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-3ef426c0-2963-11e9-b959-4502c43b2e30",
+ "name": "4:panel_4",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f",
+ "name": "5:panel_5",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-39ffbca0-5baa-11e9-bd1f-75f359ac0c3f",
+ "name": "6:panel_6",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f",
+ "name": "7:panel_7",
+ "type": "visualization"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-ded7e2c0-2955-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-ded7e2c0-2955-11e9-b959-4502c43b2e30.json
new file mode 100755
index 0000000000..2c678190bc
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/dashboard/cloudflare-ded7e2c0-2955-11e9-b959-4502c43b2e30.json
@@ -0,0 +1,77 @@
+{
+ "attributes": {
+ "description": "Get insights on threat identification and mitigation by our Web Application Firewall, including events like SQL injections, XSS, and more. Use this data to fine tune the firewall to target obvious threats and prevent false positives.\n",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
+ "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"1\",\"w\":46,\"x\":1,\"y\":34},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"2\",\"w\":29,\"x\":18,\"y\":23},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"3\",\"w\":17,\"x\":1,\"y\":23},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":18,\"x\":29,\"y\":9},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"5\",\"w\":11,\"x\":18,\"y\":9},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"6\",\"w\":8,\"x\":10,\"y\":9},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":46,\"x\":1,\"y\":15},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8\",\"w\":9,\"x\":1,\"y\":9},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"9\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"10\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"10\",\"panelRefN
ame\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"11\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]",
+ "timeRestore": false,
+ "title": "Cloudflare - Security (WAF)",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-ded7e2c0-2955-11e9-b959-4502c43b2e30",
+ "migrationVersion": {
+ "dashboard": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-4c0a0420-2953-11e9-b959-4502c43b2e30",
+ "name": "1:panel_1",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-123b95b0-2953-11e9-b959-4502c43b2e30",
+ "name": "2:panel_2",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-8b2c78d0-2954-11e9-b959-4502c43b2e30",
+ "name": "3:panel_3",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-70880ea0-2953-11e9-b959-4502c43b2e30",
+ "name": "4:panel_4",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-b7d29880-2952-11e9-b959-4502c43b2e30",
+ "name": "5:panel_5",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-fc9df390-293b-11e9-b959-4502c43b2e30",
+ "name": "6:panel_6",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-23b58b50-2955-11e9-b959-4502c43b2e30",
+ "name": "7:panel_7",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-44f03e10-2328-11e9-ba08-c19298cded24",
+ "name": "8:panel_8",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f",
+ "name": "9:panel_9",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-2820f540-5ba9-11e9-bd1f-75f359ac0c3f",
+ "name": "10:panel_10",
+ "type": "visualization"
+ },
+ {
+ "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f",
+ "name": "11:panel_11",
+ "type": "visualization"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/search/cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3.json b/packages/cloudflare/2.1.1/kibana/search/cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3.json
new file mode 100755
index 0000000000..0e79f4e006
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/search/cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "columns": [],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":[\"cloudflare.logpull\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.logpull\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
+ },
+ "sort": [],
+ "title": "Discover [Cloudflare]",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
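Review bot: `description` is left empty on this saved search even though every visualization in the following hunks references it as `search_0`, so the dataset pin it carries (`data_stream.dataset` phrases filter on `cloudflare.logpull`) is invisible in the Kibana UI and nobody editing the visualizations is told what base set they inherit. Suggest `"description": "All Cloudflare Logpull events (data_stream.dataset: cloudflare.logpull); base search shared by the Cloudflare visualizations."`. `columns: []` and `sort: []` are fine for a base search, but the description should say that the filter is the only thing the search contributes.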
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-04dda790-2328-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-04dda790-2328-11e9-ba08-c19298cded24.json
new file mode 100755
index 0000000000..6deef7fada
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-04dda790-2328-11e9-ba08-c19298cded24.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Traffic IPs [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Traffic IPs\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-04dda790-2328-11e9-ba08-c19298cded24",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
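Review bot: The `searchSourceJSON` query of this visualization is the lucene string `*`, while the sibling visualizations in the later hunks (Top Countries - Reliability, Cache Status Ratio, Client Requests by Hostname Over Time) use the empty query `""` for the same "everything from search_0" intent; the Traffic Type visualization repeats the `*` form. Kibana should treat both as match-all, so this is a consistency point rather than a bug, but one convention keeps the exports diffable and avoids a reviewer wondering whether `*` was meant to widen the search. I would change it to `"searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"` here and in the Traffic Type file.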
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-085f1f60-39e0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-085f1f60-39e0-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..89833b34a5
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-085f1f60-39e0-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Countries - Reliability [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Top Countries - Reliability\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-085f1f60-39e0-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-08c86890-2323-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-08c86890-2323-11e9-ba08-c19298cded24.json
new file mode 100755
index 0000000000..51c24c2d0e
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-08c86890-2323-11e9-ba08-c19298cded24.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Traffic Type [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.device_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Traffic Type\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-08c86890-2323-11e9-ba08-c19298cded24",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-0ca03f10-338b-11e9-ab62-2d2dc754fa8f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-0ca03f10-338b-11e9-ab62-2d2dc754fa8f.json
new file mode 100755
index 0000000000..09f8427894
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-0ca03f10-338b-11e9-ab62-2d2dc754fa8f.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_field_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"s
ource.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"}
,{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negativ
e\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"ad
just_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\"
:1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Threat Client IPs [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Threat Client IPs\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-0ca03f10-338b-11e9-ab62-2d2dc754fa8f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
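Review bot: The single filter in this visualization's `searchSourceJSON` is `type: custom` with `key: size`, and its body is an entire search request — `_source.includes`, a long `docvalue_fields` list, `size: 50` and `sort` — wrapped around the part that actually filters, a deeply nested `bool` over `cloudflare.edge.pathing.src`/`op`/`status`. Only the `bool` predicate affects what "Top Threat Client IPs" counts; the rest is dead weight that makes the threat definition hard to audit and easy to break on the next edit, so consider reducing the filter to the `bool` clause. Since `description` is empty, state the criterion there, e.g. `"description": "Client IPs whose requests Cloudflare edge pathing recorded as banned or challenged (pathing.op ban/chl with the listed src/status combinations)."`. The `docvalue_fields` list also names fields such as `@version`, `source.geo.country_code2` and `source.geo.dma_code` that appear nowhere else in these hunks — presumably carried over from an older export; verify they exist in the package's field mappings before keeping them.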
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-12308c30-499f-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-12308c30-499f-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..0476c0cc63
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-12308c30-499f-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{}"
+ },
+ "title": "Total Requests vs. Origin Requests in rps last 24 hours [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(104,204,202,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset : \\\"cloudflare.log\\\"\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"total requests\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(253,161,255,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset : \\\"cloudflare.log\\\" AND cloudflare.origin.response.status_code:\\u003e0\"},\"formatter\":\"number\",\"id\":\"fca6dbb0-4991-11e9-b6ee-0784825b4ddc\",\"label\":\"origin requests\",\"line_width\":1,\"metrics\":[{\"id\":\"fca6dbb1-4991-11e9-b6ee-0784825b4ddc\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Total Requests vs. Origin Requests in rps last 24 hours\",\"type\":\"metrics\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-12308c30-499f-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
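Review bot: Both series in this TSVB `visState` filter on `data_stream.dataset : \"cloudflare.log\"`, but the saved search the other visualizations hang off pins `data_stream.dataset` to `cloudflare.logpull`; if `cloudflare.logpull` is the real dataset name, both the "total requests" and "origin requests" series will be empty. Align the two series filters with the search, `\"query\":\"data_stream.dataset : \\\"cloudflare.logpull\\\"\"` (and the same with the `cloudflare.origin.response.status_code:\u003e0` suffix), or fix the search if `cloudflare.log` is correct — either way the two files should agree. Separately, the `references` entry named `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index` points into a `searchSourceJSON` of `{}`, so it appears to reference nothing; with `use_kibana_indexes` false TSVB reads `index_pattern` from `visState` directly, which suggests the entry is a leftover — confirm whether package validation needs it before removing it.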
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-123b95b0-2953-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-123b95b0-2953-11e9-b959-4502c43b2e30.json
new file mode 100755
index 0000000000..8632157d21
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-123b95b0-2953-11e9-b959-4502c43b2e30.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top WAF Rules Triggered [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.waf.rule.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.waf.rule.message\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top WAF Rules Triggered\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-123b95b0-2953-11e9-b959-4502c43b2e30",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-14b05280-3aa7-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-14b05280-3aa7-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..320a2be360
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-14b05280-3aa7-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Cache Status Ratio [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.cache.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Cache Status Ratio\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-14b05280-3aa7-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-15b60010-49b8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-15b60010-49b8-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..aa891dd0e0
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-15b60010-49b8-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Client Requests by Hostname Over Time [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-24h\",\"mode\":\"quick\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"url.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Client Requests by Hostname Over Time\",\"type\":\"area\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-15b60010-49b8-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
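Review bot: In the `seriesParams` of visState at L6615 the `show` flag is stored as the string `"true"` (`\"show\":\"true\"`) while every neighbouring flag (`showCircles`, `drawLinesBetweenPoints`, `addLegend`) is a real boolean; a non-empty string is truthy so the series renders today, but it is the kind of value a stricter saved-object validation could reject, and it reads as a typo. Change it to `\"show\":true`. The same string-typed flag appears in WAF Events Over Time (L6746) and Threats Over Time (L6789). The `timeRange` snapshot (`now-24h`) saved inside the `date_histogram` params here and at L6789 looks like stale export state that, as far as I know, Kibana overrides with the dashboard time picker at render time, so it is harmless but could be dropped from the committed asset.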
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-18490820-5bad-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-18490820-5bad-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..4c32681062
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-18490820-5bad-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "title": "Origin Requests By Hostname - Content Type - Request Methods - Connection Type - text [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Origin Requests By Hostname - Content Type - Request Methods - Connection Type**\",\"openLinksInNewTab\":false},\"title\":\"Origin Requests By Hostname - Content Type - Request Methods - Connection Type - text\",\"type\":\"markdown\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-18490820-5bad-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
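Review bot: The `data_stream.dataset` filter in searchSourceJSON at L6642 is a `phrase` filter whose value is `cloudflare.log*`; in a `match_phrase` clause the `*` is a literal character rather than a wildcard, so as far as I can tell this filter would only match documents whose dataset is exactly the string `cloudflare.log*`. For this markdown panel (`aggs` is empty) the filter and the `logs-*` index-pattern reference have no effect, so they are dead configuration that still has to survive every saved-object migration. Either drop the filter and the reference, or replace the value with the dataset name the package actually defines (placeholder: `cloudflare.<dataset>`) so the intent is recoverable. The same literal-wildcard filter is in the second markdown panel, cloudflare-2820f540-5ba9-11e9-bd1f-75f359ac0c3f.json (L6892).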
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-18e2eaa0-39e1-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-18e2eaa0-39e1-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..80c716cb4f
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-18e2eaa0-39e1-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Hostnames - Reliability [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Top Hostnames - Reliability\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-18e2eaa0-39e1-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-1bd60ba0-2327-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-1bd60ba0-2327-11e9-ba08-c19298cded24.json
new file mode 100755
index 0000000000..bb6bae84f4
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-1bd60ba0-2327-11e9-ba08-c19298cded24.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Referrer [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"http.request.referrer\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Referrer\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-1bd60ba0-2327-11e9-ba08-c19298cded24",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-23b58b50-2955-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-23b58b50-2955-11e9-b959-4502c43b2e30.json
new file mode 100755
index 0000000000..89ecd8bd19
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-23b58b50-2955-11e9-b959-4502c43b2e30.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "WAF Events Over Time [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"WAF Events Over Time\",\"type\":\"line\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-23b58b50-2955-11e9-b959-4502c43b2e30",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
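Review bot: The negated WAF filter at L6740 is written in the legacy `match` form with a `type` parameter (`{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}`), whereas the other filters in this commit (L6642, L6821) use `match_phrase`. The `type` parameter of the `match` query was deprecated and later removed from Elasticsearch, so this clause only works because Kibana rewrites legacy phrase filters before sending them; that rewrite is an implementation detail I would not rely on in a committed asset. Re-saving the visualization from a current Kibana should emit `{\"match_phrase\":{\"cloudflare.waf.action\":\"unknown\"}}` in its place.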
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-24815750-39de-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-24815750-39de-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..4c8bfdee9d
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-24815750-39de-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_field_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"s
ource.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"}
,{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negativ
e\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"ad
just_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\"
:1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Threats Over Time [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-24h\",\"mode\":\"quick\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Threats Over Time\",\"type\":\"line\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-24815750-39de-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
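Review bot: The custom filter spanning L6778–L6783 embeds what looks like a complete search request body — `_source.includes`, a long `docvalue_fields` list, `size: 50` and a `sort` — alongside the `query` clause it is meant to carry; Kibana consumes only a custom filter's `query`, so those extra keys are dead weight that bloats every dashboard load and any future migration of this object. The `docvalue_fields` entries also name fields that look like pre-ECS, Logstash-era names (`@version`, `source.geo.country_code2`, `user_agent.os_major`) and probably do not exist in this data stream — worth confirming against the package's field definitions. I would trim the filter to its `$state`, `meta` and `query` keys, keeping only the nested `bool` that selects the ban/challenge pathing outcomes, and re-export it from Kibana so the stored JSON matches what the UI would produce.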
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-2523f5e0-49b6-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-2523f5e0-49b6-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..88e454e5d7
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-2523f5e0-49b6-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":false,\"params\":[\"bypass\",\"unknown\"],\"type\":\"phrases\",\"value\":\"bypass, unknown\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"bypass\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"unknown\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Slowest URIs by cumulative time to first byte for dynamic requests [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"average_response_time\",\"field\":\"cloudflare.origin.response.time\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"wait_time\",\"field\":\"cloudflare.origin.response.time\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"field\":\"cloudflare.origin.response.time\",\"percents\":[99,99.9]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"9\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Slowest URIs by cumulative time to first byte for dynamic requests\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-2523f5e0-49b6-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-27809b60-2326-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-27809b60-2326-11e9-ba08-c19298cded24.json
new file mode 100755
index 0000000000..6c74a813b4
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-27809b60-2326-11e9-ba08-c19298cded24.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "HTTP Protocols [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"http.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"HTTP Protocols\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-27809b60-2326-11e9-ba08-c19298cded24",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-2820f540-5ba9-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-2820f540-5ba9-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..68286ce235
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-2820f540-5ba9-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "title": "WAF Events triggered by the Web Application Firewall - text [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**WAF - Events triggered by the Web Application Firewall**\",\"openLinksInNewTab\":false},\"title\":\"WAF Events triggered by the Web Application Firewall - text\",\"type\":\"markdown\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-2820f540-5ba9-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-2962b6f0-2328-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-2962b6f0-2328-11e9-ba08-c19298cded24.json
new file mode 100755
index 0000000000..1b27233b9e
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-2962b6f0-2328-11e9-ba08-c19298cded24.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top User Agents [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top User Agents\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-2962b6f0-2328-11e9-ba08-c19298cded24",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-2a7aaf40-232b-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-2a7aaf40-232b-11e9-ba08-c19298cded24.json
new file mode 100755
index 0000000000..636f5f2e54
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-2a7aaf40-232b-11e9-ba08-c19298cded24.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":false,\"params\":[\"hit\",\"stale\",\"updating\",\"ignored\",\"revalidated\"],\"type\":\"phrases\",\"value\":\"hit, stale, updating, ignored, revalidated\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"hit\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"stale\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"updating\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"ignored\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"revalidated\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Cached Bandwidth [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Cached Bandwidth\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Cached Bandwidth\",\"type\":\"metric\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-2a7aaf40-232b-11e9-ba08-c19298cded24",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
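Review bot: The set of cache statuses treated as "cached" here (`hit`, `stale`, `updating`, `ignored`, `revalidated`) differs from the `cached requests` series in cloudflare-3091d520, which omits `revalidated`, so the Cached Bandwidth metric and the cached-vs-uncached chart will disagree on the same data. Pick one definition and use it in both panels; presumably `revalidated` belongs with the cached set, in which case the other panel's series filter should become `cloudflare.cache.status:(hit OR stale OR updating OR ignored OR revalidated)`. A short `description` on each saved object naming the statuses counted as cached would keep the two panels from drifting again.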
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-3091d520-4991-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-3091d520-4991-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..42cd820659
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-3091d520-4991-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{}"
+ },
+ "title": "Total number of requests vs cached vs uncached over time [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(104,204,202,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset : \\\"cloudflare.log\\\"\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"total requests\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"#68BC00\",\"filter\":{\"language\":\"lucene\",\"query\":\"metricset.name:cloudflare.cache.status\"},\"id\":\"e847cce0-4731-11e9-b6ee-0784825b4ddc\",\"label\":\"cached requests\"}],\"split_mode\":\"filter\",\"stacked\":\"none\",\"terms_field\":\"cloudflare.cache.status\",\"terms_order_by\":\"_term\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset : \\\"cloudflare.log\\\" AND cloudflare.cache.status:(hit OR stale OR updating OR ignored)\"},\"formatter\":\"number\",\"id\":\"0d45cce0-498f-11e9-b6ee-0784825b4ddc\",\"label\":\"cached requests\",\"line_width\":1,\"metrics\":[{\"id\":\"0d45cce1-498f-11e9-b6ee-0784825b4ddc\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"#68BC00\",\"id\":\"14053f70-498f-11e9-b6ee-0784825b4ddc\"}],\"split_mode\":\"filter\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset : \\\"cloudflare.log\\\" AND cloudflare.cache.status:(-hit OR -stale OR -updating OR 
-ignored)\"},\"formatter\":\"number\",\"id\":\"3edf18b0-498f-11e9-b6ee-0784825b4ddc\",\"label\":\"uncached requests\",\"line_width\":1,\"metrics\":[{\"id\":\"3edf18b1-498f-11e9-b6ee-0784825b4ddc\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Total number of requests vs cached vs uncached over time\",\"type\":\"metrics\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-3091d520-4991-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
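Review bot: The `total requests` series carries a `split_filters` entry whose query is `metricset.name:cloudflare.cache.status` with the label `cached requests`, while its `split_mode` is `filter`; `metricset.name` is not a field of this log data stream and the entry looks like a leftover from an earlier version of the panel, so it should be removed rather than left for the next editor to puzzle over. The `uncached requests` series filter `cloudflare.cache.status:(-hit OR -stale OR -updating OR -ignored)` relies on each `-` clause being prohibited regardless of the `OR` between them, which is easy to misread; `NOT cloudflare.cache.status:(hit OR stale OR updating OR ignored)` states the intent directly and mirrors the `cached requests` clause. The `cached requests` definition here also omits `revalidated`, which cloudflare-2a7aaf40 counts as cached.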
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-30f664a0-5bab-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-30f664a0-5bab-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..b7bd165e0f
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-30f664a0-5bab-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "title": "Bandwidth - text [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Bandwidth**\",\"openLinksInNewTab\":false},\"title\":\"Bandwidth - text\",\"type\":\"markdown\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-30f664a0-5bab-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-31863f00-5b9f-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-31863f00-5b9f-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..4b321c4b8f
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-31863f00-5b9f-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "title": "Web Traffic Overview - text [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Web Traffic Overview**\",\"openLinksInNewTab\":false},\"title\":\"Web Traffic Overview - text\",\"type\":\"markdown\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-31863f00-5b9f-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-3486e5a0-49a8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-3486e5a0-49a8-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..019a1d489a
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-3486e5a0-49a8-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{}"
+ },
+ "title": "Total Bandwidth vs Origin Bandwidth in Mbps last 24 hours - 7.x [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"c520c1a0-1c6e-11ea-9387-9362a5ae410a\"}],\"bar_color_rules\":[{\"id\":\"c6258770-1c6e-11ea-9387-9362a5ae410a\"}],\"drop_last_bucket\":1,\"gauge_color_rules\":[{\"id\":\"c7b83560-1c6e-11ea-9387-9362a5ae410a\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(104,204,202,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"total bandwidth\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(253,161,255,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"cloudflare.origin.response.status_code:\\u003e0\"},\"formatter\":\"bytes\",\"id\":\"65f93df0-49a7-11e9-a870-03d340338f04\",\"label\":\"origin bandwidth\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"65f93df1-49a7-11e9-a870-03d340338f04\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Total Bandwidth vs Origin Bandwidth in Mbps last 24 hours - 7.x\",\"type\":\"metrics\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-3486e5a0-49a8-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
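Review bot: The `total bandwidth` series has no `filter` and `split_mode` is `everything`, while `index_pattern` is `logs-*` and `use_kibana_indexes` is false, so it averages `destination.bytes` over every document in every `logs-*` data stream rather than only Cloudflare events; the sibling panel cloudflare-3091d520 scopes each series with `data_stream.dataset : \"cloudflare.log\"`, and this series should do the same, e.g. `\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset : \\\"cloudflare.log\\\"\"},` with `\"split_mode\":\"filter\"`. The `origin bandwidth` series is only implicitly scoped by `cloudflare.origin.response.status_code:>0` and would benefit from the same explicit dataset clause. The title `Total Bandwidth vs Origin Bandwidth in Mbps last 24 hours - 7.x` does not describe what is plotted: both metrics are `avg` of `destination.bytes` with a `bytes` formatter, not a rate in Mbps, and the `- 7.x` suffix is stale for an object whose `migrationVersion` is 8.0.0.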
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-34fce850-3aa7-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-34fce850-3aa7-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..84c8378342
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-34fce850-3aa7-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":false,\"params\":{\"query\":\"miss\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"miss\"},\"query\":{\"match\":{\"cloudflare.cache.status\":{\"query\":\"miss\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top URIs with Cache Status Miss [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":30},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top URIs with Cache Status Miss\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-34fce850-3aa7-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-39ffbca0-5baa-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-39ffbca0-5baa-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..8fa929434e
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-39ffbca0-5baa-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "title": "Rate Limiting Get insights into rate limiting events and banned IPs and URIs - text [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Rate Limiting - Get insights into rate limiting events and banned IPs and URIs**\",\"openLinksInNewTab\":false},\"title\":\"Rate Limiting Get insights into rate limiting events and banned IPs and URIs - text\",\"type\":\"markdown\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-39ffbca0-5baa-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-3ef426c0-2963-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-3ef426c0-2963-11e9-b959-4502c43b2e30.json
new file mode 100755
index 0000000000..c441021b2c
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-3ef426c0-2963-11e9-b959-4502c43b2e30.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.edge.rate_limit.action\",\"negate\":false,\"params\":{\"query\":\"ban\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"ban\"},\"query\":{\"match\":{\"cloudflare.edge.rate_limit.action\":{\"query\":\"ban\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Banned Client IPs [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"url.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Banned Client IPs\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-3ef426c0-2963-11e9-b959-4502c43b2e30",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-44f03e10-2328-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-44f03e10-2328-11e9-ba08-c19298cded24.json
new file mode 100755
index 0000000000..12376966f2
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-44f03e10-2328-11e9-ba08-c19298cded24.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Total Number of Requests [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total Number of Requests\",\"type\":\"metric\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-44f03e10-2328-11e9-ba08-c19298cded24",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-463abaa0-5bab-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-463abaa0-5bab-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..c4c92004a3
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-463abaa0-5bab-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "title": "Cache - text [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Cache**\",\"openLinksInNewTab\":false},\"title\":\"Cache - text\",\"type\":\"markdown\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-463abaa0-5bab-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-46d7d4b0-2326-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-46d7d4b0-2326-11e9-ba08-c19298cded24.json
new file mode 100755
index 0000000000..0f0494d481
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-46d7d4b0-2326-11e9-ba08-c19298cded24.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Request Methods [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"http.request.method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Request Methods\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-46d7d4b0-2326-11e9-ba08-c19298cded24",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-4a184a50-5ba8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-4a184a50-5ba8-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..b0d17a8289
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-4a184a50-5ba8-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Web Traffic Types - Text [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Web Traffic Types -\\nGet insight into the various types of traffic and content**\",\"openLinksInNewTab\":false},\"title\":\"Web Traffic Types - Text\",\"type\":\"markdown\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-4a184a50-5ba8-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-4c0a0420-2953-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-4c0a0420-2953-11e9-b959-4502c43b2e30.json
new file mode 100755
index 0000000000..78b0147220
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-4c0a0420-2953-11e9-b959-4502c43b2e30.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "WAF: Top User Agents [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.waf.rule.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user_agent.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"WAF: Top User Agents\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-4c0a0420-2953-11e9-b959-4502c43b2e30",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-4d637090-2327-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-4d637090-2327-11e9-ba08-c19298cded24.json
new file mode 100755
index 0000000000..6bc87a03e7
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-4d637090-2327-11e9-ba08-c19298cded24.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Traffic Type [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.client.ip_class\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Traffic Type\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-4d637090-2327-11e9-ba08-c19298cded24",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-4dd166d0-39df-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-4dd166d0-39df-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..11c85327a6
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-4dd166d0-39df-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Edge Response Status Over Time [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Edge Response Status Over Time\",\"type\":\"area\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-4dd166d0-39df-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
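Review bot: In the `"visState"` string the series entry sets `\"show\":\"true\"` as a string while its sibling `\"showCircles\":true` is a boolean. Kibana appears to treat the string as truthy so the rendered chart is presumably unaffected, but a string here will fail any boolean schema check applied during import or a future migration, and it is the only non-boolean flag in this object; change it to `\"show\":true`. This is the same shape of value the other area charts in the package would be expected to carry, so a quick grep for `\"show\":\"true\"` across the package is worthwhile.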
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-58498820-5bab-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-58498820-5bab-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..8c0b7176a6
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-58498820-5bab-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "title": "Static vs Dynamic Content - text [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Static vs Dynamic Content**\",\"openLinksInNewTab\":false},\"title\":\"Static vs Dynamic Content - text\",\"type\":\"markdown\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-58498820-5bab-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
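Review bot: The filter on the `"searchSourceJSON"` line matches `data_stream.dataset` with `match_phrase` against `cloudflare.log*`, but `match_phrase` does not expand wildcards, so on a keyword field this only matches the literal string `cloudflare.log*` and selects nothing. It has no visible effect on this panel because the markdown visualization has `\"aggs\":[]`, yet it will silently exclude all data if the filter is copied to a data-bearing panel. Either drop the filter from a static markdown panel or replace the value (in both `params.query` and `match_phrase`) with the concrete dataset name, e.g. `\"query\":\"<exact data_stream.dataset value>\"`; if a prefix match is really wanted, a `wildcard`/`prefix` clause is the right query type.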
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-619d5830-39e0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-619d5830-39e0-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..a09615ee11
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-619d5830-39e0-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Client IPs and AS Number - Reliability [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"\",\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.as.number\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Client IPs and AS Number - Reliability\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-619d5830-39e0-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
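Review bot: The `"visState"` line nests two terms aggregations at `\"size\":50` each (outer `client.ip`, inner `source.as.number`) for a table that shows `\"perPage\":10`, so a single refresh can ask Elasticsearch for up to 2,500 buckets over a high-cardinality IP field. On a busy Cloudflare zone that is a noticeable per-request cost for a panel that only shows the top rows; reducing the inner bucket to something like `\"size\":5` or lowering the outer size would keep the "top" semantics with far less work, though the intended view may genuinely need the full cross-product, so I am flagging rather than asserting. Also, the first terms agg carries `\"exclude\":\"\"` while the second does not; the empty exclude is a no-op and can be removed for consistency.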
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-623f3110-338b-11e9-ab62-2d2dc754fa8f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-623f3110-338b-11e9-ab62-2d2dc754fa8f.json
new file mode 100755
index 0000000000..63ad465553
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-623f3110-338b-11e9-ab62-2d2dc754fa8f.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_field_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"s
ource.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"}
,{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negativ
e\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"ad
just_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\"
:1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Threat Countries Map [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"isFilteredByCollar\":true,\"mapCenter\":[0,0],\"mapZoom\":2,\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"\\u003cp\\u003e\\u0026#169; \\u003ca href=\\\"http://www.openstreetmap.org/copyright\\\"\\u003eOpenStreetMap\\u003c/a\\u003e contributors | \\u003ca href=\\\"https://www.elastic.co/elastic-maps-service\\\"\\u003eElastic Maps Service\\u003c/a\\u003e\\u003c/p\\u003e\\u0026#10;\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree\\u0026my_app_name=kibana\\u0026my_app_version=6.5.4\\u0026license=4552d43c-e532-47b1-9552-27fed12f7d1a\"}}},\"title\":\"Top Threat Countries Map\",\"type\":\"tile_map\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "cloudflare-623f3110-338b-11e9-ab62-2d2dc754fa8f",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
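Review bot: This visualization is the only one in the commit left at `"coreMigrationVersion": "7.15.0"` / `"visualization": "7.14.0"` and uses the legacy `\"type\":\"tile_map\"`, whose rendering depends on the legacy maps path rather than the maps saved-object type the other 8.0.0 objects in this package target. The embedded `selectedTmsLayer` in `"visState"` also hardcodes an Elastic Maps Service URL with `my_app_version=6.5.4` and a `license=` query parameter; whether or not that value is sensitive, a shipped package should not pin a third-party tile endpoint and a stale client identifier, and with `\"wms\":{\"enabled\":false}` Kibana can resolve the layer itself, so the `selectedTmsLayer` object can be dropped or the panel converted to a maps saved object. Finally, the `"searchSourceJSON"` filter looks like a pasted raw search request (`_source`, `docvalue_fields` with `@timestamp` listed twice, `size`, `sort`) wrapped as a custom filter keyed `size`; only its `query` member is meaningful as a filter, so the rest is dead weight that inflates the object and obscures what the panel actually restricts.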
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-70880ea0-2953-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-70880ea0-2953-11e9-b959-4502c43b2e30.json
new file mode 100755
index 0000000000..eab3fb830d
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-70880ea0-2953-11e9-b959-4502c43b2e30.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "WAF: Top Hosts [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"WAF: Top Hosts\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-70880ea0-2953-11e9-b959-4502c43b2e30",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
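Review bot: The negated filter on the `"searchSourceJSON"` line is written in the older `\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}` form (plus a legacy top-level `\"value\"` in `meta`), whereas the Static vs Dynamic Content panel in this same commit uses `match_phrase` for an equivalent phrase filter. Kibana's filter manager presumably still accepts the old form, but the `type` parameter of `match` is deprecated upstream and mixing both styles in one package makes the filters harder to review; I would rewrite it as `\"query\":{\"match_phrase\":{\"cloudflare.waf.action\":\"unknown\"}}` with `\"negate\":true` unchanged. Since this panel exists to surface WAF hits, the negation of `unknown` is the only thing that keeps non-WAF traffic out, so a one-line `"description"` stating that intent would help whoever tunes it later.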
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-7a021b50-39d0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-7a021b50-39d0-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..402ce71cd6
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-7a021b50-39d0-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"http.version\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.os.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_field_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.latitude\
",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"},{\"field\":\"user_
agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":
1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\
":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"
}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Threat Target URIs [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Threat Target URIs\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-7a021b50-39d0-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
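Review bot: The custom filter inside searchSourceJSON carries `_source`, `docvalue_fields`, `size` and `sort` alongside `query`; as far as I can tell Kibana evaluates only a filter's `query` (plus `meta`/`$state`), so those keys are dead weight that reads like a whole search body pasted into a filter, and within that dead section `source.geo.country_code2` and `@timestamp` are each listed twice where the sibling file cloudflare-88e4a4e0 lists `country_code2` followed by `country_code3`. The filter pill will also be labelled from `\"key\":\"size\"` / `\"value\":\"50\"`, which misdescribes the nested pathing op/src/status classification the query actually applies; dropping the extra keys and setting `\"alias\":\"Threat events\"` (constructed label) would make the panel self-explanatory. Since the visualization already attaches the saved search `search_0`, confirm the filter is not duplicating a selection that search already makes.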
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-7a7515f0-5b91-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-7a7515f0-5b91-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..f23dcd94eb
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-7a7515f0-5b91-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "title": "Summary of Edge and Origin Response Status - text [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Summary of Edge and Origin Response Status**\\n\\nGet an overview of the edge and origin response status codes\",\"openLinksInNewTab\":false},\"title\":\"Summary of Edge and Origin Response Status - text\",\"type\":\"markdown\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-7a7515f0-5b91-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
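Review bot: The dataset filter uses `match_phrase` with `\"cloudflare.log*\"`, but `match_phrase` treats `*` as a literal character rather than a wildcard, so against a keyword-type `data_stream.dataset` this clause most likely matches nothing. Because this is a markdown visualization with `\"aggs\":[]`, the filter has no effect on what is rendered and can simply be removed; if a dataset scope is genuinely wanted, use the exact dataset name in `match_phrase` or a `wildcard`/`query_string` clause instead.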
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-7ded6170-39df-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-7ded6170-39df-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..031607d1a9
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-7ded6170-39df-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Origin Response Status Over Time [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.origin.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Origin Response Status Over Time\",\"type\":\"area\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-7ded6170-39df-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
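Review bot: In visState's seriesParams, `\"show\":\"true\"` is a string while the neighbouring `\"showCircles\":true` and `\"drawLinesBetweenPoints\":true` are booleans; change it to `\"show\":true` so a strict consumer does not treat the string as a distinct value. The same string-typed `show` appears in the Rate Limit Over Time visualization (the hunk for cloudflare-87c0c0f0-295b-11e9-b959-4502c43b2e30.json). `\"description\":\"\"` is empty here and in every other visualization in this chunk; a one-line description of what the panel counts would help dashboard maintainers.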
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-87c0c0f0-295b-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-87c0c0f0-295b-11e9-b959-4502c43b2e30.json
new file mode 100755
index 0000000000..75d9c75ae0
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-87c0c0f0-295b-11e9-b959-4502c43b2e30.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.edge.rate_limit.action\",\"negate\":false,\"params\":[\"ban\",\"simulate\",\"challenge\",\"jsChallenge\"],\"type\":\"phrases\",\"value\":\"ban, simulate, challenge, jsChallenge\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"ban\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"simulate\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"challenge\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"jsChallenge\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Rate Limit Over Time [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-6M\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.edge.rate_limit.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2.5,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Rate Limit Over Time\",\"type\":\"line\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-87c0c0f0-295b-11e9-b959-4502c43b2e30",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
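Review bot: The date_histogram params in visState pin `\"timeRange\":{\"from\":\"now-6M\",\"to\":\"now\"}` and `\"grid\"` carries `\"valueAxis\":null`, neither of which the sibling Origin Response Status Over Time visualization (cloudflare-7ded6170) has; these look like editor-state leftovers from the export rather than intended configuration. Kibana presumably replaces the agg's `timeRange` with the dashboard time filter on each fetch, so the pinned value is harmless but misleading—confirm and drop it so the two area/line panels are configured the same way.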
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-88d54e70-232a-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-88d54e70-232a-11e9-ba08-c19298cded24.json
new file mode 100755
index 0000000000..60020f5987
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-88d54e70-232a-11e9-ba08-c19298cded24.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Total Bandwidth [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Bandwidth\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total Bandwidth\",\"type\":\"metric\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-88d54e70-232a-11e9-ba08-c19298cded24",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
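Review bot: searchSourceJSON uses `\"query\":\"*\"` while every other visualization in this chunk uses `\"query\":\"\"`; both match all documents in Lucene syntax, so normalise to `\"\"` for consistency. The panel sums `destination.bytes` alone under the label "Total Bandwidth" with `\"description\":\"\"`; a description stating which direction of traffic is counted would prevent readers assuming both directions are included—confirm against the field mapping.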
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-88e4a4e0-338a-11e9-ab62-2d2dc754fa8f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-88e4a4e0-338a-11e9-ab62-2d2dc754fa8f.json
new file mode 100755
index 0000000000..1ff7620257
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-88e4a4e0-338a-11e9-ab62-2d2dc754fa8f.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_field_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"s
ource.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"}
,{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negativ
e\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"ad
just_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\"
:1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Threats Stopped [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Threats Stopped\",\"type\":\"metric\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-88e4a4e0-338a-11e9-ab62-2d2dc754fa8f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
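Review bot: The single filter in `searchSourceJSON` is labelled `"key":"size"`, `"value":"50"` with `"alias":null`, so the dashboard pill will read "size: 50" while the effective clause is the nested `bool` over `cloudflare.edge.pathing.op`/`src`/`status`; give it a readable alias such as `"alias":"Edge pathing: ban / failed challenge"` so an analyst can see what "Threats Stopped" counts. The `_source.includes`, `docvalue_fields`, `size` and `sort` members sitting beside `query` look like a raw Elasticsearch request pasted from an older Logstash-era dashboard (they list `@version`, `source.geo.country_code2`, `source.geo.dma_code`, which are not ECS names) and, as far as I can tell, are ignored by Kibana's custom-filter translation, which only uses `query`; trimming the filter to `$state`, `meta` and `query` would drop several KB of dead JSON and a misleading field inventory. Note also that the `filterBasedFirewall` + `chl` branch has no `pathing.status` constraint, unlike the `macro` + `chl` branches that require `captchaFail`/`jschlFail`, so if solved challenges share that `op` the metric overcounts stopped threats — worth confirming against Cloudflare's pathing-status values before shipping the label.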
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-8b2c78d0-2954-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-8b2c78d0-2954-11e9-b959-4502c43b2e30.json
new file mode 100755
index 0000000000..c196e260d5
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-8b2c78d0-2954-11e9-b959-4502c43b2e30.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "WAF: Top Client IP [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"WAF: Top Client IP\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-8b2c78d0-2954-11e9-b959-4502c43b2e30",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
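Review bot: The filter negates `cloudflare.waf.action: unknown` (`"negate":true`), and a negated phrase filter also admits documents in which the field is absent, so if the logpull mapping does not always populate `cloudflare.waf.action`, non-WAF requests would be counted as WAF hits in this table. If the field can be missing, pair the filter with an existence check, e.g. a second filter whose query is `{"exists":{"field":"cloudflare.waf.action"}}`, or switch to a positive list of WAF actions. The empty `description` could state the contract: `"description": "Top 5 client.ip by count of requests whose cloudflare.waf.action is not unknown."`.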
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-8bd59600-3aab-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-8bd59600-3aab-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..6623eff5a1
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-8bd59600-3aab-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":false,\"params\":[\"bypass\",\"unknown\"],\"type\":\"phrases\",\"value\":\"bypass, unknown\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"bypass\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"unknown\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Origin time to first byte dynamic requests [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"cloudflare.origin.response.time\",\"percents\":[50,75,95]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-60d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of cloudflare.origin.response.time\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of OriginResponseTime\"},\"type\":\"value\"}]},\"title\":\"Origin time to first byte dynamic requests\",\"type\":\"line\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-8bd59600-3aab-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
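Review bot: The `date_histogram` params embed `"timeRange":{"from":"now-60d","to":"now"}`, which appears to be a leftover of the exporting session rather than dashboard intent — Kibana takes the range from the time picker — and should be stripped so the saved object does not suggest a fixed 60-day window. The title says "time to first byte" while the metric is percentiles of `cloudflare.origin.response.time` for requests with `cloudflare.cache.status` of `bypass` or `unknown`; if that field is the full origin response time rather than TTFB, the title overstates what is measured. A description such as `"description": "p50/p75/p95 of cloudflare.origin.response.time for uncached (cache status bypass/unknown) requests."` would make the contract explicit.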
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-9443bac0-5bac-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-9443bac0-5bac-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..44ea4ceac6
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-9443bac0-5bac-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "title": "Performance Overview - text [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Performance Overview**\",\"openLinksInNewTab\":false},\"title\":\"Performance Overview - text\",\"type\":\"markdown\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-9443bac0-5bac-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
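Review bot: The filter `"match_phrase":{"data_stream.dataset":"cloudflare.log*"}` uses `*` as though it were a wildcard, but `match_phrase` matches the literal string, so against a keyword `data_stream.dataset` it can never equal a real dataset name. This panel is a markdown visualization with `"aggs":[]`, so the filter has no visible effect here, but it is misleading and likely to be copied; either remove the filter (and the `logs-*` reference that exists only to back it) or express the intent with a `query_string`/`wildcard` clause. The same filter appears on the other markdown panels in this package.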
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-97868680-5ba8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-97868680-5ba8-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..9ce4f8c854
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-97868680-5ba8-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "title": "Threats - Review threat activity - text [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Threats - Review threat activity**\",\"openLinksInNewTab\":false},\"title\":\"Threats - Review threat activity - text\",\"type\":\"markdown\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-97868680-5ba8-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-97ff6f60-2326-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-97ff6f60-2326-11e9-ba08-c19298cded24.json
new file mode 100755
index 0000000000..f45e0e3b4d
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-97ff6f60-2326-11e9-ba08-c19298cded24.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Content Type [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.edge.response.content_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Content Type\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-97ff6f60-2326-11e9-ba08-c19298cded24",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..0f8ba8c4b6
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "title": "Cloudflare logo [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"\",\"openLinksInNewTab\":false},\"title\":\"Cloudflare logo\",\"type\":\"markdown\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
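Review bot: The `markdown` body is the empty string while the title is "Cloudflare logo", so this panel renders an empty tile on the dashboard; if the logo was raw HTML that the markdown renderer did not preserve, replace it with a markdown image reference or drop the panel from the dashboard rather than ship a blank. The panel also carries the literal `match_phrase` on `data_stream.dataset: cloudflare.log*`, which cannot match a dataset name; it is inert on a markdown panel but should go together with the `logs-*` reference that only serves it.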
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-9a285cd0-295b-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-9a285cd0-295b-11e9-b959-4502c43b2e30.json
new file mode 100755
index 0000000000..3482fa40cd
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-9a285cd0-295b-11e9-b959-4502c43b2e30.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.edge.rate_limit.action\",\"negate\":false,\"params\":[\"ban\",\"simulate\",\"jsChallenge\",\"challenge\"],\"type\":\"phrases\",\"value\":\"ban, simulate, jsChallenge, challenge\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"ban\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"simulate\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"jsChallenge\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"challenge\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Rate Limit Actions [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.edge.rate_limit.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.edge.rate_limit.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Rate Limit Actions\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-9a285cd0-295b-11e9-b959-4502c43b2e30",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-9a9d1910-39ed-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-9a9d1910-39ed-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..81eb744f48
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-9a9d1910-39ed-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Origin Response Error Ratio [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.origin.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Origin Response Error Ratio\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-9a9d1910-39ed-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
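Review bot: The pie is a `terms` aggregation on `cloudflare.origin.response.status_code` with `"size":5` and `"otherBucket":false`, so every status code outside the top five is dropped and the proportions shown are not a ratio over all origin responses, despite the title. Set `"otherBucket":true` (or raise `size`) so the denominator is the full response set, and if this field is recorded as 0 for cached requests that never reached the origin, add a filter excluding that value so it does not dominate the chart. An explicit `"description": "Share of origin HTTP status codes (top 5, remainder in Other)."` would clarify what "error ratio" means here.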
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-9bb4fa90-49b8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-9bb4fa90-49b8-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..6b0d9664bf
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-9bb4fa90-49b8-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Client Requests by Content Type [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-24h\",\"mode\":\"quick\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.edge.response.content_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Client Requests by Content Type\",\"type\":\"area\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-9bb4fa90-49b8-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
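Review bot: The `date_histogram` params embed `"timeRange":{"from":"now-24h","mode":"quick","to":"now"}`, a leftover of the exporting session that appears to be superseded by the dashboard time picker, and should be stripped so the saved object does not suggest a fixed window. The `terms` split on `cloudflare.edge.response.content_type` uses `"size":10` with `"otherBucket":false`, so content types beyond the top ten silently vanish from a stacked area that reads as total request volume; `"otherBucket":true` keeps the stack honest.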
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-9c3821d0-3aa5-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-9c3821d0-3aa5-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..09fb8f7e8b
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-9c3821d0-3aa5-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":true,\"params\":[\"hit\",\"stale\",\"updating\",\"ignored\",\"revalidated\"],\"type\":\"phrases\",\"value\":\"hit, stale, updating, ignored, revalidated\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"hit\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"stale\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"updating\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"ignored\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"revalidated\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Uncached Bandwidth [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Uncached Bandwidth\",\"type\":\"metric\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-9c3821d0-3aa5-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
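Review bot: The cache-status lists in this filter and in the Cached Requests visualization (cloudflare-afb4a590, later in this diff) do not partition the traffic: `revalidated` is treated as cached here (it is in the negated `params` list), but the cached filter's `params` and `should` clauses only list `hit`, `stale`, `updating` and `ignored`, so revalidated requests are counted in neither panel. Either add `\"revalidated\"` to the cached filter's `params`, `should` and `value` entries, or drop it from this one, so the two metrics add up to the total. Because this filter is `negate: true`, documents with no `cloudflare.cache.status` field at all also land in "uncached" (a must_not clause matches missing fields); if that is unintended, an `exists` filter on the field would narrow it — the saved search `search_0` may already do so, but its query is outside this diff.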
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-ae0c98c0-39d1-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-ae0c98c0-39d1-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..6270faa803
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-ae0c98c0-39d1-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_field_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"s
ource.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"}
,{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negativ
e\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"ad
just_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\"
:1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Threat Countries [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Threat Countries\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-ae0c98c0-39d1-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
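Review bot: The custom filter in `searchSourceJSON` carries a whole search request body instead of a query clause: `_source`, `docvalue_fields`, `size` and `sort` sit next to `query`, and `meta.key`/`meta.value` are `size`/`50`, so the filter pill in Kibana will read "size: 50" while what is actually applied is the nested edge-pathing bool query. Kibana presumably forwards only the `query` member of a custom filter, so the extra keys are dead weight, but they also enumerate field names (`@version`, `source.geo.country_code2`, `client.ip`) that look pre-ECS compared with the `source.geo.country_name` field the aggregation uses. Trim the filter object to `$state`, `meta` and `query`, and give it a readable label such as `\"alias\":\"Threat pathing events\"` in `meta` so the intent of the filter is visible in the UI.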
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-afb4a590-3aa4-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-afb4a590-3aa4-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..dd54f85a2e
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-afb4a590-3aa4-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":false,\"params\":[\"hit\",\"stale\",\"updating\",\"ignored\"],\"type\":\"phrases\",\"value\":\"hit, stale, updating, ignored\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"hit\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"stale\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"updating\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"ignored\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Cached Requests [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Cached Requests\",\"type\":\"metric\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-afb4a590-3aa4-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-b7d29880-2952-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-b7d29880-2952-11e9-b959-4502c43b2e30.json
new file mode 100755
index 0000000000..1ffedbbec6
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-b7d29880-2952-11e9-b959-4502c43b2e30.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "WAF: Top Countries [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"WAF: Top Countries\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-b7d29880-2952-11e9-b959-4502c43b2e30",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
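Review bot: The only filter here is `negate: true` on `cloudflare.waf.action: unknown`, and a negated phrase filter also matches documents that have no `cloudflare.waf.action` field at all, so this "WAF" pie will include every non-WAF request unless the saved search `search_0` (outside this diff) already restricts to WAF events. Adding an `exists` filter on `cloudflare.waf.action` next to the negation, or a query such as `cloudflare.waf.action:* AND NOT cloudflare.waf.action:unknown`, would make the panel count only requests the WAF actually acted on.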
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-b937c200-49b8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-b937c200-49b8-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..d5e3635479
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-b937c200-49b8-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Client Requests Methods Over Time [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"http.request.method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Client Requests Methods Over Time\",\"type\":\"area\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-b937c200-49b8-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
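Review bot: In `visState`, `seriesParams[0].show` is the string `\"true\"` while every sibling flag in the same object (`drawLinesBetweenPoints`, `showCircles`, `addLegend`) is a JSON boolean; the same string appears in the preceding Client Requests by Content Type visualization. The legacy vislib presumably treats the string as truthy so the series still renders, but mixed types for the same kind of flag are an easy source of trouble in later saved-object migrations; write it as `\"show\":true` in both.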
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-ba09b9b0-39ee-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-ba09b9b0-39ee-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..bb76962042
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-ba09b9b0-39ee-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Errors Ratio (Edge) [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 50\":\"rgb(0,104,55)\",\"50 - 75\":\"rgb(255,255,190)\",\"75 - 100\":\"rgb(165,0,38)\"}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"gauge\":{\"alignment\":\"horizontal\",\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":50},{\"from\":50,\"to\":75},{\"from\":75,\"to\":100}],\"extendRange\":true,\"gaugeColorMode\":\"Labels\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Arc\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":true},\"style\":{\"bgColor\":false,\"bgFill\":\"#eee\",\"bgMask\":false,\"bgWidth\":0.9,\"fontSize\":60,\"labelColor\":true,\"mask\":false,\"maskBars\":50,\"subText\":\"\",\"width\":0.9},\"type\":\"meter\"},\"isDisplayWarning\":false,\"type\":\"gauge\"},\"title\":\"Errors Ratio (Edge)\",\"type\":\"gauge\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-ba09b9b0-39ee-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
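Review bot: The title says "Errors Ratio" but the visualization computes nothing ratio-like: the metric is a plain `count` split by `http.response.status_code` (`size: 5`), `percentageMode` is `false`, and the gauge bands are 0–50/50–75/75–100, so on any realistic traffic volume every status bucket lands in the red band and `extendRange` merely stretches the arc. Either rename the panel to describe what it shows, or change the metric so the gauge reads a percentage — e.g. a filtered count of 5xx responses with `\"percentageMode\":true` — so that the 0–100 colour bands carry meaning. The `uiStateJSON` `defaultColors` are keyed to the same 0–50/50–75/75–100 labels and must be updated together with the ranges.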
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-ba3b0120-5b93-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-ba3b0120-5b93-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..ad111537be
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-ba3b0120-5b93-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "title": "Detailed View Breakdown of Origin Response Status Codes by Various Metrics - text [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"fontSize\":14,\"markdown\":\"Detailed View\\nBreakdown of Origin Response Status Codes by Various Metrics\",\"openLinksInNewTab\":false},\"title\":\"Detailed View Breakdown of Origin Response Status Codes by Various Metrics - text\",\"type\":\"markdown\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-ba3b0120-5b93-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
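Review bot: The filter's `match_phrase` on `data_stream.dataset` uses the value `cloudflare.log*`, but `match_phrase` does not expand wildcards, so on a keyword field it can only match a dataset literally named with the asterisk and will not match any real dataset value. Since this is a markdown visualization with `\"aggs\":[]`, the filter has no effect on what is displayed, so it can be removed together with the `logs-*` index-pattern reference that exists only to serve it; if a dataset restriction is genuinely wanted, use the exact dataset name or a wildcard-capable query instead of a phrase.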
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-bf9032b0-39d0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-bf9032b0-39d0-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..be29b07593
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-bf9032b0-39d0-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_field_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"s
ource.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"}
,{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negativ
e\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"ad
just_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\"
:1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Threat User Agents [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Threat User Agents\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-bf9032b0-39d0-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
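Review bot: The `searchSourceJSON` custom filter in this object embeds a Logstash-era document projection — `_source.includes`, a long `docvalue_fields` list naming fields such as `@version`, `source.geo.country_code2` and `user_agent.os_major`, plus `"size":50` and a `_doc` sort — inside what should be a pure predicate on `cloudflare.edge.pathing.*`. Those field names do not match the ECS names used by the sibling objects (`source.geo.country_iso_code`, `user_agent.os.full`), so they are presumably ignored by the data stream, but they bloat the saved object and hide the actual threat predicate that the `Top Threat User Agents` table depends on. I would reduce the filter entry to its `$state`, `meta` and `query.bool` members, since the `aggs` in `visState` only need `user_agent.original`. The same projection is repeated in the object starting at the `d9890140` file header below, whose hunk runs past this chunk.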
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-c08a2fd0-39e0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-c08a2fd0-39e0-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..b4b6d0cd3c
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-c08a2fd0-39e0-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Requested URI - Reliability [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Top Requested URI - Reliability\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-c08a2fd0-39e0-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-c883c8c0-2326-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-c883c8c0-2326-11e9-ba08-c19298cded24.json
new file mode 100755
index 0000000000..fa9b2d83bc
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-c883c8c0-2326-11e9-ba08-c19298cded24.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Traffic Countries [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Traffic Countries\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-c883c8c0-2326-11e9-ba08-c19298cded24",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-caf67100-23d7-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-caf67100-23d7-11e9-ba08-c19298cded24.json
new file mode 100755
index 0000000000..fe30ad6d17
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-caf67100-23d7-11e9-ba08-c19298cded24.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Traffic Countries Map [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"isFilteredByCollar\":true,\"mapCenter\":[0,0],\"mapZoom\":2,\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"\\u003cp\\u003e\\u0026#169; \\u003ca href=\\\"http://www.openstreetmap.org/copyright\\\"\\u003eOpenStreetMap\\u003c/a\\u003e contributors | \\u003ca href=\\\"https://www.elastic.co/elastic-maps-service\\\"\\u003eElastic Maps Service\\u003c/a\\u003e\\u003c/p\\u003e\\u0026#10;\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree\\u0026my_app_name=kibana\\u0026my_app_version=6.5.4\\u0026license=4552d43c-e532-47b1-9552-27fed12f7d1a\"}}},\"title\":\"Top Traffic Countries Map\",\"type\":\"tile_map\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "cloudflare-caf67100-23d7-11e9-ba08-c19298cded24",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
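Review bot: This object is a legacy `tile_map` visualization whose `wms.selectedTmsLayer.url` hard-codes an Elastic Maps Service tile endpoint with `my_app_version=6.5.4` and an opaque `license=` query parameter, and its `coreMigrationVersion` of `7.15.0` / `migrationVersion.visualization` of `7.14.0` are the only pre-`8.0.0` values among the sibling objects in this package. A saved object committed to a public package should not pin an external tile URL or carry a per-install token; confirm the `license` value is non-sensitive, and preferably re-export the object from the target Kibana version so the EMS layer is resolved at runtime and the migration versions match the other files. If the `tile_map` type is kept, the `selectedTmsLayer` block can be dropped entirely, as the remaining `mapType`/`mapZoom`/`mapCenter` params are what the visualization actually renders from.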
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-d2ceb1c0-5baa-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-d2ceb1c0-5baa-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..178761e45b
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-d2ceb1c0-5baa-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "title": "Requests - text [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Requests**\",\"openLinksInNewTab\":false},\"title\":\"Requests - text\",\"type\":\"markdown\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-d2ceb1c0-5baa-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-d4b02760-49a0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-d4b02760-49a0-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..f2f503bfed
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-d4b02760-49a0-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{}"
+ },
+ "title": "Cached vs Uncached Bandwidth Over Time [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"cloudflare.cache.status:(hit OR stale OR updating OR ignored OR revalidated)\"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"saved bandwidth\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"cloudflare.cache.status:(-hit OR -stale OR -updating OR -ignored OR -revalidated)\"},\"formatter\":\"bytes\",\"id\":\"73f43510-49a0-11e9-8499-d5aa4562b1c7\",\"label\":\"uncached bandwidth\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"73f43511-49a0-11e9-8499-d5aa4562b1c7\",\"type\":\"sum\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Cached vs Uncached Bandwidth Over Time\",\"type\":\"metrics\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-d4b02760-49a0-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
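Review bot: The `uncached bandwidth` series filter `cloudflare.cache.status:(-hit OR -stale OR -updating OR -ignored OR -revalidated)` is a disjunction of negations, which read literally matches every document (a `hit` document still satisfies `-stale`); if it currently yields the intended complement, that is only because the query-string parser folds prohibited clauses into `must_not`. Write the exact complement of the `saved bandwidth` filter instead, `NOT cloudflare.cache.status:(hit OR stale OR updating OR ignored OR revalidated)`, so the two series partition the data regardless of parser behaviour. The object also uses `"use_kibana_indexes":false` with a bare string `"index_pattern":"logs-*"` while `references` already carries the same index pattern; that appears to be the legacy TSVB addressing mode, and re-exporting in index-pattern mode would remove the duplication.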
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-d53f1d70-39e8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-d53f1d70-39e8-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..a4b15ea573
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-d53f1d70-39e8-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Edge Response Error Ratio [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Edge Response Error Ratio\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-d53f1d70-39e8-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-d6fd64a0-3aab-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-d6fd64a0-3aab-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..81b9a6af94
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-d6fd64a0-3aab-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":true,\"params\":[\"bypass\",\"unknown\"],\"type\":\"phrases\",\"value\":\"bypass, unknown\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"bypass\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"unknown\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Origin time to first byte static requests [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"cloudflare.origin.response.time\",\"percents\":[50,75,95]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-60d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of cloudflare.origin.response.time\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":1.5,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of OriginResponseTime\"},\"type\":\"value\"}]},\"title\":\"Origin time to first byte static requests\",\"type\":\"line\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-d6fd64a0-3aab-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
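Review bot: In `visState` the line series sets `"show":"true"` as a string while the adjacent `"showCircles":true` and every other flag in the same object are booleans; Kibana treats the non-empty string as truthy, but it is an inconsistency a stricter schema would reject — change it to `"show":true`. The `date_histogram` aggregation also carries a `"timeRange":{"from":"now-60d","to":"now"}` in its params, which appears to be residue from the authoring session rather than configuration, since the dashboard time picker supplies the range at render time; dropping it avoids misleading readers into thinking the chart is pinned to 60 days.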
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-d9890140-3a9a-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-d9890140-3a9a-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..9ddf576777
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-d9890140-3a9a-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_field_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"s
ource.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"}
,{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negativ
e\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"ad
just_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\"
:1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Threats Stopped [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Threats Stopped\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-d9890140-3a9a-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-df169f00-3aa4-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-df169f00-3aa4-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..6f9780ad23
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-df169f00-3aa4-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":true,\"params\":[\"hit\",\"stale\",\"updating\",\"ignored\"],\"type\":\"phrases\",\"value\":\"hit, stale, updating, ignored\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"hit\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"stale\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"updating\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"ignored\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Uncached Requests [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Uncached Requests\",\"type\":\"metric\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-df169f00-3aa4-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-ec96e3c0-39e0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-ec96e3c0-39e0-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..3c3bda44c7
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-ec96e3c0-39e0-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top User Agents - Reliability [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Top User Agents - Reliability\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-ec96e3c0-39e0-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-f109c430-49b8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-f109c430-49b8-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..ad0501c78f
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-f109c430-49b8-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Client Requests by Connection Over Time [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-24h\",\"mode\":\"quick\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.client.ssl.protocol\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Client Requests by Connection Over Time\",\"type\":\"area\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-f109c430-49b8-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..c68f5ba629
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,85 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":[\"cloudflare.logpull\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.logpull\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "title": "Filters [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloudflare.device_type\",\"id\":\"1554899945457\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Device Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"source.geo.country_name\",\"id\":\"1554900041526\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"url.domain\",\"id\":\"1554900064098\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Hostname\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"client.ip\",\"id\":\"1554900102344\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Client IP\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"user_agent.original\",\"id\":\"1554900136614\",\"indexPatternRefName\":\"control_4_index_pattern\",\"label\":\"User Agent\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"url.full\",\"id\":\"1554900159944\",\"indexPatternRefName\":\"control_5_index_pattern\",\"label\":\"Request URI\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"http.response.status_code\",\"id\":\"1554900185676\",\"indexPatternRefName\":\"control_6_index_pattern\",\"label\":\"Edge Response 
Status\",\"options\":{\"dynamicOptions\":false,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloudflare.origin.response.status_code\",\"id\":\"1554900211881\",\"indexPatternRefName\":\"control_7_index_pattern\",\"label\":\"Origin Response Status\",\"options\":{\"dynamicOptions\":false,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"destination.ip\",\"id\":\"1556549231725\",\"indexPatternRefName\":\"control_8_index_pattern\",\"label\":\"Origin IP\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloudflare.ray_id\",\"id\":\"1554900244300\",\"indexPatternRefName\":\"control_9_index_pattern\",\"label\":\"RayID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloudflare.worker.subrequest\",\"id\":\"1554900268999\",\"indexPatternRefName\":\"control_10_index_pattern\",\"label\":\"Worker Subrequest\",\"options\":{\"dynamicOptions\":false,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"http.request.method\",\"id\":\"1554900324235\",\"indexPatternRefName\":\"control_11_index_pattern\",\"label\":\"Client Request Method\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":true,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"Filters\",\"type\":\"input_control_vis\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "control_0_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "control_1_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "control_2_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "control_3_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "control_4_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "control_5_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "control_6_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "control_7_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "control_8_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "control_9_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "control_10_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "control_11_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-f982c5b0-3aa6-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-f982c5b0-3aa6-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..6d5358e3a1
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-f982c5b0-3aa6-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Cache status over time [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.cache.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Cache status over time\",\"type\":\"line\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-f982c5b0-3aa6-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-fbfdbb70-2326-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-fbfdbb70-2326-11e9-ba08-c19298cded24.json
new file mode 100755
index 0000000000..38b0a34b1f
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-fbfdbb70-2326-11e9-ba08-c19298cded24.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Requested URI [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Requested URI\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-fbfdbb70-2326-11e9-ba08-c19298cded24",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-fc4f9420-49b6-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-fc4f9420-49b6-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..500e479c4b
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-fc4f9420-49b6-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":true,\"params\":[\"unknown\",\"bypass\"],\"type\":\"phrases\",\"value\":\"unknown, bypass\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"unknown\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"bypass\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Slowest URIs by cumulative time to first byte for static requests [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"average_response_time\",\"field\":\"cloudflare.origin.response.time\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"wait_time\",\"field\":\"cloudflare.origin.response.time\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"cloudflare.origin.response.time\",\"percents\":[99,99.9]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Slowest URIs by cumulative time to first byte for static requests\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-fc4f9420-49b6-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-fc9df390-293b-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-fc9df390-293b-11e9-b959-4502c43b2e30.json
new file mode 100755
index 0000000000..69432d0f5d
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-fc9df390-293b-11e9-b959-4502c43b2e30.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "WAF Events Triggered [Cloudflare]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"WAF Events Triggered\",\"type\":\"metric\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-fc9df390-293b-11e9-b959-4502c43b2e30",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-fe404730-2962-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-fe404730-2962-11e9-b959-4502c43b2e30.json
new file mode 100755
index 0000000000..adeade4e0f
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-fe404730-2962-11e9-b959-4502c43b2e30.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.edge.rate_limit.action\",\"negate\":false,\"params\":[\"ban\",\"simulate\",\"jsChallenge\",\"challenge\"],\"type\":\"phrases\",\"value\":\"ban, simulate, jsChallenge, challenge\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"ban\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"simulate\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"jsChallenge\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"challenge\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Rate Limit Countries [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.edge.rate_limit.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"url.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Rate Limit Countries\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-fe404730-2962-11e9-b959-4502c43b2e30",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-ff3ba2f0-39d0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-ff3ba2f0-39d0-11e9-bd1f-75f359ac0c3f.json
new file mode 100755
index 0000000000..04e881cbe5
--- /dev/null
+++ b/packages/cloudflare/2.1.1/kibana/visualization/cloudflare-ff3ba2f0-39d0-11e9-bd1f-75f359ac0c3f.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top Pathing Statuses [Cloudflare]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.edge.pathing.src\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.edge.pathing.op\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"cloudflare.edge.pathing.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Top Pathing Statuses\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "cloudflare-ff3ba2f0-39d0-11e9-bd1f-75f359ac0c3f",
+ "migrationVersion": {
+ "visualization": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cloudflare/2.1.1/manifest.yml b/packages/cloudflare/2.1.1/manifest.yml
new file mode 100755
index 0000000000..1738145a58
--- /dev/null
+++ b/packages/cloudflare/2.1.1/manifest.yml
@@ -0,0 +1,76 @@
+name: cloudflare
+title: Cloudflare
+version: "2.1.1"
+release: ga
+description: Collect and parse logs from Cloudflare API with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security, network, web, cloud]
+conditions:
+ kibana.version: ^8.0.0
+icons:
+ - src: /img/cf-logo-v.svg
+ title: Cloudflare
+ size: 216x216
+ type: image/svg+xml
+screenshots:
+ - src: /img/cloudflare-snapshot.png
+ title: Cloudflare - Snapshot
+ size: 1847x950
+ type: image/png
+ - src: /img/cloudflare-reliability.png
+ title: Cloudflare - Reliability
+ size: 1850x948
+ type: image/png
+ - src: /img/cloudflare-security-overview.png
+ title: Cloudflare - Security
+ size: 1848x949
+ type: image/png
+ - src: /img/cloudflare-performance.png
+ title: Cloudflare - Performance (Requests, Bandwidth, Cache)
+ size: 1847x949
+ type: image/png
+ - src: /img/cloudflare-performance2.png
+ title: Cloudflare - Performance (Hostname, Content Type, Request Methods, Connection Type)
+ size: 1847x950
+ type: image/png
+policy_templates:
+ - name: cloudflare
+ title: Cloudflare logs
+ description: Collect logs from Cloudflare
+ inputs:
+ - type: httpjson
+ title: "Collect Cloudflare logs via API"
+ description: "Collecting logs from Cloudflare via API"
+ vars:
+ - name: api_url
+ type: text
+ title: API URL.
+ description: The API URL without the path.
+ multi: false
+ required: true
+ show_user: false
+ default: https://api.cloudflare.com
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: true
+ default: 60s
+owner:
+ github: elastic/security-external-integrations
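Review bot: The `proxy_url` description at the end of the policy template has lost its placeholders — `http[s]://:@:` gives the operator no hint that the segments are user, password, host and port, and does not say that a proxy credential typed here ends up stored in the agent policy; I would change it to `description: URL to proxy connections in the form of http[s]://<user>:<password>@<host>:<port>. Any credentials embedded here are saved as part of the agent policy.` The `ssl` var just above it is a free-form YAML blob with no `description` at all, so there is nothing telling the user which keys are expected or that weakening `verification_mode` turns off certificate checks for the Cloudflare API connection; a one-line `description: TLS options for the API connection (e.g. certificate_authorities, supported_protocols, verification_mode). Do not lower verification_mode unless you understand the consequences.` would close that gap. The `api_url` var is plain `type: text` with an `https://` default, so presumably an `http://` override is accepted silently — worth a sentence in its description if the input does not enforce the scheme.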
diff --git a/packages/httpjson/1.4.0/changelog.yml b/packages/httpjson/1.4.0/changelog.yml
new file mode 100755
index 0000000000..5a6c1f60c2
--- /dev/null
+++ b/packages/httpjson/1.4.0/changelog.yml
@@ -0,0 +1,50 @@
+- version: "1.4.0"
+ changes:
+ - description: Adds `oauth_google_jwt_json` option
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3545
+- version: "1.3.0"
+ changes:
+ - description: Update package to ECS 8.3.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3353
+- version: "1.2.4"
+ changes:
+ - description: Add correct field mapping for event.created
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3579
+- version: "1.2.3"
+ changes:
+ - description: Fixes oauth2 config rendering
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3518
+- version: "1.2.2"
+ changes:
+ - description: Fixes rendering issue for custom oauth2 scopes
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3295
+- version: "1.2.1"
+ changes:
+ - description: Adds missing `delegated_account` option for Google Oauth2
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3256
+- version: "1.2.0"
+ changes:
+ - description: Update ECS to 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2779
+- version: "1.1.1"
+ changes:
+ - description: Fixes typo in config template
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2883
+- version: "1.1.0"
+ changes:
+ - description: Fixes issues with certain configuration fields not working
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2815
+- version: "1.0.0"
+ changes:
+ - description: Initial Implementation
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2154
diff --git a/packages/httpjson/1.4.0/data_stream/generic/agent/stream/httpjson.yml.hbs b/packages/httpjson/1.4.0/data_stream/generic/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..98f6f125d9
--- /dev/null
+++ b/packages/httpjson/1.4.0/data_stream/generic/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,154 @@
+config_version: 2
+data_stream:
+ dataset: {{data_stream.dataset}}
+interval: {{request_interval}}
+
+{{#if username}}
+auth.basic.user: {{username}}
+{{/if}}
+{{#if password}}
+auth.basic.password: {{password}}
+{{/if}}
+
+{{#if pipeline}}
+pipeline: {{pipeline}}
+{{/if}}
+
+{{#unless username}}
+{{#unless password}}
+{{#if oauth_id}}
+auth.oauth2.client.id: {{oauth_id}}
+{{/if}}
+{{#if oauth_secret}}
+auth.oauth2.client.secret: {{oauth_secret}}
+{{/if}}
+{{#if oauth_token_url}}
+auth.oauth2.token_url: {{oauth_token_url}}
+{{/if}}
+{{#if oauth_provider}}
+auth.oauth2.provider: {{oauth_provider}}
+{{/if}}
+{{#if oauth_scopes}}
+auth.oauth2.scopes:
+{{#each oauth_scopes as |scope i|}}
+ - {{scope}}
+{{/each}}
+{{/if}}
+{{#if oauth_google_credentials_file}}
+auth.oauth2.google.credentials_file: {{oauth_google_credentials_file}}
+{{/if}}
+{{#if oauth_google_credentials_json}}
+auth.oauth2.google.credentials_json: '{{oauth_google_credentials_json}}'
+{{/if}}
+{{#if oauth_google_jwt_file}}
+auth.oauth2.google.jwt_file: {{oauth_google_jwt_file}}
+{{/if}}
+{{#if oauth_google_jwt_json}}
+auth.oauth2.google.jwt_json: {{oauth_google_jwt_json}}
+{{/if}}
+{{#if oauth_google_delegated_account}}
+auth.oauth2.google.delegated_account: {{oauth_google_delegated_account}}
+{{/if}}
+{{#if oauth_azure_tenant_id}}
+auth.oauth2.azure.tenant_id: {{oauth_azure_tenant_id}}
+{{/if}}
+{{#if oauth_azure_resource}}
+auth.oauth2.azure.resource: {{oauth_azure_resource}}
+{{/if}}
+{{#if oauth_endpoint_params}}
+auth.oauth2.endpoint_params:
+ {{oauth_endpoint_params}}
+{{/if}}
+{{/unless}}
+{{/unless}}
+
+request.url: {{request_url}}
+request.method: {{request_method}}
+{{#if request_body}}
+request.body:
+ {{request_body}}
+{{/if}}
+{{#if request_transforms}}
+request.transforms:
+ {{request_transforms}}
+{{/if}}
+{{#if request_ssl}}
+request.ssl:
+ {{request_ssl}}
+{{/if}}
+{{#if request_encode_as}}
+request.encode_as: {{request_encode_as}}
+{{/if}}
+{{#if request_timeout}}
+request.timeout: {{request_timeout}}
+{{/if}}
+{{#if request_proxy_url}}
+request.proxy_url: {{request_proxy_url}}
+{{/if}}
+{{#if request_retry_max_attempts}}
+request.retry.max_attempts: {{request_retry_max_attempts}}
+{{/if}}
+{{#if request_retry_wait_min}}
+request.retry.wait_min: {{request_retry_wait_min}}
+{{/if}}
+{{#if request_retry_wait_max}}
+request.retry.wait_max: {{request_retry_wait_max}}
+{{/if}}
+{{#if request_redirect_forward_headers}}
+request.redirect.forward_headers: {{request_redirect_forward_headers}}
+{{/if}}
+{{#if request_redirect_headers_ban_list}}
+request.redirect.headers_ban_list:
+{{#each request_redirect_headers_ban_list as |item i|}}
+ - {{item}}
+{{/each}}
+{{/if}}
+{{#if request_redirect_max_redirects}}
+request.redirect.max_redirects: {{request_redirect_max_redirects}}
+{{/if}}
+{{#if request_rate_limit_limit}}
+request.rate_limit.limit: {{request_rate_limit_limit}}
+{{/if}}
+{{#if request_rate_limit_reset}}
+request.rate_limit.reset: {{request_rate_limit_reset}}
+{{/if}}
+{{#if request_rate_limit_remaining}}
+request.rate_limit.remaining: {{request_rate_limit_remaining}}
+{{/if}}
+
+{{#if response_transforms}}
+response.transforms:
+ {{response_transforms}}
+{{/if}}
+{{#if response_split}}
+response.split:
+ {{response_split}}
+{{/if}}
+{{#if response_pagination}}
+response.pagination: {{response_pagination}}
+{{/if}}
+{{#if response_decode_as}}
+response.decode_as: {{response_decode_as}}
+{{/if}}
+{{#if response_request_body_on_pagination}}
+response.request_body_on_pagination: {{response_request_body_on_pagination}}
+{{/if}}
+
+{{#if cursor}}
+cursor:
+ {{cursor}}
+{{/if}}
+
+{{#if tags}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
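Review bot: The two raw-JSON credential lines are rendered inconsistently: `auth.oauth2.google.credentials_json: '{{oauth_google_credentials_json}}'` is single-quoted, but the newly added `auth.oauth2.google.jwt_json: {{oauth_google_jwt_json}}` is not, so a value starting with `{` will be read by the YAML parser as a flow mapping rather than as the string the option presumably expects, and a key containing `: ` or ` #` would break or truncate the line. I would render it the same way as its sibling, `auth.oauth2.google.jwt_json: '{{oauth_google_jwt_json}}'`, with the same caveat that a single quote inside the JSON (unlikely for a service-account key, but possible) would still need escaping. The same unquoted-scalar concern applies to `auth.basic.password: {{password}}` and `auth.oauth2.client.secret: {{oauth_secret}}` near the top of the template, where a secret that looks like a number, a boolean or starts with a YAML indicator is retyped or mis-parsed silently; quoting those as well would make the rendered config robust for any secret value.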
diff --git a/packages/httpjson/1.4.0/data_stream/generic/fields/base-fields.yml b/packages/httpjson/1.4.0/data_stream/generic/fields/base-fields.yml
new file mode 100755
index 0000000000..d8277624ff
--- /dev/null
+++ b/packages/httpjson/1.4.0/data_stream/generic/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: httpjson
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: httpjson.generic
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/httpjson/1.4.0/data_stream/generic/fields/beats.yml b/packages/httpjson/1.4.0/data_stream/generic/fields/beats.yml
new file mode 100755
index 0000000000..ede6958855
--- /dev/null
+++ b/packages/httpjson/1.4.0/data_stream/generic/fields/beats.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: tags
+ type: keyword
+ description: User defined tags
diff --git a/packages/httpjson/1.4.0/data_stream/generic/fields/ecs.yml b/packages/httpjson/1.4.0/data_stream/generic/fields/ecs.yml
new file mode 100755
index 0000000000..12c7fe1cd0
--- /dev/null
+++ b/packages/httpjson/1.4.0/data_stream/generic/fields/ecs.yml
@@ -0,0 +1,18 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
diff --git a/packages/httpjson/1.4.0/data_stream/generic/manifest.yml b/packages/httpjson/1.4.0/data_stream/generic/manifest.yml
new file mode 100755
index 0000000000..50cd0c6409
--- /dev/null
+++ b/packages/httpjson/1.4.0/data_stream/generic/manifest.yml
@@ -0,0 +1,347 @@
+title: Custom HTTPJSON Input
+type: logs
+streams:
+ - input: httpjson
+ description: Collect custom data from REST API's
+ template_path: httpjson.yml.hbs
+ title: Custom HTTPJSON Input
+ vars:
+ - name: data_stream.dataset
+ type: text
+ title: Dataset name
+ description: |
+ Dataset to write data to. Changing the dataset will send the data to a different index. You can't use `-` in the name of a dataset and only valid characters for [Elasticsearch index names](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html).
+ default: httpjson.generic
+ required: true
+ show_user: true
+ - name: pipeline
+ type: text
+ title: Ingest Pipeline
+ description: |
+ The Ingest Node pipeline ID to be used by the integration.
+ required: false
+ show_user: true
+ - name: request_url
+ type: text
+ title: Request URL
+ description: i.e. scheme://host:port/path
+ show_user: true
+ required: true
+ default: https://server.example.com:8089/api
+ - name: request_interval
+ type: text
+ title: Request Interval
+ description: How often the API is polled, supports seconds, minutes and hours.
+ show_user: true
+ required: true
+ default: 1m
+ - name: request_method
+ type: text
+ title: Request HTTP Method
+ description: Supports either GET or POST
+ show_user: true
+ required: true
+ default: GET
+ - name: username
+ type: text
+ title: Basic Auth Username
+ show_user: true
+ required: false
+ description: The username to be used with Basic Auth headers
+ - name: password
+ type: password
+ title: Basic Auth Password
+ show_user: true
+ required: false
+ description: The password to be used with Basic Auth headers
+ - name: oauth_id
+ type: text
+ title: Oauth2 Client ID
+ description: Client ID used for Oauth2 authentication
+ show_user: true
+ required: false
+ - name: oauth_secret
+ type: password
+ title: Oauth2 Client Secret
+ description: Client secret used for Oauth2 authentication
+ show_user: true
+ required: false
+ - name: oauth_token_url
+ type: text
+ title: Oauth2 Token URL
+ description: The URL endpoint that will be used to generate the tokens during the oauth2 flow. It is required if no oauth_custom variable is set or provider is not specified in oauth_custom variable.
+ show_user: true
+ required: false
+ - name: request_body
+ type: yaml
+ title: Request Body
+ description: An optional HTTP body if the request method is POST. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_body)
+ show_user: true
+ multi: false
+ required: false
+ default: |
+ #query:
+ # bool:
+ # filter:
+ # term:
+ # type: authentication
+ - name: request_transforms
+ type: yaml
+ title: Request Transforms
+ description: Optional transformations to perform on the request before it is sent. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#request-transforms).
+ show_user: true
+ multi: false
+ required: false
+ default: |
+ #- set:
+ # target: body.from
+ # value: '[[now (parseDuration "-1h")]]'
+ #- set:
+ # target: url.params.limit
+ # value: 10
+ - name: response_transforms
+ type: yaml
+ title: Response Transforms
+ description: Optional transformations to perform on the response before it is sent to Elasticsearch. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#response-transforms).
+ show_user: true
+ multi: false
+ required: false
+ default: |
+ #- delete:
+ # target: body.very_confidential
+ - name: response_split
+ type: yaml
+ title: Response Split
+ description: Optional transformations to perform on the response to split the response into separate documents before it is sent to Elasticsearch. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#response-split).
+ show_user: true
+ multi: false
+ required: false
+ default: |
+ #target: body.data
+ #keep_parent: true
+ - name: response_pagination
+ type: yaml
+ title: Response Pagination
+ description: Optional settings if pagination is required to retrieve all results. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#response-pagination).
+ show_user: true
+ multi: false
+ required: false
+ default: |
+ #- set:
+ # target: url.value
+ # value: http://localhost:9200/_search/scroll
+ #- set:
+ # target: url.params.scroll_id
+ # value: '[[.last_response.body._scroll_id]]'
+ - name: cursor
+ type: yaml
+ title: Custom request cursor
+ description: |
+ A cursor is used to keep state between each API request, and can be set to for example the value of something in the response body.
+ More information can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#cursor).
+ show_user: true
+ multi: false
+ required: false
+ default: |
+ #last_requested_at:
+ # value: '[[now]]'
+ - name: request_ssl
+ type: yaml
+ title: Request SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc, more examples found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config)
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #verification_mode: none
+ - name: request_encode_as
+ type: text
+ title: Request Encode As
+ description: ContentType used for encoding the request body. If set it will force the encoding in the specified format regardless of the Content-Type header value.
+ show_user: false
+ multi: false
+ required: false
+ - name: request_timeout
+ type: text
+ title: Request Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h. Default is "30"s.
+ show_user: false
+ multi: false
+ required: false
+ - name: request_proxy_url
+ type: text
+ title: Request Proxy
+ description: This specifies proxy configuration in the form of `http[s]://:@:`.
+ show_user: false
+ multi: false
+ required: false
+ - name: request_retry_max_attempts
+ type: text
+ title: Request Retry Max Attempts
+ description: The maximum number of retries for the HTTP client. Default is "5".
+ show_user: false
+ multi: false
+ required: false
+ - name: request_retry_wait_min
+ type: text
+ title: Request Retry Wait Min
+ description: The minimum time to wait before a retry is attempted. Default is "1s".
+ show_user: false
+ multi: false
+ required: false
+ - name: request_retry_wait_max
+ type: text
+ title: Request Retry Wait Max
+ description: The maximum time to wait before a retry is attempted. Default is "60s".
+ show_user: false
+ multi: false
+ required: false
+ - name: request_redirect_forward_headers
+ type: bool
+ title: Request Redirect Forward Headers
+ description: When set to true request headers are forwarded in case of a redirect. Default is "false".
+ show_user: false
+ multi: false
+ required: false
+ - name: request_redirect_headers_ban_list
+ type: text
+ title: Request Redirect Headers Ban List
+ description: When Redirect Forward Headers is set to true, all headers except the ones defined in this list will be forwarded. All headers are forwarded by default.
+ show_user: false
+ multi: true
+ required: false
+ - name: request_redirect_max_redirects
+ type: text
+ title: Request Redirect Max Redirects
+ description: The maximum number of redirects to follow for a request. Default is "10".
+ show_user: false
+ multi: false
+ required: false
+ - name: request_rate_limit_limit
+ type: text
+ title: Request Rate Limit
+ description: The value of the response that specifies the total limit. It is defined with a Go template value.
+ show_user: false
+ multi: false
+ required: false
+ - name: request_rate_limit_reset
+ type: text
+ title: Request Rate Limit Reset
+ description: The value of the response that specifies the epoch time when the rate limit will reset. It is defined with a Go template value.
+ show_user: false
+ multi: false
+ required: false
+ - name: request_rate_limit_remaining
+ type: text
+ title: Request Rate Limit Remaining
+ description: The value of the response that specifies the remaining quota of the rate limit. It is defined with a Go template value.
+ show_user: false
+ multi: false
+ required: false
+ - name: oauth_provider
+ type: text
+ title: Oauth2 Provider
+ description: Used to configure supported oauth2 providers. Each supported provider will require specific settings. It is not set by default. Supported providers are "azure" and "google".
+ show_user: false
+ multi: false
+ required: false
+ - name: oauth_scopes
+ type: text
+ title: Oauth2 Scopes
+ description: A list of scopes that will be requested during the oauth2 flow. It is optional for all providers.
+ show_user: false
+ multi: true
+ required: false
+ - name: oauth_google_credentials_file
+ type: text
+ title: Oauth2 Google Credentials File
+ description: The full path to the credentials file for Google.
+ show_user: false
+ multi: false
+ required: false
+ - name: oauth_google_credentials_json
+ type: text
+ title: Oauth2 Google Credentials JSON
+ description: Your Google credentials information as raw JSON.
+ show_user: false
+ multi: false
+ required: false
+ - name: oauth_google_jwt_file
+ type: text
+ title: Oauth2 Google JWT File
+ description: Full path to the JWT Account Key file for Google.
+ show_user: false
+ multi: false
+ required: false
+ - name: oauth_google_jwt_json
+ type: text
+ title: Oauth2 Google JWT JSON
+ description: Your Google JWT information as raw JSON.
+ multi: false
+ required: false
+ show_user: false
+ - name: oauth_google_delegated_account
+ type: text
+ title: Oauth2 Google Delegated account
+ description: Email of the delegated account used to create the credentials (usually an admin).
+ show_user: false
+ multi: false
+ required: false
+ - name: oauth_azure_tenant_id
+ type: text
+ title: Oauth2 Azure Tenant ID
+ description: Optional setting used for authentication when using Azure provider. Since it is used in the process to generate the token_url, it can’t be used in combination with it.
+ show_user: false
+ multi: false
+ required: false
+ - name: oauth_azure_resource
+ type: text
+ title: Oauth2 Azure Resource
+ description: Optional setting for the accessed WebAPI resource when using azure provider.
+ show_user: false
+ multi: false
+ required: false
+ - name: oauth_endpoint_params
+ type: yaml
+ title: Oauth2 Endpoint Params
+ description: Set of values that will be sent on each request to the token_url. Each param key can have multiple values. Can be set for all providers except google.
+ show_user: false
+ multi: false
+ required: false
+ default: |
+ #Param1:
+ # - ValueA
+ # - ValueB
+ #Param2:
+ # - Value
+ - name: response_decode_as
+ type: text
+ title: Response decode settings
+ description: |
+ ContentType used for decoding the response body. Supported values: application/json, application/x-ndjson. By default it will use what is in the response Content-Type header.
+ show_user: false
+ required: false
+ - name: response_request_body_on_pagination
+ type: bool
+ title: Include request body on Pagination
+ description: |
+ If set to true, the values in request.body are sent with pagination requests.
+ show_user: false
+ multi: false
+ required: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
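Review bot: `oauth_google_credentials_json` and `oauth_google_jwt_json` are declared `type: text` even though both hold a Google service-account key with its private key material, while `password` and `oauth_secret` in the same manifest correctly use `type: password`; unless the password var type cannot carry this payload, both should become `type: password` so the key is masked in the Fleet UI and treated as a secret rather than shown and stored like an ordinary string. Separately, the only worked example under `request_ssl` is `#verification_mode: none`, which steers users toward disabling TLS certificate verification for every custom API they point this input at; I would replace that example with one that adds trust rather than removes it, e.g. `#certificate_authorities:` / `#  - /etc/pki/root/ca.pem`, and mention `verification_mode` only in the description. Minor: the `request_timeout` description says `Default is "30"s.` where `"30s"` is meant.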
diff --git a/packages/httpjson/1.4.0/data_stream/generic/sample_event.json b/packages/httpjson/1.4.0/data_stream/generic/sample_event.json
new file mode 100755
index 0000000000..97f5b56929
--- /dev/null
+++ b/packages/httpjson/1.4.0/data_stream/generic/sample_event.json
@@ -0,0 +1,36 @@
+{
+ "@timestamp": "2022-03-10T12:47:55.098Z",
+ "agent": {
+ "ephemeral_id": "03c96875-43cc-4abc-b998-99527ff31de3",
+ "id": "0ddbfef9-4d38-400d-8404-d2df456bddc0",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "httpjson.generic",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "0ddbfef9-4d38-400d-8404-d2df456bddc0",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "created": "2022-03-10T12:47:55.098Z",
+ "dataset": "httpjson.generic",
+ "ingested": "2022-03-10T12:47:56Z"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "message": "{\"message\":\"success\",\"page\":2}",
+ "tags": [
+ "forwarded"
+ ]
+}
\ No newline at end of file
diff --git a/packages/httpjson/1.4.0/docs/README.md b/packages/httpjson/1.4.0/docs/README.md
new file mode 100755
index 0000000000..f575d64220
--- /dev/null
+++ b/packages/httpjson/1.4.0/docs/README.md
@@ -0,0 +1,20 @@
+# Custom HTTPJSON input integration
+
+The custom HTTPJSON input integration is used to ingest data from custom RESTful API's that do not currently have an existing integration.
+
+The input itself supports sending both GET and POST requests, transform requests and responses during runtime, paginate and keep a running state on information from the last collected events.
+
+## Configuration
+
+The extensive documentation for the input are currently available [here](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html).
+
+The most commonly used configuration options are available on the main integration page, while more advanced and customizable options currently resides under the "Advanced options" part of the integration settings page.
+
+Configuration is split into three main categories, Request, Response, and Cursor.
+
+The request part of the configuration handles points like which URL endpoint to communicate with, the request body, specific transformations that have to happen before a request is sent out and some custom options like request proxy, timeout and similar options.
+
+The response part of the configuration handles options like transformation, rate limiting, pagination, and splitting the response into different documents before it is sent to Elasticsearch.
+
+The cursor part of the configuration is used when there is a need to keep state between each of the API requests, for example if a timestamp is returned in the response, that should be used as a filter in the next request after that, the cursor is a place where this is stored.
+
diff --git a/packages/httpjson/1.4.0/manifest.yml b/packages/httpjson/1.4.0/manifest.yml
new file mode 100755
index 0000000000..b4804074bf
--- /dev/null
+++ b/packages/httpjson/1.4.0/manifest.yml
@@ -0,0 +1,22 @@
+format_version: 1.0.0
+name: httpjson
+title: Custom HTTPJSON Input
+description: Collect custom data from REST API's with Elastic Agent.
+type: integration
+version: "1.4.0"
+release: ga
+conditions:
+ kibana.version: "^8.4.0"
+license: basic
+categories:
+ - custom
+policy_templates:
+ - name: generic
+ title: Custom HTTPJSON Input
+ description: Collect custom data from REST API's
+ inputs:
+ - type: httpjson
+ title: Collect custom data from REST API's
+ description: Collect custom data from REST API's
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/juniper_netscreen/0.3.1/changelog.yml b/packages/juniper_netscreen/0.3.1/changelog.yml
new file mode 100755
index 0000000000..35cfb24cfb
--- /dev/null
+++ b/packages/juniper_netscreen/0.3.1/changelog.yml
@@ -0,0 +1,36 @@
+# newer versions go on top
+- version: "0.3.1"
+ changes:
+ - description: Add documentation link to juniper documentation
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3134
+- version: "0.3.0"
+ changes:
+ - description: Update package to ECS 8.3.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3353
+- version: "0.2.0"
+ changes:
+ - description: Update to ECS 8.2.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2779
+- version: "0.1.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "0.1.0"
+ changes:
+ - description: Update to ECS 8.0.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2590
+- version: "0.0.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "0.0.1"
+ changes:
+ - description: Initial release of new package split from oroginal Juniper package
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/2070
diff --git a/packages/juniper_netscreen/0.3.1/data_stream/log/agent/stream/logfile.yml.hbs b/packages/juniper_netscreen/0.3.1/data_stream/log/agent/stream/logfile.yml.hbs
new file mode 100755
index 0000000000..36eb610dff
--- /dev/null
+++ b/packages/juniper_netscreen/0.3.1/data_stream/log/agent/stream/logfile.yml.hbs
@@ -0,0 +1,26357 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+prospector.scanner.exclude_files: ['\.gz$']
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Juniper"
+ product: "Netscreen"
+ type: "Firewall"
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+ }
+
+ function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local":
+ date = new Date();
+ // Reversing the sign as we the offset from UTC, not to UTC.
+ return parse_local_tz_offset(-date.getTimezoneOffset());
+ // event uses the tz offset from event.timezone (add_locale processor).
+ case "event":
+ return offset;
+ // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
+ default:
+ m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
+ if (m === null || m.length !== 4) {
+ throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM");
+ }
+ return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
+ }
+ }
+
+ function parse_local_tz_offset(minutes) {
+ var neg = minutes < 0;
+ minutes = Math.abs(minutes);
+ var min = minutes % 60;
+ var hours = Math.floor(minutes / 60);
+ var pad2digit = function(n) {
+ if (n < 10) { return "0" + n;}
+ return "" + n;
+ };
+ return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
+ }
+
+ function process(evt) {
+ // Function register is only called by the processor when `params` are set
+ // in the processor config.
+ if (device === undefined) {
+ register(defaults);
+ }
+ return device.process(evt);
+ }
+
+ function processor_chain(subprocessors) {
+ var builder = new processor.Chain();
+ subprocessors.forEach(builder.Add);
+ return builder.Build().Run;
+ }
+
+ function linear_select(subprocessors) {
+ return function (evt) {
+ var flags = evt.Get(FLAG_FIELD);
+ var i;
+ for (i = 0; i < subprocessors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ if (debug) console.warn("linear_select trying entry " + i);
+ subprocessors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) == null) break;
+ if (debug) console.warn("linear_select failed entry " + i);
+ }
+ if (flags !== null) {
+ evt.Put(FLAG_FIELD, flags);
+ }
+ if (debug) {
+ if (i < subprocessors.length) {
+ console.warn("linear_select matched entry " + i);
+ } else {
+ console.warn("linear_select didn't match");
+ }
+ }
+ };
+ }
+
+ function conditional(opt) {
+ return function(evt) {
+ if (opt.if(evt)) {
+ opt.then(evt);
+ } else if (opt.else) {
+ opt.else(evt);
+ }
+ };
+ }
+
+ var strip_syslog_priority = (function() {
+ var isEnabled = function() { return strip_priority === true; };
+ var fetchPRI = field("_pri");
+ var fetchPayload = field("payload");
+ var removePayload = remove(["payload"]);
+ var cleanup = remove(["_pri", "payload"]);
+ var onMatch = function(evt) {
+ var pri, priStr = fetchPRI(evt);
+ if (priStr != null
+ && 0 < priStr.length && priStr.length < 4
+ && !isNaN((pri = Number(priStr)))
+ && 0 <= pri && pri < 192) {
+ var severity = pri & 7,
+ facility = pri >> 3;
+ setc("_severity", "" + severity)(evt);
+ setc("_facility", "" + facility)(evt);
+ // Replace message with priority stripped.
+ evt.Put("message", fetchPayload(evt));
+ removePayload(evt);
+ } else {
+ // not a valid syslog PRI, cleanup.
+ cleanup(evt);
+ }
+ };
+ return conditional({
+ if: isEnabled,
+ then: cleanup_flags(match(
+ "STRIP_PRI",
+ "message",
+ "<%{_pri}>%{payload}",
+ onMatch
+ ))
+ });
+ })();
+
+ function match(id, src, pattern, on_success) {
+ var dissect = new processor.Dissect({
+ field: src,
+ tokenizer: pattern,
+ target_prefix: FIELDS_OBJECT,
+ ignore_failure: true,
+ overwrite_keys: true,
+ trim_values: "right"
+ });
+ return function (evt) {
+ var msg = evt.Get(src);
+ dissect.Run(evt);
+ var failed = evt.Get(FLAG_FIELD) != null;
+ if (debug) {
+ if (failed) {
+ console.debug("dissect fail: " + id + " field:" + src);
+ } else {
+ console.debug("dissect OK: " + id + " field:" + src);
+ }
+ console.debug(" expr: <<" + pattern + ">>");
+ console.debug(" input: <<" + msg + ">>");
+ }
+ if (on_success != null && !failed) {
+ on_success(evt);
+ }
+ };
+ }
+
+ function match_copy(id, src, dst, on_success) {
+ dst = FIELDS_PREFIX + dst;
+ if (dst === FIELDS_PREFIX || dst === src) {
+ return function (evt) {
+ if (debug) {
+ console.debug("noop OK: " + id + " field:" + src);
+ console.debug(" input: <<" + evt.Get(src) + ">>");
+ }
+ if (on_success != null) on_success(evt);
+ }
+ }
+ return function (evt) {
+ var msg = evt.Get(src);
+ evt.Put(dst, msg);
+ if (debug) {
+ console.debug("copy OK: " + id + " field:" + src);
+ console.debug(" target: '" + dst + "'");
+ console.debug(" input: <<" + msg + ">>");
+ }
+ if (on_success != null) on_success(evt);
+ }
+ }
+
+ function cleanup_flags(processor) {
+ return function(evt) {
+ processor(evt);
+ evt.Delete(FLAG_FIELD);
+ };
+ }
+
+ function all_match(opts) {
+ return function (evt) {
+ var i;
+ for (i = 0; i < opts.processors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ opts.processors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) != null) {
+ if (debug) console.warn("all_match failure at " + i);
+ if (opts.on_failure != null) opts.on_failure(evt);
+ return;
+ }
+ if (debug) console.warn("all_match success at " + i);
+ }
+ if (opts.on_success != null) opts.on_success(evt);
+ };
+ }
+
+ function msgid_select(mapping) {
+ return function (evt) {
+ var msgid = evt.Get(FIELDS_PREFIX + "messageid");
+ if (msgid == null) {
+ if (debug) console.warn("msgid_select: no messageid captured!");
+ return;
+ }
+ var next = mapping[msgid];
+ if (next === undefined) {
+ if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
+ return;
+ }
+ if (debug) console.info("msgid_select: matched key=" + msgid);
+ return next(evt);
+ };
+ }
+
+ function msg(msg_id, match) {
+ return function (evt) {
+ match(evt);
+ if (evt.Get(FLAG_FIELD) == null) {
+ evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
+ }
+ };
+ }
+
+ var start;
+
+ function save_flags(evt) {
+ saved_flags = evt.Get(FLAG_FIELD);
+ evt.Put("event.original", evt.Get("message"));
+ }
+
+ function restore_flags(evt) {
+ if (saved_flags !== null) {
+ evt.Put(FLAG_FIELD, saved_flags);
+ }
+ evt.Delete("message");
+ }
+
+ function constant(value) {
+ return function (evt) {
+ return value;
+ };
+ }
+
+ function field(name) {
+ var fullname = FIELDS_PREFIX + name;
+ return function (evt) {
+ return evt.Get(fullname);
+ };
+ }
+
+ function STRCAT(args) {
+ var s = "";
+ var i;
+ for (i = 0; i < args.length; i++) {
+ s += args[i];
+ }
+ return s;
+ }
+
+ // TODO: Implement
+ function DIRCHK(args) {
+ unimplemented("DIRCHK");
+ }
+
+ function strictToInt(str) {
+ return str * 1;
+ }
+
+ function CALC(args) {
+ if (args.length !== 3) {
+ console.warn("skipped call to CALC with " + args.length + " arguments.");
+ return;
+ }
+ var a = strictToInt(args[0]);
+ var b = strictToInt(args[2]);
+ if (isNaN(a) || isNaN(b)) {
+ console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
+ return;
+ }
+ var result;
+ switch (args[1]) {
+ case "+":
+ result = a + b;
+ break;
+ case "-":
+ result = a - b;
+ break;
+ case "*":
+ result = a * b;
+ break;
+ default:
+ // Only * and + seen in the parsers.
+ console.warn("unknown CALC operation '" + args[1] + "'.");
+ return;
+ }
+ // Always return a string
+ return result !== undefined ? "" + result : result;
+ }
+
+ var quoteChars = "\"'`";
+ function RMQ(args) {
+ if(args.length !== 1) {
+ console.warn("RMQ: only one argument expected");
+ return;
+ }
+ var value = args[0].trim();
+ var n = value.length;
+ var char;
+ return n > 1
+ && (char=value.charAt(0)) === value.charAt(n-1)
+ && quoteChars.indexOf(char) !== -1?
+ value.substr(1, n-2)
+ : value;
+ }
+
+ function call(opts) {
+ var args = new Array(opts.args.length);
+ return function (evt) {
+ for (var i = 0; i < opts.args.length; i++)
+ if ((args[i] = opts.args[i](evt)) == null) return;
+ var result = opts.fn(args);
+ if (result != null) {
+ evt.Put(opts.dest, result);
+ }
+ };
+ }
+
+ function nop(evt) {
+ }
+
+ function appendErrorMsg(evt, msg) {
+ var value = evt.Get("error.message");
+ if (value == null) {
+ value = [msg];
+ } else if (msg instanceof Array) {
+ value.push(msg);
+ } else {
+ value = [value, msg];
+ }
+ evt.Put("error.message", value);
+ }
+
+ function unimplemented(name) {
+ appendErrorMsg("unimplemented feature: " + name);
+ }
+
+ function lookup(opts) {
+ return function (evt) {
+ var key = opts.key(evt);
+ if (key == null) return;
+ var value = opts.map.keyvaluepairs[key];
+ if (value === undefined) {
+ value = opts.map.default;
+ }
+ if (value !== undefined) {
+ evt.Put(opts.dest, value(evt));
+ }
+ };
+ }
+
+ function set(fields) {
+ return new processor.AddFields({
+ target: FIELDS_OBJECT,
+ fields: fields,
+ });
+ }
+
+ function setf(dst, src) {
+ return function (evt) {
+ var val = evt.Get(FIELDS_PREFIX + src);
+ if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
+ };
+ }
+
+ function setc(dst, value) {
+ return function (evt) {
+ evt.Put(FIELDS_PREFIX + dst, value);
+ };
+ }
+
+ function set_field(opts) {
+ return function (evt) {
+ var val = opts.value(evt);
+ if (val != null) evt.Put(opts.dest, val);
+ };
+ }
+
+ function dump(label) {
+ return function (evt) {
+ console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
+ };
+ }
+
+ function date_time_join_args(evt, arglist) {
+ var str = "";
+ for (var i = 0; i < arglist.length; i++) {
+ var fname = FIELDS_PREFIX + arglist[i];
+ var val = evt.Get(fname);
+ if (val != null) {
+ if (str !== "") str += " ";
+ str += val;
+ } else {
+ if (debug) console.warn("in date_time: input arg " + fname + " is not set");
+ }
+ }
+ return str;
+ }
+
+ function to2Digit(num) {
+ return num? (num < 10? "0" + num : num) : "00";
+ }
+
+ // Make two-digit dates 00-69 interpreted as 2000-2069
+ // and dates 70-99 translated to 1970-1999.
+ var twoDigitYearEpoch = 70;
+ var twoDigitYearCentury = 2000;
+
+ // This is to accept dates up to 2 days in the future, only used when
+ // no year is specified in a date. 2 days should be enough to account for
+ // time differences between systems and different tz offsets.
+ var maxFutureDelta = 2*24*60*60*1000;
+
+ // DateContainer stores date fields and then converts those fields into
+ // a Date. Necessary because building a Date using its set() methods gives
+ // different results depending on the order of components.
+ function DateContainer(tzOffset) {
+ this.offset = tzOffset === undefined? "Z" : tzOffset;
+ }
+
+ DateContainer.prototype = {
+ setYear: function(v) {this.year = v;},
+ setMonth: function(v) {this.month = v;},
+ setDay: function(v) {this.day = v;},
+ setHours: function(v) {this.hours = v;},
+ setMinutes: function(v) {this.minutes = v;},
+ setSeconds: function(v) {this.seconds = v;},
+
+ setUNIX: function(v) {this.unix = v;},
+
+ set2DigitYear: function(v) {
+ this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
+ },
+
+ toDate: function() {
+ if (this.unix !== undefined) {
+ return new Date(this.unix * 1000);
+ }
+ if (this.day === undefined || this.month === undefined) {
+ // Can't make a date from this.
+ return undefined;
+ }
+ if (this.year === undefined) {
+ // A date without a year. Set current year, or previous year
+ // if date would be in the future.
+ var now = new Date();
+ this.year = now.getFullYear();
+ var date = this.toDate();
+ if (date.getTime() - now.getTime() > maxFutureDelta) {
+ date.setFullYear(now.getFullYear() - 1);
+ }
+ return date;
+ }
+ var MM = to2Digit(this.month);
+ var DD = to2Digit(this.day);
+ var hh = to2Digit(this.hours);
+ var mm = to2Digit(this.minutes);
+ var ss = to2Digit(this.seconds);
+ return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
+ }
+ }
+
+ function date_time_try_pattern(fmt, str, tzOffset) {
+ var date = new DateContainer(tzOffset);
+ var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
+ return pos !== undefined? date.toDate() : undefined;
+ }
+
+ function date_time_try_pattern_at_pos(fmt, str, pos, date) {
+ var len = str.length;
+ for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) {
+ pos = fmt[proc](str, pos, date);
+ }
+ return pos;
+ }
+
+ function date_time(opts) {
+ return function (evt) {
+ var tzOffset = opts.tz || tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = evt.Get("event.timezone");
+ }
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var date = date_time_try_pattern(opts.fmts[i], str, tzOffset);
+ if (date !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, date);
+ return;
+ }
+ }
+ if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str);
+ };
+ }
+
+ var uA = 60 * 60 * 24;
+ var uD = 60 * 60 * 24;
+ var uF = 60 * 60;
+ var uG = 60 * 60 * 24 * 30;
+ var uH = 60 * 60;
+ var uI = 60 * 60;
+ var uJ = 60 * 60 * 24;
+ var uM = 60 * 60 * 24 * 30;
+ var uN = 60 * 60;
+ var uO = 1;
+ var uS = 1;
+ var uT = 60;
+ var uU = 60;
+ var uc = dc;
+
+ function duration(opts) {
+ return function(evt) {
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var seconds = duration_try_pattern(opts.fmts[i], str);
+ if (seconds !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, seconds);
+ return;
+ }
+ }
+ if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str);
+ };
+ }
+
+ function duration_try_pattern(fmt, str) {
+ var secs = 0;
+ var pos = 0;
+ for (var i=0; i [ month_id , how many chars to skip if month in long form ]
+ "Jan": [0, 4],
+ "Feb": [1, 5],
+ "Mar": [2, 2],
+ "Apr": [3, 2],
+ "May": [4, 0],
+ "Jun": [5, 1],
+ "Jul": [6, 1],
+ "Aug": [7, 3],
+ "Sep": [8, 6],
+ "Oct": [9, 4],
+ "Nov": [10, 5],
+ "Dec": [11, 4],
+ "jan": [0, 4],
+ "feb": [1, 5],
+ "mar": [2, 2],
+ "apr": [3, 2],
+ "may": [4, 0],
+ "jun": [5, 1],
+ "jul": [6, 1],
+ "aug": [7, 3],
+ "sep": [8, 6],
+ "oct": [9, 4],
+ "nov": [10, 5],
+ "dec": [11, 4],
+ };
+
+ // var dC = undefined;
+ var dR = dateMonthName(true);
+ var dB = dateMonthName(false);
+ var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+ var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+ var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+ var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+ var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+ var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+ var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+ var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+ var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+ var dP = parseAMPM; // AM|PM
+ var dQ = parseAMPM; // A.M.|P.M
+ var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+ var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+ var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+ var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+ var dZ = parseHMS;
+ var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+ // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+ // Only works if this modifier appears after the hour has been read from logs
+ // which is always the case in the 300 devices.
+ function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+ }
+
+ function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+ }
+
+ function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length? pos : undefined;
+ }
+
+ function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+ }
+
+ function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+ }
+
+ // Short month name (Jan..Dec).
+ function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ? idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.debug(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port.
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ function tagval(id, src, cfg, keys, on_success) {
+ var fail = function(evt) {
+ evt.Put(FLAG_FIELD, "tagval_parsing_error");
+ }
+ if (cfg.kv_separator.length !== 1) {
+ throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
+ }
+ var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
+ cfg.open_quote.length + cfg.close_quote.length : 0;
+ var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$');
+ return function(evt) {
+ var msg = evt.Get(src);
+ if (msg === undefined) {
+ console.warn("tagval: input field is missing");
+ return fail(evt);
+ }
+ var pairs = msg.split(cfg.pair_separator);
+ var i;
+ var success = false;
+ var prev = "";
+ for (i=0; i 0 &&
+ value.length >= cfg.open_quote.length + cfg.close_quote.length &&
+ value.substr(0, cfg.open_quote.length) === cfg.open_quote &&
+ value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) {
+ value = value.substr(cfg.open_quote.length, value.length - quotes_len);
+ }
+ evt.Put(FIELDS_PREFIX + field, value);
+ success = true;
+ }
+ if (!success) {
+ return fail(evt);
+ }
+ if (on_success != null) {
+ on_success(evt);
+ }
+ }
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "message", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+ "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
+ "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
+ "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
+ "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
+ "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
+ "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
+ "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
+ "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
+ "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
+ "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
+ "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
+ "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
+ "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
+ "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
+ "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
+ "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
+ "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
+ "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
+ "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
+ "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
+ "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
+ "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
+ "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
+ "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
+ "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
+ "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
+ "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
+ "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
+ "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
+ "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
+ "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
+ "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
+ "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
+ "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
+ "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
+ "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
+ "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
+ "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
+ "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
+ "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
+ "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
+ "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
+ "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
+ "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
+ "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
+ "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
+ "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
+ "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
+ "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
+ "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
+ "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
+ "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
+ "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+ };
+
+ function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+ }
+
+ // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+ var maxSafeInt = Math.pow(2, 53) - 1;
+ var minSafeInt = -maxSafeInt;
+
+ function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined;
+ }
+
+ function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+ }
+
+ var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+ function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+ }
+
+ function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+ }
+
+ function to_double(value) {
+ return parseFloat(value);
+ }
+
+ function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+ }
+
+ function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"? value.toLowerCase() : value;
+ }
+
+ function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+ }
+
+ function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+ }
+
+ function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+ }
+
+ var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+ };
+
+ function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+ }
+
+ function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+ }
+
+ function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+ }
+
+ var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+ ];
+
+ function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = evt.Get("event.timezone");
+ }
+ var container = new DateContainer(tzOffset);
+ for (var i=0; i} for %{p0}");
+
+ var dup7 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}");
+
+ var dup8 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})");
+
+ var dup9 = date_time({
+ dest: "event_time",
+ args: ["fld1"],
+ fmts: [
+ [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO],
+ ],
+ });
+
+ var dup10 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})");
+
+ var dup11 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1");
+
+ var dup12 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}");
+
+ var dup13 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}");
+
+ var dup14 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}");
+
+ var dup15 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}");
+
+ var dup16 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0");
+
+ var dup17 = setc("eventcategory","1502000000");
+
+ var dup18 = setc("eventcategory","1703000000");
+
+ var dup19 = setc("eventcategory","1603000000");
+
+ var dup20 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} ");
+
+ var dup21 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", "");
+
+ var dup22 = setc("eventcategory","1502050000");
+
+ var dup23 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}");
+
+ var dup24 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}");
+
+ var dup25 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}");
+
+ var dup26 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator");
+
+ var dup27 = setc("eventcategory","1801010000");
+
+ var dup28 = setc("eventcategory","1401060000");
+
+ var dup29 = setc("ec_subject","User");
+
+ var dup30 = setc("ec_activity","Logon");
+
+ var dup31 = setc("ec_theme","Authentication");
+
+ var dup32 = setc("ec_outcome","Success");
+
+ var dup33 = setc("eventcategory","1401070000");
+
+ var dup34 = setc("ec_activity","Logoff");
+
+ var dup35 = setc("eventcategory","1303000000");
+
+ var dup36 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition");
+
+ var dup37 = setc("eventcategory","1402020200");
+
+ var dup38 = setc("ec_theme","UserGroup");
+
+ var dup39 = setc("ec_outcome","Error");
+
+ var dup40 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}");
+
+ var dup41 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})");
+
+ var dup42 = setc("eventcategory","1402020300");
+
+ var dup43 = setc("ec_activity","Modify");
+
+ var dup44 = setc("eventcategory","1605000000");
+
+ var dup45 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}");
+
+ var dup46 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}");
+
+ var dup47 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}");
+
+ var dup48 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}");
+
+ var dup49 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})");
+
+ var dup50 = setc("eventcategory","1701020000");
+
+ var dup51 = setc("ec_theme","Configuration");
+
+ var dup52 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}");
+
+ var dup53 = setc("eventcategory","1301000000");
+
+ var dup54 = setc("ec_outcome","Failure");
+
+ var dup55 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}");
+
+ var dup56 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}");
+
+ var dup57 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}");
+
+ var dup58 = setc("eventcategory","1001000000");
+
+ var dup59 = setc("dclass_counter1_string","Number of times the attack occurred");
+
+ var dup60 = call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$OUT"),
+ field("saddr"),
+ field("daddr"),
+ ],
+ });
+
+ var dup61 = call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$OUT"),
+ field("saddr"),
+ field("daddr"),
+ field("sport"),
+ field("dport"),
+ ],
+ });
+
+ var dup62 = setc("eventcategory","1608010000");
+
+ var dup63 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}");
+
+ var dup64 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}");
+
+ var dup65 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}");
+
+ var dup66 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}");
+
+ var dup67 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})");
+
+ var dup68 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}");
+
+ var dup69 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}");
+
+ var dup70 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}");
+
+ var dup71 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}");
+
+ var dup72 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}");
+
+ var dup73 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}");
+
+ var dup74 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}");
+
+ var dup75 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}");
+
+ var dup76 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}");
+
+ var dup77 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}");
+
+ var dup78 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}");
+
+ var dup79 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}");
+
+ var dup80 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var dup81 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}");
+
+ var dup82 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}");
+
+ var dup83 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})");
+
+ var dup84 = setc("eventcategory","1002020000");
+
+ var dup85 = setc("eventcategory","1002000000");
+
+ var dup86 = setc("eventcategory","1603110000");
+
+ var dup87 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}");
+
+ var dup88 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}");
+
+ var dup89 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}");
+
+ var dup90 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}");
+
+ var dup91 = setc("eventcategory","1613040200");
+
+ var dup92 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}");
+
+ var dup93 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}");
+
+ var dup94 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}");
+
+ var dup95 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}");
+
+ var dup96 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}");
+
+ var dup97 = setc("eventcategory","1613050200");
+
+ var dup98 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}");
+
+ var dup99 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}");
+
+ var dup100 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}");
+
+ var dup101 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}");
+
+ var dup102 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}");
+
+ var dup103 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}");
+
+ var dup104 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}");
+
+ var dup105 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}");
+
+ var dup106 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}");
+
+ var dup107 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}");
+
+ var dup108 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}");
+
+ var dup109 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}");
+
+ var dup110 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}");
+
+ var dup111 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}");
+
+ var dup112 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}");
+
+ var dup113 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}");
+
+ var dup114 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}");
+
+ var dup115 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}");
+
+ var dup116 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}");
+
+ var dup117 = setc("eventcategory","1603090000");
+
+ var dup118 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}");
+
+ var dup119 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}");
+
+ var dup120 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}");
+
+ var dup121 = setc("eventcategory","1603030000");
+
+ var dup122 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}");
+
+ var dup123 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}");
+
+ var dup124 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface");
+
+ var dup125 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}");
+
+ var dup126 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}");
+
+ var dup127 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}");
+
+ var dup128 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}.");
+
+ var dup129 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}");
+
+ var dup130 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}");
+
+ var dup131 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. (%{fld1})");
+
+ var dup132 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var dup133 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}");
+
+ var dup134 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}");
+
+ var dup135 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}");
+
+ var dup136 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}");
+
+ var dup137 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}");
+
+ var dup138 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}");
+
+ var dup139 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}");
+
+ var dup140 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}");
+
+ var dup141 = setc("eventcategory","1702030000");
+
+ var dup142 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}");
+
+ var dup143 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}");
+
+ var dup144 = setc("eventcategory","1601000000");
+
+ var dup145 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) ");
+
+ var dup146 = date_time({
+ dest: "event_time",
+ args: ["fld2"],
+ fmts: [
+ [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO],
+ ],
+ });
+
+ var dup147 = setc("eventcategory","1103000000");
+
+ var dup148 = setc("ec_subject","NetworkComm");
+
+ var dup149 = setc("ec_activity","Scan");
+
+ var dup150 = setc("ec_theme","TEV");
+
+ var dup151 = setc("eventcategory","1103010000");
+
+ var dup152 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}");
+
+ var dup153 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}");
+
+ var dup154 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}");
+
+ var dup155 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}");
+
+ var dup156 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}");
+
+ var dup157 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}");
+
+ var dup158 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}");
+
+ var dup159 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}");
+
+ var dup160 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}");
+
+ var dup161 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}");
+
+ var dup162 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}");
+
+ var dup163 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}");
+
+ var dup164 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})");
+
+ var dup165 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}");
+
+ var dup166 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}");
+
+ var dup167 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}");
+
+ var dup168 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}");
+
+ var dup169 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}");
+
+ var dup170 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}");
+
+ var dup171 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}");
+
+ var dup172 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}");
+
+ var dup173 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}");
+
+ var dup174 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}");
+
+ var dup175 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}");
+
+ var dup176 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}");
+
+ var dup177 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}");
+
+ var dup178 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}");
+
+ var dup179 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}");
+
+ var dup180 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}");
+
+ var dup181 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}");
+
+ var dup182 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}");
+
+ var dup183 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}");
+
+ var dup184 = setc("eventcategory","1603020000");
+
+ var dup185 = setc("eventcategory","1803000000");
+
+ var dup186 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}");
+
+ var dup187 = setc("eventcategory","1603010000");
+
+ var dup188 = setc("eventcategory","1603100000");
+
+ var dup189 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}");
+
+ var dup190 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}");
+
+ var dup191 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}");
+
+ var dup192 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}");
+
+ var dup193 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}");
+
+ var dup194 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}");
+
+ var dup195 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}");
+
+ var dup196 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}");
+
+ var dup197 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}");
+
+ var dup198 = setc("eventcategory","1801030000");
+
+ var dup199 = setc("eventcategory","1302010200");
+
+ var dup200 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}");
+
+ var dup201 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}");
+
+ var dup202 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}");
+
+ var dup203 = setc("eventcategory","1304000000");
+
+ var dup204 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}");
+
+ var dup205 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}");
+
+ var dup206 = setc("eventcategory","1401030000");
+
+ var dup207 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}");
+
+ var dup208 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}");
+
+ var dup209 = setc("eventcategory","1605020000");
+
+ var dup210 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}");
+
+ var dup211 = setc("ec_subject","Certificate");
+
+ var dup212 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}");
+
+ var dup213 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}");
+
+ var dup214 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}");
+
+ var dup215 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}");
+
+ var dup216 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}");
+
+ var dup217 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}");
+
+ var dup218 = setc("ec_subject","CryptoKey");
+
+ var dup219 = setc("ec_subject","Configuration");
+
+ var dup220 = setc("ec_activity","Request");
+
+ var dup221 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}");
+
+ var dup222 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}");
+
+ var dup223 = setc("eventcategory","1612000000");
+
+ var dup224 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}");
+
+ var dup225 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}");
+
+ var dup226 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}");
+
+ var dup227 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}");
+
+ var dup228 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}");
+
+ var dup229 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}");
+
+ var dup230 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}");
+
+ var dup231 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})");
+
+ var dup232 = setc("eventcategory","1201000000");
+
+ var dup233 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}");
+
+ var dup234 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}");
+
+ var dup235 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}");
+
+ var dup236 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}");
+
+ var dup237 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}");
+
+ var dup238 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}");
+
+ var dup239 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var dup240 = setc("eventcategory","1401000000");
+
+ var dup241 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}");
+
+ var dup242 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}");
+
+ var dup243 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}");
+
+ var dup244 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}");
+
+ var dup245 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}");
+
+ var dup246 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}");
+
+ var dup247 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}");
+
+ var dup248 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}");
+
+ var dup249 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}");
+
+ var dup250 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}");
+
+ var dup251 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}");
+
+ var dup252 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}");
+
+ var dup253 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}");
+
+ var dup254 = setc("eventcategory","1608000000");
+
+ var dup255 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}");
+
+ var dup256 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}");
+
+ var dup257 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}");
+
+ var dup258 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}");
+
+ var dup259 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}");
+
+ var dup260 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}");
+
+ var dup261 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}");
+
+ var dup262 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}");
+
+ var dup263 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}");
+
+ var dup264 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}");
+
+ var dup265 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}");
+
+ var dup266 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}");
+
+ var dup267 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}");
+
+ var dup268 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}");
+
+ var dup269 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}");
+
+ var dup270 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state");
+
+ var dup271 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}");
+
+ var dup272 = setc("eventcategory","1805010000");
+
+ var dup273 = setc("eventcategory","1805000000");
+
+ var dup274 = date_time({
+ dest: "starttime",
+ args: ["fld2"],
+ fmts: [
+ [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO],
+ ],
+ });
+
+ var dup275 = call({
+ dest: "nwparser.bytes",
+ fn: CALC,
+ args: [
+ field("sbytes"),
+ constant("+"),
+ field("rbytes"),
+ ],
+ });
+
+ var dup276 = setc("action","Deny");
+
+ var dup277 = setc("disposition","Deny");
+
+ var dup278 = setc("direction","outgoing");
+
+ var dup279 = call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$IN"),
+ field("saddr"),
+ field("daddr"),
+ field("sport"),
+ field("dport"),
+ ],
+ });
+
+ var dup280 = setc("direction","incoming");
+
+ var dup281 = setc("eventcategory","1801000000");
+
+ var dup282 = setf("action","disposition");
+
+ var dup283 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}");
+
+ var dup284 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}");
+
+ var dup285 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}");
+
+ var dup286 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr");
+
+ var dup287 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}");
+
+ var dup288 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}");
+
+ var dup289 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}");
+
+ var dup290 = setc("eventcategory","1401050200");
+
+ var dup291 = call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$IN"),
+ field("daddr"),
+ field("saddr"),
+ ],
+ });
+
+ var dup292 = call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$IN"),
+ field("daddr"),
+ field("saddr"),
+ field("dport"),
+ field("sport"),
+ ],
+ });
+
+ var dup293 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times.");
+
+ var dup294 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.");
+
+ var dup295 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}");
+
+ var dup296 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var dup297 = setc("eventcategory","1204000000");
+
+ var dup298 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var dup299 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}");
+
+ var dup300 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})");
+
+ var dup301 = setc("eventcategory","1801020000");
+
+ var dup302 = setc("disposition","failed");
+
+ var dup303 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}");
+
+ var dup304 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}");
+
+ var dup305 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}");
+
+ var dup306 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}");
+
+ var dup307 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}");
+
+ var dup308 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}");
+
+ var dup309 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}");
+
+ var dup310 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}");
+
+ var dup311 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}");
+
+ var dup312 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}");
+
+ var dup313 = setc("eventcategory","1803020000");
+
+ var dup314 = setc("eventcategory","1613030000");
+
+ var dup315 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}");
+
+ var dup316 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}");
+
+ var dup317 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}");
+
+ var dup318 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}");
+
+ var dup319 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}");
+
+ var dup320 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}");
+
+ var dup321 = match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}");
+
+ var dup322 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}");
+
+ var dup323 = setc("event_description","Cannot connect to NSM server");
+
+ var dup324 = setc("eventcategory","1603040000");
+
+ var dup325 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}");
+
+ var dup326 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}");
+
+ var dup327 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}");
+
+ var dup328 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}");
+
+ var dup329 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}");
+
+ var dup330 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}");
+
+ var dup331 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}");
+
+ var dup332 = call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$OUT"),
+ field("daddr"),
+ field("saddr"),
+ field("dport"),
+ field("sport"),
+ ],
+ });
+
+ var dup333 = linear_select([
+ dup10,
+ dup11,
+ ]);
+
+ var dup334 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var dup335 = linear_select([
+ dup13,
+ dup14,
+ ]);
+
+ var dup336 = linear_select([
+ dup15,
+ dup16,
+ ]);
+
+ var dup337 = linear_select([
+ dup56,
+ dup57,
+ ]);
+
+ var dup338 = linear_select([
+ dup65,
+ dup66,
+ ]);
+
+ var dup339 = linear_select([
+ dup68,
+ dup69,
+ ]);
+
+ var dup340 = linear_select([
+ dup71,
+ dup72,
+ ]);
+
+ var dup341 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var dup342 = linear_select([
+ dup74,
+ dup75,
+ ]);
+
+ var dup343 = linear_select([
+ dup81,
+ dup82,
+ ]);
+
+ var dup344 = linear_select([
+ dup24,
+ dup90,
+ ]);
+
+ var dup345 = linear_select([
+ dup94,
+ dup95,
+ ]);
+
+ var dup346 = linear_select([
+ dup98,
+ dup99,
+ ]);
+
+ var dup347 = linear_select([
+ dup100,
+ dup101,
+ dup102,
+ ]);
+
+ var dup348 = linear_select([
+ dup113,
+ dup114,
+ ]);
+
+ var dup349 = linear_select([
+ dup111,
+ dup16,
+ ]);
+
+ var dup350 = linear_select([
+ dup127,
+ dup107,
+ ]);
+
+ var dup351 = linear_select([
+ dup8,
+ dup21,
+ ]);
+
+ var dup352 = linear_select([
+ dup122,
+ dup133,
+ ]);
+
+ var dup353 = linear_select([
+ dup142,
+ dup143,
+ ]);
+
+ var dup354 = linear_select([
+ dup145,
+ dup21,
+ ]);
+
+ var dup355 = linear_select([
+ dup127,
+ dup106,
+ ]);
+
+ var dup356 = linear_select([
+ dup152,
+ dup96,
+ ]);
+
+ var dup357 = linear_select([
+ dup154,
+ dup155,
+ ]);
+
+ var dup358 = linear_select([
+ dup156,
+ dup157,
+ ]);
+
+ var dup359 = linear_select([
+ dup99,
+ dup134,
+ ]);
+
+ var dup360 = linear_select([
+ dup158,
+ dup159,
+ ]);
+
+ var dup361 = linear_select([
+ dup161,
+ dup162,
+ ]);
+
+ var dup362 = linear_select([
+ dup163,
+ dup103,
+ ]);
+
+ var dup363 = linear_select([
+ dup162,
+ dup161,
+ ]);
+
+ var dup364 = linear_select([
+ dup46,
+ dup47,
+ ]);
+
+ var dup365 = linear_select([
+ dup166,
+ dup167,
+ ]);
+
+ var dup366 = linear_select([
+ dup172,
+ dup173,
+ ]);
+
+ var dup367 = linear_select([
+ dup174,
+ dup175,
+ dup176,
+ dup177,
+ dup178,
+ dup179,
+ dup180,
+ dup181,
+ dup182,
+ ]);
+
+ var dup368 = linear_select([
+ dup49,
+ dup21,
+ ]);
+
+ var dup369 = linear_select([
+ dup189,
+ dup190,
+ ]);
+
+ var dup370 = linear_select([
+ dup96,
+ dup152,
+ ]);
+
+ var dup371 = linear_select([
+ dup196,
+ dup197,
+ ]);
+
+ var dup372 = linear_select([
+ dup24,
+ dup200,
+ ]);
+
+ var dup373 = linear_select([
+ dup103,
+ dup163,
+ ]);
+
+ var dup374 = linear_select([
+ dup205,
+ dup118,
+ ]);
+
+ var dup375 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var dup376 = linear_select([
+ dup212,
+ dup213,
+ ]);
+
+ var dup377 = linear_select([
+ dup215,
+ dup216,
+ ]);
+
+ var dup378 = linear_select([
+ dup222,
+ dup215,
+ ]);
+
+ var dup379 = linear_select([
+ dup224,
+ dup225,
+ ]);
+
+ var dup380 = linear_select([
+ dup231,
+ dup124,
+ ]);
+
+ var dup381 = linear_select([
+ dup229,
+ dup230,
+ ]);
+
+ var dup382 = linear_select([
+ dup233,
+ dup234,
+ ]);
+
+ var dup383 = linear_select([
+ dup236,
+ dup237,
+ ]);
+
+ var dup384 = linear_select([
+ dup242,
+ dup243,
+ ]);
+
+ var dup385 = linear_select([
+ dup245,
+ dup246,
+ ]);
+
+ var dup386 = linear_select([
+ dup247,
+ dup248,
+ ]);
+
+ var dup387 = linear_select([
+ dup249,
+ dup250,
+ ]);
+
+ var dup388 = linear_select([
+ dup251,
+ dup252,
+ ]);
+
+ var dup389 = linear_select([
+ dup260,
+ dup261,
+ ]);
+
+ var dup390 = linear_select([
+ dup264,
+ dup265,
+ ]);
+
+ var dup391 = linear_select([
+ dup268,
+ dup269,
+ ]);
+
+ var dup392 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var dup393 = linear_select([
+ dup284,
+ dup285,
+ ]);
+
+ var dup394 = linear_select([
+ dup287,
+ dup288,
+ ]);
+
+ var dup395 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup4,
+ dup5,
+ dup3,
+ dup60,
+ ]));
+
+ var dup396 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup4,
+ dup59,
+ dup5,
+ dup9,
+ dup2,
+ dup3,
+ dup60,
+ ]));
+
+ var dup397 = linear_select([
+ dup300,
+ dup26,
+ ]);
+
+ var dup398 = linear_select([
+ dup115,
+ dup303,
+ ]);
+
+ var dup399 = linear_select([
+ dup125,
+ dup96,
+ ]);
+
+ var dup400 = linear_select([
+ dup189,
+ dup308,
+ dup309,
+ ]);
+
+ var dup401 = linear_select([
+ dup310,
+ dup16,
+ ]);
+
+ var dup402 = linear_select([
+ dup317,
+ dup318,
+ ]);
+
+ var dup403 = linear_select([
+ dup319,
+ dup315,
+ ]);
+
+ var dup404 = linear_select([
+ dup322,
+ dup250,
+ ]);
+
+ var dup405 = linear_select([
+ dup327,
+ dup329,
+ ]);
+
+ var dup406 = linear_select([
+ dup330,
+ dup129,
+ ]);
+
+ var dup407 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup60,
+ dup282,
+ ]));
+
+ var dup408 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup276,
+ dup277,
+ dup60,
+ ]));
+
+ var dup409 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup60,
+ dup282,
+ ]));
+
+ var dup410 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup276,
+ dup277,
+ dup61,
+ ]));
+
+ var dup411 = all_match({
+ processors: [
+ dup263,
+ dup390,
+ dup266,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var dup412 = all_match({
+ processors: [
+ dup267,
+ dup391,
+ dup270,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var dup413 = all_match({
+ processors: [
+ dup80,
+ dup343,
+ dup293,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var dup414 = all_match({
+ processors: [
+ dup296,
+ dup343,
+ dup131,
+ ],
+ on_success: processor_chain([
+ dup297,
+ dup2,
+ dup3,
+ dup9,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var dup415 = all_match({
+ processors: [
+ dup298,
+ dup343,
+ dup131,
+ ],
+ on_success: processor_chain([
+ dup297,
+ dup2,
+ dup3,
+ dup9,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var hdr1 = match("HEADER#0:0001", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [No Name]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([
+ setc("header_id","0001"),
+ ]));
+
+ var hdr2 = match("HEADER#1:0003", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [%{hvsys}]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([
+ setc("header_id","0003"),
+ ]));
+
+ var hdr3 = match("HEADER#2:0004", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([
+ setc("header_id","0004"),
+ ]));
+
+ var hdr4 = match("HEADER#3:0002/0", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} %{p0}");
+
+ var part1 = match("HEADER#3:0002/1_0", "nwparser.p0", "[No Name]system%{p0}");
+
+ var part2 = match("HEADER#3:0002/1_1", "nwparser.p0", "[%{hvsys}]system%{p0}");
+
+ var part3 = match("HEADER#3:0002/1_2", "nwparser.p0", "system%{p0}");
+
+ var select1 = linear_select([
+ part1,
+ part2,
+ part3,
+ ]);
+
+ var part4 = match("HEADER#3:0002/2", "nwparser.p0", "-%{hseverity}-%{messageid}: %{payload}");
+
+ var all1 = all_match({
+ processors: [
+ hdr4,
+ select1,
+ part4,
+ ],
+ on_success: processor_chain([
+ setc("header_id","0002"),
+ ]),
+ });
+
+ var select2 = linear_select([
+ hdr1,
+ hdr2,
+ hdr3,
+ all1,
+ ]);
+
+ var part5 = match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} with ip address %{hostip->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1 = msg("00001", part5);
+
+ var part6 = match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface->} with domain name %{domain->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg2 = msg("00001:01", part6);
+
+ var part7 = match("MESSAGE#2:00001:02/1_0", "nwparser.p0", "ip address %{hostip->} in zone %{p0}");
+
+ var select3 = linear_select([
+ part7,
+ dup7,
+ ]);
+
+ var part8 = match("MESSAGE#2:00001:02/2", "nwparser.p0", "%{zone->} has been %{disposition}");
+
+ var all2 = all_match({
+ processors: [
+ dup6,
+ select3,
+ part8,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg3 = msg("00001:02", all2);
+
+ var part9 = match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface changed!", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg4 = msg("00001:03", part9);
+
+ var part10 = match("MESSAGE#4:00001:04/1_0", "nwparser.p0", "IP address %{hostip->} in zone %{p0}");
+
+ var select4 = linear_select([
+ part10,
+ dup7,
+ ]);
+
+ var part11 = match("MESSAGE#4:00001:04/2", "nwparser.p0", "%{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} session%{p0}");
+
+ var part12 = match("MESSAGE#4:00001:04/3_1", "nwparser.p0", ".%{fld1}");
+
+ var select5 = linear_select([
+ dup8,
+ part12,
+ ]);
+
+ var all3 = all_match({
+ processors: [
+ dup6,
+ select4,
+ part11,
+ select5,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg5 = msg("00001:04", all3);
+
+ var part13 = match("MESSAGE#5:00001:05/0", "nwparser.payload", "%{fld2}: Address %{group_object->} for ip address %{hostip->} in zone %{zone->} has been %{disposition->} from host %{saddr->} session %{p0}");
+
+ var all4 = all_match({
+ processors: [
+ part13,
+ dup333,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg6 = msg("00001:05", all4);
+
+ var part14 = match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg7 = msg("00001:06", part14);
+
+ var msg8 = msg("00001:07", dup334);
+
+ var part15 = match("MESSAGE#8:00001:08/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{p0}");
+
+ var part16 = match("MESSAGE#8:00001:08/4", "nwparser.p0", "%{} %{username}via NSRP Peer session. (%{fld1})");
+
+ var all5 = all_match({
+ processors: [
+ dup12,
+ dup335,
+ part15,
+ dup336,
+ part16,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg9 = msg("00001:08", all5);
+
+ var part17 = match("MESSAGE#9:00001:09/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} session. (%{fld1})");
+
+ var all6 = all_match({
+ processors: [
+ dup12,
+ dup335,
+ part17,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg10 = msg("00001:09", all6);
+
+ var select6 = linear_select([
+ msg1,
+ msg2,
+ msg3,
+ msg4,
+ msg5,
+ msg6,
+ msg7,
+ msg8,
+ msg9,
+ msg10,
+ ]);
+
+ var part18 = match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg11 = msg("00002:03", part18);
+
+ var part19 = match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg12 = msg("00002:04", part19);
+
+ var part20 = match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg13 = msg("00002:05", part20);
+
+ var part21 = match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with e-mail notification of event alarms has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg14 = msg("00002:06", part21);
+
+ var part22 = match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action->} and the LCD control keys have been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg15 = msg("00002:07", part22);
+
+ var part23 = match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{fld2->} is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg16 = msg("00002:55", part23);
+
+ var part24 = match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg17 = msg("00002:08", part24);
+
+ var part25 = match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg18 = msg("00002:09", part25);
+
+ var part26 = match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg19 = msg("00002:10", part26);
+
+ var part27 = match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{hostip->} %{fld2->} has been %{disposition}", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg20 = msg("00002:11", part27);
+
+ var part28 = match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg21 = msg("00002:12", part28);
+
+ var part29 = match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been %{disposition}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg22 = msg("00002:15", part29);
+
+ var msg23 = msg("00002:17", dup334);
+
+ var part30 = match("MESSAGE#23:00002:18/0", "nwparser.payload", "Unexpected error from e%{p0}");
+
+ var part31 = match("MESSAGE#23:00002:18/1_0", "nwparser.p0", "-mail %{p0}");
+
+ var part32 = match("MESSAGE#23:00002:18/1_1", "nwparser.p0", "mail %{p0}");
+
+ var select7 = linear_select([
+ part31,
+ part32,
+ ]);
+
+ var part33 = match("MESSAGE#23:00002:18/2", "nwparser.p0", "server(%{fld2}):");
+
+ var all7 = all_match({
+ processors: [
+ part30,
+ select7,
+ part33,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg24 = msg("00002:18", all7);
+
+ var part34 = match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute->} value has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg25 = msg("00002:19", part34);
+
+ var part35 = match("MESSAGE#25:00002:20/0", "nwparser.payload", "Root admin password restriction of minimum %{fld2->} characters has been %{disposition->} by admin %{administrator->} %{p0}");
+
+ var part36 = match("MESSAGE#25:00002:20/1_0", "nwparser.p0", "from Console %{}");
+
+ var select8 = linear_select([
+ part36,
+ dup20,
+ dup21,
+ ]);
+
+ var all8 = all_match({
+ processors: [
+ part35,
+ select8,
+ ],
+ on_success: processor_chain([
+ dup22,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg26 = msg("00002:20", all8);
+
+ var part37 = match("MESSAGE#26:00002:21/0_0", "nwparser.payload", "Root admin %{p0}");
+
+ var part38 = match("MESSAGE#26:00002:21/0_1", "nwparser.payload", "%{fld2->} admin %{p0}");
+
+ var select9 = linear_select([
+ part37,
+ part38,
+ ]);
+
+ var select10 = linear_select([
+ dup24,
+ dup25,
+ ]);
+
+ var part39 = match("MESSAGE#26:00002:21/3", "nwparser.p0", "has been changed by admin %{administrator}");
+
+ var all9 = all_match({
+ processors: [
+ select9,
+ dup23,
+ select10,
+ part39,
+ ],
+ on_success: processor_chain([
+ dup22,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg27 = msg("00002:21", all9);
+
+ var part40 = match("MESSAGE#27:00002:22/0", "nwparser.payload", "%{change_attribute->} from %{protocol->} before administrative session disconnects has been changed from %{change_old->} to %{change_new->} by admin %{p0}");
+
+ var part41 = match("MESSAGE#27:00002:22/1_0", "nwparser.p0", "%{administrator->} from Console");
+
+ var part42 = match("MESSAGE#27:00002:22/1_1", "nwparser.p0", "%{administrator->} from host %{saddr}");
+
+ var select11 = linear_select([
+ part41,
+ part42,
+ dup26,
+ ]);
+
+ var all10 = all_match({
+ processors: [
+ part40,
+ select11,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg28 = msg("00002:22", all10);
+
+ var part43 = match("MESSAGE#28:00002:23/0", "nwparser.payload", "Root admin access restriction through console only has been %{disposition->} by admin %{administrator->} %{p0}");
+
+ var part44 = match("MESSAGE#28:00002:23/1_1", "nwparser.p0", "from Console%{}");
+
+ var select12 = linear_select([
+ dup20,
+ part44,
+ dup21,
+ ]);
+
+ var all11 = all_match({
+ processors: [
+ part43,
+ select12,
+ ],
+ on_success: processor_chain([
+ dup22,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg29 = msg("00002:23", all11);
+
+ var part45 = match("MESSAGE#29:00002:24/0", "nwparser.payload", "Admin access restriction of %{protocol->} administration through tunnel only has been %{disposition->} by admin %{administrator->} from %{p0}");
+
+ var part46 = match("MESSAGE#29:00002:24/1_0", "nwparser.p0", "host %{saddr}");
+
+ var part47 = match("MESSAGE#29:00002:24/1_1", "nwparser.p0", "Console%{}");
+
+ var select13 = linear_select([
+ part46,
+ part47,
+ ]);
+
+ var all12 = all_match({
+ processors: [
+ part45,
+ select13,
+ ],
+ on_success: processor_chain([
+ dup22,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg30 = msg("00002:24", all12);
+
+ var part48 = match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of an %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ setc("eventcategory","1402000000"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg31 = msg("00002:25", part48);
+
+ var part49 = match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail server %{hostip}.", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg32 = msg("00002:26", part49);
+
+ var part50 = match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server is not configured.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg33 = msg("00002:27", part50);
+
+ var part51 = match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not configured.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg34 = msg("00002:28", part51);
+
+ var part52 = match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restriction for read-write administrators has been %{disposition->} by admin %{administrator}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg35 = msg("00002:29", part52);
+
+ var part53 = match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([
+ dup28,
+ dup29,
+ dup30,
+ dup31,
+ dup32,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg36 = msg("00002:30", part53);
+
+ var part54 = match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([
+ dup33,
+ dup29,
+ dup34,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg37 = msg("00002:41", part54);
+
+ var part55 = match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} %{space->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([
+ dup35,
+ dup29,
+ dup30,
+ dup31,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg38 = msg("00002:31", part55);
+
+ var part56 = match("MESSAGE#38:00002:32/0_0", "nwparser.payload", "E-mail notification %{p0}");
+
+ var part57 = match("MESSAGE#38:00002:32/0_1", "nwparser.payload", "Transparent virutal %{p0}");
+
+ var select14 = linear_select([
+ part56,
+ part57,
+ ]);
+
+ var part58 = match("MESSAGE#38:00002:32/1", "nwparser.p0", "wire mode has been %{disposition}");
+
+ var all13 = all_match({
+ processors: [
+ select14,
+ part58,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg39 = msg("00002:32", all13);
+
+ var part59 = match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has been %{disposition->} for zone %{zone}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg40 = msg("00002:35", part59);
+
+ var part60 = match("MESSAGE#40:00002:36/0", "nwparser.payload", "Bypass%{p0}");
+
+ var part61 = match("MESSAGE#40:00002:36/1_0", "nwparser.p0", "-others-IPSec %{p0}");
+
+ var part62 = match("MESSAGE#40:00002:36/1_1", "nwparser.p0", " non-IP traffic %{p0}");
+
+ var select15 = linear_select([
+ part61,
+ part62,
+ ]);
+
+ var part63 = match("MESSAGE#40:00002:36/2", "nwparser.p0", "option has been %{disposition}");
+
+ var all14 = all_match({
+ processors: [
+ part60,
+ select15,
+ part63,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg41 = msg("00002:36", all14);
+
+ var part64 = match("MESSAGE#41:00002:37/0", "nwparser.payload", "Logging of %{p0}");
+
+ var part65 = match("MESSAGE#41:00002:37/1_0", "nwparser.p0", "dropped %{p0}");
+
+ var part66 = match("MESSAGE#41:00002:37/1_1", "nwparser.p0", "IKE %{p0}");
+
+ var part67 = match("MESSAGE#41:00002:37/1_2", "nwparser.p0", "SNMP %{p0}");
+
+ var part68 = match("MESSAGE#41:00002:37/1_3", "nwparser.p0", "ICMP %{p0}");
+
+ var select16 = linear_select([
+ part65,
+ part66,
+ part67,
+ part68,
+ ]);
+
+ var part69 = match("MESSAGE#41:00002:37/2", "nwparser.p0", "traffic to self has been %{disposition}");
+
+ var all15 = all_match({
+ processors: [
+ part64,
+ select16,
+ part69,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg42 = msg("00002:37", all15);
+
+ var part70 = match("MESSAGE#42:00002:38/0", "nwparser.payload", "Logging of dropped traffic to self (excluding multicast) has been %{p0}");
+
+ var part71 = match("MESSAGE#42:00002:38/1_0", "nwparser.p0", "%{disposition->} on %{zone}");
+
+ var select17 = linear_select([
+ part71,
+ dup36,
+ ]);
+
+ var all16 = all_match({
+ processors: [
+ part70,
+ select17,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg43 = msg("00002:38", all16);
+
+ var part72 = match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg44 = msg("00002:39", part72);
+
+ var part73 = match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{username}' by %{administrator->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([
+ dup37,
+ dup29,
+ setc("ec_activity","Create"),
+ dup38,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg45 = msg("00002:40", part73);
+
+ var part74 = match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requested for unknown user %{username}. Possible HA syncronization problem.", processor_chain([
+ dup35,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg46 = msg("00002:44", part74);
+
+ var part75 = match("MESSAGE#46:00002:42/0", "nwparser.payload", "%{change_attribute->} for account '%{change_old}' has been %{disposition->} to '%{change_new}' %{p0}");
+
+ var part76 = match("MESSAGE#46:00002:42/1_0", "nwparser.p0", "by %{administrator->} via %{p0}");
+
+ var select18 = linear_select([
+ part76,
+ dup40,
+ ]);
+
+ var part77 = match("MESSAGE#46:00002:42/2", "nwparser.p0", "%{logon_type->} from host %{p0}");
+
+ var part78 = match("MESSAGE#46:00002:42/3_0", "nwparser.p0", "%{saddr->} to %{daddr}:%{dport->} (%{p0}");
+
+ var part79 = match("MESSAGE#46:00002:42/3_1", "nwparser.p0", "%{saddr}:%{sport->} (%{p0}");
+
+ var select19 = linear_select([
+ part78,
+ part79,
+ ]);
+
+ var all17 = all_match({
+ processors: [
+ part75,
+ select18,
+ part77,
+ select19,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup42,
+ dup43,
+ dup38,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg47 = msg("00002:42", all17);
+
+ var part80 = match("MESSAGE#47:00002:43/0", "nwparser.payload", "Admin account %{disposition->} for %{p0}");
+
+ var part81 = match("MESSAGE#47:00002:43/1_0", "nwparser.p0", "'%{username}'%{p0}");
+
+ var part82 = match("MESSAGE#47:00002:43/1_1", "nwparser.p0", "\"%{username}\"%{p0}");
+
+ var select20 = linear_select([
+ part81,
+ part82,
+ ]);
+
+ var part83 = match("MESSAGE#47:00002:43/2", "nwparser.p0", "%{}by %{administrator->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})");
+
+ var all18 = all_match({
+ processors: [
+ part80,
+ select20,
+ part83,
+ ],
+ on_success: processor_chain([
+ dup42,
+ dup29,
+ dup43,
+ dup38,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg48 = msg("00002:43", all18);
+
+ var part84 = match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([
+ dup42,
+ dup29,
+ dup43,
+ dup38,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg49 = msg("00002:50", part84);
+
+ var part85 = match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} %{fld2->} via %{logon_type->} (%{fld1})", processor_chain([
+ dup42,
+ dup29,
+ dup43,
+ dup38,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg50 = msg("00002:51", part85);
+
+ var part86 = match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg51 = msg("00002:45", part86);
+
+ var part87 = match("MESSAGE#51:00002:47/0_0", "nwparser.payload", "Ping of Death attack protection %{p0}");
+
+ var part88 = match("MESSAGE#51:00002:47/0_1", "nwparser.payload", "Src Route IP option filtering %{p0}");
+
+ var part89 = match("MESSAGE#51:00002:47/0_2", "nwparser.payload", "Teardrop attack protection %{p0}");
+
+ var part90 = match("MESSAGE#51:00002:47/0_3", "nwparser.payload", "Land attack protection %{p0}");
+
+ var part91 = match("MESSAGE#51:00002:47/0_4", "nwparser.payload", "SYN flood protection %{p0}");
+
+ var select21 = linear_select([
+ part87,
+ part88,
+ part89,
+ part90,
+ part91,
+ ]);
+
+ var part92 = match("MESSAGE#51:00002:47/1", "nwparser.p0", "is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})");
+
+ var all19 = all_match({
+ processors: [
+ select21,
+ part92,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg52 = msg("00002:47", all19);
+
+ var part93 = match("MESSAGE#52:00002:48/0", "nwparser.payload", "Dropping pkts if not %{p0}");
+
+ var part94 = match("MESSAGE#52:00002:48/1_0", "nwparser.p0", "exactly same with incoming if %{p0}");
+
+ var part95 = match("MESSAGE#52:00002:48/1_1", "nwparser.p0", "in route table %{p0}");
+
+ var select22 = linear_select([
+ part94,
+ part95,
+ ]);
+
+ var part96 = match("MESSAGE#52:00002:48/2", "nwparser.p0", "(IP spoof protection) is %{disposition->} on zone %{zone->} by %{username->} via %{p0}");
+
+ var part97 = match("MESSAGE#52:00002:48/3_0", "nwparser.p0", "NSRP Peer. (%{p0}");
+
+ var select23 = linear_select([
+ part97,
+ dup45,
+ ]);
+
+ var all20 = all_match({
+ processors: [
+ part93,
+ select22,
+ part96,
+ select23,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg53 = msg("00002:48", all20);
+
+ var part98 = match("MESSAGE#53:00002:52/0", "nwparser.payload", "%{signame->} %{p0}");
+
+ var part99 = match("MESSAGE#53:00002:52/1_0", "nwparser.p0", "protection%{p0}");
+
+ var part100 = match("MESSAGE#53:00002:52/1_1", "nwparser.p0", "limiting%{p0}");
+
+ var part101 = match("MESSAGE#53:00002:52/1_2", "nwparser.p0", "detection%{p0}");
+
+ var part102 = match("MESSAGE#53:00002:52/1_3", "nwparser.p0", "filtering %{p0}");
+
+ var select24 = linear_select([
+ part99,
+ part100,
+ part101,
+ part102,
+ ]);
+
+ var part103 = match("MESSAGE#53:00002:52/2", "nwparser.p0", "%{}is %{disposition->} on zone %{zone->} by %{p0}");
+
+ var part104 = match("MESSAGE#53:00002:52/3_1", "nwparser.p0", "admin via %{p0}");
+
+ var select25 = linear_select([
+ dup46,
+ part104,
+ dup47,
+ ]);
+
+ var select26 = linear_select([
+ dup48,
+ dup45,
+ ]);
+
+ var all21 = all_match({
+ processors: [
+ part98,
+ select24,
+ part103,
+ select25,
+ select26,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg54 = msg("00002:52", all21);
+
+ var part105 = match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"%{username}\" has been %{disposition->} by %{administrator->} via %{logon_type->} (%{fld1})", processor_chain([
+ dup42,
+ dup43,
+ dup38,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg55 = msg("00002:53", part105);
+
+ var part106 = match("MESSAGE#55:00002:54/0", "nwparser.payload", "Traffic shaping clearing DSCP selector is turned O%{p0}");
+
+ var part107 = match("MESSAGE#55:00002:54/1_0", "nwparser.p0", "FF%{p0}");
+
+ var part108 = match("MESSAGE#55:00002:54/1_1", "nwparser.p0", "N%{p0}");
+
+ var select27 = linear_select([
+ part107,
+ part108,
+ ]);
+
+ var all22 = all_match({
+ processors: [
+ part106,
+ select27,
+ dup49,
+ ],
+ on_success: processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg56 = msg("00002:54", all22);
+
+ var part109 = match("MESSAGE#56:00002/0", "nwparser.payload", "%{change_attribute->} %{p0}");
+
+ var part110 = match("MESSAGE#56:00002/1_0", "nwparser.p0", "has been changed%{p0}");
+
+ var select28 = linear_select([
+ part110,
+ dup52,
+ ]);
+
+ var part111 = match("MESSAGE#56:00002/2", "nwparser.p0", "%{}from %{change_old->} to %{change_new}");
+
+ var all23 = all_match({
+ processors: [
+ part109,
+ select28,
+ part111,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg57 = msg("00002", all23);
+
+ var part112 = match("MESSAGE#1215:00002:56", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed. (%{fld1})", processor_chain([
+ dup53,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg58 = msg("00002:56", part112);
+
+ var select29 = linear_select([
+ msg11,
+ msg12,
+ msg13,
+ msg14,
+ msg15,
+ msg16,
+ msg17,
+ msg18,
+ msg19,
+ msg20,
+ msg21,
+ msg22,
+ msg23,
+ msg24,
+ msg25,
+ msg26,
+ msg27,
+ msg28,
+ msg29,
+ msg30,
+ msg31,
+ msg32,
+ msg33,
+ msg34,
+ msg35,
+ msg36,
+ msg37,
+ msg38,
+ msg39,
+ msg40,
+ msg41,
+ msg42,
+ msg43,
+ msg44,
+ msg45,
+ msg46,
+ msg47,
+ msg48,
+ msg49,
+ msg50,
+ msg51,
+ msg52,
+ msg53,
+ msg54,
+ msg55,
+ msg56,
+ msg57,
+ msg58,
+ ]);
+
+ var part113 = match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([
+ dup53,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg59 = msg("00003", part113);
+
+ var part114 = match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failures have been detected!%{}", processor_chain([
+ dup53,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg60 = msg("00003:01", part114);
+
+ var part115 = match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has been %{disposition}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg61 = msg("00003:02", part115);
+
+ var part116 = match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed from %{change_old->} to %{change_new}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg62 = msg("00003:03", part116);
+
+ var part117 = match("MESSAGE#61:00003:05/1_0", "nwparser.p0", "serial%{p0}");
+
+ var part118 = match("MESSAGE#61:00003:05/1_1", "nwparser.p0", "local%{p0}");
+
+ var select30 = linear_select([
+ part117,
+ part118,
+ ]);
+
+ var part119 = match("MESSAGE#61:00003:05/2", "nwparser.p0", "%{}console has been %{disposition->} by admin %{administrator}.");
+
+ var all24 = all_match({
+ processors: [
+ dup55,
+ select30,
+ part119,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg63 = msg("00003:05", all24);
+
+ var select31 = linear_select([
+ msg59,
+ msg60,
+ msg61,
+ msg62,
+ msg63,
+ ]);
+
+ var part120 = match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been changed", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg64 = msg("00004", part120);
+
+ var part121 = match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{disposition}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg65 = msg("00004:01", part121);
+
+ var part122 = match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{disposition}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg66 = msg("00004:02", part122);
+
+ var part123 = match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been %{disposition}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg67 = msg("00004:03", part123);
+
+ var part124 = match("MESSAGE#66:00004:04/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr->} using protocol %{protocol->} on %{p0}");
+
+ var part125 = match("MESSAGE#66:00004:04/2", "nwparser.p0", "%{} %{interface->} %{space}The attack occurred %{dclass_counter1->} times");
+
+ var all25 = all_match({
+ processors: [
+ part124,
+ dup337,
+ part125,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup5,
+ dup59,
+ dup3,
+ dup60,
+ ]),
+ });
+
+ var msg68 = msg("00004:04", all25);
+
+ var part126 = match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol}", processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup61,
+ ]));
+
+ var msg69 = msg("00004:05", part126);
+
+ var part127 = match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been changed to start at %{fld2}:%{fld3->} with an interval of %{fld4}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg70 = msg("00004:06", part127);
+
+ var part128 = match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have been refreshed as result of external event.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg71 = msg("00004:07", part128);
+
+ var part129 = match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg72 = msg("00004:08", part129);
+
+ var part130 = match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more concurrent client requests than allowed.%{}", processor_chain([
+ dup62,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg73 = msg("00004:09", part130);
+
+ var part131 = match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table entries exceeded maximum limit.%{}", processor_chain([
+ dup62,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg74 = msg("00004:10", part131);
+
+ var part132 = match("MESSAGE#73:00004:11", "nwparser.payload", "Proxy server select table added with domain %{domain}, interface %{interface}, primary-ip %{fld2}, secondary-ip %{fld3}, tertiary-ip %{fld4}, failover %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg75 = msg("00004:11", part132);
+
+ var part133 = match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table entry %{disposition->} with domain %{domain}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg76 = msg("00004:12", part133);
+
+ var part134 = match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} returned incorrect ip %{fld2}, local-ip should be %{fld3}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg77 = msg("00004:13", part134);
+
+ var part135 = match("MESSAGE#76:00004:14/1_0", "nwparser.p0", "automatically refreshed %{p0}");
+
+ var part136 = match("MESSAGE#76:00004:14/1_1", "nwparser.p0", "refreshed by HA %{p0}");
+
+ var select32 = linear_select([
+ part135,
+ part136,
+ ]);
+
+ var all26 = all_match({
+ processors: [
+ dup63,
+ select32,
+ dup49,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg78 = msg("00004:14", all26);
+
+ var part137 = match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshed as result of DNS server address change. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg79 = msg("00004:15", part137);
+
+ var part138 = match("MESSAGE#78:00004:16", "nwparser.payload", "DNS entries have been manually refreshed. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg80 = msg("00004:16", part138);
+
+ var all27 = all_match({
+ processors: [
+ dup64,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup59,
+ dup9,
+ dup5,
+ dup3,
+ dup60,
+ ]),
+ });
+
+ var msg81 = msg("00004:17", all27);
+
+ var select33 = linear_select([
+ msg64,
+ msg65,
+ msg66,
+ msg67,
+ msg68,
+ msg69,
+ msg70,
+ msg71,
+ msg72,
+ msg73,
+ msg74,
+ msg75,
+ msg76,
+ msg77,
+ msg78,
+ msg79,
+ msg80,
+ msg81,
+ ]);
+
+ var part139 = match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from the same source has been changed to %{trigger_val}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg82 = msg("00005", part139);
+
+ var part140 = match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic to self has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg83 = msg("00005:01", part140);
+
+ var part141 = match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been changed to %{fld3}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg84 = msg("00005:02", part141);
+
+ var part142 = match("MESSAGE#83:00005:03/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{p0}");
+
+ var part143 = match("MESSAGE#83:00005:03/4", "nwparser.p0", "%{fld99}interface %{interface->} %{p0}");
+
+ var part144 = match("MESSAGE#83:00005:03/5_0", "nwparser.p0", "in zone %{zone}. %{p0}");
+
+ var select34 = linear_select([
+ part144,
+ dup73,
+ ]);
+
+ var part145 = match("MESSAGE#83:00005:03/6", "nwparser.p0", "%{space}The attack occurred %{dclass_counter1->} times");
+
+ var all28 = all_match({
+ processors: [
+ part142,
+ dup339,
+ dup70,
+ dup340,
+ part143,
+ select34,
+ part145,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup59,
+ dup61,
+ ]),
+ });
+
+ var msg85 = msg("00005:03", all28);
+
+ var msg86 = msg("00005:04", dup341);
+
+ var part146 = match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2->} mode when receiving unknown dst mac has been %{disposition->} on %{zone}.", processor_chain([
+ setc("eventcategory","1001020100"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg87 = msg("00005:05", part146);
+
+ var part147 = match("MESSAGE#86:00005:06/1", "nwparser.p0", "flood timeout has been set to %{trigger_val->} on %{zone}.");
+
+ var all29 = all_match({
+ processors: [
+ dup342,
+ part147,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg88 = msg("00005:06", all29);
+
+ var part148 = match("MESSAGE#87:00005:07/0", "nwparser.payload", "SYN flood %{p0}");
+
+ var part149 = match("MESSAGE#87:00005:07/1_0", "nwparser.p0", "alarm threshold %{p0}");
+
+ var part150 = match("MESSAGE#87:00005:07/1_1", "nwparser.p0", "packet queue size %{p0}");
+
+ var part151 = match("MESSAGE#87:00005:07/1_3", "nwparser.p0", "attack threshold %{p0}");
+
+ var part152 = match("MESSAGE#87:00005:07/1_4", "nwparser.p0", "same source IP threshold %{p0}");
+
+ var select35 = linear_select([
+ part149,
+ part150,
+ dup76,
+ part151,
+ part152,
+ ]);
+
+ var part153 = match("MESSAGE#87:00005:07/2", "nwparser.p0", "is set to %{trigger_val}.");
+
+ var all30 = all_match({
+ processors: [
+ part148,
+ select35,
+ part153,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg89 = msg("00005:07", all30);
+
+ var part154 = match("MESSAGE#88:00005:08/1", "nwparser.p0", "flood same %{p0}");
+
+ var select36 = linear_select([
+ dup77,
+ dup78,
+ ]);
+
+ var part155 = match("MESSAGE#88:00005:08/3", "nwparser.p0", "ip threshold has been set to %{trigger_val->} on %{zone}.");
+
+ var all31 = all_match({
+ processors: [
+ dup342,
+ part154,
+ select36,
+ part155,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg90 = msg("00005:08", all31);
+
+ var part156 = match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is %{disposition->} on interface %{interface}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg91 = msg("00005:09", part156);
+
+ var part157 = match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is %{disposition->} on %{zone}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg92 = msg("00005:10", part157);
+
+ var part158 = match("MESSAGE#91:00005:11/0", "nwparser.payload", "The SYN flood %{p0}");
+
+ var part159 = match("MESSAGE#91:00005:11/1_0", "nwparser.p0", "alarm threshold%{}");
+
+ var part160 = match("MESSAGE#91:00005:11/1_1", "nwparser.p0", "packet queue size%{}");
+
+ var part161 = match("MESSAGE#91:00005:11/1_2", "nwparser.p0", "timeout value%{}");
+
+ var part162 = match("MESSAGE#91:00005:11/1_3", "nwparser.p0", "attack threshold%{}");
+
+ var part163 = match("MESSAGE#91:00005:11/1_4", "nwparser.p0", "same source IP%{}");
+
+ var select37 = linear_select([
+ part159,
+ part160,
+ part161,
+ part162,
+ part163,
+ ]);
+
+ var all32 = all_match({
+ processors: [
+ part158,
+ select37,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg93 = msg("00005:11", all32);
+
+ var part164 = match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshold value has been set to %{trigger_val->} on %{interface}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg94 = msg("00005:12", part164);
+
+ var part165 = match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg95 = msg("00005:13", part165);
+
+ var part166 = match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unknown mac!%{}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg96 = msg("00005:14", part166);
+
+ var part167 = match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold has been changed to %{trigger_val}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg97 = msg("00005:15", part167);
+
+ var part168 = match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg98 = msg("00005:16", part168);
+
+ var part169 = match("MESSAGE#97:00005:17/1_0", "nwparser.p0", "destination-based %{p0}");
+
+ var part170 = match("MESSAGE#97:00005:17/1_1", "nwparser.p0", "source-based %{p0}");
+
+ var select38 = linear_select([
+ part169,
+ part170,
+ ]);
+
+ var part171 = match("MESSAGE#97:00005:17/2", "nwparser.p0", "session-limit threshold has been set at %{trigger_val->} in zone %{zone}.");
+
+ var all33 = all_match({
+ processors: [
+ dup79,
+ select38,
+ part171,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg99 = msg("00005:17", all33);
+
+ var all34 = all_match({
+ processors: [
+ dup80,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup84,
+ dup2,
+ dup59,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg100 = msg("00005:18", all34);
+
+ var part172 = match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup84,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup59,
+ dup61,
+ ]));
+
+ var msg101 = msg("00005:19", part172);
+
+ var part173 = match("MESSAGE#100:00005:20", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} int %{interface}).%{space->} Occurred %{fld2->} times. (%{fld1})\u003c\u003c%{fld6}>", processor_chain([
+ dup84,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg102 = msg("00005:20", part173);
+
+ var select39 = linear_select([
+ msg82,
+ msg83,
+ msg84,
+ msg85,
+ msg86,
+ msg87,
+ msg88,
+ msg89,
+ msg90,
+ msg91,
+ msg92,
+ msg93,
+ msg94,
+ msg95,
+ msg96,
+ msg97,
+ msg98,
+ msg99,
+ msg100,
+ msg101,
+ msg102,
+ ]);
+
+ var part174 = match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup85,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup61,
+ ]));
+
+ var msg103 = msg("00006", part174);
+
+ var part175 = match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname}\"", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg104 = msg("00006:01", part175);
+
+ var part176 = match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg105 = msg("00006:02", part176);
+
+ var part177 = match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg106 = msg("00006:03", part177);
+
+ var part178 = match("MESSAGE#105:00006:04/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}");
+
+ var all35 = all_match({
+ processors: [
+ part178,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup84,
+ dup2,
+ dup59,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg107 = msg("00006:04", all35);
+
+ var all36 = all_match({
+ processors: [
+ dup64,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup84,
+ dup2,
+ dup59,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg108 = msg("00006:05", all36);
+
+ var select40 = linear_select([
+ msg103,
+ msg104,
+ msg105,
+ msg106,
+ msg107,
+ msg108,
+ ]);
+
+ var part179 = match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg109 = msg("00007", part179);
+
+ var part180 = match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the local NetScreen device has changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg110 = msg("00007:01", part180);
+
+ var part181 = match("MESSAGE#109:00007:02/0", "nwparser.payload", "HA state of the local device has changed to backup because a device with a %{p0}");
+
+ var part182 = match("MESSAGE#109:00007:02/1_0", "nwparser.p0", "higher priority has been detected%{}");
+
+ var part183 = match("MESSAGE#109:00007:02/1_1", "nwparser.p0", "lower MAC value has been detected%{}");
+
+ var select41 = linear_select([
+ part182,
+ part183,
+ ]);
+
+ var all37 = all_match({
+ processors: [
+ part181,
+ select41,
+ ],
+ on_success: processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg111 = msg("00007:02", all37);
+
+ var part184 = match("MESSAGE#110:00007:03", "nwparser.payload", "HA state of the local device has changed to init because IP tracking has failed%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg112 = msg("00007:03", part184);
+
+ var select42 = linear_select([
+ dup88,
+ dup89,
+ ]);
+
+ var part185 = match("MESSAGE#111:00007:04/4", "nwparser.p0", "has been changed%{}");
+
+ var all38 = all_match({
+ processors: [
+ dup87,
+ select42,
+ dup23,
+ dup344,
+ part185,
+ ],
+ on_success: processor_chain([
+ dup91,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg113 = msg("00007:04", all38);
+
+ var part186 = match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device has been elected backup because a master already exists%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg114 = msg("00007:05", part186);
+
+ var part187 = match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg115 = msg("00007:06", part187);
+
+ var part188 = match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg116 = msg("00007:07", part188);
+
+ var part189 = match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been elected master because no other master exists%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg117 = msg("00007:08", part189);
+
+ var part190 = match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has been changed to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg118 = msg("00007:09", part190);
+
+ var part191 = match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promoted the local NetScreen device to master%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg119 = msg("00007:10", part191);
+
+ var part192 = match("MESSAGE#118:00007:11/0", "nwparser.payload", "IP tracking device failover threshold has been %{p0}");
+
+ var select43 = linear_select([
+ dup92,
+ dup93,
+ ]);
+
+ var all39 = all_match({
+ processors: [
+ part192,
+ select43,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg120 = msg("00007:11", all39);
+
+ var part193 = match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg121 = msg("00007:12", part193);
+
+ var part194 = match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} with interval %{fld2->} threshold %{trigger_val->} weight %{fld4->} interface %{interface->} method %{fld5->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg122 = msg("00007:13", part194);
+
+ var part195 = match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup85,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup60,
+ ]));
+
+ var msg123 = msg("00007:14", part195);
+
+ var part196 = match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been changed to %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg124 = msg("00007:15", part196);
+
+ var part197 = match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration and status changes to NetScreen-Global Manager has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg125 = msg("00007:16", part197);
+
+ var part198 = match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg126 = msg("00007:17", part198);
+
+ var part199 = match("MESSAGE#125:00007:18/0", "nwparser.payload", "Tracked IP %{hostip->} options have been changed from int %{fld2->} thr %{fld3->} wgt %{fld4->} inf %{fld5->} %{p0}");
+
+ var part200 = match("MESSAGE#125:00007:18/1_0", "nwparser.p0", "ping %{p0}");
+
+ var part201 = match("MESSAGE#125:00007:18/1_1", "nwparser.p0", "ARP %{p0}");
+
+ var select44 = linear_select([
+ part200,
+ part201,
+ ]);
+
+ var part202 = match("MESSAGE#125:00007:18/2", "nwparser.p0", "to %{fld6->} %{p0}");
+
+ var part203 = match("MESSAGE#125:00007:18/3_0", "nwparser.p0", "ping%{}");
+
+ var part204 = match("MESSAGE#125:00007:18/3_1", "nwparser.p0", "ARP%{}");
+
+ var select45 = linear_select([
+ part203,
+ part204,
+ ]);
+
+ var all40 = all_match({
+ processors: [
+ part199,
+ select44,
+ part202,
+ select45,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg127 = msg("00007:18", all40);
+
+ var part205 = match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} path from %{change_old->} to %{change_new}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg128 = msg("00007:20", part205);
+
+ var part206 = match("MESSAGE#127:00007:21/0", "nwparser.payload", "HA Slave is %{p0}");
+
+ var all41 = all_match({
+ processors: [
+ part206,
+ dup345,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg129 = msg("00007:21", all41);
+
+ var part207 = match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{groupid}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg130 = msg("00007:22", part207);
+
+ var part208 = match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg131 = msg("00007:23", part208);
+
+ var part209 = match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg132 = msg("00007:24", part209);
+
+ var part210 = match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial state.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg133 = msg("00007:25", part210);
+
+ var part211 = match("MESSAGE#132:00007:26/0", "nwparser.payload", "HA: Change state to slave for %{p0}");
+
+ var part212 = match("MESSAGE#132:00007:26/1_0", "nwparser.p0", "tracking ip failed%{}");
+
+ var part213 = match("MESSAGE#132:00007:26/1_1", "nwparser.p0", "linkdown%{}");
+
+ var select46 = linear_select([
+ part212,
+ part213,
+ ]);
+
+ var all42 = all_match({
+ processors: [
+ part211,
+ select46,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg134 = msg("00007:26", all42);
+
+ var part214 = match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command issued from original master to change state%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg135 = msg("00007:27", part214);
+
+ var part215 = match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other master%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg136 = msg("00007:28", part215);
+
+ var part216 = match("MESSAGE#135:00007:29/0", "nwparser.payload", "HA: Elected slave %{p0}");
+
+ var part217 = match("MESSAGE#135:00007:29/1_0", "nwparser.p0", "lower priority%{}");
+
+ var part218 = match("MESSAGE#135:00007:29/1_1", "nwparser.p0", "MAC value is larger%{}");
+
+ var part219 = match("MESSAGE#135:00007:29/1_2", "nwparser.p0", "master already exists%{}");
+
+ var part220 = match("MESSAGE#135:00007:29/1_3", "nwparser.p0", "detect new master with higher priority%{}");
+
+ var part221 = match("MESSAGE#135:00007:29/1_4", "nwparser.p0", "detect new master with smaller MAC value%{}");
+
+ var select47 = linear_select([
+ part217,
+ part218,
+ part219,
+ part220,
+ part221,
+ ]);
+
+ var all43 = all_match({
+ processors: [
+ part216,
+ select47,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg137 = msg("00007:29", all43);
+
+ var part222 = match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command issued from original master to change state%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg138 = msg("00007:30", part222);
+
+ var part223 = match("MESSAGE#137:00007:31/0", "nwparser.payload", "HA: ha link %{p0}");
+
+ var all44 = all_match({
+ processors: [
+ part223,
+ dup345,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg139 = msg("00007:31", all44);
+
+ var part224 = match("MESSAGE#138:00007:32/0", "nwparser.payload", "NSRP %{fld2->} %{p0}");
+
+ var select48 = linear_select([
+ dup89,
+ dup88,
+ ]);
+
+ var part225 = match("MESSAGE#138:00007:32/4", "nwparser.p0", "changed.%{}");
+
+ var all45 = all_match({
+ processors: [
+ part224,
+ select48,
+ dup23,
+ dup344,
+ part225,
+ ],
+ on_success: processor_chain([
+ dup91,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg140 = msg("00007:32", all45);
+
+ var part226 = match("MESSAGE#139:00007:33/0_0", "nwparser.payload", "NSRP: VSD %{p0}");
+
+ var part227 = match("MESSAGE#139:00007:33/0_1", "nwparser.payload", "Virtual Security Device group %{p0}");
+
+ var select49 = linear_select([
+ part226,
+ part227,
+ ]);
+
+ var part228 = match("MESSAGE#139:00007:33/1", "nwparser.p0", "%{fld2->} change%{p0}");
+
+ var part229 = match("MESSAGE#139:00007:33/2_0", "nwparser.p0", "d %{p0}");
+
+ var select50 = linear_select([
+ part229,
+ dup96,
+ ]);
+
+ var part230 = match("MESSAGE#139:00007:33/3", "nwparser.p0", "to %{fld3->} mode.");
+
+ var all46 = all_match({
+ processors: [
+ select49,
+ part228,
+ select50,
+ part230,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg141 = msg("00007:33", all46);
+
+ var part231 = match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} dropped: invalid encryption password.", processor_chain([
+ dup97,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg142 = msg("00007:34", part231);
+
+ var part232 = match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change to %{interface}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg143 = msg("00007:35", part232);
+
+ var part233 = match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} local unit=%{fld3->} duplicate from unit=%{fld4}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg144 = msg("00007:36", part233);
+
+ var part234 = match("MESSAGE#143:00007:37/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} is %{p0}");
+
+ var all47 = all_match({
+ processors: [
+ part234,
+ dup346,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg145 = msg("00007:37", all47);
+
+ var part235 = match("MESSAGE#144:00007:38/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} peer=%{fld3->} from %{p0}");
+
+ var part236 = match("MESSAGE#144:00007:38/4", "nwparser.p0", "state %{p0}");
+
+ var part237 = match("MESSAGE#144:00007:38/5_0", "nwparser.p0", "missed heartbeat%{}");
+
+ var part238 = match("MESSAGE#144:00007:38/5_1", "nwparser.p0", "group detached%{}");
+
+ var select51 = linear_select([
+ part237,
+ part238,
+ ]);
+
+ var all48 = all_match({
+ processors: [
+ part235,
+ dup347,
+ dup103,
+ dup347,
+ part236,
+ select51,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg146 = msg("00007:38", all48);
+
+ var part239 = match("MESSAGE#145:00007:39/0", "nwparser.payload", "RTO mirror group id=%{groupid->} is %{p0}");
+
+ var all49 = all_match({
+ processors: [
+ part239,
+ dup346,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg147 = msg("00007:39", all49);
+
+ var part240 = match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (ifnum=%{fld3}) as secondary HA path", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg148 = msg("00007:40", part240);
+
+ var part241 = match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{fld2}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg149 = msg("00007:41", part241);
+
+ var part242 = match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fld2->} (ifnum=%{fld3})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg150 = msg("00007:42", part242);
+
+ var part243 = match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg151 = msg("00007:43", part243);
+
+ var part244 = match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is %{disposition->} total number=%{fld3}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg152 = msg("00007:44", part244);
+
+ var part245 = match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local unit %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg153 = msg("00007:45", part245);
+
+ var part246 = match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup85,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup60,
+ ]));
+
+ var msg154 = msg("00007:46", part246);
+
+ var part247 = match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to interface %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg155 = msg("00007:47", part247);
+
+ var part248 = match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped because it contained an invalid encryption password.", processor_chain([
+ dup97,
+ dup2,
+ dup3,
+ dup4,
+ setc("disposition","dropped"),
+ setc("result","Invalid encryption Password"),
+ ]));
+
+ var msg156 = msg("00007:48", part248);
+
+ var part249 = match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of all Virtual Security Device groups changed from %{change_old->} to %{change_new}", processor_chain([
+ setc("eventcategory","1604000000"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg157 = msg("00007:49", part249);
+
+ var part250 = match("MESSAGE#156:00007:50/0", "nwparser.payload", "Device %{fld2->} %{p0}");
+
+ var part251 = match("MESSAGE#156:00007:50/1_0", "nwparser.p0", "has joined %{p0}");
+
+ var part252 = match("MESSAGE#156:00007:50/1_1", "nwparser.p0", "quit current %{p0}");
+
+ var select52 = linear_select([
+ part251,
+ part252,
+ ]);
+
+ var part253 = match("MESSAGE#156:00007:50/2", "nwparser.p0", "NSRP cluster %{fld3}");
+
+ var all50 = all_match({
+ processors: [
+ part250,
+ select52,
+ part253,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg158 = msg("00007:50", all50);
+
+ var part254 = match("MESSAGE#157:00007:51/0", "nwparser.payload", "Virtual Security Device group %{group->} was %{p0}");
+
+ var part255 = match("MESSAGE#157:00007:51/1_1", "nwparser.p0", "deleted %{p0}");
+
+ var select53 = linear_select([
+ dup104,
+ part255,
+ ]);
+
+ var select54 = linear_select([
+ dup105,
+ dup73,
+ ]);
+
+ var part256 = match("MESSAGE#157:00007:51/4", "nwparser.p0", "The total number of members in the group %{p0}");
+
+ var select55 = linear_select([
+ dup106,
+ dup107,
+ ]);
+
+ var all51 = all_match({
+ processors: [
+ part254,
+ select53,
+ dup23,
+ select54,
+ part256,
+ select55,
+ dup108,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg159 = msg("00007:51", all51);
+
+ var part257 = match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group %{group->} %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg160 = msg("00007:52", part257);
+
+ var part258 = match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the devices was set to interface %{interface->} with ifnum %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg161 = msg("00007:53", part258);
+
+ var part259 = match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of the devices changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg162 = msg("00007:54", part259);
+
+ var part260 = match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} with ifnum %{fld2->} was removed from the secondary HA path of the devices.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg163 = msg("00007:55", part260);
+
+ var part261 = match("MESSAGE#162:00007:56", "nwparser.payload", "The probe that detects the status of High Availability link %{fld2->} was %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg164 = msg("00007:56", part261);
+
+ var select56 = linear_select([
+ dup109,
+ dup110,
+ ]);
+
+ var select57 = linear_select([
+ dup111,
+ dup112,
+ ]);
+
+ var part262 = match("MESSAGE#163:00007:57/4", "nwparser.p0", "the probe detecting the status of High Availability link %{fld2->} was set to %{fld3}");
+
+ var all52 = all_match({
+ processors: [
+ dup55,
+ select56,
+ dup23,
+ select57,
+ part262,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg165 = msg("00007:57", all52);
+
+ var part263 = match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} for session synchronization(s) was accepted.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg166 = msg("00007:58", part263);
+
+ var part264 = match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchronization by device %{fld2->} completed.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg167 = msg("00007:59", part264);
+
+ var part265 = match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group %{group->} direction was set to %{direction}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg168 = msg("00007:60", part265);
+
+ var part266 = match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group %{group->} was set.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg169 = msg("00007:61", part266);
+
+ var part267 = match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group %{group->} with direction %{direction->} was unset.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg170 = msg("00007:62", part267);
+
+ var part268 = match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} was unset.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg171 = msg("00007:63", part268);
+
+ var part269 = match("MESSAGE#170:00007:64/1", "nwparser.p0", "%{fld2->} was removed from the monitoring list %{p0}");
+
+ var part270 = match("MESSAGE#170:00007:64/3", "nwparser.p0", "%{fld3}");
+
+ var all53 = all_match({
+ processors: [
+ dup348,
+ part269,
+ dup349,
+ part270,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg172 = msg("00007:64", all53);
+
+ var part271 = match("MESSAGE#171:00007:65/1", "nwparser.p0", "%{fld2->} with weight %{fld3->} was added%{p0}");
+
+ var part272 = match("MESSAGE#171:00007:65/2_0", "nwparser.p0", " to or updated on %{p0}");
+
+ var part273 = match("MESSAGE#171:00007:65/2_1", "nwparser.p0", "/updated to %{p0}");
+
+ var select58 = linear_select([
+ part272,
+ part273,
+ ]);
+
+ var part274 = match("MESSAGE#171:00007:65/3", "nwparser.p0", "the monitoring list %{p0}");
+
+ var part275 = match("MESSAGE#171:00007:65/5", "nwparser.p0", "%{fld4}");
+
+ var all54 = all_match({
+ processors: [
+ dup348,
+ part271,
+ select58,
+ part274,
+ dup349,
+ part275,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg173 = msg("00007:65", all54);
+
+ var part276 = match("MESSAGE#172:00007:66/0_0", "nwparser.payload", "The monitoring %{p0}");
+
+ var part277 = match("MESSAGE#172:00007:66/0_1", "nwparser.payload", "Monitoring %{p0}");
+
+ var select59 = linear_select([
+ part276,
+ part277,
+ ]);
+
+ var part278 = match("MESSAGE#172:00007:66/1", "nwparser.p0", "threshold was modified to %{trigger_val->} o%{p0}");
+
+ var part279 = match("MESSAGE#172:00007:66/2_0", "nwparser.p0", "f %{p0}");
+
+ var select60 = linear_select([
+ part279,
+ dup115,
+ ]);
+
+ var all55 = all_match({
+ processors: [
+ select59,
+ part278,
+ select60,
+ dup108,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg174 = msg("00007:66", all55);
+
+ var part280 = match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg175 = msg("00007:67", part280);
+
+ var part281 = match("MESSAGE#174:00007:68/0", "nwparser.payload", "NSRP b%{p0}");
+
+ var part282 = match("MESSAGE#174:00007:68/1_0", "nwparser.p0", "lack %{p0}");
+
+ var part283 = match("MESSAGE#174:00007:68/1_1", "nwparser.p0", "ack %{p0}");
+
+ var select61 = linear_select([
+ part282,
+ part283,
+ ]);
+
+ var part284 = match("MESSAGE#174:00007:68/2", "nwparser.p0", "hole prevention %{disposition}. Master(s) of Virtual Security Device groups %{p0}");
+
+ var part285 = match("MESSAGE#174:00007:68/3_0", "nwparser.p0", "may not exist %{p0}");
+
+ var part286 = match("MESSAGE#174:00007:68/3_1", "nwparser.p0", "always exists %{p0}");
+
+ var select62 = linear_select([
+ part285,
+ part286,
+ ]);
+
+ var all56 = all_match({
+ processors: [
+ part281,
+ select61,
+ part284,
+ select62,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg176 = msg("00007:68", all56);
+
+ var part287 = match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchronization between devices was %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg177 = msg("00007:69", part287);
+
+ var part288 = match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was changed.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg178 = msg("00007:70", part288);
+
+ var part289 = match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Active mode was %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg179 = msg("00007:71", part289);
+
+ var part290 = match("MESSAGE#178:00007:72", "nwparser.payload", "NSRP: nsrp link probe enable on %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg180 = msg("00007:72", part290);
+
+ var select63 = linear_select([
+ msg109,
+ msg110,
+ msg111,
+ msg112,
+ msg113,
+ msg114,
+ msg115,
+ msg116,
+ msg117,
+ msg118,
+ msg119,
+ msg120,
+ msg121,
+ msg122,
+ msg123,
+ msg124,
+ msg125,
+ msg126,
+ msg127,
+ msg128,
+ msg129,
+ msg130,
+ msg131,
+ msg132,
+ msg133,
+ msg134,
+ msg135,
+ msg136,
+ msg137,
+ msg138,
+ msg139,
+ msg140,
+ msg141,
+ msg142,
+ msg143,
+ msg144,
+ msg145,
+ msg146,
+ msg147,
+ msg148,
+ msg149,
+ msg150,
+ msg151,
+ msg152,
+ msg153,
+ msg154,
+ msg155,
+ msg156,
+ msg157,
+ msg158,
+ msg159,
+ msg160,
+ msg161,
+ msg162,
+ msg163,
+ msg164,
+ msg165,
+ msg166,
+ msg167,
+ msg168,
+ msg169,
+ msg170,
+ msg171,
+ msg172,
+ msg173,
+ msg174,
+ msg175,
+ msg176,
+ msg177,
+ msg178,
+ msg179,
+ msg180,
+ ]);
+
+ var part291 = match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup61,
+ ]));
+
+ var msg181 = msg("00008", part291);
+
+ var msg182 = msg("00008:01", dup341);
+
+ var part292 = match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been changed%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg183 = msg("00008:02", part292);
+
+ var part293 = match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been updated through NTP%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg184 = msg("00008:03", part293);
+
+ var part294 = match("MESSAGE#183:00008:04/0", "nwparser.payload", "System clock %{p0}");
+
+ var part295 = match("MESSAGE#183:00008:04/1_0", "nwparser.p0", "configurations have been%{p0}");
+
+ var part296 = match("MESSAGE#183:00008:04/1_1", "nwparser.p0", "was%{p0}");
+
+ var part297 = match("MESSAGE#183:00008:04/1_2", "nwparser.p0", "is%{p0}");
+
+ var select64 = linear_select([
+ part295,
+ part296,
+ part297,
+ ]);
+
+ var part298 = match("MESSAGE#183:00008:04/2", "nwparser.p0", "%{}changed%{p0}");
+
+ var part299 = match("MESSAGE#183:00008:04/3_0", "nwparser.p0", " by admin %{administrator}");
+
+ var part300 = match("MESSAGE#183:00008:04/3_1", "nwparser.p0", " by %{username->} (%{fld1})");
+
+ var part301 = match("MESSAGE#183:00008:04/3_2", "nwparser.p0", " by %{username}");
+
+ var part302 = match("MESSAGE#183:00008:04/3_3", "nwparser.p0", " manually.%{}");
+
+ var part303 = match("MESSAGE#183:00008:04/3_4", "nwparser.p0", " manually%{}");
+
+ var select65 = linear_select([
+ part299,
+ part300,
+ part301,
+ part302,
+ part303,
+ dup21,
+ ]);
+
+ var all57 = all_match({
+ processors: [
+ part294,
+ select64,
+ part298,
+ select65,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg185 = msg("00008:04", all57);
+
+ var part304 = match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg186 = msg("00008:05", part304);
+
+ var part305 = match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup59,
+ dup61,
+ ]));
+
+ var msg187 = msg("00008:06", part305);
+
+ var part306 = match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup59,
+ dup60,
+ ]));
+
+ var msg188 = msg("00008:07", part306);
+
+ var part307 = match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup59,
+ dup60,
+ ]));
+
+ var msg189 = msg("00008:08", part307);
+
+ var part308 = match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manually%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg190 = msg("00008:09", part308);
+
+ var part309 = match("MESSAGE#189:00008:10/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol}(zone %{p0}");
+
+ var all58 = all_match({
+ processors: [
+ part309,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ dup60,
+ ]),
+ });
+
+ var msg191 = msg("00008:10", all58);
+
+ var select66 = linear_select([
+ msg181,
+ msg182,
+ msg183,
+ msg184,
+ msg185,
+ msg186,
+ msg187,
+ msg188,
+ msg189,
+ msg190,
+ msg191,
+ ]);
+
+ var part310 = match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the interface %{interface->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg192 = msg("00009", part310);
+
+ var part311 = match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg193 = msg("00009:01", part311);
+
+ var part312 = match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{interface->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg194 = msg("00009:02", part312);
+
+ var part313 = match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for interface %{interface->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg195 = msg("00009:03", part313);
+
+ var part314 = match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg196 = msg("00009:05", part314);
+
+ var part315 = match("MESSAGE#195:00009:06/0_0", "nwparser.payload", "%{fld2}: The 802.1Q tag %{p0}");
+
+ var part316 = match("MESSAGE#195:00009:06/0_1", "nwparser.payload", "The 802.1Q tag %{p0}");
+
+ var select67 = linear_select([
+ part315,
+ part316,
+ ]);
+
+ var select68 = linear_select([
+ dup119,
+ dup16,
+ ]);
+
+ var part317 = match("MESSAGE#195:00009:06/3", "nwparser.p0", "interface %{interface->} has been %{p0}");
+
+ var part318 = match("MESSAGE#195:00009:06/4_1", "nwparser.p0", "changed to %{p0}");
+
+ var select69 = linear_select([
+ dup120,
+ part318,
+ ]);
+
+ var part319 = match("MESSAGE#195:00009:06/6_0", "nwparser.p0", "%{info->} from host %{saddr}");
+
+ var part320 = match_copy("MESSAGE#195:00009:06/6_1", "nwparser.p0", "info");
+
+ var select70 = linear_select([
+ part319,
+ part320,
+ ]);
+
+ var all59 = all_match({
+ processors: [
+ select67,
+ dup118,
+ select68,
+ part317,
+ select69,
+ dup23,
+ select70,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg197 = msg("00009:06", all59);
+
+ var part321 = match("MESSAGE#196:00009:07/0", "nwparser.payload", "Maximum bandwidth %{fld2->} on %{p0}");
+
+ var part322 = match("MESSAGE#196:00009:07/2", "nwparser.p0", "%{} %{interface->} is less than t%{p0}");
+
+ var part323 = match("MESSAGE#196:00009:07/3_0", "nwparser.p0", "he total %{p0}");
+
+ var part324 = match("MESSAGE#196:00009:07/3_1", "nwparser.p0", "otal %{p0}");
+
+ var select71 = linear_select([
+ part323,
+ part324,
+ ]);
+
+ var part325 = match("MESSAGE#196:00009:07/4", "nwparser.p0", "guaranteed bandwidth %{fld3}");
+
+ var all60 = all_match({
+ processors: [
+ part321,
+ dup337,
+ part322,
+ select71,
+ part325,
+ ],
+ on_success: processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg198 = msg("00009:07", all60);
+
+ var part326 = match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth setting on the interface %{interface->} has been changed to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg199 = msg("00009:09", part326);
+
+ var part327 = match("MESSAGE#198:00009:10/0", "nwparser.payload", "The operational mode for the interface %{interface->} has been changed to %{p0}");
+
+ var part328 = match("MESSAGE#198:00009:10/1_0", "nwparser.p0", "Route%{}");
+
+ var part329 = match("MESSAGE#198:00009:10/1_1", "nwparser.p0", "NAT%{}");
+
+ var select72 = linear_select([
+ part328,
+ part329,
+ ]);
+
+ var all61 = all_match({
+ processors: [
+ part327,
+ select72,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg200 = msg("00009:10", all61);
+
+ var part330 = match("MESSAGE#199:00009:11/0_0", "nwparser.payload", "%{fld1}: VLAN %{p0}");
+
+ var part331 = match("MESSAGE#199:00009:11/0_1", "nwparser.payload", "VLAN %{p0}");
+
+ var select73 = linear_select([
+ part330,
+ part331,
+ ]);
+
+ var part332 = match("MESSAGE#199:00009:11/1", "nwparser.p0", "tag %{fld2->} has been %{disposition}");
+
+ var all62 = all_match({
+ processors: [
+ select73,
+ part332,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg201 = msg("00009:11", all62);
+
+ var part333 = match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{disposition->} on interface %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg202 = msg("00009:12", part333);
+
+ var part334 = match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on %{interface->} have been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg203 = msg("00009:13", part334);
+
+ var part335 = match("MESSAGE#202:00009:14/0_0", "nwparser.payload", "Global-PRO has been %{p0}");
+
+ var part336 = match("MESSAGE#202:00009:14/0_1", "nwparser.payload", "Global PRO has been %{p0}");
+
+ var part337 = match("MESSAGE#202:00009:14/0_2", "nwparser.payload", "DNS proxy was %{p0}");
+
+ var select74 = linear_select([
+ part335,
+ part336,
+ part337,
+ ]);
+
+ var part338 = match("MESSAGE#202:00009:14/1", "nwparser.p0", "%{disposition->} on %{p0}");
+
+ var select75 = linear_select([
+ dup122,
+ dup123,
+ ]);
+
+ var part339 = match("MESSAGE#202:00009:14/4_0", "nwparser.p0", "%{interface->} (%{fld2})");
+
+ var select76 = linear_select([
+ part339,
+ dup124,
+ ]);
+
+ var all63 = all_match({
+ processors: [
+ select74,
+ part338,
+ select75,
+ dup23,
+ select76,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg204 = msg("00009:14", all63);
+
+ var part340 = match("MESSAGE#203:00009:15/0", "nwparser.payload", "Route between secondary IP%{p0}");
+
+ var part341 = match("MESSAGE#203:00009:15/1_0", "nwparser.p0", " addresses %{p0}");
+
+ var select77 = linear_select([
+ part341,
+ dup125,
+ ]);
+
+ var all64 = all_match({
+ processors: [
+ part340,
+ select77,
+ dup126,
+ dup350,
+ dup128,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg205 = msg("00009:15", all64);
+
+ var part342 = match("MESSAGE#204:00009:16/0", "nwparser.payload", "Secondary IP address %{hostip}/%{mask->} %{p0}");
+
+ var part343 = match("MESSAGE#204:00009:16/3_2", "nwparser.p0", "deleted from %{p0}");
+
+ var select78 = linear_select([
+ dup129,
+ dup130,
+ part343,
+ ]);
+
+ var part344 = match("MESSAGE#204:00009:16/4", "nwparser.p0", "interface %{interface}.");
+
+ var all65 = all_match({
+ processors: [
+ part342,
+ dup350,
+ dup23,
+ select78,
+ part344,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg206 = msg("00009:16", all65);
+
+ var part345 = match("MESSAGE#205:00009:17/0", "nwparser.payload", "Secondary IP address %{p0}");
+
+ var part346 = match("MESSAGE#205:00009:17/1_0", "nwparser.p0", "%{hostip}/%{mask->} was added to interface %{p0}");
+
+ var part347 = match("MESSAGE#205:00009:17/1_1", "nwparser.p0", "%{hostip->} was added to interface %{p0}");
+
+ var select79 = linear_select([
+ part346,
+ part347,
+ ]);
+
+ var part348 = match("MESSAGE#205:00009:17/2", "nwparser.p0", "%{interface}.");
+
+ var all66 = all_match({
+ processors: [
+ part345,
+ select79,
+ part348,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg207 = msg("00009:17", all66);
+
+ var part349 = match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on the interface %{interface->} has been changed to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg208 = msg("00009:18", part349);
+
+ var part350 = match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg209 = msg("00009:19", part350);
+
+ var part351 = match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg210 = msg("00009:27", part351);
+
+ var part352 = match("MESSAGE#209:00009:20/0_0", "nwparser.payload", "%{fld2}: %{service->} has been %{p0}");
+
+ var part353 = match("MESSAGE#209:00009:20/0_1", "nwparser.payload", "%{service->} has been %{p0}");
+
+ var select80 = linear_select([
+ part352,
+ part353,
+ ]);
+
+ var part354 = match("MESSAGE#209:00009:20/1", "nwparser.p0", "%{disposition->} on interface %{interface->} %{p0}");
+
+ var part355 = match("MESSAGE#209:00009:20/2_0", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}");
+
+ var part356 = match("MESSAGE#209:00009:20/2_1", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}:%{sport}");
+
+ var part357 = match("MESSAGE#209:00009:20/2_2", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}");
+
+ var part358 = match("MESSAGE#209:00009:20/2_3", "nwparser.p0", "from host %{saddr->} (%{fld1})");
+
+ var select81 = linear_select([
+ part355,
+ part356,
+ part357,
+ part358,
+ ]);
+
+ var all67 = all_match({
+ processors: [
+ select80,
+ part354,
+ select81,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg211 = msg("00009:20", all67);
+
+ var part359 = match("MESSAGE#210:00009:21/0", "nwparser.payload", "Source Route IP option! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var all68 = all_match({
+ processors: [
+ part359,
+ dup343,
+ dup131,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ dup60,
+ ]),
+ });
+
+ var msg212 = msg("00009:21", all68);
+
+ var part360 = match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface->} has been changed to %{fld2->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg213 = msg("00009:22", part360);
+
+ var part361 = match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip->} has been added to interface %{interface->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg214 = msg("00009:23", part361);
+
+ var part362 = match("MESSAGE#213:00009:24/0", "nwparser.payload", "Web has been enabled on interface %{interface->} by admin %{administrator->} via %{p0}");
+
+ var part363 = match("MESSAGE#213:00009:24/1_0", "nwparser.p0", "%{logon_type->} %{space}(%{p0}");
+
+ var part364 = match("MESSAGE#213:00009:24/1_1", "nwparser.p0", "%{logon_type}. (%{p0}");
+
+ var select82 = linear_select([
+ part363,
+ part364,
+ ]);
+
+ var part365 = match("MESSAGE#213:00009:24/2", "nwparser.p0", ")%{fld1}");
+
+ var all69 = all_match({
+ processors: [
+ part362,
+ select82,
+ part365,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg215 = msg("00009:24", all69);
+
+ var part366 = match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on interface %{interface->} by %{username->} via %{logon_type}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg216 = msg("00009:25", part366);
+
+ var part367 = match("MESSAGE#215:00009:26/0", "nwparser.payload", "%{protocol->} has been %{disposition->} on interface %{interface->} by %{username->} via NSRP Peer . %{p0}");
+
+ var all70 = all_match({
+ processors: [
+ part367,
+ dup333,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg217 = msg("00009:26", all70);
+
+ var select83 = linear_select([
+ msg192,
+ msg193,
+ msg194,
+ msg195,
+ msg196,
+ msg197,
+ msg198,
+ msg199,
+ msg200,
+ msg201,
+ msg202,
+ msg203,
+ msg204,
+ msg205,
+ msg206,
+ msg207,
+ msg208,
+ msg209,
+ msg210,
+ msg211,
+ msg212,
+ msg213,
+ msg214,
+ msg215,
+ msg216,
+ msg217,
+ ]);
+
+ var part368 = match("MESSAGE#216:00010/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} %{p0}");
+
+ var part369 = match("MESSAGE#216:00010/1_0", "nwparser.p0", "using protocol %{p0}");
+
+ var part370 = match("MESSAGE#216:00010/1_1", "nwparser.p0", "proto %{p0}");
+
+ var select84 = linear_select([
+ part369,
+ part370,
+ ]);
+
+ var part371 = match("MESSAGE#216:00010/2", "nwparser.p0", "%{protocol->} %{p0}");
+
+ var part372 = match("MESSAGE#216:00010/3_0", "nwparser.p0", "( zone %{zone}, int %{interface}) %{p0}");
+
+ var part373 = match("MESSAGE#216:00010/3_1", "nwparser.p0", "zone %{zone->} int %{interface}) %{p0}");
+
+ var select85 = linear_select([
+ part372,
+ part373,
+ dup126,
+ ]);
+
+ var part374 = match("MESSAGE#216:00010/4", "nwparser.p0", ".%{space}The attack occurred %{dclass_counter1->} times%{p0}");
+
+ var all71 = all_match({
+ processors: [
+ part368,
+ select84,
+ part371,
+ select85,
+ part374,
+ dup351,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup59,
+ dup5,
+ dup9,
+ dup3,
+ dup61,
+ ]),
+ });
+
+ var msg218 = msg("00010", all71);
+
+ var part375 = match("MESSAGE#217:00010:01", "nwparser.payload", "MIP %{hostip}/%{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg219 = msg("00010:01", part375);
+
+ var part376 = match("MESSAGE#218:00010:02", "nwparser.payload", "Mapped IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg220 = msg("00010:02", part376);
+
+ var all72 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup4,
+ dup5,
+ dup9,
+ dup3,
+ dup60,
+ ]),
+ });
+
+ var msg221 = msg("00010:03", all72);
+
+ var select86 = linear_select([
+ msg218,
+ msg219,
+ msg220,
+ msg221,
+ ]);
+
+ var part377 = match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg222 = msg("00011", part377);
+
+ var part378 = match("MESSAGE#221:00011:01/0", "nwparser.payload", "Route to %{daddr}/%{fld2->} [ %{p0}");
+
+ var select87 = linear_select([
+ dup57,
+ dup56,
+ ]);
+
+ var part379 = match("MESSAGE#221:00011:01/2", "nwparser.p0", "%{} %{interface->} gateway %{fld3->} ] has been %{disposition}");
+
+ var all73 = all_match({
+ processors: [
+ part378,
+ select87,
+ part379,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg223 = msg("00011:01", all73);
+
+ var part380 = match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} to %{daddr->} protocol %{protocol->} (%{fld2})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg224 = msg("00011:02", part380);
+
+ var part381 = match("MESSAGE#223:00011:03/0", "nwparser.payload", "An %{p0}");
+
+ var part382 = match("MESSAGE#223:00011:03/1_0", "nwparser.p0", "import %{p0}");
+
+ var part383 = match("MESSAGE#223:00011:03/1_1", "nwparser.p0", "export %{p0}");
+
+ var select88 = linear_select([
+ part382,
+ part383,
+ ]);
+
+ var part384 = match("MESSAGE#223:00011:03/2", "nwparser.p0", "rule in virtual router %{node->} to virtual router %{fld4->} with %{p0}");
+
+ var part385 = match("MESSAGE#223:00011:03/3_0", "nwparser.p0", "route-map %{fld3->} and protocol %{protocol->} has been %{p0}");
+
+ var part386 = match("MESSAGE#223:00011:03/3_1", "nwparser.p0", "IP-prefix %{hostip}/%{interface->} has been %{p0}");
+
+ var select89 = linear_select([
+ part385,
+ part386,
+ ]);
+
+ var all74 = all_match({
+ processors: [
+ part381,
+ select88,
+ part384,
+ select89,
+ dup36,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg225 = msg("00011:03", all74);
+
+ var part387 = match("MESSAGE#224:00011:04/0", "nwparser.payload", "A route in virtual router %{node->} that has IP address %{hostip}/%{fld2->} through %{p0}");
+
+ var part388 = match("MESSAGE#224:00011:04/2", "nwparser.p0", "%{interface->} and gateway %{fld3->} with metric %{fld4->} has been %{disposition}");
+
+ var all75 = all_match({
+ processors: [
+ part387,
+ dup352,
+ part388,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg226 = msg("00011:04", all75);
+
+ var part389 = match("MESSAGE#225:00011:05/1_0", "nwparser.p0", "sharable virtual router using name%{p0}");
+
+ var part390 = match("MESSAGE#225:00011:05/1_1", "nwparser.p0", "virtual router with name%{p0}");
+
+ var select90 = linear_select([
+ part389,
+ part390,
+ ]);
+
+ var part391 = match("MESSAGE#225:00011:05/2", "nwparser.p0", "%{} %{node->} and id %{fld2->} has been %{disposition}");
+
+ var all76 = all_match({
+ processors: [
+ dup79,
+ select90,
+ part391,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg227 = msg("00011:05", all76);
+
+ var part392 = match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup5,
+ dup59,
+ dup3,
+ dup60,
+ ]));
+
+ var msg228 = msg("00011:07", part392);
+
+ var part393 = match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{node->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg229 = msg("00011:08", part393);
+
+ var part394 = match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature in virtual router %{node->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg230 = msg("00011:09", part394);
+
+ var part395 = match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes that can be created in virtual router %{node->} is %{fld2}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg231 = msg("00011:10", part395);
+
+ var part396 = match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in virtual router %{node->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg232 = msg("00011:11", part396);
+
+ var part397 = match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual router %{node->} used by OSPF BGP routing instances id has been uninitialized", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg233 = msg("00011:12", part397);
+
+ var part398 = match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be used by OSPF BGP routing instances in virtual router %{node->} has been set to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg234 = msg("00011:13", part398);
+
+ var part399 = match("MESSAGE#233:00011:14/0", "nwparser.payload", "The routing preference for protocol %{protocol->} in virtual router %{node->} has been %{p0}");
+
+ var part400 = match("MESSAGE#233:00011:14/1_1", "nwparser.p0", "reset%{}");
+
+ var select91 = linear_select([
+ dup134,
+ part400,
+ ]);
+
+ var all77 = all_match({
+ processors: [
+ part399,
+ select91,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg235 = msg("00011:14", all77);
+
+ var part401 = match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in virtual router %{node->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg236 = msg("00011:15", part401);
+
+ var part402 = match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route through virtual router %{node->} has been added in virtual router %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg237 = msg("00011:16", part402);
+
+ var part403 = match("MESSAGE#236:00011:17/0", "nwparser.payload", "The virtual router %{node->} has been made %{p0}");
+
+ var part404 = match("MESSAGE#236:00011:17/1_0", "nwparser.p0", "sharable%{}");
+
+ var part405 = match("MESSAGE#236:00011:17/1_1", "nwparser.p0", "unsharable%{}");
+
+ var part406 = match("MESSAGE#236:00011:17/1_2", "nwparser.p0", "default virtual router for virtual system %{fld2}");
+
+ var select92 = linear_select([
+ part404,
+ part405,
+ part406,
+ ]);
+
+ var all78 = all_match({
+ processors: [
+ part403,
+ select92,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg238 = msg("00011:17", all78);
+
+ var part407 = match("MESSAGE#237:00011:18/0_0", "nwparser.payload", "Source route(s) %{p0}");
+
+ var part408 = match("MESSAGE#237:00011:18/0_1", "nwparser.payload", "A source route %{p0}");
+
+ var select93 = linear_select([
+ part407,
+ part408,
+ ]);
+
+ var part409 = match("MESSAGE#237:00011:18/1", "nwparser.p0", "in virtual router %{node->} %{p0}");
+
+ var part410 = match("MESSAGE#237:00011:18/2_0", "nwparser.p0", "with route addresses of %{p0}");
+
+ var part411 = match("MESSAGE#237:00011:18/2_1", "nwparser.p0", "that has IP address %{p0}");
+
+ var select94 = linear_select([
+ part410,
+ part411,
+ ]);
+
+ var part412 = match("MESSAGE#237:00011:18/3", "nwparser.p0", "%{hostip}/%{fld2->} through interface %{interface->} and %{p0}");
+
+ var part413 = match("MESSAGE#237:00011:18/4_0", "nwparser.p0", "a default gateway address %{p0}");
+
+ var select95 = linear_select([
+ part413,
+ dup135,
+ ]);
+
+ var part414 = match("MESSAGE#237:00011:18/5", "nwparser.p0", "%{fld3->} with metric %{fld4->} %{p0}");
+
+ var all79 = all_match({
+ processors: [
+ select93,
+ part409,
+ select94,
+ part412,
+ select95,
+ part414,
+ dup350,
+ dup128,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg239 = msg("00011:18", all79);
+
+ var part415 = match("MESSAGE#238:00011:19/0", "nwparser.payload", "Source Route(s) in virtual router %{node->} with %{p0}");
+
+ var part416 = match("MESSAGE#238:00011:19/1_0", "nwparser.p0", "route addresses of %{p0}");
+
+ var part417 = match("MESSAGE#238:00011:19/1_1", "nwparser.p0", "an IP address %{p0}");
+
+ var select96 = linear_select([
+ part416,
+ part417,
+ ]);
+
+ var part418 = match("MESSAGE#238:00011:19/2", "nwparser.p0", "%{hostip}/%{fld3->} and %{p0}");
+
+ var part419 = match("MESSAGE#238:00011:19/3_0", "nwparser.p0", "a default gateway address of %{p0}");
+
+ var select97 = linear_select([
+ part419,
+ dup135,
+ ]);
+
+ var part420 = match("MESSAGE#238:00011:19/4", "nwparser.p0", "%{fld4->} %{p0}");
+
+ var part421 = match("MESSAGE#238:00011:19/5_1", "nwparser.p0", "has been%{p0}");
+
+ var select98 = linear_select([
+ dup107,
+ part421,
+ ]);
+
+ var all80 = all_match({
+ processors: [
+ part415,
+ select96,
+ part418,
+ select97,
+ part420,
+ select98,
+ dup136,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg240 = msg("00011:19", all80);
+
+ var part422 = match("MESSAGE#239:00011:20/0_0", "nwparser.payload", "%{fld2}: A %{p0}");
+
+ var select99 = linear_select([
+ part422,
+ dup79,
+ ]);
+
+ var part423 = match("MESSAGE#239:00011:20/1", "nwparser.p0", "route has been created in virtual router \"%{node}\"%{space}with an IP address %{hostip->} and next-hop as virtual router \"%{fld3}\"");
+
+ var all81 = all_match({
+ processors: [
+ select99,
+ part423,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg241 = msg("00011:20", all81);
+
+ var part424 = match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual router %{node->} for interface %{interface->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg242 = msg("00011:21", part424);
+
+ var part425 = match("MESSAGE#241:00011:22", "nwparser.payload", "SIBR route in virtual router %{node->} for interface %{interface->} that has IP address %{hostip->} through interface %{fld3->} and gateway %{fld4->} with metric %{fld5->} was %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg243 = msg("00011:22", part425);
+
+ var all82 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup131,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$IN"),
+ field("saddr"),
+ field("daddr"),
+ ],
+ }),
+ ]),
+ });
+
+ var msg244 = msg("00011:23", all82);
+
+ var part426 = match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{node}\" that has IP address %{hostip->} through interface %{interface->} and gateway %{fld2->} with metric %{fld3->} %{disposition}. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg245 = msg("00011:24", part426);
+
+ var part427 = match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \"%{node}\" with an IP address %{hostip}/%{fld2->} and gateway %{fld3->} %{disposition}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg246 = msg("00011:25", part427);
+
+ var part428 = match("MESSAGE#245:00011:26", "nwparser.payload", "Route in virtual router \"%{node}\" with IP address %{hostip}/%{fld2->} and next-hop as virtual router \"%{fld3}\" created. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg247 = msg("00011:26", part428);
+
+ var select100 = linear_select([
+ msg222,
+ msg223,
+ msg224,
+ msg225,
+ msg226,
+ msg227,
+ msg228,
+ msg229,
+ msg230,
+ msg231,
+ msg232,
+ msg233,
+ msg234,
+ msg235,
+ msg236,
+ msg237,
+ msg238,
+ msg239,
+ msg240,
+ msg241,
+ msg242,
+ msg243,
+ msg244,
+ msg245,
+ msg246,
+ msg247,
+ ]);
+
+ var part429 = match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comments have been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg248 = msg("00012:02", part429);
+
+ var part430 = match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} %{change_attribute->} has been changed to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg249 = msg("00012:03", part430);
+
+ var part431 = match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{group->} has %{disposition->} member %{username->} from host %{saddr}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg250 = msg("00012:04", part431);
+
+ var part432 = match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2}) (%{fld3})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg251 = msg("00012:05", part432);
+
+ var part433 = match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup59,
+ dup61,
+ ]));
+
+ var msg252 = msg("00012:06", part433);
+
+ var part434 = match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ dup59,
+ ]));
+
+ var msg253 = msg("00012:07", part434);
+
+ var part435 = match("MESSAGE#252:00012:08", "nwparser.payload", "%{fld2}: Service %{service->} has been %{disposition->} from host %{saddr->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg254 = msg("00012:08", part435);
+
+ var all83 = all_match({
+ processors: [
+ dup80,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg255 = msg("00012:09", all83);
+
+ var all84 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup9,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg256 = msg("00012:10", all84);
+
+ var part436 = match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup9,
+ dup61,
+ ]));
+
+ var msg257 = msg("00012:11", part436);
+
+ var part437 = match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{zone}) %{info->} (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg258 = msg("00012:12", part437);
+
+ var part438 = match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg259 = msg("00012", part438);
+
+ var part439 = match("MESSAGE#258:00012:01", "nwparser.payload", "Service %{service->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg260 = msg("00012:01", part439);
+
+ var select101 = linear_select([
+ msg248,
+ msg249,
+ msg250,
+ msg251,
+ msg252,
+ msg253,
+ msg254,
+ msg255,
+ msg256,
+ msg257,
+ msg258,
+ msg259,
+ msg260,
+ ]);
+
+ var part440 = match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding bytes has been detected%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg261 = msg("00013", part440);
+
+ var part441 = match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to connect to the NetScreen-Global Manager port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ setc("signame","An Attempt to connect to NetScreen-Global Manager Port."),
+ ]));
+
+ var msg262 = msg("00013:01", part441);
+
+ var part442 = match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has been changed to %{fld3}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg263 = msg("00013:02", part442);
+
+ var part443 = match("MESSAGE#262:00013:03", "nwparser.payload", "Web Filtering has been %{disposition->} (%{fld1})", processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg264 = msg("00013:03", part443);
+
+ var select102 = linear_select([
+ msg261,
+ msg262,
+ msg263,
+ msg264,
+ ]);
+
+ var part444 = match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes has changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg265 = msg("00014", part444);
+
+ var part445 = match("MESSAGE#264:00014:01/0", "nwparser.payload", "The group member %{username->} has been %{disposition->} %{p0}");
+
+ var part446 = match("MESSAGE#264:00014:01/1_0", "nwparser.p0", "to a group%{}");
+
+ var part447 = match("MESSAGE#264:00014:01/1_1", "nwparser.p0", "from a group%{}");
+
+ var select103 = linear_select([
+ part446,
+ part447,
+ ]);
+
+ var all85 = all_match({
+ processors: [
+ part445,
+ select103,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg266 = msg("00014:01", all85);
+
+ var part448 = match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has been %{disposition->} by %{username}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg267 = msg("00014:02", part448);
+
+ var part449 = match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has been %{disposition->} by %{administrator}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg268 = msg("00014:03", part449);
+
+ var part450 = match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{hostname->} server { %{hostip->} }: SrvErr (%{fld2}), SockErr (%{fld3}), Valid (%{fld4}),Connected (%{fld5})", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg269 = msg("00014:04", part450);
+
+ var part451 = match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations have been %{disposition->} by admin %{administrator}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg270 = msg("00014:05", part451);
+
+ var part452 = match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition->} manually.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg271 = msg("00014:06", part452);
+
+ var part453 = match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{disposition->} by %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg272 = msg("00014:07", part453);
+
+ var part454 = match("MESSAGE#271:00014:08", "nwparser.payload", "Communication error with %{hostname->} server[%{hostip}]: SrvErr(%{fld2}),SockErr(%{fld3}),Valid(%{fld4}),Connected(%{fld5}) (%{fld1})", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg273 = msg("00014:08", part454);
+
+ var select104 = linear_select([
+ msg265,
+ msg266,
+ msg267,
+ msg268,
+ msg269,
+ msg270,
+ msg271,
+ msg272,
+ msg273,
+ ]);
+
+ var part455 = match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been changed to %{authmethod}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg274 = msg("00015", part455);
+
+ var part456 = match("MESSAGE#273:00015:01", "nwparser.payload", "IP tracking to %{daddr->} has %{disposition}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg275 = msg("00015:01", part456);
+
+ var part457 = match("MESSAGE#274:00015:02/0", "nwparser.payload", "LDAP %{p0}");
+
+ var part458 = match("MESSAGE#274:00015:02/1_0", "nwparser.p0", "server name %{p0}");
+
+ var part459 = match("MESSAGE#274:00015:02/1_2", "nwparser.p0", "distinguished name %{p0}");
+
+ var part460 = match("MESSAGE#274:00015:02/1_3", "nwparser.p0", "common name %{p0}");
+
+ var select105 = linear_select([
+ part458,
+ dup137,
+ part459,
+ part460,
+ ]);
+
+ var all86 = all_match({
+ processors: [
+ part457,
+ select105,
+ dup138,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg276 = msg("00015:02", all86);
+
+ var part461 = match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg277 = msg("00015:03", part461);
+
+ var part462 = match("MESSAGE#276:00015:04/0", "nwparser.payload", "RADIUS server %{p0}");
+
+ var part463 = match("MESSAGE#276:00015:04/1_2", "nwparser.p0", "secret %{p0}");
+
+ var select106 = linear_select([
+ dup139,
+ dup140,
+ part463,
+ ]);
+
+ var all87 = all_match({
+ processors: [
+ part462,
+ select106,
+ dup138,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg278 = msg("00015:04", all87);
+
+ var part464 = match("MESSAGE#277:00015:05/0", "nwparser.payload", "SecurID %{p0}");
+
+ var part465 = match("MESSAGE#277:00015:05/1_0", "nwparser.p0", "authentication port %{p0}");
+
+ var part466 = match("MESSAGE#277:00015:05/1_1", "nwparser.p0", "duress mode %{p0}");
+
+ var part467 = match("MESSAGE#277:00015:05/1_3", "nwparser.p0", "number of retries value %{p0}");
+
+ var select107 = linear_select([
+ part465,
+ part466,
+ dup76,
+ part467,
+ ]);
+
+ var all88 = all_match({
+ processors: [
+ part464,
+ select107,
+ dup138,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg279 = msg("00015:05", all88);
+
+ var part468 = match("MESSAGE#278:00015:06/0_0", "nwparser.payload", "Master %{p0}");
+
+ var part469 = match("MESSAGE#278:00015:06/0_1", "nwparser.payload", "Backup %{p0}");
+
+ var select108 = linear_select([
+ part468,
+ part469,
+ ]);
+
+ var part470 = match("MESSAGE#278:00015:06/1", "nwparser.p0", "SecurID server IP address has been %{disposition}");
+
+ var all89 = all_match({
+ processors: [
+ select108,
+ part470,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg280 = msg("00015:06", all89);
+
+ var part471 = match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to master%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg281 = msg("00015:07", part471);
+
+ var part472 = match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration between master and slave%{}", processor_chain([
+ dup141,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg282 = msg("00015:08", part472);
+
+ var part473 = match("MESSAGE#281:00015:09/0_0", "nwparser.payload", "configuration %{p0}");
+
+ var part474 = match("MESSAGE#281:00015:09/0_1", "nwparser.payload", "Configuration %{p0}");
+
+ var select109 = linear_select([
+ part473,
+ part474,
+ ]);
+
+ var part475 = match("MESSAGE#281:00015:09/1", "nwparser.p0", "out of sync between local unit and remote unit%{}");
+
+ var all90 = all_match({
+ processors: [
+ select109,
+ part475,
+ ],
+ on_success: processor_chain([
+ dup141,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg283 = msg("00015:09", all90);
+
+ var part476 = match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg284 = msg("00015:10", part476);
+
+ var part477 = match("MESSAGE#283:00015:11", "nwparser.payload", "HA data channel change to %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg285 = msg("00015:11", part477);
+
+ var part478 = match("MESSAGE#284:00015:12/1_0", "nwparser.p0", "control %{p0}");
+
+ var part479 = match("MESSAGE#284:00015:12/1_1", "nwparser.p0", "data %{p0}");
+
+ var select110 = linear_select([
+ part478,
+ part479,
+ ]);
+
+ var part480 = match("MESSAGE#284:00015:12/2", "nwparser.p0", "channel moved from link %{p0}");
+
+ var part481 = match("MESSAGE#284:00015:12/6", "nwparser.p0", "(%{interface})");
+
+ var all91 = all_match({
+ processors: [
+ dup87,
+ select110,
+ part480,
+ dup353,
+ dup103,
+ dup353,
+ part481,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg286 = msg("00015:12", all91);
+
+ var part482 = match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", processor_chain([
+ dup144,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg287 = msg("00015:13", part482);
+
+ var part483 = match("MESSAGE#286:00015:14/0", "nwparser.payload", "NSRP link %{p0}");
+
+ var all92 = all_match({
+ processors: [
+ part483,
+ dup353,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg288 = msg("00015:14", all92);
+
+ var part484 = match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel available (%{fld3->} used by other channel)", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg289 = msg("00015:15", part484);
+
+ var part485 = match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out of synchronization between the local device and the peer device.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg290 = msg("00015:16", part485);
+
+ var part486 = match("MESSAGE#289:00015:17", "nwparser.payload", "NSRP %{change_attribute->} %{change_old->} changed to link channel %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg291 = msg("00015:17", part486);
+
+ var part487 = match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on peer device %{fld2->} changed from %{fld3->} to %{fld4->} state.", processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("change_attribute","RTO mirror group"),
+ ]));
+
+ var msg292 = msg("00015:18", part487);
+
+ var part488 = match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on local device %{fld2}, detected a duplicate direction on the peer device %{fld3}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg293 = msg("00015:19", part488);
+
+ var part489 = match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} changed on the local device from %{fld2->} to up state, it had peer device %{fld3}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg294 = msg("00015:20", part489);
+
+ var part490 = match("MESSAGE#293:00015:21/0", "nwparser.payload", "Peer device %{fld2->} %{p0}");
+
+ var part491 = match("MESSAGE#293:00015:21/1_0", "nwparser.p0", "disappeared %{p0}");
+
+ var part492 = match("MESSAGE#293:00015:21/1_1", "nwparser.p0", "was discovered %{p0}");
+
+ var select111 = linear_select([
+ part491,
+ part492,
+ ]);
+
+ var all93 = all_match({
+ processors: [
+ part490,
+ select111,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg295 = msg("00015:21", all93);
+
+ var part493 = match("MESSAGE#294:00015:22/0_0", "nwparser.payload", "The local %{p0}");
+
+ var part494 = match("MESSAGE#294:00015:22/0_1", "nwparser.payload", "The peer %{p0}");
+
+ var part495 = match("MESSAGE#294:00015:22/0_2", "nwparser.payload", "Peer %{p0}");
+
+ var select112 = linear_select([
+ part493,
+ part494,
+ part495,
+ ]);
+
+ var part496 = match("MESSAGE#294:00015:22/1", "nwparser.p0", "device %{fld2->} in the Virtual Security Device group %{group->} changed %{change_attribute->} from %{change_old->} to %{change_new->} %{p0}");
+
+ var all94 = all_match({
+ processors: [
+ select112,
+ part496,
+ dup354,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg296 = msg("00015:22", all94);
+
+ var part497 = match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg297 = msg("00015:23", part497);
+
+ var part498 = match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authentication server has been changed to %{hostname}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg298 = msg("00015:24", part498);
+
+ var part499 = match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification was successful", processor_chain([
+ setc("eventcategory","1613050100"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg299 = msg("00015:25", part499);
+
+ var part500 = match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification failed", processor_chain([
+ dup97,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg300 = msg("00015:29", part500);
+
+ var part501 = match("MESSAGE#299:00015:26/0", "nwparser.payload", "unit %{fld2->} just dis%{p0}");
+
+ var part502 = match("MESSAGE#299:00015:26/1_0", "nwparser.p0", "appeared%{}");
+
+ var part503 = match("MESSAGE#299:00015:26/1_1", "nwparser.p0", "covered%{}");
+
+ var select113 = linear_select([
+ part502,
+ part503,
+ ]);
+
+ var all95 = all_match({
+ processors: [
+ part501,
+ select113,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg301 = msg("00015:26", all95);
+
+ var part504 = match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change to %{interface}. (%{fld2})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup146,
+ ]));
+
+ var msg302 = msg("00015:33", part504);
+
+ var part505 = match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg303 = msg("00015:27", part505);
+
+ var part506 = match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RADIUS retry timeout has been set to default of %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg304 = msg("00015:28", part506);
+
+ var part507 = match("MESSAGE#303:00015:30/0", "nwparser.payload", "Number of RADIUS retries for auth server %{hostname->} %{p0}");
+
+ var part508 = match("MESSAGE#303:00015:30/2", "nwparser.p0", "set to %{fld2->} (%{fld1})");
+
+ var all96 = all_match({
+ processors: [
+ part507,
+ dup355,
+ part508,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg305 = msg("00015:30", all96);
+
+ var part509 = match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth server %{hostname->} is unset to its default value, %{info->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg306 = msg("00015:31", part509);
+
+ var part510 = match("MESSAGE#305:00015:32", "nwparser.payload", "Accounting port of server RADIUS is set to %{network_port}. (%{fld1})", processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg307 = msg("00015:32", part510);
+
+ var select114 = linear_select([
+ msg274,
+ msg275,
+ msg276,
+ msg277,
+ msg278,
+ msg279,
+ msg280,
+ msg281,
+ msg282,
+ msg283,
+ msg284,
+ msg285,
+ msg286,
+ msg287,
+ msg288,
+ msg289,
+ msg290,
+ msg291,
+ msg292,
+ msg293,
+ msg294,
+ msg295,
+ msg296,
+ msg297,
+ msg298,
+ msg299,
+ msg300,
+ msg301,
+ msg302,
+ msg303,
+ msg304,
+ msg305,
+ msg306,
+ msg307,
+ ]);
+
+ var part511 = match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup147,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg308 = msg("00016", part511);
+
+ var part512 = match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{fld3->} has been %{disposition}.", processor_chain([
+ dup1,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg309 = msg("00016:01", part512);
+
+ var part513 = match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disposition}", processor_chain([
+ dup1,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg310 = msg("00016:02", part513);
+
+ var part514 = match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2})", processor_chain([
+ dup147,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg311 = msg("00016:03", part514);
+
+ var part515 = match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg312 = msg("00016:05", part515);
+
+ var part516 = match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup147,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg313 = msg("00016:06", part516);
+
+ var part517 = match("MESSAGE#312:00016:07/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} ( zone %{p0}");
+
+ var all97 = all_match({
+ processors: [
+ part517,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup147,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup9,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg314 = msg("00016:07", all97);
+
+ var part518 = match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) Modify by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ setc("eventcategory","1001020305"),
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg315 = msg("00016:08", part518);
+
+ var part519 = match("MESSAGE#314:00016:09", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) New by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ setc("eventcategory","1001030305"),
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg316 = msg("00016:09", part519);
+
+ var select115 = linear_select([
+ msg308,
+ msg309,
+ msg310,
+ msg311,
+ msg312,
+ msg313,
+ msg314,
+ msg315,
+ msg316,
+ ]);
+
+ var part520 = match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup151,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ ]));
+
+ var msg317 = msg("00017", part520);
+
+ var part521 = match("MESSAGE#316:00017:23/0", "nwparser.payload", "Gateway %{fld2->} at %{fld3->} in %{fld5->} mode with ID %{p0}");
+
+ var part522 = match("MESSAGE#316:00017:23/1_0", "nwparser.p0", "[%{fld4}] %{p0}");
+
+ var part523 = match("MESSAGE#316:00017:23/1_1", "nwparser.p0", "%{fld4->} %{p0}");
+
+ var select116 = linear_select([
+ part522,
+ part523,
+ ]);
+
+ var part524 = match("MESSAGE#316:00017:23/2", "nwparser.p0", "has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} %{fld}");
+
+ var all98 = all_match({
+ processors: [
+ part521,
+ select116,
+ part524,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg318 = msg("00017:23", all98);
+
+ var part525 = match("MESSAGE#317:00017:01/0_0", "nwparser.payload", "%{fld1}: Gateway %{p0}");
+
+ var part526 = match("MESSAGE#317:00017:01/0_1", "nwparser.payload", "Gateway %{p0}");
+
+ var select117 = linear_select([
+ part525,
+ part526,
+ ]);
+
+ var part527 = match("MESSAGE#317:00017:01/1", "nwparser.p0", "%{fld2->} at %{fld3->} in %{fld5->} mode with ID%{p0}");
+
+ var part528 = match("MESSAGE#317:00017:01/3", "nwparser.p0", "%{fld4->} has been %{disposition}");
+
+ var all99 = all_match({
+ processors: [
+ select117,
+ part527,
+ dup356,
+ part528,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg319 = msg("00017:01", all99);
+
+ var part529 = match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settings have been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg320 = msg("00017:02", part529);
+
+ var part530 = match("MESSAGE#319:00017:03", "nwparser.payload", "IKE key %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg321 = msg("00017:03", part530);
+
+ var part531 = match("MESSAGE#320:00017:04/2", "nwparser.p0", "%{group_object->} with range %{fld2->} has been %{disposition}");
+
+ var all100 = all_match({
+ processors: [
+ dup153,
+ dup357,
+ part531,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg322 = msg("00017:04", all100);
+
+ var part532 = match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg323 = msg("00017:05", part532);
+
+ var part533 = match("MESSAGE#322:00017:06/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been set to %{p0}");
+
+ var part534 = match("MESSAGE#322:00017:06/1_0", "nwparser.p0", "clear %{p0}");
+
+ var part535 = match("MESSAGE#322:00017:06/1_2", "nwparser.p0", "copy %{p0}");
+
+ var select118 = linear_select([
+ part534,
+ dup101,
+ part535,
+ ]);
+
+ var all101 = all_match({
+ processors: [
+ part533,
+ select118,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg324 = msg("00017:06", all101);
+
+ var part536 = match("MESSAGE#323:00017:07/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been %{p0}");
+
+ var part537 = match("MESSAGE#323:00017:07/1_0", "nwparser.p0", "clear%{}");
+
+ var part538 = match("MESSAGE#323:00017:07/1_1", "nwparser.p0", "cleared%{}");
+
+ var part539 = match("MESSAGE#323:00017:07/1_3", "nwparser.p0", "copy%{}");
+
+ var part540 = match("MESSAGE#323:00017:07/1_4", "nwparser.p0", "copied%{}");
+
+ var select119 = linear_select([
+ part537,
+ part538,
+ dup98,
+ part539,
+ part540,
+ ]);
+
+ var all102 = all_match({
+ processors: [
+ part536,
+ select119,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg325 = msg("00017:07", all102);
+
+ var part541 = match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and SPI %{fld3}/%{fld4->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg326 = msg("00017:08", part541);
+
+ var part542 = match("MESSAGE#325:00017:09/0_0", "nwparser.payload", "%{fld1}: VPN %{p0}");
+
+ var part543 = match("MESSAGE#325:00017:09/0_1", "nwparser.payload", "VPN %{p0}");
+
+ var select120 = linear_select([
+ part542,
+ part543,
+ ]);
+
+ var part544 = match("MESSAGE#325:00017:09/1", "nwparser.p0", "%{group->} with gateway %{fld2->} %{p0}");
+
+ var part545 = match("MESSAGE#325:00017:09/2_0", "nwparser.p0", "no-rekey %{p0}");
+
+ var part546 = match("MESSAGE#325:00017:09/2_1", "nwparser.p0", "rekey, %{p0}");
+
+ var part547 = match("MESSAGE#325:00017:09/2_2", "nwparser.p0", "rekey %{p0}");
+
+ var select121 = linear_select([
+ part545,
+ part546,
+ part547,
+ ]);
+
+ var part548 = match("MESSAGE#325:00017:09/3", "nwparser.p0", "and p2-proposal %{fld3->} has been %{p0}");
+
+ var part549 = match("MESSAGE#325:00017:09/4_0", "nwparser.p0", "%{disposition->} from peer unit");
+
+ var part550 = match("MESSAGE#325:00017:09/4_1", "nwparser.p0", "%{disposition->} from host %{saddr}");
+
+ var select122 = linear_select([
+ part549,
+ part550,
+ dup36,
+ ]);
+
+ var all103 = all_match({
+ processors: [
+ select120,
+ part544,
+ select121,
+ part548,
+ select122,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg327 = msg("00017:09", all103);
+
+ var part551 = match("MESSAGE#326:00017:10/0", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}. Src IF %{sinterface->} dst IP %{daddr->} with rekeying %{p0}");
+
+ var all104 = all_match({
+ processors: [
+ part551,
+ dup358,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg328 = msg("00017:10", all104);
+
+ var part552 = match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg329 = msg("00017:11", part552);
+
+ var part553 = match("MESSAGE#328:00017:12/0", "nwparser.payload", "VPN monitoring %{p0}");
+
+ var part554 = match("MESSAGE#328:00017:12/1_2", "nwparser.p0", "frequency %{p0}");
+
+ var select123 = linear_select([
+ dup109,
+ dup110,
+ part554,
+ ]);
+
+ var all105 = all_match({
+ processors: [
+ part553,
+ select123,
+ dup127,
+ dup359,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg330 = msg("00017:12", all105);
+
+ var part555 = match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been added by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg331 = msg("00017:26", part555);
+
+ var part556 = match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. You cannot allocate an IP address.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg332 = msg("00017:13", part556);
+
+ var part557 = match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail}, DH group %{group}, ESP %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup9,
+ dup5,
+ ]));
+
+ var msg333 = msg("00017:14", part557);
+
+ var part558 = match("MESSAGE#332:00017:15/0", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group->} %{p0}");
+
+ var part559 = match("MESSAGE#332:00017:15/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime (%{fld3}) (%{fld4}) has been %{disposition}.");
+
+ var all106 = all_match({
+ processors: [
+ part558,
+ dup360,
+ part559,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg334 = msg("00017:15", all106);
+
+ var part560 = match("MESSAGE#333:00017:31/0", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail->} DH group %{group->} %{p0}");
+
+ var part561 = match("MESSAGE#333:00017:31/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime %{fld3->} has been %{disposition}.");
+
+ var all107 = all_match({
+ processors: [
+ part560,
+ dup360,
+ part561,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg335 = msg("00017:31", all107);
+
+ var part562 = match("MESSAGE#334:00017:16/0", "nwparser.payload", "vpnmonitor interval is %{p0}");
+
+ var all108 = all_match({
+ processors: [
+ part562,
+ dup359,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg336 = msg("00017:16", all108);
+
+ var part563 = match("MESSAGE#335:00017:17/0", "nwparser.payload", "vpnmonitor threshold is %{p0}");
+
+ var select124 = linear_select([
+ dup99,
+ dup93,
+ ]);
+
+ var all109 = all_match({
+ processors: [
+ part563,
+ select124,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg337 = msg("00017:17", all109);
+
+ var part564 = match("MESSAGE#336:00017:18/2", "nwparser.p0", "%{group_object->} with range %{fld2->} was %{disposition}");
+
+ var all110 = all_match({
+ processors: [
+ dup153,
+ dup357,
+ part564,
+ ],
+ on_success: processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg338 = msg("00017:18", all110);
+
+ var part565 = match("MESSAGE#337:00017:19/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at %{p0}");
+
+ var part566 = match("MESSAGE#337:00017:19/2", "nwparser.p0", "%{} %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times");
+
+ var all111 = all_match({
+ processors: [
+ part565,
+ dup337,
+ part566,
+ ],
+ on_success: processor_chain([
+ dup151,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg339 = msg("00017:19", all111);
+
+ var all112 = all_match({
+ processors: [
+ dup64,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup151,
+ dup2,
+ dup9,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg340 = msg("00017:20", all112);
+
+ var part567 = match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup151,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ ]));
+
+ var msg341 = msg("00017:21", part567);
+
+ var part568 = match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg342 = msg("00017:22", part568);
+
+ var part569 = match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bound to tunnel interface %{interface}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg343 = msg("00017:24", part569);
+
+ var part570 = match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal standard has been added by admin %{administrator->} via NSRP Peer (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg344 = msg("00017:25", part570);
+
+ var part571 = match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group}, ESP, enc %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg345 = msg("00017:28", part571);
+
+ var part572 = match("MESSAGE#344:00017:29", "nwparser.payload", "L2TP \"%{fld2}\", all-L2TP-users secret \"%{fld3}\" keepalive %{fld4->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg346 = msg("00017:29", part572);
+
+ var select125 = linear_select([
+ msg317,
+ msg318,
+ msg319,
+ msg320,
+ msg321,
+ msg322,
+ msg323,
+ msg324,
+ msg325,
+ msg326,
+ msg327,
+ msg328,
+ msg329,
+ msg330,
+ msg331,
+ msg332,
+ msg333,
+ msg334,
+ msg335,
+ msg336,
+ msg337,
+ msg338,
+ msg339,
+ msg340,
+ msg341,
+ msg342,
+ msg343,
+ msg344,
+ msg345,
+ msg346,
+ ]);
+
+ var part573 = match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} and %{fld3->} have been exchanged", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg347 = msg("00018", part573);
+
+ var part574 = match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", processor_chain([
+ setc("eventcategory","1502010000"),
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg348 = msg("00018:01", part574);
+
+ var part575 = match("MESSAGE#347:00018:02", "nwparser.payload", "Device%{quote}s %{change_attribute->} has been changed from %{change_old->} to %{change_new->} by admin %{administrator}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg349 = msg("00018:02", part575);
+
+ var part576 = match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg350 = msg("00018:04", part576);
+
+ var part577 = match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} by admin %{administrator->} via NSRP Peer", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg351 = msg("00018:16", part577);
+
+ var part578 = match("MESSAGE#350:00018:06/0", "nwparser.payload", "%{fld2->} Policy %{policy_id->} has been moved %{p0}");
+
+ var part579 = match("MESSAGE#350:00018:06/1_0", "nwparser.p0", "before %{p0}");
+
+ var part580 = match("MESSAGE#350:00018:06/1_1", "nwparser.p0", "after %{p0}");
+
+ var select126 = linear_select([
+ part579,
+ part580,
+ ]);
+
+ var part581 = match("MESSAGE#350:00018:06/2", "nwparser.p0", "%{fld3->} by admin %{administrator}");
+
+ var all113 = all_match({
+ processors: [
+ part578,
+ select126,
+ part581,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg352 = msg("00018:06", all113);
+
+ var part582 = match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} application was modified to %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg353 = msg("00018:08", part582);
+
+ var part583 = match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup17,
+ dup3,
+ dup2,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg354 = msg("00018:09", part583);
+
+ var part584 = match("MESSAGE#353:00018:10/0", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{p0}");
+
+ var part585 = match("MESSAGE#353:00018:10/1_0", "nwparser.p0", "%{disposition->} from peer unit by %{p0}");
+
+ var part586 = match("MESSAGE#353:00018:10/1_1", "nwparser.p0", "%{disposition->} by %{p0}");
+
+ var select127 = linear_select([
+ part585,
+ part586,
+ ]);
+
+ var part587 = match("MESSAGE#353:00018:10/2", "nwparser.p0", "%{username->} via %{interface->} from host %{saddr->} (%{fld1})");
+
+ var all114 = all_match({
+ processors: [
+ part584,
+ select127,
+ part587,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup3,
+ dup2,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg355 = msg("00018:10", all114);
+
+ var part588 = match("MESSAGE#354:00018:11/1_0", "nwparser.p0", "Service %{service->} was %{p0}");
+
+ var part589 = match("MESSAGE#354:00018:11/1_1", "nwparser.p0", "Attack group %{signame->} was %{p0}");
+
+ var select128 = linear_select([
+ part588,
+ part589,
+ ]);
+
+ var part590 = match("MESSAGE#354:00018:11/2", "nwparser.p0", "%{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} %{p0}");
+
+ var part591 = match("MESSAGE#354:00018:11/3_0", "nwparser.p0", "to %{daddr}:%{dport}. %{p0}");
+
+ var select129 = linear_select([
+ part591,
+ dup16,
+ ]);
+
+ var all115 = all_match({
+ processors: [
+ dup160,
+ select128,
+ part590,
+ select129,
+ dup10,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg356 = msg("00018:11", all115);
+
+ var part592 = match("MESSAGE#355:00018:12/0", "nwparser.payload", "In policy %{policy_id}, the %{p0}");
+
+ var part593 = match("MESSAGE#355:00018:12/1_0", "nwparser.p0", "application %{p0}");
+
+ var part594 = match("MESSAGE#355:00018:12/1_1", "nwparser.p0", "attack severity %{p0}");
+
+ var part595 = match("MESSAGE#355:00018:12/1_2", "nwparser.p0", "DI attack component %{p0}");
+
+ var select130 = linear_select([
+ part593,
+ part594,
+ part595,
+ ]);
+
+ var part596 = match("MESSAGE#355:00018:12/2", "nwparser.p0", "was modified by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})");
+
+ var all116 = all_match({
+ processors: [
+ part592,
+ select130,
+ part596,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg357 = msg("00018:12", all116);
+
+ var part597 = match("MESSAGE#356:00018:32/1", "nwparser.p0", "%{}address %{dhost}(%{daddr}) was %{disposition->} %{p0}");
+
+ var all117 = all_match({
+ processors: [
+ dup361,
+ part597,
+ dup362,
+ dup164,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg358 = msg("00018:32", all117);
+
+ var part598 = match("MESSAGE#357:00018:22/1", "nwparser.p0", "%{}address %{dhost->} was %{disposition->} %{p0}");
+
+ var all118 = all_match({
+ processors: [
+ dup361,
+ part598,
+ dup362,
+ dup164,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg359 = msg("00018:22", all118);
+
+ var part599 = match("MESSAGE#358:00018:15/0", "nwparser.payload", "%{agent->} was %{disposition->} from policy %{policy_id->} %{p0}");
+
+ var select131 = linear_select([
+ dup78,
+ dup77,
+ ]);
+
+ var part600 = match("MESSAGE#358:00018:15/2", "nwparser.p0", "address by admin %{administrator->} via NSRP Peer");
+
+ var all119 = all_match({
+ processors: [
+ part599,
+ select131,
+ part600,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg360 = msg("00018:15", all119);
+
+ var part601 = match("MESSAGE#359:00018:14/0", "nwparser.payload", "%{agent->} was %{disposition->} %{p0}");
+
+ var part602 = match("MESSAGE#359:00018:14/1_0", "nwparser.p0", "to%{p0}");
+
+ var part603 = match("MESSAGE#359:00018:14/1_1", "nwparser.p0", "from%{p0}");
+
+ var select132 = linear_select([
+ part602,
+ part603,
+ ]);
+
+ var part604 = match("MESSAGE#359:00018:14/2", "nwparser.p0", "%{}policy %{policy_id->} %{p0}");
+
+ var part605 = match("MESSAGE#359:00018:14/3_0", "nwparser.p0", "service %{p0}");
+
+ var part606 = match("MESSAGE#359:00018:14/3_1", "nwparser.p0", "source address %{p0}");
+
+ var part607 = match("MESSAGE#359:00018:14/3_2", "nwparser.p0", "destination address %{p0}");
+
+ var select133 = linear_select([
+ part605,
+ part606,
+ part607,
+ ]);
+
+ var part608 = match("MESSAGE#359:00018:14/4", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})");
+
+ var all120 = all_match({
+ processors: [
+ part601,
+ select132,
+ part604,
+ select133,
+ part608,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg361 = msg("00018:14", all120);
+
+ var part609 = match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg362 = msg("00018:29", part609);
+
+ var part610 = match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to policy %{policy_id->} %{rule_group->} by admin %{administrator->} via NSRP Peer %{space->} (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg363 = msg("00018:07", part610);
+
+ var part611 = match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg364 = msg("00018:18", part611);
+
+ var part612 = match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{disposition->} from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg365 = msg("00018:17", part612);
+
+ var part613 = match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg366 = msg("00018:19", part613);
+
+ var part614 = match("MESSAGE#365:00018:23/0_0", "nwparser.payload", "Destination %{p0}");
+
+ var part615 = match("MESSAGE#365:00018:23/0_1", "nwparser.payload", "Source %{p0}");
+
+ var select134 = linear_select([
+ part614,
+ part615,
+ ]);
+
+ var part616 = match("MESSAGE#365:00018:23/1", "nwparser.p0", "address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} %{p0}");
+
+ var part617 = match("MESSAGE#365:00018:23/2_0", "nwparser.p0", "from host %{p0}");
+
+ var select135 = linear_select([
+ part617,
+ dup103,
+ ]);
+
+ var part618 = match("MESSAGE#365:00018:23/4_0", "nwparser.p0", "%{saddr->} to %{daddr->} %{p0}");
+
+ var part619 = match("MESSAGE#365:00018:23/4_1", "nwparser.p0", "%{daddr->} %{p0}");
+
+ var select136 = linear_select([
+ part618,
+ part619,
+ ]);
+
+ var part620 = match("MESSAGE#365:00018:23/5", "nwparser.p0", "%{dport}:(%{fld1})");
+
+ var all121 = all_match({
+ processors: [
+ select134,
+ part616,
+ select135,
+ dup23,
+ select136,
+ part620,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg367 = msg("00018:23", all121);
+
+ var part621 = match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg368 = msg("00018:21", part621);
+
+ var part622 = match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{disposition->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg369 = msg("00018:24", part622);
+
+ var part623 = match("MESSAGE#368:00018:25/1", "nwparser.p0", "%{}address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})");
+
+ var all122 = all_match({
+ processors: [
+ dup363,
+ part623,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg370 = msg("00018:25", all122);
+
+ var part624 = match("MESSAGE#369:00018:30/1", "nwparser.p0", "%{}address %{info->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})");
+
+ var all123 = all_match({
+ processors: [
+ dup363,
+ part624,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg371 = msg("00018:30", all123);
+
+ var part625 = match("MESSAGE#370:00018:26/0", "nwparser.payload", "In policy %{policy_id}, the application was modified to %{disposition->} by %{p0}");
+
+ var part626 = match("MESSAGE#370:00018:26/2_1", "nwparser.p0", "%{logon_type->} from host %{saddr}. (%{p0}");
+
+ var select137 = linear_select([
+ dup48,
+ part626,
+ ]);
+
+ var all124 = all_match({
+ processors: [
+ part625,
+ dup364,
+ select137,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg372 = msg("00018:26", all124);
+
+ var part627 = match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the DI attack component was modified by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg373 = msg("00018:27", part627);
+
+ var part628 = match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the DI attack component was modified by admin %{administrator->} via %{logon_type}. (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ setc("info","the DI attack component was modified"),
+ ]));
+
+ var msg374 = msg("00018:28", part628);
+
+ var part629 = match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition}", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg375 = msg("00018:03", part629);
+
+ var part630 = match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the option %{fld2->} was %{disposition}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg376 = msg("00018:31", part630);
+
+ var select138 = linear_select([
+ msg347,
+ msg348,
+ msg349,
+ msg350,
+ msg351,
+ msg352,
+ msg353,
+ msg354,
+ msg355,
+ msg356,
+ msg357,
+ msg358,
+ msg359,
+ msg360,
+ msg361,
+ msg362,
+ msg363,
+ msg364,
+ msg365,
+ msg366,
+ msg367,
+ msg368,
+ msg369,
+ msg370,
+ msg371,
+ msg372,
+ msg373,
+ msg374,
+ msg375,
+ msg376,
+ ]);
+
+ var part631 = match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has %{disposition->} because WebTrends settings have not yet been configured", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg377 = msg("00019", part631);
+
+ var part632 = match("MESSAGE#375:00019:01/2", "nwparser.p0", "has %{disposition->} because syslog settings have not yet been configured");
+
+ var all125 = all_match({
+ processors: [
+ dup165,
+ dup365,
+ part632,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg378 = msg("00019:01", all125);
+
+ var part633 = match("MESSAGE#376:00019:02/0", "nwparser.payload", "Socket cannot be assigned for %{p0}");
+
+ var part634 = match("MESSAGE#376:00019:02/1_0", "nwparser.p0", "WebTrends%{}");
+
+ var part635 = match("MESSAGE#376:00019:02/1_1", "nwparser.p0", "syslog%{}");
+
+ var select139 = linear_select([
+ part634,
+ part635,
+ ]);
+
+ var all126 = all_match({
+ processors: [
+ part633,
+ select139,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg379 = msg("00019:02", all126);
+
+ var part636 = match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has been %{disposition}", processor_chain([
+ dup91,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg380 = msg("00019:03", part636);
+
+ var select140 = linear_select([
+ dup169,
+ dup78,
+ ]);
+
+ var select141 = linear_select([
+ dup139,
+ dup170,
+ dup137,
+ dup122,
+ ]);
+
+ var all127 = all_match({
+ processors: [
+ dup168,
+ select140,
+ dup23,
+ select141,
+ dup171,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg381 = msg("00019:04", all127);
+
+ var part637 = match("MESSAGE#379:00019:05/0", "nwparser.payload", "Syslog message level has been changed to %{p0}");
+
+ var part638 = match("MESSAGE#379:00019:05/1_0", "nwparser.p0", "debug%{}");
+
+ var part639 = match("MESSAGE#379:00019:05/1_1", "nwparser.p0", "information%{}");
+
+ var part640 = match("MESSAGE#379:00019:05/1_2", "nwparser.p0", "notification%{}");
+
+ var part641 = match("MESSAGE#379:00019:05/1_3", "nwparser.p0", "warning%{}");
+
+ var part642 = match("MESSAGE#379:00019:05/1_4", "nwparser.p0", "error%{}");
+
+ var part643 = match("MESSAGE#379:00019:05/1_5", "nwparser.p0", "critical%{}");
+
+ var part644 = match("MESSAGE#379:00019:05/1_6", "nwparser.p0", "alert%{}");
+
+ var part645 = match("MESSAGE#379:00019:05/1_7", "nwparser.p0", "emergency%{}");
+
+ var select142 = linear_select([
+ part638,
+ part639,
+ part640,
+ part641,
+ part642,
+ part643,
+ part644,
+ part645,
+ ]);
+
+ var all128 = all_match({
+ processors: [
+ part637,
+ select142,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg382 = msg("00019:05", all128);
+
+ var part646 = match("MESSAGE#380:00019:06/2", "nwparser.p0", "has been changed to %{p0}");
+
+ var all129 = all_match({
+ processors: [
+ dup168,
+ dup366,
+ part646,
+ dup367,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg383 = msg("00019:06", all129);
+
+ var part647 = match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has been %{disposition}", processor_chain([
+ dup91,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg384 = msg("00019:07", part647);
+
+ var part648 = match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg385 = msg("00019:08", part648);
+
+ var part649 = match("MESSAGE#383:00019:09/0", "nwparser.payload", "WebTrends host %{p0}");
+
+ var select143 = linear_select([
+ dup139,
+ dup170,
+ dup137,
+ ]);
+
+ var all130 = all_match({
+ processors: [
+ part649,
+ select143,
+ dup171,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg386 = msg("00019:09", all130);
+
+ var part650 = match("MESSAGE#384:00019:10/1_0", "nwparser.p0", "Traffic logging via syslog %{p0}");
+
+ var part651 = match("MESSAGE#384:00019:10/1_1", "nwparser.p0", "Syslog %{p0}");
+
+ var select144 = linear_select([
+ part650,
+ part651,
+ ]);
+
+ var all131 = all_match({
+ processors: [
+ dup183,
+ select144,
+ dup138,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg387 = msg("00019:10", all131);
+
+ var part652 = match("MESSAGE#385:00019:11/2", "nwparser.p0", "has %{disposition->} because there is no syslog server defined");
+
+ var all132 = all_match({
+ processors: [
+ dup165,
+ dup365,
+ part652,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg388 = msg("00019:11", all132);
+
+ var part653 = match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg389 = msg("00019:12", part653);
+
+ var part654 = match("MESSAGE#387:00019:13/0", "nwparser.payload", "Syslog server %{hostip->} %{p0}");
+
+ var select145 = linear_select([
+ dup107,
+ dup106,
+ ]);
+
+ var part655 = match("MESSAGE#387:00019:13/2", "nwparser.p0", "%{disposition}");
+
+ var all133 = all_match({
+ processors: [
+ part654,
+ select145,
+ part655,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg390 = msg("00019:13", all133);
+
+ var part656 = match("MESSAGE#388:00019:14/2", "nwparser.p0", "for %{hostip->} has been changed to %{p0}");
+
+ var all134 = all_match({
+ processors: [
+ dup168,
+ dup366,
+ part656,
+ dup367,
+ ],
+ on_success: processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg391 = msg("00019:14", all134);
+
+ var part657 = match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the TCP server %{hostip}; the connection is closed.", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg392 = msg("00019:15", part657);
+
+ var part658 = match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were removed.%{}", processor_chain([
+ setc("eventcategory","1701030000"),
+ setc("ec_activity","Delete"),
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg393 = msg("00019:16", part658);
+
+ var part659 = match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} host port number has been changed to %{network_port->} %{fld5}", processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg394 = msg("00019:17", part659);
+
+ var part660 = match("MESSAGE#392:00019:18/0", "nwparser.payload", "Traffic logging %{p0}");
+
+ var part661 = match("MESSAGE#392:00019:18/1_0", "nwparser.p0", "via syslog %{p0}");
+
+ var part662 = match("MESSAGE#392:00019:18/1_1", "nwparser.p0", "for syslog server %{hostip->} %{p0}");
+
+ var select146 = linear_select([
+ part661,
+ part662,
+ ]);
+
+ var all135 = all_match({
+ processors: [
+ part660,
+ select146,
+ dup138,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg395 = msg("00019:18", all135);
+
+ var part663 = match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog server %{hostip->} was changed to udp", processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg396 = msg("00019:19", part663);
+
+ var part664 = match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is enabled on backup device by netscreen via web from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg397 = msg("00019:20", part664);
+
+ var select147 = linear_select([
+ msg377,
+ msg378,
+ msg379,
+ msg380,
+ msg381,
+ msg382,
+ msg383,
+ msg384,
+ msg385,
+ msg386,
+ msg387,
+ msg388,
+ msg389,
+ msg390,
+ msg391,
+ msg392,
+ msg393,
+ msg394,
+ msg395,
+ msg396,
+ msg397,
+ ]);
+
+ var part665 = match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg398 = msg("00020", part665);
+
+ var part666 = match("MESSAGE#396:00020:01/0", "nwparser.payload", "System memory is low %{p0}");
+
+ var part667 = match("MESSAGE#396:00020:01/1_1", "nwparser.p0", "( %{p0}");
+
+ var select148 = linear_select([
+ dup152,
+ part667,
+ ]);
+
+ var part668 = match("MESSAGE#396:00020:01/2", "nwparser.p0", "%{fld2->} bytes allocated out of %{p0}");
+
+ var part669 = match("MESSAGE#396:00020:01/3_0", "nwparser.p0", "total %{fld3->} bytes");
+
+ var part670 = match("MESSAGE#396:00020:01/3_1", "nwparser.p0", "%{fld4->} bytes total");
+
+ var select149 = linear_select([
+ part669,
+ part670,
+ ]);
+
+ var all136 = all_match({
+ processors: [
+ part666,
+ select148,
+ part668,
+ select149,
+ ],
+ on_success: processor_chain([
+ dup184,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg399 = msg("00020:01", all136);
+
+ var part671 = match("MESSAGE#397:00020:02", "nwparser.payload", "System memory is low (%{fld2->} allocated out of %{fld3->} ) %{fld4->} times in %{fld5}", processor_chain([
+ dup184,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg400 = msg("00020:02", part671);
+
+ var select150 = linear_select([
+ msg398,
+ msg399,
+ msg400,
+ ]);
+
+ var part672 = match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg401 = msg("00021", part672);
+
+ var part673 = match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range %{info->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg402 = msg("00021:01", part673);
+
+ var part674 = match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg403 = msg("00021:02", part674);
+
+ var part675 = match("MESSAGE#401:00021:03", "nwparser.payload", "Connection refused by the DNS server%{}", processor_chain([
+ dup185,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg404 = msg("00021:03", part675);
+
+ var part676 = match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg405 = msg("00021:04", part676);
+
+ var part677 = match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg406 = msg("00021:05", part677);
+
+ var part678 = match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ setc("info","DIP port-translation stickiness was modified"),
+ ]));
+
+ var msg407 = msg("00021:06", part678);
+
+ var select151 = linear_select([
+ msg401,
+ msg402,
+ msg403,
+ msg404,
+ msg405,
+ msg406,
+ msg407,
+ ]);
+
+ var part679 = match("MESSAGE#405:00022/1_0", "nwparser.p0", "power supplies %{p0}");
+
+ var part680 = match("MESSAGE#405:00022/1_1", "nwparser.p0", "fans %{p0}");
+
+ var select152 = linear_select([
+ part679,
+ part680,
+ ]);
+
+ var part681 = match("MESSAGE#405:00022/2", "nwparser.p0", "are %{fld2->} functioning properly");
+
+ var all137 = all_match({
+ processors: [
+ dup186,
+ select152,
+ part681,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg408 = msg("00022", all137);
+
+ var part682 = match("MESSAGE#406:00022:01/0_0", "nwparser.payload", "At least one power supply %{p0}");
+
+ var part683 = match("MESSAGE#406:00022:01/0_1", "nwparser.payload", "The power supply %{fld2->} %{p0}");
+
+ var part684 = match("MESSAGE#406:00022:01/0_2", "nwparser.payload", "At least one fan %{p0}");
+
+ var select153 = linear_select([
+ part682,
+ part683,
+ part684,
+ ]);
+
+ var part685 = match("MESSAGE#406:00022:01/1", "nwparser.p0", "is not functioning properly%{p0}");
+
+ var all138 = all_match({
+ processors: [
+ select153,
+ part685,
+ dup368,
+ ],
+ on_success: processor_chain([
+ dup187,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg409 = msg("00022:01", all138);
+
+ var part686 = match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management tunnel has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg410 = msg("00022:02", part686);
+
+ var part687 = match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name has been defined as %{domain}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg411 = msg("00022:03", part687);
+
+ var part688 = match("MESSAGE#409:00022:04/0", "nwparser.payload", "Reporting of the %{p0}");
+
+ var part689 = match("MESSAGE#409:00022:04/1_0", "nwparser.p0", "network activities %{p0}");
+
+ var part690 = match("MESSAGE#409:00022:04/1_1", "nwparser.p0", "device resources %{p0}");
+
+ var part691 = match("MESSAGE#409:00022:04/1_2", "nwparser.p0", "event logs %{p0}");
+
+ var part692 = match("MESSAGE#409:00022:04/1_3", "nwparser.p0", "summary logs %{p0}");
+
+ var select154 = linear_select([
+ part689,
+ part690,
+ part691,
+ part692,
+ ]);
+
+ var part693 = match("MESSAGE#409:00022:04/2", "nwparser.p0", "to Global Manager has been %{disposition}");
+
+ var all139 = all_match({
+ processors: [
+ part688,
+ select154,
+ part693,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg412 = msg("00022:04", all139);
+
+ var part694 = match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg413 = msg("00022:05", part694);
+
+ var part695 = match("MESSAGE#411:00022:06/0", "nwparser.payload", "Global Manager %{p0}");
+
+ var part696 = match("MESSAGE#411:00022:06/1_0", "nwparser.p0", "report %{p0}");
+
+ var part697 = match("MESSAGE#411:00022:06/1_1", "nwparser.p0", "listen %{p0}");
+
+ var select155 = linear_select([
+ part696,
+ part697,
+ ]);
+
+ var part698 = match("MESSAGE#411:00022:06/2", "nwparser.p0", "port has been set to %{interface}");
+
+ var all140 = all_match({
+ processors: [
+ part695,
+ select155,
+ part698,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg414 = msg("00022:06", all140);
+
+ var part699 = match("MESSAGE#412:00022:07", "nwparser.payload", "The Global Manager keep-alive value has been changed to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg415 = msg("00022:07", part699);
+
+ var part700 = match("MESSAGE#413:00022:08/0_0", "nwparser.payload", "System temperature %{p0}");
+
+ var part701 = match("MESSAGE#413:00022:08/0_1", "nwparser.payload", "System's temperature: %{p0}");
+
+ var part702 = match("MESSAGE#413:00022:08/0_2", "nwparser.payload", "The system temperature %{p0}");
+
+ var select156 = linear_select([
+ part700,
+ part701,
+ part702,
+ ]);
+
+ var part703 = match("MESSAGE#413:00022:08/1", "nwparser.p0", "(%{fld2->} C%{p0}");
+
+ var part704 = match("MESSAGE#413:00022:08/2_0", "nwparser.p0", "entigrade, %{p0}");
+
+ var select157 = linear_select([
+ part704,
+ dup96,
+ ]);
+
+ var part705 = match("MESSAGE#413:00022:08/3", "nwparser.p0", "%{fld3->} F%{p0}");
+
+ var part706 = match("MESSAGE#413:00022:08/4_0", "nwparser.p0", "ahrenheit %{p0}");
+
+ var select158 = linear_select([
+ part706,
+ dup96,
+ ]);
+
+ var part707 = match("MESSAGE#413:00022:08/5", "nwparser.p0", ") is too high%{}");
+
+ var all141 = all_match({
+ processors: [
+ select156,
+ part703,
+ select157,
+ part705,
+ select158,
+ part707,
+ ],
+ on_success: processor_chain([
+ dup188,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg416 = msg("00022:08", all141);
+
+ var part708 = match("MESSAGE#414:00022:09/2", "nwparser.p0", "power supply is no%{p0}");
+
+ var select159 = linear_select([
+ dup191,
+ dup192,
+ ]);
+
+ var part709 = match("MESSAGE#414:00022:09/4", "nwparser.p0", "functioning properly%{}");
+
+ var all142 = all_match({
+ processors: [
+ dup55,
+ dup369,
+ part708,
+ select159,
+ part709,
+ ],
+ on_success: processor_chain([
+ dup188,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg417 = msg("00022:09", all142);
+
+ var part710 = match("MESSAGE#415:00022:10/0", "nwparser.payload", "The NetScreen device was unable to upgrade the file system%{p0}");
+
+ var part711 = match("MESSAGE#415:00022:10/1_0", "nwparser.p0", " due to an internal conflict%{}");
+
+ var part712 = match("MESSAGE#415:00022:10/1_1", "nwparser.p0", ", but the old file system is intact%{}");
+
+ var select160 = linear_select([
+ part711,
+ part712,
+ ]);
+
+ var all143 = all_match({
+ processors: [
+ part710,
+ select160,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg418 = msg("00022:10", all143);
+
+ var part713 = match("MESSAGE#416:00022:11/0", "nwparser.payload", "The NetScreen device was unable to upgrade %{p0}");
+
+ var part714 = match("MESSAGE#416:00022:11/1_0", "nwparser.p0", "due to an internal conflict%{}");
+
+ var part715 = match("MESSAGE#416:00022:11/1_1", "nwparser.p0", "the loader, but the loader is intact%{}");
+
+ var select161 = linear_select([
+ part714,
+ part715,
+ ]);
+
+ var all144 = all_match({
+ processors: [
+ part713,
+ select161,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg419 = msg("00022:11", all144);
+
+ var part716 = match("MESSAGE#417:00022:12/0", "nwparser.payload", "Battery is no%{p0}");
+
+ var select162 = linear_select([
+ dup192,
+ dup191,
+ ]);
+
+ var part717 = match("MESSAGE#417:00022:12/2", "nwparser.p0", "functioning properly.%{}");
+
+ var all145 = all_match({
+ processors: [
+ part716,
+ select162,
+ part717,
+ ],
+ on_success: processor_chain([
+ dup188,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg420 = msg("00022:12", all145);
+
+ var part718 = match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2->} Centigrade, %{fld3->} Fahrenheit) is OK now.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg421 = msg("00022:13", part718);
+
+ var part719 = match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is functioning properly. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg422 = msg("00022:14", part719);
+
+ var select163 = linear_select([
+ msg408,
+ msg409,
+ msg410,
+ msg411,
+ msg412,
+ msg413,
+ msg414,
+ msg415,
+ msg416,
+ msg417,
+ msg418,
+ msg419,
+ msg420,
+ msg421,
+ msg422,
+ ]);
+
+ var part720 = match("MESSAGE#420:00023", "nwparser.payload", "VIP server %{hostip->} is not responding", processor_chain([
+ dup187,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg423 = msg("00023", part720);
+
+ var part721 = match("MESSAGE#421:00023:01", "nwparser.payload", "VIP/load balance server %{hostip->} cannot be contacted", processor_chain([
+ dup187,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg424 = msg("00023:01", part721);
+
+ var part722 = match("MESSAGE#422:00023:02", "nwparser.payload", "VIP server %{hostip->} cannot be contacted", processor_chain([
+ dup187,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg425 = msg("00023:02", part722);
+
+ var select164 = linear_select([
+ msg423,
+ msg424,
+ msg425,
+ ]);
+
+ var part723 = match("MESSAGE#423:00024/0_0", "nwparser.payload", "The DHCP %{p0}");
+
+ var part724 = match("MESSAGE#423:00024/0_1", "nwparser.payload", " DHCP %{p0}");
+
+ var select165 = linear_select([
+ part723,
+ part724,
+ ]);
+
+ var part725 = match("MESSAGE#423:00024/2_0", "nwparser.p0", "IP address pool has %{p0}");
+
+ var part726 = match("MESSAGE#423:00024/2_1", "nwparser.p0", "options have been %{p0}");
+
+ var select166 = linear_select([
+ part725,
+ part726,
+ ]);
+
+ var all146 = all_match({
+ processors: [
+ select165,
+ dup193,
+ select166,
+ dup52,
+ dup368,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg426 = msg("00024", all146);
+
+ var part727 = match("MESSAGE#424:00024:01/0_0", "nwparser.payload", "Traffic log %{p0}");
+
+ var part728 = match("MESSAGE#424:00024:01/0_1", "nwparser.payload", "Alarm log %{p0}");
+
+ var part729 = match("MESSAGE#424:00024:01/0_2", "nwparser.payload", "Event log %{p0}");
+
+ var part730 = match("MESSAGE#424:00024:01/0_3", "nwparser.payload", "Self log %{p0}");
+
+ var part731 = match("MESSAGE#424:00024:01/0_4", "nwparser.payload", "Asset Recovery log %{p0}");
+
+ var select167 = linear_select([
+ part727,
+ part728,
+ part729,
+ part730,
+ part731,
+ ]);
+
+ var part732 = match("MESSAGE#424:00024:01/1", "nwparser.p0", "has overflowed%{}");
+
+ var all147 = all_match({
+ processors: [
+ select167,
+ part732,
+ ],
+ on_success: processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg427 = msg("00024:01", all147);
+
+ var part733 = match("MESSAGE#425:00024:02/0", "nwparser.payload", "DHCP relay agent settings on %{fld2->} %{p0}");
+
+ var part734 = match("MESSAGE#425:00024:02/1_0", "nwparser.p0", "are %{p0}");
+
+ var part735 = match("MESSAGE#425:00024:02/1_1", "nwparser.p0", "have been %{p0}");
+
+ var select168 = linear_select([
+ part734,
+ part735,
+ ]);
+
+ var part736 = match("MESSAGE#425:00024:02/2", "nwparser.p0", "%{disposition->} (%{fld1})");
+
+ var all148 = all_match({
+ processors: [
+ part733,
+ select168,
+ part736,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg428 = msg("00024:02", all148);
+
+ var part737 = match("MESSAGE#426:00024:03/0", "nwparser.payload", "DHCP server IP address pool %{p0}");
+
+ var select169 = linear_select([
+ dup194,
+ dup106,
+ ]);
+
+ var part738 = match("MESSAGE#426:00024:03/2", "nwparser.p0", "changed. (%{fld1})");
+
+ var all149 = all_match({
+ processors: [
+ part737,
+ select169,
+ part738,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg429 = msg("00024:03", all149);
+
+ var select170 = linear_select([
+ msg426,
+ msg427,
+ msg428,
+ msg429,
+ ]);
+
+ var part739 = match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool has changed%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg430 = msg("00025", part739);
+
+ var part740 = match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{disposition->} to save the certificate authority configuration.", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg431 = msg("00025:01", part740);
+
+ var part741 = match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the X509 request file via e-mail", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg432 = msg("00025:02", part741);
+
+ var part742 = match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the CA configuration", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg433 = msg("00025:03", part742);
+
+ var part743 = match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certificates. The %{result}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg434 = msg("00025:04", part743);
+
+ var select171 = linear_select([
+ msg430,
+ msg431,
+ msg432,
+ msg433,
+ msg434,
+ ]);
+
+ var part744 = match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg435 = msg("00026", part744);
+
+ var part745 = match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on interface %{interface}", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg436 = msg("00026:13", part745);
+
+ var part746 = match("MESSAGE#434:00026:01/2", "nwparser.p0", "PKA key has been %{p0}");
+
+ var part747 = match("MESSAGE#434:00026:01/4", "nwparser.p0", "admin user %{administrator}. (Key ID = %{fld2})");
+
+ var all150 = all_match({
+ processors: [
+ dup195,
+ dup370,
+ part746,
+ dup371,
+ part747,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg437 = msg("00026:01", all150);
+
+ var part748 = match("MESSAGE#435:00026:02/1_0", "nwparser.p0", ": SCS %{p0}");
+
+ var select172 = linear_select([
+ part748,
+ dup96,
+ ]);
+
+ var part749 = match("MESSAGE#435:00026:02/2", "nwparser.p0", "has been %{disposition->} for %{p0}");
+
+ var part750 = match("MESSAGE#435:00026:02/3_0", "nwparser.p0", "root system %{p0}");
+
+ var part751 = match("MESSAGE#435:00026:02/3_1", "nwparser.p0", "%{interface->} %{p0}");
+
+ var select173 = linear_select([
+ part750,
+ part751,
+ ]);
+
+ var all151 = all_match({
+ processors: [
+ dup195,
+ select172,
+ part749,
+ select173,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg438 = msg("00026:02", all151);
+
+ var part752 = match("MESSAGE#436:00026:03/2", "nwparser.p0", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}");
+
+ var all152 = all_match({
+ processors: [
+ dup195,
+ dup370,
+ part752,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg439 = msg("00026:03", all152);
+
+ var part753 = match("MESSAGE#437:00026:04", "nwparser.payload", "SCS: Connection has been terminated for admin user %{administrator->} at %{hostip}:%{network_port}", processor_chain([
+ dup198,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg440 = msg("00026:04", part753);
+
+ var part754 = match("MESSAGE#438:00026:05", "nwparser.payload", "SCS: Host client has requested NO cipher from %{interface}", processor_chain([
+ dup198,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg441 = msg("00026:05", part754);
+
+ var part755 = match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using PKA RSA from %{saddr}:%{sport}. (key-ID=%{fld2}", processor_chain([
+ dup199,
+ dup29,
+ dup30,
+ dup31,
+ dup32,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg442 = msg("00026:06", part755);
+
+ var part756 = match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using password from %{saddr}:%{sport}.", processor_chain([
+ dup199,
+ dup29,
+ dup30,
+ dup31,
+ dup32,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg443 = msg("00026:07", part756);
+
+ var part757 = match("MESSAGE#441:00026:08/0", "nwparser.payload", "SSH user %{username->} has been authenticated using %{p0}");
+
+ var part758 = match("MESSAGE#441:00026:08/2", "nwparser.p0", "from %{saddr}:%{sport->} [ with key ID %{fld2->} ]");
+
+ var all153 = all_match({
+ processors: [
+ part757,
+ dup372,
+ part758,
+ ],
+ on_success: processor_chain([
+ dup199,
+ dup29,
+ dup30,
+ dup31,
+ dup32,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg444 = msg("00026:08", all153);
+
+ var part759 = match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interface->} with tunnel ID %{fld2->} received a packet with a bad SPI.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg445 = msg("00026:09", part759);
+
+ var part760 = match("MESSAGE#443:00026:10/0", "nwparser.payload", "SSH: %{p0}");
+
+ var part761 = match("MESSAGE#443:00026:10/1_0", "nwparser.p0", "Failed %{p0}");
+
+ var part762 = match("MESSAGE#443:00026:10/1_1", "nwparser.p0", "Attempt %{p0}");
+
+ var select174 = linear_select([
+ part761,
+ part762,
+ ]);
+
+ var part763 = match("MESSAGE#443:00026:10/3_0", "nwparser.p0", "bind duplicate %{p0}");
+
+ var select175 = linear_select([
+ part763,
+ dup201,
+ ]);
+
+ var part764 = match("MESSAGE#443:00026:10/6", "nwparser.p0", "admin user '%{administrator}' (Key ID %{fld2})");
+
+ var all154 = all_match({
+ processors: [
+ part760,
+ select174,
+ dup103,
+ select175,
+ dup202,
+ dup373,
+ part764,
+ ],
+ on_success: processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg446 = msg("00026:10", all154);
+
+ var part765 = match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA keys (%{fld2}) has been bound to user '%{username}' Key not bound. (Key ID %{fld3})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg447 = msg("00026:11", part765);
+
+ var part766 = match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg448 = msg("00026:12", part766);
+
+ var select176 = linear_select([
+ msg435,
+ msg436,
+ msg437,
+ msg438,
+ msg439,
+ msg440,
+ msg441,
+ msg442,
+ msg443,
+ msg444,
+ msg445,
+ msg446,
+ msg447,
+ msg448,
+ ]);
+
+ var part767 = match("MESSAGE#446:00027/2", "nwparser.p0", "user %{username->} from %{p0}");
+
+ var part768 = match("MESSAGE#446:00027/3_0", "nwparser.p0", "IP address %{saddr}:%{sport}");
+
+ var part769 = match("MESSAGE#446:00027/3_1", "nwparser.p0", "%{saddr}:%{sport}");
+
+ var part770 = match("MESSAGE#446:00027/3_2", "nwparser.p0", "console%{}");
+
+ var select177 = linear_select([
+ part768,
+ part769,
+ part770,
+ ]);
+
+ var all155 = all_match({
+ processors: [
+ dup204,
+ dup374,
+ part767,
+ select177,
+ ],
+ on_success: processor_chain([
+ dup206,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg449 = msg("00027", all155);
+
+ var part771 = match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}. %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg450 = msg("00027:01", part771);
+
+ var part772 = match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to %{change_new}. %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg451 = msg("00027:02", part772);
+
+ var part773 = match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}. %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg452 = msg("00027:03", part773);
+
+ var part774 = match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg453 = msg("00027:04", part774);
+
+ var part775 = match("MESSAGE#451:00027:05/0", "nwparser.payload", "ScreenOS %{version->} %{p0}");
+
+ var part776 = match("MESSAGE#451:00027:05/1_0", "nwparser.p0", "Serial %{p0}");
+
+ var part777 = match("MESSAGE#451:00027:05/1_1", "nwparser.p0", "serial %{p0}");
+
+ var select178 = linear_select([
+ part776,
+ part777,
+ ]);
+
+ var part778 = match("MESSAGE#451:00027:05/2", "nwparser.p0", "# %{fld2}: Asset recovery %{p0}");
+
+ var part779 = match("MESSAGE#451:00027:05/3_0", "nwparser.p0", "performed %{p0}");
+
+ var select179 = linear_select([
+ part779,
+ dup127,
+ ]);
+
+ var select180 = linear_select([
+ dup207,
+ dup208,
+ ]);
+
+ var all156 = all_match({
+ processors: [
+ part775,
+ select178,
+ part778,
+ select179,
+ dup23,
+ select180,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg454 = msg("00027:05", all156);
+
+ var part780 = match("MESSAGE#452:00027:06/0", "nwparser.payload", "Device Reset (Asset Recovery) has been %{p0}");
+
+ var select181 = linear_select([
+ dup208,
+ dup207,
+ ]);
+
+ var all157 = all_match({
+ processors: [
+ part780,
+ select181,
+ ],
+ on_success: processor_chain([
+ setc("eventcategory","1606000000"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg455 = msg("00027:06", all157);
+
+ var part781 = match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}. %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg456 = msg("00027:07", part781);
+
+ var part782 = match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been erased%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg457 = msg("00027:08", part782);
+
+ var part783 = match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due to expire in %{fld3}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg458 = msg("00027:09", part783);
+
+ var part784 = match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has expired.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg459 = msg("00027:10", part784);
+
+ var part785 = match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired after 30-day grace period.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg460 = msg("00027:11", part785);
+
+ var part786 = match("MESSAGE#458:00027:12/0", "nwparser.payload", "Request to retrieve license key failed to reach %{p0}");
+
+ var part787 = match("MESSAGE#458:00027:12/1_0", "nwparser.p0", "the server %{p0}");
+
+ var select182 = linear_select([
+ part787,
+ dup193,
+ ]);
+
+ var part788 = match("MESSAGE#458:00027:12/2", "nwparser.p0", "by %{fld2}. Server url: %{url}");
+
+ var all158 = all_match({
+ processors: [
+ part786,
+ select182,
+ part788,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg461 = msg("00027:12", all158);
+
+ var part789 = match("MESSAGE#459:00027:13/2", "nwparser.p0", "user %{username}");
+
+ var all159 = all_match({
+ processors: [
+ dup204,
+ dup374,
+ part789,
+ ],
+ on_success: processor_chain([
+ dup206,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg462 = msg("00027:13", all159);
+
+ var part790 = match("MESSAGE#460:00027:14/0", "nwparser.payload", "Configuration Erasure Process %{p0}");
+
+ var part791 = match("MESSAGE#460:00027:14/1_0", "nwparser.p0", "has been initiated %{p0}");
+
+ var part792 = match("MESSAGE#460:00027:14/1_1", "nwparser.p0", "aborted %{p0}");
+
+ var select183 = linear_select([
+ part791,
+ part792,
+ ]);
+
+ var part793 = match("MESSAGE#460:00027:14/2", "nwparser.p0", ".%{space}(%{fld1})");
+
+ var all160 = all_match({
+ processors: [
+ part790,
+ select183,
+ part793,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg463 = msg("00027:14", all160);
+
+ var part794 = match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg464 = msg("00027:15", part794);
+
+ var part795 = match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{policy_id->} name \"%{fld2->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg465 = msg("00027:16", part795);
+
+ var part796 = match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locked and will be unlocked after %{duration->} minutes (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg466 = msg("00027:17", part796);
+
+ var part797 = match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{username->} from %{saddr->} is refused as this account is locked (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg467 = msg("00027:18", part797);
+
+ var part798 = match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg468 = msg("00027:19", part798);
+
+ var select184 = linear_select([
+ msg449,
+ msg450,
+ msg451,
+ msg452,
+ msg453,
+ msg454,
+ msg455,
+ msg456,
+ msg457,
+ msg458,
+ msg459,
+ msg460,
+ msg461,
+ msg462,
+ msg463,
+ msg464,
+ msg465,
+ msg466,
+ msg467,
+ msg468,
+ ]);
+
+ var part799 = match("MESSAGE#462:00028/0_0", "nwparser.payload", "An Intruder%{p0}");
+
+ var part800 = match("MESSAGE#462:00028/0_1", "nwparser.payload", "Intruder%{p0}");
+
+ var part801 = match("MESSAGE#462:00028/0_2", "nwparser.payload", "An intruter%{p0}");
+
+ var select185 = linear_select([
+ part799,
+ part800,
+ part801,
+ ]);
+
+ var part802 = match("MESSAGE#462:00028/1", "nwparser.p0", "%{}has attempted to connect to the NetScreen-Global PRO port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times");
+
+ var all161 = all_match({
+ processors: [
+ select185,
+ part802,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ setc("signame","Attempt to Connect to the NetScreen-Global Port"),
+ ]),
+ });
+
+ var msg469 = msg("00028", all161);
+
+ var part803 = match("MESSAGE#463:00029", "nwparser.payload", "DNS has been refreshed%{}", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg470 = msg("00029", part803);
+
+ var part804 = match("MESSAGE#464:00029:01", "nwparser.payload", "DHCP file write: out of memory.%{}", processor_chain([
+ dup184,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg471 = msg("00029:01", part804);
+
+ var part805 = match("MESSAGE#465:00029:02/0", "nwparser.payload", "The DHCP process cannot open file %{fld2->} to %{p0}");
+
+ var part806 = match("MESSAGE#465:00029:02/1_0", "nwparser.p0", "read %{p0}");
+
+ var part807 = match("MESSAGE#465:00029:02/1_1", "nwparser.p0", "write %{p0}");
+
+ var select186 = linear_select([
+ part806,
+ part807,
+ ]);
+
+ var part808 = match("MESSAGE#465:00029:02/2", "nwparser.p0", "data.%{}");
+
+ var all162 = all_match({
+ processors: [
+ part805,
+ select186,
+ part808,
+ ],
+ on_success: processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg472 = msg("00029:02", all162);
+
+ var part809 = match("MESSAGE#466:00029:03/2", "nwparser.p0", "%{} %{interface->} is full. Unable to %{p0}");
+
+ var part810 = match("MESSAGE#466:00029:03/3_0", "nwparser.p0", "commit %{p0}");
+
+ var part811 = match("MESSAGE#466:00029:03/3_1", "nwparser.p0", "offer %{p0}");
+
+ var select187 = linear_select([
+ part810,
+ part811,
+ ]);
+
+ var part812 = match("MESSAGE#466:00029:03/4", "nwparser.p0", "IP address to client at %{fld2}");
+
+ var all163 = all_match({
+ processors: [
+ dup210,
+ dup337,
+ part809,
+ select187,
+ part812,
+ ],
+ on_success: processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg473 = msg("00029:03", all163);
+
+ var part813 = match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{interface->} (another server found on %{hostip}).", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg474 = msg("00029:04", part813);
+
+ var select188 = linear_select([
+ msg470,
+ msg471,
+ msg472,
+ msg473,
+ msg474,
+ ]);
+
+ var part814 = match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg475 = msg("00030", part814);
+
+ var part815 = match("MESSAGE#469:00030:01/0", "nwparser.payload", "DSS checking of CRLs has been changed from %{p0}");
+
+ var part816 = match("MESSAGE#469:00030:01/1_0", "nwparser.p0", "0 to 1%{}");
+
+ var part817 = match("MESSAGE#469:00030:01/1_1", "nwparser.p0", "1 to 0%{}");
+
+ var select189 = linear_select([
+ part816,
+ part817,
+ ]);
+
+ var all164 = all_match({
+ processors: [
+ part815,
+ select189,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg476 = msg("00030:01", all164);
+
+ var part818 = match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg477 = msg("00030:05", part818);
+
+ var part819 = match("MESSAGE#471:00030:06", "nwparser.payload", "In the X509 certificate request the %{fld2->} field has been changed from %{fld3}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg478 = msg("00030:06", part819);
+
+ var part820 = match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be loaded%{}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg479 = msg("00030:07", part820);
+
+ var part821 = match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate cannot be generated%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg480 = msg("00030:10", part821);
+
+ var part822 = match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS image has successfully been updated%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg481 = msg("00030:12", part822);
+
+ var part823 = match("MESSAGE#475:00030:13/0", "nwparser.payload", "The public key used for ScreenOS image authentication cannot be %{p0}");
+
+ var part824 = match("MESSAGE#475:00030:13/1_0", "nwparser.p0", "decoded%{}");
+
+ var part825 = match("MESSAGE#475:00030:13/1_1", "nwparser.p0", "loaded%{}");
+
+ var select190 = linear_select([
+ part824,
+ part825,
+ ]);
+
+ var all165 = all_match({
+ processors: [
+ part823,
+ select190,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg482 = msg("00030:13", all165);
+
+ var part826 = match("MESSAGE#476:00030:14/1_0", "nwparser.p0", "CA IDENT %{p0}");
+
+ var part827 = match("MESSAGE#476:00030:14/1_1", "nwparser.p0", "Challenge password %{p0}");
+
+ var part828 = match("MESSAGE#476:00030:14/1_2", "nwparser.p0", "CA CGI URL %{p0}");
+
+ var part829 = match("MESSAGE#476:00030:14/1_3", "nwparser.p0", "RA CGI URL %{p0}");
+
+ var select191 = linear_select([
+ part826,
+ part827,
+ part828,
+ part829,
+ ]);
+
+ var part830 = match("MESSAGE#476:00030:14/2", "nwparser.p0", "for SCEP %{p0}");
+
+ var part831 = match("MESSAGE#476:00030:14/3_0", "nwparser.p0", "requests %{p0}");
+
+ var select192 = linear_select([
+ part831,
+ dup16,
+ ]);
+
+ var part832 = match("MESSAGE#476:00030:14/4", "nwparser.p0", "has been changed from %{change_old->} to %{change_new}");
+
+ var all166 = all_match({
+ processors: [
+ dup55,
+ select191,
+ part830,
+ select192,
+ part832,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg483 = msg("00030:14", all166);
+
+ var msg484 = msg("00030:02", dup375);
+
+ var part833 = match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS image authentication is invalid%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg485 = msg("00030:15", part833);
+
+ var part834 = match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been deleted%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg486 = msg("00030:16", part834);
+
+ var part835 = match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accept per config DN %{interface}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg487 = msg("00030:18", part835);
+
+ var part836 = match("MESSAGE#481:00030:19/0", "nwparser.payload", "PKI: A configurable item %{change_attribute->} %{p0}");
+
+ var part837 = match("MESSAGE#481:00030:19/1_0", "nwparser.p0", "mode %{p0}");
+
+ var part838 = match("MESSAGE#481:00030:19/1_1", "nwparser.p0", "field%{p0}");
+
+ var select193 = linear_select([
+ part837,
+ part838,
+ ]);
+
+ var part839 = match("MESSAGE#481:00030:19/2", "nwparser.p0", "%{}has changed from %{change_old->} to %{change_new}");
+
+ var all167 = all_match({
+ processors: [
+ part836,
+ select193,
+ part839,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg488 = msg("00030:19", all167);
+
+ var part840 = match("MESSAGE#482:00030:30", "nwparser.payload", "PKI: NSRP cold sync start for total of %{fld2->} items.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg489 = msg("00030:30", part840);
+
+ var part841 = match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} out of order expect %{fld3->} of %{fld4}.", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg490 = msg("00030:31", part841);
+
+ var part842 = match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} without first item.", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg491 = msg("00030:32", part842);
+
+ var part843 = match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received normal item during cold sync.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg492 = msg("00030:33", part843);
+
+ var part844 = match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} is deleted.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg493 = msg("00030:34", part844);
+
+ var part845 = match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availability synchronization %{fld2->} failed.", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg494 = msg("00030:35", part845);
+
+ var part846 = match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute->} has changed from %{change_old->} to %{change_new}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg495 = msg("00030:36", part846);
+
+ var part847 = match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate for the ScreenOS image authentication is invalid.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg496 = msg("00030:37", part847);
+
+ var part848 = match("MESSAGE#490:00030:38", "nwparser.payload", "PKI: The X.509 local certificate cannot be sync to vsd member.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg497 = msg("00030:38", part848);
+
+ var part849 = match("MESSAGE#491:00030:39/0", "nwparser.payload", "PKI: The X.509 certificate %{p0}");
+
+ var part850 = match("MESSAGE#491:00030:39/1_0", "nwparser.p0", "revocation list %{p0}");
+
+ var select194 = linear_select([
+ part850,
+ dup16,
+ ]);
+
+ var part851 = match("MESSAGE#491:00030:39/2", "nwparser.p0", "cannot be loaded during NSRP synchronization.%{}");
+
+ var all168 = all_match({
+ processors: [
+ part849,
+ select194,
+ part851,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg498 = msg("00030:39", all168);
+
+ var part852 = match("MESSAGE#492:00030:17/0", "nwparser.payload", "X509 %{p0}");
+
+ var part853 = match("MESSAGE#492:00030:17/2", "nwparser.p0", "cannot be loaded%{}");
+
+ var all169 = all_match({
+ processors: [
+ part852,
+ dup376,
+ part853,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg499 = msg("00030:17", all169);
+
+ var part854 = match("MESSAGE#493:00030:40/0", "nwparser.payload", "PKI: The certificate %{fld2->} will expire %{p0}");
+
+ var part855 = match("MESSAGE#493:00030:40/1_1", "nwparser.p0", "please %{p0}");
+
+ var select195 = linear_select([
+ dup214,
+ part855,
+ ]);
+
+ var part856 = match("MESSAGE#493:00030:40/2", "nwparser.p0", "renew.%{}");
+
+ var all170 = all_match({
+ processors: [
+ part854,
+ select195,
+ part856,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg500 = msg("00030:40", all170);
+
+ var part857 = match("MESSAGE#494:00030:41", "nwparser.payload", "PKI: The certificate revocation list has expired issued by certificate authority %{fld2}.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg501 = msg("00030:41", part857);
+
+ var part858 = match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration content of certificate authority %{fld2->} is not valid.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg502 = msg("00030:42", part858);
+
+ var part859 = match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot allocate this object id number %{fld2}.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg503 = msg("00030:43", part859);
+
+ var part860 = match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg504 = msg("00030:44", part860);
+
+ var part861 = match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find the PKI object %{fld2->} during cold sync.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg505 = msg("00030:45", part861);
+
+ var part862 = match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X.509 certificate onto the device certificate %{fld2}.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg506 = msg("00030:46", part862);
+
+ var part863 = match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a certificate pending SCEP completion.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg507 = msg("00030:47", part863);
+
+ var part864 = match("MESSAGE#501:00030:48", "nwparser.payload", "PKI: The device cannot load an X.509 certificate revocation list (CRL).%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg508 = msg("00030:48", part864);
+
+ var part865 = match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load the CA certificate received through SCEP.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg509 = msg("00030:49", part865);
+
+ var part866 = match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg510 = msg("00030:50", part866);
+
+ var part867 = match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load the X.509 local certificate received through SCEP.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg511 = msg("00030:51", part867);
+
+ var part868 = match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load the X.509 %{product->} during boot.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg512 = msg("00030:52", part868);
+
+ var part869 = match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load the X.509 certificate file.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg513 = msg("00030:53", part869);
+
+ var part870 = match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the coldsync of the PKI object at %{fld2->} attempt.", processor_chain([
+ dup44,
+ dup211,
+ dup31,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg514 = msg("00030:54", part870);
+
+ var part871 = match("MESSAGE#508:00030:55/0", "nwparser.payload", "PKI: The device could not generate %{p0}");
+
+ var all171 = all_match({
+ processors: [
+ part871,
+ dup377,
+ dup217,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg515 = msg("00030:55", all171);
+
+ var part872 = match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an invalid RSA key.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg516 = msg("00030:56", part872);
+
+ var part873 = match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an invalid digital signature algorithm (DSA) key.%{}", processor_chain([
+ dup35,
+ dup218,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg517 = msg("00030:57", part873);
+
+ var part874 = match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to coldsync the PKI object at %{fld2->} attempt.", processor_chain([
+ dup86,
+ dup218,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg518 = msg("00030:58", part874);
+
+ var part875 = match("MESSAGE#512:00030:59", "nwparser.payload", "PKI: The device failed to decode the public key of the image%{quote}s signer certificate.", processor_chain([
+ dup35,
+ dup218,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg519 = msg("00030:59", part875);
+
+ var part876 = match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to install the RSA key.%{}", processor_chain([
+ dup35,
+ dup218,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg520 = msg("00030:60", part876);
+
+ var part877 = match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to retrieve the pending certificate %{fld2}.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg521 = msg("00030:61", part877);
+
+ var part878 = match("MESSAGE#515:00030:62", "nwparser.payload", "PKI: The device failed to save the certificate authority related configuration.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg522 = msg("00030:62", part878);
+
+ var part879 = match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to store the authority configuration.%{}", processor_chain([
+ dup18,
+ dup219,
+ dup51,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg523 = msg("00030:63", part879);
+
+ var part880 = match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.%{}", processor_chain([
+ dup18,
+ dup218,
+ dup51,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg524 = msg("00030:64", part880);
+
+ var part881 = match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.%{}", processor_chain([
+ dup18,
+ dup218,
+ dup51,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg525 = msg("00030:65", part881);
+
+ var part882 = match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected an invalid X.509 object attribute %{fld2}.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg526 = msg("00030:66", part882);
+
+ var part883 = match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected invalid X.509 object content.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg527 = msg("00030:67", part883);
+
+ var part884 = match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to load an invalid X.509 object.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg528 = msg("00030:68", part884);
+
+ var part885 = match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading the version 0 PKI data.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg529 = msg("00030:69", part885);
+
+ var part886 = match("MESSAGE#523:00030:70/0", "nwparser.payload", "PKI: The device successfully generated a new %{p0}");
+
+ var all172 = all_match({
+ processors: [
+ part886,
+ dup377,
+ dup217,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg530 = msg("00030:70", all172);
+
+ var part887 = match("MESSAGE#524:00030:71", "nwparser.payload", "PKI: The public key of image%{quote}s signer has been loaded successfully, for future image authentication.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg531 = msg("00030:71", part887);
+
+ var part888 = match("MESSAGE#525:00030:72", "nwparser.payload", "PKI: The signature of the image%{quote}s signer certificate cannot be verified.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg532 = msg("00030:72", part888);
+
+ var part889 = match("MESSAGE#526:00030:73/0", "nwparser.payload", "PKI: The %{p0}");
+
+ var part890 = match("MESSAGE#526:00030:73/1_0", "nwparser.p0", "file name %{p0}");
+
+ var part891 = match("MESSAGE#526:00030:73/1_1", "nwparser.p0", "friendly name of a certificate %{p0}");
+
+ var part892 = match("MESSAGE#526:00030:73/1_2", "nwparser.p0", "vsys name %{p0}");
+
+ var select196 = linear_select([
+ part890,
+ part891,
+ part892,
+ ]);
+
+ var part893 = match("MESSAGE#526:00030:73/2", "nwparser.p0", "is too long %{fld2->} to do NSRP synchronization allowed %{fld3}.");
+
+ var all173 = all_match({
+ processors: [
+ part889,
+ select196,
+ part893,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg533 = msg("00030:73", all173);
+
+ var part894 = match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier version save to file.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg534 = msg("00030:74", part894);
+
+ var part895 = match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has been deleted distinguished name %{username}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg535 = msg("00030:75", part895);
+
+ var part896 = match("MESSAGE#529:00030:76/0", "nwparser.payload", "PKI: X.509 %{p0}");
+
+ var part897 = match("MESSAGE#529:00030:76/2", "nwparser.p0", "file has been loaded successfully filename %{fld2}.");
+
+ var all174 = all_match({
+ processors: [
+ part896,
+ dup376,
+ part897,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg536 = msg("00030:76", all174);
+
+ var part898 = match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA key.%{}", processor_chain([
+ dup18,
+ dup218,
+ dup51,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg537 = msg("00030:77", part898);
+
+ var part899 = match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when requesting certificate.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup220,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg538 = msg("00030:78", part899);
+
+ var part900 = match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check per config DN %{username}.", processor_chain([
+ dup35,
+ dup211,
+ dup220,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg539 = msg("00030:79", part900);
+
+ var part901 = match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 objects.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg540 = msg("00030:80", part901);
+
+ var part902 = match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject name %{fld2->} is deleted.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg541 = msg("00030:81", part902);
+
+ var part903 = match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{fld2}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg542 = msg("00030:82", part903);
+
+ var part904 = match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire authcfg for this CA cert %{fld2}.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg543 = msg("00030:83", part904);
+
+ var part905 = match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg from global.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg544 = msg("00030:84", part905);
+
+ var part906 = match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is high (%{fld2->} alarm threshold: %{trigger_val}) %{info}", processor_chain([
+ setc("eventcategory","1603080000"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg545 = msg("00030:85", part906);
+
+ var part907 = match("MESSAGE#539:00030:86/2", "nwparser.p0", "Pair-wise invoked by started after key generation. (%{fld1})");
+
+ var all175 = all_match({
+ processors: [
+ dup221,
+ dup378,
+ part907,
+ ],
+ on_success: processor_chain([
+ dup223,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg546 = msg("00030:86", all175);
+
+ var part908 = match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is high (%{fld2->} > %{fld3->} ) %{fld4->} times in %{fld5->} minute (%{fld1})\u003c\u003c%{fld6}>", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg547 = msg("00030:87", part908);
+
+ var part909 = match("MESSAGE#1217:00030:88/2", "nwparser.p0", "Pair-wise invoked by passed. (%{fld1})\u003c\u003c%{fld6}>");
+
+ var all176 = all_match({
+ processors: [
+ dup221,
+ dup378,
+ part909,
+ ],
+ on_success: processor_chain([
+ dup223,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg548 = msg("00030:88", all176);
+
+ var select197 = linear_select([
+ msg475,
+ msg476,
+ msg477,
+ msg478,
+ msg479,
+ msg480,
+ msg481,
+ msg482,
+ msg483,
+ msg484,
+ msg485,
+ msg486,
+ msg487,
+ msg488,
+ msg489,
+ msg490,
+ msg491,
+ msg492,
+ msg493,
+ msg494,
+ msg495,
+ msg496,
+ msg497,
+ msg498,
+ msg499,
+ msg500,
+ msg501,
+ msg502,
+ msg503,
+ msg504,
+ msg505,
+ msg506,
+ msg507,
+ msg508,
+ msg509,
+ msg510,
+ msg511,
+ msg512,
+ msg513,
+ msg514,
+ msg515,
+ msg516,
+ msg517,
+ msg518,
+ msg519,
+ msg520,
+ msg521,
+ msg522,
+ msg523,
+ msg524,
+ msg525,
+ msg526,
+ msg527,
+ msg528,
+ msg529,
+ msg530,
+ msg531,
+ msg532,
+ msg533,
+ msg534,
+ msg535,
+ msg536,
+ msg537,
+ msg538,
+ msg539,
+ msg540,
+ msg541,
+ msg542,
+ msg543,
+ msg544,
+ msg545,
+ msg546,
+ msg547,
+ msg548,
+ ]);
+
+ var part910 = match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP address %{hostip->} changed from %{sinterface->} to interface %{dinterface->} (%{fld1})", processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg549 = msg("00031:13", part910);
+
+ var part911 = match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg550 = msg("00031", part911);
+
+ var part912 = match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg551 = msg("00031:01", part912);
+
+ var part913 = match("MESSAGE#543:00031:02/0", "nwparser.payload", "SNMP community %{fld2->} attributes-write access %{p0}");
+
+ var part914 = match("MESSAGE#543:00031:02/2", "nwparser.p0", "; receive traps %{p0}");
+
+ var part915 = match("MESSAGE#543:00031:02/4", "nwparser.p0", "; receive traffic alarms %{p0}");
+
+ var part916 = match("MESSAGE#543:00031:02/6", "nwparser.p0", "-have been modified%{}");
+
+ var all177 = all_match({
+ processors: [
+ part913,
+ dup379,
+ part914,
+ dup379,
+ part915,
+ dup379,
+ part916,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg552 = msg("00031:02", all177);
+
+ var part917 = match("MESSAGE#544:00031:03/0", "nwparser.payload", "%{fld2->} SNMP host %{hostip->} has been %{p0}");
+
+ var select198 = linear_select([
+ dup130,
+ dup129,
+ ]);
+
+ var part918 = match("MESSAGE#544:00031:03/2", "nwparser.p0", "SNMP community %{fld3}");
+
+ var all178 = all_match({
+ processors: [
+ part917,
+ select198,
+ part918,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg553 = msg("00031:03", all178);
+
+ var part919 = match("MESSAGE#545:00031:04/0", "nwparser.payload", "SNMP %{p0}");
+
+ var part920 = match("MESSAGE#545:00031:04/1_0", "nwparser.p0", "contact %{p0}");
+
+ var select199 = linear_select([
+ part920,
+ dup226,
+ ]);
+
+ var part921 = match("MESSAGE#545:00031:04/2", "nwparser.p0", "description has been modified%{}");
+
+ var all179 = all_match({
+ processors: [
+ part919,
+ select199,
+ part921,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg554 = msg("00031:04", all179);
+
+ var part922 = match("MESSAGE#546:00031:11/0", "nwparser.payload", "SNMP system %{p0}");
+
+ var select200 = linear_select([
+ dup226,
+ dup25,
+ ]);
+
+ var part923 = match("MESSAGE#546:00031:11/2", "nwparser.p0", "has been changed to %{fld2}. (%{fld1})");
+
+ var all180 = all_match({
+ processors: [
+ part922,
+ select200,
+ part923,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg555 = msg("00031:11", all180);
+
+ var part924 = match("MESSAGE#547:00031:08/0", "nwparser.payload", "%{fld2}: SNMP community name \"%{fld3}\" %{p0}");
+
+ var part925 = match("MESSAGE#547:00031:08/1_0", "nwparser.p0", "attributes -- %{p0}");
+
+ var part926 = match("MESSAGE#547:00031:08/1_1", "nwparser.p0", "-- %{p0}");
+
+ var select201 = linear_select([
+ part925,
+ part926,
+ ]);
+
+ var part927 = match("MESSAGE#547:00031:08/2", "nwparser.p0", "write access, %{p0}");
+
+ var part928 = match("MESSAGE#547:00031:08/4", "nwparser.p0", "; receive traps, %{p0}");
+
+ var part929 = match("MESSAGE#547:00031:08/6", "nwparser.p0", "; receive traffic alarms, %{p0}");
+
+ var part930 = match("MESSAGE#547:00031:08/8", "nwparser.p0", "-%{p0}");
+
+ var part931 = match("MESSAGE#547:00031:08/9_0", "nwparser.p0", "- %{p0}");
+
+ var select202 = linear_select([
+ part931,
+ dup96,
+ ]);
+
+ var part932 = match("MESSAGE#547:00031:08/10", "nwparser.p0", "have been modified%{}");
+
+ var all181 = all_match({
+ processors: [
+ part924,
+ select201,
+ part927,
+ dup379,
+ part928,
+ dup379,
+ part929,
+ dup379,
+ part930,
+ select202,
+ part932,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg556 = msg("00031:08", all181);
+
+ var part933 = match("MESSAGE#548:00031:05/0", "nwparser.payload", "Detect IP conflict (%{fld2}) on %{p0}");
+
+ var all182 = all_match({
+ processors: [
+ part933,
+ dup337,
+ dup227,
+ ],
+ on_success: processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg557 = msg("00031:05", all182);
+
+ var part934 = match("MESSAGE#549:00031:06/1_0", "nwparser.p0", "q, %{p0}");
+
+ var select203 = linear_select([
+ part934,
+ dup229,
+ dup230,
+ ]);
+
+ var part935 = match("MESSAGE#549:00031:06/2", "nwparser.p0", "detect IP conflict ( %{hostip->} )%{p0}");
+
+ var select204 = linear_select([
+ dup105,
+ dup96,
+ ]);
+
+ var part936 = match("MESSAGE#549:00031:06/4", "nwparser.p0", "mac%{p0}");
+
+ var part937 = match("MESSAGE#549:00031:06/6", "nwparser.p0", "%{macaddr->} on %{p0}");
+
+ var all183 = all_match({
+ processors: [
+ dup228,
+ select203,
+ part935,
+ select204,
+ part936,
+ dup356,
+ part937,
+ dup352,
+ dup23,
+ dup380,
+ ],
+ on_success: processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg558 = msg("00031:06", all183);
+
+ var part938 = match("MESSAGE#550:00031:07/2", "nwparser.p0", "detects a duplicate virtual security device group master IP address %{hostip}, MAC address %{macaddr->} on %{p0}");
+
+ var all184 = all_match({
+ processors: [
+ dup228,
+ dup381,
+ part938,
+ dup337,
+ dup227,
+ ],
+ on_success: processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg559 = msg("00031:07", all184);
+
+ var part939 = match("MESSAGE#551:00031:09/2", "nwparser.p0", "detected an IP conflict (IP %{hostip}, MAC %{macaddr}) on interface %{p0}");
+
+ var all185 = all_match({
+ processors: [
+ dup228,
+ dup381,
+ part939,
+ dup380,
+ ],
+ on_success: processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg560 = msg("00031:09", all185);
+
+ var part940 = match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{fld3}\" has been moved. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg561 = msg("00031:10", part940);
+
+ var part941 = match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has been changed to %{fld3}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg562 = msg("00031:12", part941);
+
+ var select205 = linear_select([
+ msg549,
+ msg550,
+ msg551,
+ msg552,
+ msg553,
+ msg554,
+ msg555,
+ msg556,
+ msg557,
+ msg558,
+ msg559,
+ msg560,
+ msg561,
+ msg562,
+ ]);
+
+ var part942 = match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg563 = msg("00032", part942);
+
+ var part943 = match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg564 = msg("00032:01", part943);
+
+ var part944 = match("MESSAGE#556:00032:03/0", "nwparser.payload", "Vsys %{fld2->} has been %{p0}");
+
+ var part945 = match("MESSAGE#556:00032:03/1_0", "nwparser.p0", "changed to %{fld3}");
+
+ var part946 = match("MESSAGE#556:00032:03/1_1", "nwparser.p0", "created%{}");
+
+ var part947 = match("MESSAGE#556:00032:03/1_2", "nwparser.p0", "deleted%{}");
+
+ var part948 = match("MESSAGE#556:00032:03/1_3", "nwparser.p0", "removed%{}");
+
+ var select206 = linear_select([
+ part945,
+ part946,
+ part947,
+ part948,
+ ]);
+
+ var all186 = all_match({
+ processors: [
+ part944,
+ select206,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg565 = msg("00032:03", all186);
+
+ var part949 = match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup61,
+ ]));
+
+ var msg566 = msg("00032:04", part949);
+
+ var part950 = match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsys %{fld2->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg567 = msg("00032:05", part950);
+
+ var msg568 = msg("00032:02", dup375);
+
+ var select207 = linear_select([
+ msg563,
+ msg564,
+ msg565,
+ msg566,
+ msg567,
+ msg568,
+ ]);
+
+ var part951 = match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ setc("agent","NSM"),
+ ]));
+
+ var msg569 = msg("00033:25", part951);
+
+ var part952 = match("MESSAGE#561:00033/1", "nwparser.p0", "timeout value has been %{p0}");
+
+ var part953 = match("MESSAGE#561:00033/2_1", "nwparser.p0", "returned%{p0}");
+
+ var select208 = linear_select([
+ dup52,
+ part953,
+ ]);
+
+ var part954 = match("MESSAGE#561:00033/3", "nwparser.p0", "%{}to %{fld2}");
+
+ var all187 = all_match({
+ processors: [
+ dup382,
+ part952,
+ select208,
+ part954,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg570 = msg("00033", all187);
+
+ var part955 = match("MESSAGE#562:00033:03/1_0", "nwparser.p0", "Global PRO %{p0}");
+
+ var part956 = match("MESSAGE#562:00033:03/1_1", "nwparser.p0", "%{fld3->} %{p0}");
+
+ var select209 = linear_select([
+ part955,
+ part956,
+ ]);
+
+ var part957 = match("MESSAGE#562:00033:03/4", "nwparser.p0", "host has been set to %{fld4}");
+
+ var all188 = all_match({
+ processors: [
+ dup160,
+ select209,
+ dup23,
+ dup369,
+ part957,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg571 = msg("00033:03", all188);
+
+ var part958 = match("MESSAGE#563:00033:02/3", "nwparser.p0", "host has been %{disposition}");
+
+ var all189 = all_match({
+ processors: [
+ dup382,
+ dup23,
+ dup369,
+ part958,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg572 = msg("00033:02", all189);
+
+ var part959 = match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{fld3->} has been %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg573 = msg("00033:04", part959);
+
+ var part960 = match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg574 = msg("00033:05", part960);
+
+ var part961 = match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg575 = msg("00033:06", part961);
+
+ var part962 = match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The threshold was exceeded %{dclass_counter1->} times", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ setc("dclass_counter1_string","Number of times the threshold was exceeded"),
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg576 = msg("00033:01", part962);
+
+ var part963 = match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{service->} has been %{disposition->} from %{fld2->} distribution", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg577 = msg("00033:07", part963);
+
+ var part964 = match("MESSAGE#569:00033:08/2", "nwparser.p0", "?s CA certificate field has not been specified.%{}");
+
+ var all190 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part964,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg578 = msg("00033:08", all190);
+
+ var part965 = match("MESSAGE#570:00033:09/2", "nwparser.p0", "?s Cert-Subject field has not been specified.%{}");
+
+ var all191 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part965,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg579 = msg("00033:09", all191);
+
+ var part966 = match("MESSAGE#571:00033:10/2", "nwparser.p0", "?s host field has been %{p0}");
+
+ var part967 = match("MESSAGE#571:00033:10/3_0", "nwparser.p0", "set to %{fld2->} %{p0}");
+
+ var select210 = linear_select([
+ part967,
+ dup238,
+ ]);
+
+ var all192 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part966,
+ select210,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg580 = msg("00033:10", all192);
+
+ var part968 = match("MESSAGE#572:00033:11/2", "nwparser.p0", "?s outgoing interface used to report NACN to Policy Manager %{p0}");
+
+ var part969 = match("MESSAGE#572:00033:11/4", "nwparser.p0", "has not been specified.%{}");
+
+ var all193 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part968,
+ dup383,
+ part969,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg581 = msg("00033:11", all193);
+
+ var part970 = match("MESSAGE#573:00033:12/2", "nwparser.p0", "?s password field has been %{p0}");
+
+ var select211 = linear_select([
+ dup101,
+ dup238,
+ ]);
+
+ var all194 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part970,
+ select211,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg582 = msg("00033:12", all194);
+
+ var part971 = match("MESSAGE#574:00033:13/2", "nwparser.p0", "?s policy-domain field has been %{p0}");
+
+ var part972 = match("MESSAGE#574:00033:13/3_0", "nwparser.p0", "unset .%{}");
+
+ var part973 = match("MESSAGE#574:00033:13/3_1", "nwparser.p0", "set to %{domain}.");
+
+ var select212 = linear_select([
+ part972,
+ part973,
+ ]);
+
+ var all195 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part971,
+ select212,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg583 = msg("00033:13", all195);
+
+ var part974 = match("MESSAGE#575:00033:14/2", "nwparser.p0", "?s CA certificate field has been set to %{fld2}.");
+
+ var all196 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part974,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg584 = msg("00033:14", all196);
+
+ var part975 = match("MESSAGE#576:00033:15/2", "nwparser.p0", "?s Cert-Subject field has been set to %{fld2}.");
+
+ var all197 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part975,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg585 = msg("00033:15", all197);
+
+ var part976 = match("MESSAGE#577:00033:16/2", "nwparser.p0", "?s outgoing-interface field has been set to %{interface}.");
+
+ var all198 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part976,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg586 = msg("00033:16", all198);
+
+ var part977 = match("MESSAGE#578:00033:17/2", "nwparser.p0", "?s port field has been %{p0}");
+
+ var part978 = match("MESSAGE#578:00033:17/3_0", "nwparser.p0", "set to %{network_port->} %{p0}");
+
+ var part979 = match("MESSAGE#578:00033:17/3_1", "nwparser.p0", "reset to the default value %{p0}");
+
+ var select213 = linear_select([
+ part978,
+ part979,
+ ]);
+
+ var all199 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part977,
+ select213,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg587 = msg("00033:17", all199);
+
+ var part980 = match("MESSAGE#579:00033:19/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{p0}");
+
+ var part981 = match("MESSAGE#579:00033:19/4", "nwparser.p0", "%{fld99}arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.");
+
+ var all200 = all_match({
+ processors: [
+ part980,
+ dup339,
+ dup70,
+ dup340,
+ part981,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup59,
+ dup61,
+ ]),
+ });
+
+ var msg588 = msg("00033:19", all200);
+
+ var part982 = match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.", processor_chain([
+ dup27,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup59,
+ dup60,
+ ]));
+
+ var msg589 = msg("00033:20", part982);
+
+ var all201 = all_match({
+ processors: [
+ dup239,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup9,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg590 = msg("00033:21", all201);
+
+ var part983 = match("MESSAGE#582:00033:22/0", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var all202 = all_match({
+ processors: [
+ part983,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup9,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg591 = msg("00033:22", all202);
+
+ var part984 = match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name %{hostname->} was set: addr %{hostip}, port %{network_port}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg592 = msg("00033:23", part984);
+
+ var part985 = match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{info}. (%{fld1})", processor_chain([
+ setc("eventcategory","1001030500"),
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg593 = msg("00033:24", part985);
+
+ var select214 = linear_select([
+ msg569,
+ msg570,
+ msg571,
+ msg572,
+ msg573,
+ msg574,
+ msg575,
+ msg576,
+ msg577,
+ msg578,
+ msg579,
+ msg580,
+ msg581,
+ msg582,
+ msg583,
+ msg584,
+ msg585,
+ msg586,
+ msg587,
+ msg588,
+ msg589,
+ msg590,
+ msg591,
+ msg592,
+ msg593,
+ ]);
+
+ var part986 = match("MESSAGE#585:00034/0_0", "nwparser.payload", "SCS: Failed %{p0}");
+
+ var part987 = match("MESSAGE#585:00034/0_1", "nwparser.payload", "Failed %{p0}");
+
+ var select215 = linear_select([
+ part986,
+ part987,
+ ]);
+
+ var part988 = match("MESSAGE#585:00034/2_0", "nwparser.p0", "bind %{p0}");
+
+ var part989 = match("MESSAGE#585:00034/2_2", "nwparser.p0", "retrieve %{p0}");
+
+ var select216 = linear_select([
+ part988,
+ dup201,
+ part989,
+ ]);
+
+ var select217 = linear_select([
+ dup196,
+ dup103,
+ dup163,
+ ]);
+
+ var part990 = match("MESSAGE#585:00034/5", "nwparser.p0", "SSH user %{username}. (Key ID=%{fld2})");
+
+ var all203 = all_match({
+ processors: [
+ select215,
+ dup103,
+ select216,
+ dup202,
+ select217,
+ part990,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg594 = msg("00034", all203);
+
+ var part991 = match("MESSAGE#586:00034:01/0_0", "nwparser.payload", "SCS: Incompatible %{p0}");
+
+ var part992 = match("MESSAGE#586:00034:01/0_1", "nwparser.payload", "Incompatible %{p0}");
+
+ var select218 = linear_select([
+ part991,
+ part992,
+ ]);
+
+ var part993 = match("MESSAGE#586:00034:01/1", "nwparser.p0", "SSH version %{version->} has been received from %{p0}");
+
+ var part994 = match("MESSAGE#586:00034:01/2_0", "nwparser.p0", "the SSH %{p0}");
+
+ var select219 = linear_select([
+ part994,
+ dup241,
+ ]);
+
+ var part995 = match("MESSAGE#586:00034:01/3", "nwparser.p0", "client at %{saddr}:%{sport}");
+
+ var all204 = all_match({
+ processors: [
+ select218,
+ part993,
+ select219,
+ part995,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg595 = msg("00034:01", all204);
+
+ var part996 = match("MESSAGE#587:00034:02", "nwparser.payload", "Maximum number of SCS sessions %{fld2->} has been reached. Connection request from SSH user %{username->} at %{saddr}:%{sport->} has been %{disposition}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg596 = msg("00034:02", part996);
+
+ var part997 = match("MESSAGE#588:00034:03/1", "nwparser.p0", "device failed to authenticate the SSH client at %{saddr}:%{sport}");
+
+ var all205 = all_match({
+ processors: [
+ dup384,
+ part997,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg597 = msg("00034:03", all205);
+
+ var part998 = match("MESSAGE#589:00034:04", "nwparser.payload", "SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user %{username->} at %{saddr}:%{sport}. (Key ID=%{fld2})", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg598 = msg("00034:04", part998);
+
+ var part999 = match("MESSAGE#590:00034:05", "nwparser.payload", "NetScreen device failed to generate a PKA RSA challenge for SSH user %{username}. (Key ID=%{fld2})", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg599 = msg("00034:05", part999);
+
+ var part1000 = match("MESSAGE#591:00034:06/1", "nwparser.p0", "device failed to %{p0}");
+
+ var part1001 = match("MESSAGE#591:00034:06/2_0", "nwparser.p0", "identify itself %{p0}");
+
+ var part1002 = match("MESSAGE#591:00034:06/2_1", "nwparser.p0", "send the identification string %{p0}");
+
+ var select220 = linear_select([
+ part1001,
+ part1002,
+ ]);
+
+ var part1003 = match("MESSAGE#591:00034:06/3", "nwparser.p0", "to the SSH client at %{saddr}:%{sport}");
+
+ var all206 = all_match({
+ processors: [
+ dup384,
+ part1000,
+ select220,
+ part1003,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg600 = msg("00034:06", all206);
+
+ var part1004 = match("MESSAGE#592:00034:07", "nwparser.payload", "SCS connection has been terminated for admin user %{username->} at %{saddr}:%{sport}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg601 = msg("00034:07", part1004);
+
+ var part1005 = match("MESSAGE#593:00034:08", "nwparser.payload", "SCS: SCS has been %{disposition->} for %{username->} with %{fld2->} existing PKA keys already bound to %{fld3->} SSH users.", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg602 = msg("00034:08", part1005);
+
+ var part1006 = match("MESSAGE#594:00034:09", "nwparser.payload", "SCS has been %{disposition->} for %{username->} with %{fld2->} PKA keys already bound to %{fld3->} SSH users", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg603 = msg("00034:09", part1006);
+
+ var part1007 = match("MESSAGE#595:00034:10/2", "nwparser.p0", "%{}client at %{saddr->} has attempted to make an SCS connection to %{p0}");
+
+ var part1008 = match("MESSAGE#595:00034:10/4", "nwparser.p0", "%{interface->} %{p0}");
+
+ var part1009 = match("MESSAGE#595:00034:10/5_0", "nwparser.p0", "with%{p0}");
+
+ var part1010 = match("MESSAGE#595:00034:10/5_1", "nwparser.p0", "at%{p0}");
+
+ var select221 = linear_select([
+ part1009,
+ part1010,
+ ]);
+
+ var part1011 = match("MESSAGE#595:00034:10/6", "nwparser.p0", "%{}IP %{hostip->} but %{disposition->} because %{result}");
+
+ var all207 = all_match({
+ processors: [
+ dup244,
+ dup385,
+ part1007,
+ dup352,
+ part1008,
+ select221,
+ part1011,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg604 = msg("00034:10", all207);
+
+ var part1012 = match("MESSAGE#596:00034:12/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has attempted to make an SCS connection to %{p0}");
+
+ var part1013 = match("MESSAGE#596:00034:12/4", "nwparser.p0", "but %{disposition->} because %{result}");
+
+ var all208 = all_match({
+ processors: [
+ dup244,
+ dup385,
+ part1012,
+ dup386,
+ part1013,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg605 = msg("00034:12", all208);
+
+ var part1014 = match("MESSAGE#597:00034:11/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to %{p0}");
+
+ var part1015 = match("MESSAGE#597:00034:11/4", "nwparser.p0", "because %{result}");
+
+ var all209 = all_match({
+ processors: [
+ dup244,
+ dup385,
+ part1014,
+ dup386,
+ part1015,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg606 = msg("00034:11", all209);
+
+ var part1016 = match("MESSAGE#598:00034:15", "nwparser.payload", "SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection because %{result}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg607 = msg("00034:15", part1016);
+
+ var part1017 = match("MESSAGE#599:00034:18/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} cannot log in via SCS to %{service->} using the shared %{interface->} interface because %{result}");
+
+ var all210 = all_match({
+ processors: [
+ dup244,
+ dup387,
+ part1017,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg608 = msg("00034:18", all210);
+
+ var part1018 = match("MESSAGE#600:00034:20/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has %{disposition->} the PKA RSA challenge");
+
+ var all211 = all_match({
+ processors: [
+ dup244,
+ dup387,
+ part1018,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg609 = msg("00034:20", all211);
+
+ var part1019 = match("MESSAGE#601:00034:21/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has requested %{p0}");
+
+ var part1020 = match("MESSAGE#601:00034:21/4", "nwparser.p0", "authentication which is not %{p0}");
+
+ var part1021 = match("MESSAGE#601:00034:21/5_0", "nwparser.p0", "supported %{p0}");
+
+ var select222 = linear_select([
+ part1021,
+ dup156,
+ ]);
+
+ var part1022 = match("MESSAGE#601:00034:21/6", "nwparser.p0", "for that %{p0}");
+
+ var part1023 = match("MESSAGE#601:00034:21/7_0", "nwparser.p0", "client%{}");
+
+ var part1024 = match("MESSAGE#601:00034:21/7_1", "nwparser.p0", "user%{}");
+
+ var select223 = linear_select([
+ part1023,
+ part1024,
+ ]);
+
+ var all212 = all_match({
+ processors: [
+ dup244,
+ dup387,
+ part1019,
+ dup372,
+ part1020,
+ select222,
+ part1022,
+ select223,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg610 = msg("00034:21", all212);
+
+ var part1025 = match("MESSAGE#602:00034:22", "nwparser.payload", "SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to vsys %{fld2->} using the shared untrusted interface", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg611 = msg("00034:22", part1025);
+
+ var part1026 = match("MESSAGE#603:00034:23/1_0", "nwparser.p0", "SCS: Unable %{p0}");
+
+ var part1027 = match("MESSAGE#603:00034:23/1_1", "nwparser.p0", "Unable %{p0}");
+
+ var select224 = linear_select([
+ part1026,
+ part1027,
+ ]);
+
+ var part1028 = match("MESSAGE#603:00034:23/2", "nwparser.p0", "to validate cookie from the SSH client at %{saddr}:%{sport}");
+
+ var all213 = all_match({
+ processors: [
+ dup160,
+ select224,
+ part1028,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg612 = msg("00034:23", all213);
+
+ var part1029 = match("MESSAGE#604:00034:24", "nwparser.payload", "AC %{username->} is advertising URL %{fld2}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg613 = msg("00034:24", part1029);
+
+ var part1030 = match("MESSAGE#605:00034:25", "nwparser.payload", "Message from AC %{username}: %{fld2}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg614 = msg("00034:25", part1030);
+
+ var part1031 = match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg615 = msg("00034:26", part1031);
+
+ var part1032 = match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on %{interface->} interface", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg616 = msg("00034:27", part1032);
+
+ var part1033 = match("MESSAGE#608:00034:28", "nwparser.payload", "PPPoE%{quote}s session closed by AC", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg617 = msg("00034:28", part1033);
+
+ var part1034 = match("MESSAGE#609:00034:29", "nwparser.payload", "SCS: Disabled for %{username}. Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg618 = msg("00034:29", part1034);
+
+ var part1035 = match("MESSAGE#610:00034:30", "nwparser.payload", "SCS: %{disposition->} to remove PKA key removed.", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg619 = msg("00034:30", part1035);
+
+ var part1036 = match("MESSAGE#611:00034:31", "nwparser.payload", "SCS: %{disposition->} to retrieve host key", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg620 = msg("00034:31", part1036);
+
+ var part1037 = match("MESSAGE#612:00034:32", "nwparser.payload", "SCS: %{disposition->} to send identification string to client host at %{saddr}:%{sport}.", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg621 = msg("00034:32", part1037);
+
+ var part1038 = match("MESSAGE#613:00034:33", "nwparser.payload", "SCS: Max %{fld2->} sessions reached unabel to accept connection : %{saddr}:%{sport}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg622 = msg("00034:33", part1038);
+
+ var part1039 = match("MESSAGE#614:00034:34", "nwparser.payload", "SCS: Maximum number for SCS sessions %{fld2->} has been reached. Connection request from SSH user at %{saddr}:%{sport->} has been %{disposition}.", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg623 = msg("00034:34", part1039);
+
+ var part1040 = match("MESSAGE#615:00034:35", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to %{service->} using the shared untrusted interface because SCS is disabled on that interface.", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg624 = msg("00034:35", part1040);
+
+ var part1041 = match("MESSAGE#616:00034:36", "nwparser.payload", "SCS: Unsupported cipher type %{fld2->} requested from: %{saddr}:%{sport}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg625 = msg("00034:36", part1041);
+
+ var part1042 = match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg626 = msg("00034:37", part1042);
+
+ var part1043 = match("MESSAGE#618:00034:38", "nwparser.payload", "SSH: %{disposition->} to retreive PKA key bound to SSH user %{username->} (Key ID %{fld2})", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg627 = msg("00034:38", part1043);
+
+ var part1044 = match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet from host %{saddr->} (Code %{fld2})", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg628 = msg("00034:39", part1044);
+
+ var part1045 = match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send initialization string to client at %{saddr}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg629 = msg("00034:40", part1045);
+
+ var part1046 = match("MESSAGE#621:00034:41/0", "nwparser.payload", "SCP: Admin user '%{administrator}' attempted to transfer file %{p0}");
+
+ var part1047 = match("MESSAGE#621:00034:41/2", "nwparser.p0", "the device with insufficient privilege.%{}");
+
+ var all214 = all_match({
+ processors: [
+ part1046,
+ dup373,
+ part1047,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg630 = msg("00034:41", all214);
+
+ var part1048 = match("MESSAGE#622:00034:42", "nwparser.payload", "SSH: Maximum number of SSH sessions (%{fld2}) exceeded. Connection request from SSH user %{username->} at %{saddr->} denied.", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg631 = msg("00034:42", part1048);
+
+ var part1049 = match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx bd (port %{network_port})", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg632 = msg("00034:43", part1049);
+
+ var part1050 = match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack detected on SSH connection initiated from %{saddr}:%{sport->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg633 = msg("00034:44", part1050);
+
+ var select225 = linear_select([
+ msg594,
+ msg595,
+ msg596,
+ msg597,
+ msg598,
+ msg599,
+ msg600,
+ msg601,
+ msg602,
+ msg603,
+ msg604,
+ msg605,
+ msg606,
+ msg607,
+ msg608,
+ msg609,
+ msg610,
+ msg611,
+ msg612,
+ msg613,
+ msg614,
+ msg615,
+ msg616,
+ msg617,
+ msg618,
+ msg619,
+ msg620,
+ msg621,
+ msg622,
+ msg623,
+ msg624,
+ msg625,
+ msg626,
+ msg627,
+ msg628,
+ msg629,
+ msg630,
+ msg631,
+ msg632,
+ msg633,
+ ]);
+
+ var part1051 = match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}:%{result}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg634 = msg("00035", part1051);
+
+ var part1052 = match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in incoming mail - %{fld2}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg635 = msg("00035:01", part1052);
+
+ var part1053 = match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} is not allowed in export or firewall only system", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg636 = msg("00035:02", part1053);
+
+ var part1054 = match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg637 = msg("00035:03", part1054);
+
+ var part1055 = match("MESSAGE#628:00035:04/0", "nwparser.payload", "SSL Error when retrieve local c%{p0}");
+
+ var part1056 = match("MESSAGE#628:00035:04/1_0", "nwparser.p0", "a(verify) %{p0}");
+
+ var part1057 = match("MESSAGE#628:00035:04/1_1", "nwparser.p0", "ert(verify) %{p0}");
+
+ var part1058 = match("MESSAGE#628:00035:04/1_2", "nwparser.p0", "ert(all) %{p0}");
+
+ var select226 = linear_select([
+ part1056,
+ part1057,
+ part1058,
+ ]);
+
+ var part1059 = match("MESSAGE#628:00035:04/2", "nwparser.p0", ": %{fld2}");
+
+ var all215 = all_match({
+ processors: [
+ part1055,
+ select226,
+ part1059,
+ ],
+ on_success: processor_chain([
+ dup117,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg638 = msg("00035:04", all215);
+
+ var part1060 = match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. Not ready for connections.%{}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg639 = msg("00035:05", part1060);
+
+ var part1061 = match("MESSAGE#630:00035:06/0", "nwparser.payload", "SSL c%{p0}");
+
+ var part1062 = match("MESSAGE#630:00035:06/2", "nwparser.p0", "changed to none%{}");
+
+ var all216 = all_match({
+ processors: [
+ part1061,
+ dup388,
+ part1062,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg640 = msg("00035:06", all216);
+
+ var part1063 = match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{fld2->} recieved %{fld3->} is expected", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg641 = msg("00035:07", part1063);
+
+ var part1064 = match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg642 = msg("00035:08", part1064);
+
+ var part1065 = match("MESSAGE#633:00035:09/1_0", "nwparser.p0", "enabled%{}");
+
+ var select227 = linear_select([
+ part1065,
+ dup92,
+ ]);
+
+ var all217 = all_match({
+ processors: [
+ dup253,
+ select227,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg643 = msg("00035:09", all217);
+
+ var part1066 = match("MESSAGE#634:00035:10/0", "nwparser.payload", "SSL memory allocation fails in process_c%{p0}");
+
+ var part1067 = match("MESSAGE#634:00035:10/1_0", "nwparser.p0", "a()%{}");
+
+ var part1068 = match("MESSAGE#634:00035:10/1_1", "nwparser.p0", "ert()%{}");
+
+ var select228 = linear_select([
+ part1067,
+ part1068,
+ ]);
+
+ var all218 = all_match({
+ processors: [
+ part1066,
+ select228,
+ ],
+ on_success: processor_chain([
+ dup184,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg644 = msg("00035:10", all218);
+
+ var part1069 = match("MESSAGE#635:00035:11/0", "nwparser.payload", "SSL no ssl c%{p0}");
+
+ var part1070 = match("MESSAGE#635:00035:11/1_0", "nwparser.p0", "a%{}");
+
+ var part1071 = match("MESSAGE#635:00035:11/1_1", "nwparser.p0", "ert%{}");
+
+ var select229 = linear_select([
+ part1070,
+ part1071,
+ ]);
+
+ var all219 = all_match({
+ processors: [
+ part1069,
+ select229,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg645 = msg("00035:11", all219);
+
+ var part1072 = match("MESSAGE#636:00035:12/0", "nwparser.payload", "SSL set c%{p0}");
+
+ var part1073 = match("MESSAGE#636:00035:12/2", "nwparser.p0", "id is invalid %{fld2}");
+
+ var all220 = all_match({
+ processors: [
+ part1072,
+ dup388,
+ part1073,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg646 = msg("00035:12", all220);
+
+ var part1074 = match("MESSAGE#637:00035:13/1_1", "nwparser.p0", "verify %{p0}");
+
+ var select230 = linear_select([
+ dup101,
+ part1074,
+ ]);
+
+ var part1075 = match("MESSAGE#637:00035:13/2", "nwparser.p0", "cert failed. Key type is not RSA%{}");
+
+ var all221 = all_match({
+ processors: [
+ dup253,
+ select230,
+ part1075,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg647 = msg("00035:13", all221);
+
+ var part1076 = match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg648 = msg("00035:14", part1076);
+
+ var part1077 = match("MESSAGE#639:00035:15/0", "nwparser.payload", "%{change_attribute->} has been changed %{p0}");
+
+ var part1078 = match("MESSAGE#639:00035:15/1_0", "nwparser.p0", "from %{change_old->} to %{change_new}");
+
+ var part1079 = match("MESSAGE#639:00035:15/1_1", "nwparser.p0", "to %{fld2}");
+
+ var select231 = linear_select([
+ part1078,
+ part1079,
+ ]);
+
+ var all222 = all_match({
+ processors: [
+ part1077,
+ select231,
+ ],
+ on_success: processor_chain([
+ dup184,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg649 = msg("00035:15", all222);
+
+ var part1080 = match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed to by %{username->} via web from host %{saddr->} to %{daddr}:%{dport->} %{fld5}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg650 = msg("00035:16", part1080);
+
+ var select232 = linear_select([
+ msg634,
+ msg635,
+ msg636,
+ msg637,
+ msg638,
+ msg639,
+ msg640,
+ msg641,
+ msg642,
+ msg643,
+ msg644,
+ msg645,
+ msg646,
+ msg647,
+ msg648,
+ msg649,
+ msg650,
+ ]);
+
+ var part1081 = match("MESSAGE#641:00036", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key%{}", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg651 = msg("00036", part1081);
+
+ var part1082 = match("MESSAGE#642:00036:01/0", "nwparser.payload", "%{fld2->} license keys were updated successfully by %{p0}");
+
+ var part1083 = match("MESSAGE#642:00036:01/1_1", "nwparser.p0", "manual %{p0}");
+
+ var select233 = linear_select([
+ dup214,
+ part1083,
+ ]);
+
+ var part1084 = match("MESSAGE#642:00036:01/2", "nwparser.p0", "retrieval%{}");
+
+ var all223 = all_match({
+ processors: [
+ part1082,
+ select233,
+ part1084,
+ ],
+ on_success: processor_chain([
+ dup254,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg652 = msg("00036:01", all223);
+
+ var select234 = linear_select([
+ msg651,
+ msg652,
+ ]);
+
+ var part1085 = match("MESSAGE#643:00037/0", "nwparser.payload", "Intra-zone block for zone %{zone->} was set to o%{p0}");
+
+ var part1086 = match("MESSAGE#643:00037/1_0", "nwparser.p0", "n%{}");
+
+ var part1087 = match("MESSAGE#643:00037/1_1", "nwparser.p0", "ff%{}");
+
+ var select235 = linear_select([
+ part1086,
+ part1087,
+ ]);
+
+ var all224 = all_match({
+ processors: [
+ part1085,
+ select235,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg653 = msg("00037", all224);
+
+ var part1088 = match("MESSAGE#644:00037:01/0", "nwparser.payload", "New zone %{zone->} ( %{p0}");
+
+ var select236 = linear_select([
+ dup255,
+ dup256,
+ ]);
+
+ var part1089 = match("MESSAGE#644:00037:01/2", "nwparser.p0", "%{fld2}) was created.%{p0}");
+
+ var all225 = all_match({
+ processors: [
+ part1088,
+ select236,
+ part1089,
+ dup351,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg654 = msg("00037:01", all225);
+
+ var part1090 = match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was bound to out zone %{dst_zone}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg655 = msg("00037:02", part1090);
+
+ var part1091 = match("MESSAGE#646:00037:03/1_0", "nwparser.p0", "was was %{p0}");
+
+ var part1092 = match("MESSAGE#646:00037:03/1_1", "nwparser.p0", "%{zone->} was %{p0}");
+
+ var select237 = linear_select([
+ part1091,
+ part1092,
+ ]);
+
+ var part1093 = match("MESSAGE#646:00037:03/3", "nwparser.p0", "virtual router %{p0}");
+
+ var part1094 = match("MESSAGE#646:00037:03/4_0", "nwparser.p0", "%{node->} (%{fld1})");
+
+ var part1095 = match("MESSAGE#646:00037:03/4_1", "nwparser.p0", "%{node}.");
+
+ var select238 = linear_select([
+ part1094,
+ part1095,
+ ]);
+
+ var all226 = all_match({
+ processors: [
+ dup113,
+ select237,
+ dup371,
+ part1093,
+ select238,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg656 = msg("00037:03", all226);
+
+ var part1096 = match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to non-shared.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg657 = msg("00037:04", part1096);
+
+ var part1097 = match("MESSAGE#648:00037:05/0", "nwparser.payload", "Zone %{zone->} ( %{p0}");
+
+ var select239 = linear_select([
+ dup256,
+ dup255,
+ ]);
+
+ var part1098 = match("MESSAGE#648:00037:05/2", "nwparser.p0", "%{fld2}) was deleted. %{p0}");
+
+ var part1099 = match_copy("MESSAGE#648:00037:05/3_1", "nwparser.p0", "space");
+
+ var select240 = linear_select([
+ dup10,
+ part1099,
+ ]);
+
+ var all227 = all_match({
+ processors: [
+ part1097,
+ select239,
+ part1098,
+ select240,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg658 = msg("00037:05", all227);
+
+ var part1100 = match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was %{disposition->} on zone %{zone}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg659 = msg("00037:06", part1100);
+
+ var select241 = linear_select([
+ msg653,
+ msg654,
+ msg655,
+ msg656,
+ msg657,
+ msg658,
+ msg659,
+ ]);
+
+ var part1101 = match("MESSAGE#650:00038/0", "nwparser.payload", "OSPF routing instance in vrouter %{p0}");
+
+ var part1102 = match("MESSAGE#650:00038/1_0", "nwparser.p0", "%{node->} is %{p0}");
+
+ var part1103 = match("MESSAGE#650:00038/1_1", "nwparser.p0", "%{node->} %{p0}");
+
+ var select242 = linear_select([
+ part1102,
+ part1103,
+ ]);
+
+ var all228 = all_match({
+ processors: [
+ part1101,
+ select242,
+ dup36,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg660 = msg("00038", all228);
+
+ var part1104 = match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr %{node}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg661 = msg("00039", part1104);
+
+ var part1105 = match("MESSAGE#652:00040/0_0", "nwparser.payload", "Low watermark%{p0}");
+
+ var part1106 = match("MESSAGE#652:00040/0_1", "nwparser.payload", "High watermark%{p0}");
+
+ var select243 = linear_select([
+ part1105,
+ part1106,
+ ]);
+
+ var part1107 = match("MESSAGE#652:00040/1", "nwparser.p0", "%{}for early aging has been changed to the default %{fld2}");
+
+ var all229 = all_match({
+ processors: [
+ select243,
+ part1107,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg662 = msg("00040", all229);
+
+ var part1108 = match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg663 = msg("00040:01", part1108);
+
+ var select244 = linear_select([
+ msg662,
+ msg663,
+ ]);
+
+ var part1109 = match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual router %{node->} has been removed", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg664 = msg("00041", part1109);
+
+ var part1110 = match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg665 = msg("00041:01", part1110);
+
+ var select245 = linear_select([
+ msg664,
+ msg665,
+ ]);
+
+ var part1111 = match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec tunnel on %{interface->} with tunnel ID %{fld2}! From %{saddr->} to %{daddr}/%{dport}, %{info->} (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg666 = msg("00042", part1111);
+
+ var part1112 = match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup9,
+ dup4,
+ dup5,
+ dup60,
+ ]));
+
+ var msg667 = msg("00042:01", part1112);
+
+ var select246 = linear_select([
+ msg666,
+ msg667,
+ ]);
+
+ var part1113 = match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp tunnel (%{fld2}-%{fld3}), Result code %{resultcode->} (%{result}). (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg668 = msg("00043", part1113);
+
+ var part1114 = match("MESSAGE#659:00044/0", "nwparser.payload", "access list %{listnum->} sequence number %{fld3->} %{p0}");
+
+ var part1115 = match("MESSAGE#659:00044/1_1", "nwparser.p0", "deny %{p0}");
+
+ var select247 = linear_select([
+ dup257,
+ part1115,
+ ]);
+
+ var part1116 = match("MESSAGE#659:00044/2", "nwparser.p0", "ip %{hostip}/%{mask->} %{disposition->} in vrouter %{node}");
+
+ var all230 = all_match({
+ processors: [
+ part1114,
+ select247,
+ part1116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg669 = msg("00044", all230);
+
+ var part1117 = match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{disposition->} in vrouter %{node}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg670 = msg("00044:01", part1117);
+
+ var select248 = linear_select([
+ msg669,
+ msg670,
+ ]);
+
+ var part1118 = match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router %{node->} was %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg671 = msg("00045", part1118);
+
+ var part1119 = match("MESSAGE#662:00047/1_0", "nwparser.p0", "remove %{p0}");
+
+ var part1120 = match("MESSAGE#662:00047/1_1", "nwparser.p0", "add %{p0}");
+
+ var select249 = linear_select([
+ part1119,
+ part1120,
+ ]);
+
+ var part1121 = match("MESSAGE#662:00047/2", "nwparser.p0", "multicast policy from %{src_zone->} %{fld4->} to %{dst_zone->} %{fld3->} (%{fld1})");
+
+ var all231 = all_match({
+ processors: [
+ dup183,
+ select249,
+ part1121,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg672 = msg("00047", all231);
+
+ var part1122 = match("MESSAGE#663:00048/0", "nwparser.payload", "Access list entry %{listnum->} with %{p0}");
+
+ var part1123 = match("MESSAGE#663:00048/1_0", "nwparser.p0", "a sequence %{p0}");
+
+ var part1124 = match("MESSAGE#663:00048/1_1", "nwparser.p0", "sequence %{p0}");
+
+ var select250 = linear_select([
+ part1123,
+ part1124,
+ ]);
+
+ var part1125 = match("MESSAGE#663:00048/2", "nwparser.p0", "number %{fld2->} %{p0}");
+
+ var part1126 = match("MESSAGE#663:00048/3_0", "nwparser.p0", "with an action of %{p0}");
+
+ var select251 = linear_select([
+ part1126,
+ dup112,
+ ]);
+
+ var part1127 = match("MESSAGE#663:00048/5_0", "nwparser.p0", "with an IP %{p0}");
+
+ var select252 = linear_select([
+ part1127,
+ dup139,
+ ]);
+
+ var part1128 = match("MESSAGE#663:00048/6", "nwparser.p0", "address %{p0}");
+
+ var part1129 = match("MESSAGE#663:00048/7_0", "nwparser.p0", "and subnetwork mask of %{p0}");
+
+ var select253 = linear_select([
+ part1129,
+ dup16,
+ ]);
+
+ var part1130 = match("MESSAGE#663:00048/8", "nwparser.p0", "%{} %{fld3}was %{p0}");
+
+ var part1131 = match("MESSAGE#663:00048/9_0", "nwparser.p0", "created on %{p0}");
+
+ var select254 = linear_select([
+ part1131,
+ dup129,
+ ]);
+
+ var part1132 = match("MESSAGE#663:00048/10", "nwparser.p0", "virtual router %{node->} (%{fld1})");
+
+ var all232 = all_match({
+ processors: [
+ part1122,
+ select250,
+ part1125,
+ select251,
+ dup257,
+ select252,
+ part1128,
+ select253,
+ part1130,
+ select254,
+ part1132,
+ ],
+ on_success: processor_chain([
+ setc("eventcategory","1501000000"),
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg673 = msg("00048", all232);
+
+ var part1133 = match("MESSAGE#664:00048:01/0", "nwparser.payload", "Route %{p0}");
+
+ var part1134 = match("MESSAGE#664:00048:01/1_0", "nwparser.p0", "map entry %{p0}");
+
+ var part1135 = match("MESSAGE#664:00048:01/1_1", "nwparser.p0", "entry %{p0}");
+
+ var select255 = linear_select([
+ part1134,
+ part1135,
+ ]);
+
+ var part1136 = match("MESSAGE#664:00048:01/2", "nwparser.p0", "with sequence number %{fld2->} in route map binck-ospf%{p0}");
+
+ var part1137 = match("MESSAGE#664:00048:01/3_0", "nwparser.p0", " in %{p0}");
+
+ var select256 = linear_select([
+ part1137,
+ dup105,
+ ]);
+
+ var part1138 = match("MESSAGE#664:00048:01/4", "nwparser.p0", "virtual router %{node->} was %{disposition->} (%{fld1})");
+
+ var all233 = all_match({
+ processors: [
+ part1133,
+ select255,
+ part1136,
+ select256,
+ part1138,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg674 = msg("00048:01", all233);
+
+ var part1139 = match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface %{interface->} (%{fld1})", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg675 = msg("00048:02", part1139);
+
+ var select257 = linear_select([
+ msg673,
+ msg674,
+ msg675,
+ ]);
+
+ var part1140 = match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed to %{fld8->} (%{fld2}) => %{fld3->} (%{fld4}) => %{fld5->} (%{fld6}) in virtual router (%{node})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg676 = msg("00049", part1140);
+
+ var part1141 = match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} in virtual router %{node}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg677 = msg("00049:01", part1141);
+
+ var part1142 = match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{node->} and ID %{fld2->} has been removed", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg678 = msg("00049:02", part1142);
+
+ var part1143 = match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual router \"%{node}\" used by OSPF, BGP routing instances id has been uninitialized. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg679 = msg("00049:03", part1143);
+
+ var part1144 = match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route through virtual router \"%{node}\" has been added in virtual router \"%{fld4}\" (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg680 = msg("00049:04", part1144);
+
+ var part1145 = match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking for interfaces in virtual router (%{node}) has been enabled. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg681 = msg("00049:05", part1145);
+
+ var select258 = linear_select([
+ msg676,
+ msg677,
+ msg678,
+ msg679,
+ msg680,
+ msg681,
+ ]);
+
+ var part1146 = match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg682 = msg("00050", part1146);
+
+ var part1147 = match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached %{fld2}, which is %{fld3->} of the system capacity!", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg683 = msg("00051", part1147);
+
+ var part1148 = match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:%{sport}->%{daddr}:%{dport->} used %{fld2->} percent of AV resources, which exceeded the max of %{fld3->} percent.", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg684 = msg("00052", part1148);
+
+ var part1149 = match("MESSAGE#675:00055/1_1", "nwparser.p0", "router %{p0}");
+
+ var select259 = linear_select([
+ dup169,
+ part1149,
+ ]);
+
+ var part1150 = match("MESSAGE#675:00055/2", "nwparser.p0", "instance was %{disposition->} on interface %{interface}.");
+
+ var all234 = all_match({
+ processors: [
+ dup258,
+ select259,
+ part1150,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg685 = msg("00055", all234);
+
+ var part1151 = match("MESSAGE#676:00055:01/1_0", "nwparser.p0", "proxy %{p0}");
+
+ var part1152 = match("MESSAGE#676:00055:01/1_1", "nwparser.p0", "function %{p0}");
+
+ var select260 = linear_select([
+ part1151,
+ part1152,
+ ]);
+
+ var part1153 = match("MESSAGE#676:00055:01/2", "nwparser.p0", "was %{disposition->} on interface %{interface}.");
+
+ var all235 = all_match({
+ processors: [
+ dup258,
+ select260,
+ part1153,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg686 = msg("00055:01", all235);
+
+ var part1154 = match("MESSAGE#677:00055:02/2", "nwparser.p0", "same subnet check on interface %{interface}.");
+
+ var all236 = all_match({
+ processors: [
+ dup259,
+ dup389,
+ part1154,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg687 = msg("00055:02", all236);
+
+ var part1155 = match("MESSAGE#678:00055:03/2", "nwparser.p0", "router alert IP option check on interface %{interface}.");
+
+ var all237 = all_match({
+ processors: [
+ dup259,
+ dup389,
+ part1155,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg688 = msg("00055:03", all237);
+
+ var part1156 = match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to %{version->} on interface %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg689 = msg("00055:04", part1156);
+
+ var part1157 = match("MESSAGE#680:00055:05/0", "nwparser.payload", "IGMP query %{p0}");
+
+ var part1158 = match("MESSAGE#680:00055:05/1_1", "nwparser.p0", "max response time %{p0}");
+
+ var select261 = linear_select([
+ dup110,
+ part1158,
+ ]);
+
+ var part1159 = match("MESSAGE#680:00055:05/2", "nwparser.p0", "was changed to %{fld2->} on interface %{interface}");
+
+ var all238 = all_match({
+ processors: [
+ part1157,
+ select261,
+ part1159,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg690 = msg("00055:05", all238);
+
+ var part1160 = match("MESSAGE#681:00055:06/0", "nwparser.payload", "IGMP l%{p0}");
+
+ var part1161 = match("MESSAGE#681:00055:06/1_0", "nwparser.p0", "eave %{p0}");
+
+ var part1162 = match("MESSAGE#681:00055:06/1_1", "nwparser.p0", "ast member query %{p0}");
+
+ var select262 = linear_select([
+ part1161,
+ part1162,
+ ]);
+
+ var part1163 = match("MESSAGE#681:00055:06/2", "nwparser.p0", "interval was changed to %{fld2->} on interface %{interface}.");
+
+ var all239 = all_match({
+ processors: [
+ part1160,
+ select262,
+ part1163,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg691 = msg("00055:06", all239);
+
+ var part1164 = match("MESSAGE#682:00055:07/1_0", "nwparser.p0", "routers %{p0}");
+
+ var part1165 = match("MESSAGE#682:00055:07/1_1", "nwparser.p0", "hosts %{p0}");
+
+ var part1166 = match("MESSAGE#682:00055:07/1_2", "nwparser.p0", "groups %{p0}");
+
+ var select263 = linear_select([
+ part1164,
+ part1165,
+ part1166,
+ ]);
+
+ var part1167 = match("MESSAGE#682:00055:07/2", "nwparser.p0", "accept list ID was changed to %{fld2->} on interface %{interface}.");
+
+ var all240 = all_match({
+ processors: [
+ dup258,
+ select263,
+ part1167,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg692 = msg("00055:07", all240);
+
+ var part1168 = match("MESSAGE#683:00055:08/1_0", "nwparser.p0", "all groups %{p0}");
+
+ var part1169 = match("MESSAGE#683:00055:08/1_1", "nwparser.p0", "group %{p0}");
+
+ var select264 = linear_select([
+ part1168,
+ part1169,
+ ]);
+
+ var part1170 = match("MESSAGE#683:00055:08/2", "nwparser.p0", "%{group->} static flag was %{disposition->} on interface %{interface}.");
+
+ var all241 = all_match({
+ processors: [
+ dup258,
+ select264,
+ part1170,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg693 = msg("00055:08", all241);
+
+ var part1171 = match("MESSAGE#684:00055:09", "nwparser.payload", "IGMP static group %{group->} was added on interface %{interface}", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg694 = msg("00055:09", part1171);
+
+ var part1172 = match("MESSAGE#685:00055:10", "nwparser.payload", "IGMP proxy always is %{disposition->} on interface %{interface}.", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg695 = msg("00055:10", part1172);
+
+ var select265 = linear_select([
+ msg685,
+ msg686,
+ msg687,
+ msg688,
+ msg689,
+ msg690,
+ msg691,
+ msg692,
+ msg693,
+ msg694,
+ msg695,
+ ]);
+
+ var part1173 = match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{src_zone->} %{saddr->} to %{dst_zone->} %{daddr}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg696 = msg("00056", part1173);
+
+ var part1174 = match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route src=%{saddr}, grp=%{group->} input ifp = %{sinterface->} output ifp = %{dinterface->} added", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg697 = msg("00057", part1174);
+
+ var part1175 = match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on interface %{interface}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg698 = msg("00058", part1175);
+
+ var part1176 = match("MESSAGE#689:00059/0", "nwparser.payload", "DDNS module is %{p0}");
+
+ var part1177 = match("MESSAGE#689:00059/1_0", "nwparser.p0", "initialized %{p0}");
+
+ var select266 = linear_select([
+ part1177,
+ dup262,
+ dup157,
+ dup156,
+ ]);
+
+ var all242 = all_match({
+ processors: [
+ part1176,
+ select266,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg699 = msg("00059", all242);
+
+ var part1178 = match("MESSAGE#690:00059:02/0", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with server type \"%{fld3}\" name \"%{hostname}\" refresh-interval %{fld5->} hours minimum update interval %{fld6->} minutes with %{p0}");
+
+ var part1179 = match("MESSAGE#690:00059:02/1_0", "nwparser.p0", "secure %{p0}");
+
+ var part1180 = match("MESSAGE#690:00059:02/1_1", "nwparser.p0", "clear-text %{p0}");
+
+ var select267 = linear_select([
+ part1179,
+ part1180,
+ ]);
+
+ var part1181 = match("MESSAGE#690:00059:02/2", "nwparser.p0", "secure connection.%{}");
+
+ var all243 = all_match({
+ processors: [
+ part1178,
+ select267,
+ part1181,
+ ],
+ on_success: processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg700 = msg("00059:02", all243);
+
+ var part1182 = match("MESSAGE#691:00059:03", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with user name \"%{username}\" agent \"%{fld3}\"", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg701 = msg("00059:03", part1182);
+
+ var part1183 = match("MESSAGE#692:00059:04", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with interface \"%{interface}\" host-name \"%{hostname}\"", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg702 = msg("00059:04", part1183);
+
+ var part1184 = match("MESSAGE#693:00059:05/0_0", "nwparser.payload", "Hostname %{p0}");
+
+ var part1185 = match("MESSAGE#693:00059:05/0_1", "nwparser.payload", "Source interface %{p0}");
+
+ var part1186 = match("MESSAGE#693:00059:05/0_2", "nwparser.payload", "Username and password %{p0}");
+
+ var part1187 = match("MESSAGE#693:00059:05/0_3", "nwparser.payload", "Server %{p0}");
+
+ var select268 = linear_select([
+ part1184,
+ part1185,
+ part1186,
+ part1187,
+ ]);
+
+ var part1188 = match("MESSAGE#693:00059:05/1", "nwparser.p0", "of DDNS entry with id %{fld2->} is cleared.");
+
+ var all244 = all_match({
+ processors: [
+ select268,
+ part1188,
+ ],
+ on_success: processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg703 = msg("00059:05", all244);
+
+ var part1189 = match("MESSAGE#694:00059:06", "nwparser.payload", "Agent of DDNS entry with id %{fld2->} is reset to its default value.", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg704 = msg("00059:06", part1189);
+
+ var part1190 = match("MESSAGE#695:00059:07", "nwparser.payload", "Updates for DDNS entry with id %{fld2->} are set to be sent in secure (%{protocol}) mode.", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg705 = msg("00059:07", part1190);
+
+ var part1191 = match("MESSAGE#696:00059:08/0_0", "nwparser.payload", "Refresh %{p0}");
+
+ var part1192 = match("MESSAGE#696:00059:08/0_1", "nwparser.payload", "Minimum update %{p0}");
+
+ var select269 = linear_select([
+ part1191,
+ part1192,
+ ]);
+
+ var part1193 = match("MESSAGE#696:00059:08/1", "nwparser.p0", "interval of DDNS entry with id %{fld2->} is set to default value (%{fld3}).");
+
+ var all245 = all_match({
+ processors: [
+ select269,
+ part1193,
+ ],
+ on_success: processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg706 = msg("00059:08", all245);
+
+ var part1194 = match("MESSAGE#697:00059:09/1_0", "nwparser.p0", "No-Change %{p0}");
+
+ var part1195 = match("MESSAGE#697:00059:09/1_1", "nwparser.p0", "Error %{p0}");
+
+ var select270 = linear_select([
+ part1194,
+ part1195,
+ ]);
+
+ var part1196 = match("MESSAGE#697:00059:09/2", "nwparser.p0", "response received for DDNS entry update for id %{fld2->} user \"%{username}\" domain \"%{domain}\" server type \" d%{p0}");
+
+ var part1197 = match("MESSAGE#697:00059:09/3_1", "nwparser.p0", "yndns %{p0}");
+
+ var select271 = linear_select([
+ dup261,
+ part1197,
+ ]);
+
+ var part1198 = match("MESSAGE#697:00059:09/4", "nwparser.p0", "\", server name \"%{hostname}\"");
+
+ var all246 = all_match({
+ processors: [
+ dup160,
+ select270,
+ part1196,
+ select271,
+ part1198,
+ ],
+ on_success: processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg707 = msg("00059:09", all246);
+
+ var part1199 = match("MESSAGE#698:00059:01", "nwparser.payload", "DDNS entry with id %{fld2->} is %{disposition}.", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg708 = msg("00059:01", part1199);
+
+ var select272 = linear_select([
+ msg699,
+ msg700,
+ msg701,
+ msg702,
+ msg703,
+ msg704,
+ msg705,
+ msg706,
+ msg707,
+ msg708,
+ ]);
+
+ var part1200 = match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip->} failed. (%{event_time_string})", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("event_description","Track IP failed"),
+ ]));
+
+ var msg709 = msg("00062:01", part1200);
+
+ var part1201 = match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached threshold. (%{event_time_string})", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("event_description","Track IP failure reached threshold"),
+ ]));
+
+ var msg710 = msg("00062:02", part1201);
+
+ var part1202 = match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip->} succeeded. (%{event_time_string})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("event_description","Track IP succeeded"),
+ ]));
+
+ var msg711 = msg("00062:03", part1202);
+
+ var part1203 = match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg712 = msg("00062", part1203);
+
+ var select273 = linear_select([
+ msg709,
+ msg710,
+ msg711,
+ msg712,
+ ]);
+
+ var part1204 = match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{disposition}!", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg713 = msg("00063", part1204);
+
+ var part1205 = match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg714 = msg("00064", part1205);
+
+ var part1206 = match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches threshold system may fail over!%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg715 = msg("00064:01", part1206);
+
+ var part1207 = match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from policy ID %{policy_id}. (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg716 = msg("00064:02", part1207);
+
+ var select274 = linear_select([
+ msg714,
+ msg715,
+ msg716,
+ ]);
+
+ var msg717 = msg("00070", dup411);
+
+ var part1208 = match("MESSAGE#708:00070:01/2", "nwparser.p0", "%{}Device group %{group->} changed state from %{fld3->} to %{p0}");
+
+ var part1209 = match("MESSAGE#708:00070:01/3_0", "nwparser.p0", "Init%{}");
+
+ var part1210 = match("MESSAGE#708:00070:01/3_1", "nwparser.p0", "init. (%{fld1})");
+
+ var select275 = linear_select([
+ part1209,
+ part1210,
+ ]);
+
+ var all247 = all_match({
+ processors: [
+ dup267,
+ dup391,
+ part1208,
+ select275,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg718 = msg("00070:01", all247);
+
+ var part1211 = match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel change to %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg719 = msg("00070:02", part1211);
+
+ var select276 = linear_select([
+ msg717,
+ msg718,
+ msg719,
+ ]);
+
+ var msg720 = msg("00071", dup411);
+
+ var part1212 = match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in the Virtual Security Device group %{group->} changed state", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg721 = msg("00071:01", part1212);
+
+ var select277 = linear_select([
+ msg720,
+ msg721,
+ ]);
+
+ var msg722 = msg("00072", dup411);
+
+ var msg723 = msg("00072:01", dup412);
+
+ var select278 = linear_select([
+ msg722,
+ msg723,
+ ]);
+
+ var msg724 = msg("00073", dup411);
+
+ var msg725 = msg("00073:01", dup412);
+
+ var select279 = linear_select([
+ msg724,
+ msg725,
+ ]);
+
+ var msg726 = msg("00074", dup392);
+
+ var all248 = all_match({
+ processors: [
+ dup263,
+ dup390,
+ dup271,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg727 = msg("00075", all248);
+
+ var part1213 = match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} changed state from %{event_state->} to inoperable. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ setc("event_description","local device in the Virtual Security Device group changed state to inoperable"),
+ ]));
+
+ var msg728 = msg("00075:02", part1213);
+
+ var part1214 = match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg729 = msg("00075:01", part1214);
+
+ var select280 = linear_select([
+ msg727,
+ msg728,
+ msg729,
+ ]);
+
+ var msg730 = msg("00076", dup392);
+
+ var part1215 = match("MESSAGE#721:00076:01/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} send 2nd path request to unit=%{fld3}");
+
+ var all249 = all_match({
+ processors: [
+ dup263,
+ dup390,
+ part1215,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg731 = msg("00076:01", all249);
+
+ var select281 = linear_select([
+ msg730,
+ msg731,
+ ]);
+
+ var part1216 = match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. Begin to use second path of HA%{}", processor_chain([
+ dup144,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg732 = msg("00077", part1216);
+
+ var all250 = all_match({
+ processors: [
+ dup263,
+ dup390,
+ dup271,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg733 = msg("00077:01", all250);
+
+ var part1217 = match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group}", processor_chain([
+ setc("eventcategory","1607000000"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg734 = msg("00077:02", part1217);
+
+ var select282 = linear_select([
+ msg732,
+ msg733,
+ msg734,
+ ]);
+
+ var part1218 = match("MESSAGE#725:00084", "nwparser.payload", "RTSYNC: NSRP route synchronization is %{disposition}", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg735 = msg("00084", part1218);
+
+ var part1219 = match("MESSAGE#726:00090/0_0", "nwparser.payload", "Failover %{p0}");
+
+ var part1220 = match("MESSAGE#726:00090/0_1", "nwparser.payload", "Recovery %{p0}");
+
+ var select283 = linear_select([
+ part1219,
+ part1220,
+ ]);
+
+ var part1221 = match("MESSAGE#726:00090/3", "nwparser.p0", "untrust interface occurred.%{}");
+
+ var all251 = all_match({
+ processors: [
+ select283,
+ dup103,
+ dup369,
+ part1221,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg736 = msg("00090", all251);
+
+ var part1222 = match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to the device because the maximum number of system route entries %{fld2->} has been exceeded", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg737 = msg("00200", part1222);
+
+ var part1223 = match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cannot be added to the virtual router %{node->} because the number of route entries in the virtual router exceeds the maximum number of routes %{fld3->} allowed", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg738 = msg("00201", part1223);
+
+ var part1224 = match("MESSAGE#729:00202", "nwparser.payload", "%{fld2->} hello-packet flood from neighbor (ip = %{hostip->} router-id = %{fld3}) on interface %{interface->} packet is dropped", processor_chain([
+ dup272,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg739 = msg("00202", part1224);
+
+ var part1225 = match("MESSAGE#730:00203", "nwparser.payload", "%{fld2->} lsa flood on interface %{interface->} has dropped a packet.", processor_chain([
+ dup272,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg740 = msg("00203", part1225);
+
+ var part1226 = match("MESSAGE#731:00206/0", "nwparser.payload", "The total number of redistributed routes into %{p0}");
+
+ var part1227 = match("MESSAGE#731:00206/1_0", "nwparser.p0", "BGP %{p0}");
+
+ var part1228 = match("MESSAGE#731:00206/1_1", "nwparser.p0", "OSPF %{p0}");
+
+ var select284 = linear_select([
+ part1227,
+ part1228,
+ ]);
+
+ var part1229 = match("MESSAGE#731:00206/2", "nwparser.p0", "in vrouter %{node->} exceeded system limit (%{fld2})");
+
+ var all252 = all_match({
+ processors: [
+ part1226,
+ select284,
+ part1229,
+ ],
+ on_success: processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg741 = msg("00206", all252);
+
+ var part1230 = match("MESSAGE#732:00206:01/0", "nwparser.payload", "LSA flood in OSPF with router-id %{fld2->} on %{p0}");
+
+ var part1231 = match("MESSAGE#732:00206:01/2", "nwparser.p0", "%{interface->} forced the interface to drop a packet.");
+
+ var all253 = all_match({
+ processors: [
+ part1230,
+ dup352,
+ part1231,
+ ],
+ on_success: processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg742 = msg("00206:01", all253);
+
+ var part1232 = match("MESSAGE#733:00206:02/0", "nwparser.payload", "OSPF instance with router-id %{fld3->} received a Hello packet flood from neighbor (IP address %{hostip}, router ID %{fld2}) on %{p0}");
+
+ var part1233 = match("MESSAGE#733:00206:02/2", "nwparser.p0", "%{interface->} forcing the interface to drop the packet.");
+
+ var all254 = all_match({
+ processors: [
+ part1232,
+ dup352,
+ part1233,
+ ],
+ on_success: processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg743 = msg("00206:02", all254);
+
+ var part1234 = match("MESSAGE#734:00206:03", "nwparser.payload", "Link State Advertisement Id %{fld2}, router ID %{fld3}, type %{fld4->} cannot be deleted from the real-time database in area %{fld5}", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg744 = msg("00206:03", part1234);
+
+ var part1235 = match("MESSAGE#735:00206:04", "nwparser.payload", "Reject second OSPF neighbor (%{fld2}) on interface (%{interface}) since it_s configured as point-to-point interface", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg745 = msg("00206:04", part1235);
+
+ var select285 = linear_select([
+ msg741,
+ msg742,
+ msg743,
+ msg744,
+ msg745,
+ ]);
+
+ var part1236 = match("MESSAGE#736:00207", "nwparser.payload", "System wide RIP route limit exceeded, RIP route dropped.%{}", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg746 = msg("00207", part1236);
+
+ var part1237 = match("MESSAGE#737:00207:01", "nwparser.payload", "%{fld2->} RIP routes dropped from last system wide RIP route limit exceed.", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg747 = msg("00207:01", part1237);
+
+ var part1238 = match("MESSAGE#738:00207:02", "nwparser.payload", "RIP database size limit exceeded for %{fld2}, RIP route dropped.", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg748 = msg("00207:02", part1238);
+
+ var part1239 = match("MESSAGE#739:00207:03", "nwparser.payload", "%{fld2->} RIP routes dropped from the last database size exceed in vr %{fld3}.", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg749 = msg("00207:03", part1239);
+
+ var select286 = linear_select([
+ msg746,
+ msg747,
+ msg748,
+ msg749,
+ ]);
+
+ var part1240 = match("MESSAGE#740:00257", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup276,
+ dup277,
+ dup278,
+ ]));
+
+ var msg750 = msg("00257", part1240);
+
+ var part1241 = match("MESSAGE#741:00257:14", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup279,
+ dup276,
+ dup277,
+ dup280,
+ ]));
+
+ var msg751 = msg("00257:14", part1241);
+
+ var part1242 = match("MESSAGE#742:00257:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup282,
+ dup278,
+ ]));
+
+ var msg752 = msg("00257:01", part1242);
+
+ var part1243 = match("MESSAGE#743:00257:15", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup279,
+ dup282,
+ dup280,
+ ]));
+
+ var msg753 = msg("00257:15", part1243);
+
+ var part1244 = match("MESSAGE#744:00257:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup276,
+ dup277,
+ ]));
+
+ var msg754 = msg("00257:02", part1244);
+
+ var part1245 = match("MESSAGE#745:00257:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup282,
+ ]));
+
+ var msg755 = msg("00257:03", part1245);
+
+ var part1246 = match("MESSAGE#746:00257:04", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup276,
+ dup277,
+ ]));
+
+ var msg756 = msg("00257:04", part1246);
+
+ var part1247 = match("MESSAGE#747:00257:05", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid->} reason=%{result}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup282,
+ ]));
+
+ var msg757 = msg("00257:05", part1247);
+
+ var part1248 = match("MESSAGE#748:00257:19/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} icmp code=%{icmpcode->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid->} reason=%{result}");
+
+ var all255 = all_match({
+ processors: [
+ dup283,
+ dup393,
+ part1248,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup282,
+ ]),
+ });
+
+ var msg758 = msg("00257:19", all255);
+
+ var part1249 = match("MESSAGE#749:00257:16/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid}");
+
+ var all256 = all_match({
+ processors: [
+ dup283,
+ dup393,
+ part1249,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup282,
+ ]),
+ });
+
+ var msg759 = msg("00257:16", all256);
+
+ var part1250 = match("MESSAGE#750:00257:17/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid}");
+
+ var all257 = all_match({
+ processors: [
+ dup283,
+ dup393,
+ part1250,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup282,
+ ]),
+ });
+
+ var msg760 = msg("00257:17", all257);
+
+ var part1251 = match("MESSAGE#751:00257:18/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} session_id=%{sessionid}");
+
+ var all258 = all_match({
+ processors: [
+ dup283,
+ dup393,
+ part1251,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup282,
+ ]),
+ });
+
+ var msg761 = msg("00257:18", all258);
+
+ var part1252 = match("MESSAGE#752:00257:06/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{p0}");
+
+ var part1253 = match("MESSAGE#752:00257:06/1_0", "nwparser.p0", "%{dport->} session_id=%{sessionid}");
+
+ var part1254 = match_copy("MESSAGE#752:00257:06/1_1", "nwparser.p0", "dport");
+
+ var select287 = linear_select([
+ part1253,
+ part1254,
+ ]);
+
+ var all259 = all_match({
+ processors: [
+ part1252,
+ select287,
+ ],
+ on_success: processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup276,
+ dup277,
+ ]),
+ });
+
+ var msg762 = msg("00257:06", all259);
+
+ var part1255 = match("MESSAGE#753:00257:07", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup282,
+ ]));
+
+ var msg763 = msg("00257:07", part1255);
+
+ var part1256 = match("MESSAGE#754:00257:08", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} tcp=%{icmptype}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup276,
+ dup277,
+ ]));
+
+ var msg764 = msg("00257:08", part1256);
+
+ var part1257 = match("MESSAGE#755:00257:09/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{p0}");
+
+ var part1258 = match("MESSAGE#755:00257:09/1_0", "nwparser.p0", "%{icmptype->} icmp code=%{icmpcode->} session_id=%{sessionid->} reason=%{result}");
+
+ var part1259 = match("MESSAGE#755:00257:09/1_1", "nwparser.p0", "%{icmptype->} session_id=%{sessionid}");
+
+ var part1260 = match_copy("MESSAGE#755:00257:09/1_2", "nwparser.p0", "icmptype");
+
+ var select288 = linear_select([
+ part1258,
+ part1259,
+ part1260,
+ ]);
+
+ var all260 = all_match({
+ processors: [
+ part1257,
+ select288,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup282,
+ ]),
+ });
+
+ var msg765 = msg("00257:09", all260);
+
+ var part1261 = match("MESSAGE#756:00257:10/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}");
+
+ var part1262 = match("MESSAGE#756:00257:10/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid}");
+
+ var select289 = linear_select([
+ part1262,
+ dup286,
+ ]);
+
+ var all261 = all_match({
+ processors: [
+ part1261,
+ select289,
+ ],
+ on_success: processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup276,
+ dup277,
+ ]),
+ });
+
+ var msg766 = msg("00257:10", all261);
+
+ var part1263 = match("MESSAGE#757:00257:11/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}");
+
+ var part1264 = match("MESSAGE#757:00257:11/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid->} reason=%{result}");
+
+ var select290 = linear_select([
+ part1264,
+ dup286,
+ ]);
+
+ var all262 = all_match({
+ processors: [
+ part1263,
+ select290,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup282,
+ ]),
+ });
+
+ var msg767 = msg("00257:11", all262);
+
+ var part1265 = match("MESSAGE#758:00257:12", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} type=%{fld3}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup282,
+ ]));
+
+ var msg768 = msg("00257:12", part1265);
+
+ var part1266 = match("MESSAGE#759:00257:13", "nwparser.payload", "start_time=\"%{fld2}", processor_chain([
+ dup281,
+ dup2,
+ dup3,
+ dup274,
+ dup4,
+ dup5,
+ ]));
+
+ var msg769 = msg("00257:13", part1266);
+
+ var select291 = linear_select([
+ msg750,
+ msg751,
+ msg752,
+ msg753,
+ msg754,
+ msg755,
+ msg756,
+ msg757,
+ msg758,
+ msg759,
+ msg760,
+ msg761,
+ msg762,
+ msg763,
+ msg764,
+ msg765,
+ msg766,
+ msg767,
+ msg768,
+ msg769,
+ ]);
+
+ var part1267 = match("MESSAGE#760:00259/1", "nwparser.p0", "user %{username->} has logged on via %{p0}");
+
+ var part1268 = match("MESSAGE#760:00259/2_0", "nwparser.p0", "the console %{p0}");
+
+ var select292 = linear_select([
+ part1268,
+ dup289,
+ dup241,
+ ]);
+
+ var part1269 = match("MESSAGE#760:00259/3", "nwparser.p0", "from %{saddr}:%{sport}");
+
+ var all263 = all_match({
+ processors: [
+ dup394,
+ part1267,
+ select292,
+ part1269,
+ ],
+ on_success: processor_chain([
+ dup28,
+ dup29,
+ dup30,
+ dup31,
+ dup32,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg770 = msg("00259", all263);
+
+ var part1270 = match("MESSAGE#761:00259:07/1", "nwparser.p0", "user %{administrator->} has logged out via %{logon_type->} from %{saddr}:%{sport}");
+
+ var all264 = all_match({
+ processors: [
+ dup394,
+ part1270,
+ ],
+ on_success: processor_chain([
+ dup33,
+ dup29,
+ dup34,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg771 = msg("00259:07", all264);
+
+ var part1271 = match("MESSAGE#762:00259:01", "nwparser.payload", "Management session via %{logon_type->} from %{saddr}:%{sport->} for [vsys] admin %{administrator->} has timed out", processor_chain([
+ dup290,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg772 = msg("00259:01", part1271);
+
+ var part1272 = match("MESSAGE#763:00259:02", "nwparser.payload", "Management session via %{logon_type->} for [ vsys ] admin %{administrator->} has timed out", processor_chain([
+ dup290,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg773 = msg("00259:02", part1272);
+
+ var part1273 = match("MESSAGE#764:00259:03", "nwparser.payload", "Login attempt to system by admin %{administrator->} via the %{logon_type->} has failed", processor_chain([
+ dup206,
+ dup29,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg774 = msg("00259:03", part1273);
+
+ var part1274 = match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{logon_type->} from %{saddr}:%{sport->} has failed", processor_chain([
+ dup206,
+ dup29,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg775 = msg("00259:04", part1274);
+
+ var part1275 = match("MESSAGE#766:00259:05/0", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the %{p0}");
+
+ var part1276 = match("MESSAGE#766:00259:05/1_2", "nwparser.p0", "Web %{p0}");
+
+ var select293 = linear_select([
+ dup241,
+ dup289,
+ part1276,
+ ]);
+
+ var part1277 = match("MESSAGE#766:00259:05/2", "nwparser.p0", "session on host %{daddr}:%{dport}");
+
+ var all265 = all_match({
+ processors: [
+ part1275,
+ select293,
+ part1277,
+ ],
+ on_success: processor_chain([
+ dup290,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg776 = msg("00259:05", all265);
+
+ var part1278 = match("MESSAGE#767:00259:06", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the serial console session.", processor_chain([
+ dup290,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg777 = msg("00259:06", part1278);
+
+ var select294 = linear_select([
+ msg770,
+ msg771,
+ msg772,
+ msg773,
+ msg774,
+ msg775,
+ msg776,
+ msg777,
+ ]);
+
+ var part1279 = match("MESSAGE#768:00262", "nwparser.payload", "Admin user %{administrator->} has been rejected via the %{logon_type->} server at %{hostip}", processor_chain([
+ dup290,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg778 = msg("00262", part1279);
+
+ var part1280 = match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} has been accepted via the %{logon_type->} server at %{hostip}", processor_chain([
+ setc("eventcategory","1401050100"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg779 = msg("00263", part1280);
+
+ var part1281 = match("MESSAGE#770:00400/0_0", "nwparser.payload", "ActiveX control %{p0}");
+
+ var part1282 = match("MESSAGE#770:00400/0_1", "nwparser.payload", "JAVA applet %{p0}");
+
+ var part1283 = match("MESSAGE#770:00400/0_2", "nwparser.payload", "EXE file %{p0}");
+
+ var part1284 = match("MESSAGE#770:00400/0_3", "nwparser.payload", "ZIP file %{p0}");
+
+ var select295 = linear_select([
+ part1281,
+ part1282,
+ part1283,
+ part1284,
+ ]);
+
+ var part1285 = match("MESSAGE#770:00400/1", "nwparser.p0", "has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{dinterface->} in zone %{dst_zone}. %{info}");
+
+ var all266 = all_match({
+ processors: [
+ select295,
+ part1285,
+ ],
+ on_success: processor_chain([
+ setc("eventcategory","1003000000"),
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup61,
+ ]),
+ });
+
+ var msg780 = msg("00400", all266);
+
+ var part1286 = match("MESSAGE#771:00401", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([
+ dup85,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup291,
+ ]));
+
+ var msg781 = msg("00401", part1286);
+
+ var part1287 = match("MESSAGE#772:00402", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([
+ dup85,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup292,
+ ]));
+
+ var msg782 = msg("00402", part1287);
+
+ var part1288 = match("MESSAGE#773:00402:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at %{p0}");
+
+ var part1289 = match("MESSAGE#773:00402:01/2", "nwparser.p0", "%{} %{interface->} in zone %{zone}. %{info}");
+
+ var all267 = all_match({
+ processors: [
+ part1288,
+ dup337,
+ part1289,
+ ],
+ on_success: processor_chain([
+ dup85,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup292,
+ ]),
+ });
+
+ var msg783 = msg("00402:01", all267);
+
+ var select296 = linear_select([
+ msg782,
+ msg783,
+ ]);
+
+ var part1290 = match("MESSAGE#774:00403", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([
+ dup85,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup291,
+ ]));
+
+ var msg784 = msg("00403", part1290);
+
+ var part1291 = match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([
+ dup147,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup292,
+ ]));
+
+ var msg785 = msg("00404", part1291);
+
+ var part1292 = match("MESSAGE#776:00405", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([
+ dup147,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup291,
+ ]));
+
+ var msg786 = msg("00405", part1292);
+
+ var msg787 = msg("00406", dup413);
+
+ var msg788 = msg("00407", dup413);
+
+ var msg789 = msg("00408", dup413);
+
+ var all268 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup293,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg790 = msg("00409", all268);
+
+ var msg791 = msg("00410", dup413);
+
+ var part1293 = match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup60,
+ ]));
+
+ var msg792 = msg("00410:01", part1293);
+
+ var select297 = linear_select([
+ msg791,
+ msg792,
+ ]);
+
+ var part1294 = match("MESSAGE#783:00411/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto TCP (zone %{zone->} %{p0}");
+
+ var all269 = all_match({
+ processors: [
+ part1294,
+ dup343,
+ dup293,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg793 = msg("00411", all269);
+
+ var part1295 = match("MESSAGE#784:00413/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at %{p0}");
+
+ var part1296 = match("MESSAGE#784:00413/2", "nwparser.p0", "%{} %{interface}.%{space}The attack occurred %{dclass_counter1->} times");
+
+ var all270 = all_match({
+ processors: [
+ part1295,
+ dup337,
+ part1296,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg794 = msg("00413", all270);
+
+ var part1297 = match("MESSAGE#785:00413:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}(zone %{group->} %{p0}");
+
+ var all271 = all_match({
+ processors: [
+ part1297,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ dup61,
+ ]),
+ });
+
+ var msg795 = msg("00413:01", all271);
+
+ var part1298 = match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup9,
+ ]));
+
+ var msg796 = msg("00413:02", part1298);
+
+ var select298 = linear_select([
+ msg794,
+ msg795,
+ msg796,
+ ]);
+
+ var part1299 = match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg797 = msg("00414", part1299);
+
+ var part1300 = match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg798 = msg("00414:01", part1300);
+
+ var select299 = linear_select([
+ msg797,
+ msg798,
+ ]);
+
+ var part1301 = match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg799 = msg("00415", part1301);
+
+ var all272 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup294,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg800 = msg("00423", all272);
+
+ var all273 = all_match({
+ processors: [
+ dup80,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup9,
+ dup59,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg801 = msg("00429", all273);
+
+ var all274 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup9,
+ dup59,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg802 = msg("00429:01", all274);
+
+ var select300 = linear_select([
+ msg801,
+ msg802,
+ ]);
+
+ var all275 = all_match({
+ processors: [
+ dup80,
+ dup343,
+ dup295,
+ dup351,
+ ],
+ on_success: processor_chain([
+ dup85,
+ dup2,
+ dup59,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg803 = msg("00430", all275);
+
+ var all276 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup295,
+ dup351,
+ ],
+ on_success: processor_chain([
+ dup85,
+ dup2,
+ dup59,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg804 = msg("00430:01", all276);
+
+ var select301 = linear_select([
+ msg803,
+ msg804,
+ ]);
+
+ var msg805 = msg("00431", dup414);
+
+ var msg806 = msg("00432", dup414);
+
+ var msg807 = msg("00433", dup415);
+
+ var msg808 = msg("00434", dup415);
+
+ var msg809 = msg("00435", dup395);
+
+ var all277 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup294,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup59,
+ dup5,
+ dup3,
+ dup60,
+ ]),
+ });
+
+ var msg810 = msg("00435:01", all277);
+
+ var select302 = linear_select([
+ msg809,
+ msg810,
+ ]);
+
+ var msg811 = msg("00436", dup395);
+
+ var all278 = all_match({
+ processors: [
+ dup64,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup9,
+ dup4,
+ dup5,
+ dup3,
+ dup60,
+ ]),
+ });
+
+ var msg812 = msg("00436:01", all278);
+
+ var select303 = linear_select([
+ msg811,
+ msg812,
+ ]);
+
+ var part1302 = match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg813 = msg("00437", part1302);
+
+ var all279 = all_match({
+ processors: [
+ dup299,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ dup9,
+ ]),
+ });
+
+ var msg814 = msg("00437:01", all279);
+
+ var part1303 = match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ dup9,
+ ]));
+
+ var msg815 = msg("00437:02", part1303);
+
+ var select304 = linear_select([
+ msg813,
+ msg814,
+ msg815,
+ ]);
+
+ var part1304 = match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg816 = msg("00438", part1304);
+
+ var part1305 = match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg817 = msg("00438:01", part1305);
+
+ var all280 = all_match({
+ processors: [
+ dup299,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ dup61,
+ ]),
+ });
+
+ var msg818 = msg("00438:02", all280);
+
+ var select305 = linear_select([
+ msg816,
+ msg817,
+ msg818,
+ ]);
+
+ var part1306 = match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ dup60,
+ ]));
+
+ var msg819 = msg("00440", part1306);
+
+ var part1307 = match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup4,
+ dup5,
+ dup3,
+ dup61,
+ ]));
+
+ var msg820 = msg("00440:02", part1307);
+
+ var all281 = all_match({
+ processors: [
+ dup239,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup4,
+ dup5,
+ dup3,
+ dup9,
+ dup61,
+ ]),
+ });
+
+ var msg821 = msg("00440:01", all281);
+
+ var part1308 = match("MESSAGE#812:00440:03/0", "nwparser.payload", "Fragmented traffic! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{group->} %{p0}");
+
+ var all282 = all_match({
+ processors: [
+ part1308,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup4,
+ dup5,
+ dup3,
+ dup9,
+ dup60,
+ ]),
+ });
+
+ var msg822 = msg("00440:03", all282);
+
+ var select306 = linear_select([
+ msg819,
+ msg820,
+ msg821,
+ msg822,
+ ]);
+
+ var part1309 = match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup4,
+ dup59,
+ dup5,
+ dup9,
+ dup2,
+ dup3,
+ dup60,
+ ]));
+
+ var msg823 = msg("00441", part1309);
+
+ var msg824 = msg("00442", dup396);
+
+ var msg825 = msg("00443", dup396);
+
+ var part1310 = match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued command %{fld2->} to redirect output.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg826 = msg("00511", part1310);
+
+ var part1311 = match("MESSAGE#817:00511:01/0", "nwparser.payload", "All System Config saved by admin %{p0}");
+
+ var all283 = all_match({
+ processors: [
+ part1311,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg827 = msg("00511:01", all283);
+
+ var part1312 = match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms are cleared by admin %{administrator}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg828 = msg("00511:02", part1312);
+
+ var part1313 = match("MESSAGE#819:00511:03/0", "nwparser.payload", "Get new software from flash to slot (file: %{fld2}) by admin %{p0}");
+
+ var all284 = all_match({
+ processors: [
+ part1313,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg829 = msg("00511:03", all284);
+
+ var part1314 = match("MESSAGE#820:00511:04/0", "nwparser.payload", "Get new software from %{hostip->} (file: %{fld2}) to slot (file: %{fld3}) by admin %{p0}");
+
+ var all285 = all_match({
+ processors: [
+ part1314,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg830 = msg("00511:04", all285);
+
+ var part1315 = match("MESSAGE#821:00511:05/0", "nwparser.payload", "Get new software to %{hostip->} (file: %{fld2}) by admin %{p0}");
+
+ var all286 = all_match({
+ processors: [
+ part1315,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg831 = msg("00511:05", all286);
+
+ var part1316 = match("MESSAGE#822:00511:06/0", "nwparser.payload", "Log setting is modified by admin %{p0}");
+
+ var all287 = all_match({
+ processors: [
+ part1316,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg832 = msg("00511:06", all287);
+
+ var part1317 = match("MESSAGE#823:00511:07/0", "nwparser.payload", "Save configuration to %{hostip->} (file: %{fld2}) by admin %{p0}");
+
+ var all288 = all_match({
+ processors: [
+ part1317,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg833 = msg("00511:07", all288);
+
+ var part1318 = match("MESSAGE#824:00511:08/0", "nwparser.payload", "Save new software from slot (file: %{fld2}) to flash by admin %{p0}");
+
+ var all289 = all_match({
+ processors: [
+ part1318,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg834 = msg("00511:08", all289);
+
+ var part1319 = match("MESSAGE#825:00511:09/0", "nwparser.payload", "Save new software from %{hostip->} (file: %{result}) to flash by admin %{p0}");
+
+ var all290 = all_match({
+ processors: [
+ part1319,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg835 = msg("00511:09", all290);
+
+ var part1320 = match("MESSAGE#826:00511:10/0", "nwparser.payload", "System Config from flash to slot - %{fld2->} by admin %{p0}");
+
+ var all291 = all_match({
+ processors: [
+ part1320,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg836 = msg("00511:10", all291);
+
+ var part1321 = match("MESSAGE#827:00511:11/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) to slot - %{fld3->} by admin %{p0}");
+
+ var all292 = all_match({
+ processors: [
+ part1321,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg837 = msg("00511:11", all292);
+
+ var part1322 = match("MESSAGE#828:00511:12/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) by admin %{p0}");
+
+ var all293 = all_match({
+ processors: [
+ part1322,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg838 = msg("00511:12", all293);
+
+ var part1323 = match("MESSAGE#829:00511:13/0", "nwparser.payload", "The system configuration was loaded from the slot by admin %{p0}");
+
+ var all294 = all_match({
+ processors: [
+ part1323,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg839 = msg("00511:13", all294);
+
+ var part1324 = match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS shared secret with invalid length %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg840 = msg("00511:14", part1324);
+
+ var select307 = linear_select([
+ msg826,
+ msg827,
+ msg828,
+ msg829,
+ msg830,
+ msg831,
+ msg832,
+ msg833,
+ msg834,
+ msg835,
+ msg836,
+ msg837,
+ msg838,
+ msg839,
+ msg840,
+ ]);
+
+ var part1325 = match("MESSAGE#831:00513/0", "nwparser.payload", "The physical state of %{p0}");
+
+ var part1326 = match("MESSAGE#831:00513/1_1", "nwparser.p0", "the Interface %{p0}");
+
+ var select308 = linear_select([
+ dup123,
+ part1326,
+ dup122,
+ ]);
+
+ var part1327 = match("MESSAGE#831:00513/2", "nwparser.p0", "%{interface->} has changed to %{p0}");
+
+ var part1328 = match("MESSAGE#831:00513/3_0", "nwparser.p0", "%{result}. (%{fld1})");
+
+ var part1329 = match_copy("MESSAGE#831:00513/3_1", "nwparser.p0", "result");
+
+ var select309 = linear_select([
+ part1328,
+ part1329,
+ ]);
+
+ var all295 = all_match({
+ processors: [
+ part1325,
+ select308,
+ part1327,
+ select309,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg841 = msg("00513", all295);
+
+ var part1330 = match("MESSAGE#832:00515/0_0", "nwparser.payload", "Vsys Admin %{p0}");
+
+ var select310 = linear_select([
+ part1330,
+ dup287,
+ ]);
+
+ var part1331 = match("MESSAGE#832:00515/1", "nwparser.p0", "%{administrator->} has logged on via the %{logon_type->} ( HTTP%{p0}");
+
+ var part1332 = match("MESSAGE#832:00515/2_1", "nwparser.p0", "S%{p0}");
+
+ var select311 = linear_select([
+ dup96,
+ part1332,
+ ]);
+
+ var part1333 = match("MESSAGE#832:00515/3", "nwparser.p0", "%{}) to port %{interface->} from %{saddr}:%{sport}");
+
+ var all296 = all_match({
+ processors: [
+ select310,
+ part1331,
+ select311,
+ part1333,
+ ],
+ on_success: processor_chain([
+ dup301,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg842 = msg("00515", all296);
+
+ var part1334 = match("MESSAGE#833:00515:01/0", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{p0}");
+
+ var part1335 = match("MESSAGE#833:00515:01/1_0", "nwparser.p0", "the %{logon_type->} has failed %{p0}");
+
+ var part1336 = match("MESSAGE#833:00515:01/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} has failed %{p0}");
+
+ var select312 = linear_select([
+ part1335,
+ part1336,
+ ]);
+
+ var part1337 = match_copy("MESSAGE#833:00515:01/2", "nwparser.p0", "fld2");
+
+ var all297 = all_match({
+ processors: [
+ part1334,
+ select312,
+ part1337,
+ ],
+ on_success: processor_chain([
+ dup206,
+ dup29,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup4,
+ dup5,
+ dup302,
+ dup3,
+ ]),
+ });
+
+ var msg843 = msg("00515:01", all297);
+
+ var part1338 = match("MESSAGE#834:00515:02/0", "nwparser.payload", "Management session via %{p0}");
+
+ var part1339 = match("MESSAGE#834:00515:02/1_0", "nwparser.p0", "the %{logon_type->} for %{p0}");
+
+ var part1340 = match("MESSAGE#834:00515:02/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} for %{p0}");
+
+ var select313 = linear_select([
+ part1339,
+ part1340,
+ ]);
+
+ var part1341 = match("MESSAGE#834:00515:02/2_0", "nwparser.p0", "[vsys] admin %{p0}");
+
+ var part1342 = match("MESSAGE#834:00515:02/2_1", "nwparser.p0", "vsys admin %{p0}");
+
+ var select314 = linear_select([
+ part1341,
+ part1342,
+ dup15,
+ ]);
+
+ var part1343 = match("MESSAGE#834:00515:02/3", "nwparser.p0", "%{administrator->} has timed out");
+
+ var all298 = all_match({
+ processors: [
+ part1338,
+ select313,
+ select314,
+ part1343,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg844 = msg("00515:02", all298);
+
+ var part1344 = match("MESSAGE#835:00515:04/0_0", "nwparser.payload", "[Vsys] %{p0}");
+
+ var part1345 = match("MESSAGE#835:00515:04/0_1", "nwparser.payload", "Vsys %{p0}");
+
+ var select315 = linear_select([
+ part1344,
+ part1345,
+ ]);
+
+ var part1346 = match("MESSAGE#835:00515:04/1", "nwparser.p0", "Admin %{administrator->} has logged o%{p0}");
+
+ var part1347 = match_copy("MESSAGE#835:00515:04/4_1", "nwparser.p0", "logon_type");
+
+ var select316 = linear_select([
+ dup304,
+ part1347,
+ ]);
+
+ var all299 = all_match({
+ processors: [
+ select315,
+ part1346,
+ dup398,
+ dup40,
+ select316,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg845 = msg("00515:04", all299);
+
+ var part1348 = match("MESSAGE#836:00515:06", "nwparser.payload", "Admin User %{administrator->} has logged on via %{logon_type->} from %{saddr}:%{sport}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg846 = msg("00515:06", part1348);
+
+ var part1349 = match("MESSAGE#837:00515:05/0", "nwparser.payload", "%{}Admin %{p0}");
+
+ var select317 = linear_select([
+ dup305,
+ dup16,
+ ]);
+
+ var part1350 = match("MESSAGE#837:00515:05/2", "nwparser.p0", "%{administrator->} has logged o%{p0}");
+
+ var part1351 = match("MESSAGE#837:00515:05/5_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{fld2})");
+
+ var select318 = linear_select([
+ dup306,
+ part1351,
+ dup304,
+ ]);
+
+ var all300 = all_match({
+ processors: [
+ part1349,
+ select317,
+ part1350,
+ dup398,
+ dup40,
+ select318,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg847 = msg("00515:05", all300);
+
+ var part1352 = match("MESSAGE#838:00515:07", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(http) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg848 = msg("00515:07", part1352);
+
+ var part1353 = match("MESSAGE#839:00515:08/0", "nwparser.payload", "%{fld2->} Admin User \"%{administrator}\" logged in for %{logon_type}(http%{p0}");
+
+ var part1354 = match("MESSAGE#839:00515:08/1_0", "nwparser.p0", ") %{p0}");
+
+ var part1355 = match("MESSAGE#839:00515:08/1_1", "nwparser.p0", "s) %{p0}");
+
+ var select319 = linear_select([
+ part1354,
+ part1355,
+ ]);
+
+ var part1356 = match("MESSAGE#839:00515:08/2", "nwparser.p0", "management (port %{network_port}) from %{saddr}:%{sport}");
+
+ var all301 = all_match({
+ processors: [
+ part1353,
+ select319,
+ part1356,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg849 = msg("00515:08", all301);
+
+ var part1357 = match("MESSAGE#840:00515:09", "nwparser.payload", "User %{username->} telnet management session from (%{saddr}:%{sport}) timed out", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg850 = msg("00515:09", part1357);
+
+ var part1358 = match("MESSAGE#841:00515:10", "nwparser.payload", "User %{username->} logged out of telnet session from %{saddr}:%{sport}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg851 = msg("00515:10", part1358);
+
+ var part1359 = match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on zone %{zone}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg852 = msg("00515:11", part1359);
+
+ var part1360 = match("MESSAGE#843:00515:12/0", "nwparser.payload", "[ Vsys ] Admin User \"%{administrator}\" logged in for Web( http%{p0}");
+
+ var part1361 = match("MESSAGE#843:00515:12/2", "nwparser.p0", ") management (port %{network_port})");
+
+ var all302 = all_match({
+ processors: [
+ part1360,
+ dup399,
+ part1361,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg853 = msg("00515:12", all302);
+
+ var select320 = linear_select([
+ dup288,
+ dup287,
+ ]);
+
+ var part1362 = match("MESSAGE#844:00515:13/1", "nwparser.p0", "user %{administrator->} has logged o%{p0}");
+
+ var select321 = linear_select([
+ dup306,
+ dup304,
+ ]);
+
+ var all303 = all_match({
+ processors: [
+ select320,
+ part1362,
+ dup398,
+ dup40,
+ select321,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg854 = msg("00515:13", all303);
+
+ var part1363 = match("MESSAGE#845:00515:14/0_0", "nwparser.payload", "Admin user %{administrator->} has been forced to log o%{p0}");
+
+ var part1364 = match("MESSAGE#845:00515:14/0_1", "nwparser.payload", "%{username->} %{fld1->} has been forced to log o%{p0}");
+
+ var select322 = linear_select([
+ part1363,
+ part1364,
+ ]);
+
+ var part1365 = match("MESSAGE#845:00515:14/2", "nwparser.p0", "of the %{p0}");
+
+ var part1366 = match("MESSAGE#845:00515:14/3_0", "nwparser.p0", "serial %{logon_type->} session.");
+
+ var part1367 = match("MESSAGE#845:00515:14/3_1", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port->} (%{event_time})");
+
+ var part1368 = match("MESSAGE#845:00515:14/3_2", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port}");
+
+ var select323 = linear_select([
+ part1366,
+ part1367,
+ part1368,
+ ]);
+
+ var all304 = all_match({
+ processors: [
+ select322,
+ dup398,
+ part1365,
+ select323,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg855 = msg("00515:14", all304);
+
+ var part1369 = match("MESSAGE#846:00515:15/0", "nwparser.payload", "%{fld2}: Admin User %{administrator->} has logged o%{p0}");
+
+ var part1370 = match("MESSAGE#846:00515:15/3_0", "nwparser.p0", "the %{logon_type->} (%{p0}");
+
+ var part1371 = match("MESSAGE#846:00515:15/3_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{p0}");
+
+ var select324 = linear_select([
+ part1370,
+ part1371,
+ ]);
+
+ var all305 = all_match({
+ processors: [
+ part1369,
+ dup398,
+ dup40,
+ select324,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg856 = msg("00515:15", all305);
+
+ var part1372 = match("MESSAGE#847:00515:16/0_0", "nwparser.payload", "%{fld2}: Admin %{p0}");
+
+ var select325 = linear_select([
+ part1372,
+ dup287,
+ ]);
+
+ var part1373 = match("MESSAGE#847:00515:16/1", "nwparser.p0", "user %{administrator->} attempt access to %{url->} illegal from %{logon_type}( http%{p0}");
+
+ var part1374 = match("MESSAGE#847:00515:16/3", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}. (%{fld1})");
+
+ var all306 = all_match({
+ processors: [
+ select325,
+ part1373,
+ dup399,
+ part1374,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg857 = msg("00515:16", all306);
+
+ var part1375 = match("MESSAGE#848:00515:17/0", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{p0}");
+
+ var part1376 = match("MESSAGE#848:00515:17/1_0", "nwparser.p0", "https %{p0}");
+
+ var part1377 = match("MESSAGE#848:00515:17/1_1", "nwparser.p0", " http %{p0}");
+
+ var select326 = linear_select([
+ part1376,
+ part1377,
+ ]);
+
+ var part1378 = match("MESSAGE#848:00515:17/2", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}");
+
+ var all307 = all_match({
+ processors: [
+ part1375,
+ select326,
+ part1378,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg858 = msg("00515:17", all307);
+
+ var part1379 = match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(https) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg859 = msg("00515:18", part1379);
+
+ var part1380 = match("MESSAGE#850:00515:19/0", "nwparser.payload", "Vsys admin user %{administrator->} logged on via %{p0}");
+
+ var part1381 = match("MESSAGE#850:00515:19/1_0", "nwparser.p0", "%{logon_type->} from remote IP address %{saddr->} using port %{sport}. (%{p0}");
+
+ var part1382 = match("MESSAGE#850:00515:19/1_1", "nwparser.p0", "the console. (%{p0}");
+
+ var select327 = linear_select([
+ part1381,
+ part1382,
+ ]);
+
+ var all308 = all_match({
+ processors: [
+ part1380,
+ select327,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg860 = msg("00515:19", all308);
+
+ var part1383 = match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session via SCS from %{saddr}:%{sport->} for admin netscreen has timed out (%{fld1})", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg861 = msg("00515:20", part1383);
+
+ var select328 = linear_select([
+ msg842,
+ msg843,
+ msg844,
+ msg845,
+ msg846,
+ msg847,
+ msg848,
+ msg849,
+ msg850,
+ msg851,
+ msg852,
+ msg853,
+ msg854,
+ msg855,
+ msg856,
+ msg857,
+ msg858,
+ msg859,
+ msg860,
+ msg861,
+ ]);
+
+ var part1384 = match("MESSAGE#852:00518", "nwparser.payload", "Admin user %{administrator->} %{fld1}at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg862 = msg("00518", part1384);
+
+ var part1385 = match("MESSAGE#853:00518:17", "nwparser.payload", "Admin user %{administrator->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg863 = msg("00518:17", part1385);
+
+ var part1386 = match("MESSAGE#854:00518:01", "nwparser.payload", "Local authentication for WebAuth user %{username->} was %{disposition}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg864 = msg("00518:01", part1386);
+
+ var part1387 = match("MESSAGE#855:00518:02", "nwparser.payload", "Local authentication for user %{username->} was %{disposition}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg865 = msg("00518:02", part1387);
+
+ var part1388 = match("MESSAGE#856:00518:03", "nwparser.payload", "User %{username->} at %{saddr->} must enter \"Next Code\" for SecurID %{hostip}", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg866 = msg("00518:03", part1388);
+
+ var part1389 = match("MESSAGE#857:00518:04", "nwparser.payload", "WebAuth user %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([
+ dup203,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg867 = msg("00518:04", part1389);
+
+ var part1390 = match("MESSAGE#858:00518:05", "nwparser.payload", "User %{username->} at %{saddr->} has been challenged via the %{authmethod->} server at %{hostip->} (Rejected since challenge is not supported for %{logon_type})", processor_chain([
+ dup203,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg868 = msg("00518:05", part1390);
+
+ var part1391 = match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for WebAuth user %{username}", processor_chain([
+ dup35,
+ dup29,
+ dup31,
+ dup54,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg869 = msg("00518:06", part1391);
+
+ var part1392 = match("MESSAGE#860:00518:07/0", "nwparser.payload", "Authentication for user %{username->} was denied (long %{p0}");
+
+ var part1393 = match("MESSAGE#860:00518:07/1_1", "nwparser.p0", "username %{p0}");
+
+ var select329 = linear_select([
+ dup24,
+ part1393,
+ ]);
+
+ var part1394 = match("MESSAGE#860:00518:07/2", "nwparser.p0", ")%{}");
+
+ var all309 = all_match({
+ processors: [
+ part1392,
+ select329,
+ part1394,
+ ],
+ on_success: processor_chain([
+ dup53,
+ dup29,
+ dup31,
+ dup54,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg870 = msg("00518:07", all309);
+
+ var part1395 = match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr->} %{authmethod->} authentication attempt has timed out", processor_chain([
+ dup35,
+ dup29,
+ dup31,
+ dup39,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg871 = msg("00518:08", part1395);
+
+ var part1396 = match("MESSAGE#862:00518:09", "nwparser.payload", "User %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([
+ dup203,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg872 = msg("00518:09", part1396);
+
+ var part1397 = match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed due to %{result}. (%{fld1})", processor_chain([
+ dup206,
+ dup29,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup4,
+ dup9,
+ dup5,
+ dup3,
+ dup302,
+ ]));
+
+ var msg873 = msg("00518:10", part1397);
+
+ var part1398 = match("MESSAGE#864:00518:11/0", "nwparser.payload", "ADM: Local admin authentication failed for login name %{p0}");
+
+ var part1399 = match("MESSAGE#864:00518:11/1_0", "nwparser.p0", "'%{username}': %{p0}");
+
+ var part1400 = match("MESSAGE#864:00518:11/1_1", "nwparser.p0", "%{username}: %{p0}");
+
+ var select330 = linear_select([
+ part1399,
+ part1400,
+ ]);
+
+ var part1401 = match("MESSAGE#864:00518:11/2", "nwparser.p0", "%{result->} (%{fld1})");
+
+ var all310 = all_match({
+ processors: [
+ part1398,
+ select330,
+ part1401,
+ ],
+ on_success: processor_chain([
+ dup206,
+ dup29,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup9,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg874 = msg("00518:11", all310);
+
+ var part1402 = match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([
+ dup240,
+ dup2,
+ dup4,
+ dup9,
+ dup5,
+ dup3,
+ ]));
+
+ var msg875 = msg("00518:12", part1402);
+
+ var part1403 = match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr->} is rejected by the Radius server at %{hostip}. (%{fld1})", processor_chain([
+ dup290,
+ dup2,
+ dup3,
+ dup4,
+ dup9,
+ dup5,
+ ]));
+
+ var msg876 = msg("00518:13", part1403);
+
+ var part1404 = match("MESSAGE#867:00518:14", "nwparser.payload", "%{fld2}: Admin user has been rejected via the Radius server at %{hostip->} (%{fld1})", processor_chain([
+ dup290,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg877 = msg("00518:14", part1404);
+
+ var select331 = linear_select([
+ msg862,
+ msg863,
+ msg864,
+ msg865,
+ msg866,
+ msg867,
+ msg868,
+ msg869,
+ msg870,
+ msg871,
+ msg872,
+ msg873,
+ msg874,
+ msg875,
+ msg876,
+ msg877,
+ ]);
+
+ var part1405 = match("MESSAGE#868:00519/0", "nwparser.payload", "Admin user %{administrator->} %{p0}");
+
+ var part1406 = match("MESSAGE#868:00519/1_1", "nwparser.p0", "of group %{group->} at %{saddr->} has %{p0}");
+
+ var part1407 = match("MESSAGE#868:00519/1_2", "nwparser.p0", "%{group->} at %{saddr->} has %{p0}");
+
+ var select332 = linear_select([
+ dup194,
+ part1406,
+ part1407,
+ ]);
+
+ var part1408 = match("MESSAGE#868:00519/2", "nwparser.p0", "been %{disposition->} via the %{logon_type->} server %{p0}");
+
+ var part1409 = match("MESSAGE#868:00519/3_0", "nwparser.p0", "at %{p0}");
+
+ var select333 = linear_select([
+ part1409,
+ dup16,
+ ]);
+
+ var part1410 = match("MESSAGE#868:00519/4", "nwparser.p0", "%{hostip}");
+
+ var all311 = all_match({
+ processors: [
+ part1405,
+ select332,
+ part1408,
+ select333,
+ part1410,
+ ],
+ on_success: processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg878 = msg("00519", all311);
+
+ var part1411 = match("MESSAGE#869:00519:01/0", "nwparser.payload", "Local authentication for %{p0}");
+
+ var select334 = linear_select([
+ dup307,
+ dup305,
+ ]);
+
+ var part1412 = match("MESSAGE#869:00519:01/2", "nwparser.p0", "%{username->} was %{disposition}");
+
+ var all312 = all_match({
+ processors: [
+ part1411,
+ select334,
+ part1412,
+ ],
+ on_success: processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg879 = msg("00519:01", all312);
+
+ var part1413 = match("MESSAGE#870:00519:02/1_1", "nwparser.p0", "User %{p0}");
+
+ var select335 = linear_select([
+ dup307,
+ part1413,
+ ]);
+
+ var part1414 = match("MESSAGE#870:00519:02/2", "nwparser.p0", "%{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}");
+
+ var all313 = all_match({
+ processors: [
+ dup160,
+ select335,
+ part1414,
+ ],
+ on_success: processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg880 = msg("00519:02", all313);
+
+ var part1415 = match("MESSAGE#871:00519:03", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{fld4}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg881 = msg("00519:03", part1415);
+
+ var part1416 = match("MESSAGE#872:00519:04", "nwparser.payload", "ADM: Local admin authentication successful for login name %{username->} (%{fld1})", processor_chain([
+ dup240,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg882 = msg("00519:04", part1416);
+
+ var part1417 = match("MESSAGE#873:00519:05", "nwparser.payload", "%{fld2}Admin user %{administrator->} has been accepted via the Radius server at %{hostip}(%{fld1})", processor_chain([
+ dup240,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg883 = msg("00519:05", part1417);
+
+ var select336 = linear_select([
+ msg878,
+ msg879,
+ msg880,
+ msg881,
+ msg882,
+ msg883,
+ ]);
+
+ var part1418 = match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authentication attempt has timed out", processor_chain([
+ dup35,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg884 = msg("00520", part1418);
+
+ var part1419 = match("MESSAGE#875:00520:01/0", "nwparser.payload", "User %{username->} at %{hostip->} %{p0}");
+
+ var part1420 = match("MESSAGE#875:00520:01/1_0", "nwparser.p0", "RADIUS %{p0}");
+
+ var part1421 = match("MESSAGE#875:00520:01/1_1", "nwparser.p0", "SecurID %{p0}");
+
+ var part1422 = match("MESSAGE#875:00520:01/1_2", "nwparser.p0", "LDAP %{p0}");
+
+ var part1423 = match("MESSAGE#875:00520:01/1_3", "nwparser.p0", "Local %{p0}");
+
+ var select337 = linear_select([
+ part1420,
+ part1421,
+ part1422,
+ part1423,
+ ]);
+
+ var part1424 = match("MESSAGE#875:00520:01/2", "nwparser.p0", "authentication attempt has timed out%{}");
+
+ var all314 = all_match({
+ processors: [
+ part1419,
+ select337,
+ part1424,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup31,
+ dup39,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg885 = msg("00520:01", all314);
+
+ var part1425 = match("MESSAGE#876:00520:02/0", "nwparser.payload", "Trying %{p0}");
+
+ var part1426 = match("MESSAGE#876:00520:02/2", "nwparser.p0", "server %{fld2}");
+
+ var all315 = all_match({
+ processors: [
+ part1425,
+ dup400,
+ part1426,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg886 = msg("00520:02", all315);
+
+ var part1427 = match("MESSAGE#877:00520:03/1_0", "nwparser.p0", "Primary %{p0}");
+
+ var part1428 = match("MESSAGE#877:00520:03/1_1", "nwparser.p0", "Backup1 %{p0}");
+
+ var part1429 = match("MESSAGE#877:00520:03/1_2", "nwparser.p0", "Backup2 %{p0}");
+
+ var select338 = linear_select([
+ part1427,
+ part1428,
+ part1429,
+ ]);
+
+ var part1430 = match("MESSAGE#877:00520:03/2", "nwparser.p0", "%{fld2}, %{p0}");
+
+ var part1431 = match("MESSAGE#877:00520:03/4", "nwparser.p0", "%{fld3}, and %{p0}");
+
+ var part1432 = match("MESSAGE#877:00520:03/6", "nwparser.p0", "%{fld4->} servers failed");
+
+ var all316 = all_match({
+ processors: [
+ dup160,
+ select338,
+ part1430,
+ dup400,
+ part1431,
+ dup400,
+ part1432,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg887 = msg("00520:03", all316);
+
+ var part1433 = match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hostip->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg888 = msg("00520:04", part1433);
+
+ var part1434 = match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: New requests for %{fld31->} server will try %{fld32->} from now on. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg889 = msg("00520:05", part1434);
+
+ var select339 = linear_select([
+ msg884,
+ msg885,
+ msg886,
+ msg887,
+ msg888,
+ msg889,
+ ]);
+
+ var part1435 = match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server %{hostip}", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg890 = msg("00521", part1435);
+
+ var part1436 = match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg891 = msg("00522", part1436);
+
+ var part1437 = match("MESSAGE#881:00523", "nwparser.payload", "URL filtering received an error from %{fld2->} (error %{resultcode}).", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg892 = msg("00523", part1437);
+
+ var part1438 = match("MESSAGE#882:00524", "nwparser.payload", "NetScreen device at %{hostip}:%{network_port->} has responded successfully to SNMP request from %{saddr}:%{sport}", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg893 = msg("00524", part1438);
+
+ var part1439 = match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown SNMP community public at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg894 = msg("00524:02", part1439);
+
+ var part1440 = match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has responded successfully to the SNMP request from %{saddr}:%{sport}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg895 = msg("00524:03", part1440);
+
+ var part1441 = match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown SNMP community admin at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg896 = msg("00524:04", part1441);
+
+ var part1442 = match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg897 = msg("00524:05", part1442);
+
+ var part1443 = match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been received from an unknown host in SNMP community %{fld2->} at %{hostip}:%{network_port}. (%{fld1})", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg898 = msg("00524:06", part1443);
+
+ var part1444 = match("MESSAGE#888:00524:12", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{saddr}:%{sport->} to %{daddr}:%{dport->} has been received", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]));
+
+ var msg899 = msg("00524:12", part1444);
+
+ var part1445 = match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{sport->} has been received, but the SNMP version type is incorrect. (%{fld1})", processor_chain([
+ dup19,
+ dup2,
+ dup4,
+ setc("result","the SNMP version type is incorrect"),
+ dup5,
+ dup9,
+ ]));
+
+ var msg900 = msg("00524:14", part1445);
+
+ var part1446 = match("MESSAGE#890:00524:13/0", "nwparser.payload", "SNMP request has been received%{p0}");
+
+ var part1447 = match("MESSAGE#890:00524:13/2", "nwparser.p0", "%{}but %{result}");
+
+ var all317 = all_match({
+ processors: [
+ part1446,
+ dup401,
+ part1447,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg901 = msg("00524:13", all317);
+
+ var part1448 = match("MESSAGE#891:00524:07", "nwparser.payload", "Response to SNMP request from %{saddr}:%{sport->} to %{daddr}:%{dport->} has %{disposition->} due to %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]));
+
+ var msg902 = msg("00524:07", part1448);
+
+ var part1449 = match("MESSAGE#892:00524:08", "nwparser.payload", "SNMP community %{fld2->} cannot be added because %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]));
+
+ var msg903 = msg("00524:08", part1449);
+
+ var part1450 = match("MESSAGE#893:00524:09", "nwparser.payload", "SNMP host %{hostip->} cannot be added to community %{fld2->} because of %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]));
+
+ var msg904 = msg("00524:09", part1450);
+
+ var part1451 = match("MESSAGE#894:00524:10", "nwparser.payload", "SNMP host %{hostip->} cannot be added because %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]));
+
+ var msg905 = msg("00524:10", part1451);
+
+ var part1452 = match("MESSAGE#895:00524:11", "nwparser.payload", "SNMP host %{hostip->} cannot be removed from community %{fld2->} because %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]));
+
+ var msg906 = msg("00524:11", part1452);
+
+ var part1453 = match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34->} doesn't exist. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg907 = msg("00524:16", part1453);
+
+ var select340 = linear_select([
+ msg893,
+ msg894,
+ msg895,
+ msg896,
+ msg897,
+ msg898,
+ msg899,
+ msg900,
+ msg901,
+ msg902,
+ msg903,
+ msg904,
+ msg905,
+ msg906,
+ msg907,
+ ]);
+
+ var part1454 = match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username->} at %{hostip->} has been %{disposition->} by SecurID %{fld2}", processor_chain([
+ dup203,
+ setc("ec_subject","Password"),
+ dup38,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg908 = msg("00525", part1454);
+
+ var part1455 = match("MESSAGE#897:00525:01", "nwparser.payload", "User %{username->} at %{hostip->} has selected a system-generated PIN for authentication with SecurID %{fld2}", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg909 = msg("00525:01", part1455);
+
+ var part1456 = match("MESSAGE#898:00525:02", "nwparser.payload", "User %{username->} at %{hostip->} must enter the \"new PIN\" for SecurID %{fld2}", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg910 = msg("00525:02", part1456);
+
+ var part1457 = match("MESSAGE#899:00525:03", "nwparser.payload", "User %{username->} at %{hostip->} must make a \"New PIN\" choice for SecurID %{fld2}", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg911 = msg("00525:03", part1457);
+
+ var select341 = linear_select([
+ msg908,
+ msg909,
+ msg910,
+ msg911,
+ ]);
+
+ var part1458 = match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded and %{hostip->} cannot be added", processor_chain([
+ dup37,
+ dup219,
+ dup38,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg912 = msg("00526", part1458);
+
+ var part1459 = match("MESSAGE#901:00527/0", "nwparser.payload", "A DHCP-%{p0}");
+
+ var part1460 = match("MESSAGE#901:00527/1_1", "nwparser.p0", " assigned %{p0}");
+
+ var select342 = linear_select([
+ dup311,
+ part1460,
+ ]);
+
+ var part1461 = match("MESSAGE#901:00527/2", "nwparser.p0", "IP address %{hostip->} has been %{p0}");
+
+ var part1462 = match("MESSAGE#901:00527/3_1", "nwparser.p0", "freed from %{p0}");
+
+ var part1463 = match("MESSAGE#901:00527/3_2", "nwparser.p0", "freed %{p0}");
+
+ var select343 = linear_select([
+ dup312,
+ part1462,
+ part1463,
+ ]);
+
+ var all318 = all_match({
+ processors: [
+ part1459,
+ select342,
+ part1461,
+ select343,
+ dup108,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg913 = msg("00527", all318);
+
+ var part1464 = match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address has been manually released%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg914 = msg("00527:01", part1464);
+
+ var part1465 = match("MESSAGE#903:00527:02/0", "nwparser.payload", "DHCP server has %{p0}");
+
+ var part1466 = match("MESSAGE#903:00527:02/1_1", "nwparser.p0", "released %{p0}");
+
+ var part1467 = match("MESSAGE#903:00527:02/1_2", "nwparser.p0", "assigned or released %{p0}");
+
+ var select344 = linear_select([
+ dup311,
+ part1466,
+ part1467,
+ ]);
+
+ var part1468 = match("MESSAGE#903:00527:02/2", "nwparser.p0", "an IP address%{}");
+
+ var all319 = all_match({
+ processors: [
+ part1465,
+ select344,
+ part1468,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg915 = msg("00527:02", all319);
+
+ var part1469 = match("MESSAGE#904:00527:03", "nwparser.payload", "MAC address %{macaddr->} has detected an IP conflict and has declined address %{hostip}", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg916 = msg("00527:03", part1469);
+
+ var part1470 = match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP addresses have been manually released.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg917 = msg("00527:04", part1470);
+
+ var part1471 = match("MESSAGE#906:00527:05/2", "nwparser.p0", "%{} %{interface->} is more than %{fld2->} allocated.");
+
+ var all320 = all_match({
+ processors: [
+ dup210,
+ dup337,
+ part1471,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg918 = msg("00527:05", all320);
+
+ var part1472 = match("MESSAGE#907:00527:06/0", "nwparser.payload", "IP address %{hostip->} %{p0}");
+
+ var select345 = linear_select([
+ dup106,
+ dup127,
+ ]);
+
+ var part1473 = match("MESSAGE#907:00527:06/3_1", "nwparser.p0", "released from %{p0}");
+
+ var select346 = linear_select([
+ dup312,
+ part1473,
+ ]);
+
+ var part1474 = match("MESSAGE#907:00527:06/4", "nwparser.p0", "%{fld2->} (%{fld1})");
+
+ var all321 = all_match({
+ processors: [
+ part1472,
+ select345,
+ dup23,
+ select346,
+ part1474,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg919 = msg("00527:06", all321);
+
+ var part1475 = match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have expired. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg920 = msg("00527:07", part1475);
+
+ var part1476 = match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{interface->} received %{protocol_detail->} from %{smacaddr->} requesting out-of-scope IP address %{hostip}/%{mask->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg921 = msg("00527:08", part1476);
+
+ var part1477 = match("MESSAGE#910:00527:09/0", "nwparser.payload", "MAC address %{macaddr->} has %{disposition->} %{p0}");
+
+ var part1478 = match("MESSAGE#910:00527:09/1_0", "nwparser.p0", "address %{hostip->} (%{p0}");
+
+ var part1479 = match("MESSAGE#910:00527:09/1_1", "nwparser.p0", "%{hostip->} (%{p0}");
+
+ var select347 = linear_select([
+ part1478,
+ part1479,
+ ]);
+
+ var all322 = all_match({
+ processors: [
+ part1477,
+ select347,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg922 = msg("00527:09", all322);
+
+ var part1480 = match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are expired. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg923 = msg("00527:10", part1480);
+
+ var select348 = linear_select([
+ msg913,
+ msg914,
+ msg915,
+ msg916,
+ msg917,
+ msg918,
+ msg919,
+ msg920,
+ msg921,
+ msg922,
+ msg923,
+ ]);
+
+ var part1481 = match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenticated using password :", processor_chain([
+ setc("eventcategory","1302010000"),
+ dup29,
+ dup31,
+ dup32,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg924 = msg("00528", part1481);
+
+ var part1482 = match("MESSAGE#913:00528:01", "nwparser.payload", "SCS: Connection terminated for user %{username->} from", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg925 = msg("00528:01", part1482);
+
+ var part1483 = match("MESSAGE#914:00528:02", "nwparser.payload", "SCS: Disabled for all root/vsys on device. Client host attempting connection to interface '%{interface}' with address %{hostip->} from %{saddr}", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg926 = msg("00528:02", part1483);
+
+ var part1484 = match("MESSAGE#915:00528:03", "nwparser.payload", "SSH: NetScreen device %{disposition->} to identify itself to the SSH client at %{hostip}", processor_chain([
+ dup203,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg927 = msg("00528:03", part1484);
+
+ var part1485 = match("MESSAGE#916:00528:04", "nwparser.payload", "SSH: Incompatible SSH version string has been received from SSH client at %{hostip}", processor_chain([
+ dup203,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg928 = msg("00528:04", part1485);
+
+ var part1486 = match("MESSAGE#917:00528:05", "nwparser.payload", "SSH: %{disposition->} to send identification string to client host at %{hostip}", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg929 = msg("00528:05", part1486);
+
+ var part1487 = match("MESSAGE#918:00528:06", "nwparser.payload", "SSH: Client at %{saddr->} attempted to connect with invalid version string.", processor_chain([
+ dup313,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("result","invalid version string"),
+ ]));
+
+ var msg930 = msg("00528:06", part1487);
+
+ var part1488 = match("MESSAGE#919:00528:07/0", "nwparser.payload", "SSH: %{disposition->} to negotiate %{p0}");
+
+ var part1489 = match("MESSAGE#919:00528:07/1_1", "nwparser.p0", "MAC %{p0}");
+
+ var part1490 = match("MESSAGE#919:00528:07/1_2", "nwparser.p0", "key exchange %{p0}");
+
+ var part1491 = match("MESSAGE#919:00528:07/1_3", "nwparser.p0", "host key %{p0}");
+
+ var select349 = linear_select([
+ dup88,
+ part1489,
+ part1490,
+ part1491,
+ ]);
+
+ var part1492 = match("MESSAGE#919:00528:07/2", "nwparser.p0", "algorithm with host %{hostip}");
+
+ var all323 = all_match({
+ processors: [
+ part1488,
+ select349,
+ part1492,
+ ],
+ on_success: processor_chain([
+ dup314,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg931 = msg("00528:07", all323);
+
+ var part1493 = match("MESSAGE#920:00528:08", "nwparser.payload", "SSH: Unsupported cipher type %{fld2->} requested from %{saddr}", processor_chain([
+ dup314,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg932 = msg("00528:08", part1493);
+
+ var part1494 = match("MESSAGE#921:00528:09", "nwparser.payload", "SSH: Host client has requested NO cipher from %{saddr}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg933 = msg("00528:09", part1494);
+
+ var part1495 = match("MESSAGE#922:00528:10", "nwparser.payload", "SSH: Disabled for '%{vsys}'. Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg934 = msg("00528:10", part1495);
+
+ var part1496 = match("MESSAGE#923:00528:11", "nwparser.payload", "SSH: Disabled for %{fld2->} Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg935 = msg("00528:11", part1496);
+
+ var part1497 = match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} at %{saddr->} tried unsuccessfully to log in to %{vsys->} using the shared untrusted interface. SSH disabled on that interface.", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ setc("disposition","disabled"),
+ ]));
+
+ var msg936 = msg("00528:12", part1497);
+
+ var part1498 = match("MESSAGE#925:00528:13/0", "nwparser.payload", "SSH: SSH client at %{saddr->} tried unsuccessfully to %{p0}");
+
+ var part1499 = match("MESSAGE#925:00528:13/1_0", "nwparser.p0", "make %{p0}");
+
+ var part1500 = match("MESSAGE#925:00528:13/1_1", "nwparser.p0", "establish %{p0}");
+
+ var select350 = linear_select([
+ part1499,
+ part1500,
+ ]);
+
+ var part1501 = match("MESSAGE#925:00528:13/2", "nwparser.p0", "an SSH connection to %{p0}");
+
+ var part1502 = match("MESSAGE#925:00528:13/4", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} SSH %{p0}");
+
+ var part1503 = match("MESSAGE#925:00528:13/5_0", "nwparser.p0", "not enabled %{p0}");
+
+ var select351 = linear_select([
+ part1503,
+ dup157,
+ ]);
+
+ var part1504 = match("MESSAGE#925:00528:13/6", "nwparser.p0", "on that interface.%{}");
+
+ var all324 = all_match({
+ processors: [
+ part1498,
+ select350,
+ part1501,
+ dup337,
+ part1502,
+ select351,
+ part1504,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg937 = msg("00528:13", all324);
+
+ var part1505 = match("MESSAGE#926:00528:14", "nwparser.payload", "SSH: SSH client %{saddr->} unsuccessfully attempted to make an SSH connection to %{vsys->} SSH was not completely initialized for that system.", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg938 = msg("00528:14", part1505);
+
+ var part1506 = match("MESSAGE#927:00528:15/0", "nwparser.payload", "SSH: Admin user %{p0}");
+
+ var part1507 = match("MESSAGE#927:00528:15/1_1", "nwparser.p0", "%{administrator->} %{p0}");
+
+ var select352 = linear_select([
+ dup315,
+ part1507,
+ ]);
+
+ var part1508 = match("MESSAGE#927:00528:15/2", "nwparser.p0", "at host %{saddr->} requested unsupported %{p0}");
+
+ var part1509 = match("MESSAGE#927:00528:15/3_0", "nwparser.p0", "PKA algorithm %{p0}");
+
+ var part1510 = match("MESSAGE#927:00528:15/3_1", "nwparser.p0", "authentication method %{p0}");
+
+ var select353 = linear_select([
+ part1509,
+ part1510,
+ ]);
+
+ var all325 = all_match({
+ processors: [
+ part1506,
+ select352,
+ part1508,
+ select353,
+ dup108,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg939 = msg("00528:15", all325);
+
+ var part1511 = match("MESSAGE#928:00528:16", "nwparser.payload", "SCP: Admin '%{administrator}' at host %{saddr->} executed invalid scp command: '%{fld2}'", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg940 = msg("00528:16", part1511);
+
+ var part1512 = match("MESSAGE#929:00528:17", "nwparser.payload", "SCP: Disabled for '%{username}'. Attempted file transfer failed from host %{saddr}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg941 = msg("00528:17", part1512);
+
+ var part1513 = match("MESSAGE#930:00528:18/2", "nwparser.p0", "authentication successful for admin user %{p0}");
+
+ var all326 = all_match({
+ processors: [
+ dup316,
+ dup402,
+ part1513,
+ dup403,
+ dup320,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ setc("disposition","successful"),
+ setc("event_description","authentication successful for admin user"),
+ ]),
+ });
+
+ var msg942 = msg("00528:18", all326);
+
+ var part1514 = match("MESSAGE#931:00528:26/2", "nwparser.p0", "authentication failed for admin user %{p0}");
+
+ var all327 = all_match({
+ processors: [
+ dup316,
+ dup402,
+ part1514,
+ dup403,
+ dup320,
+ ],
+ on_success: processor_chain([
+ dup206,
+ dup29,
+ dup31,
+ dup54,
+ dup2,
+ dup4,
+ dup5,
+ dup302,
+ dup3,
+ setc("event_description","authentication failed for admin user"),
+ ]),
+ });
+
+ var msg943 = msg("00528:26", all327);
+
+ var part1515 = match("MESSAGE#932:00528:19/2", "nwparser.p0", ": SSH user %{username->} has been %{disposition->} using password from %{saddr}:%{sport}");
+
+ var all328 = all_match({
+ processors: [
+ dup321,
+ dup404,
+ part1515,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg944 = msg("00528:19", all328);
+
+ var part1516 = match("MESSAGE#933:00528:20/2", "nwparser.p0", ": Connection has been %{disposition->} for admin user %{administrator->} at %{saddr}:%{sport}");
+
+ var all329 = all_match({
+ processors: [
+ dup321,
+ dup404,
+ part1516,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg945 = msg("00528:20", all329);
+
+ var part1517 = match("MESSAGE#934:00528:21", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has requested PKA RSA authentication, which is not supported for that client.", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg946 = msg("00528:21", part1517);
+
+ var part1518 = match("MESSAGE#935:00528:22/0", "nwparser.payload", "SCS: SSH client at %{saddr->} has attempted to make an SCS connection to %{p0}");
+
+ var part1519 = match("MESSAGE#935:00528:22/2", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} but %{disposition->} because SCS is not enabled for that interface.");
+
+ var all330 = all_match({
+ processors: [
+ part1518,
+ dup337,
+ part1519,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ setc("result","SCS is not enabled for that interface"),
+ ]),
+ });
+
+ var msg947 = msg("00528:22", all330);
+
+ var part1520 = match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to vsys %{vsys->} because SCS cannot generate the host and server keys before timing out.", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ setc("result","SCS cannot generate the host and server keys before timing out"),
+ ]));
+
+ var msg948 = msg("00528:23", part1520);
+
+ var part1521 = match("MESSAGE#937:00528:24", "nwparser.payload", "SSH: %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup281,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg949 = msg("00528:24", part1521);
+
+ var part1522 = match("MESSAGE#938:00528:25/0", "nwparser.payload", "SSH: Admin %{p0}");
+
+ var part1523 = match("MESSAGE#938:00528:25/2", "nwparser.p0", "at host %{saddr->} attempted to be authenticated with no authentication methods enabled.");
+
+ var all331 = all_match({
+ processors: [
+ part1522,
+ dup403,
+ part1523,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg950 = msg("00528:25", all331);
+
+ var select354 = linear_select([
+ msg924,
+ msg925,
+ msg926,
+ msg927,
+ msg928,
+ msg929,
+ msg930,
+ msg931,
+ msg932,
+ msg933,
+ msg934,
+ msg935,
+ msg936,
+ msg937,
+ msg938,
+ msg939,
+ msg940,
+ msg941,
+ msg942,
+ msg943,
+ msg944,
+ msg945,
+ msg946,
+ msg947,
+ msg948,
+ msg949,
+ msg950,
+ ]);
+
+ var part1524 = match("MESSAGE#939:00529/1_0", "nwparser.p0", "manually %{p0}");
+
+ var part1525 = match("MESSAGE#939:00529/1_1", "nwparser.p0", "automatically %{p0}");
+
+ var select355 = linear_select([
+ part1524,
+ part1525,
+ ]);
+
+ var part1526 = match("MESSAGE#939:00529/2", "nwparser.p0", "refreshed%{}");
+
+ var all332 = all_match({
+ processors: [
+ dup63,
+ select355,
+ part1526,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg951 = msg("00529", all332);
+
+ var part1527 = match("MESSAGE#940:00529:01/0", "nwparser.payload", "DNS entries have been refreshed by %{p0}");
+
+ var part1528 = match("MESSAGE#940:00529:01/1_0", "nwparser.p0", "state change%{}");
+
+ var part1529 = match("MESSAGE#940:00529:01/1_1", "nwparser.p0", "HA%{}");
+
+ var select356 = linear_select([
+ part1528,
+ part1529,
+ ]);
+
+ var all333 = all_match({
+ processors: [
+ part1527,
+ select356,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg952 = msg("00529:01", all333);
+
+ var select357 = linear_select([
+ msg951,
+ msg952,
+ ]);
+
+ var part1530 = match("MESSAGE#941:00530", "nwparser.payload", "An IP conflict has been detected and the DHCP client has declined address %{hostip}", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg953 = msg("00530", part1530);
+
+ var part1531 = match("MESSAGE#942:00530:01/0", "nwparser.payload", "DHCP client IP %{hostip->} for the %{p0}");
+
+ var part1532 = match("MESSAGE#942:00530:01/2", "nwparser.p0", "%{} %{interface->} has been manually released");
+
+ var all334 = all_match({
+ processors: [
+ part1531,
+ dup337,
+ part1532,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg954 = msg("00530:01", all334);
+
+ var part1533 = match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get an IP address for the %{interface->} interface", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg955 = msg("00530:02", part1533);
+
+ var part1534 = match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hostip->} has expired", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg956 = msg("00530:03", part1534);
+
+ var part1535 = match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has assigned the untrust Interface %{interface->} with lease %{fld2}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg957 = msg("00530:04", part1535);
+
+ var part1536 = match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has assigned the %{interface->} interface %{fld2->} with lease %{fld3}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg958 = msg("00530:05", part1536);
+
+ var part1537 = match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get IP address for the untrust interface.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg959 = msg("00530:06", part1537);
+
+ var select358 = linear_select([
+ msg953,
+ msg954,
+ msg955,
+ msg956,
+ msg957,
+ msg958,
+ msg959,
+ ]);
+
+ var part1538 = match("MESSAGE#948:00531/0", "nwparser.payload", "System clock configurations have been changed by admin %{p0}");
+
+ var all335 = all_match({
+ processors: [
+ part1538,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg960 = msg("00531", all335);
+
+ var part1539 = match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg961 = msg("00531:01", part1539);
+
+ var part1540 = match("MESSAGE#950:00531:02", "nwparser.payload", "The system clock has been updated through NTP.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg962 = msg("00531:02", part1540);
+
+ var part1541 = match("MESSAGE#951:00531:03/0", "nwparser.payload", "The system clock was updated from %{type->} NTP server type %{hostname->} with a%{p0}");
+
+ var part1542 = match("MESSAGE#951:00531:03/1_0", "nwparser.p0", " ms %{p0}");
+
+ var select359 = linear_select([
+ part1542,
+ dup115,
+ ]);
+
+ var part1543 = match("MESSAGE#951:00531:03/2", "nwparser.p0", "adjustment of %{fld3}. Authentication was %{fld4}. Update mode was %{p0}");
+
+ var part1544 = match("MESSAGE#951:00531:03/3_0", "nwparser.p0", "%{fld5}(%{fld2})");
+
+ var part1545 = match_copy("MESSAGE#951:00531:03/3_1", "nwparser.p0", "fld5");
+
+ var select360 = linear_select([
+ part1544,
+ part1545,
+ ]);
+
+ var all336 = all_match({
+ processors: [
+ part1541,
+ select359,
+ part1543,
+ select360,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup146,
+ ]),
+ });
+
+ var msg963 = msg("00531:03", all336);
+
+ var part1546 = match("MESSAGE#952:00531:04/0", "nwparser.payload", "The NetScreen device is attempting to contact the %{p0}");
+
+ var part1547 = match("MESSAGE#952:00531:04/1_0", "nwparser.p0", "primary backup %{p0}");
+
+ var part1548 = match("MESSAGE#952:00531:04/1_1", "nwparser.p0", "secondary backup %{p0}");
+
+ var select361 = linear_select([
+ part1547,
+ part1548,
+ dup189,
+ ]);
+
+ var part1549 = match("MESSAGE#952:00531:04/2", "nwparser.p0", "NTP server %{hostname}");
+
+ var all337 = all_match({
+ processors: [
+ part1546,
+ select361,
+ part1549,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg964 = msg("00531:04", all337);
+
+ var part1550 = match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contacted. (%{fld1})", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg965 = msg("00531:05", part1550);
+
+ var part1551 = match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustment of %{fld2->} from NTP server %{hostname->} exceeds the allowed adjustment of %{fld3}. (%{fld1})", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg966 = msg("00531:06", part1551);
+
+ var part1552 = match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be obtained from any NTP server. (%{fld1})", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg967 = msg("00531:07", part1552);
+
+ var part1553 = match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator->} changed the %{change_attribute->} from %{change_old->} to %{change_new->} (by %{fld3->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}) (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg968 = msg("00531:08", part1553);
+
+ var part1554 = match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol settings changed. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg969 = msg("00531:09", part1554);
+
+ var part1555 = match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition->} on interface %{interface->} (%{fld1})", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg970 = msg("00531:10", part1555);
+
+ var part1556 = match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be changed from %{change_old->} to %{change_new->} received from primary NTP server %{hostip->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ setc("event_description","system clock changed based on receive from primary NTP server"),
+ ]));
+
+ var msg971 = msg("00531:11", part1556);
+
+ var part1557 = match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{saddr->} could not be contacted. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg972 = msg("00531:12", part1557);
+
+ var select362 = linear_select([
+ msg960,
+ msg961,
+ msg962,
+ msg963,
+ msg964,
+ msg965,
+ msg966,
+ msg967,
+ msg968,
+ msg969,
+ msg970,
+ msg971,
+ msg972,
+ ]);
+
+ var part1558 = match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now responding", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg973 = msg("00533", part1558);
+
+ var part1559 = match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg974 = msg("00534", part1559);
+
+ var part1560 = match("MESSAGE#962:00535", "nwparser.payload", "Cannot find the CA certificate with distinguished name %{fld2}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg975 = msg("00535", part1560);
+
+ var part1561 = match("MESSAGE#963:00535:01", "nwparser.payload", "Distinguished name %{dn->} in the X509 certificate request is %{disposition}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg976 = msg("00535:01", part1561);
+
+ var part1562 = match("MESSAGE#964:00535:02", "nwparser.payload", "Local certificate with distinguished name %{dn->} is %{disposition}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg977 = msg("00535:02", part1562);
+
+ var part1563 = match("MESSAGE#965:00535:03", "nwparser.payload", "PKCS #7 data cannot be decapsulated%{}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg978 = msg("00535:03", part1563);
+
+ var part1564 = match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been received from the CA%{}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("result","SCEP_FAILURE message"),
+ ]));
+
+ var msg979 = msg("00535:04", part1564);
+
+ var part1565 = match("MESSAGE#967:00535:05", "nwparser.payload", "PKI error message has been received: %{result}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg980 = msg("00535:05", part1565);
+
+ var part1566 = match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration (CA cert subject name %{dn}). (%{event_time_string})", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("event_description","Saved CA configuration - cert subject name"),
+ ]));
+
+ var msg981 = msg("00535:06", part1566);
+
+ var select363 = linear_select([
+ msg975,
+ msg976,
+ msg977,
+ msg978,
+ msg979,
+ msg980,
+ msg981,
+ ]);
+
+ var part1567 = match("MESSAGE#969:00536:49/0", "nwparser.payload", "IKE %{hostip->} %{p0}");
+
+ var part1568 = match("MESSAGE#969:00536:49/1_0", "nwparser.p0", "Phase 2 msg ID %{sessionid}: %{disposition}. %{p0}");
+
+ var part1569 = match("MESSAGE#969:00536:49/1_1", "nwparser.p0", "Phase 1: %{disposition->} %{p0}");
+
+ var part1570 = match("MESSAGE#969:00536:49/1_2", "nwparser.p0", "phase 2:%{disposition}. %{p0}");
+
+ var part1571 = match("MESSAGE#969:00536:49/1_3", "nwparser.p0", "phase 1:%{disposition}. %{p0}");
+
+ var select364 = linear_select([
+ part1568,
+ part1569,
+ part1570,
+ part1571,
+ ]);
+
+ var all338 = all_match({
+ processors: [
+ part1567,
+ select364,
+ dup10,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg982 = msg("00536:49", all338);
+
+ var part1572 = match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received from %{saddr}/%{sport->} at interface %{interface->} at %{daddr}/%{dport}", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup61,
+ ]));
+
+ var msg983 = msg("00536", part1572);
+
+ var part1573 = match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2}) without IP address at both end points! Check outgoing interface.", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg984 = msg("00536:01", part1573);
+
+ var part1574 = match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip->} in %{fld4->} mode with ID: %{fld3->} has been %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg985 = msg("00536:02", part1574);
+
+ var part1575 = match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has been %{disposition}. %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg986 = msg("00536:03", part1575);
+
+ var part1576 = match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{group->} has deactivated the SA with ID %{fld2}.", processor_chain([
+ setc("eventcategory","1801010100"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg987 = msg("00536:04", part1576);
+
+ var part1577 = match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assigned%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg988 = msg("00536:05", part1577);
+
+ var part1578 = match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has changed to %{fld2}. VPNs cannot terminate at an interface with IP %{hostip}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg989 = msg("00536:06", part1578);
+
+ var part1579 = match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has changed from %{change_old->} to another setting", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg990 = msg("00536:07", part1579);
+
+ var part1580 = match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification message", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg991 = msg("00536:08", part1580);
+
+ var part1581 = match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg992 = msg("00536:09", part1581);
+
+ var part1582 = match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a packet with a bad SPI after rebooting", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg993 = msg("00536:10", part1582);
+
+ var part1583 = match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase 2 SAs after receiving a notification message", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg994 = msg("00536:11", part1583);
+
+ var part1584 = match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first Phase 1 packet from an unrecognized source", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg995 = msg("00536:12", part1584);
+
+ var part1585 = match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an initial Phase 1 packet from an unrecognized peer gateway", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg996 = msg("00536:13", part1585);
+
+ var part1586 = match("MESSAGE#984:00536:14/0", "nwparser.payload", "IKE %{hostip}: Received initial contact notification and removed Phase %{p0}");
+
+ var part1587 = match("MESSAGE#984:00536:14/2", "nwparser.p0", "SAs%{}");
+
+ var all339 = all_match({
+ processors: [
+ part1586,
+ dup383,
+ part1587,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg997 = msg("00536:14", all339);
+
+ var part1588 = match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a notification message for %{disposition}. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg998 = msg("00536:50", part1588);
+
+ var part1589 = match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incorrect ID payload: IP address %{fld2->} instead of IP address %{fld3}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg999 = msg("00536:15", part1589);
+
+ var part1590 = match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negotiation request is already in the task list", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1000 = msg("00536:16", part1590);
+
+ var part1591 = match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats have been lost %{fld2->} times", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1001 = msg("00536:17", part1591);
+
+ var part1592 = match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer packet because no policy uses the peer configuration", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1002 = msg("00536:18", part1592);
+
+ var part1593 = match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1003 = msg("00536:19", part1593);
+
+ var part1594 = match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the initial contact task to the task list", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1004 = msg("00536:20", part1594);
+
+ var part1595 = match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 session tasks to the task list", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1005 = msg("00536:21", part1595);
+
+ var part1596 = match("MESSAGE#993:00536:22", "nwparser.payload", "IKE %{hostip->} Phase 1 : %{disposition->} proposals from peer. Negotiations failed", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("result","Negotiations failed"),
+ ]));
+
+ var msg1006 = msg("00536:22", part1596);
+
+ var part1597 = match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Aborted negotiations because the time limit has elapsed", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("result","The time limit has elapsed"),
+ setc("disposition","Aborted"),
+ ]));
+
+ var msg1007 = msg("00536:23", part1597);
+
+ var part1598 = match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1008 = msg("00536:24", part1598);
+
+ var part1599 = match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Received DH group %{fld2->} instead of expected group %{fld3->} for PFS", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1009 = msg("00536:25", part1599);
+
+ var part1600 = match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No policy exists for the proxy ID received: local ID %{fld2->} remote ID %{fld3}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1010 = msg("00536:26", part1600);
+
+ var part1601 = match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA private key is needed to sign packets", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1011 = msg("00536:27", part1601);
+
+ var part1602 = match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggressive mode negotiations have %{disposition}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1012 = msg("00536:28", part1602);
+
+ var part1603 = match("MESSAGE#1000:00536:29", "nwparser.payload", "IKE %{hostip->} Phase 1: Vendor ID payload indicates that the peer does not support NAT-T", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1013 = msg("00536:29", part1603);
+
+ var part1604 = match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Retransmission limit has been reached", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1014 = msg("00536:30", part1604);
+
+ var part1605 = match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an invalid RSA signature", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1015 = msg("00536:31", part1605);
+
+ var part1606 = match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an incorrect public key authentication method", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1016 = msg("00536:32", part1606);
+
+ var part1607 = match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No private key exists to sign packets", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1017 = msg("00536:33", part1607);
+
+ var part1608 = match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1018 = msg("00536:34", part1608);
+
+ var part1609 = match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE initiator has detected NAT in front of the local device", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1019 = msg("00536:35", part1609);
+
+ var part1610 = match("MESSAGE#1007:00536:36/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Discarded a second initial packet%{p0}");
+
+ var part1611 = match("MESSAGE#1007:00536:36/2", "nwparser.p0", "%{}which arrived within %{fld2->} after the first");
+
+ var all340 = all_match({
+ processors: [
+ part1610,
+ dup401,
+ part1611,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1020 = msg("00536:36", all340);
+
+ var part1612 = match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Completed Aggressive mode negotiations with a %{fld2->} lifetime", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1021 = msg("00536:37", part1612);
+
+ var part1613 = match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a subject name that does not match the ID payload", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1022 = msg("00536:38", part1613);
+
+ var part1614 = match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a different IP address %{fld2->} than expected", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1023 = msg("00536:39", part1614);
+
+ var part1615 = match("MESSAGE#1011:00536:40", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot use a preshared key because the peer%{quote}s gateway has a dynamic IP address and negotiations are in Main mode", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1024 = msg("00536:40", part1615);
+
+ var part1616 = match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated negotiations in Aggressive mode", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1025 = msg("00536:47", part1616);
+
+ var part1617 = match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot verify RSA signature", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1026 = msg("00536:41", part1617);
+
+ var part1618 = match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated Main mode negotiations", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1027 = msg("00536:42", part1618);
+
+ var part1619 = match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Initiated negotiations", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1028 = msg("00536:43", part1619);
+
+ var part1620 = match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heartbeat interval to %{fld2}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1029 = msg("00536:44", part1620);
+
+ var part1621 = match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats have been %{disposition->} because %{result}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1030 = msg("00536:45", part1621);
+
+ var part1622 = match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{interface->} from %{saddr}:%{sport->} to %{daddr}:%{dport}/%{fld1}. Cookies: %{ike_cookie1}, %{ike_cookie2}. (%{event_time_string})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("event_description","Received an IKE packet on interface"),
+ ]));
+
+ var msg1031 = msg("00536:48", part1622);
+
+ var part1623 = match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a bad SPI", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1032 = msg("00536:46", part1623);
+
+ var select365 = linear_select([
+ msg982,
+ msg983,
+ msg984,
+ msg985,
+ msg986,
+ msg987,
+ msg988,
+ msg989,
+ msg990,
+ msg991,
+ msg992,
+ msg993,
+ msg994,
+ msg995,
+ msg996,
+ msg997,
+ msg998,
+ msg999,
+ msg1000,
+ msg1001,
+ msg1002,
+ msg1003,
+ msg1004,
+ msg1005,
+ msg1006,
+ msg1007,
+ msg1008,
+ msg1009,
+ msg1010,
+ msg1011,
+ msg1012,
+ msg1013,
+ msg1014,
+ msg1015,
+ msg1016,
+ msg1017,
+ msg1018,
+ msg1019,
+ msg1020,
+ msg1021,
+ msg1022,
+ msg1023,
+ msg1024,
+ msg1025,
+ msg1026,
+ msg1027,
+ msg1028,
+ msg1029,
+ msg1030,
+ msg1031,
+ msg1032,
+ ]);
+
+ var part1624 = match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to establish a session: %{info}", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg1033 = msg("00537", part1624);
+
+ var part1625 = match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1034 = msg("00537:01", part1625);
+
+ var part1626 = match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1035 = msg("00537:02", part1626);
+
+ var part1627 = match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successfully established%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1036 = msg("00537:03", part1627);
+
+ var select366 = linear_select([
+ msg1033,
+ msg1034,
+ msg1035,
+ msg1036,
+ ]);
+
+ var part1628 = match("MESSAGE#1024:00538/0", "nwparser.payload", "NACN failed to register to Policy Manager %{fld2->} because %{p0}");
+
+ var select367 = linear_select([
+ dup111,
+ dup119,
+ ]);
+
+ var part1629 = match("MESSAGE#1024:00538/2", "nwparser.p0", "%{result}");
+
+ var all341 = all_match({
+ processors: [
+ part1628,
+ select367,
+ part1629,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1037 = msg("00538", all341);
+
+ var part1630 = match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered to Policy Manager %{fld2}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1038 = msg("00538:01", part1630);
+
+ var part1631 = match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has started for Policy Manager %{fld2->} on hostname %{hostname->} IP address %{hostip->} port %{network_port}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1039 = msg("00538:02", part1631);
+
+ var part1632 = match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server at %{hostip->} (%{fld2->} connect attempt(s)) %{fld3}", processor_chain([
+ dup19,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg1040 = msg("00538:03", part1632);
+
+ var part1633 = match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Global PRO data collector at %{hostip}", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1041 = msg("00538:04", part1633);
+
+ var part1634 = match("MESSAGE#1029:00538:05/0", "nwparser.payload", "Lost %{p0}");
+
+ var part1635 = match("MESSAGE#1029:00538:05/1_0", "nwparser.p0", "socket connection%{p0}");
+
+ var part1636 = match("MESSAGE#1029:00538:05/1_1", "nwparser.p0", "connection%{p0}");
+
+ var select368 = linear_select([
+ part1635,
+ part1636,
+ ]);
+
+ var part1637 = match("MESSAGE#1029:00538:05/2", "nwparser.p0", "%{}to Global PRO data collector at %{hostip}");
+
+ var all342 = all_match({
+ processors: [
+ part1634,
+ select368,
+ part1637,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1042 = msg("00538:05", all342);
+
+ var part1638 = match("MESSAGE#1030:00538:06/0", "nwparser.payload", "Device has connected to the Global PRO%{p0}");
+
+ var part1639 = match("MESSAGE#1030:00538:06/1_0", "nwparser.p0", " %{fld2->} primary data collector at %{p0}");
+
+ var part1640 = match("MESSAGE#1030:00538:06/1_1", "nwparser.p0", " primary data collector at %{p0}");
+
+ var select369 = linear_select([
+ part1639,
+ part1640,
+ ]);
+
+ var part1641 = match_copy("MESSAGE#1030:00538:06/2", "nwparser.p0", "hostip");
+
+ var all343 = all_match({
+ processors: [
+ part1638,
+ select369,
+ part1641,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1043 = msg("00538:06", all343);
+
+ var part1642 = match("MESSAGE#1031:00538:07/0", "nwparser.payload", "Connection to Global PRO data collector at %{hostip->} has%{p0}");
+
+ var part1643 = match("MESSAGE#1031:00538:07/1_0", "nwparser.p0", " been%{p0}");
+
+ var select370 = linear_select([
+ part1643,
+ dup16,
+ ]);
+
+ var all344 = all_match({
+ processors: [
+ part1642,
+ select370,
+ dup136,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1044 = msg("00538:07", all344);
+
+ var part1644 = match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO data collector at %{hostip}", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1045 = msg("00538:08", part1644);
+
+ var part1645 = match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server at %{hostip->} (%{info}) (%{fld1})", processor_chain([
+ dup301,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ setc("event_description","Connected to NSM server"),
+ ]));
+
+ var msg1046 = msg("00538:09", part1645);
+
+ var part1646 = match("MESSAGE#1034:00538:10/0", "nwparser.payload", "NSM: Connection to NSM server at %{hostip->} is down. Reason: %{resultcode}, %{result->} (%{p0}");
+
+ var part1647 = match("MESSAGE#1034:00538:10/1_0", "nwparser.p0", "%{info}) (%{fld1})");
+
+ var select371 = linear_select([
+ part1647,
+ dup41,
+ ]);
+
+ var all345 = all_match({
+ processors: [
+ part1646,
+ select371,
+ ],
+ on_success: processor_chain([
+ dup198,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ setc("event_description","Connection to NSM server is down"),
+ ]),
+ });
+
+ var msg1047 = msg("00538:10", all345);
+
+ var part1648 = match("MESSAGE#1035:00538:11", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld2->} connect attempt(s)) (%{fld1})", processor_chain([
+ dup198,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup323,
+ ]));
+
+ var msg1048 = msg("00538:11", part1648);
+
+ var part1649 = match("MESSAGE#1036:00538:12", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld1})", processor_chain([
+ dup198,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup323,
+ ]));
+
+ var msg1049 = msg("00538:12", part1649);
+
+ var part1650 = match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ setc("event_description","Sent 2B message"),
+ ]));
+
+ var msg1050 = msg("00538:13", part1650);
+
+ var select372 = linear_select([
+ msg1037,
+ msg1038,
+ msg1039,
+ msg1040,
+ msg1041,
+ msg1042,
+ msg1043,
+ msg1044,
+ msg1045,
+ msg1046,
+ msg1047,
+ msg1048,
+ msg1049,
+ msg1050,
+ ]);
+
+ var part1651 = match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool for user %{username}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1051 = msg("00539", part1651);
+
+ var part1652 = match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{username}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1052 = msg("00539:01", part1652);
+
+ var part1653 = match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from Pool %{group_object->} for user %{username}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1053 = msg("00539:02", part1653);
+
+ var part1654 = match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to establish a session: %{fld2}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1054 = msg("00539:03", part1654);
+
+ var part1655 = match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has successfully established.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1055 = msg("00539:04", part1655);
+
+ var part1656 = match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned. You cannot allocate an IP address%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1056 = msg("00539:05", part1656);
+
+ var part1657 = match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1057 = msg("00539:06", part1657);
+
+ var select373 = linear_select([
+ msg1051,
+ msg1052,
+ msg1053,
+ msg1054,
+ msg1055,
+ msg1056,
+ msg1057,
+ ]);
+
+ var part1658 = match("MESSAGE#1045:00541", "nwparser.payload", "ScreenOS %{fld2->} serial # %{serial_number}: Asset recovery has been %{disposition}", processor_chain([
+ dup324,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1058 = msg("00541", part1658);
+
+ var part1659 = match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2->} IP address - %{hostip->} changed its state to %{change_new}. (%{fld1})", processor_chain([
+ dup273,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1059 = msg("00541:01", part1659);
+
+ var part1660 = match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from %{change_old->} to %{change_new->} state, (neighbor router-id 1%{fld2}, ip-address %{hostip}). (%{fld1})", processor_chain([
+ dup273,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1060 = msg("00541:02", part1660);
+
+ var part1661 = match("MESSAGE#1219:00541:03/0", "nwparser.payload", "LSA in following area aged out: LSA area ID %{fld3}, LSA ID %{fld4}, router ID %{fld2}, type %{fld7->} in OSPF. (%{fld1})%{p0}");
+
+ var part1662 = match("MESSAGE#1219:00541:03/1_0", "nwparser.p0", "\u003c\u003c%{fld16}>");
+
+ var select374 = linear_select([
+ part1662,
+ dup21,
+ ]);
+
+ var all346 = all_match({
+ processors: [
+ part1661,
+ select374,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1061 = msg("00541:03", all346);
+
+ var select375 = linear_select([
+ msg1058,
+ msg1059,
+ msg1060,
+ msg1061,
+ ]);
+
+ var part1663 = match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix adding: %{fld2}, ribin overflow %{fld3->} times (max rib-in %{fld4})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1062 = msg("00542", part1663);
+
+ var part1664 = match("MESSAGE#1047:00543/0", "nwparser.payload", "Access for %{p0}");
+
+ var part1665 = match("MESSAGE#1047:00543/1_0", "nwparser.p0", "WebAuth firewall %{p0}");
+
+ var part1666 = match("MESSAGE#1047:00543/1_1", "nwparser.p0", "firewall %{p0}");
+
+ var select376 = linear_select([
+ part1665,
+ part1666,
+ ]);
+
+ var part1667 = match("MESSAGE#1047:00543/2", "nwparser.p0", "user %{username->} %{space}at %{hostip->} (accepted at %{fld2->} for duration %{duration->} via the %{logon_type}) %{p0}");
+
+ var part1668 = match("MESSAGE#1047:00543/3_0", "nwparser.p0", "by policy id %{policy_id->} is %{p0}");
+
+ var select377 = linear_select([
+ part1668,
+ dup106,
+ ]);
+
+ var part1669 = match("MESSAGE#1047:00543/4", "nwparser.p0", "now over (%{fld1})");
+
+ var all347 = all_match({
+ processors: [
+ part1664,
+ select376,
+ part1667,
+ select377,
+ part1669,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ dup3,
+ ]),
+ });
+
+ var msg1063 = msg("00543", all347);
+
+ var part1670 = match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group %{group->} ] at %{hostip->} has been challenged by the RADIUS server at %{daddr}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup60,
+ setc("action","RADIUS server challenge"),
+ ]));
+
+ var msg1064 = msg("00544", part1670);
+
+ var part1671 = match("MESSAGE#1049:00546", "nwparser.payload", "delete-route-> trust-vr: %{fld2}", processor_chain([
+ dup281,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1065 = msg("00546", part1671);
+
+ var part1672 = match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned because max content size was exceeded.", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup61,
+ ]));
+
+ var msg1066 = msg("00547", part1672);
+
+ var part1673 = match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned due to a scan engine error or constraint.", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup61,
+ ]));
+
+ var msg1067 = msg("00547:01", part1673);
+
+ var part1674 = match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has been %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1068 = msg("00547:02", part1674);
+
+ var part1675 = match("MESSAGE#1053:00547:03/0", "nwparser.payload", "AV: Content from %{location_desc}, http url: %{url}, is passed %{p0}");
+
+ var part1676 = match("MESSAGE#1053:00547:03/1_0", "nwparser.p0", "due to %{p0}");
+
+ var part1677 = match("MESSAGE#1053:00547:03/1_1", "nwparser.p0", "because %{p0}");
+
+ var select378 = linear_select([
+ part1676,
+ part1677,
+ ]);
+
+ var part1678 = match("MESSAGE#1053:00547:03/2", "nwparser.p0", "%{result}. (%{event_time_string})");
+
+ var all348 = all_match({
+ processors: [
+ part1675,
+ select378,
+ part1678,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("event_description","Content is bypassed for connection"),
+ ]),
+ });
+
+ var msg1069 = msg("00547:03", all348);
+
+ var select379 = linear_select([
+ msg1066,
+ msg1067,
+ msg1068,
+ msg1069,
+ ]);
+
+ var part1679 = match("MESSAGE#1054:00549", "nwparser.payload", "add-route-> untrust-vr: %{fld2}", processor_chain([
+ dup281,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1070 = msg("00549", part1679);
+
+ var part1680 = match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred during configlet file processing.", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1071 = msg("00551", part1680);
+
+ var part1681 = match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurred, causing failure to establish secure management with Management System.", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1072 = msg("00551:01", part1681);
+
+ var part1682 = match("MESSAGE#1057:00551:02/0", "nwparser.payload", "Configlet file %{p0}");
+
+ var part1683 = match("MESSAGE#1057:00551:02/1_0", "nwparser.p0", "decryption %{p0}");
+
+ var select380 = linear_select([
+ part1683,
+ dup89,
+ ]);
+
+ var all349 = all_match({
+ processors: [
+ part1682,
+ select380,
+ dup128,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1073 = msg("00551:02", all349);
+
+ var part1684 = match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot start because gateway has undergone configuration changes. (%{fld1})", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1074 = msg("00551:03", part1684);
+
+ var part1685 = match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management established successfully with remote server. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1075 = msg("00551:04", part1685);
+
+ var select381 = linear_select([
+ msg1071,
+ msg1072,
+ msg1073,
+ msg1074,
+ msg1075,
+ ]);
+
+ var part1686 = match("MESSAGE#1060:00553/0", "nwparser.payload", "SCAN-MGR: Failed to get %{p0}");
+
+ var part1687 = match("MESSAGE#1060:00553/1_0", "nwparser.p0", "AltServer %{p0}");
+
+ var part1688 = match("MESSAGE#1060:00553/1_1", "nwparser.p0", "Version %{p0}");
+
+ var part1689 = match("MESSAGE#1060:00553/1_2", "nwparser.p0", "Path_GateLockCE %{p0}");
+
+ var select382 = linear_select([
+ part1687,
+ part1688,
+ part1689,
+ ]);
+
+ var all350 = all_match({
+ processors: [
+ part1686,
+ select382,
+ dup325,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1076 = msg("00553", all350);
+
+ var part1690 = match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size from server.ini.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1077 = msg("00553:01", part1690);
+
+ var part1691 = match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from server.ini is too large: %{bytes->} (bytes).", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1078 = msg("00553:02", part1691);
+
+ var part1692 = match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from server.ini is too long: %{fld2}; max is %{fld3}.", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1079 = msg("00553:03", part1692);
+
+ var part1693 = match("MESSAGE#1064:00553:04/0", "nwparser.payload", "SCAN-MGR: Failed to retrieve %{p0}");
+
+ var select383 = linear_select([
+ dup326,
+ dup327,
+ ]);
+
+ var part1694 = match("MESSAGE#1064:00553:04/2", "nwparser.p0", "file: %{fld2}; http status code: %{resultcode}.");
+
+ var all351 = all_match({
+ processors: [
+ part1693,
+ select383,
+ part1694,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1080 = msg("00553:04", all351);
+
+ var part1695 = match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pattern into a RAM file.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1081 = msg("00553:05", part1695);
+
+ var part1696 = match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File failed: code from VSAPI: %{resultcode}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1082 = msg("00553:06", part1696);
+
+ var part1697 = match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pattern into flash.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1083 = msg("00553:07", part1697);
+
+ var part1698 = match("MESSAGE#1068:00553:08/0", "nwparser.payload", "SCAN-MGR: Internal error while setting up for retrieving %{p0}");
+
+ var select384 = linear_select([
+ dup327,
+ dup326,
+ ]);
+
+ var all352 = all_match({
+ processors: [
+ part1698,
+ select384,
+ dup328,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1084 = msg("00553:08", all352);
+
+ var part1699 = match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{disposition}: Err: %{resultcode}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1085 = msg("00553:09", part1699);
+
+ var part1700 = match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{disposition->} due to %{result}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1086 = msg("00553:10", part1700);
+
+ var part1701 = match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern Creation Date(%{fld2}) is after AV Key Expiration date(%{fld3}).", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1087 = msg("00553:11", part1701);
+
+ var part1702 = match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompressLayer %{disposition}: Layer: %{fld2}, Err: %{resultcode}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1088 = msg("00553:12", part1702);
+
+ var part1703 = match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFileSizeLimit %{disposition}: Limit: %{fld2}, Err: %{resultcode}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1089 = msg("00553:13", part1703);
+
+ var part1704 = match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{disposition}: ret: %{fld2}; cpapiErrCode: %{resultcode}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1090 = msg("00553:14", part1704);
+
+ var part1705 = match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usage error. Left usage: %{fld2}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1091 = msg("00553:15", part1705);
+
+ var part1706 = match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress layer to %{fld2}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1092 = msg("00553:16", part1706);
+
+ var part1707 = match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum content size to %{fld2}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1093 = msg("00553:17", part1707);
+
+ var part1708 = match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number of concurrent messages to %{fld2}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1094 = msg("00553:18", part1708);
+
+ var part1709 = match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to %{fld2}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1095 = msg("00553:19", part1709);
+
+ var part1710 = match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to %{fld2}; update interval is %{fld3}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1096 = msg("00553:20", part1710);
+
+ var part1711 = match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1097 = msg("00553:21", part1711);
+
+ var part1712 = match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern updated: version: %{version}, size: %{bytes->} (bytes).", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1098 = msg("00553:22", part1712);
+
+ var select385 = linear_select([
+ msg1076,
+ msg1077,
+ msg1078,
+ msg1079,
+ msg1080,
+ msg1081,
+ msg1082,
+ msg1083,
+ msg1084,
+ msg1085,
+ msg1086,
+ msg1087,
+ msg1088,
+ msg1089,
+ msg1090,
+ msg1091,
+ msg1092,
+ msg1093,
+ msg1094,
+ msg1095,
+ msg1096,
+ msg1097,
+ msg1098,
+ ]);
+
+ var part1713 = match("MESSAGE#1083:00554/0", "nwparser.payload", "SCAN-MGR: Cannot get %{p0}");
+
+ var part1714 = match("MESSAGE#1083:00554/1_0", "nwparser.p0", "AltServer info %{p0}");
+
+ var part1715 = match("MESSAGE#1083:00554/1_1", "nwparser.p0", "Version number %{p0}");
+
+ var part1716 = match("MESSAGE#1083:00554/1_2", "nwparser.p0", "Path_GateLockCE info %{p0}");
+
+ var select386 = linear_select([
+ part1714,
+ part1715,
+ part1716,
+ ]);
+
+ var all353 = all_match({
+ processors: [
+ part1713,
+ select386,
+ dup325,
+ ],
+ on_success: processor_chain([
+ dup144,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1099 = msg("00554", all353);
+
+ var part1717 = match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini file, the AV pattern file size is zero.%{}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1100 = msg("00554:01", part1717);
+
+ var part1718 = match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file size is too large (%{bytes->} bytes).", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1101 = msg("00554:02", part1718);
+
+ var part1719 = match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV pattern file server URL is too long: %{bytes->} bytes. Max: %{fld2->} bytes.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1102 = msg("00554:03", part1719);
+
+ var part1720 = match("MESSAGE#1087:00554:04/0", "nwparser.payload", "SCAN-MGR: Cannot retrieve %{p0}");
+
+ var part1721 = match("MESSAGE#1087:00554:04/2", "nwparser.p0", "file from %{hostip}:%{network_port}. HTTP status code: %{fld2}.");
+
+ var all354 = all_match({
+ processors: [
+ part1720,
+ dup405,
+ part1721,
+ ],
+ on_success: processor_chain([
+ dup144,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1103 = msg("00554:04", all354);
+
+ var part1722 = match("MESSAGE#1088:00554:05/0", "nwparser.payload", "SCAN-MGR: Cannot write AV pattern file to %{p0}");
+
+ var part1723 = match("MESSAGE#1088:00554:05/1_0", "nwparser.p0", "RAM %{p0}");
+
+ var part1724 = match("MESSAGE#1088:00554:05/1_1", "nwparser.p0", "flash %{p0}");
+
+ var select387 = linear_select([
+ part1723,
+ part1724,
+ ]);
+
+ var all355 = all_match({
+ processors: [
+ part1722,
+ select387,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup144,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1104 = msg("00554:05", all355);
+
+ var part1725 = match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pattern file. VSAPI code: %{fld2}", processor_chain([
+ dup144,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1105 = msg("00554:06", part1725);
+
+ var part1726 = match("MESSAGE#1090:00554:07/0", "nwparser.payload", "SCAN-MGR: Internal error occurred while retrieving %{p0}");
+
+ var all356 = all_match({
+ processors: [
+ part1726,
+ dup405,
+ dup328,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1106 = msg("00554:07", all356);
+
+ var part1727 = match("MESSAGE#1091:00554:08/0", "nwparser.payload", "SCAN-MGR: Internal error occurred when calling this function: %{fld2}. %{fld3->} %{p0}");
+
+ var part1728 = match("MESSAGE#1091:00554:08/1_0", "nwparser.p0", "Error: %{resultcode->} %{p0}");
+
+ var part1729 = match("MESSAGE#1091:00554:08/1_1", "nwparser.p0", "Returned a NULL VSC handler %{p0}");
+
+ var part1730 = match("MESSAGE#1091:00554:08/1_2", "nwparser.p0", "cpapiErrCode: %{resultcode->} %{p0}");
+
+ var select388 = linear_select([
+ part1728,
+ part1729,
+ part1730,
+ ]);
+
+ var all357 = all_match({
+ processors: [
+ part1727,
+ select388,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1107 = msg("00554:08", all357);
+
+ var part1731 = match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompression layers has been set to %{fld2}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1108 = msg("00554:09", part1731);
+
+ var part1732 = match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content size has been set to %{fld2->} KB.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1109 = msg("00554:10", part1732);
+
+ var part1733 = match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of concurrent messages has been set to %{fld2}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1110 = msg("00554:11", part1733);
+
+ var part1734 = match("MESSAGE#1095:00554:12/0", "nwparser.payload", "SCAN-MGR: Fail mode has been set to %{p0}");
+
+ var part1735 = match("MESSAGE#1095:00554:12/1_0", "nwparser.p0", "drop %{p0}");
+
+ var part1736 = match("MESSAGE#1095:00554:12/1_1", "nwparser.p0", "pass %{p0}");
+
+ var select389 = linear_select([
+ part1735,
+ part1736,
+ ]);
+
+ var part1737 = match("MESSAGE#1095:00554:12/2", "nwparser.p0", "unexamined traffic if %{p0}");
+
+ var part1738 = match("MESSAGE#1095:00554:12/3_0", "nwparser.p0", "content size %{p0}");
+
+ var part1739 = match("MESSAGE#1095:00554:12/3_1", "nwparser.p0", "number of concurrent messages %{p0}");
+
+ var select390 = linear_select([
+ part1738,
+ part1739,
+ ]);
+
+ var part1740 = match("MESSAGE#1095:00554:12/4", "nwparser.p0", "exceeds max.%{}");
+
+ var all358 = all_match({
+ processors: [
+ part1734,
+ select389,
+ part1737,
+ select390,
+ part1740,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1111 = msg("00554:12", all358);
+
+ var part1741 = match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been set to %{fld2}, and the update interval to %{fld3->} minutes.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1112 = msg("00554:13", part1741);
+
+ var part1742 = match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1113 = msg("00554:14", part1742);
+
+ var part1743 = match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern file has been updated. Version: %{version}; size: %{bytes->} bytes.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1114 = msg("00554:15", part1743);
+
+ var part1744 = match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: %{fld2}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1115 = msg("00554:16", part1744);
+
+ var part1745 = match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load AV pattern file created %{fld2->} after the AV subscription expired. (Exp: %{fld3})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1116 = msg("00554:17", part1745);
+
+ var select391 = linear_select([
+ msg1099,
+ msg1100,
+ msg1101,
+ msg1102,
+ msg1103,
+ msg1104,
+ msg1105,
+ msg1106,
+ msg1107,
+ msg1108,
+ msg1109,
+ msg1110,
+ msg1111,
+ msg1112,
+ msg1113,
+ msg1114,
+ msg1115,
+ msg1116,
+ ]);
+
+ var part1746 = match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot process non-multicast address %{hostip}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1117 = msg("00555", part1746);
+
+ var part1747 = match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a request. Reason: %{result}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1118 = msg("00556", part1747);
+
+ var part1748 = match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a transaction. Reason: %{result}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1119 = msg("00556:01", part1748);
+
+ var part1749 = match("MESSAGE#1104:00556:02/0", "nwparser.payload", "UF-MGR: UF %{p0}");
+
+ var part1750 = match("MESSAGE#1104:00556:02/1_0", "nwparser.p0", "K%{p0}");
+
+ var part1751 = match("MESSAGE#1104:00556:02/1_1", "nwparser.p0", "k%{p0}");
+
+ var select392 = linear_select([
+ part1750,
+ part1751,
+ ]);
+
+ var part1752 = match("MESSAGE#1104:00556:02/2", "nwparser.p0", "ey %{p0}");
+
+ var part1753 = match("MESSAGE#1104:00556:02/3_0", "nwparser.p0", "Expired%{p0}");
+
+ var part1754 = match("MESSAGE#1104:00556:02/3_1", "nwparser.p0", "expired%{p0}");
+
+ var select393 = linear_select([
+ part1753,
+ part1754,
+ ]);
+
+ var part1755 = match("MESSAGE#1104:00556:02/4", "nwparser.p0", "%{}(expiration date: %{fld2}; current date: %{fld3}).");
+
+ var all359 = all_match({
+ processors: [
+ part1749,
+ select392,
+ part1752,
+ select393,
+ part1755,
+ ],
+ on_success: processor_chain([
+ dup254,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1120 = msg("00556:02", all359);
+
+ var part1756 = match("MESSAGE#1105:00556:03/0", "nwparser.payload", "UF-MGR: Failed to %{p0}");
+
+ var part1757 = match("MESSAGE#1105:00556:03/1_0", "nwparser.p0", "enable %{p0}");
+
+ var part1758 = match("MESSAGE#1105:00556:03/1_1", "nwparser.p0", "disable %{p0}");
+
+ var select394 = linear_select([
+ part1757,
+ part1758,
+ ]);
+
+ var part1759 = match("MESSAGE#1105:00556:03/2", "nwparser.p0", "cache.%{}");
+
+ var all360 = all_match({
+ processors: [
+ part1756,
+ select394,
+ part1759,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1121 = msg("00556:03", all360);
+
+ var part1760 = match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{resultcode}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1122 = msg("00556:04", part1760);
+
+ var part1761 = match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed to %{fld2}(K).", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1123 = msg("00556:05", part1761);
+
+ var part1762 = match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout changes to %{fld2->} (hours).", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1124 = msg("00556:06", part1762);
+
+ var part1763 = match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update interval changed to %{fld2->} (weeks).", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1125 = msg("00556:07", part1763);
+
+ var part1764 = match("MESSAGE#1110:00556:08/0", "nwparser.payload", "UF-MGR: Cache %{p0}");
+
+ var all361 = all_match({
+ processors: [
+ part1764,
+ dup358,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1126 = msg("00556:08", all361);
+
+ var part1765 = match("MESSAGE#1111:00556:09", "nwparser.payload", "UF-MGR: URL BLOCKED: ip_addr (%{fld2}) -> ip_addr (%{fld3}), %{fld4->} action: %{disposition}, category: %{fld5}, reason %{result}", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup282,
+ ]));
+
+ var msg1127 = msg("00556:09", part1765);
+
+ var part1766 = match("MESSAGE#1112:00556:10", "nwparser.payload", "UF-MGR: URL FILTER ERR: ip_addr (%{fld2}) -> ip_addr (%{fld3}), host: %{fld5->} page: %{fld4->} code: %{resultcode->} reason: %{result}.", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1128 = msg("00556:10", part1766);
+
+ var part1767 = match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server changed to %{fld2}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1129 = msg("00556:11", part1767);
+
+ var part1768 = match("MESSAGE#1114:00556:12/0", "nwparser.payload", "UF-MGR: %{fld2->} CPA server %{p0}");
+
+ var select395 = linear_select([
+ dup140,
+ dup169,
+ ]);
+
+ var part1769 = match("MESSAGE#1114:00556:12/2", "nwparser.p0", "changed to %{fld3}.");
+
+ var all362 = all_match({
+ processors: [
+ part1768,
+ select395,
+ part1769,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1130 = msg("00556:12", all362);
+
+ var part1770 = match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filtering %{disposition}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1131 = msg("00556:13", part1770);
+
+ var part1771 = match("MESSAGE#1116:00556:14/0", "nwparser.payload", "UF-MGR: The url %{url->} was %{p0}");
+
+ var part1772 = match("MESSAGE#1116:00556:14/2", "nwparser.p0", "category %{fld2}.");
+
+ var all363 = all_match({
+ processors: [
+ part1771,
+ dup406,
+ part1772,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1132 = msg("00556:14", all363);
+
+ var part1773 = match("MESSAGE#1117:00556:15/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was %{p0}");
+
+ var part1774 = match("MESSAGE#1117:00556:15/2", "nwparser.p0", "profile %{fld3->} with action %{disposition}.");
+
+ var all364 = all_match({
+ processors: [
+ part1773,
+ dup406,
+ part1774,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup282,
+ ]),
+ });
+
+ var msg1133 = msg("00556:15", all364);
+
+ var part1775 = match("MESSAGE#1118:00556:16/0", "nwparser.payload", "UF-MGR: The %{p0}");
+
+ var part1776 = match("MESSAGE#1118:00556:16/1_0", "nwparser.p0", "profile %{p0}");
+
+ var part1777 = match("MESSAGE#1118:00556:16/1_1", "nwparser.p0", "category %{p0}");
+
+ var select396 = linear_select([
+ part1776,
+ part1777,
+ ]);
+
+ var part1778 = match("MESSAGE#1118:00556:16/2", "nwparser.p0", "%{fld2->} was %{p0}");
+
+ var select397 = linear_select([
+ dup104,
+ dup120,
+ ]);
+
+ var all365 = all_match({
+ processors: [
+ part1775,
+ select396,
+ part1778,
+ select397,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1134 = msg("00556:16", all365);
+
+ var part1779 = match("MESSAGE#1119:00556:17/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was set in profile %{profile->} as the %{p0}");
+
+ var part1780 = match("MESSAGE#1119:00556:17/1_0", "nwparser.p0", "black %{p0}");
+
+ var part1781 = match("MESSAGE#1119:00556:17/1_1", "nwparser.p0", "white %{p0}");
+
+ var select398 = linear_select([
+ part1780,
+ part1781,
+ ]);
+
+ var part1782 = match("MESSAGE#1119:00556:17/2", "nwparser.p0", "list.%{}");
+
+ var all366 = all_match({
+ processors: [
+ part1779,
+ select398,
+ part1782,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1135 = msg("00556:17", all366);
+
+ var part1783 = match("MESSAGE#1120:00556:18/0", "nwparser.payload", "UF-MGR: The action for %{fld2->} in profile %{profile->} was %{p0}");
+
+ var part1784 = match("MESSAGE#1120:00556:18/1_1", "nwparser.p0", "changed %{p0}");
+
+ var select399 = linear_select([
+ dup101,
+ part1784,
+ ]);
+
+ var part1785 = match("MESSAGE#1120:00556:18/2", "nwparser.p0", "to %{fld3}.");
+
+ var all367 = all_match({
+ processors: [
+ part1783,
+ select399,
+ part1785,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1136 = msg("00556:18", all367);
+
+ var part1786 = match("MESSAGE#1121:00556:20/0", "nwparser.payload", "UF-MGR: The category list from the CPA server %{p0}");
+
+ var part1787 = match("MESSAGE#1121:00556:20/2", "nwparser.p0", "updated on%{p0}");
+
+ var select400 = linear_select([
+ dup103,
+ dup96,
+ ]);
+
+ var part1788 = match("MESSAGE#1121:00556:20/4", "nwparser.p0", "the device.%{}");
+
+ var all368 = all_match({
+ processors: [
+ part1786,
+ dup355,
+ part1787,
+ select400,
+ part1788,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1137 = msg("00556:20", all368);
+
+ var part1789 = match("MESSAGE#1122:00556:21", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} action: %{disposition}, category: %{category}, reason: %{result->} (%{fld1})", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup282,
+ ]));
+
+ var msg1138 = msg("00556:21", part1789);
+
+ var part1790 = match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} (%{fld1})", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1139 = msg("00556:22", part1790);
+
+ var select401 = linear_select([
+ msg1118,
+ msg1119,
+ msg1120,
+ msg1121,
+ msg1122,
+ msg1123,
+ msg1124,
+ msg1125,
+ msg1126,
+ msg1127,
+ msg1128,
+ msg1129,
+ msg1130,
+ msg1131,
+ msg1132,
+ msg1133,
+ msg1134,
+ msg1135,
+ msg1136,
+ msg1137,
+ msg1138,
+ msg1139,
+ ]);
+
+ var part1791 = match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interface->} is %{fld2}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1140 = msg("00572", part1791);
+
+ var part1792 = match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on interface %{interface}: %{result}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1141 = msg("00572:01", part1792);
+
+ var part1793 = match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface->} is %{disposition->} by receiving Terminate-Request. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1142 = msg("00572:03", part1793);
+
+ var select402 = linear_select([
+ msg1140,
+ msg1141,
+ msg1142,
+ ]);
+
+ var part1794 = match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" rebuilding lookup tree for virtual router \"%{node}\". (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg1143 = msg("00615", part1794);
+
+ var part1795 = match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" lookup tree rebuilt successfully in virtual router \"%{node}\". (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg1144 = msg("00615:01", part1795);
+
+ var select403 = linear_select([
+ msg1143,
+ msg1144,
+ ]);
+
+ var part1796 = match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}, through policy %{policyname}. Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg1145 = msg("00601", part1796);
+
+ var part1797 = match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detected from %{saddr}/%{sport->} to %{daddr}/%{dport->} through policy %{policyname->} %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg1146 = msg("00601:01", part1797);
+
+ var part1798 = match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multicast.%{}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1147 = msg("00601:18", part1798);
+
+ var select404 = linear_select([
+ msg1145,
+ msg1146,
+ msg1147,
+ ]);
+
+ var part1799 = match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing interface state change%{}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1148 = msg("00602", part1799);
+
+ var part1800 = match("MESSAGE#1133:00612/0", "nwparser.payload", "Switch event: the status of ethernet port %{fld2->} changed to link %{p0}");
+
+ var part1801 = match("MESSAGE#1133:00612/2", "nwparser.p0", ", duplex %{p0}");
+
+ var part1802 = match("MESSAGE#1133:00612/3_0", "nwparser.p0", "full %{p0}");
+
+ var part1803 = match("MESSAGE#1133:00612/3_1", "nwparser.p0", "half %{p0}");
+
+ var select405 = linear_select([
+ part1802,
+ part1803,
+ ]);
+
+ var part1804 = match("MESSAGE#1133:00612/4", "nwparser.p0", ", speed 10%{p0}");
+
+ var part1805 = match("MESSAGE#1133:00612/5_0", "nwparser.p0", "0 %{p0}");
+
+ var select406 = linear_select([
+ part1805,
+ dup96,
+ ]);
+
+ var part1806 = match("MESSAGE#1133:00612/6", "nwparser.p0", "M. (%{fld1})");
+
+ var all369 = all_match({
+ processors: [
+ part1800,
+ dup353,
+ part1801,
+ select405,
+ part1804,
+ select406,
+ part1806,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1149 = msg("00612", all369);
+
+ var part1807 = match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send all the DRP routes to backup device. (%{fld1})", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1150 = msg("00620", part1807);
+
+ var part1808 = match("MESSAGE#1135:00620:01/0", "nwparser.payload", "RTSYNC: %{p0}");
+
+ var part1809 = match("MESSAGE#1135:00620:01/1_0", "nwparser.p0", "Serviced%{p0}");
+
+ var part1810 = match("MESSAGE#1135:00620:01/1_1", "nwparser.p0", "Recieved%{p0}");
+
+ var select407 = linear_select([
+ part1809,
+ part1810,
+ ]);
+
+ var part1811 = match("MESSAGE#1135:00620:01/2", "nwparser.p0", "%{}coldstart request for route synchronization from NSRP peer. (%{fld1})");
+
+ var all370 = all_match({
+ processors: [
+ part1808,
+ select407,
+ part1811,
+ ],
+ on_success: processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1151 = msg("00620:01", all370);
+
+ var part1812 = match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to purge all the DRP backup routes - %{fld2->} (%{fld1})", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1152 = msg("00620:02", part1812);
+
+ var part1813 = match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purge backup routes in all vrouters. (%{fld1})", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1153 = msg("00620:03", part1813);
+
+ var part1814 = match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the DRP backup routes is stopped. (%{fld1})", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1154 = msg("00620:04", part1814);
+
+ var select408 = linear_select([
+ msg1150,
+ msg1151,
+ msg1152,
+ msg1153,
+ msg1154,
+ ]);
+
+ var part1815 = match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual router %{node->} is created. (%{fld1})", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1155 = msg("00622", part1815);
+
+ var part1816 = match("MESSAGE#1140:00625/0", "nwparser.payload", "Session (id %{sessionid->} src-ip %{saddr->} dst-ip %{daddr->} dst port %{dport}) route is %{p0}");
+
+ var part1817 = match("MESSAGE#1140:00625/1_0", "nwparser.p0", "invalid%{p0}");
+
+ var part1818 = match("MESSAGE#1140:00625/1_1", "nwparser.p0", "valid%{p0}");
+
+ var select409 = linear_select([
+ part1817,
+ part1818,
+ ]);
+
+ var all371 = all_match({
+ processors: [
+ part1816,
+ select409,
+ dup49,
+ ],
+ on_success: processor_chain([
+ dup273,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg1156 = msg("00625", all371);
+
+ var part1819 = match("MESSAGE#1141:00628/0", "nwparser.payload", "audit log queue %{p0}");
+
+ var part1820 = match("MESSAGE#1141:00628/1_0", "nwparser.p0", "Traffic Log %{p0}");
+
+ var part1821 = match("MESSAGE#1141:00628/1_1", "nwparser.p0", "Event Alarm Log %{p0}");
+
+ var part1822 = match("MESSAGE#1141:00628/1_2", "nwparser.p0", "Event Log %{p0}");
+
+ var select410 = linear_select([
+ part1820,
+ part1821,
+ part1822,
+ ]);
+
+ var part1823 = match("MESSAGE#1141:00628/2", "nwparser.p0", "is overwritten (%{fld1})");
+
+ var all372 = all_match({
+ processors: [
+ part1819,
+ select410,
+ part1823,
+ ],
+ on_success: processor_chain([
+ dup223,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg1157 = msg("00628", all372);
+
+ var part1824 = match("MESSAGE#1142:00767:50", "nwparser.payload", "Log setting was modified to %{disposition->} %{fld2->} level by admin %{administrator->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ dup282,
+ ]));
+
+ var msg1158 = msg("00767:50", part1824);
+
+ var part1825 = match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg1159 = msg("00767:51", part1825);
+
+ var part1826 = match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg1160 = msg("00767:52", part1826);
+
+ var part1827 = match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is added to attack group %{group->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg1161 = msg("00767:53", part1827);
+
+ var part1828 = match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID server%{}", processor_chain([
+ dup27,
+ setc("ec_theme","Communication"),
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1162 = msg("00767", part1828);
+
+ var part1829 = match("MESSAGE#1147:00767:01/0", "nwparser.payload", "System auto-config of file %{fld2->} from TFTP server %{hostip->} has %{p0}");
+
+ var part1830 = match("MESSAGE#1147:00767:01/1_0", "nwparser.p0", "been loaded successfully%{}");
+
+ var part1831 = match("MESSAGE#1147:00767:01/1_1", "nwparser.p0", "failed%{}");
+
+ var select411 = linear_select([
+ part1830,
+ part1831,
+ ]);
+
+ var all373 = all_match({
+ processors: [
+ part1829,
+ select411,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1163 = msg("00767:01", all373);
+
+ var part1832 = match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config saved from host %{saddr}", processor_chain([
+ setc("eventcategory","1702000000"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1164 = msg("00767:02", part1832);
+
+ var part1833 = match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filename %(unknown)", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1165 = msg("00767:03", part1833);
+
+ var part1834 = match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1166 = msg("00767:04", part1834);
+
+ var part1835 = match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact the SecurID server%{}", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1167 = msg("00767:05", part1835);
+
+ var part1836 = match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data to the SecurID server%{}", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1168 = msg("00767:06", part1836);
+
+ var part1837 = match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was saved from peer unit by admin%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1169 = msg("00767:07", part1837);
+
+ var part1838 = match("MESSAGE#1154:00767:08/0", "nwparser.payload", "The system configuration was saved by admin %{p0}");
+
+ var all374 = all_match({
+ processors: [
+ part1838,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1170 = msg("00767:08", all374);
+
+ var part1839 = match("MESSAGE#1155:00767:09/0", "nwparser.payload", "traffic shaping is turned O%{p0}");
+
+ var part1840 = match("MESSAGE#1155:00767:09/1_0", "nwparser.p0", "N%{}");
+
+ var part1841 = match("MESSAGE#1155:00767:09/1_1", "nwparser.p0", "FF%{}");
+
+ var select412 = linear_select([
+ part1840,
+ part1841,
+ ]);
+
+ var all375 = all_match({
+ processors: [
+ part1839,
+ select412,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1171 = msg("00767:09", all375);
+
+ var part1842 = match("MESSAGE#1156:00767:10/0", "nwparser.payload", "The system configuration was saved from host %{saddr->} by admin %{p0}");
+
+ var all376 = all_match({
+ processors: [
+ part1842,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1172 = msg("00767:10", all376);
+
+ var part1843 = match("MESSAGE#1157:00767:11/0", "nwparser.payload", "Fatal error. The NetScreen device was unable to upgrade the %{p0}");
+
+ var part1844 = match("MESSAGE#1157:00767:11/1_1", "nwparser.p0", "file system %{p0}");
+
+ var select413 = linear_select([
+ dup331,
+ part1844,
+ ]);
+
+ var part1845 = match("MESSAGE#1157:00767:11/2", "nwparser.p0", ", and the %{p0}");
+
+ var part1846 = match("MESSAGE#1157:00767:11/3_1", "nwparser.p0", "old file system %{p0}");
+
+ var select414 = linear_select([
+ dup331,
+ part1846,
+ ]);
+
+ var part1847 = match("MESSAGE#1157:00767:11/4", "nwparser.p0", "is damaged.%{}");
+
+ var all377 = all_match({
+ processors: [
+ part1843,
+ select413,
+ part1845,
+ select414,
+ part1847,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1173 = msg("00767:11", all377);
+
+ var part1848 = match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1174 = msg("00767:12", part1848);
+
+ var part1849 = match("MESSAGE#1159:00767:13/0", "nwparser.payload", "%{fld2}Environment variable %{fld3->} is changed to %{fld4->} by admin %{p0}");
+
+ var all378 = all_match({
+ processors: [
+ part1849,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1175 = msg("00767:13", all378);
+
+ var part1850 = match("MESSAGE#1160:00767:14/0", "nwparser.payload", "System was %{p0}");
+
+ var part1851 = match("MESSAGE#1160:00767:14/1_0", "nwparser.p0", "reset %{p0}");
+
+ var select415 = linear_select([
+ part1851,
+ dup262,
+ ]);
+
+ var part1852 = match("MESSAGE#1160:00767:14/2", "nwparser.p0", "at %{fld2->} by %{p0}");
+
+ var part1853 = match("MESSAGE#1160:00767:14/3_0", "nwparser.p0", "admin %{administrator}");
+
+ var part1854 = match_copy("MESSAGE#1160:00767:14/3_1", "nwparser.p0", "username");
+
+ var select416 = linear_select([
+ part1853,
+ part1854,
+ ]);
+
+ var all379 = all_match({
+ processors: [
+ part1850,
+ select415,
+ part1852,
+ select416,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1176 = msg("00767:14", all379);
+
+ var part1855 = match("MESSAGE#1161:00767:15/1_0", "nwparser.p0", "System %{p0}");
+
+ var part1856 = match("MESSAGE#1161:00767:15/1_1", "nwparser.p0", "Event %{p0}");
+
+ var part1857 = match("MESSAGE#1161:00767:15/1_2", "nwparser.p0", "Traffic %{p0}");
+
+ var select417 = linear_select([
+ part1855,
+ part1856,
+ part1857,
+ ]);
+
+ var part1858 = match("MESSAGE#1161:00767:15/2", "nwparser.p0", "log was reviewed by %{p0}");
+
+ var part1859 = match("MESSAGE#1161:00767:15/4", "nwparser.p0", "%{} %{username}.");
+
+ var all380 = all_match({
+ processors: [
+ dup183,
+ select417,
+ part1858,
+ dup336,
+ part1859,
+ ],
+ on_success: processor_chain([
+ dup223,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1177 = msg("00767:15", all380);
+
+ var part1860 = match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administrator->} issued command %{info->} to redirect output.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1178 = msg("00767:16", part1860);
+
+ var part1861 = match("MESSAGE#1163:00767:17/0", "nwparser.payload", "%{fld2->} Save new software from %{fld3->} to flash by admin %{p0}");
+
+ var all381 = all_match({
+ processors: [
+ part1861,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1179 = msg("00767:17", all381);
+
+ var part1862 = match("MESSAGE#1164:00767:18", "nwparser.payload", "Attack database version %{version->} has been %{fld2->} saved to flash.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1180 = msg("00767:18", part1862);
+
+ var part1863 = match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{version->} was rejected because the authentication check failed.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1181 = msg("00767:19", part1863);
+
+ var part1864 = match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version of the RADIUS server %{hostname->} does not match %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1182 = msg("00767:20", part1864);
+
+ var part1865 = match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, %{fld4}) cleared %{fld5}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1183 = msg("00767:21", part1865);
+
+ var part1866 = match("MESSAGE#1168:00767:22/0", "nwparser.payload", "The system configuration was not saved %{p0}");
+
+ var part1867 = match("MESSAGE#1168:00767:22/1_0", "nwparser.p0", "%{fld2->} by admin %{administrator->} via NSRP Peer %{p0}");
+
+ var part1868 = match("MESSAGE#1168:00767:22/1_1", "nwparser.p0", "%{fld2->} %{p0}");
+
+ var select418 = linear_select([
+ part1867,
+ part1868,
+ ]);
+
+ var part1869 = match("MESSAGE#1168:00767:22/2", "nwparser.p0", "by administrator %{fld3}. %{p0}");
+
+ var part1870 = match("MESSAGE#1168:00767:22/3_0", "nwparser.p0", "It was locked %{p0}");
+
+ var part1871 = match("MESSAGE#1168:00767:22/3_1", "nwparser.p0", "Locked %{p0}");
+
+ var select419 = linear_select([
+ part1870,
+ part1871,
+ ]);
+
+ var part1872 = match("MESSAGE#1168:00767:22/4", "nwparser.p0", "by administrator %{fld4->} %{p0}");
+
+ var all382 = all_match({
+ processors: [
+ part1866,
+ select418,
+ part1869,
+ select419,
+ part1872,
+ dup354,
+ ],
+ on_success: processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1184 = msg("00767:22", all382);
+
+ var part1873 = match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot filename %{filename->} to flash memory by administrator %{administrator}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1185 = msg("00767:23", part1873);
+
+ var part1874 = match("MESSAGE#1170:00767:25/0", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from %{p0}");
+
+ var select420 = linear_select([
+ dup169,
+ dup16,
+ ]);
+
+ var part1875 = match("MESSAGE#1170:00767:25/3_0", "nwparser.p0", "%{saddr}:%{sport->} by %{p0}");
+
+ var part1876 = match("MESSAGE#1170:00767:25/3_1", "nwparser.p0", "%{saddr->} by %{p0}");
+
+ var select421 = linear_select([
+ part1875,
+ part1876,
+ ]);
+
+ var all383 = all_match({
+ processors: [
+ part1874,
+ select420,
+ dup23,
+ select421,
+ dup108,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1186 = msg("00767:25", all383);
+
+ var part1877 = match("MESSAGE#1171:00767:26/0", "nwparser.payload", "Lock configuration %{p0}");
+
+ var part1878 = match("MESSAGE#1171:00767:26/1_0", "nwparser.p0", "started%{p0}");
+
+ var part1879 = match("MESSAGE#1171:00767:26/1_1", "nwparser.p0", "ended%{p0}");
+
+ var select422 = linear_select([
+ part1878,
+ part1879,
+ ]);
+
+ var part1880 = match("MESSAGE#1171:00767:26/2", "nwparser.p0", "%{}by task %{p0}");
+
+ var part1881 = match("MESSAGE#1171:00767:26/3_0", "nwparser.p0", "%{fld3}, with a timeout value of %{fld2}");
+
+ var part1882 = match("MESSAGE#1171:00767:26/3_1", "nwparser.p0", "%{fld2->} (%{fld1})");
+
+ var select423 = linear_select([
+ part1881,
+ part1882,
+ ]);
+
+ var all384 = all_match({
+ processors: [
+ part1877,
+ select422,
+ part1880,
+ select423,
+ ],
+ on_success: processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1187 = msg("00767:26", all384);
+
+ var part1883 = match("MESSAGE#1172:00767:27/0", "nwparser.payload", "Environment variable %{fld2->} changed to %{p0}");
+
+ var part1884 = match("MESSAGE#1172:00767:27/1_0", "nwparser.p0", "%{fld3->} by %{username->} (%{fld1})");
+
+ var part1885 = match_copy("MESSAGE#1172:00767:27/1_1", "nwparser.p0", "fld3");
+
+ var select424 = linear_select([
+ part1884,
+ part1885,
+ ]);
+
+ var all385 = all_match({
+ processors: [
+ part1883,
+ select424,
+ ],
+ on_success: processor_chain([
+ dup223,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1188 = msg("00767:27", all385);
+
+ var part1886 = match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was loaded from IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1189 = msg("00767:28", part1886);
+
+ var part1887 = match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1190 = msg("00767:29", part1887);
+
+ var part1888 = match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configuration was saved from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1191 = msg("00767:30", part1888);
+
+ var part1889 = match("MESSAGE#1176:00767:31/1_0", "nwparser.p0", "logged events or alarms %{p0}");
+
+ var part1890 = match("MESSAGE#1176:00767:31/1_1", "nwparser.p0", "traffic logs %{p0}");
+
+ var select425 = linear_select([
+ part1889,
+ part1890,
+ ]);
+
+ var part1891 = match("MESSAGE#1176:00767:31/2", "nwparser.p0", "were cleared by admin %{p0}");
+
+ var all386 = all_match({
+ processors: [
+ dup186,
+ select425,
+ part1891,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1192 = msg("00767:31", all386);
+
+ var part1892 = match("MESSAGE#1177:00767:32/0", "nwparser.payload", "SIP parser error %{p0}");
+
+ var part1893 = match("MESSAGE#1177:00767:32/1_0", "nwparser.p0", "SIP-field%{p0}");
+
+ var part1894 = match("MESSAGE#1177:00767:32/1_1", "nwparser.p0", "Message%{p0}");
+
+ var select426 = linear_select([
+ part1893,
+ part1894,
+ ]);
+
+ var part1895 = match("MESSAGE#1177:00767:32/2", "nwparser.p0", ": %{result}(%{fld1})");
+
+ var all387 = all_match({
+ processors: [
+ part1892,
+ select426,
+ part1895,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1193 = msg("00767:32", all387);
+
+ var part1896 = match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has started. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1194 = msg("00767:33", part1896);
+
+ var part1897 = match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not support multiple IP addresses %{hostip->} or ports %{network_port->} in SIP headers RESPONSE (%{fld1})", processor_chain([
+ dup313,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1195 = msg("00767:34", part1897);
+
+ var part1898 = match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2->} set to %{fld3->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1196 = msg("00767:35", part1898);
+
+ var part1899 = match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved from %{fld2->} by %{username->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1197 = msg("00767:36", part1899);
+
+ var part1900 = match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to download to enable advanced features. %{space->} To find out, please visit %{url->} (%{fld1})", processor_chain([
+ dup254,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1198 = msg("00767:37", part1900);
+
+ var part1901 = match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and remaining messages were sent to external destination. %{fld2->} packets were dropped. (%{fld1})", processor_chain([
+ setc("eventcategory","1602000000"),
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1199 = msg("00767:38", part1901);
+
+ var part1902 = match("MESSAGE#1184:00767:39/0", "nwparser.payload", "Cannot %{p0}");
+
+ var part1903 = match("MESSAGE#1184:00767:39/1_0", "nwparser.p0", "download %{p0}");
+
+ var part1904 = match("MESSAGE#1184:00767:39/1_1", "nwparser.p0", "parse %{p0}");
+
+ var select427 = linear_select([
+ part1903,
+ part1904,
+ ]);
+
+ var part1905 = match("MESSAGE#1184:00767:39/2", "nwparser.p0", "attack database %{p0}");
+
+ var part1906 = match("MESSAGE#1184:00767:39/3_0", "nwparser.p0", "from %{url->} (%{result}). %{p0}");
+
+ var part1907 = match("MESSAGE#1184:00767:39/3_1", "nwparser.p0", "%{fld2->} %{p0}");
+
+ var select428 = linear_select([
+ part1906,
+ part1907,
+ ]);
+
+ var all388 = all_match({
+ processors: [
+ part1902,
+ select427,
+ part1905,
+ select428,
+ dup10,
+ ],
+ on_success: processor_chain([
+ dup324,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1200 = msg("00767:39", all388);
+
+ var part1908 = match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key is %{disposition}. (%{fld1})", processor_chain([
+ dup62,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1201 = msg("00767:40", part1908);
+
+ var part1909 = match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1202 = msg("00767:42", part1909);
+
+ var part1910 = match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1203 = msg("00767:43", part1910);
+
+ var part1911 = match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind by %{fld2->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1204 = msg("00767:44", part1911);
+
+ var part1912 = match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{version->} is saved to flash. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1205 = msg("00767:45", part1912);
+
+ var part1913 = match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved by netscreen via %{logon_type->} by netscreen. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1206 = msg("00767:46", part1913);
+
+ var part1914 = match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs to a different group in the RADIUS server than that allowed in the device. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg1207 = msg("00767:47", part1914);
+
+ var part1915 = match("MESSAGE#1192:00767:24/0", "nwparser.payload", "System configuration saved by %{p0}");
+
+ var part1916 = match("MESSAGE#1192:00767:24/2", "nwparser.p0", "%{logon_type->} by %{fld2->} (%{fld1})");
+
+ var all389 = all_match({
+ processors: [
+ part1915,
+ dup364,
+ part1916,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1208 = msg("00767:24", all389);
+
+ var part1917 = match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. (%{fld1})", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1209 = msg("00767:48", part1917);
+
+ var part1918 = match("MESSAGE#1194:00767:49/0", "nwparser.payload", "%{fld2->} turn o%{p0}");
+
+ var part1919 = match("MESSAGE#1194:00767:49/1_0", "nwparser.p0", "n%{p0}");
+
+ var part1920 = match("MESSAGE#1194:00767:49/1_1", "nwparser.p0", "ff%{p0}");
+
+ var select429 = linear_select([
+ part1919,
+ part1920,
+ ]);
+
+ var part1921 = match("MESSAGE#1194:00767:49/2", "nwparser.p0", "%{}debug switch for %{fld3->} (%{fld1})");
+
+ var all390 = all_match({
+ processors: [
+ part1918,
+ select429,
+ part1921,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg1210 = msg("00767:49", all390);
+
+ var select430 = linear_select([
+ msg1158,
+ msg1159,
+ msg1160,
+ msg1161,
+ msg1162,
+ msg1163,
+ msg1164,
+ msg1165,
+ msg1166,
+ msg1167,
+ msg1168,
+ msg1169,
+ msg1170,
+ msg1171,
+ msg1172,
+ msg1173,
+ msg1174,
+ msg1175,
+ msg1176,
+ msg1177,
+ msg1178,
+ msg1179,
+ msg1180,
+ msg1181,
+ msg1182,
+ msg1183,
+ msg1184,
+ msg1185,
+ msg1186,
+ msg1187,
+ msg1188,
+ msg1189,
+ msg1190,
+ msg1191,
+ msg1192,
+ msg1193,
+ msg1194,
+ msg1195,
+ msg1196,
+ msg1197,
+ msg1198,
+ msg1199,
+ msg1200,
+ msg1201,
+ msg1202,
+ msg1203,
+ msg1204,
+ msg1205,
+ msg1206,
+ msg1207,
+ msg1208,
+ msg1209,
+ msg1210,
+ ]);
+
+ var part1922 = match("MESSAGE#1195:01269", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup277,
+ dup3,
+ dup275,
+ dup60,
+ ]));
+
+ var msg1211 = msg("01269", part1922);
+
+ var msg1212 = msg("01269:01", dup407);
+
+ var msg1213 = msg("01269:02", dup408);
+
+ var msg1214 = msg("01269:03", dup409);
+
+ var select431 = linear_select([
+ msg1211,
+ msg1212,
+ msg1213,
+ msg1214,
+ ]);
+
+ var part1923 = match("MESSAGE#1199:17852", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup276,
+ dup277,
+ dup275,
+ dup332,
+ ]));
+
+ var msg1215 = msg("17852", part1923);
+
+ var part1924 = match("MESSAGE#1200:17852:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup332,
+ dup282,
+ ]));
+
+ var msg1216 = msg("17852:01", part1924);
+
+ var part1925 = match("MESSAGE#1201:17852:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup276,
+ dup277,
+ dup61,
+ ]));
+
+ var msg1217 = msg("17852:02", part1925);
+
+ var part1926 = match("MESSAGE#1202:17852:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup332,
+ dup282,
+ ]));
+
+ var msg1218 = msg("17852:03", part1926);
+
+ var select432 = linear_select([
+ msg1215,
+ msg1216,
+ msg1217,
+ msg1218,
+ ]);
+
+ var msg1219 = msg("23184", dup410);
+
+ var part1927 = match("MESSAGE#1204:23184:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup61,
+ dup282,
+ ]));
+
+ var msg1220 = msg("23184:01", part1927);
+
+ var part1928 = match("MESSAGE#1205:23184:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup276,
+ dup277,
+ dup275,
+ dup61,
+ ]));
+
+ var msg1221 = msg("23184:02", part1928);
+
+ var part1929 = match("MESSAGE#1206:23184:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup332,
+ dup282,
+ ]));
+
+ var msg1222 = msg("23184:03", part1929);
+
+ var select433 = linear_select([
+ msg1219,
+ msg1220,
+ msg1221,
+ msg1222,
+ ]);
+
+ var msg1223 = msg("27052", dup410);
+
+ var part1930 = match("MESSAGE#1208:27052:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol}direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup61,
+ dup282,
+ ]));
+
+ var msg1224 = msg("27052:01", part1930);
+
+ var select434 = linear_select([
+ msg1223,
+ msg1224,
+ ]);
+
+ var part1931 = match("MESSAGE#1209:39568", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup277,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup276,
+ dup60,
+ ]));
+
+ var msg1225 = msg("39568", part1931);
+
+ var msg1226 = msg("39568:01", dup407);
+
+ var msg1227 = msg("39568:02", dup408);
+
+ var msg1228 = msg("39568:03", dup409);
+
+ var select435 = linear_select([
+ msg1225,
+ msg1226,
+ msg1227,
+ msg1228,
+ ]);
+
+ var chain1 = processor_chain([
+ select2,
+ msgid_select({
+ "00001": select6,
+ "00002": select29,
+ "00003": select31,
+ "00004": select33,
+ "00005": select39,
+ "00006": select40,
+ "00007": select63,
+ "00008": select66,
+ "00009": select83,
+ "00010": select86,
+ "00011": select100,
+ "00012": select101,
+ "00013": select102,
+ "00014": select104,
+ "00015": select114,
+ "00016": select115,
+ "00017": select125,
+ "00018": select138,
+ "00019": select147,
+ "00020": select150,
+ "00021": select151,
+ "00022": select163,
+ "00023": select164,
+ "00024": select170,
+ "00025": select171,
+ "00026": select176,
+ "00027": select184,
+ "00028": msg469,
+ "00029": select188,
+ "00030": select197,
+ "00031": select205,
+ "00032": select207,
+ "00033": select214,
+ "00034": select225,
+ "00035": select232,
+ "00036": select234,
+ "00037": select241,
+ "00038": msg660,
+ "00039": msg661,
+ "00040": select244,
+ "00041": select245,
+ "00042": select246,
+ "00043": msg668,
+ "00044": select248,
+ "00045": msg671,
+ "00047": msg672,
+ "00048": select257,
+ "00049": select258,
+ "00050": msg682,
+ "00051": msg683,
+ "00052": msg684,
+ "00055": select265,
+ "00056": msg696,
+ "00057": msg697,
+ "00058": msg698,
+ "00059": select272,
+ "00062": select273,
+ "00063": msg713,
+ "00064": select274,
+ "00070": select276,
+ "00071": select277,
+ "00072": select278,
+ "00073": select279,
+ "00074": msg726,
+ "00075": select280,
+ "00076": select281,
+ "00077": select282,
+ "00084": msg735,
+ "00090": msg736,
+ "00200": msg737,
+ "00201": msg738,
+ "00202": msg739,
+ "00203": msg740,
+ "00206": select285,
+ "00207": select286,
+ "00257": select291,
+ "00259": select294,
+ "00262": msg778,
+ "00263": msg779,
+ "00400": msg780,
+ "00401": msg781,
+ "00402": select296,
+ "00403": msg784,
+ "00404": msg785,
+ "00405": msg786,
+ "00406": msg787,
+ "00407": msg788,
+ "00408": msg789,
+ "00409": msg790,
+ "00410": select297,
+ "00411": msg793,
+ "00413": select298,
+ "00414": select299,
+ "00415": msg799,
+ "00423": msg800,
+ "00429": select300,
+ "00430": select301,
+ "00431": msg805,
+ "00432": msg806,
+ "00433": msg807,
+ "00434": msg808,
+ "00435": select302,
+ "00436": select303,
+ "00437": select304,
+ "00438": select305,
+ "00440": select306,
+ "00441": msg823,
+ "00442": msg824,
+ "00443": msg825,
+ "00511": select307,
+ "00513": msg841,
+ "00515": select328,
+ "00518": select331,
+ "00519": select336,
+ "00520": select339,
+ "00521": msg890,
+ "00522": msg891,
+ "00523": msg892,
+ "00524": select340,
+ "00525": select341,
+ "00526": msg912,
+ "00527": select348,
+ "00528": select354,
+ "00529": select357,
+ "00530": select358,
+ "00531": select362,
+ "00533": msg973,
+ "00534": msg974,
+ "00535": select363,
+ "00536": select365,
+ "00537": select366,
+ "00538": select372,
+ "00539": select373,
+ "00541": select375,
+ "00542": msg1062,
+ "00543": msg1063,
+ "00544": msg1064,
+ "00546": msg1065,
+ "00547": select379,
+ "00549": msg1070,
+ "00551": select381,
+ "00553": select385,
+ "00554": select391,
+ "00555": msg1117,
+ "00556": select401,
+ "00572": select402,
+ "00601": select404,
+ "00602": msg1148,
+ "00612": msg1149,
+ "00615": select403,
+ "00620": select408,
+ "00622": msg1155,
+ "00625": msg1156,
+ "00628": msg1157,
+ "00767": select430,
+ "01269": select431,
+ "17852": select432,
+ "23184": select433,
+ "27052": select434,
+ "39568": select435,
+ }),
+ ]);
+
+ var part1932 = match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}");
+
+ var part1933 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}");
+
+ var part1934 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})");
+
+ var part1935 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})");
+
+ var part1936 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1");
+
+ var part1937 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}");
+
+ var part1938 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}");
+
+ var part1939 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}");
+
+ var part1940 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}");
+
+ var part1941 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0");
+
+ var part1942 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} ");
+
+ var part1943 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", "");
+
+ var part1944 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}");
+
+ var part1945 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}");
+
+ var part1946 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}");
+
+ var part1947 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator");
+
+ var part1948 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition");
+
+ var part1949 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}");
+
+ var part1950 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})");
+
+ var part1951 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}");
+
+ var part1952 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}");
+
+ var part1953 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}");
+
+ var part1954 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}");
+
+ var part1955 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})");
+
+ var part1956 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}");
+
+ var part1957 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}");
+
+ var part1958 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}");
+
+ var part1959 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}");
+
+ var part1960 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}");
+
+ var part1961 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}");
+
+ var part1962 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}");
+
+ var part1963 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}");
+
+ var part1964 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})");
+
+ var part1965 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}");
+
+ var part1966 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}");
+
+ var part1967 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}");
+
+ var part1968 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}");
+
+ var part1969 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}");
+
+ var part1970 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}");
+
+ var part1971 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}");
+
+ var part1972 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}");
+
+ var part1973 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}");
+
+ var part1974 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}");
+
+ var part1975 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}");
+
+ var part1976 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}");
+
+ var part1977 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var part1978 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}");
+
+ var part1979 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}");
+
+ var part1980 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})");
+
+ var part1981 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}");
+
+ var part1982 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}");
+
+ var part1983 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}");
+
+ var part1984 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}");
+
+ var part1985 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}");
+
+ var part1986 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}");
+
+ var part1987 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}");
+
+ var part1988 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}");
+
+ var part1989 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}");
+
+ var part1990 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}");
+
+ var part1991 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}");
+
+ var part1992 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}");
+
+ var part1993 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}");
+
+ var part1994 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}");
+
+ var part1995 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}");
+
+ var part1996 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}");
+
+ var part1997 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}");
+
+ var part1998 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}");
+
+ var part1999 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}");
+
+ var part2000 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}");
+
+ var part2001 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}");
+
+ var part2002 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}");
+
+ var part2003 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}");
+
+ var part2004 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}");
+
+ var part2005 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}");
+
+ var part2006 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}");
+
+ var part2007 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}");
+
+ var part2008 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}");
+
+ var part2009 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}");
+
+ var part2010 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}");
+
+ var part2011 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}");
+
+ var part2012 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}");
+
+ var part2013 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}");
+
+ var part2014 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface");
+
+ var part2015 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}");
+
+ var part2016 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}");
+
+ var part2017 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}");
+
+ var part2018 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}.");
+
+ var part2019 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}");
+
+ var part2020 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}");
+
+ var part2021 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. (%{fld1})");
+
+ var part2022 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var part2023 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}");
+
+ var part2024 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}");
+
+ var part2025 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}");
+
+ var part2026 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}");
+
+ var part2027 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}");
+
+ var part2028 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}");
+
+ var part2029 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}");
+
+ var part2030 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}");
+
+ var part2031 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}");
+
+ var part2032 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}");
+
+ var part2033 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) ");
+
+ var part2034 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}");
+
+ var part2035 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}");
+
+ var part2036 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}");
+
+ var part2037 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}");
+
+ var part2038 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}");
+
+ var part2039 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}");
+
+ var part2040 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}");
+
+ var part2041 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}");
+
+ var part2042 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}");
+
+ var part2043 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}");
+
+ var part2044 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}");
+
+ var part2045 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}");
+
+ var part2046 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})");
+
+ var part2047 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}");
+
+ var part2048 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}");
+
+ var part2049 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}");
+
+ var part2050 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}");
+
+ var part2051 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}");
+
+ var part2052 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}");
+
+ var part2053 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}");
+
+ var part2054 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}");
+
+ var part2055 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}");
+
+ var part2056 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}");
+
+ var part2057 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}");
+
+ var part2058 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}");
+
+ var part2059 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}");
+
+ var part2060 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}");
+
+ var part2061 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}");
+
+ var part2062 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}");
+
+ var part2063 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}");
+
+ var part2064 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}");
+
+ var part2065 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}");
+
+ var part2066 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}");
+
+ var part2067 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}");
+
+ var part2068 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}");
+
+ var part2069 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}");
+
+ var part2070 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}");
+
+ var part2071 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}");
+
+ var part2072 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}");
+
+ var part2073 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}");
+
+ var part2074 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}");
+
+ var part2075 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}");
+
+ var part2076 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}");
+
+ var part2077 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}");
+
+ var part2078 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}");
+
+ var part2079 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}");
+
+ var part2080 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}");
+
+ var part2081 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}");
+
+ var part2082 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}");
+
+ var part2083 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}");
+
+ var part2084 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}");
+
+ var part2085 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}");
+
+ var part2086 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}");
+
+ var part2087 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}");
+
+ var part2088 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}");
+
+ var part2089 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}");
+
+ var part2090 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}");
+
+ var part2091 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}");
+
+ var part2092 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}");
+
+ var part2093 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}");
+
+ var part2094 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}");
+
+ var part2095 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}");
+
+ var part2096 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}");
+
+ var part2097 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}");
+
+ var part2098 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}");
+
+ var part2099 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})");
+
+ var part2100 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}");
+
+ var part2101 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}");
+
+ var part2102 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}");
+
+ var part2103 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}");
+
+ var part2104 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}");
+
+ var part2105 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}");
+
+ var part2106 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var part2107 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}");
+
+ var part2108 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}");
+
+ var part2109 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}");
+
+ var part2110 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}");
+
+ var part2111 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}");
+
+ var part2112 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}");
+
+ var part2113 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}");
+
+ var part2114 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}");
+
+ var part2115 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}");
+
+ var part2116 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}");
+
+ var part2117 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}");
+
+ var part2118 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}");
+
+ var part2119 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}");
+
+ var part2120 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}");
+
+ var part2121 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}");
+
+ var part2122 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}");
+
+ var part2123 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}");
+
+ var part2124 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}");
+
+ var part2125 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}");
+
+ var part2126 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}");
+
+ var part2127 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}");
+
+ var part2128 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}");
+
+ var part2129 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}");
+
+ var part2130 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}");
+
+ var part2131 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}");
+
+ var part2132 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}");
+
+ var part2133 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}");
+
+ var part2134 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}");
+
+ var part2135 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state");
+
+ var part2136 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}");
+
+ var part2137 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}");
+
+ var part2138 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}");
+
+ var part2139 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}");
+
+ var part2140 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr");
+
+ var part2141 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}");
+
+ var part2142 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}");
+
+ var part2143 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}");
+
+ var part2144 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times.");
+
+ var part2145 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.");
+
+ var part2146 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}");
+
+ var part2147 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var part2148 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var part2149 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}");
+
+ var part2150 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})");
+
+ var part2151 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}");
+
+ var part2152 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}");
+
+ var part2153 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}");
+
+ var part2154 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}");
+
+ var part2155 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}");
+
+ var part2156 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}");
+
+ var part2157 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}");
+
+ var part2158 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}");
+
+ var part2159 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}");
+
+ var part2160 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}");
+
+ var part2161 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}");
+
+ var part2162 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}");
+
+ var part2163 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}");
+
+ var part2164 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}");
+
+ var part2165 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}");
+
+ var part2166 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}");
+
+ var part2167 = match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}");
+
+ var part2168 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}");
+
+ var part2169 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}");
+
+ var part2170 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}");
+
+ var part2171 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}");
+
+ var part2172 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}");
+
+ var part2173 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}");
+
+ var part2174 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}");
+
+ var part2175 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}");
+
+ var select436 = linear_select([
+ dup10,
+ dup11,
+ ]);
+
+ var part2176 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var select437 = linear_select([
+ dup13,
+ dup14,
+ ]);
+
+ var select438 = linear_select([
+ dup15,
+ dup16,
+ ]);
+
+ var select439 = linear_select([
+ dup56,
+ dup57,
+ ]);
+
+ var select440 = linear_select([
+ dup65,
+ dup66,
+ ]);
+
+ var select441 = linear_select([
+ dup68,
+ dup69,
+ ]);
+
+ var select442 = linear_select([
+ dup71,
+ dup72,
+ ]);
+
+ var part2177 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var select443 = linear_select([
+ dup74,
+ dup75,
+ ]);
+
+ var select444 = linear_select([
+ dup81,
+ dup82,
+ ]);
+
+ var select445 = linear_select([
+ dup24,
+ dup90,
+ ]);
+
+ var select446 = linear_select([
+ dup94,
+ dup95,
+ ]);
+
+ var select447 = linear_select([
+ dup98,
+ dup99,
+ ]);
+
+ var select448 = linear_select([
+ dup100,
+ dup101,
+ dup102,
+ ]);
+
+ var select449 = linear_select([
+ dup113,
+ dup114,
+ ]);
+
+ var select450 = linear_select([
+ dup111,
+ dup16,
+ ]);
+
+ var select451 = linear_select([
+ dup127,
+ dup107,
+ ]);
+
+ var select452 = linear_select([
+ dup8,
+ dup21,
+ ]);
+
+ var select453 = linear_select([
+ dup122,
+ dup133,
+ ]);
+
+ var select454 = linear_select([
+ dup142,
+ dup143,
+ ]);
+
+ var select455 = linear_select([
+ dup145,
+ dup21,
+ ]);
+
+ var select456 = linear_select([
+ dup127,
+ dup106,
+ ]);
+
+ var select457 = linear_select([
+ dup152,
+ dup96,
+ ]);
+
+ var select458 = linear_select([
+ dup154,
+ dup155,
+ ]);
+
+ var select459 = linear_select([
+ dup156,
+ dup157,
+ ]);
+
+ var select460 = linear_select([
+ dup99,
+ dup134,
+ ]);
+
+ var select461 = linear_select([
+ dup158,
+ dup159,
+ ]);
+
+ var select462 = linear_select([
+ dup161,
+ dup162,
+ ]);
+
+ var select463 = linear_select([
+ dup163,
+ dup103,
+ ]);
+
+ var select464 = linear_select([
+ dup162,
+ dup161,
+ ]);
+
+ var select465 = linear_select([
+ dup46,
+ dup47,
+ ]);
+
+ var select466 = linear_select([
+ dup166,
+ dup167,
+ ]);
+
+ var select467 = linear_select([
+ dup172,
+ dup173,
+ ]);
+
+ var select468 = linear_select([
+ dup174,
+ dup175,
+ dup176,
+ dup177,
+ dup178,
+ dup179,
+ dup180,
+ dup181,
+ dup182,
+ ]);
+
+ var select469 = linear_select([
+ dup49,
+ dup21,
+ ]);
+
+ var select470 = linear_select([
+ dup189,
+ dup190,
+ ]);
+
+ var select471 = linear_select([
+ dup96,
+ dup152,
+ ]);
+
+ var select472 = linear_select([
+ dup196,
+ dup197,
+ ]);
+
+ var select473 = linear_select([
+ dup24,
+ dup200,
+ ]);
+
+ var select474 = linear_select([
+ dup103,
+ dup163,
+ ]);
+
+ var select475 = linear_select([
+ dup205,
+ dup118,
+ ]);
+
+ var part2178 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var select476 = linear_select([
+ dup212,
+ dup213,
+ ]);
+
+ var select477 = linear_select([
+ dup215,
+ dup216,
+ ]);
+
+ var select478 = linear_select([
+ dup222,
+ dup215,
+ ]);
+
+ var select479 = linear_select([
+ dup224,
+ dup225,
+ ]);
+
+ var select480 = linear_select([
+ dup231,
+ dup124,
+ ]);
+
+ var select481 = linear_select([
+ dup229,
+ dup230,
+ ]);
+
+ var select482 = linear_select([
+ dup233,
+ dup234,
+ ]);
+
+ var select483 = linear_select([
+ dup236,
+ dup237,
+ ]);
+
+ var select484 = linear_select([
+ dup242,
+ dup243,
+ ]);
+
+ var select485 = linear_select([
+ dup245,
+ dup246,
+ ]);
+
+ var select486 = linear_select([
+ dup247,
+ dup248,
+ ]);
+
+ var select487 = linear_select([
+ dup249,
+ dup250,
+ ]);
+
+ var select488 = linear_select([
+ dup251,
+ dup252,
+ ]);
+
+ var select489 = linear_select([
+ dup260,
+ dup261,
+ ]);
+
+ var select490 = linear_select([
+ dup264,
+ dup265,
+ ]);
+
+ var select491 = linear_select([
+ dup268,
+ dup269,
+ ]);
+
+ var part2179 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var select492 = linear_select([
+ dup284,
+ dup285,
+ ]);
+
+ var select493 = linear_select([
+ dup287,
+ dup288,
+ ]);
+
+ var part2180 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup4,
+ dup5,
+ dup3,
+ dup60,
+ ]));
+
+ var part2181 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup4,
+ dup59,
+ dup5,
+ dup9,
+ dup2,
+ dup3,
+ dup60,
+ ]));
+
+ var select494 = linear_select([
+ dup300,
+ dup26,
+ ]);
+
+ var select495 = linear_select([
+ dup115,
+ dup303,
+ ]);
+
+ var select496 = linear_select([
+ dup125,
+ dup96,
+ ]);
+
+ var select497 = linear_select([
+ dup189,
+ dup308,
+ dup309,
+ ]);
+
+ var select498 = linear_select([
+ dup310,
+ dup16,
+ ]);
+
+ var select499 = linear_select([
+ dup317,
+ dup318,
+ ]);
+
+ var select500 = linear_select([
+ dup319,
+ dup315,
+ ]);
+
+ var select501 = linear_select([
+ dup322,
+ dup250,
+ ]);
+
+ var select502 = linear_select([
+ dup327,
+ dup329,
+ ]);
+
+ var select503 = linear_select([
+ dup330,
+ dup129,
+ ]);
+
+ var part2182 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup60,
+ dup282,
+ ]));
+
+ var part2183 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup276,
+ dup277,
+ dup60,
+ ]));
+
+ var part2184 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup60,
+ dup282,
+ ]));
+
+ var part2185 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup276,
+ dup277,
+ dup61,
+ ]));
+
+ var all391 = all_match({
+ processors: [
+ dup263,
+ dup390,
+ dup266,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var all392 = all_match({
+ processors: [
+ dup267,
+ dup391,
+ dup270,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var all393 = all_match({
+ processors: [
+ dup80,
+ dup343,
+ dup293,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var all394 = all_match({
+ processors: [
+ dup296,
+ dup343,
+ dup131,
+ ],
+ on_success: processor_chain([
+ dup297,
+ dup2,
+ dup3,
+ dup9,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var all395 = all_match({
+ processors: [
+ dup298,
+ dup343,
+ dup131,
+ ],
+ on_success: processor_chain([
+ dup297,
+ dup2,
+ dup3,
+ dup9,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+- community_id:
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: dns.question.name
+ target_field: dns.question.registered_domain
+ target_subdomain_field: dns.question.subdomain
+ target_etld_field: dns.question.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: client.domain
+ target_field: client.registered_domain
+ target_subdomain_field: client.subdomain
+ target_etld_field: client.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: server.domain
+ target_field: server.registered_domain
+ target_subdomain_field: server.subdomain
+ target_etld_field: server.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/juniper_netscreen/0.3.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/juniper_netscreen/0.3.1/data_stream/log/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..0a6ba053fa
--- /dev/null
+++ b/packages/juniper_netscreen/0.3.1/data_stream/log/agent/stream/tcp.yml.hbs
@@ -0,0 +1,26354 @@
+tcp:
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Juniper"
+ product: "Netscreen"
+ type: "Firewall"
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+ }
+
+ function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local":
+ date = new Date();
+ // Reversing the sign as we the offset from UTC, not to UTC.
+ return parse_local_tz_offset(-date.getTimezoneOffset());
+ // event uses the tz offset from event.timezone (add_locale processor).
+ case "event":
+ return offset;
+ // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
+ default:
+ m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
+ if (m === null || m.length !== 4) {
+ throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM");
+ }
+ return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
+ }
+ }
+
+ function parse_local_tz_offset(minutes) {
+ var neg = minutes < 0;
+ minutes = Math.abs(minutes);
+ var min = minutes % 60;
+ var hours = Math.floor(minutes / 60);
+ var pad2digit = function(n) {
+ if (n < 10) { return "0" + n;}
+ return "" + n;
+ };
+ return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
+ }
+
+ function process(evt) {
+ // Function register is only called by the processor when `params` are set
+ // in the processor config.
+ if (device === undefined) {
+ register(defaults);
+ }
+ return device.process(evt);
+ }
+
+ function processor_chain(subprocessors) {
+ var builder = new processor.Chain();
+ subprocessors.forEach(builder.Add);
+ return builder.Build().Run;
+ }
+
+ function linear_select(subprocessors) {
+ return function (evt) {
+ var flags = evt.Get(FLAG_FIELD);
+ var i;
+ for (i = 0; i < subprocessors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ if (debug) console.warn("linear_select trying entry " + i);
+ subprocessors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) == null) break;
+ if (debug) console.warn("linear_select failed entry " + i);
+ }
+ if (flags !== null) {
+ evt.Put(FLAG_FIELD, flags);
+ }
+ if (debug) {
+ if (i < subprocessors.length) {
+ console.warn("linear_select matched entry " + i);
+ } else {
+ console.warn("linear_select didn't match");
+ }
+ }
+ };
+ }
+
+ function conditional(opt) {
+ return function(evt) {
+ if (opt.if(evt)) {
+ opt.then(evt);
+ } else if (opt.else) {
+ opt.else(evt);
+ }
+ };
+ }
+
+ var strip_syslog_priority = (function() {
+ var isEnabled = function() { return strip_priority === true; };
+ var fetchPRI = field("_pri");
+ var fetchPayload = field("payload");
+ var removePayload = remove(["payload"]);
+ var cleanup = remove(["_pri", "payload"]);
+ var onMatch = function(evt) {
+ var pri, priStr = fetchPRI(evt);
+ if (priStr != null
+ && 0 < priStr.length && priStr.length < 4
+ && !isNaN((pri = Number(priStr)))
+ && 0 <= pri && pri < 192) {
+ var severity = pri & 7,
+ facility = pri >> 3;
+ setc("_severity", "" + severity)(evt);
+ setc("_facility", "" + facility)(evt);
+ // Replace message with priority stripped.
+ evt.Put("message", fetchPayload(evt));
+ removePayload(evt);
+ } else {
+ // not a valid syslog PRI, cleanup.
+ cleanup(evt);
+ }
+ };
+ return conditional({
+ if: isEnabled,
+ then: cleanup_flags(match(
+ "STRIP_PRI",
+ "message",
+ "<%{_pri}>%{payload}",
+ onMatch
+ ))
+ });
+ })();
+
+ function match(id, src, pattern, on_success) {
+ var dissect = new processor.Dissect({
+ field: src,
+ tokenizer: pattern,
+ target_prefix: FIELDS_OBJECT,
+ ignore_failure: true,
+ overwrite_keys: true,
+ trim_values: "right"
+ });
+ return function (evt) {
+ var msg = evt.Get(src);
+ dissect.Run(evt);
+ var failed = evt.Get(FLAG_FIELD) != null;
+ if (debug) {
+ if (failed) {
+ console.debug("dissect fail: " + id + " field:" + src);
+ } else {
+ console.debug("dissect OK: " + id + " field:" + src);
+ }
+ console.debug(" expr: <<" + pattern + ">>");
+ console.debug(" input: <<" + msg + ">>");
+ }
+ if (on_success != null && !failed) {
+ on_success(evt);
+ }
+ };
+ }
+
+ function match_copy(id, src, dst, on_success) {
+ dst = FIELDS_PREFIX + dst;
+ if (dst === FIELDS_PREFIX || dst === src) {
+ return function (evt) {
+ if (debug) {
+ console.debug("noop OK: " + id + " field:" + src);
+ console.debug(" input: <<" + evt.Get(src) + ">>");
+ }
+ if (on_success != null) on_success(evt);
+ }
+ }
+ return function (evt) {
+ var msg = evt.Get(src);
+ evt.Put(dst, msg);
+ if (debug) {
+ console.debug("copy OK: " + id + " field:" + src);
+ console.debug(" target: '" + dst + "'");
+ console.debug(" input: <<" + msg + ">>");
+ }
+ if (on_success != null) on_success(evt);
+ }
+ }
+
+ function cleanup_flags(processor) {
+ return function(evt) {
+ processor(evt);
+ evt.Delete(FLAG_FIELD);
+ };
+ }
+
+ function all_match(opts) {
+ return function (evt) {
+ var i;
+ for (i = 0; i < opts.processors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ opts.processors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) != null) {
+ if (debug) console.warn("all_match failure at " + i);
+ if (opts.on_failure != null) opts.on_failure(evt);
+ return;
+ }
+ if (debug) console.warn("all_match success at " + i);
+ }
+ if (opts.on_success != null) opts.on_success(evt);
+ };
+ }
+
+ function msgid_select(mapping) {
+ return function (evt) {
+ var msgid = evt.Get(FIELDS_PREFIX + "messageid");
+ if (msgid == null) {
+ if (debug) console.warn("msgid_select: no messageid captured!");
+ return;
+ }
+ var next = mapping[msgid];
+ if (next === undefined) {
+ if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
+ return;
+ }
+ if (debug) console.info("msgid_select: matched key=" + msgid);
+ return next(evt);
+ };
+ }
+
+ function msg(msg_id, match) {
+ return function (evt) {
+ match(evt);
+ if (evt.Get(FLAG_FIELD) == null) {
+ evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
+ }
+ };
+ }
+
+ var start;
+
+ function save_flags(evt) {
+ saved_flags = evt.Get(FLAG_FIELD);
+ evt.Put("event.original", evt.Get("message"));
+ }
+
+ function restore_flags(evt) {
+ if (saved_flags !== null) {
+ evt.Put(FLAG_FIELD, saved_flags);
+ }
+ evt.Delete("message");
+ }
+
+ function constant(value) {
+ return function (evt) {
+ return value;
+ };
+ }
+
+ function field(name) {
+ var fullname = FIELDS_PREFIX + name;
+ return function (evt) {
+ return evt.Get(fullname);
+ };
+ }
+
+ function STRCAT(args) {
+ var s = "";
+ var i;
+ for (i = 0; i < args.length; i++) {
+ s += args[i];
+ }
+ return s;
+ }
+
+ // TODO: Implement
+ function DIRCHK(args) {
+ unimplemented("DIRCHK");
+ }
+
+ function strictToInt(str) {
+ return str * 1;
+ }
+
+ function CALC(args) {
+ if (args.length !== 3) {
+ console.warn("skipped call to CALC with " + args.length + " arguments.");
+ return;
+ }
+ var a = strictToInt(args[0]);
+ var b = strictToInt(args[2]);
+ if (isNaN(a) || isNaN(b)) {
+ console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
+ return;
+ }
+ var result;
+ switch (args[1]) {
+ case "+":
+ result = a + b;
+ break;
+ case "-":
+ result = a - b;
+ break;
+ case "*":
+ result = a * b;
+ break;
+ default:
+ // Only * and + seen in the parsers.
+ console.warn("unknown CALC operation '" + args[1] + "'.");
+ return;
+ }
+ // Always return a string
+ return result !== undefined ? "" + result : result;
+ }
+
+ var quoteChars = "\"'`";
+ function RMQ(args) {
+ if(args.length !== 1) {
+ console.warn("RMQ: only one argument expected");
+ return;
+ }
+ var value = args[0].trim();
+ var n = value.length;
+ var char;
+ return n > 1
+ && (char=value.charAt(0)) === value.charAt(n-1)
+ && quoteChars.indexOf(char) !== -1?
+ value.substr(1, n-2)
+ : value;
+ }
+
+ function call(opts) {
+ var args = new Array(opts.args.length);
+ return function (evt) {
+ for (var i = 0; i < opts.args.length; i++)
+ if ((args[i] = opts.args[i](evt)) == null) return;
+ var result = opts.fn(args);
+ if (result != null) {
+ evt.Put(opts.dest, result);
+ }
+ };
+ }
+
+ function nop(evt) {
+ }
+
+ function appendErrorMsg(evt, msg) {
+ var value = evt.Get("error.message");
+ if (value == null) {
+ value = [msg];
+ } else if (msg instanceof Array) {
+ value.push(msg);
+ } else {
+ value = [value, msg];
+ }
+ evt.Put("error.message", value);
+ }
+
+ function unimplemented(name) {
+ appendErrorMsg("unimplemented feature: " + name);
+ }
+
+ function lookup(opts) {
+ return function (evt) {
+ var key = opts.key(evt);
+ if (key == null) return;
+ var value = opts.map.keyvaluepairs[key];
+ if (value === undefined) {
+ value = opts.map.default;
+ }
+ if (value !== undefined) {
+ evt.Put(opts.dest, value(evt));
+ }
+ };
+ }
+
+ function set(fields) {
+ return new processor.AddFields({
+ target: FIELDS_OBJECT,
+ fields: fields,
+ });
+ }
+
+ function setf(dst, src) {
+ return function (evt) {
+ var val = evt.Get(FIELDS_PREFIX + src);
+ if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
+ };
+ }
+
+ function setc(dst, value) {
+ return function (evt) {
+ evt.Put(FIELDS_PREFIX + dst, value);
+ };
+ }
+
+ function set_field(opts) {
+ return function (evt) {
+ var val = opts.value(evt);
+ if (val != null) evt.Put(opts.dest, val);
+ };
+ }
+
+ function dump(label) {
+ return function (evt) {
+ console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
+ };
+ }
+
+ function date_time_join_args(evt, arglist) {
+ var str = "";
+ for (var i = 0; i < arglist.length; i++) {
+ var fname = FIELDS_PREFIX + arglist[i];
+ var val = evt.Get(fname);
+ if (val != null) {
+ if (str !== "") str += " ";
+ str += val;
+ } else {
+ if (debug) console.warn("in date_time: input arg " + fname + " is not set");
+ }
+ }
+ return str;
+ }
+
+ function to2Digit(num) {
+ return num? (num < 10? "0" + num : num) : "00";
+ }
+
+ // Make two-digit dates 00-69 interpreted as 2000-2069
+ // and dates 70-99 translated to 1970-1999.
+ var twoDigitYearEpoch = 70;
+ var twoDigitYearCentury = 2000;
+
+ // This is to accept dates up to 2 days in the future, only used when
+ // no year is specified in a date. 2 days should be enough to account for
+ // time differences between systems and different tz offsets.
+ var maxFutureDelta = 2*24*60*60*1000;
+
+ // DateContainer stores date fields and then converts those fields into
+ // a Date. Necessary because building a Date using its set() methods gives
+ // different results depending on the order of components.
+ function DateContainer(tzOffset) {
+ this.offset = tzOffset === undefined? "Z" : tzOffset;
+ }
+
+ DateContainer.prototype = {
+ setYear: function(v) {this.year = v;},
+ setMonth: function(v) {this.month = v;},
+ setDay: function(v) {this.day = v;},
+ setHours: function(v) {this.hours = v;},
+ setMinutes: function(v) {this.minutes = v;},
+ setSeconds: function(v) {this.seconds = v;},
+
+ setUNIX: function(v) {this.unix = v;},
+
+ set2DigitYear: function(v) {
+ this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
+ },
+
+ toDate: function() {
+ if (this.unix !== undefined) {
+ return new Date(this.unix * 1000);
+ }
+ if (this.day === undefined || this.month === undefined) {
+ // Can't make a date from this.
+ return undefined;
+ }
+ if (this.year === undefined) {
+ // A date without a year. Set current year, or previous year
+ // if date would be in the future.
+ var now = new Date();
+ this.year = now.getFullYear();
+ var date = this.toDate();
+ if (date.getTime() - now.getTime() > maxFutureDelta) {
+ date.setFullYear(now.getFullYear() - 1);
+ }
+ return date;
+ }
+ var MM = to2Digit(this.month);
+ var DD = to2Digit(this.day);
+ var hh = to2Digit(this.hours);
+ var mm = to2Digit(this.minutes);
+ var ss = to2Digit(this.seconds);
+ return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
+ }
+ }
+
+ function date_time_try_pattern(fmt, str, tzOffset) {
+ var date = new DateContainer(tzOffset);
+ var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
+ return pos !== undefined? date.toDate() : undefined;
+ }
+
+ function date_time_try_pattern_at_pos(fmt, str, pos, date) {
+ var len = str.length;
+ for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) {
+ pos = fmt[proc](str, pos, date);
+ }
+ return pos;
+ }
+
+ function date_time(opts) {
+ return function (evt) {
+ var tzOffset = opts.tz || tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = evt.Get("event.timezone");
+ }
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var date = date_time_try_pattern(opts.fmts[i], str, tzOffset);
+ if (date !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, date);
+ return;
+ }
+ }
+ if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str);
+ };
+ }
+
+ var uA = 60 * 60 * 24;
+ var uD = 60 * 60 * 24;
+ var uF = 60 * 60;
+ var uG = 60 * 60 * 24 * 30;
+ var uH = 60 * 60;
+ var uI = 60 * 60;
+ var uJ = 60 * 60 * 24;
+ var uM = 60 * 60 * 24 * 30;
+ var uN = 60 * 60;
+ var uO = 1;
+ var uS = 1;
+ var uT = 60;
+ var uU = 60;
+ var uc = dc;
+
+ function duration(opts) {
+ return function(evt) {
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var seconds = duration_try_pattern(opts.fmts[i], str);
+ if (seconds !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, seconds);
+ return;
+ }
+ }
+ if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str);
+ };
+ }
+
+ function duration_try_pattern(fmt, str) {
+ var secs = 0;
+ var pos = 0;
+ for (var i=0; i [ month_id , how many chars to skip if month in long form ]
+ "Jan": [0, 4],
+ "Feb": [1, 5],
+ "Mar": [2, 2],
+ "Apr": [3, 2],
+ "May": [4, 0],
+ "Jun": [5, 1],
+ "Jul": [6, 1],
+ "Aug": [7, 3],
+ "Sep": [8, 6],
+ "Oct": [9, 4],
+ "Nov": [10, 5],
+ "Dec": [11, 4],
+ "jan": [0, 4],
+ "feb": [1, 5],
+ "mar": [2, 2],
+ "apr": [3, 2],
+ "may": [4, 0],
+ "jun": [5, 1],
+ "jul": [6, 1],
+ "aug": [7, 3],
+ "sep": [8, 6],
+ "oct": [9, 4],
+ "nov": [10, 5],
+ "dec": [11, 4],
+ };
+
+ // var dC = undefined;
+ var dR = dateMonthName(true);
+ var dB = dateMonthName(false);
+ var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+ var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+ var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+ var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+ var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+ var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+ var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+ var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+ var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+ var dP = parseAMPM; // AM|PM
+ var dQ = parseAMPM; // A.M.|P.M
+ var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+ var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+ var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+ var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+ var dZ = parseHMS;
+ var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+ // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+ // Only works if this modifier appears after the hour has been read from logs
+ // which is always the case in the 300 devices.
+ function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+ }
+
+ function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+ }
+
+ function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length? pos : undefined;
+ }
+
+ function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+ }
+
+ function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+ }
+
+ // Short month name (Jan..Dec).
+ function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ? idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.debug(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port.
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ function tagval(id, src, cfg, keys, on_success) {
+ var fail = function(evt) {
+ evt.Put(FLAG_FIELD, "tagval_parsing_error");
+ }
+ if (cfg.kv_separator.length !== 1) {
+ throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
+ }
+ var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
+ cfg.open_quote.length + cfg.close_quote.length : 0;
+ var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$');
+ return function(evt) {
+ var msg = evt.Get(src);
+ if (msg === undefined) {
+ console.warn("tagval: input field is missing");
+ return fail(evt);
+ }
+ var pairs = msg.split(cfg.pair_separator);
+ var i;
+ var success = false;
+ var prev = "";
+ for (i=0; i 0 &&
+ value.length >= cfg.open_quote.length + cfg.close_quote.length &&
+ value.substr(0, cfg.open_quote.length) === cfg.open_quote &&
+ value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) {
+ value = value.substr(cfg.open_quote.length, value.length - quotes_len);
+ }
+ evt.Put(FIELDS_PREFIX + field, value);
+ success = true;
+ }
+ if (!success) {
+ return fail(evt);
+ }
+ if (on_success != null) {
+ on_success(evt);
+ }
+ }
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "message", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+ "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
+ "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
+ "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
+ "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
+ "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
+ "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
+ "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
+ "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
+ "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
+ "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
+ "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
+ "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
+ "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
+ "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
+ "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
+ "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
+ "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
+ "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
+ "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
+ "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
+ "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
+ "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
+ "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
+ "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
+ "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
+ "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
+ "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
+ "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
+ "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
+ "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
+ "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
+ "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
+ "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
+ "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
+ "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
+ "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
+ "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
+ "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
+ "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
+ "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
+ "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
+ "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
+ "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
+ "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
+ "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
+ "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
+ "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
+ "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
+ "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
+ "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
+ "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
+ "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
+ "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+ };
+
+ function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+ }
+
+ // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+ var maxSafeInt = Math.pow(2, 53) - 1;
+ var minSafeInt = -maxSafeInt;
+
+ function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined;
+ }
+
+ function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+ }
+
+ var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+ function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+ }
+
+ function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+ }
+
+ function to_double(value) {
+ return parseFloat(value);
+ }
+
+ function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+ }
+
+ function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"? value.toLowerCase() : value;
+ }
+
+ function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+ }
+
+ function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+ }
+
+ function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+ }
+
+ var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+ };
+
+ function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+ }
+
+ function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+ }
+
+ function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+ }
+
+ var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+ ];
+
+ function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = evt.Get("event.timezone");
+ }
+ var container = new DateContainer(tzOffset);
+ for (var i=0; i} for %{p0}");
+
+ var dup7 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}");
+
+ var dup8 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})");
+
+ var dup9 = date_time({
+ dest: "event_time",
+ args: ["fld1"],
+ fmts: [
+ [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO],
+ ],
+ });
+
+ var dup10 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})");
+
+ var dup11 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1");
+
+ var dup12 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}");
+
+ var dup13 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}");
+
+ var dup14 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}");
+
+ var dup15 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}");
+
+ var dup16 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0");
+
+ var dup17 = setc("eventcategory","1502000000");
+
+ var dup18 = setc("eventcategory","1703000000");
+
+ var dup19 = setc("eventcategory","1603000000");
+
+ var dup20 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} ");
+
+ var dup21 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", "");
+
+ var dup22 = setc("eventcategory","1502050000");
+
+ var dup23 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}");
+
+ var dup24 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}");
+
+ var dup25 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}");
+
+ var dup26 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator");
+
+ var dup27 = setc("eventcategory","1801010000");
+
+ var dup28 = setc("eventcategory","1401060000");
+
+ var dup29 = setc("ec_subject","User");
+
+ var dup30 = setc("ec_activity","Logon");
+
+ var dup31 = setc("ec_theme","Authentication");
+
+ var dup32 = setc("ec_outcome","Success");
+
+ var dup33 = setc("eventcategory","1401070000");
+
+ var dup34 = setc("ec_activity","Logoff");
+
+ var dup35 = setc("eventcategory","1303000000");
+
+ var dup36 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition");
+
+ var dup37 = setc("eventcategory","1402020200");
+
+ var dup38 = setc("ec_theme","UserGroup");
+
+ var dup39 = setc("ec_outcome","Error");
+
+ var dup40 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}");
+
+ var dup41 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})");
+
+ var dup42 = setc("eventcategory","1402020300");
+
+ var dup43 = setc("ec_activity","Modify");
+
+ var dup44 = setc("eventcategory","1605000000");
+
+ var dup45 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}");
+
+ var dup46 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}");
+
+ var dup47 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}");
+
+ var dup48 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}");
+
+ var dup49 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})");
+
+ var dup50 = setc("eventcategory","1701020000");
+
+ var dup51 = setc("ec_theme","Configuration");
+
+ var dup52 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}");
+
+ var dup53 = setc("eventcategory","1301000000");
+
+ var dup54 = setc("ec_outcome","Failure");
+
+ var dup55 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}");
+
+ var dup56 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}");
+
+ var dup57 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}");
+
+ var dup58 = setc("eventcategory","1001000000");
+
+ var dup59 = setc("dclass_counter1_string","Number of times the attack occurred");
+
+ var dup60 = call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$OUT"),
+ field("saddr"),
+ field("daddr"),
+ ],
+ });
+
+ var dup61 = call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$OUT"),
+ field("saddr"),
+ field("daddr"),
+ field("sport"),
+ field("dport"),
+ ],
+ });
+
+ var dup62 = setc("eventcategory","1608010000");
+
+ var dup63 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}");
+
+ var dup64 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}");
+
+ var dup65 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}");
+
+ var dup66 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}");
+
+ var dup67 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})");
+
+ var dup68 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}");
+
+ var dup69 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}");
+
+ var dup70 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}");
+
+ var dup71 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}");
+
+ var dup72 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}");
+
+ var dup73 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}");
+
+ var dup74 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}");
+
+ var dup75 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}");
+
+ var dup76 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}");
+
+ var dup77 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}");
+
+ var dup78 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}");
+
+ var dup79 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}");
+
+ var dup80 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var dup81 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}");
+
+ var dup82 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}");
+
+ var dup83 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})");
+
+ var dup84 = setc("eventcategory","1002020000");
+
+ var dup85 = setc("eventcategory","1002000000");
+
+ var dup86 = setc("eventcategory","1603110000");
+
+ var dup87 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}");
+
+ var dup88 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}");
+
+ var dup89 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}");
+
+ var dup90 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}");
+
+ var dup91 = setc("eventcategory","1613040200");
+
+ var dup92 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}");
+
+ var dup93 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}");
+
+ var dup94 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}");
+
+ var dup95 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}");
+
+ var dup96 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}");
+
+ var dup97 = setc("eventcategory","1613050200");
+
+ var dup98 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}");
+
+ var dup99 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}");
+
+ var dup100 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}");
+
+ var dup101 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}");
+
+ var dup102 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}");
+
+ var dup103 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}");
+
+ var dup104 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}");
+
+ var dup105 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}");
+
+ var dup106 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}");
+
+ var dup107 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}");
+
+ var dup108 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}");
+
+ var dup109 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}");
+
+ var dup110 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}");
+
+ var dup111 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}");
+
+ var dup112 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}");
+
+ var dup113 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}");
+
+ var dup114 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}");
+
+ var dup115 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}");
+
+ var dup116 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}");
+
+ var dup117 = setc("eventcategory","1603090000");
+
+ var dup118 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}");
+
+ var dup119 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}");
+
+ var dup120 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}");
+
+ var dup121 = setc("eventcategory","1603030000");
+
+ var dup122 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}");
+
+ var dup123 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}");
+
+ var dup124 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface");
+
+ var dup125 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}");
+
+ var dup126 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}");
+
+ var dup127 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}");
+
+ var dup128 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}.");
+
+ var dup129 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}");
+
+ var dup130 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}");
+
+ var dup131 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. (%{fld1})");
+
+ var dup132 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var dup133 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}");
+
+ var dup134 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}");
+
+ var dup135 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}");
+
+ var dup136 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}");
+
+ var dup137 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}");
+
+ var dup138 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}");
+
+ var dup139 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}");
+
+ var dup140 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}");
+
+ var dup141 = setc("eventcategory","1702030000");
+
+ var dup142 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}");
+
+ var dup143 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}");
+
+ var dup144 = setc("eventcategory","1601000000");
+
+ var dup145 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) ");
+
+ var dup146 = date_time({
+ dest: "event_time",
+ args: ["fld2"],
+ fmts: [
+ [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO],
+ ],
+ });
+
+ var dup147 = setc("eventcategory","1103000000");
+
+ var dup148 = setc("ec_subject","NetworkComm");
+
+ var dup149 = setc("ec_activity","Scan");
+
+ var dup150 = setc("ec_theme","TEV");
+
+ var dup151 = setc("eventcategory","1103010000");
+
+ var dup152 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}");
+
+ var dup153 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}");
+
+ var dup154 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}");
+
+ var dup155 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}");
+
+ var dup156 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}");
+
+ var dup157 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}");
+
+ var dup158 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}");
+
+ var dup159 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}");
+
+ var dup160 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}");
+
+ var dup161 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}");
+
+ var dup162 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}");
+
+ var dup163 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}");
+
+ var dup164 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})");
+
+ var dup165 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}");
+
+ var dup166 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}");
+
+ var dup167 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}");
+
+ var dup168 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}");
+
+ var dup169 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}");
+
+ var dup170 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}");
+
+ var dup171 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}");
+
+ var dup172 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}");
+
+ var dup173 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}");
+
+ var dup174 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}");
+
+ var dup175 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}");
+
+ var dup176 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}");
+
+ var dup177 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}");
+
+ var dup178 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}");
+
+ var dup179 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}");
+
+ var dup180 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}");
+
+ var dup181 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}");
+
+ var dup182 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}");
+
+ var dup183 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}");
+
+ var dup184 = setc("eventcategory","1603020000");
+
+ var dup185 = setc("eventcategory","1803000000");
+
+ var dup186 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}");
+
+ var dup187 = setc("eventcategory","1603010000");
+
+ var dup188 = setc("eventcategory","1603100000");
+
+ var dup189 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}");
+
+ var dup190 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}");
+
+ var dup191 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}");
+
+ var dup192 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}");
+
+ var dup193 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}");
+
+ var dup194 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}");
+
+ var dup195 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}");
+
+ var dup196 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}");
+
+ var dup197 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}");
+
+ var dup198 = setc("eventcategory","1801030000");
+
+ var dup199 = setc("eventcategory","1302010200");
+
+ var dup200 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}");
+
+ var dup201 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}");
+
+ var dup202 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}");
+
+ var dup203 = setc("eventcategory","1304000000");
+
+ var dup204 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}");
+
+ var dup205 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}");
+
+ var dup206 = setc("eventcategory","1401030000");
+
+ var dup207 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}");
+
+ var dup208 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}");
+
+ var dup209 = setc("eventcategory","1605020000");
+
+ var dup210 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}");
+
+ var dup211 = setc("ec_subject","Certificate");
+
+ var dup212 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}");
+
+ var dup213 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}");
+
+ var dup214 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}");
+
+ var dup215 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}");
+
+ var dup216 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}");
+
+ var dup217 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}");
+
+ var dup218 = setc("ec_subject","CryptoKey");
+
+ var dup219 = setc("ec_subject","Configuration");
+
+ var dup220 = setc("ec_activity","Request");
+
+ var dup221 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}");
+
+ var dup222 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}");
+
+ var dup223 = setc("eventcategory","1612000000");
+
+ var dup224 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}");
+
+ var dup225 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}");
+
+ var dup226 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}");
+
+ var dup227 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}");
+
+ var dup228 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}");
+
+ var dup229 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}");
+
+ var dup230 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}");
+
+ var dup231 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})");
+
+ var dup232 = setc("eventcategory","1201000000");
+
+ var dup233 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}");
+
+ var dup234 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}");
+
+ var dup235 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}");
+
+ var dup236 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}");
+
+ var dup237 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}");
+
+ var dup238 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}");
+
+ var dup239 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var dup240 = setc("eventcategory","1401000000");
+
+ var dup241 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}");
+
+ var dup242 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}");
+
+ var dup243 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}");
+
+ var dup244 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}");
+
+ var dup245 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}");
+
+ var dup246 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}");
+
+ var dup247 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}");
+
+ var dup248 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}");
+
+ var dup249 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}");
+
+ var dup250 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}");
+
+ var dup251 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}");
+
+ var dup252 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}");
+
+ var dup253 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}");
+
+ var dup254 = setc("eventcategory","1608000000");
+
+ var dup255 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}");
+
+ var dup256 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}");
+
+ var dup257 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}");
+
+ var dup258 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}");
+
+ var dup259 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}");
+
+ var dup260 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}");
+
+ var dup261 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}");
+
+ var dup262 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}");
+
+ var dup263 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}");
+
+ var dup264 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}");
+
+ var dup265 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}");
+
+ var dup266 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}");
+
+ var dup267 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}");
+
+ var dup268 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}");
+
+ var dup269 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}");
+
+ var dup270 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state");
+
+ var dup271 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}");
+
+ var dup272 = setc("eventcategory","1805010000");
+
+ var dup273 = setc("eventcategory","1805000000");
+
+ var dup274 = date_time({
+ dest: "starttime",
+ args: ["fld2"],
+ fmts: [
+ [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO],
+ ],
+ });
+
+ var dup275 = call({
+ dest: "nwparser.bytes",
+ fn: CALC,
+ args: [
+ field("sbytes"),
+ constant("+"),
+ field("rbytes"),
+ ],
+ });
+
+ var dup276 = setc("action","Deny");
+
+ var dup277 = setc("disposition","Deny");
+
+ var dup278 = setc("direction","outgoing");
+
+ var dup279 = call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$IN"),
+ field("saddr"),
+ field("daddr"),
+ field("sport"),
+ field("dport"),
+ ],
+ });
+
+ var dup280 = setc("direction","incoming");
+
+ var dup281 = setc("eventcategory","1801000000");
+
+ var dup282 = setf("action","disposition");
+
+ var dup283 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}");
+
+ var dup284 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}");
+
+ var dup285 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}");
+
+ var dup286 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr");
+
+ var dup287 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}");
+
+ var dup288 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}");
+
+ var dup289 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}");
+
+ var dup290 = setc("eventcategory","1401050200");
+
+ var dup291 = call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$IN"),
+ field("daddr"),
+ field("saddr"),
+ ],
+ });
+
+ var dup292 = call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$IN"),
+ field("daddr"),
+ field("saddr"),
+ field("dport"),
+ field("sport"),
+ ],
+ });
+
+ var dup293 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times.");
+
+ var dup294 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.");
+
+ var dup295 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}");
+
+ var dup296 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var dup297 = setc("eventcategory","1204000000");
+
+ var dup298 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var dup299 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}");
+
+ var dup300 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})");
+
+ var dup301 = setc("eventcategory","1801020000");
+
+ var dup302 = setc("disposition","failed");
+
+ var dup303 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}");
+
+ var dup304 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}");
+
+ var dup305 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}");
+
+ var dup306 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}");
+
+ var dup307 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}");
+
+ var dup308 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}");
+
+ var dup309 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}");
+
+ var dup310 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}");
+
+ var dup311 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}");
+
+ var dup312 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}");
+
+ var dup313 = setc("eventcategory","1803020000");
+
+ var dup314 = setc("eventcategory","1613030000");
+
+ var dup315 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}");
+
+ var dup316 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}");
+
+ var dup317 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}");
+
+ var dup318 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}");
+
+ var dup319 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}");
+
+ var dup320 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}");
+
+ var dup321 = match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}");
+
+ var dup322 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}");
+
+ var dup323 = setc("event_description","Cannot connect to NSM server");
+
+ var dup324 = setc("eventcategory","1603040000");
+
+ var dup325 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}");
+
+ var dup326 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}");
+
+ var dup327 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}");
+
+ var dup328 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}");
+
+ var dup329 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}");
+
+ var dup330 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}");
+
+ var dup331 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}");
+
+ var dup332 = call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$OUT"),
+ field("daddr"),
+ field("saddr"),
+ field("dport"),
+ field("sport"),
+ ],
+ });
+
+ var dup333 = linear_select([
+ dup10,
+ dup11,
+ ]);
+
+ var dup334 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var dup335 = linear_select([
+ dup13,
+ dup14,
+ ]);
+
+ var dup336 = linear_select([
+ dup15,
+ dup16,
+ ]);
+
+ var dup337 = linear_select([
+ dup56,
+ dup57,
+ ]);
+
+ var dup338 = linear_select([
+ dup65,
+ dup66,
+ ]);
+
+ var dup339 = linear_select([
+ dup68,
+ dup69,
+ ]);
+
+ var dup340 = linear_select([
+ dup71,
+ dup72,
+ ]);
+
+ var dup341 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var dup342 = linear_select([
+ dup74,
+ dup75,
+ ]);
+
+ var dup343 = linear_select([
+ dup81,
+ dup82,
+ ]);
+
+ var dup344 = linear_select([
+ dup24,
+ dup90,
+ ]);
+
+ var dup345 = linear_select([
+ dup94,
+ dup95,
+ ]);
+
+ var dup346 = linear_select([
+ dup98,
+ dup99,
+ ]);
+
+ var dup347 = linear_select([
+ dup100,
+ dup101,
+ dup102,
+ ]);
+
+ var dup348 = linear_select([
+ dup113,
+ dup114,
+ ]);
+
+ var dup349 = linear_select([
+ dup111,
+ dup16,
+ ]);
+
+ var dup350 = linear_select([
+ dup127,
+ dup107,
+ ]);
+
+ var dup351 = linear_select([
+ dup8,
+ dup21,
+ ]);
+
+ var dup352 = linear_select([
+ dup122,
+ dup133,
+ ]);
+
+ var dup353 = linear_select([
+ dup142,
+ dup143,
+ ]);
+
+ var dup354 = linear_select([
+ dup145,
+ dup21,
+ ]);
+
+ var dup355 = linear_select([
+ dup127,
+ dup106,
+ ]);
+
+ var dup356 = linear_select([
+ dup152,
+ dup96,
+ ]);
+
+ var dup357 = linear_select([
+ dup154,
+ dup155,
+ ]);
+
+ var dup358 = linear_select([
+ dup156,
+ dup157,
+ ]);
+
+ var dup359 = linear_select([
+ dup99,
+ dup134,
+ ]);
+
+ var dup360 = linear_select([
+ dup158,
+ dup159,
+ ]);
+
+ var dup361 = linear_select([
+ dup161,
+ dup162,
+ ]);
+
+ var dup362 = linear_select([
+ dup163,
+ dup103,
+ ]);
+
+ var dup363 = linear_select([
+ dup162,
+ dup161,
+ ]);
+
+ var dup364 = linear_select([
+ dup46,
+ dup47,
+ ]);
+
+ var dup365 = linear_select([
+ dup166,
+ dup167,
+ ]);
+
+ var dup366 = linear_select([
+ dup172,
+ dup173,
+ ]);
+
+ var dup367 = linear_select([
+ dup174,
+ dup175,
+ dup176,
+ dup177,
+ dup178,
+ dup179,
+ dup180,
+ dup181,
+ dup182,
+ ]);
+
+ var dup368 = linear_select([
+ dup49,
+ dup21,
+ ]);
+
+ var dup369 = linear_select([
+ dup189,
+ dup190,
+ ]);
+
+ var dup370 = linear_select([
+ dup96,
+ dup152,
+ ]);
+
+ var dup371 = linear_select([
+ dup196,
+ dup197,
+ ]);
+
+ var dup372 = linear_select([
+ dup24,
+ dup200,
+ ]);
+
+ var dup373 = linear_select([
+ dup103,
+ dup163,
+ ]);
+
+ var dup374 = linear_select([
+ dup205,
+ dup118,
+ ]);
+
+ var dup375 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var dup376 = linear_select([
+ dup212,
+ dup213,
+ ]);
+
+ var dup377 = linear_select([
+ dup215,
+ dup216,
+ ]);
+
+ var dup378 = linear_select([
+ dup222,
+ dup215,
+ ]);
+
+ var dup379 = linear_select([
+ dup224,
+ dup225,
+ ]);
+
+ var dup380 = linear_select([
+ dup231,
+ dup124,
+ ]);
+
+ var dup381 = linear_select([
+ dup229,
+ dup230,
+ ]);
+
+ var dup382 = linear_select([
+ dup233,
+ dup234,
+ ]);
+
+ var dup383 = linear_select([
+ dup236,
+ dup237,
+ ]);
+
+ var dup384 = linear_select([
+ dup242,
+ dup243,
+ ]);
+
+ var dup385 = linear_select([
+ dup245,
+ dup246,
+ ]);
+
+ var dup386 = linear_select([
+ dup247,
+ dup248,
+ ]);
+
+ var dup387 = linear_select([
+ dup249,
+ dup250,
+ ]);
+
+ var dup388 = linear_select([
+ dup251,
+ dup252,
+ ]);
+
+ var dup389 = linear_select([
+ dup260,
+ dup261,
+ ]);
+
+ var dup390 = linear_select([
+ dup264,
+ dup265,
+ ]);
+
+ var dup391 = linear_select([
+ dup268,
+ dup269,
+ ]);
+
+ var dup392 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var dup393 = linear_select([
+ dup284,
+ dup285,
+ ]);
+
+ var dup394 = linear_select([
+ dup287,
+ dup288,
+ ]);
+
+ var dup395 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup4,
+ dup5,
+ dup3,
+ dup60,
+ ]));
+
+ var dup396 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup4,
+ dup59,
+ dup5,
+ dup9,
+ dup2,
+ dup3,
+ dup60,
+ ]));
+
+ var dup397 = linear_select([
+ dup300,
+ dup26,
+ ]);
+
+ var dup398 = linear_select([
+ dup115,
+ dup303,
+ ]);
+
+ var dup399 = linear_select([
+ dup125,
+ dup96,
+ ]);
+
+ var dup400 = linear_select([
+ dup189,
+ dup308,
+ dup309,
+ ]);
+
+ var dup401 = linear_select([
+ dup310,
+ dup16,
+ ]);
+
+ var dup402 = linear_select([
+ dup317,
+ dup318,
+ ]);
+
+ var dup403 = linear_select([
+ dup319,
+ dup315,
+ ]);
+
+ var dup404 = linear_select([
+ dup322,
+ dup250,
+ ]);
+
+ var dup405 = linear_select([
+ dup327,
+ dup329,
+ ]);
+
+ var dup406 = linear_select([
+ dup330,
+ dup129,
+ ]);
+
+ var dup407 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup60,
+ dup282,
+ ]));
+
+ var dup408 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup276,
+ dup277,
+ dup60,
+ ]));
+
+ var dup409 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup60,
+ dup282,
+ ]));
+
+ var dup410 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup276,
+ dup277,
+ dup61,
+ ]));
+
+ var dup411 = all_match({
+ processors: [
+ dup263,
+ dup390,
+ dup266,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var dup412 = all_match({
+ processors: [
+ dup267,
+ dup391,
+ dup270,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var dup413 = all_match({
+ processors: [
+ dup80,
+ dup343,
+ dup293,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var dup414 = all_match({
+ processors: [
+ dup296,
+ dup343,
+ dup131,
+ ],
+ on_success: processor_chain([
+ dup297,
+ dup2,
+ dup3,
+ dup9,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var dup415 = all_match({
+ processors: [
+ dup298,
+ dup343,
+ dup131,
+ ],
+ on_success: processor_chain([
+ dup297,
+ dup2,
+ dup3,
+ dup9,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var hdr1 = match("HEADER#0:0001", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [No Name]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([
+ setc("header_id","0001"),
+ ]));
+
+ var hdr2 = match("HEADER#1:0003", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [%{hvsys}]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([
+ setc("header_id","0003"),
+ ]));
+
+ var hdr3 = match("HEADER#2:0004", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([
+ setc("header_id","0004"),
+ ]));
+
+ var hdr4 = match("HEADER#3:0002/0", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} %{p0}");
+
+ var part1 = match("HEADER#3:0002/1_0", "nwparser.p0", "[No Name]system%{p0}");
+
+ var part2 = match("HEADER#3:0002/1_1", "nwparser.p0", "[%{hvsys}]system%{p0}");
+
+ var part3 = match("HEADER#3:0002/1_2", "nwparser.p0", "system%{p0}");
+
+ var select1 = linear_select([
+ part1,
+ part2,
+ part3,
+ ]);
+
+ var part4 = match("HEADER#3:0002/2", "nwparser.p0", "-%{hseverity}-%{messageid}: %{payload}");
+
+ var all1 = all_match({
+ processors: [
+ hdr4,
+ select1,
+ part4,
+ ],
+ on_success: processor_chain([
+ setc("header_id","0002"),
+ ]),
+ });
+
+ var select2 = linear_select([
+ hdr1,
+ hdr2,
+ hdr3,
+ all1,
+ ]);
+
+ var part5 = match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} with ip address %{hostip->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1 = msg("00001", part5);
+
+ var part6 = match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface->} with domain name %{domain->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg2 = msg("00001:01", part6);
+
+ var part7 = match("MESSAGE#2:00001:02/1_0", "nwparser.p0", "ip address %{hostip->} in zone %{p0}");
+
+ var select3 = linear_select([
+ part7,
+ dup7,
+ ]);
+
+ var part8 = match("MESSAGE#2:00001:02/2", "nwparser.p0", "%{zone->} has been %{disposition}");
+
+ var all2 = all_match({
+ processors: [
+ dup6,
+ select3,
+ part8,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg3 = msg("00001:02", all2);
+
+ var part9 = match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface changed!", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg4 = msg("00001:03", part9);
+
+ var part10 = match("MESSAGE#4:00001:04/1_0", "nwparser.p0", "IP address %{hostip->} in zone %{p0}");
+
+ var select4 = linear_select([
+ part10,
+ dup7,
+ ]);
+
+ var part11 = match("MESSAGE#4:00001:04/2", "nwparser.p0", "%{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} session%{p0}");
+
+ var part12 = match("MESSAGE#4:00001:04/3_1", "nwparser.p0", ".%{fld1}");
+
+ var select5 = linear_select([
+ dup8,
+ part12,
+ ]);
+
+ var all3 = all_match({
+ processors: [
+ dup6,
+ select4,
+ part11,
+ select5,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg5 = msg("00001:04", all3);
+
+ var part13 = match("MESSAGE#5:00001:05/0", "nwparser.payload", "%{fld2}: Address %{group_object->} for ip address %{hostip->} in zone %{zone->} has been %{disposition->} from host %{saddr->} session %{p0}");
+
+ var all4 = all_match({
+ processors: [
+ part13,
+ dup333,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg6 = msg("00001:05", all4);
+
+ var part14 = match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg7 = msg("00001:06", part14);
+
+ var msg8 = msg("00001:07", dup334);
+
+ var part15 = match("MESSAGE#8:00001:08/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{p0}");
+
+ var part16 = match("MESSAGE#8:00001:08/4", "nwparser.p0", "%{} %{username}via NSRP Peer session. (%{fld1})");
+
+ var all5 = all_match({
+ processors: [
+ dup12,
+ dup335,
+ part15,
+ dup336,
+ part16,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg9 = msg("00001:08", all5);
+
+ var part17 = match("MESSAGE#9:00001:09/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} session. (%{fld1})");
+
+ var all6 = all_match({
+ processors: [
+ dup12,
+ dup335,
+ part17,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg10 = msg("00001:09", all6);
+
+ var select6 = linear_select([
+ msg1,
+ msg2,
+ msg3,
+ msg4,
+ msg5,
+ msg6,
+ msg7,
+ msg8,
+ msg9,
+ msg10,
+ ]);
+
+ var part18 = match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg11 = msg("00002:03", part18);
+
+ var part19 = match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg12 = msg("00002:04", part19);
+
+ var part20 = match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg13 = msg("00002:05", part20);
+
+ var part21 = match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with e-mail notification of event alarms has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg14 = msg("00002:06", part21);
+
+ var part22 = match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action->} and the LCD control keys have been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg15 = msg("00002:07", part22);
+
+ var part23 = match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{fld2->} is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg16 = msg("00002:55", part23);
+
+ var part24 = match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg17 = msg("00002:08", part24);
+
+ var part25 = match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg18 = msg("00002:09", part25);
+
+ var part26 = match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg19 = msg("00002:10", part26);
+
+ var part27 = match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{hostip->} %{fld2->} has been %{disposition}", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg20 = msg("00002:11", part27);
+
+ var part28 = match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg21 = msg("00002:12", part28);
+
+ var part29 = match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been %{disposition}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg22 = msg("00002:15", part29);
+
+ var msg23 = msg("00002:17", dup334);
+
+ var part30 = match("MESSAGE#23:00002:18/0", "nwparser.payload", "Unexpected error from e%{p0}");
+
+ var part31 = match("MESSAGE#23:00002:18/1_0", "nwparser.p0", "-mail %{p0}");
+
+ var part32 = match("MESSAGE#23:00002:18/1_1", "nwparser.p0", "mail %{p0}");
+
+ var select7 = linear_select([
+ part31,
+ part32,
+ ]);
+
+ var part33 = match("MESSAGE#23:00002:18/2", "nwparser.p0", "server(%{fld2}):");
+
+ var all7 = all_match({
+ processors: [
+ part30,
+ select7,
+ part33,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg24 = msg("00002:18", all7);
+
+ var part34 = match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute->} value has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg25 = msg("00002:19", part34);
+
+ var part35 = match("MESSAGE#25:00002:20/0", "nwparser.payload", "Root admin password restriction of minimum %{fld2->} characters has been %{disposition->} by admin %{administrator->} %{p0}");
+
+ var part36 = match("MESSAGE#25:00002:20/1_0", "nwparser.p0", "from Console %{}");
+
+ var select8 = linear_select([
+ part36,
+ dup20,
+ dup21,
+ ]);
+
+ var all8 = all_match({
+ processors: [
+ part35,
+ select8,
+ ],
+ on_success: processor_chain([
+ dup22,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg26 = msg("00002:20", all8);
+
+ var part37 = match("MESSAGE#26:00002:21/0_0", "nwparser.payload", "Root admin %{p0}");
+
+ var part38 = match("MESSAGE#26:00002:21/0_1", "nwparser.payload", "%{fld2->} admin %{p0}");
+
+ var select9 = linear_select([
+ part37,
+ part38,
+ ]);
+
+ var select10 = linear_select([
+ dup24,
+ dup25,
+ ]);
+
+ var part39 = match("MESSAGE#26:00002:21/3", "nwparser.p0", "has been changed by admin %{administrator}");
+
+ var all9 = all_match({
+ processors: [
+ select9,
+ dup23,
+ select10,
+ part39,
+ ],
+ on_success: processor_chain([
+ dup22,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg27 = msg("00002:21", all9);
+
+ var part40 = match("MESSAGE#27:00002:22/0", "nwparser.payload", "%{change_attribute->} from %{protocol->} before administrative session disconnects has been changed from %{change_old->} to %{change_new->} by admin %{p0}");
+
+ var part41 = match("MESSAGE#27:00002:22/1_0", "nwparser.p0", "%{administrator->} from Console");
+
+ var part42 = match("MESSAGE#27:00002:22/1_1", "nwparser.p0", "%{administrator->} from host %{saddr}");
+
+ var select11 = linear_select([
+ part41,
+ part42,
+ dup26,
+ ]);
+
+ var all10 = all_match({
+ processors: [
+ part40,
+ select11,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg28 = msg("00002:22", all10);
+
+ var part43 = match("MESSAGE#28:00002:23/0", "nwparser.payload", "Root admin access restriction through console only has been %{disposition->} by admin %{administrator->} %{p0}");
+
+ var part44 = match("MESSAGE#28:00002:23/1_1", "nwparser.p0", "from Console%{}");
+
+ var select12 = linear_select([
+ dup20,
+ part44,
+ dup21,
+ ]);
+
+ var all11 = all_match({
+ processors: [
+ part43,
+ select12,
+ ],
+ on_success: processor_chain([
+ dup22,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg29 = msg("00002:23", all11);
+
+ var part45 = match("MESSAGE#29:00002:24/0", "nwparser.payload", "Admin access restriction of %{protocol->} administration through tunnel only has been %{disposition->} by admin %{administrator->} from %{p0}");
+
+ var part46 = match("MESSAGE#29:00002:24/1_0", "nwparser.p0", "host %{saddr}");
+
+ var part47 = match("MESSAGE#29:00002:24/1_1", "nwparser.p0", "Console%{}");
+
+ var select13 = linear_select([
+ part46,
+ part47,
+ ]);
+
+ var all12 = all_match({
+ processors: [
+ part45,
+ select13,
+ ],
+ on_success: processor_chain([
+ dup22,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg30 = msg("00002:24", all12);
+
+ var part48 = match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of an %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ setc("eventcategory","1402000000"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg31 = msg("00002:25", part48);
+
+ var part49 = match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail server %{hostip}.", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg32 = msg("00002:26", part49);
+
+ var part50 = match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server is not configured.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg33 = msg("00002:27", part50);
+
+ var part51 = match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not configured.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg34 = msg("00002:28", part51);
+
+ var part52 = match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restriction for read-write administrators has been %{disposition->} by admin %{administrator}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg35 = msg("00002:29", part52);
+
+ var part53 = match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([
+ dup28,
+ dup29,
+ dup30,
+ dup31,
+ dup32,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg36 = msg("00002:30", part53);
+
+ var part54 = match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([
+ dup33,
+ dup29,
+ dup34,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg37 = msg("00002:41", part54);
+
+ var part55 = match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} %{space->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([
+ dup35,
+ dup29,
+ dup30,
+ dup31,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg38 = msg("00002:31", part55);
+
+ var part56 = match("MESSAGE#38:00002:32/0_0", "nwparser.payload", "E-mail notification %{p0}");
+
+ var part57 = match("MESSAGE#38:00002:32/0_1", "nwparser.payload", "Transparent virutal %{p0}");
+
+ var select14 = linear_select([
+ part56,
+ part57,
+ ]);
+
+ var part58 = match("MESSAGE#38:00002:32/1", "nwparser.p0", "wire mode has been %{disposition}");
+
+ var all13 = all_match({
+ processors: [
+ select14,
+ part58,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg39 = msg("00002:32", all13);
+
+ var part59 = match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has been %{disposition->} for zone %{zone}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg40 = msg("00002:35", part59);
+
+ var part60 = match("MESSAGE#40:00002:36/0", "nwparser.payload", "Bypass%{p0}");
+
+ var part61 = match("MESSAGE#40:00002:36/1_0", "nwparser.p0", "-others-IPSec %{p0}");
+
+ var part62 = match("MESSAGE#40:00002:36/1_1", "nwparser.p0", " non-IP traffic %{p0}");
+
+ var select15 = linear_select([
+ part61,
+ part62,
+ ]);
+
+ var part63 = match("MESSAGE#40:00002:36/2", "nwparser.p0", "option has been %{disposition}");
+
+ var all14 = all_match({
+ processors: [
+ part60,
+ select15,
+ part63,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg41 = msg("00002:36", all14);
+
+ var part64 = match("MESSAGE#41:00002:37/0", "nwparser.payload", "Logging of %{p0}");
+
+ var part65 = match("MESSAGE#41:00002:37/1_0", "nwparser.p0", "dropped %{p0}");
+
+ var part66 = match("MESSAGE#41:00002:37/1_1", "nwparser.p0", "IKE %{p0}");
+
+ var part67 = match("MESSAGE#41:00002:37/1_2", "nwparser.p0", "SNMP %{p0}");
+
+ var part68 = match("MESSAGE#41:00002:37/1_3", "nwparser.p0", "ICMP %{p0}");
+
+ var select16 = linear_select([
+ part65,
+ part66,
+ part67,
+ part68,
+ ]);
+
+ var part69 = match("MESSAGE#41:00002:37/2", "nwparser.p0", "traffic to self has been %{disposition}");
+
+ var all15 = all_match({
+ processors: [
+ part64,
+ select16,
+ part69,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg42 = msg("00002:37", all15);
+
+ var part70 = match("MESSAGE#42:00002:38/0", "nwparser.payload", "Logging of dropped traffic to self (excluding multicast) has been %{p0}");
+
+ var part71 = match("MESSAGE#42:00002:38/1_0", "nwparser.p0", "%{disposition->} on %{zone}");
+
+ var select17 = linear_select([
+ part71,
+ dup36,
+ ]);
+
+ var all16 = all_match({
+ processors: [
+ part70,
+ select17,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg43 = msg("00002:38", all16);
+
+ var part72 = match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg44 = msg("00002:39", part72);
+
+ var part73 = match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{username}' by %{administrator->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([
+ dup37,
+ dup29,
+ setc("ec_activity","Create"),
+ dup38,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg45 = msg("00002:40", part73);
+
+ var part74 = match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requested for unknown user %{username}. Possible HA syncronization problem.", processor_chain([
+ dup35,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg46 = msg("00002:44", part74);
+
+ var part75 = match("MESSAGE#46:00002:42/0", "nwparser.payload", "%{change_attribute->} for account '%{change_old}' has been %{disposition->} to '%{change_new}' %{p0}");
+
+ var part76 = match("MESSAGE#46:00002:42/1_0", "nwparser.p0", "by %{administrator->} via %{p0}");
+
+ var select18 = linear_select([
+ part76,
+ dup40,
+ ]);
+
+ var part77 = match("MESSAGE#46:00002:42/2", "nwparser.p0", "%{logon_type->} from host %{p0}");
+
+ var part78 = match("MESSAGE#46:00002:42/3_0", "nwparser.p0", "%{saddr->} to %{daddr}:%{dport->} (%{p0}");
+
+ var part79 = match("MESSAGE#46:00002:42/3_1", "nwparser.p0", "%{saddr}:%{sport->} (%{p0}");
+
+ var select19 = linear_select([
+ part78,
+ part79,
+ ]);
+
+ var all17 = all_match({
+ processors: [
+ part75,
+ select18,
+ part77,
+ select19,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup42,
+ dup43,
+ dup38,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg47 = msg("00002:42", all17);
+
+ var part80 = match("MESSAGE#47:00002:43/0", "nwparser.payload", "Admin account %{disposition->} for %{p0}");
+
+ var part81 = match("MESSAGE#47:00002:43/1_0", "nwparser.p0", "'%{username}'%{p0}");
+
+ var part82 = match("MESSAGE#47:00002:43/1_1", "nwparser.p0", "\"%{username}\"%{p0}");
+
+ var select20 = linear_select([
+ part81,
+ part82,
+ ]);
+
+ var part83 = match("MESSAGE#47:00002:43/2", "nwparser.p0", "%{}by %{administrator->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})");
+
+ var all18 = all_match({
+ processors: [
+ part80,
+ select20,
+ part83,
+ ],
+ on_success: processor_chain([
+ dup42,
+ dup29,
+ dup43,
+ dup38,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg48 = msg("00002:43", all18);
+
+ var part84 = match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([
+ dup42,
+ dup29,
+ dup43,
+ dup38,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg49 = msg("00002:50", part84);
+
+ var part85 = match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} %{fld2->} via %{logon_type->} (%{fld1})", processor_chain([
+ dup42,
+ dup29,
+ dup43,
+ dup38,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg50 = msg("00002:51", part85);
+
+ var part86 = match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg51 = msg("00002:45", part86);
+
+ var part87 = match("MESSAGE#51:00002:47/0_0", "nwparser.payload", "Ping of Death attack protection %{p0}");
+
+ var part88 = match("MESSAGE#51:00002:47/0_1", "nwparser.payload", "Src Route IP option filtering %{p0}");
+
+ var part89 = match("MESSAGE#51:00002:47/0_2", "nwparser.payload", "Teardrop attack protection %{p0}");
+
+ var part90 = match("MESSAGE#51:00002:47/0_3", "nwparser.payload", "Land attack protection %{p0}");
+
+ var part91 = match("MESSAGE#51:00002:47/0_4", "nwparser.payload", "SYN flood protection %{p0}");
+
+ var select21 = linear_select([
+ part87,
+ part88,
+ part89,
+ part90,
+ part91,
+ ]);
+
+ var part92 = match("MESSAGE#51:00002:47/1", "nwparser.p0", "is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})");
+
+ var all19 = all_match({
+ processors: [
+ select21,
+ part92,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg52 = msg("00002:47", all19);
+
+ var part93 = match("MESSAGE#52:00002:48/0", "nwparser.payload", "Dropping pkts if not %{p0}");
+
+ var part94 = match("MESSAGE#52:00002:48/1_0", "nwparser.p0", "exactly same with incoming if %{p0}");
+
+ var part95 = match("MESSAGE#52:00002:48/1_1", "nwparser.p0", "in route table %{p0}");
+
+ var select22 = linear_select([
+ part94,
+ part95,
+ ]);
+
+ var part96 = match("MESSAGE#52:00002:48/2", "nwparser.p0", "(IP spoof protection) is %{disposition->} on zone %{zone->} by %{username->} via %{p0}");
+
+ var part97 = match("MESSAGE#52:00002:48/3_0", "nwparser.p0", "NSRP Peer. (%{p0}");
+
+ var select23 = linear_select([
+ part97,
+ dup45,
+ ]);
+
+ var all20 = all_match({
+ processors: [
+ part93,
+ select22,
+ part96,
+ select23,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg53 = msg("00002:48", all20);
+
+ var part98 = match("MESSAGE#53:00002:52/0", "nwparser.payload", "%{signame->} %{p0}");
+
+ var part99 = match("MESSAGE#53:00002:52/1_0", "nwparser.p0", "protection%{p0}");
+
+ var part100 = match("MESSAGE#53:00002:52/1_1", "nwparser.p0", "limiting%{p0}");
+
+ var part101 = match("MESSAGE#53:00002:52/1_2", "nwparser.p0", "detection%{p0}");
+
+ var part102 = match("MESSAGE#53:00002:52/1_3", "nwparser.p0", "filtering %{p0}");
+
+ var select24 = linear_select([
+ part99,
+ part100,
+ part101,
+ part102,
+ ]);
+
+ var part103 = match("MESSAGE#53:00002:52/2", "nwparser.p0", "%{}is %{disposition->} on zone %{zone->} by %{p0}");
+
+ var part104 = match("MESSAGE#53:00002:52/3_1", "nwparser.p0", "admin via %{p0}");
+
+ var select25 = linear_select([
+ dup46,
+ part104,
+ dup47,
+ ]);
+
+ var select26 = linear_select([
+ dup48,
+ dup45,
+ ]);
+
+ var all21 = all_match({
+ processors: [
+ part98,
+ select24,
+ part103,
+ select25,
+ select26,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg54 = msg("00002:52", all21);
+
+ var part105 = match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"%{username}\" has been %{disposition->} by %{administrator->} via %{logon_type->} (%{fld1})", processor_chain([
+ dup42,
+ dup43,
+ dup38,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg55 = msg("00002:53", part105);
+
+ var part106 = match("MESSAGE#55:00002:54/0", "nwparser.payload", "Traffic shaping clearing DSCP selector is turned O%{p0}");
+
+ var part107 = match("MESSAGE#55:00002:54/1_0", "nwparser.p0", "FF%{p0}");
+
+ var part108 = match("MESSAGE#55:00002:54/1_1", "nwparser.p0", "N%{p0}");
+
+ var select27 = linear_select([
+ part107,
+ part108,
+ ]);
+
+ var all22 = all_match({
+ processors: [
+ part106,
+ select27,
+ dup49,
+ ],
+ on_success: processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg56 = msg("00002:54", all22);
+
+ var part109 = match("MESSAGE#56:00002/0", "nwparser.payload", "%{change_attribute->} %{p0}");
+
+ var part110 = match("MESSAGE#56:00002/1_0", "nwparser.p0", "has been changed%{p0}");
+
+ var select28 = linear_select([
+ part110,
+ dup52,
+ ]);
+
+ var part111 = match("MESSAGE#56:00002/2", "nwparser.p0", "%{}from %{change_old->} to %{change_new}");
+
+ var all23 = all_match({
+ processors: [
+ part109,
+ select28,
+ part111,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg57 = msg("00002", all23);
+
+ var part112 = match("MESSAGE#1215:00002:56", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed. (%{fld1})", processor_chain([
+ dup53,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg58 = msg("00002:56", part112);
+
+ var select29 = linear_select([
+ msg11,
+ msg12,
+ msg13,
+ msg14,
+ msg15,
+ msg16,
+ msg17,
+ msg18,
+ msg19,
+ msg20,
+ msg21,
+ msg22,
+ msg23,
+ msg24,
+ msg25,
+ msg26,
+ msg27,
+ msg28,
+ msg29,
+ msg30,
+ msg31,
+ msg32,
+ msg33,
+ msg34,
+ msg35,
+ msg36,
+ msg37,
+ msg38,
+ msg39,
+ msg40,
+ msg41,
+ msg42,
+ msg43,
+ msg44,
+ msg45,
+ msg46,
+ msg47,
+ msg48,
+ msg49,
+ msg50,
+ msg51,
+ msg52,
+ msg53,
+ msg54,
+ msg55,
+ msg56,
+ msg57,
+ msg58,
+ ]);
+
+ var part113 = match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([
+ dup53,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg59 = msg("00003", part113);
+
+ var part114 = match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failures have been detected!%{}", processor_chain([
+ dup53,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg60 = msg("00003:01", part114);
+
+ var part115 = match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has been %{disposition}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg61 = msg("00003:02", part115);
+
+ var part116 = match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed from %{change_old->} to %{change_new}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg62 = msg("00003:03", part116);
+
+ var part117 = match("MESSAGE#61:00003:05/1_0", "nwparser.p0", "serial%{p0}");
+
+ var part118 = match("MESSAGE#61:00003:05/1_1", "nwparser.p0", "local%{p0}");
+
+ var select30 = linear_select([
+ part117,
+ part118,
+ ]);
+
+ var part119 = match("MESSAGE#61:00003:05/2", "nwparser.p0", "%{}console has been %{disposition->} by admin %{administrator}.");
+
+ var all24 = all_match({
+ processors: [
+ dup55,
+ select30,
+ part119,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg63 = msg("00003:05", all24);
+
+ var select31 = linear_select([
+ msg59,
+ msg60,
+ msg61,
+ msg62,
+ msg63,
+ ]);
+
+ var part120 = match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been changed", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg64 = msg("00004", part120);
+
+ var part121 = match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{disposition}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg65 = msg("00004:01", part121);
+
+ var part122 = match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{disposition}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg66 = msg("00004:02", part122);
+
+ var part123 = match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been %{disposition}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg67 = msg("00004:03", part123);
+
+ var part124 = match("MESSAGE#66:00004:04/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr->} using protocol %{protocol->} on %{p0}");
+
+ var part125 = match("MESSAGE#66:00004:04/2", "nwparser.p0", "%{} %{interface->} %{space}The attack occurred %{dclass_counter1->} times");
+
+ var all25 = all_match({
+ processors: [
+ part124,
+ dup337,
+ part125,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup5,
+ dup59,
+ dup3,
+ dup60,
+ ]),
+ });
+
+ var msg68 = msg("00004:04", all25);
+
+ var part126 = match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol}", processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup61,
+ ]));
+
+ var msg69 = msg("00004:05", part126);
+
+ var part127 = match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been changed to start at %{fld2}:%{fld3->} with an interval of %{fld4}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg70 = msg("00004:06", part127);
+
+ var part128 = match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have been refreshed as result of external event.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg71 = msg("00004:07", part128);
+
+ var part129 = match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg72 = msg("00004:08", part129);
+
+ var part130 = match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more concurrent client requests than allowed.%{}", processor_chain([
+ dup62,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg73 = msg("00004:09", part130);
+
+ var part131 = match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table entries exceeded maximum limit.%{}", processor_chain([
+ dup62,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg74 = msg("00004:10", part131);
+
+ var part132 = match("MESSAGE#73:00004:11", "nwparser.payload", "Proxy server select table added with domain %{domain}, interface %{interface}, primary-ip %{fld2}, secondary-ip %{fld3}, tertiary-ip %{fld4}, failover %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg75 = msg("00004:11", part132);
+
+ var part133 = match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table entry %{disposition->} with domain %{domain}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg76 = msg("00004:12", part133);
+
+ var part134 = match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} returned incorrect ip %{fld2}, local-ip should be %{fld3}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg77 = msg("00004:13", part134);
+
+ var part135 = match("MESSAGE#76:00004:14/1_0", "nwparser.p0", "automatically refreshed %{p0}");
+
+ var part136 = match("MESSAGE#76:00004:14/1_1", "nwparser.p0", "refreshed by HA %{p0}");
+
+ var select32 = linear_select([
+ part135,
+ part136,
+ ]);
+
+ var all26 = all_match({
+ processors: [
+ dup63,
+ select32,
+ dup49,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg78 = msg("00004:14", all26);
+
+ var part137 = match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshed as result of DNS server address change. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg79 = msg("00004:15", part137);
+
+ var part138 = match("MESSAGE#78:00004:16", "nwparser.payload", "DNS entries have been manually refreshed. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg80 = msg("00004:16", part138);
+
+ var all27 = all_match({
+ processors: [
+ dup64,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup59,
+ dup9,
+ dup5,
+ dup3,
+ dup60,
+ ]),
+ });
+
+ var msg81 = msg("00004:17", all27);
+
+ var select33 = linear_select([
+ msg64,
+ msg65,
+ msg66,
+ msg67,
+ msg68,
+ msg69,
+ msg70,
+ msg71,
+ msg72,
+ msg73,
+ msg74,
+ msg75,
+ msg76,
+ msg77,
+ msg78,
+ msg79,
+ msg80,
+ msg81,
+ ]);
+
+ var part139 = match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from the same source has been changed to %{trigger_val}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg82 = msg("00005", part139);
+
+ var part140 = match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic to self has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg83 = msg("00005:01", part140);
+
+ var part141 = match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been changed to %{fld3}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg84 = msg("00005:02", part141);
+
+ var part142 = match("MESSAGE#83:00005:03/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{p0}");
+
+ var part143 = match("MESSAGE#83:00005:03/4", "nwparser.p0", "%{fld99}interface %{interface->} %{p0}");
+
+ var part144 = match("MESSAGE#83:00005:03/5_0", "nwparser.p0", "in zone %{zone}. %{p0}");
+
+ var select34 = linear_select([
+ part144,
+ dup73,
+ ]);
+
+ var part145 = match("MESSAGE#83:00005:03/6", "nwparser.p0", "%{space}The attack occurred %{dclass_counter1->} times");
+
+ var all28 = all_match({
+ processors: [
+ part142,
+ dup339,
+ dup70,
+ dup340,
+ part143,
+ select34,
+ part145,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup59,
+ dup61,
+ ]),
+ });
+
+ var msg85 = msg("00005:03", all28);
+
+ var msg86 = msg("00005:04", dup341);
+
+ var part146 = match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2->} mode when receiving unknown dst mac has been %{disposition->} on %{zone}.", processor_chain([
+ setc("eventcategory","1001020100"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg87 = msg("00005:05", part146);
+
+ var part147 = match("MESSAGE#86:00005:06/1", "nwparser.p0", "flood timeout has been set to %{trigger_val->} on %{zone}.");
+
+ var all29 = all_match({
+ processors: [
+ dup342,
+ part147,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg88 = msg("00005:06", all29);
+
+ var part148 = match("MESSAGE#87:00005:07/0", "nwparser.payload", "SYN flood %{p0}");
+
+ var part149 = match("MESSAGE#87:00005:07/1_0", "nwparser.p0", "alarm threshold %{p0}");
+
+ var part150 = match("MESSAGE#87:00005:07/1_1", "nwparser.p0", "packet queue size %{p0}");
+
+ var part151 = match("MESSAGE#87:00005:07/1_3", "nwparser.p0", "attack threshold %{p0}");
+
+ var part152 = match("MESSAGE#87:00005:07/1_4", "nwparser.p0", "same source IP threshold %{p0}");
+
+ var select35 = linear_select([
+ part149,
+ part150,
+ dup76,
+ part151,
+ part152,
+ ]);
+
+ var part153 = match("MESSAGE#87:00005:07/2", "nwparser.p0", "is set to %{trigger_val}.");
+
+ var all30 = all_match({
+ processors: [
+ part148,
+ select35,
+ part153,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg89 = msg("00005:07", all30);
+
+ var part154 = match("MESSAGE#88:00005:08/1", "nwparser.p0", "flood same %{p0}");
+
+ var select36 = linear_select([
+ dup77,
+ dup78,
+ ]);
+
+ var part155 = match("MESSAGE#88:00005:08/3", "nwparser.p0", "ip threshold has been set to %{trigger_val->} on %{zone}.");
+
+ var all31 = all_match({
+ processors: [
+ dup342,
+ part154,
+ select36,
+ part155,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg90 = msg("00005:08", all31);
+
+ var part156 = match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is %{disposition->} on interface %{interface}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg91 = msg("00005:09", part156);
+
+ var part157 = match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is %{disposition->} on %{zone}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg92 = msg("00005:10", part157);
+
+ var part158 = match("MESSAGE#91:00005:11/0", "nwparser.payload", "The SYN flood %{p0}");
+
+ var part159 = match("MESSAGE#91:00005:11/1_0", "nwparser.p0", "alarm threshold%{}");
+
+ var part160 = match("MESSAGE#91:00005:11/1_1", "nwparser.p0", "packet queue size%{}");
+
+ var part161 = match("MESSAGE#91:00005:11/1_2", "nwparser.p0", "timeout value%{}");
+
+ var part162 = match("MESSAGE#91:00005:11/1_3", "nwparser.p0", "attack threshold%{}");
+
+ var part163 = match("MESSAGE#91:00005:11/1_4", "nwparser.p0", "same source IP%{}");
+
+ var select37 = linear_select([
+ part159,
+ part160,
+ part161,
+ part162,
+ part163,
+ ]);
+
+ var all32 = all_match({
+ processors: [
+ part158,
+ select37,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg93 = msg("00005:11", all32);
+
+ var part164 = match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshold value has been set to %{trigger_val->} on %{interface}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg94 = msg("00005:12", part164);
+
+ var part165 = match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg95 = msg("00005:13", part165);
+
+ var part166 = match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unknown mac!%{}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg96 = msg("00005:14", part166);
+
+ var part167 = match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold has been changed to %{trigger_val}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg97 = msg("00005:15", part167);
+
+ var part168 = match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg98 = msg("00005:16", part168);
+
+ var part169 = match("MESSAGE#97:00005:17/1_0", "nwparser.p0", "destination-based %{p0}");
+
+ var part170 = match("MESSAGE#97:00005:17/1_1", "nwparser.p0", "source-based %{p0}");
+
+ var select38 = linear_select([
+ part169,
+ part170,
+ ]);
+
+ var part171 = match("MESSAGE#97:00005:17/2", "nwparser.p0", "session-limit threshold has been set at %{trigger_val->} in zone %{zone}.");
+
+ var all33 = all_match({
+ processors: [
+ dup79,
+ select38,
+ part171,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg99 = msg("00005:17", all33);
+
+ var all34 = all_match({
+ processors: [
+ dup80,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup84,
+ dup2,
+ dup59,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg100 = msg("00005:18", all34);
+
+ var part172 = match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup84,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup59,
+ dup61,
+ ]));
+
+ var msg101 = msg("00005:19", part172);
+
+ var part173 = match("MESSAGE#100:00005:20", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} int %{interface}).%{space->} Occurred %{fld2->} times. (%{fld1})\u003c\u003c%{fld6}>", processor_chain([
+ dup84,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg102 = msg("00005:20", part173);
+
+ var select39 = linear_select([
+ msg82,
+ msg83,
+ msg84,
+ msg85,
+ msg86,
+ msg87,
+ msg88,
+ msg89,
+ msg90,
+ msg91,
+ msg92,
+ msg93,
+ msg94,
+ msg95,
+ msg96,
+ msg97,
+ msg98,
+ msg99,
+ msg100,
+ msg101,
+ msg102,
+ ]);
+
+ var part174 = match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup85,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup61,
+ ]));
+
+ var msg103 = msg("00006", part174);
+
+ var part175 = match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname}\"", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg104 = msg("00006:01", part175);
+
+ var part176 = match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg105 = msg("00006:02", part176);
+
+ var part177 = match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg106 = msg("00006:03", part177);
+
+ var part178 = match("MESSAGE#105:00006:04/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}");
+
+ var all35 = all_match({
+ processors: [
+ part178,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup84,
+ dup2,
+ dup59,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg107 = msg("00006:04", all35);
+
+ var all36 = all_match({
+ processors: [
+ dup64,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup84,
+ dup2,
+ dup59,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg108 = msg("00006:05", all36);
+
+ var select40 = linear_select([
+ msg103,
+ msg104,
+ msg105,
+ msg106,
+ msg107,
+ msg108,
+ ]);
+
+ var part179 = match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg109 = msg("00007", part179);
+
+ var part180 = match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the local NetScreen device has changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg110 = msg("00007:01", part180);
+
+ var part181 = match("MESSAGE#109:00007:02/0", "nwparser.payload", "HA state of the local device has changed to backup because a device with a %{p0}");
+
+ var part182 = match("MESSAGE#109:00007:02/1_0", "nwparser.p0", "higher priority has been detected%{}");
+
+ var part183 = match("MESSAGE#109:00007:02/1_1", "nwparser.p0", "lower MAC value has been detected%{}");
+
+ var select41 = linear_select([
+ part182,
+ part183,
+ ]);
+
+ var all37 = all_match({
+ processors: [
+ part181,
+ select41,
+ ],
+ on_success: processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg111 = msg("00007:02", all37);
+
+ var part184 = match("MESSAGE#110:00007:03", "nwparser.payload", "HA state of the local device has changed to init because IP tracking has failed%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg112 = msg("00007:03", part184);
+
+ var select42 = linear_select([
+ dup88,
+ dup89,
+ ]);
+
+ var part185 = match("MESSAGE#111:00007:04/4", "nwparser.p0", "has been changed%{}");
+
+ var all38 = all_match({
+ processors: [
+ dup87,
+ select42,
+ dup23,
+ dup344,
+ part185,
+ ],
+ on_success: processor_chain([
+ dup91,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg113 = msg("00007:04", all38);
+
+ var part186 = match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device has been elected backup because a master already exists%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg114 = msg("00007:05", part186);
+
+ var part187 = match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg115 = msg("00007:06", part187);
+
+ var part188 = match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg116 = msg("00007:07", part188);
+
+ var part189 = match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been elected master because no other master exists%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg117 = msg("00007:08", part189);
+
+ var part190 = match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has been changed to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg118 = msg("00007:09", part190);
+
+ var part191 = match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promoted the local NetScreen device to master%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg119 = msg("00007:10", part191);
+
+ var part192 = match("MESSAGE#118:00007:11/0", "nwparser.payload", "IP tracking device failover threshold has been %{p0}");
+
+ var select43 = linear_select([
+ dup92,
+ dup93,
+ ]);
+
+ var all39 = all_match({
+ processors: [
+ part192,
+ select43,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg120 = msg("00007:11", all39);
+
+ var part193 = match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg121 = msg("00007:12", part193);
+
+ var part194 = match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} with interval %{fld2->} threshold %{trigger_val->} weight %{fld4->} interface %{interface->} method %{fld5->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg122 = msg("00007:13", part194);
+
+ var part195 = match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup85,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup60,
+ ]));
+
+ var msg123 = msg("00007:14", part195);
+
+ var part196 = match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been changed to %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg124 = msg("00007:15", part196);
+
+ var part197 = match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration and status changes to NetScreen-Global Manager has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg125 = msg("00007:16", part197);
+
+ var part198 = match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg126 = msg("00007:17", part198);
+
+ var part199 = match("MESSAGE#125:00007:18/0", "nwparser.payload", "Tracked IP %{hostip->} options have been changed from int %{fld2->} thr %{fld3->} wgt %{fld4->} inf %{fld5->} %{p0}");
+
+ var part200 = match("MESSAGE#125:00007:18/1_0", "nwparser.p0", "ping %{p0}");
+
+ var part201 = match("MESSAGE#125:00007:18/1_1", "nwparser.p0", "ARP %{p0}");
+
+ var select44 = linear_select([
+ part200,
+ part201,
+ ]);
+
+ var part202 = match("MESSAGE#125:00007:18/2", "nwparser.p0", "to %{fld6->} %{p0}");
+
+ var part203 = match("MESSAGE#125:00007:18/3_0", "nwparser.p0", "ping%{}");
+
+ var part204 = match("MESSAGE#125:00007:18/3_1", "nwparser.p0", "ARP%{}");
+
+ var select45 = linear_select([
+ part203,
+ part204,
+ ]);
+
+ var all40 = all_match({
+ processors: [
+ part199,
+ select44,
+ part202,
+ select45,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg127 = msg("00007:18", all40);
+
+ var part205 = match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} path from %{change_old->} to %{change_new}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg128 = msg("00007:20", part205);
+
+ var part206 = match("MESSAGE#127:00007:21/0", "nwparser.payload", "HA Slave is %{p0}");
+
+ var all41 = all_match({
+ processors: [
+ part206,
+ dup345,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg129 = msg("00007:21", all41);
+
+ var part207 = match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{groupid}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg130 = msg("00007:22", part207);
+
+ var part208 = match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg131 = msg("00007:23", part208);
+
+ var part209 = match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg132 = msg("00007:24", part209);
+
+ var part210 = match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial state.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg133 = msg("00007:25", part210);
+
+ var part211 = match("MESSAGE#132:00007:26/0", "nwparser.payload", "HA: Change state to slave for %{p0}");
+
+ var part212 = match("MESSAGE#132:00007:26/1_0", "nwparser.p0", "tracking ip failed%{}");
+
+ var part213 = match("MESSAGE#132:00007:26/1_1", "nwparser.p0", "linkdown%{}");
+
+ var select46 = linear_select([
+ part212,
+ part213,
+ ]);
+
+ var all42 = all_match({
+ processors: [
+ part211,
+ select46,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg134 = msg("00007:26", all42);
+
+ var part214 = match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command issued from original master to change state%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg135 = msg("00007:27", part214);
+
+ var part215 = match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other master%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg136 = msg("00007:28", part215);
+
+ var part216 = match("MESSAGE#135:00007:29/0", "nwparser.payload", "HA: Elected slave %{p0}");
+
+ var part217 = match("MESSAGE#135:00007:29/1_0", "nwparser.p0", "lower priority%{}");
+
+ var part218 = match("MESSAGE#135:00007:29/1_1", "nwparser.p0", "MAC value is larger%{}");
+
+ var part219 = match("MESSAGE#135:00007:29/1_2", "nwparser.p0", "master already exists%{}");
+
+ var part220 = match("MESSAGE#135:00007:29/1_3", "nwparser.p0", "detect new master with higher priority%{}");
+
+ var part221 = match("MESSAGE#135:00007:29/1_4", "nwparser.p0", "detect new master with smaller MAC value%{}");
+
+ var select47 = linear_select([
+ part217,
+ part218,
+ part219,
+ part220,
+ part221,
+ ]);
+
+ var all43 = all_match({
+ processors: [
+ part216,
+ select47,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg137 = msg("00007:29", all43);
+
+ var part222 = match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command issued from original master to change state%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg138 = msg("00007:30", part222);
+
+ var part223 = match("MESSAGE#137:00007:31/0", "nwparser.payload", "HA: ha link %{p0}");
+
+ var all44 = all_match({
+ processors: [
+ part223,
+ dup345,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg139 = msg("00007:31", all44);
+
+ var part224 = match("MESSAGE#138:00007:32/0", "nwparser.payload", "NSRP %{fld2->} %{p0}");
+
+ var select48 = linear_select([
+ dup89,
+ dup88,
+ ]);
+
+ var part225 = match("MESSAGE#138:00007:32/4", "nwparser.p0", "changed.%{}");
+
+ var all45 = all_match({
+ processors: [
+ part224,
+ select48,
+ dup23,
+ dup344,
+ part225,
+ ],
+ on_success: processor_chain([
+ dup91,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg140 = msg("00007:32", all45);
+
+ var part226 = match("MESSAGE#139:00007:33/0_0", "nwparser.payload", "NSRP: VSD %{p0}");
+
+ var part227 = match("MESSAGE#139:00007:33/0_1", "nwparser.payload", "Virtual Security Device group %{p0}");
+
+ var select49 = linear_select([
+ part226,
+ part227,
+ ]);
+
+ var part228 = match("MESSAGE#139:00007:33/1", "nwparser.p0", "%{fld2->} change%{p0}");
+
+ var part229 = match("MESSAGE#139:00007:33/2_0", "nwparser.p0", "d %{p0}");
+
+ var select50 = linear_select([
+ part229,
+ dup96,
+ ]);
+
+ var part230 = match("MESSAGE#139:00007:33/3", "nwparser.p0", "to %{fld3->} mode.");
+
+ var all46 = all_match({
+ processors: [
+ select49,
+ part228,
+ select50,
+ part230,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg141 = msg("00007:33", all46);
+
+ var part231 = match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} dropped: invalid encryption password.", processor_chain([
+ dup97,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg142 = msg("00007:34", part231);
+
+ var part232 = match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change to %{interface}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg143 = msg("00007:35", part232);
+
+ var part233 = match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} local unit=%{fld3->} duplicate from unit=%{fld4}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg144 = msg("00007:36", part233);
+
+ var part234 = match("MESSAGE#143:00007:37/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} is %{p0}");
+
+ var all47 = all_match({
+ processors: [
+ part234,
+ dup346,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg145 = msg("00007:37", all47);
+
+ var part235 = match("MESSAGE#144:00007:38/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} peer=%{fld3->} from %{p0}");
+
+ var part236 = match("MESSAGE#144:00007:38/4", "nwparser.p0", "state %{p0}");
+
+ var part237 = match("MESSAGE#144:00007:38/5_0", "nwparser.p0", "missed heartbeat%{}");
+
+ var part238 = match("MESSAGE#144:00007:38/5_1", "nwparser.p0", "group detached%{}");
+
+ var select51 = linear_select([
+ part237,
+ part238,
+ ]);
+
+ var all48 = all_match({
+ processors: [
+ part235,
+ dup347,
+ dup103,
+ dup347,
+ part236,
+ select51,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg146 = msg("00007:38", all48);
+
+ var part239 = match("MESSAGE#145:00007:39/0", "nwparser.payload", "RTO mirror group id=%{groupid->} is %{p0}");
+
+ var all49 = all_match({
+ processors: [
+ part239,
+ dup346,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg147 = msg("00007:39", all49);
+
+ var part240 = match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (ifnum=%{fld3}) as secondary HA path", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg148 = msg("00007:40", part240);
+
+ var part241 = match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{fld2}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg149 = msg("00007:41", part241);
+
+ var part242 = match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fld2->} (ifnum=%{fld3})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg150 = msg("00007:42", part242);
+
+ var part243 = match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg151 = msg("00007:43", part243);
+
+ var part244 = match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is %{disposition->} total number=%{fld3}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg152 = msg("00007:44", part244);
+
+ var part245 = match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local unit %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg153 = msg("00007:45", part245);
+
+ var part246 = match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup85,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup60,
+ ]));
+
+ var msg154 = msg("00007:46", part246);
+
+ var part247 = match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to interface %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg155 = msg("00007:47", part247);
+
+ var part248 = match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped because it contained an invalid encryption password.", processor_chain([
+ dup97,
+ dup2,
+ dup3,
+ dup4,
+ setc("disposition","dropped"),
+ setc("result","Invalid encryption Password"),
+ ]));
+
+ var msg156 = msg("00007:48", part248);
+
+ var part249 = match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of all Virtual Security Device groups changed from %{change_old->} to %{change_new}", processor_chain([
+ setc("eventcategory","1604000000"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg157 = msg("00007:49", part249);
+
+ var part250 = match("MESSAGE#156:00007:50/0", "nwparser.payload", "Device %{fld2->} %{p0}");
+
+ var part251 = match("MESSAGE#156:00007:50/1_0", "nwparser.p0", "has joined %{p0}");
+
+ var part252 = match("MESSAGE#156:00007:50/1_1", "nwparser.p0", "quit current %{p0}");
+
+ var select52 = linear_select([
+ part251,
+ part252,
+ ]);
+
+ var part253 = match("MESSAGE#156:00007:50/2", "nwparser.p0", "NSRP cluster %{fld3}");
+
+ var all50 = all_match({
+ processors: [
+ part250,
+ select52,
+ part253,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg158 = msg("00007:50", all50);
+
+ var part254 = match("MESSAGE#157:00007:51/0", "nwparser.payload", "Virtual Security Device group %{group->} was %{p0}");
+
+ var part255 = match("MESSAGE#157:00007:51/1_1", "nwparser.p0", "deleted %{p0}");
+
+ var select53 = linear_select([
+ dup104,
+ part255,
+ ]);
+
+ var select54 = linear_select([
+ dup105,
+ dup73,
+ ]);
+
+ var part256 = match("MESSAGE#157:00007:51/4", "nwparser.p0", "The total number of members in the group %{p0}");
+
+ var select55 = linear_select([
+ dup106,
+ dup107,
+ ]);
+
+ var all51 = all_match({
+ processors: [
+ part254,
+ select53,
+ dup23,
+ select54,
+ part256,
+ select55,
+ dup108,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg159 = msg("00007:51", all51);
+
+ var part257 = match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group %{group->} %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg160 = msg("00007:52", part257);
+
+ var part258 = match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the devices was set to interface %{interface->} with ifnum %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg161 = msg("00007:53", part258);
+
+ var part259 = match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of the devices changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg162 = msg("00007:54", part259);
+
+ var part260 = match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} with ifnum %{fld2->} was removed from the secondary HA path of the devices.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg163 = msg("00007:55", part260);
+
+ var part261 = match("MESSAGE#162:00007:56", "nwparser.payload", "The probe that detects the status of High Availability link %{fld2->} was %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg164 = msg("00007:56", part261);
+
+ var select56 = linear_select([
+ dup109,
+ dup110,
+ ]);
+
+ var select57 = linear_select([
+ dup111,
+ dup112,
+ ]);
+
+ var part262 = match("MESSAGE#163:00007:57/4", "nwparser.p0", "the probe detecting the status of High Availability link %{fld2->} was set to %{fld3}");
+
+ var all52 = all_match({
+ processors: [
+ dup55,
+ select56,
+ dup23,
+ select57,
+ part262,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg165 = msg("00007:57", all52);
+
+ var part263 = match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} for session synchronization(s) was accepted.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg166 = msg("00007:58", part263);
+
+ var part264 = match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchronization by device %{fld2->} completed.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg167 = msg("00007:59", part264);
+
+ var part265 = match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group %{group->} direction was set to %{direction}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg168 = msg("00007:60", part265);
+
+ var part266 = match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group %{group->} was set.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg169 = msg("00007:61", part266);
+
+ var part267 = match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group %{group->} with direction %{direction->} was unset.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg170 = msg("00007:62", part267);
+
+ var part268 = match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} was unset.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg171 = msg("00007:63", part268);
+
+ var part269 = match("MESSAGE#170:00007:64/1", "nwparser.p0", "%{fld2->} was removed from the monitoring list %{p0}");
+
+ var part270 = match("MESSAGE#170:00007:64/3", "nwparser.p0", "%{fld3}");
+
+ var all53 = all_match({
+ processors: [
+ dup348,
+ part269,
+ dup349,
+ part270,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg172 = msg("00007:64", all53);
+
+ var part271 = match("MESSAGE#171:00007:65/1", "nwparser.p0", "%{fld2->} with weight %{fld3->} was added%{p0}");
+
+ var part272 = match("MESSAGE#171:00007:65/2_0", "nwparser.p0", " to or updated on %{p0}");
+
+ var part273 = match("MESSAGE#171:00007:65/2_1", "nwparser.p0", "/updated to %{p0}");
+
+ var select58 = linear_select([
+ part272,
+ part273,
+ ]);
+
+ var part274 = match("MESSAGE#171:00007:65/3", "nwparser.p0", "the monitoring list %{p0}");
+
+ var part275 = match("MESSAGE#171:00007:65/5", "nwparser.p0", "%{fld4}");
+
+ var all54 = all_match({
+ processors: [
+ dup348,
+ part271,
+ select58,
+ part274,
+ dup349,
+ part275,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg173 = msg("00007:65", all54);
+
+ var part276 = match("MESSAGE#172:00007:66/0_0", "nwparser.payload", "The monitoring %{p0}");
+
+ var part277 = match("MESSAGE#172:00007:66/0_1", "nwparser.payload", "Monitoring %{p0}");
+
+ var select59 = linear_select([
+ part276,
+ part277,
+ ]);
+
+ var part278 = match("MESSAGE#172:00007:66/1", "nwparser.p0", "threshold was modified to %{trigger_val->} o%{p0}");
+
+ var part279 = match("MESSAGE#172:00007:66/2_0", "nwparser.p0", "f %{p0}");
+
+ var select60 = linear_select([
+ part279,
+ dup115,
+ ]);
+
+ var all55 = all_match({
+ processors: [
+ select59,
+ part278,
+ select60,
+ dup108,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg174 = msg("00007:66", all55);
+
+ var part280 = match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg175 = msg("00007:67", part280);
+
+ var part281 = match("MESSAGE#174:00007:68/0", "nwparser.payload", "NSRP b%{p0}");
+
+ var part282 = match("MESSAGE#174:00007:68/1_0", "nwparser.p0", "lack %{p0}");
+
+ var part283 = match("MESSAGE#174:00007:68/1_1", "nwparser.p0", "ack %{p0}");
+
+ var select61 = linear_select([
+ part282,
+ part283,
+ ]);
+
+ var part284 = match("MESSAGE#174:00007:68/2", "nwparser.p0", "hole prevention %{disposition}. Master(s) of Virtual Security Device groups %{p0}");
+
+ var part285 = match("MESSAGE#174:00007:68/3_0", "nwparser.p0", "may not exist %{p0}");
+
+ var part286 = match("MESSAGE#174:00007:68/3_1", "nwparser.p0", "always exists %{p0}");
+
+ var select62 = linear_select([
+ part285,
+ part286,
+ ]);
+
+ var all56 = all_match({
+ processors: [
+ part281,
+ select61,
+ part284,
+ select62,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg176 = msg("00007:68", all56);
+
+ var part287 = match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchronization between devices was %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg177 = msg("00007:69", part287);
+
+ var part288 = match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was changed.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg178 = msg("00007:70", part288);
+
+ var part289 = match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Active mode was %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg179 = msg("00007:71", part289);
+
+ var part290 = match("MESSAGE#178:00007:72", "nwparser.payload", "NSRP: nsrp link probe enable on %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg180 = msg("00007:72", part290);
+
+ var select63 = linear_select([
+ msg109,
+ msg110,
+ msg111,
+ msg112,
+ msg113,
+ msg114,
+ msg115,
+ msg116,
+ msg117,
+ msg118,
+ msg119,
+ msg120,
+ msg121,
+ msg122,
+ msg123,
+ msg124,
+ msg125,
+ msg126,
+ msg127,
+ msg128,
+ msg129,
+ msg130,
+ msg131,
+ msg132,
+ msg133,
+ msg134,
+ msg135,
+ msg136,
+ msg137,
+ msg138,
+ msg139,
+ msg140,
+ msg141,
+ msg142,
+ msg143,
+ msg144,
+ msg145,
+ msg146,
+ msg147,
+ msg148,
+ msg149,
+ msg150,
+ msg151,
+ msg152,
+ msg153,
+ msg154,
+ msg155,
+ msg156,
+ msg157,
+ msg158,
+ msg159,
+ msg160,
+ msg161,
+ msg162,
+ msg163,
+ msg164,
+ msg165,
+ msg166,
+ msg167,
+ msg168,
+ msg169,
+ msg170,
+ msg171,
+ msg172,
+ msg173,
+ msg174,
+ msg175,
+ msg176,
+ msg177,
+ msg178,
+ msg179,
+ msg180,
+ ]);
+
+ var part291 = match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup61,
+ ]));
+
+ var msg181 = msg("00008", part291);
+
+ var msg182 = msg("00008:01", dup341);
+
+ var part292 = match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been changed%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg183 = msg("00008:02", part292);
+
+ var part293 = match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been updated through NTP%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg184 = msg("00008:03", part293);
+
+ var part294 = match("MESSAGE#183:00008:04/0", "nwparser.payload", "System clock %{p0}");
+
+ var part295 = match("MESSAGE#183:00008:04/1_0", "nwparser.p0", "configurations have been%{p0}");
+
+ var part296 = match("MESSAGE#183:00008:04/1_1", "nwparser.p0", "was%{p0}");
+
+ var part297 = match("MESSAGE#183:00008:04/1_2", "nwparser.p0", "is%{p0}");
+
+ var select64 = linear_select([
+ part295,
+ part296,
+ part297,
+ ]);
+
+ var part298 = match("MESSAGE#183:00008:04/2", "nwparser.p0", "%{}changed%{p0}");
+
+ var part299 = match("MESSAGE#183:00008:04/3_0", "nwparser.p0", " by admin %{administrator}");
+
+ var part300 = match("MESSAGE#183:00008:04/3_1", "nwparser.p0", " by %{username->} (%{fld1})");
+
+ var part301 = match("MESSAGE#183:00008:04/3_2", "nwparser.p0", " by %{username}");
+
+ var part302 = match("MESSAGE#183:00008:04/3_3", "nwparser.p0", " manually.%{}");
+
+ var part303 = match("MESSAGE#183:00008:04/3_4", "nwparser.p0", " manually%{}");
+
+ var select65 = linear_select([
+ part299,
+ part300,
+ part301,
+ part302,
+ part303,
+ dup21,
+ ]);
+
+ var all57 = all_match({
+ processors: [
+ part294,
+ select64,
+ part298,
+ select65,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg185 = msg("00008:04", all57);
+
+ var part304 = match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg186 = msg("00008:05", part304);
+
+ var part305 = match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup59,
+ dup61,
+ ]));
+
+ var msg187 = msg("00008:06", part305);
+
+ var part306 = match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup59,
+ dup60,
+ ]));
+
+ var msg188 = msg("00008:07", part306);
+
+ var part307 = match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup59,
+ dup60,
+ ]));
+
+ var msg189 = msg("00008:08", part307);
+
+ var part308 = match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manually%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg190 = msg("00008:09", part308);
+
+ var part309 = match("MESSAGE#189:00008:10/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol}(zone %{p0}");
+
+ var all58 = all_match({
+ processors: [
+ part309,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ dup60,
+ ]),
+ });
+
+ var msg191 = msg("00008:10", all58);
+
+ var select66 = linear_select([
+ msg181,
+ msg182,
+ msg183,
+ msg184,
+ msg185,
+ msg186,
+ msg187,
+ msg188,
+ msg189,
+ msg190,
+ msg191,
+ ]);
+
+ var part310 = match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the interface %{interface->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg192 = msg("00009", part310);
+
+ var part311 = match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg193 = msg("00009:01", part311);
+
+ var part312 = match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{interface->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg194 = msg("00009:02", part312);
+
+ var part313 = match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for interface %{interface->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg195 = msg("00009:03", part313);
+
+ var part314 = match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg196 = msg("00009:05", part314);
+
+ var part315 = match("MESSAGE#195:00009:06/0_0", "nwparser.payload", "%{fld2}: The 802.1Q tag %{p0}");
+
+ var part316 = match("MESSAGE#195:00009:06/0_1", "nwparser.payload", "The 802.1Q tag %{p0}");
+
+ var select67 = linear_select([
+ part315,
+ part316,
+ ]);
+
+ var select68 = linear_select([
+ dup119,
+ dup16,
+ ]);
+
+ var part317 = match("MESSAGE#195:00009:06/3", "nwparser.p0", "interface %{interface->} has been %{p0}");
+
+ var part318 = match("MESSAGE#195:00009:06/4_1", "nwparser.p0", "changed to %{p0}");
+
+ var select69 = linear_select([
+ dup120,
+ part318,
+ ]);
+
+ var part319 = match("MESSAGE#195:00009:06/6_0", "nwparser.p0", "%{info->} from host %{saddr}");
+
+ var part320 = match_copy("MESSAGE#195:00009:06/6_1", "nwparser.p0", "info");
+
+ var select70 = linear_select([
+ part319,
+ part320,
+ ]);
+
+ var all59 = all_match({
+ processors: [
+ select67,
+ dup118,
+ select68,
+ part317,
+ select69,
+ dup23,
+ select70,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg197 = msg("00009:06", all59);
+
+ var part321 = match("MESSAGE#196:00009:07/0", "nwparser.payload", "Maximum bandwidth %{fld2->} on %{p0}");
+
+ var part322 = match("MESSAGE#196:00009:07/2", "nwparser.p0", "%{} %{interface->} is less than t%{p0}");
+
+ var part323 = match("MESSAGE#196:00009:07/3_0", "nwparser.p0", "he total %{p0}");
+
+ var part324 = match("MESSAGE#196:00009:07/3_1", "nwparser.p0", "otal %{p0}");
+
+ var select71 = linear_select([
+ part323,
+ part324,
+ ]);
+
+ var part325 = match("MESSAGE#196:00009:07/4", "nwparser.p0", "guaranteed bandwidth %{fld3}");
+
+ var all60 = all_match({
+ processors: [
+ part321,
+ dup337,
+ part322,
+ select71,
+ part325,
+ ],
+ on_success: processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg198 = msg("00009:07", all60);
+
+ var part326 = match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth setting on the interface %{interface->} has been changed to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg199 = msg("00009:09", part326);
+
+ var part327 = match("MESSAGE#198:00009:10/0", "nwparser.payload", "The operational mode for the interface %{interface->} has been changed to %{p0}");
+
+ var part328 = match("MESSAGE#198:00009:10/1_0", "nwparser.p0", "Route%{}");
+
+ var part329 = match("MESSAGE#198:00009:10/1_1", "nwparser.p0", "NAT%{}");
+
+ var select72 = linear_select([
+ part328,
+ part329,
+ ]);
+
+ var all61 = all_match({
+ processors: [
+ part327,
+ select72,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg200 = msg("00009:10", all61);
+
+ var part330 = match("MESSAGE#199:00009:11/0_0", "nwparser.payload", "%{fld1}: VLAN %{p0}");
+
+ var part331 = match("MESSAGE#199:00009:11/0_1", "nwparser.payload", "VLAN %{p0}");
+
+ var select73 = linear_select([
+ part330,
+ part331,
+ ]);
+
+ var part332 = match("MESSAGE#199:00009:11/1", "nwparser.p0", "tag %{fld2->} has been %{disposition}");
+
+ var all62 = all_match({
+ processors: [
+ select73,
+ part332,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg201 = msg("00009:11", all62);
+
+ var part333 = match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{disposition->} on interface %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg202 = msg("00009:12", part333);
+
+ var part334 = match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on %{interface->} have been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg203 = msg("00009:13", part334);
+
+ var part335 = match("MESSAGE#202:00009:14/0_0", "nwparser.payload", "Global-PRO has been %{p0}");
+
+ var part336 = match("MESSAGE#202:00009:14/0_1", "nwparser.payload", "Global PRO has been %{p0}");
+
+ var part337 = match("MESSAGE#202:00009:14/0_2", "nwparser.payload", "DNS proxy was %{p0}");
+
+ var select74 = linear_select([
+ part335,
+ part336,
+ part337,
+ ]);
+
+ var part338 = match("MESSAGE#202:00009:14/1", "nwparser.p0", "%{disposition->} on %{p0}");
+
+ var select75 = linear_select([
+ dup122,
+ dup123,
+ ]);
+
+ var part339 = match("MESSAGE#202:00009:14/4_0", "nwparser.p0", "%{interface->} (%{fld2})");
+
+ var select76 = linear_select([
+ part339,
+ dup124,
+ ]);
+
+ var all63 = all_match({
+ processors: [
+ select74,
+ part338,
+ select75,
+ dup23,
+ select76,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg204 = msg("00009:14", all63);
+
+ var part340 = match("MESSAGE#203:00009:15/0", "nwparser.payload", "Route between secondary IP%{p0}");
+
+ var part341 = match("MESSAGE#203:00009:15/1_0", "nwparser.p0", " addresses %{p0}");
+
+ var select77 = linear_select([
+ part341,
+ dup125,
+ ]);
+
+ var all64 = all_match({
+ processors: [
+ part340,
+ select77,
+ dup126,
+ dup350,
+ dup128,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg205 = msg("00009:15", all64);
+
+ var part342 = match("MESSAGE#204:00009:16/0", "nwparser.payload", "Secondary IP address %{hostip}/%{mask->} %{p0}");
+
+ var part343 = match("MESSAGE#204:00009:16/3_2", "nwparser.p0", "deleted from %{p0}");
+
+ var select78 = linear_select([
+ dup129,
+ dup130,
+ part343,
+ ]);
+
+ var part344 = match("MESSAGE#204:00009:16/4", "nwparser.p0", "interface %{interface}.");
+
+ var all65 = all_match({
+ processors: [
+ part342,
+ dup350,
+ dup23,
+ select78,
+ part344,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg206 = msg("00009:16", all65);
+
+ var part345 = match("MESSAGE#205:00009:17/0", "nwparser.payload", "Secondary IP address %{p0}");
+
+ var part346 = match("MESSAGE#205:00009:17/1_0", "nwparser.p0", "%{hostip}/%{mask->} was added to interface %{p0}");
+
+ var part347 = match("MESSAGE#205:00009:17/1_1", "nwparser.p0", "%{hostip->} was added to interface %{p0}");
+
+ var select79 = linear_select([
+ part346,
+ part347,
+ ]);
+
+ var part348 = match("MESSAGE#205:00009:17/2", "nwparser.p0", "%{interface}.");
+
+ var all66 = all_match({
+ processors: [
+ part345,
+ select79,
+ part348,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg207 = msg("00009:17", all66);
+
+ var part349 = match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on the interface %{interface->} has been changed to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg208 = msg("00009:18", part349);
+
+ var part350 = match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg209 = msg("00009:19", part350);
+
+ var part351 = match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg210 = msg("00009:27", part351);
+
+ var part352 = match("MESSAGE#209:00009:20/0_0", "nwparser.payload", "%{fld2}: %{service->} has been %{p0}");
+
+ var part353 = match("MESSAGE#209:00009:20/0_1", "nwparser.payload", "%{service->} has been %{p0}");
+
+ var select80 = linear_select([
+ part352,
+ part353,
+ ]);
+
+ var part354 = match("MESSAGE#209:00009:20/1", "nwparser.p0", "%{disposition->} on interface %{interface->} %{p0}");
+
+ var part355 = match("MESSAGE#209:00009:20/2_0", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}");
+
+ var part356 = match("MESSAGE#209:00009:20/2_1", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}:%{sport}");
+
+ var part357 = match("MESSAGE#209:00009:20/2_2", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}");
+
+ var part358 = match("MESSAGE#209:00009:20/2_3", "nwparser.p0", "from host %{saddr->} (%{fld1})");
+
+ var select81 = linear_select([
+ part355,
+ part356,
+ part357,
+ part358,
+ ]);
+
+ var all67 = all_match({
+ processors: [
+ select80,
+ part354,
+ select81,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg211 = msg("00009:20", all67);
+
+ var part359 = match("MESSAGE#210:00009:21/0", "nwparser.payload", "Source Route IP option! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var all68 = all_match({
+ processors: [
+ part359,
+ dup343,
+ dup131,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ dup60,
+ ]),
+ });
+
+ var msg212 = msg("00009:21", all68);
+
+ var part360 = match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface->} has been changed to %{fld2->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg213 = msg("00009:22", part360);
+
+ var part361 = match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip->} has been added to interface %{interface->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg214 = msg("00009:23", part361);
+
+ var part362 = match("MESSAGE#213:00009:24/0", "nwparser.payload", "Web has been enabled on interface %{interface->} by admin %{administrator->} via %{p0}");
+
+ var part363 = match("MESSAGE#213:00009:24/1_0", "nwparser.p0", "%{logon_type->} %{space}(%{p0}");
+
+ var part364 = match("MESSAGE#213:00009:24/1_1", "nwparser.p0", "%{logon_type}. (%{p0}");
+
+ var select82 = linear_select([
+ part363,
+ part364,
+ ]);
+
+ var part365 = match("MESSAGE#213:00009:24/2", "nwparser.p0", ")%{fld1}");
+
+ var all69 = all_match({
+ processors: [
+ part362,
+ select82,
+ part365,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg215 = msg("00009:24", all69);
+
+ var part366 = match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on interface %{interface->} by %{username->} via %{logon_type}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg216 = msg("00009:25", part366);
+
+ var part367 = match("MESSAGE#215:00009:26/0", "nwparser.payload", "%{protocol->} has been %{disposition->} on interface %{interface->} by %{username->} via NSRP Peer . %{p0}");
+
+ var all70 = all_match({
+ processors: [
+ part367,
+ dup333,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg217 = msg("00009:26", all70);
+
+ var select83 = linear_select([
+ msg192,
+ msg193,
+ msg194,
+ msg195,
+ msg196,
+ msg197,
+ msg198,
+ msg199,
+ msg200,
+ msg201,
+ msg202,
+ msg203,
+ msg204,
+ msg205,
+ msg206,
+ msg207,
+ msg208,
+ msg209,
+ msg210,
+ msg211,
+ msg212,
+ msg213,
+ msg214,
+ msg215,
+ msg216,
+ msg217,
+ ]);
+
+ var part368 = match("MESSAGE#216:00010/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} %{p0}");
+
+ var part369 = match("MESSAGE#216:00010/1_0", "nwparser.p0", "using protocol %{p0}");
+
+ var part370 = match("MESSAGE#216:00010/1_1", "nwparser.p0", "proto %{p0}");
+
+ var select84 = linear_select([
+ part369,
+ part370,
+ ]);
+
+ var part371 = match("MESSAGE#216:00010/2", "nwparser.p0", "%{protocol->} %{p0}");
+
+ var part372 = match("MESSAGE#216:00010/3_0", "nwparser.p0", "( zone %{zone}, int %{interface}) %{p0}");
+
+ var part373 = match("MESSAGE#216:00010/3_1", "nwparser.p0", "zone %{zone->} int %{interface}) %{p0}");
+
+ var select85 = linear_select([
+ part372,
+ part373,
+ dup126,
+ ]);
+
+ var part374 = match("MESSAGE#216:00010/4", "nwparser.p0", ".%{space}The attack occurred %{dclass_counter1->} times%{p0}");
+
+ var all71 = all_match({
+ processors: [
+ part368,
+ select84,
+ part371,
+ select85,
+ part374,
+ dup351,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup59,
+ dup5,
+ dup9,
+ dup3,
+ dup61,
+ ]),
+ });
+
+ var msg218 = msg("00010", all71);
+
+ var part375 = match("MESSAGE#217:00010:01", "nwparser.payload", "MIP %{hostip}/%{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg219 = msg("00010:01", part375);
+
+ var part376 = match("MESSAGE#218:00010:02", "nwparser.payload", "Mapped IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg220 = msg("00010:02", part376);
+
+ var all72 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup4,
+ dup5,
+ dup9,
+ dup3,
+ dup60,
+ ]),
+ });
+
+ var msg221 = msg("00010:03", all72);
+
+ var select86 = linear_select([
+ msg218,
+ msg219,
+ msg220,
+ msg221,
+ ]);
+
+ var part377 = match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg222 = msg("00011", part377);
+
+ var part378 = match("MESSAGE#221:00011:01/0", "nwparser.payload", "Route to %{daddr}/%{fld2->} [ %{p0}");
+
+ var select87 = linear_select([
+ dup57,
+ dup56,
+ ]);
+
+ var part379 = match("MESSAGE#221:00011:01/2", "nwparser.p0", "%{} %{interface->} gateway %{fld3->} ] has been %{disposition}");
+
+ var all73 = all_match({
+ processors: [
+ part378,
+ select87,
+ part379,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg223 = msg("00011:01", all73);
+
+ var part380 = match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} to %{daddr->} protocol %{protocol->} (%{fld2})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg224 = msg("00011:02", part380);
+
+ var part381 = match("MESSAGE#223:00011:03/0", "nwparser.payload", "An %{p0}");
+
+ var part382 = match("MESSAGE#223:00011:03/1_0", "nwparser.p0", "import %{p0}");
+
+ var part383 = match("MESSAGE#223:00011:03/1_1", "nwparser.p0", "export %{p0}");
+
+ var select88 = linear_select([
+ part382,
+ part383,
+ ]);
+
+ var part384 = match("MESSAGE#223:00011:03/2", "nwparser.p0", "rule in virtual router %{node->} to virtual router %{fld4->} with %{p0}");
+
+ var part385 = match("MESSAGE#223:00011:03/3_0", "nwparser.p0", "route-map %{fld3->} and protocol %{protocol->} has been %{p0}");
+
+ var part386 = match("MESSAGE#223:00011:03/3_1", "nwparser.p0", "IP-prefix %{hostip}/%{interface->} has been %{p0}");
+
+ var select89 = linear_select([
+ part385,
+ part386,
+ ]);
+
+ var all74 = all_match({
+ processors: [
+ part381,
+ select88,
+ part384,
+ select89,
+ dup36,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg225 = msg("00011:03", all74);
+
+ var part387 = match("MESSAGE#224:00011:04/0", "nwparser.payload", "A route in virtual router %{node->} that has IP address %{hostip}/%{fld2->} through %{p0}");
+
+ var part388 = match("MESSAGE#224:00011:04/2", "nwparser.p0", "%{interface->} and gateway %{fld3->} with metric %{fld4->} has been %{disposition}");
+
+ var all75 = all_match({
+ processors: [
+ part387,
+ dup352,
+ part388,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg226 = msg("00011:04", all75);
+
+ var part389 = match("MESSAGE#225:00011:05/1_0", "nwparser.p0", "sharable virtual router using name%{p0}");
+
+ var part390 = match("MESSAGE#225:00011:05/1_1", "nwparser.p0", "virtual router with name%{p0}");
+
+ var select90 = linear_select([
+ part389,
+ part390,
+ ]);
+
+ var part391 = match("MESSAGE#225:00011:05/2", "nwparser.p0", "%{} %{node->} and id %{fld2->} has been %{disposition}");
+
+ var all76 = all_match({
+ processors: [
+ dup79,
+ select90,
+ part391,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg227 = msg("00011:05", all76);
+
+ var part392 = match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup5,
+ dup59,
+ dup3,
+ dup60,
+ ]));
+
+ var msg228 = msg("00011:07", part392);
+
+ var part393 = match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{node->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg229 = msg("00011:08", part393);
+
+ var part394 = match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature in virtual router %{node->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg230 = msg("00011:09", part394);
+
+ var part395 = match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes that can be created in virtual router %{node->} is %{fld2}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg231 = msg("00011:10", part395);
+
+ var part396 = match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in virtual router %{node->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg232 = msg("00011:11", part396);
+
+ var part397 = match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual router %{node->} used by OSPF BGP routing instances id has been uninitialized", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg233 = msg("00011:12", part397);
+
+ var part398 = match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be used by OSPF BGP routing instances in virtual router %{node->} has been set to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg234 = msg("00011:13", part398);
+
+ var part399 = match("MESSAGE#233:00011:14/0", "nwparser.payload", "The routing preference for protocol %{protocol->} in virtual router %{node->} has been %{p0}");
+
+ var part400 = match("MESSAGE#233:00011:14/1_1", "nwparser.p0", "reset%{}");
+
+ var select91 = linear_select([
+ dup134,
+ part400,
+ ]);
+
+ var all77 = all_match({
+ processors: [
+ part399,
+ select91,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg235 = msg("00011:14", all77);
+
+ var part401 = match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in virtual router %{node->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg236 = msg("00011:15", part401);
+
+ var part402 = match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route through virtual router %{node->} has been added in virtual router %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg237 = msg("00011:16", part402);
+
+ var part403 = match("MESSAGE#236:00011:17/0", "nwparser.payload", "The virtual router %{node->} has been made %{p0}");
+
+ var part404 = match("MESSAGE#236:00011:17/1_0", "nwparser.p0", "sharable%{}");
+
+ var part405 = match("MESSAGE#236:00011:17/1_1", "nwparser.p0", "unsharable%{}");
+
+ var part406 = match("MESSAGE#236:00011:17/1_2", "nwparser.p0", "default virtual router for virtual system %{fld2}");
+
+ var select92 = linear_select([
+ part404,
+ part405,
+ part406,
+ ]);
+
+ var all78 = all_match({
+ processors: [
+ part403,
+ select92,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg238 = msg("00011:17", all78);
+
+ var part407 = match("MESSAGE#237:00011:18/0_0", "nwparser.payload", "Source route(s) %{p0}");
+
+ var part408 = match("MESSAGE#237:00011:18/0_1", "nwparser.payload", "A source route %{p0}");
+
+ var select93 = linear_select([
+ part407,
+ part408,
+ ]);
+
+ var part409 = match("MESSAGE#237:00011:18/1", "nwparser.p0", "in virtual router %{node->} %{p0}");
+
+ var part410 = match("MESSAGE#237:00011:18/2_0", "nwparser.p0", "with route addresses of %{p0}");
+
+ var part411 = match("MESSAGE#237:00011:18/2_1", "nwparser.p0", "that has IP address %{p0}");
+
+ var select94 = linear_select([
+ part410,
+ part411,
+ ]);
+
+ var part412 = match("MESSAGE#237:00011:18/3", "nwparser.p0", "%{hostip}/%{fld2->} through interface %{interface->} and %{p0}");
+
+ var part413 = match("MESSAGE#237:00011:18/4_0", "nwparser.p0", "a default gateway address %{p0}");
+
+ var select95 = linear_select([
+ part413,
+ dup135,
+ ]);
+
+ var part414 = match("MESSAGE#237:00011:18/5", "nwparser.p0", "%{fld3->} with metric %{fld4->} %{p0}");
+
+ var all79 = all_match({
+ processors: [
+ select93,
+ part409,
+ select94,
+ part412,
+ select95,
+ part414,
+ dup350,
+ dup128,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg239 = msg("00011:18", all79);
+
+ var part415 = match("MESSAGE#238:00011:19/0", "nwparser.payload", "Source Route(s) in virtual router %{node->} with %{p0}");
+
+ var part416 = match("MESSAGE#238:00011:19/1_0", "nwparser.p0", "route addresses of %{p0}");
+
+ var part417 = match("MESSAGE#238:00011:19/1_1", "nwparser.p0", "an IP address %{p0}");
+
+ var select96 = linear_select([
+ part416,
+ part417,
+ ]);
+
+ var part418 = match("MESSAGE#238:00011:19/2", "nwparser.p0", "%{hostip}/%{fld3->} and %{p0}");
+
+ var part419 = match("MESSAGE#238:00011:19/3_0", "nwparser.p0", "a default gateway address of %{p0}");
+
+ var select97 = linear_select([
+ part419,
+ dup135,
+ ]);
+
+ var part420 = match("MESSAGE#238:00011:19/4", "nwparser.p0", "%{fld4->} %{p0}");
+
+ var part421 = match("MESSAGE#238:00011:19/5_1", "nwparser.p0", "has been%{p0}");
+
+ var select98 = linear_select([
+ dup107,
+ part421,
+ ]);
+
+ var all80 = all_match({
+ processors: [
+ part415,
+ select96,
+ part418,
+ select97,
+ part420,
+ select98,
+ dup136,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg240 = msg("00011:19", all80);
+
+ var part422 = match("MESSAGE#239:00011:20/0_0", "nwparser.payload", "%{fld2}: A %{p0}");
+
+ var select99 = linear_select([
+ part422,
+ dup79,
+ ]);
+
+ var part423 = match("MESSAGE#239:00011:20/1", "nwparser.p0", "route has been created in virtual router \"%{node}\"%{space}with an IP address %{hostip->} and next-hop as virtual router \"%{fld3}\"");
+
+ var all81 = all_match({
+ processors: [
+ select99,
+ part423,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg241 = msg("00011:20", all81);
+
+ var part424 = match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual router %{node->} for interface %{interface->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg242 = msg("00011:21", part424);
+
+ var part425 = match("MESSAGE#241:00011:22", "nwparser.payload", "SIBR route in virtual router %{node->} for interface %{interface->} that has IP address %{hostip->} through interface %{fld3->} and gateway %{fld4->} with metric %{fld5->} was %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg243 = msg("00011:22", part425);
+
+ var all82 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup131,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$IN"),
+ field("saddr"),
+ field("daddr"),
+ ],
+ }),
+ ]),
+ });
+
+ var msg244 = msg("00011:23", all82);
+
+ var part426 = match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{node}\" that has IP address %{hostip->} through interface %{interface->} and gateway %{fld2->} with metric %{fld3->} %{disposition}. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg245 = msg("00011:24", part426);
+
+ var part427 = match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \"%{node}\" with an IP address %{hostip}/%{fld2->} and gateway %{fld3->} %{disposition}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg246 = msg("00011:25", part427);
+
+ var part428 = match("MESSAGE#245:00011:26", "nwparser.payload", "Route in virtual router \"%{node}\" with IP address %{hostip}/%{fld2->} and next-hop as virtual router \"%{fld3}\" created. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg247 = msg("00011:26", part428);
+
+ var select100 = linear_select([
+ msg222,
+ msg223,
+ msg224,
+ msg225,
+ msg226,
+ msg227,
+ msg228,
+ msg229,
+ msg230,
+ msg231,
+ msg232,
+ msg233,
+ msg234,
+ msg235,
+ msg236,
+ msg237,
+ msg238,
+ msg239,
+ msg240,
+ msg241,
+ msg242,
+ msg243,
+ msg244,
+ msg245,
+ msg246,
+ msg247,
+ ]);
+
+ var part429 = match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comments have been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg248 = msg("00012:02", part429);
+
+ var part430 = match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} %{change_attribute->} has been changed to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg249 = msg("00012:03", part430);
+
+ var part431 = match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{group->} has %{disposition->} member %{username->} from host %{saddr}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg250 = msg("00012:04", part431);
+
+ var part432 = match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2}) (%{fld3})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg251 = msg("00012:05", part432);
+
+ var part433 = match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup59,
+ dup61,
+ ]));
+
+ var msg252 = msg("00012:06", part433);
+
+ var part434 = match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ dup59,
+ ]));
+
+ var msg253 = msg("00012:07", part434);
+
+ var part435 = match("MESSAGE#252:00012:08", "nwparser.payload", "%{fld2}: Service %{service->} has been %{disposition->} from host %{saddr->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg254 = msg("00012:08", part435);
+
+ var all83 = all_match({
+ processors: [
+ dup80,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg255 = msg("00012:09", all83);
+
+ var all84 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup9,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg256 = msg("00012:10", all84);
+
+ var part436 = match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup9,
+ dup61,
+ ]));
+
+ var msg257 = msg("00012:11", part436);
+
+ var part437 = match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{zone}) %{info->} (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg258 = msg("00012:12", part437);
+
+ var part438 = match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg259 = msg("00012", part438);
+
+ var part439 = match("MESSAGE#258:00012:01", "nwparser.payload", "Service %{service->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg260 = msg("00012:01", part439);
+
+ var select101 = linear_select([
+ msg248,
+ msg249,
+ msg250,
+ msg251,
+ msg252,
+ msg253,
+ msg254,
+ msg255,
+ msg256,
+ msg257,
+ msg258,
+ msg259,
+ msg260,
+ ]);
+
+ var part440 = match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding bytes has been detected%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg261 = msg("00013", part440);
+
+ var part441 = match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to connect to the NetScreen-Global Manager port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ setc("signame","An Attempt to connect to NetScreen-Global Manager Port."),
+ ]));
+
+ var msg262 = msg("00013:01", part441);
+
+ var part442 = match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has been changed to %{fld3}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg263 = msg("00013:02", part442);
+
+ var part443 = match("MESSAGE#262:00013:03", "nwparser.payload", "Web Filtering has been %{disposition->} (%{fld1})", processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg264 = msg("00013:03", part443);
+
+ var select102 = linear_select([
+ msg261,
+ msg262,
+ msg263,
+ msg264,
+ ]);
+
+ var part444 = match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes has changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg265 = msg("00014", part444);
+
+ var part445 = match("MESSAGE#264:00014:01/0", "nwparser.payload", "The group member %{username->} has been %{disposition->} %{p0}");
+
+ var part446 = match("MESSAGE#264:00014:01/1_0", "nwparser.p0", "to a group%{}");
+
+ var part447 = match("MESSAGE#264:00014:01/1_1", "nwparser.p0", "from a group%{}");
+
+ var select103 = linear_select([
+ part446,
+ part447,
+ ]);
+
+ var all85 = all_match({
+ processors: [
+ part445,
+ select103,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg266 = msg("00014:01", all85);
+
+ var part448 = match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has been %{disposition->} by %{username}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg267 = msg("00014:02", part448);
+
+ var part449 = match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has been %{disposition->} by %{administrator}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg268 = msg("00014:03", part449);
+
+ var part450 = match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{hostname->} server { %{hostip->} }: SrvErr (%{fld2}), SockErr (%{fld3}), Valid (%{fld4}),Connected (%{fld5})", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg269 = msg("00014:04", part450);
+
+ var part451 = match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations have been %{disposition->} by admin %{administrator}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg270 = msg("00014:05", part451);
+
+ var part452 = match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition->} manually.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg271 = msg("00014:06", part452);
+
+ var part453 = match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{disposition->} by %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg272 = msg("00014:07", part453);
+
+ var part454 = match("MESSAGE#271:00014:08", "nwparser.payload", "Communication error with %{hostname->} server[%{hostip}]: SrvErr(%{fld2}),SockErr(%{fld3}),Valid(%{fld4}),Connected(%{fld5}) (%{fld1})", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg273 = msg("00014:08", part454);
+
+ var select104 = linear_select([
+ msg265,
+ msg266,
+ msg267,
+ msg268,
+ msg269,
+ msg270,
+ msg271,
+ msg272,
+ msg273,
+ ]);
+
+ var part455 = match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been changed to %{authmethod}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg274 = msg("00015", part455);
+
+ var part456 = match("MESSAGE#273:00015:01", "nwparser.payload", "IP tracking to %{daddr->} has %{disposition}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg275 = msg("00015:01", part456);
+
+ var part457 = match("MESSAGE#274:00015:02/0", "nwparser.payload", "LDAP %{p0}");
+
+ var part458 = match("MESSAGE#274:00015:02/1_0", "nwparser.p0", "server name %{p0}");
+
+ var part459 = match("MESSAGE#274:00015:02/1_2", "nwparser.p0", "distinguished name %{p0}");
+
+ var part460 = match("MESSAGE#274:00015:02/1_3", "nwparser.p0", "common name %{p0}");
+
+ var select105 = linear_select([
+ part458,
+ dup137,
+ part459,
+ part460,
+ ]);
+
+ var all86 = all_match({
+ processors: [
+ part457,
+ select105,
+ dup138,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg276 = msg("00015:02", all86);
+
+ var part461 = match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg277 = msg("00015:03", part461);
+
+ var part462 = match("MESSAGE#276:00015:04/0", "nwparser.payload", "RADIUS server %{p0}");
+
+ var part463 = match("MESSAGE#276:00015:04/1_2", "nwparser.p0", "secret %{p0}");
+
+ var select106 = linear_select([
+ dup139,
+ dup140,
+ part463,
+ ]);
+
+ var all87 = all_match({
+ processors: [
+ part462,
+ select106,
+ dup138,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg278 = msg("00015:04", all87);
+
+ var part464 = match("MESSAGE#277:00015:05/0", "nwparser.payload", "SecurID %{p0}");
+
+ var part465 = match("MESSAGE#277:00015:05/1_0", "nwparser.p0", "authentication port %{p0}");
+
+ var part466 = match("MESSAGE#277:00015:05/1_1", "nwparser.p0", "duress mode %{p0}");
+
+ var part467 = match("MESSAGE#277:00015:05/1_3", "nwparser.p0", "number of retries value %{p0}");
+
+ var select107 = linear_select([
+ part465,
+ part466,
+ dup76,
+ part467,
+ ]);
+
+ var all88 = all_match({
+ processors: [
+ part464,
+ select107,
+ dup138,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg279 = msg("00015:05", all88);
+
+ var part468 = match("MESSAGE#278:00015:06/0_0", "nwparser.payload", "Master %{p0}");
+
+ var part469 = match("MESSAGE#278:00015:06/0_1", "nwparser.payload", "Backup %{p0}");
+
+ var select108 = linear_select([
+ part468,
+ part469,
+ ]);
+
+ var part470 = match("MESSAGE#278:00015:06/1", "nwparser.p0", "SecurID server IP address has been %{disposition}");
+
+ var all89 = all_match({
+ processors: [
+ select108,
+ part470,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg280 = msg("00015:06", all89);
+
+ var part471 = match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to master%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg281 = msg("00015:07", part471);
+
+ var part472 = match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration between master and slave%{}", processor_chain([
+ dup141,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg282 = msg("00015:08", part472);
+
+ var part473 = match("MESSAGE#281:00015:09/0_0", "nwparser.payload", "configuration %{p0}");
+
+ var part474 = match("MESSAGE#281:00015:09/0_1", "nwparser.payload", "Configuration %{p0}");
+
+ var select109 = linear_select([
+ part473,
+ part474,
+ ]);
+
+ var part475 = match("MESSAGE#281:00015:09/1", "nwparser.p0", "out of sync between local unit and remote unit%{}");
+
+ var all90 = all_match({
+ processors: [
+ select109,
+ part475,
+ ],
+ on_success: processor_chain([
+ dup141,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg283 = msg("00015:09", all90);
+
+ var part476 = match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg284 = msg("00015:10", part476);
+
+ var part477 = match("MESSAGE#283:00015:11", "nwparser.payload", "HA data channel change to %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg285 = msg("00015:11", part477);
+
+ var part478 = match("MESSAGE#284:00015:12/1_0", "nwparser.p0", "control %{p0}");
+
+ var part479 = match("MESSAGE#284:00015:12/1_1", "nwparser.p0", "data %{p0}");
+
+ var select110 = linear_select([
+ part478,
+ part479,
+ ]);
+
+ var part480 = match("MESSAGE#284:00015:12/2", "nwparser.p0", "channel moved from link %{p0}");
+
+ var part481 = match("MESSAGE#284:00015:12/6", "nwparser.p0", "(%{interface})");
+
+ var all91 = all_match({
+ processors: [
+ dup87,
+ select110,
+ part480,
+ dup353,
+ dup103,
+ dup353,
+ part481,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg286 = msg("00015:12", all91);
+
+ var part482 = match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", processor_chain([
+ dup144,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg287 = msg("00015:13", part482);
+
+ var part483 = match("MESSAGE#286:00015:14/0", "nwparser.payload", "NSRP link %{p0}");
+
+ var all92 = all_match({
+ processors: [
+ part483,
+ dup353,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg288 = msg("00015:14", all92);
+
+ var part484 = match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel available (%{fld3->} used by other channel)", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg289 = msg("00015:15", part484);
+
+ var part485 = match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out of synchronization between the local device and the peer device.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg290 = msg("00015:16", part485);
+
+ var part486 = match("MESSAGE#289:00015:17", "nwparser.payload", "NSRP %{change_attribute->} %{change_old->} changed to link channel %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg291 = msg("00015:17", part486);
+
+ var part487 = match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on peer device %{fld2->} changed from %{fld3->} to %{fld4->} state.", processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("change_attribute","RTO mirror group"),
+ ]));
+
+ var msg292 = msg("00015:18", part487);
+
+ var part488 = match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on local device %{fld2}, detected a duplicate direction on the peer device %{fld3}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg293 = msg("00015:19", part488);
+
+ var part489 = match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} changed on the local device from %{fld2->} to up state, it had peer device %{fld3}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg294 = msg("00015:20", part489);
+
+ var part490 = match("MESSAGE#293:00015:21/0", "nwparser.payload", "Peer device %{fld2->} %{p0}");
+
+ var part491 = match("MESSAGE#293:00015:21/1_0", "nwparser.p0", "disappeared %{p0}");
+
+ var part492 = match("MESSAGE#293:00015:21/1_1", "nwparser.p0", "was discovered %{p0}");
+
+ var select111 = linear_select([
+ part491,
+ part492,
+ ]);
+
+ var all93 = all_match({
+ processors: [
+ part490,
+ select111,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg295 = msg("00015:21", all93);
+
+ var part493 = match("MESSAGE#294:00015:22/0_0", "nwparser.payload", "The local %{p0}");
+
+ var part494 = match("MESSAGE#294:00015:22/0_1", "nwparser.payload", "The peer %{p0}");
+
+ var part495 = match("MESSAGE#294:00015:22/0_2", "nwparser.payload", "Peer %{p0}");
+
+ var select112 = linear_select([
+ part493,
+ part494,
+ part495,
+ ]);
+
+ var part496 = match("MESSAGE#294:00015:22/1", "nwparser.p0", "device %{fld2->} in the Virtual Security Device group %{group->} changed %{change_attribute->} from %{change_old->} to %{change_new->} %{p0}");
+
+ var all94 = all_match({
+ processors: [
+ select112,
+ part496,
+ dup354,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg296 = msg("00015:22", all94);
+
+ var part497 = match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg297 = msg("00015:23", part497);
+
+ var part498 = match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authentication server has been changed to %{hostname}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg298 = msg("00015:24", part498);
+
+ var part499 = match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification was successful", processor_chain([
+ setc("eventcategory","1613050100"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg299 = msg("00015:25", part499);
+
+ var part500 = match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification failed", processor_chain([
+ dup97,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg300 = msg("00015:29", part500);
+
+ var part501 = match("MESSAGE#299:00015:26/0", "nwparser.payload", "unit %{fld2->} just dis%{p0}");
+
+ var part502 = match("MESSAGE#299:00015:26/1_0", "nwparser.p0", "appeared%{}");
+
+ var part503 = match("MESSAGE#299:00015:26/1_1", "nwparser.p0", "covered%{}");
+
+ var select113 = linear_select([
+ part502,
+ part503,
+ ]);
+
+ var all95 = all_match({
+ processors: [
+ part501,
+ select113,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg301 = msg("00015:26", all95);
+
+ var part504 = match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change to %{interface}. (%{fld2})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup146,
+ ]));
+
+ var msg302 = msg("00015:33", part504);
+
+ var part505 = match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg303 = msg("00015:27", part505);
+
+ var part506 = match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RADIUS retry timeout has been set to default of %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg304 = msg("00015:28", part506);
+
+ var part507 = match("MESSAGE#303:00015:30/0", "nwparser.payload", "Number of RADIUS retries for auth server %{hostname->} %{p0}");
+
+ var part508 = match("MESSAGE#303:00015:30/2", "nwparser.p0", "set to %{fld2->} (%{fld1})");
+
+ var all96 = all_match({
+ processors: [
+ part507,
+ dup355,
+ part508,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg305 = msg("00015:30", all96);
+
+ var part509 = match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth server %{hostname->} is unset to its default value, %{info->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg306 = msg("00015:31", part509);
+
+ var part510 = match("MESSAGE#305:00015:32", "nwparser.payload", "Accounting port of server RADIUS is set to %{network_port}. (%{fld1})", processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg307 = msg("00015:32", part510);
+
+ var select114 = linear_select([
+ msg274,
+ msg275,
+ msg276,
+ msg277,
+ msg278,
+ msg279,
+ msg280,
+ msg281,
+ msg282,
+ msg283,
+ msg284,
+ msg285,
+ msg286,
+ msg287,
+ msg288,
+ msg289,
+ msg290,
+ msg291,
+ msg292,
+ msg293,
+ msg294,
+ msg295,
+ msg296,
+ msg297,
+ msg298,
+ msg299,
+ msg300,
+ msg301,
+ msg302,
+ msg303,
+ msg304,
+ msg305,
+ msg306,
+ msg307,
+ ]);
+
+ var part511 = match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup147,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg308 = msg("00016", part511);
+
+ var part512 = match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{fld3->} has been %{disposition}.", processor_chain([
+ dup1,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg309 = msg("00016:01", part512);
+
+ var part513 = match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disposition}", processor_chain([
+ dup1,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg310 = msg("00016:02", part513);
+
+ var part514 = match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2})", processor_chain([
+ dup147,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg311 = msg("00016:03", part514);
+
+ var part515 = match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg312 = msg("00016:05", part515);
+
+ var part516 = match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup147,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg313 = msg("00016:06", part516);
+
+ var part517 = match("MESSAGE#312:00016:07/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} ( zone %{p0}");
+
+ var all97 = all_match({
+ processors: [
+ part517,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup147,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup9,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg314 = msg("00016:07", all97);
+
+ var part518 = match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) Modify by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ setc("eventcategory","1001020305"),
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg315 = msg("00016:08", part518);
+
+ var part519 = match("MESSAGE#314:00016:09", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) New by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ setc("eventcategory","1001030305"),
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg316 = msg("00016:09", part519);
+
+ var select115 = linear_select([
+ msg308,
+ msg309,
+ msg310,
+ msg311,
+ msg312,
+ msg313,
+ msg314,
+ msg315,
+ msg316,
+ ]);
+
+ var part520 = match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup151,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ ]));
+
+ var msg317 = msg("00017", part520);
+
+ var part521 = match("MESSAGE#316:00017:23/0", "nwparser.payload", "Gateway %{fld2->} at %{fld3->} in %{fld5->} mode with ID %{p0}");
+
+ var part522 = match("MESSAGE#316:00017:23/1_0", "nwparser.p0", "[%{fld4}] %{p0}");
+
+ var part523 = match("MESSAGE#316:00017:23/1_1", "nwparser.p0", "%{fld4->} %{p0}");
+
+ var select116 = linear_select([
+ part522,
+ part523,
+ ]);
+
+ var part524 = match("MESSAGE#316:00017:23/2", "nwparser.p0", "has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} %{fld}");
+
+ var all98 = all_match({
+ processors: [
+ part521,
+ select116,
+ part524,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg318 = msg("00017:23", all98);
+
+ var part525 = match("MESSAGE#317:00017:01/0_0", "nwparser.payload", "%{fld1}: Gateway %{p0}");
+
+ var part526 = match("MESSAGE#317:00017:01/0_1", "nwparser.payload", "Gateway %{p0}");
+
+ var select117 = linear_select([
+ part525,
+ part526,
+ ]);
+
+ var part527 = match("MESSAGE#317:00017:01/1", "nwparser.p0", "%{fld2->} at %{fld3->} in %{fld5->} mode with ID%{p0}");
+
+ var part528 = match("MESSAGE#317:00017:01/3", "nwparser.p0", "%{fld4->} has been %{disposition}");
+
+ var all99 = all_match({
+ processors: [
+ select117,
+ part527,
+ dup356,
+ part528,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg319 = msg("00017:01", all99);
+
+ var part529 = match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settings have been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg320 = msg("00017:02", part529);
+
+ var part530 = match("MESSAGE#319:00017:03", "nwparser.payload", "IKE key %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg321 = msg("00017:03", part530);
+
+ var part531 = match("MESSAGE#320:00017:04/2", "nwparser.p0", "%{group_object->} with range %{fld2->} has been %{disposition}");
+
+ var all100 = all_match({
+ processors: [
+ dup153,
+ dup357,
+ part531,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg322 = msg("00017:04", all100);
+
+ var part532 = match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg323 = msg("00017:05", part532);
+
+ var part533 = match("MESSAGE#322:00017:06/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been set to %{p0}");
+
+ var part534 = match("MESSAGE#322:00017:06/1_0", "nwparser.p0", "clear %{p0}");
+
+ var part535 = match("MESSAGE#322:00017:06/1_2", "nwparser.p0", "copy %{p0}");
+
+ var select118 = linear_select([
+ part534,
+ dup101,
+ part535,
+ ]);
+
+ var all101 = all_match({
+ processors: [
+ part533,
+ select118,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg324 = msg("00017:06", all101);
+
+ var part536 = match("MESSAGE#323:00017:07/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been %{p0}");
+
+ var part537 = match("MESSAGE#323:00017:07/1_0", "nwparser.p0", "clear%{}");
+
+ var part538 = match("MESSAGE#323:00017:07/1_1", "nwparser.p0", "cleared%{}");
+
+ var part539 = match("MESSAGE#323:00017:07/1_3", "nwparser.p0", "copy%{}");
+
+ var part540 = match("MESSAGE#323:00017:07/1_4", "nwparser.p0", "copied%{}");
+
+ var select119 = linear_select([
+ part537,
+ part538,
+ dup98,
+ part539,
+ part540,
+ ]);
+
+ var all102 = all_match({
+ processors: [
+ part536,
+ select119,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg325 = msg("00017:07", all102);
+
+ var part541 = match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and SPI %{fld3}/%{fld4->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg326 = msg("00017:08", part541);
+
+ var part542 = match("MESSAGE#325:00017:09/0_0", "nwparser.payload", "%{fld1}: VPN %{p0}");
+
+ var part543 = match("MESSAGE#325:00017:09/0_1", "nwparser.payload", "VPN %{p0}");
+
+ var select120 = linear_select([
+ part542,
+ part543,
+ ]);
+
+ var part544 = match("MESSAGE#325:00017:09/1", "nwparser.p0", "%{group->} with gateway %{fld2->} %{p0}");
+
+ var part545 = match("MESSAGE#325:00017:09/2_0", "nwparser.p0", "no-rekey %{p0}");
+
+ var part546 = match("MESSAGE#325:00017:09/2_1", "nwparser.p0", "rekey, %{p0}");
+
+ var part547 = match("MESSAGE#325:00017:09/2_2", "nwparser.p0", "rekey %{p0}");
+
+ var select121 = linear_select([
+ part545,
+ part546,
+ part547,
+ ]);
+
+ var part548 = match("MESSAGE#325:00017:09/3", "nwparser.p0", "and p2-proposal %{fld3->} has been %{p0}");
+
+ var part549 = match("MESSAGE#325:00017:09/4_0", "nwparser.p0", "%{disposition->} from peer unit");
+
+ var part550 = match("MESSAGE#325:00017:09/4_1", "nwparser.p0", "%{disposition->} from host %{saddr}");
+
+ var select122 = linear_select([
+ part549,
+ part550,
+ dup36,
+ ]);
+
+ var all103 = all_match({
+ processors: [
+ select120,
+ part544,
+ select121,
+ part548,
+ select122,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg327 = msg("00017:09", all103);
+
+ var part551 = match("MESSAGE#326:00017:10/0", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}. Src IF %{sinterface->} dst IP %{daddr->} with rekeying %{p0}");
+
+ var all104 = all_match({
+ processors: [
+ part551,
+ dup358,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg328 = msg("00017:10", all104);
+
+ var part552 = match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg329 = msg("00017:11", part552);
+
+ var part553 = match("MESSAGE#328:00017:12/0", "nwparser.payload", "VPN monitoring %{p0}");
+
+ var part554 = match("MESSAGE#328:00017:12/1_2", "nwparser.p0", "frequency %{p0}");
+
+ var select123 = linear_select([
+ dup109,
+ dup110,
+ part554,
+ ]);
+
+ var all105 = all_match({
+ processors: [
+ part553,
+ select123,
+ dup127,
+ dup359,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg330 = msg("00017:12", all105);
+
+ var part555 = match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been added by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg331 = msg("00017:26", part555);
+
+ var part556 = match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. You cannot allocate an IP address.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg332 = msg("00017:13", part556);
+
+ var part557 = match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail}, DH group %{group}, ESP %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup9,
+ dup5,
+ ]));
+
+ var msg333 = msg("00017:14", part557);
+
+ var part558 = match("MESSAGE#332:00017:15/0", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group->} %{p0}");
+
+ var part559 = match("MESSAGE#332:00017:15/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime (%{fld3}) (%{fld4}) has been %{disposition}.");
+
+ var all106 = all_match({
+ processors: [
+ part558,
+ dup360,
+ part559,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg334 = msg("00017:15", all106);
+
+ var part560 = match("MESSAGE#333:00017:31/0", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail->} DH group %{group->} %{p0}");
+
+ var part561 = match("MESSAGE#333:00017:31/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime %{fld3->} has been %{disposition}.");
+
+ var all107 = all_match({
+ processors: [
+ part560,
+ dup360,
+ part561,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg335 = msg("00017:31", all107);
+
+ var part562 = match("MESSAGE#334:00017:16/0", "nwparser.payload", "vpnmonitor interval is %{p0}");
+
+ var all108 = all_match({
+ processors: [
+ part562,
+ dup359,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg336 = msg("00017:16", all108);
+
+ var part563 = match("MESSAGE#335:00017:17/0", "nwparser.payload", "vpnmonitor threshold is %{p0}");
+
+ var select124 = linear_select([
+ dup99,
+ dup93,
+ ]);
+
+ var all109 = all_match({
+ processors: [
+ part563,
+ select124,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg337 = msg("00017:17", all109);
+
+ var part564 = match("MESSAGE#336:00017:18/2", "nwparser.p0", "%{group_object->} with range %{fld2->} was %{disposition}");
+
+ var all110 = all_match({
+ processors: [
+ dup153,
+ dup357,
+ part564,
+ ],
+ on_success: processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg338 = msg("00017:18", all110);
+
+ var part565 = match("MESSAGE#337:00017:19/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at %{p0}");
+
+ var part566 = match("MESSAGE#337:00017:19/2", "nwparser.p0", "%{} %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times");
+
+ var all111 = all_match({
+ processors: [
+ part565,
+ dup337,
+ part566,
+ ],
+ on_success: processor_chain([
+ dup151,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg339 = msg("00017:19", all111);
+
+ var all112 = all_match({
+ processors: [
+ dup64,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup151,
+ dup2,
+ dup9,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg340 = msg("00017:20", all112);
+
+ var part567 = match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup151,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ ]));
+
+ var msg341 = msg("00017:21", part567);
+
+ var part568 = match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg342 = msg("00017:22", part568);
+
+ var part569 = match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bound to tunnel interface %{interface}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg343 = msg("00017:24", part569);
+
+ var part570 = match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal standard has been added by admin %{administrator->} via NSRP Peer (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg344 = msg("00017:25", part570);
+
+ var part571 = match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group}, ESP, enc %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg345 = msg("00017:28", part571);
+
+ var part572 = match("MESSAGE#344:00017:29", "nwparser.payload", "L2TP \"%{fld2}\", all-L2TP-users secret \"%{fld3}\" keepalive %{fld4->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg346 = msg("00017:29", part572);
+
+ var select125 = linear_select([
+ msg317,
+ msg318,
+ msg319,
+ msg320,
+ msg321,
+ msg322,
+ msg323,
+ msg324,
+ msg325,
+ msg326,
+ msg327,
+ msg328,
+ msg329,
+ msg330,
+ msg331,
+ msg332,
+ msg333,
+ msg334,
+ msg335,
+ msg336,
+ msg337,
+ msg338,
+ msg339,
+ msg340,
+ msg341,
+ msg342,
+ msg343,
+ msg344,
+ msg345,
+ msg346,
+ ]);
+
+ var part573 = match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} and %{fld3->} have been exchanged", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg347 = msg("00018", part573);
+
+ var part574 = match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", processor_chain([
+ setc("eventcategory","1502010000"),
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg348 = msg("00018:01", part574);
+
+ var part575 = match("MESSAGE#347:00018:02", "nwparser.payload", "Device%{quote}s %{change_attribute->} has been changed from %{change_old->} to %{change_new->} by admin %{administrator}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg349 = msg("00018:02", part575);
+
+ var part576 = match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg350 = msg("00018:04", part576);
+
+ var part577 = match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} by admin %{administrator->} via NSRP Peer", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg351 = msg("00018:16", part577);
+
+ var part578 = match("MESSAGE#350:00018:06/0", "nwparser.payload", "%{fld2->} Policy %{policy_id->} has been moved %{p0}");
+
+ var part579 = match("MESSAGE#350:00018:06/1_0", "nwparser.p0", "before %{p0}");
+
+ var part580 = match("MESSAGE#350:00018:06/1_1", "nwparser.p0", "after %{p0}");
+
+ var select126 = linear_select([
+ part579,
+ part580,
+ ]);
+
+ var part581 = match("MESSAGE#350:00018:06/2", "nwparser.p0", "%{fld3->} by admin %{administrator}");
+
+ var all113 = all_match({
+ processors: [
+ part578,
+ select126,
+ part581,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg352 = msg("00018:06", all113);
+
+ var part582 = match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} application was modified to %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg353 = msg("00018:08", part582);
+
+ var part583 = match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup17,
+ dup3,
+ dup2,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg354 = msg("00018:09", part583);
+
+ var part584 = match("MESSAGE#353:00018:10/0", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{p0}");
+
+ var part585 = match("MESSAGE#353:00018:10/1_0", "nwparser.p0", "%{disposition->} from peer unit by %{p0}");
+
+ var part586 = match("MESSAGE#353:00018:10/1_1", "nwparser.p0", "%{disposition->} by %{p0}");
+
+ var select127 = linear_select([
+ part585,
+ part586,
+ ]);
+
+ var part587 = match("MESSAGE#353:00018:10/2", "nwparser.p0", "%{username->} via %{interface->} from host %{saddr->} (%{fld1})");
+
+ var all114 = all_match({
+ processors: [
+ part584,
+ select127,
+ part587,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup3,
+ dup2,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg355 = msg("00018:10", all114);
+
+ var part588 = match("MESSAGE#354:00018:11/1_0", "nwparser.p0", "Service %{service->} was %{p0}");
+
+ var part589 = match("MESSAGE#354:00018:11/1_1", "nwparser.p0", "Attack group %{signame->} was %{p0}");
+
+ var select128 = linear_select([
+ part588,
+ part589,
+ ]);
+
+ var part590 = match("MESSAGE#354:00018:11/2", "nwparser.p0", "%{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} %{p0}");
+
+ var part591 = match("MESSAGE#354:00018:11/3_0", "nwparser.p0", "to %{daddr}:%{dport}. %{p0}");
+
+ var select129 = linear_select([
+ part591,
+ dup16,
+ ]);
+
+ var all115 = all_match({
+ processors: [
+ dup160,
+ select128,
+ part590,
+ select129,
+ dup10,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg356 = msg("00018:11", all115);
+
+ var part592 = match("MESSAGE#355:00018:12/0", "nwparser.payload", "In policy %{policy_id}, the %{p0}");
+
+ var part593 = match("MESSAGE#355:00018:12/1_0", "nwparser.p0", "application %{p0}");
+
+ var part594 = match("MESSAGE#355:00018:12/1_1", "nwparser.p0", "attack severity %{p0}");
+
+ var part595 = match("MESSAGE#355:00018:12/1_2", "nwparser.p0", "DI attack component %{p0}");
+
+ var select130 = linear_select([
+ part593,
+ part594,
+ part595,
+ ]);
+
+ var part596 = match("MESSAGE#355:00018:12/2", "nwparser.p0", "was modified by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})");
+
+ var all116 = all_match({
+ processors: [
+ part592,
+ select130,
+ part596,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg357 = msg("00018:12", all116);
+
+ var part597 = match("MESSAGE#356:00018:32/1", "nwparser.p0", "%{}address %{dhost}(%{daddr}) was %{disposition->} %{p0}");
+
+ var all117 = all_match({
+ processors: [
+ dup361,
+ part597,
+ dup362,
+ dup164,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg358 = msg("00018:32", all117);
+
+ var part598 = match("MESSAGE#357:00018:22/1", "nwparser.p0", "%{}address %{dhost->} was %{disposition->} %{p0}");
+
+ var all118 = all_match({
+ processors: [
+ dup361,
+ part598,
+ dup362,
+ dup164,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg359 = msg("00018:22", all118);
+
+ var part599 = match("MESSAGE#358:00018:15/0", "nwparser.payload", "%{agent->} was %{disposition->} from policy %{policy_id->} %{p0}");
+
+ var select131 = linear_select([
+ dup78,
+ dup77,
+ ]);
+
+ var part600 = match("MESSAGE#358:00018:15/2", "nwparser.p0", "address by admin %{administrator->} via NSRP Peer");
+
+ var all119 = all_match({
+ processors: [
+ part599,
+ select131,
+ part600,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg360 = msg("00018:15", all119);
+
+ var part601 = match("MESSAGE#359:00018:14/0", "nwparser.payload", "%{agent->} was %{disposition->} %{p0}");
+
+ var part602 = match("MESSAGE#359:00018:14/1_0", "nwparser.p0", "to%{p0}");
+
+ var part603 = match("MESSAGE#359:00018:14/1_1", "nwparser.p0", "from%{p0}");
+
+ var select132 = linear_select([
+ part602,
+ part603,
+ ]);
+
+ var part604 = match("MESSAGE#359:00018:14/2", "nwparser.p0", "%{}policy %{policy_id->} %{p0}");
+
+ var part605 = match("MESSAGE#359:00018:14/3_0", "nwparser.p0", "service %{p0}");
+
+ var part606 = match("MESSAGE#359:00018:14/3_1", "nwparser.p0", "source address %{p0}");
+
+ var part607 = match("MESSAGE#359:00018:14/3_2", "nwparser.p0", "destination address %{p0}");
+
+ var select133 = linear_select([
+ part605,
+ part606,
+ part607,
+ ]);
+
+ var part608 = match("MESSAGE#359:00018:14/4", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})");
+
+ var all120 = all_match({
+ processors: [
+ part601,
+ select132,
+ part604,
+ select133,
+ part608,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg361 = msg("00018:14", all120);
+
+ var part609 = match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg362 = msg("00018:29", part609);
+
+ var part610 = match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to policy %{policy_id->} %{rule_group->} by admin %{administrator->} via NSRP Peer %{space->} (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg363 = msg("00018:07", part610);
+
+ var part611 = match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg364 = msg("00018:18", part611);
+
+ var part612 = match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{disposition->} from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg365 = msg("00018:17", part612);
+
+ var part613 = match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg366 = msg("00018:19", part613);
+
+ var part614 = match("MESSAGE#365:00018:23/0_0", "nwparser.payload", "Destination %{p0}");
+
+ var part615 = match("MESSAGE#365:00018:23/0_1", "nwparser.payload", "Source %{p0}");
+
+ var select134 = linear_select([
+ part614,
+ part615,
+ ]);
+
+ var part616 = match("MESSAGE#365:00018:23/1", "nwparser.p0", "address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} %{p0}");
+
+ var part617 = match("MESSAGE#365:00018:23/2_0", "nwparser.p0", "from host %{p0}");
+
+ var select135 = linear_select([
+ part617,
+ dup103,
+ ]);
+
+ var part618 = match("MESSAGE#365:00018:23/4_0", "nwparser.p0", "%{saddr->} to %{daddr->} %{p0}");
+
+ var part619 = match("MESSAGE#365:00018:23/4_1", "nwparser.p0", "%{daddr->} %{p0}");
+
+ var select136 = linear_select([
+ part618,
+ part619,
+ ]);
+
+ var part620 = match("MESSAGE#365:00018:23/5", "nwparser.p0", "%{dport}:(%{fld1})");
+
+ var all121 = all_match({
+ processors: [
+ select134,
+ part616,
+ select135,
+ dup23,
+ select136,
+ part620,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg367 = msg("00018:23", all121);
+
+ var part621 = match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg368 = msg("00018:21", part621);
+
+ var part622 = match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{disposition->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg369 = msg("00018:24", part622);
+
+ var part623 = match("MESSAGE#368:00018:25/1", "nwparser.p0", "%{}address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})");
+
+ var all122 = all_match({
+ processors: [
+ dup363,
+ part623,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg370 = msg("00018:25", all122);
+
+ var part624 = match("MESSAGE#369:00018:30/1", "nwparser.p0", "%{}address %{info->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})");
+
+ var all123 = all_match({
+ processors: [
+ dup363,
+ part624,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg371 = msg("00018:30", all123);
+
+ var part625 = match("MESSAGE#370:00018:26/0", "nwparser.payload", "In policy %{policy_id}, the application was modified to %{disposition->} by %{p0}");
+
+ var part626 = match("MESSAGE#370:00018:26/2_1", "nwparser.p0", "%{logon_type->} from host %{saddr}. (%{p0}");
+
+ var select137 = linear_select([
+ dup48,
+ part626,
+ ]);
+
+ var all124 = all_match({
+ processors: [
+ part625,
+ dup364,
+ select137,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg372 = msg("00018:26", all124);
+
+ var part627 = match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the DI attack component was modified by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg373 = msg("00018:27", part627);
+
+ var part628 = match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the DI attack component was modified by admin %{administrator->} via %{logon_type}. (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ setc("info","the DI attack component was modified"),
+ ]));
+
+ var msg374 = msg("00018:28", part628);
+
+ var part629 = match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition}", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg375 = msg("00018:03", part629);
+
+ var part630 = match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the option %{fld2->} was %{disposition}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg376 = msg("00018:31", part630);
+
+ var select138 = linear_select([
+ msg347,
+ msg348,
+ msg349,
+ msg350,
+ msg351,
+ msg352,
+ msg353,
+ msg354,
+ msg355,
+ msg356,
+ msg357,
+ msg358,
+ msg359,
+ msg360,
+ msg361,
+ msg362,
+ msg363,
+ msg364,
+ msg365,
+ msg366,
+ msg367,
+ msg368,
+ msg369,
+ msg370,
+ msg371,
+ msg372,
+ msg373,
+ msg374,
+ msg375,
+ msg376,
+ ]);
+
+ var part631 = match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has %{disposition->} because WebTrends settings have not yet been configured", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg377 = msg("00019", part631);
+
+ var part632 = match("MESSAGE#375:00019:01/2", "nwparser.p0", "has %{disposition->} because syslog settings have not yet been configured");
+
+ var all125 = all_match({
+ processors: [
+ dup165,
+ dup365,
+ part632,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg378 = msg("00019:01", all125);
+
+ var part633 = match("MESSAGE#376:00019:02/0", "nwparser.payload", "Socket cannot be assigned for %{p0}");
+
+ var part634 = match("MESSAGE#376:00019:02/1_0", "nwparser.p0", "WebTrends%{}");
+
+ var part635 = match("MESSAGE#376:00019:02/1_1", "nwparser.p0", "syslog%{}");
+
+ var select139 = linear_select([
+ part634,
+ part635,
+ ]);
+
+ var all126 = all_match({
+ processors: [
+ part633,
+ select139,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg379 = msg("00019:02", all126);
+
+ var part636 = match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has been %{disposition}", processor_chain([
+ dup91,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg380 = msg("00019:03", part636);
+
+ var select140 = linear_select([
+ dup169,
+ dup78,
+ ]);
+
+ var select141 = linear_select([
+ dup139,
+ dup170,
+ dup137,
+ dup122,
+ ]);
+
+ var all127 = all_match({
+ processors: [
+ dup168,
+ select140,
+ dup23,
+ select141,
+ dup171,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg381 = msg("00019:04", all127);
+
+ var part637 = match("MESSAGE#379:00019:05/0", "nwparser.payload", "Syslog message level has been changed to %{p0}");
+
+ var part638 = match("MESSAGE#379:00019:05/1_0", "nwparser.p0", "debug%{}");
+
+ var part639 = match("MESSAGE#379:00019:05/1_1", "nwparser.p0", "information%{}");
+
+ var part640 = match("MESSAGE#379:00019:05/1_2", "nwparser.p0", "notification%{}");
+
+ var part641 = match("MESSAGE#379:00019:05/1_3", "nwparser.p0", "warning%{}");
+
+ var part642 = match("MESSAGE#379:00019:05/1_4", "nwparser.p0", "error%{}");
+
+ var part643 = match("MESSAGE#379:00019:05/1_5", "nwparser.p0", "critical%{}");
+
+ var part644 = match("MESSAGE#379:00019:05/1_6", "nwparser.p0", "alert%{}");
+
+ var part645 = match("MESSAGE#379:00019:05/1_7", "nwparser.p0", "emergency%{}");
+
+ var select142 = linear_select([
+ part638,
+ part639,
+ part640,
+ part641,
+ part642,
+ part643,
+ part644,
+ part645,
+ ]);
+
+ var all128 = all_match({
+ processors: [
+ part637,
+ select142,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg382 = msg("00019:05", all128);
+
+ var part646 = match("MESSAGE#380:00019:06/2", "nwparser.p0", "has been changed to %{p0}");
+
+ var all129 = all_match({
+ processors: [
+ dup168,
+ dup366,
+ part646,
+ dup367,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg383 = msg("00019:06", all129);
+
+ var part647 = match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has been %{disposition}", processor_chain([
+ dup91,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg384 = msg("00019:07", part647);
+
+ var part648 = match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg385 = msg("00019:08", part648);
+
+ var part649 = match("MESSAGE#383:00019:09/0", "nwparser.payload", "WebTrends host %{p0}");
+
+ var select143 = linear_select([
+ dup139,
+ dup170,
+ dup137,
+ ]);
+
+ var all130 = all_match({
+ processors: [
+ part649,
+ select143,
+ dup171,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg386 = msg("00019:09", all130);
+
+ var part650 = match("MESSAGE#384:00019:10/1_0", "nwparser.p0", "Traffic logging via syslog %{p0}");
+
+ var part651 = match("MESSAGE#384:00019:10/1_1", "nwparser.p0", "Syslog %{p0}");
+
+ var select144 = linear_select([
+ part650,
+ part651,
+ ]);
+
+ var all131 = all_match({
+ processors: [
+ dup183,
+ select144,
+ dup138,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg387 = msg("00019:10", all131);
+
+ var part652 = match("MESSAGE#385:00019:11/2", "nwparser.p0", "has %{disposition->} because there is no syslog server defined");
+
+ var all132 = all_match({
+ processors: [
+ dup165,
+ dup365,
+ part652,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg388 = msg("00019:11", all132);
+
+ var part653 = match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg389 = msg("00019:12", part653);
+
+ var part654 = match("MESSAGE#387:00019:13/0", "nwparser.payload", "Syslog server %{hostip->} %{p0}");
+
+ var select145 = linear_select([
+ dup107,
+ dup106,
+ ]);
+
+ var part655 = match("MESSAGE#387:00019:13/2", "nwparser.p0", "%{disposition}");
+
+ var all133 = all_match({
+ processors: [
+ part654,
+ select145,
+ part655,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg390 = msg("00019:13", all133);
+
+ var part656 = match("MESSAGE#388:00019:14/2", "nwparser.p0", "for %{hostip->} has been changed to %{p0}");
+
+ var all134 = all_match({
+ processors: [
+ dup168,
+ dup366,
+ part656,
+ dup367,
+ ],
+ on_success: processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg391 = msg("00019:14", all134);
+
+ var part657 = match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the TCP server %{hostip}; the connection is closed.", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg392 = msg("00019:15", part657);
+
+ var part658 = match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were removed.%{}", processor_chain([
+ setc("eventcategory","1701030000"),
+ setc("ec_activity","Delete"),
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg393 = msg("00019:16", part658);
+
+ var part659 = match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} host port number has been changed to %{network_port->} %{fld5}", processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg394 = msg("00019:17", part659);
+
+ var part660 = match("MESSAGE#392:00019:18/0", "nwparser.payload", "Traffic logging %{p0}");
+
+ var part661 = match("MESSAGE#392:00019:18/1_0", "nwparser.p0", "via syslog %{p0}");
+
+ var part662 = match("MESSAGE#392:00019:18/1_1", "nwparser.p0", "for syslog server %{hostip->} %{p0}");
+
+ var select146 = linear_select([
+ part661,
+ part662,
+ ]);
+
+ var all135 = all_match({
+ processors: [
+ part660,
+ select146,
+ dup138,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg395 = msg("00019:18", all135);
+
+ var part663 = match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog server %{hostip->} was changed to udp", processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg396 = msg("00019:19", part663);
+
+ var part664 = match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is enabled on backup device by netscreen via web from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg397 = msg("00019:20", part664);
+
+ var select147 = linear_select([
+ msg377,
+ msg378,
+ msg379,
+ msg380,
+ msg381,
+ msg382,
+ msg383,
+ msg384,
+ msg385,
+ msg386,
+ msg387,
+ msg388,
+ msg389,
+ msg390,
+ msg391,
+ msg392,
+ msg393,
+ msg394,
+ msg395,
+ msg396,
+ msg397,
+ ]);
+
+ var part665 = match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg398 = msg("00020", part665);
+
+ var part666 = match("MESSAGE#396:00020:01/0", "nwparser.payload", "System memory is low %{p0}");
+
+ var part667 = match("MESSAGE#396:00020:01/1_1", "nwparser.p0", "( %{p0}");
+
+ var select148 = linear_select([
+ dup152,
+ part667,
+ ]);
+
+ var part668 = match("MESSAGE#396:00020:01/2", "nwparser.p0", "%{fld2->} bytes allocated out of %{p0}");
+
+ var part669 = match("MESSAGE#396:00020:01/3_0", "nwparser.p0", "total %{fld3->} bytes");
+
+ var part670 = match("MESSAGE#396:00020:01/3_1", "nwparser.p0", "%{fld4->} bytes total");
+
+ var select149 = linear_select([
+ part669,
+ part670,
+ ]);
+
+ var all136 = all_match({
+ processors: [
+ part666,
+ select148,
+ part668,
+ select149,
+ ],
+ on_success: processor_chain([
+ dup184,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg399 = msg("00020:01", all136);
+
+ var part671 = match("MESSAGE#397:00020:02", "nwparser.payload", "System memory is low (%{fld2->} allocated out of %{fld3->} ) %{fld4->} times in %{fld5}", processor_chain([
+ dup184,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg400 = msg("00020:02", part671);
+
+ var select150 = linear_select([
+ msg398,
+ msg399,
+ msg400,
+ ]);
+
+ var part672 = match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg401 = msg("00021", part672);
+
+ var part673 = match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range %{info->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg402 = msg("00021:01", part673);
+
+ var part674 = match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg403 = msg("00021:02", part674);
+
+ var part675 = match("MESSAGE#401:00021:03", "nwparser.payload", "Connection refused by the DNS server%{}", processor_chain([
+ dup185,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg404 = msg("00021:03", part675);
+
+ var part676 = match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg405 = msg("00021:04", part676);
+
+ var part677 = match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg406 = msg("00021:05", part677);
+
+ var part678 = match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ setc("info","DIP port-translation stickiness was modified"),
+ ]));
+
+ var msg407 = msg("00021:06", part678);
+
+ var select151 = linear_select([
+ msg401,
+ msg402,
+ msg403,
+ msg404,
+ msg405,
+ msg406,
+ msg407,
+ ]);
+
+ var part679 = match("MESSAGE#405:00022/1_0", "nwparser.p0", "power supplies %{p0}");
+
+ var part680 = match("MESSAGE#405:00022/1_1", "nwparser.p0", "fans %{p0}");
+
+ var select152 = linear_select([
+ part679,
+ part680,
+ ]);
+
+ var part681 = match("MESSAGE#405:00022/2", "nwparser.p0", "are %{fld2->} functioning properly");
+
+ var all137 = all_match({
+ processors: [
+ dup186,
+ select152,
+ part681,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg408 = msg("00022", all137);
+
+ var part682 = match("MESSAGE#406:00022:01/0_0", "nwparser.payload", "At least one power supply %{p0}");
+
+ var part683 = match("MESSAGE#406:00022:01/0_1", "nwparser.payload", "The power supply %{fld2->} %{p0}");
+
+ var part684 = match("MESSAGE#406:00022:01/0_2", "nwparser.payload", "At least one fan %{p0}");
+
+ var select153 = linear_select([
+ part682,
+ part683,
+ part684,
+ ]);
+
+ var part685 = match("MESSAGE#406:00022:01/1", "nwparser.p0", "is not functioning properly%{p0}");
+
+ var all138 = all_match({
+ processors: [
+ select153,
+ part685,
+ dup368,
+ ],
+ on_success: processor_chain([
+ dup187,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg409 = msg("00022:01", all138);
+
+ var part686 = match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management tunnel has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg410 = msg("00022:02", part686);
+
+ var part687 = match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name has been defined as %{domain}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg411 = msg("00022:03", part687);
+
+ var part688 = match("MESSAGE#409:00022:04/0", "nwparser.payload", "Reporting of the %{p0}");
+
+ var part689 = match("MESSAGE#409:00022:04/1_0", "nwparser.p0", "network activities %{p0}");
+
+ var part690 = match("MESSAGE#409:00022:04/1_1", "nwparser.p0", "device resources %{p0}");
+
+ var part691 = match("MESSAGE#409:00022:04/1_2", "nwparser.p0", "event logs %{p0}");
+
+ var part692 = match("MESSAGE#409:00022:04/1_3", "nwparser.p0", "summary logs %{p0}");
+
+ var select154 = linear_select([
+ part689,
+ part690,
+ part691,
+ part692,
+ ]);
+
+ var part693 = match("MESSAGE#409:00022:04/2", "nwparser.p0", "to Global Manager has been %{disposition}");
+
+ var all139 = all_match({
+ processors: [
+ part688,
+ select154,
+ part693,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg412 = msg("00022:04", all139);
+
+ var part694 = match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg413 = msg("00022:05", part694);
+
+ var part695 = match("MESSAGE#411:00022:06/0", "nwparser.payload", "Global Manager %{p0}");
+
+ var part696 = match("MESSAGE#411:00022:06/1_0", "nwparser.p0", "report %{p0}");
+
+ var part697 = match("MESSAGE#411:00022:06/1_1", "nwparser.p0", "listen %{p0}");
+
+ var select155 = linear_select([
+ part696,
+ part697,
+ ]);
+
+ var part698 = match("MESSAGE#411:00022:06/2", "nwparser.p0", "port has been set to %{interface}");
+
+ var all140 = all_match({
+ processors: [
+ part695,
+ select155,
+ part698,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg414 = msg("00022:06", all140);
+
+ var part699 = match("MESSAGE#412:00022:07", "nwparser.payload", "The Global Manager keep-alive value has been changed to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg415 = msg("00022:07", part699);
+
+ var part700 = match("MESSAGE#413:00022:08/0_0", "nwparser.payload", "System temperature %{p0}");
+
+ var part701 = match("MESSAGE#413:00022:08/0_1", "nwparser.payload", "System's temperature: %{p0}");
+
+ var part702 = match("MESSAGE#413:00022:08/0_2", "nwparser.payload", "The system temperature %{p0}");
+
+ var select156 = linear_select([
+ part700,
+ part701,
+ part702,
+ ]);
+
+ var part703 = match("MESSAGE#413:00022:08/1", "nwparser.p0", "(%{fld2->} C%{p0}");
+
+ var part704 = match("MESSAGE#413:00022:08/2_0", "nwparser.p0", "entigrade, %{p0}");
+
+ var select157 = linear_select([
+ part704,
+ dup96,
+ ]);
+
+ var part705 = match("MESSAGE#413:00022:08/3", "nwparser.p0", "%{fld3->} F%{p0}");
+
+ var part706 = match("MESSAGE#413:00022:08/4_0", "nwparser.p0", "ahrenheit %{p0}");
+
+ var select158 = linear_select([
+ part706,
+ dup96,
+ ]);
+
+ var part707 = match("MESSAGE#413:00022:08/5", "nwparser.p0", ") is too high%{}");
+
+ var all141 = all_match({
+ processors: [
+ select156,
+ part703,
+ select157,
+ part705,
+ select158,
+ part707,
+ ],
+ on_success: processor_chain([
+ dup188,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg416 = msg("00022:08", all141);
+
+ var part708 = match("MESSAGE#414:00022:09/2", "nwparser.p0", "power supply is no%{p0}");
+
+ var select159 = linear_select([
+ dup191,
+ dup192,
+ ]);
+
+ var part709 = match("MESSAGE#414:00022:09/4", "nwparser.p0", "functioning properly%{}");
+
+ var all142 = all_match({
+ processors: [
+ dup55,
+ dup369,
+ part708,
+ select159,
+ part709,
+ ],
+ on_success: processor_chain([
+ dup188,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg417 = msg("00022:09", all142);
+
+ var part710 = match("MESSAGE#415:00022:10/0", "nwparser.payload", "The NetScreen device was unable to upgrade the file system%{p0}");
+
+ var part711 = match("MESSAGE#415:00022:10/1_0", "nwparser.p0", " due to an internal conflict%{}");
+
+ var part712 = match("MESSAGE#415:00022:10/1_1", "nwparser.p0", ", but the old file system is intact%{}");
+
+ var select160 = linear_select([
+ part711,
+ part712,
+ ]);
+
+ var all143 = all_match({
+ processors: [
+ part710,
+ select160,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg418 = msg("00022:10", all143);
+
+ var part713 = match("MESSAGE#416:00022:11/0", "nwparser.payload", "The NetScreen device was unable to upgrade %{p0}");
+
+ var part714 = match("MESSAGE#416:00022:11/1_0", "nwparser.p0", "due to an internal conflict%{}");
+
+ var part715 = match("MESSAGE#416:00022:11/1_1", "nwparser.p0", "the loader, but the loader is intact%{}");
+
+ var select161 = linear_select([
+ part714,
+ part715,
+ ]);
+
+ var all144 = all_match({
+ processors: [
+ part713,
+ select161,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg419 = msg("00022:11", all144);
+
+ var part716 = match("MESSAGE#417:00022:12/0", "nwparser.payload", "Battery is no%{p0}");
+
+ var select162 = linear_select([
+ dup192,
+ dup191,
+ ]);
+
+ var part717 = match("MESSAGE#417:00022:12/2", "nwparser.p0", "functioning properly.%{}");
+
+ var all145 = all_match({
+ processors: [
+ part716,
+ select162,
+ part717,
+ ],
+ on_success: processor_chain([
+ dup188,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg420 = msg("00022:12", all145);
+
+ var part718 = match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2->} Centigrade, %{fld3->} Fahrenheit) is OK now.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg421 = msg("00022:13", part718);
+
+ var part719 = match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is functioning properly. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg422 = msg("00022:14", part719);
+
+ var select163 = linear_select([
+ msg408,
+ msg409,
+ msg410,
+ msg411,
+ msg412,
+ msg413,
+ msg414,
+ msg415,
+ msg416,
+ msg417,
+ msg418,
+ msg419,
+ msg420,
+ msg421,
+ msg422,
+ ]);
+
+ var part720 = match("MESSAGE#420:00023", "nwparser.payload", "VIP server %{hostip->} is not responding", processor_chain([
+ dup187,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg423 = msg("00023", part720);
+
+ var part721 = match("MESSAGE#421:00023:01", "nwparser.payload", "VIP/load balance server %{hostip->} cannot be contacted", processor_chain([
+ dup187,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg424 = msg("00023:01", part721);
+
+ var part722 = match("MESSAGE#422:00023:02", "nwparser.payload", "VIP server %{hostip->} cannot be contacted", processor_chain([
+ dup187,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg425 = msg("00023:02", part722);
+
+ var select164 = linear_select([
+ msg423,
+ msg424,
+ msg425,
+ ]);
+
+ var part723 = match("MESSAGE#423:00024/0_0", "nwparser.payload", "The DHCP %{p0}");
+
+ var part724 = match("MESSAGE#423:00024/0_1", "nwparser.payload", " DHCP %{p0}");
+
+ var select165 = linear_select([
+ part723,
+ part724,
+ ]);
+
+ var part725 = match("MESSAGE#423:00024/2_0", "nwparser.p0", "IP address pool has %{p0}");
+
+ var part726 = match("MESSAGE#423:00024/2_1", "nwparser.p0", "options have been %{p0}");
+
+ var select166 = linear_select([
+ part725,
+ part726,
+ ]);
+
+ var all146 = all_match({
+ processors: [
+ select165,
+ dup193,
+ select166,
+ dup52,
+ dup368,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg426 = msg("00024", all146);
+
+ var part727 = match("MESSAGE#424:00024:01/0_0", "nwparser.payload", "Traffic log %{p0}");
+
+ var part728 = match("MESSAGE#424:00024:01/0_1", "nwparser.payload", "Alarm log %{p0}");
+
+ var part729 = match("MESSAGE#424:00024:01/0_2", "nwparser.payload", "Event log %{p0}");
+
+ var part730 = match("MESSAGE#424:00024:01/0_3", "nwparser.payload", "Self log %{p0}");
+
+ var part731 = match("MESSAGE#424:00024:01/0_4", "nwparser.payload", "Asset Recovery log %{p0}");
+
+ var select167 = linear_select([
+ part727,
+ part728,
+ part729,
+ part730,
+ part731,
+ ]);
+
+ var part732 = match("MESSAGE#424:00024:01/1", "nwparser.p0", "has overflowed%{}");
+
+ var all147 = all_match({
+ processors: [
+ select167,
+ part732,
+ ],
+ on_success: processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg427 = msg("00024:01", all147);
+
+ var part733 = match("MESSAGE#425:00024:02/0", "nwparser.payload", "DHCP relay agent settings on %{fld2->} %{p0}");
+
+ var part734 = match("MESSAGE#425:00024:02/1_0", "nwparser.p0", "are %{p0}");
+
+ var part735 = match("MESSAGE#425:00024:02/1_1", "nwparser.p0", "have been %{p0}");
+
+ var select168 = linear_select([
+ part734,
+ part735,
+ ]);
+
+ var part736 = match("MESSAGE#425:00024:02/2", "nwparser.p0", "%{disposition->} (%{fld1})");
+
+ var all148 = all_match({
+ processors: [
+ part733,
+ select168,
+ part736,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg428 = msg("00024:02", all148);
+
+ var part737 = match("MESSAGE#426:00024:03/0", "nwparser.payload", "DHCP server IP address pool %{p0}");
+
+ var select169 = linear_select([
+ dup194,
+ dup106,
+ ]);
+
+ var part738 = match("MESSAGE#426:00024:03/2", "nwparser.p0", "changed. (%{fld1})");
+
+ var all149 = all_match({
+ processors: [
+ part737,
+ select169,
+ part738,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg429 = msg("00024:03", all149);
+
+ var select170 = linear_select([
+ msg426,
+ msg427,
+ msg428,
+ msg429,
+ ]);
+
+ var part739 = match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool has changed%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg430 = msg("00025", part739);
+
+ var part740 = match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{disposition->} to save the certificate authority configuration.", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg431 = msg("00025:01", part740);
+
+ var part741 = match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the X509 request file via e-mail", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg432 = msg("00025:02", part741);
+
+ var part742 = match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the CA configuration", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg433 = msg("00025:03", part742);
+
+ var part743 = match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certificates. The %{result}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg434 = msg("00025:04", part743);
+
+ var select171 = linear_select([
+ msg430,
+ msg431,
+ msg432,
+ msg433,
+ msg434,
+ ]);
+
+ var part744 = match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg435 = msg("00026", part744);
+
+ var part745 = match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on interface %{interface}", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg436 = msg("00026:13", part745);
+
+ var part746 = match("MESSAGE#434:00026:01/2", "nwparser.p0", "PKA key has been %{p0}");
+
+ var part747 = match("MESSAGE#434:00026:01/4", "nwparser.p0", "admin user %{administrator}. (Key ID = %{fld2})");
+
+ var all150 = all_match({
+ processors: [
+ dup195,
+ dup370,
+ part746,
+ dup371,
+ part747,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg437 = msg("00026:01", all150);
+
+ var part748 = match("MESSAGE#435:00026:02/1_0", "nwparser.p0", ": SCS %{p0}");
+
+ var select172 = linear_select([
+ part748,
+ dup96,
+ ]);
+
+ var part749 = match("MESSAGE#435:00026:02/2", "nwparser.p0", "has been %{disposition->} for %{p0}");
+
+ var part750 = match("MESSAGE#435:00026:02/3_0", "nwparser.p0", "root system %{p0}");
+
+ var part751 = match("MESSAGE#435:00026:02/3_1", "nwparser.p0", "%{interface->} %{p0}");
+
+ var select173 = linear_select([
+ part750,
+ part751,
+ ]);
+
+ var all151 = all_match({
+ processors: [
+ dup195,
+ select172,
+ part749,
+ select173,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg438 = msg("00026:02", all151);
+
+ var part752 = match("MESSAGE#436:00026:03/2", "nwparser.p0", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}");
+
+ var all152 = all_match({
+ processors: [
+ dup195,
+ dup370,
+ part752,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg439 = msg("00026:03", all152);
+
+ var part753 = match("MESSAGE#437:00026:04", "nwparser.payload", "SCS: Connection has been terminated for admin user %{administrator->} at %{hostip}:%{network_port}", processor_chain([
+ dup198,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg440 = msg("00026:04", part753);
+
+ var part754 = match("MESSAGE#438:00026:05", "nwparser.payload", "SCS: Host client has requested NO cipher from %{interface}", processor_chain([
+ dup198,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg441 = msg("00026:05", part754);
+
+ var part755 = match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using PKA RSA from %{saddr}:%{sport}. (key-ID=%{fld2}", processor_chain([
+ dup199,
+ dup29,
+ dup30,
+ dup31,
+ dup32,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg442 = msg("00026:06", part755);
+
+ var part756 = match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using password from %{saddr}:%{sport}.", processor_chain([
+ dup199,
+ dup29,
+ dup30,
+ dup31,
+ dup32,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg443 = msg("00026:07", part756);
+
+ var part757 = match("MESSAGE#441:00026:08/0", "nwparser.payload", "SSH user %{username->} has been authenticated using %{p0}");
+
+ var part758 = match("MESSAGE#441:00026:08/2", "nwparser.p0", "from %{saddr}:%{sport->} [ with key ID %{fld2->} ]");
+
+ var all153 = all_match({
+ processors: [
+ part757,
+ dup372,
+ part758,
+ ],
+ on_success: processor_chain([
+ dup199,
+ dup29,
+ dup30,
+ dup31,
+ dup32,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg444 = msg("00026:08", all153);
+
+ var part759 = match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interface->} with tunnel ID %{fld2->} received a packet with a bad SPI.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg445 = msg("00026:09", part759);
+
+ var part760 = match("MESSAGE#443:00026:10/0", "nwparser.payload", "SSH: %{p0}");
+
+ var part761 = match("MESSAGE#443:00026:10/1_0", "nwparser.p0", "Failed %{p0}");
+
+ var part762 = match("MESSAGE#443:00026:10/1_1", "nwparser.p0", "Attempt %{p0}");
+
+ var select174 = linear_select([
+ part761,
+ part762,
+ ]);
+
+ var part763 = match("MESSAGE#443:00026:10/3_0", "nwparser.p0", "bind duplicate %{p0}");
+
+ var select175 = linear_select([
+ part763,
+ dup201,
+ ]);
+
+ var part764 = match("MESSAGE#443:00026:10/6", "nwparser.p0", "admin user '%{administrator}' (Key ID %{fld2})");
+
+ var all154 = all_match({
+ processors: [
+ part760,
+ select174,
+ dup103,
+ select175,
+ dup202,
+ dup373,
+ part764,
+ ],
+ on_success: processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg446 = msg("00026:10", all154);
+
+ var part765 = match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA keys (%{fld2}) has been bound to user '%{username}' Key not bound. (Key ID %{fld3})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg447 = msg("00026:11", part765);
+
+ var part766 = match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg448 = msg("00026:12", part766);
+
+ var select176 = linear_select([
+ msg435,
+ msg436,
+ msg437,
+ msg438,
+ msg439,
+ msg440,
+ msg441,
+ msg442,
+ msg443,
+ msg444,
+ msg445,
+ msg446,
+ msg447,
+ msg448,
+ ]);
+
+ var part767 = match("MESSAGE#446:00027/2", "nwparser.p0", "user %{username->} from %{p0}");
+
+ var part768 = match("MESSAGE#446:00027/3_0", "nwparser.p0", "IP address %{saddr}:%{sport}");
+
+ var part769 = match("MESSAGE#446:00027/3_1", "nwparser.p0", "%{saddr}:%{sport}");
+
+ var part770 = match("MESSAGE#446:00027/3_2", "nwparser.p0", "console%{}");
+
+ var select177 = linear_select([
+ part768,
+ part769,
+ part770,
+ ]);
+
+ var all155 = all_match({
+ processors: [
+ dup204,
+ dup374,
+ part767,
+ select177,
+ ],
+ on_success: processor_chain([
+ dup206,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg449 = msg("00027", all155);
+
+ var part771 = match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}. %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg450 = msg("00027:01", part771);
+
+ var part772 = match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to %{change_new}. %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg451 = msg("00027:02", part772);
+
+ var part773 = match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}. %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg452 = msg("00027:03", part773);
+
+ var part774 = match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg453 = msg("00027:04", part774);
+
+ var part775 = match("MESSAGE#451:00027:05/0", "nwparser.payload", "ScreenOS %{version->} %{p0}");
+
+ var part776 = match("MESSAGE#451:00027:05/1_0", "nwparser.p0", "Serial %{p0}");
+
+ var part777 = match("MESSAGE#451:00027:05/1_1", "nwparser.p0", "serial %{p0}");
+
+ var select178 = linear_select([
+ part776,
+ part777,
+ ]);
+
+ var part778 = match("MESSAGE#451:00027:05/2", "nwparser.p0", "# %{fld2}: Asset recovery %{p0}");
+
+ var part779 = match("MESSAGE#451:00027:05/3_0", "nwparser.p0", "performed %{p0}");
+
+ var select179 = linear_select([
+ part779,
+ dup127,
+ ]);
+
+ var select180 = linear_select([
+ dup207,
+ dup208,
+ ]);
+
+ var all156 = all_match({
+ processors: [
+ part775,
+ select178,
+ part778,
+ select179,
+ dup23,
+ select180,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg454 = msg("00027:05", all156);
+
+ var part780 = match("MESSAGE#452:00027:06/0", "nwparser.payload", "Device Reset (Asset Recovery) has been %{p0}");
+
+ var select181 = linear_select([
+ dup208,
+ dup207,
+ ]);
+
+ var all157 = all_match({
+ processors: [
+ part780,
+ select181,
+ ],
+ on_success: processor_chain([
+ setc("eventcategory","1606000000"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg455 = msg("00027:06", all157);
+
+ var part781 = match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}. %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg456 = msg("00027:07", part781);
+
+ var part782 = match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been erased%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg457 = msg("00027:08", part782);
+
+ var part783 = match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due to expire in %{fld3}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg458 = msg("00027:09", part783);
+
+ var part784 = match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has expired.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg459 = msg("00027:10", part784);
+
+ var part785 = match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired after 30-day grace period.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg460 = msg("00027:11", part785);
+
+ var part786 = match("MESSAGE#458:00027:12/0", "nwparser.payload", "Request to retrieve license key failed to reach %{p0}");
+
+ var part787 = match("MESSAGE#458:00027:12/1_0", "nwparser.p0", "the server %{p0}");
+
+ var select182 = linear_select([
+ part787,
+ dup193,
+ ]);
+
+ var part788 = match("MESSAGE#458:00027:12/2", "nwparser.p0", "by %{fld2}. Server url: %{url}");
+
+ var all158 = all_match({
+ processors: [
+ part786,
+ select182,
+ part788,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg461 = msg("00027:12", all158);
+
+ var part789 = match("MESSAGE#459:00027:13/2", "nwparser.p0", "user %{username}");
+
+ var all159 = all_match({
+ processors: [
+ dup204,
+ dup374,
+ part789,
+ ],
+ on_success: processor_chain([
+ dup206,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg462 = msg("00027:13", all159);
+
+ var part790 = match("MESSAGE#460:00027:14/0", "nwparser.payload", "Configuration Erasure Process %{p0}");
+
+ var part791 = match("MESSAGE#460:00027:14/1_0", "nwparser.p0", "has been initiated %{p0}");
+
+ var part792 = match("MESSAGE#460:00027:14/1_1", "nwparser.p0", "aborted %{p0}");
+
+ var select183 = linear_select([
+ part791,
+ part792,
+ ]);
+
+ var part793 = match("MESSAGE#460:00027:14/2", "nwparser.p0", ".%{space}(%{fld1})");
+
+ var all160 = all_match({
+ processors: [
+ part790,
+ select183,
+ part793,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg463 = msg("00027:14", all160);
+
+ var part794 = match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg464 = msg("00027:15", part794);
+
+ var part795 = match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{policy_id->} name \"%{fld2->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg465 = msg("00027:16", part795);
+
+ var part796 = match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locked and will be unlocked after %{duration->} minutes (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg466 = msg("00027:17", part796);
+
+ var part797 = match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{username->} from %{saddr->} is refused as this account is locked (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg467 = msg("00027:18", part797);
+
+ var part798 = match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg468 = msg("00027:19", part798);
+
+ var select184 = linear_select([
+ msg449,
+ msg450,
+ msg451,
+ msg452,
+ msg453,
+ msg454,
+ msg455,
+ msg456,
+ msg457,
+ msg458,
+ msg459,
+ msg460,
+ msg461,
+ msg462,
+ msg463,
+ msg464,
+ msg465,
+ msg466,
+ msg467,
+ msg468,
+ ]);
+
+ var part799 = match("MESSAGE#462:00028/0_0", "nwparser.payload", "An Intruder%{p0}");
+
+ var part800 = match("MESSAGE#462:00028/0_1", "nwparser.payload", "Intruder%{p0}");
+
+ var part801 = match("MESSAGE#462:00028/0_2", "nwparser.payload", "An intruter%{p0}");
+
+ var select185 = linear_select([
+ part799,
+ part800,
+ part801,
+ ]);
+
+ var part802 = match("MESSAGE#462:00028/1", "nwparser.p0", "%{}has attempted to connect to the NetScreen-Global PRO port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times");
+
+ var all161 = all_match({
+ processors: [
+ select185,
+ part802,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ setc("signame","Attempt to Connect to the NetScreen-Global Port"),
+ ]),
+ });
+
+ var msg469 = msg("00028", all161);
+
+ var part803 = match("MESSAGE#463:00029", "nwparser.payload", "DNS has been refreshed%{}", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg470 = msg("00029", part803);
+
+ var part804 = match("MESSAGE#464:00029:01", "nwparser.payload", "DHCP file write: out of memory.%{}", processor_chain([
+ dup184,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg471 = msg("00029:01", part804);
+
+ var part805 = match("MESSAGE#465:00029:02/0", "nwparser.payload", "The DHCP process cannot open file %{fld2->} to %{p0}");
+
+ var part806 = match("MESSAGE#465:00029:02/1_0", "nwparser.p0", "read %{p0}");
+
+ var part807 = match("MESSAGE#465:00029:02/1_1", "nwparser.p0", "write %{p0}");
+
+ var select186 = linear_select([
+ part806,
+ part807,
+ ]);
+
+ var part808 = match("MESSAGE#465:00029:02/2", "nwparser.p0", "data.%{}");
+
+ var all162 = all_match({
+ processors: [
+ part805,
+ select186,
+ part808,
+ ],
+ on_success: processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg472 = msg("00029:02", all162);
+
+ var part809 = match("MESSAGE#466:00029:03/2", "nwparser.p0", "%{} %{interface->} is full. Unable to %{p0}");
+
+ var part810 = match("MESSAGE#466:00029:03/3_0", "nwparser.p0", "commit %{p0}");
+
+ var part811 = match("MESSAGE#466:00029:03/3_1", "nwparser.p0", "offer %{p0}");
+
+ var select187 = linear_select([
+ part810,
+ part811,
+ ]);
+
+ var part812 = match("MESSAGE#466:00029:03/4", "nwparser.p0", "IP address to client at %{fld2}");
+
+ var all163 = all_match({
+ processors: [
+ dup210,
+ dup337,
+ part809,
+ select187,
+ part812,
+ ],
+ on_success: processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg473 = msg("00029:03", all163);
+
+ var part813 = match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{interface->} (another server found on %{hostip}).", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg474 = msg("00029:04", part813);
+
+ var select188 = linear_select([
+ msg470,
+ msg471,
+ msg472,
+ msg473,
+ msg474,
+ ]);
+
+ var part814 = match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg475 = msg("00030", part814);
+
+ var part815 = match("MESSAGE#469:00030:01/0", "nwparser.payload", "DSS checking of CRLs has been changed from %{p0}");
+
+ var part816 = match("MESSAGE#469:00030:01/1_0", "nwparser.p0", "0 to 1%{}");
+
+ var part817 = match("MESSAGE#469:00030:01/1_1", "nwparser.p0", "1 to 0%{}");
+
+ var select189 = linear_select([
+ part816,
+ part817,
+ ]);
+
+ var all164 = all_match({
+ processors: [
+ part815,
+ select189,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg476 = msg("00030:01", all164);
+
+ var part818 = match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg477 = msg("00030:05", part818);
+
+ var part819 = match("MESSAGE#471:00030:06", "nwparser.payload", "In the X509 certificate request the %{fld2->} field has been changed from %{fld3}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg478 = msg("00030:06", part819);
+
+ var part820 = match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be loaded%{}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg479 = msg("00030:07", part820);
+
+ var part821 = match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate cannot be generated%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg480 = msg("00030:10", part821);
+
+ var part822 = match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS image has successfully been updated%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg481 = msg("00030:12", part822);
+
+ var part823 = match("MESSAGE#475:00030:13/0", "nwparser.payload", "The public key used for ScreenOS image authentication cannot be %{p0}");
+
+ var part824 = match("MESSAGE#475:00030:13/1_0", "nwparser.p0", "decoded%{}");
+
+ var part825 = match("MESSAGE#475:00030:13/1_1", "nwparser.p0", "loaded%{}");
+
+ var select190 = linear_select([
+ part824,
+ part825,
+ ]);
+
+ var all165 = all_match({
+ processors: [
+ part823,
+ select190,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg482 = msg("00030:13", all165);
+
+ var part826 = match("MESSAGE#476:00030:14/1_0", "nwparser.p0", "CA IDENT %{p0}");
+
+ var part827 = match("MESSAGE#476:00030:14/1_1", "nwparser.p0", "Challenge password %{p0}");
+
+ var part828 = match("MESSAGE#476:00030:14/1_2", "nwparser.p0", "CA CGI URL %{p0}");
+
+ var part829 = match("MESSAGE#476:00030:14/1_3", "nwparser.p0", "RA CGI URL %{p0}");
+
+ var select191 = linear_select([
+ part826,
+ part827,
+ part828,
+ part829,
+ ]);
+
+ var part830 = match("MESSAGE#476:00030:14/2", "nwparser.p0", "for SCEP %{p0}");
+
+ var part831 = match("MESSAGE#476:00030:14/3_0", "nwparser.p0", "requests %{p0}");
+
+ var select192 = linear_select([
+ part831,
+ dup16,
+ ]);
+
+ var part832 = match("MESSAGE#476:00030:14/4", "nwparser.p0", "has been changed from %{change_old->} to %{change_new}");
+
+ var all166 = all_match({
+ processors: [
+ dup55,
+ select191,
+ part830,
+ select192,
+ part832,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg483 = msg("00030:14", all166);
+
+ var msg484 = msg("00030:02", dup375);
+
+ var part833 = match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS image authentication is invalid%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg485 = msg("00030:15", part833);
+
+ var part834 = match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been deleted%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg486 = msg("00030:16", part834);
+
+ var part835 = match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accept per config DN %{interface}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg487 = msg("00030:18", part835);
+
+ var part836 = match("MESSAGE#481:00030:19/0", "nwparser.payload", "PKI: A configurable item %{change_attribute->} %{p0}");
+
+ var part837 = match("MESSAGE#481:00030:19/1_0", "nwparser.p0", "mode %{p0}");
+
+ var part838 = match("MESSAGE#481:00030:19/1_1", "nwparser.p0", "field%{p0}");
+
+ var select193 = linear_select([
+ part837,
+ part838,
+ ]);
+
+ var part839 = match("MESSAGE#481:00030:19/2", "nwparser.p0", "%{}has changed from %{change_old->} to %{change_new}");
+
+ var all167 = all_match({
+ processors: [
+ part836,
+ select193,
+ part839,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg488 = msg("00030:19", all167);
+
+ var part840 = match("MESSAGE#482:00030:30", "nwparser.payload", "PKI: NSRP cold sync start for total of %{fld2->} items.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg489 = msg("00030:30", part840);
+
+ var part841 = match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} out of order expect %{fld3->} of %{fld4}.", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg490 = msg("00030:31", part841);
+
+ var part842 = match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} without first item.", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg491 = msg("00030:32", part842);
+
+ var part843 = match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received normal item during cold sync.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg492 = msg("00030:33", part843);
+
+ var part844 = match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} is deleted.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg493 = msg("00030:34", part844);
+
+ var part845 = match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availability synchronization %{fld2->} failed.", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg494 = msg("00030:35", part845);
+
+ var part846 = match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute->} has changed from %{change_old->} to %{change_new}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg495 = msg("00030:36", part846);
+
+ var part847 = match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate for the ScreenOS image authentication is invalid.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg496 = msg("00030:37", part847);
+
+ var part848 = match("MESSAGE#490:00030:38", "nwparser.payload", "PKI: The X.509 local certificate cannot be sync to vsd member.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg497 = msg("00030:38", part848);
+
+ var part849 = match("MESSAGE#491:00030:39/0", "nwparser.payload", "PKI: The X.509 certificate %{p0}");
+
+ var part850 = match("MESSAGE#491:00030:39/1_0", "nwparser.p0", "revocation list %{p0}");
+
+ var select194 = linear_select([
+ part850,
+ dup16,
+ ]);
+
+ var part851 = match("MESSAGE#491:00030:39/2", "nwparser.p0", "cannot be loaded during NSRP synchronization.%{}");
+
+ var all168 = all_match({
+ processors: [
+ part849,
+ select194,
+ part851,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg498 = msg("00030:39", all168);
+
+ var part852 = match("MESSAGE#492:00030:17/0", "nwparser.payload", "X509 %{p0}");
+
+ var part853 = match("MESSAGE#492:00030:17/2", "nwparser.p0", "cannot be loaded%{}");
+
+ var all169 = all_match({
+ processors: [
+ part852,
+ dup376,
+ part853,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg499 = msg("00030:17", all169);
+
+ var part854 = match("MESSAGE#493:00030:40/0", "nwparser.payload", "PKI: The certificate %{fld2->} will expire %{p0}");
+
+ var part855 = match("MESSAGE#493:00030:40/1_1", "nwparser.p0", "please %{p0}");
+
+ var select195 = linear_select([
+ dup214,
+ part855,
+ ]);
+
+ var part856 = match("MESSAGE#493:00030:40/2", "nwparser.p0", "renew.%{}");
+
+ var all170 = all_match({
+ processors: [
+ part854,
+ select195,
+ part856,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg500 = msg("00030:40", all170);
+
+ var part857 = match("MESSAGE#494:00030:41", "nwparser.payload", "PKI: The certificate revocation list has expired issued by certificate authority %{fld2}.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg501 = msg("00030:41", part857);
+
+ var part858 = match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration content of certificate authority %{fld2->} is not valid.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg502 = msg("00030:42", part858);
+
+ var part859 = match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot allocate this object id number %{fld2}.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg503 = msg("00030:43", part859);
+
+ var part860 = match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg504 = msg("00030:44", part860);
+
+ var part861 = match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find the PKI object %{fld2->} during cold sync.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg505 = msg("00030:45", part861);
+
+ var part862 = match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X.509 certificate onto the device certificate %{fld2}.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg506 = msg("00030:46", part862);
+
+ var part863 = match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a certificate pending SCEP completion.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg507 = msg("00030:47", part863);
+
+ var part864 = match("MESSAGE#501:00030:48", "nwparser.payload", "PKI: The device cannot load an X.509 certificate revocation list (CRL).%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg508 = msg("00030:48", part864);
+
+ var part865 = match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load the CA certificate received through SCEP.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg509 = msg("00030:49", part865);
+
+ var part866 = match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg510 = msg("00030:50", part866);
+
+ var part867 = match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load the X.509 local certificate received through SCEP.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg511 = msg("00030:51", part867);
+
+ var part868 = match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load the X.509 %{product->} during boot.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg512 = msg("00030:52", part868);
+
+ var part869 = match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load the X.509 certificate file.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg513 = msg("00030:53", part869);
+
+ var part870 = match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the coldsync of the PKI object at %{fld2->} attempt.", processor_chain([
+ dup44,
+ dup211,
+ dup31,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg514 = msg("00030:54", part870);
+
+ var part871 = match("MESSAGE#508:00030:55/0", "nwparser.payload", "PKI: The device could not generate %{p0}");
+
+ var all171 = all_match({
+ processors: [
+ part871,
+ dup377,
+ dup217,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg515 = msg("00030:55", all171);
+
+ var part872 = match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an invalid RSA key.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg516 = msg("00030:56", part872);
+
+ var part873 = match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an invalid digital signature algorithm (DSA) key.%{}", processor_chain([
+ dup35,
+ dup218,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg517 = msg("00030:57", part873);
+
+ var part874 = match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to coldsync the PKI object at %{fld2->} attempt.", processor_chain([
+ dup86,
+ dup218,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg518 = msg("00030:58", part874);
+
+ var part875 = match("MESSAGE#512:00030:59", "nwparser.payload", "PKI: The device failed to decode the public key of the image%{quote}s signer certificate.", processor_chain([
+ dup35,
+ dup218,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg519 = msg("00030:59", part875);
+
+ var part876 = match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to install the RSA key.%{}", processor_chain([
+ dup35,
+ dup218,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg520 = msg("00030:60", part876);
+
+ var part877 = match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to retrieve the pending certificate %{fld2}.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg521 = msg("00030:61", part877);
+
+ var part878 = match("MESSAGE#515:00030:62", "nwparser.payload", "PKI: The device failed to save the certificate authority related configuration.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg522 = msg("00030:62", part878);
+
+ var part879 = match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to store the authority configuration.%{}", processor_chain([
+ dup18,
+ dup219,
+ dup51,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg523 = msg("00030:63", part879);
+
+ var part880 = match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.%{}", processor_chain([
+ dup18,
+ dup218,
+ dup51,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg524 = msg("00030:64", part880);
+
+ var part881 = match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.%{}", processor_chain([
+ dup18,
+ dup218,
+ dup51,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg525 = msg("00030:65", part881);
+
+ var part882 = match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected an invalid X.509 object attribute %{fld2}.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg526 = msg("00030:66", part882);
+
+ var part883 = match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected invalid X.509 object content.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg527 = msg("00030:67", part883);
+
+ var part884 = match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to load an invalid X.509 object.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg528 = msg("00030:68", part884);
+
+ var part885 = match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading the version 0 PKI data.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg529 = msg("00030:69", part885);
+
+ var part886 = match("MESSAGE#523:00030:70/0", "nwparser.payload", "PKI: The device successfully generated a new %{p0}");
+
+ var all172 = all_match({
+ processors: [
+ part886,
+ dup377,
+ dup217,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg530 = msg("00030:70", all172);
+
+ var part887 = match("MESSAGE#524:00030:71", "nwparser.payload", "PKI: The public key of image%{quote}s signer has been loaded successfully, for future image authentication.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg531 = msg("00030:71", part887);
+
+ var part888 = match("MESSAGE#525:00030:72", "nwparser.payload", "PKI: The signature of the image%{quote}s signer certificate cannot be verified.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg532 = msg("00030:72", part888);
+
+ var part889 = match("MESSAGE#526:00030:73/0", "nwparser.payload", "PKI: The %{p0}");
+
+ var part890 = match("MESSAGE#526:00030:73/1_0", "nwparser.p0", "file name %{p0}");
+
+ var part891 = match("MESSAGE#526:00030:73/1_1", "nwparser.p0", "friendly name of a certificate %{p0}");
+
+ var part892 = match("MESSAGE#526:00030:73/1_2", "nwparser.p0", "vsys name %{p0}");
+
+ var select196 = linear_select([
+ part890,
+ part891,
+ part892,
+ ]);
+
+ var part893 = match("MESSAGE#526:00030:73/2", "nwparser.p0", "is too long %{fld2->} to do NSRP synchronization allowed %{fld3}.");
+
+ var all173 = all_match({
+ processors: [
+ part889,
+ select196,
+ part893,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg533 = msg("00030:73", all173);
+
+ var part894 = match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier version save to file.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg534 = msg("00030:74", part894);
+
+ var part895 = match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has been deleted distinguished name %{username}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg535 = msg("00030:75", part895);
+
+ var part896 = match("MESSAGE#529:00030:76/0", "nwparser.payload", "PKI: X.509 %{p0}");
+
+ var part897 = match("MESSAGE#529:00030:76/2", "nwparser.p0", "file has been loaded successfully filename %{fld2}.");
+
+ var all174 = all_match({
+ processors: [
+ part896,
+ dup376,
+ part897,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg536 = msg("00030:76", all174);
+
+ var part898 = match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA key.%{}", processor_chain([
+ dup18,
+ dup218,
+ dup51,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg537 = msg("00030:77", part898);
+
+ var part899 = match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when requesting certificate.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup220,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg538 = msg("00030:78", part899);
+
+ var part900 = match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check per config DN %{username}.", processor_chain([
+ dup35,
+ dup211,
+ dup220,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg539 = msg("00030:79", part900);
+
+ var part901 = match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 objects.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg540 = msg("00030:80", part901);
+
+ var part902 = match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject name %{fld2->} is deleted.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg541 = msg("00030:81", part902);
+
+ var part903 = match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{fld2}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg542 = msg("00030:82", part903);
+
+ var part904 = match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire authcfg for this CA cert %{fld2}.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg543 = msg("00030:83", part904);
+
+ var part905 = match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg from global.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg544 = msg("00030:84", part905);
+
+ var part906 = match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is high (%{fld2->} alarm threshold: %{trigger_val}) %{info}", processor_chain([
+ setc("eventcategory","1603080000"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg545 = msg("00030:85", part906);
+
+ var part907 = match("MESSAGE#539:00030:86/2", "nwparser.p0", "Pair-wise invoked by started after key generation. (%{fld1})");
+
+ var all175 = all_match({
+ processors: [
+ dup221,
+ dup378,
+ part907,
+ ],
+ on_success: processor_chain([
+ dup223,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg546 = msg("00030:86", all175);
+
+ var part908 = match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is high (%{fld2->} > %{fld3->} ) %{fld4->} times in %{fld5->} minute (%{fld1})\u003c\u003c%{fld6}>", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg547 = msg("00030:87", part908);
+
+ var part909 = match("MESSAGE#1217:00030:88/2", "nwparser.p0", "Pair-wise invoked by passed. (%{fld1})\u003c\u003c%{fld6}>");
+
+ var all176 = all_match({
+ processors: [
+ dup221,
+ dup378,
+ part909,
+ ],
+ on_success: processor_chain([
+ dup223,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg548 = msg("00030:88", all176);
+
+ var select197 = linear_select([
+ msg475,
+ msg476,
+ msg477,
+ msg478,
+ msg479,
+ msg480,
+ msg481,
+ msg482,
+ msg483,
+ msg484,
+ msg485,
+ msg486,
+ msg487,
+ msg488,
+ msg489,
+ msg490,
+ msg491,
+ msg492,
+ msg493,
+ msg494,
+ msg495,
+ msg496,
+ msg497,
+ msg498,
+ msg499,
+ msg500,
+ msg501,
+ msg502,
+ msg503,
+ msg504,
+ msg505,
+ msg506,
+ msg507,
+ msg508,
+ msg509,
+ msg510,
+ msg511,
+ msg512,
+ msg513,
+ msg514,
+ msg515,
+ msg516,
+ msg517,
+ msg518,
+ msg519,
+ msg520,
+ msg521,
+ msg522,
+ msg523,
+ msg524,
+ msg525,
+ msg526,
+ msg527,
+ msg528,
+ msg529,
+ msg530,
+ msg531,
+ msg532,
+ msg533,
+ msg534,
+ msg535,
+ msg536,
+ msg537,
+ msg538,
+ msg539,
+ msg540,
+ msg541,
+ msg542,
+ msg543,
+ msg544,
+ msg545,
+ msg546,
+ msg547,
+ msg548,
+ ]);
+
+ var part910 = match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP address %{hostip->} changed from %{sinterface->} to interface %{dinterface->} (%{fld1})", processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg549 = msg("00031:13", part910);
+
+ var part911 = match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg550 = msg("00031", part911);
+
+ var part912 = match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg551 = msg("00031:01", part912);
+
+ var part913 = match("MESSAGE#543:00031:02/0", "nwparser.payload", "SNMP community %{fld2->} attributes-write access %{p0}");
+
+ var part914 = match("MESSAGE#543:00031:02/2", "nwparser.p0", "; receive traps %{p0}");
+
+ var part915 = match("MESSAGE#543:00031:02/4", "nwparser.p0", "; receive traffic alarms %{p0}");
+
+ var part916 = match("MESSAGE#543:00031:02/6", "nwparser.p0", "-have been modified%{}");
+
+ var all177 = all_match({
+ processors: [
+ part913,
+ dup379,
+ part914,
+ dup379,
+ part915,
+ dup379,
+ part916,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg552 = msg("00031:02", all177);
+
+ var part917 = match("MESSAGE#544:00031:03/0", "nwparser.payload", "%{fld2->} SNMP host %{hostip->} has been %{p0}");
+
+ var select198 = linear_select([
+ dup130,
+ dup129,
+ ]);
+
+ var part918 = match("MESSAGE#544:00031:03/2", "nwparser.p0", "SNMP community %{fld3}");
+
+ var all178 = all_match({
+ processors: [
+ part917,
+ select198,
+ part918,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg553 = msg("00031:03", all178);
+
+ var part919 = match("MESSAGE#545:00031:04/0", "nwparser.payload", "SNMP %{p0}");
+
+ var part920 = match("MESSAGE#545:00031:04/1_0", "nwparser.p0", "contact %{p0}");
+
+ var select199 = linear_select([
+ part920,
+ dup226,
+ ]);
+
+ var part921 = match("MESSAGE#545:00031:04/2", "nwparser.p0", "description has been modified%{}");
+
+ var all179 = all_match({
+ processors: [
+ part919,
+ select199,
+ part921,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg554 = msg("00031:04", all179);
+
+ var part922 = match("MESSAGE#546:00031:11/0", "nwparser.payload", "SNMP system %{p0}");
+
+ var select200 = linear_select([
+ dup226,
+ dup25,
+ ]);
+
+ var part923 = match("MESSAGE#546:00031:11/2", "nwparser.p0", "has been changed to %{fld2}. (%{fld1})");
+
+ var all180 = all_match({
+ processors: [
+ part922,
+ select200,
+ part923,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg555 = msg("00031:11", all180);
+
+ var part924 = match("MESSAGE#547:00031:08/0", "nwparser.payload", "%{fld2}: SNMP community name \"%{fld3}\" %{p0}");
+
+ var part925 = match("MESSAGE#547:00031:08/1_0", "nwparser.p0", "attributes -- %{p0}");
+
+ var part926 = match("MESSAGE#547:00031:08/1_1", "nwparser.p0", "-- %{p0}");
+
+ var select201 = linear_select([
+ part925,
+ part926,
+ ]);
+
+ var part927 = match("MESSAGE#547:00031:08/2", "nwparser.p0", "write access, %{p0}");
+
+ var part928 = match("MESSAGE#547:00031:08/4", "nwparser.p0", "; receive traps, %{p0}");
+
+ var part929 = match("MESSAGE#547:00031:08/6", "nwparser.p0", "; receive traffic alarms, %{p0}");
+
+ var part930 = match("MESSAGE#547:00031:08/8", "nwparser.p0", "-%{p0}");
+
+ var part931 = match("MESSAGE#547:00031:08/9_0", "nwparser.p0", "- %{p0}");
+
+ var select202 = linear_select([
+ part931,
+ dup96,
+ ]);
+
+ var part932 = match("MESSAGE#547:00031:08/10", "nwparser.p0", "have been modified%{}");
+
+ var all181 = all_match({
+ processors: [
+ part924,
+ select201,
+ part927,
+ dup379,
+ part928,
+ dup379,
+ part929,
+ dup379,
+ part930,
+ select202,
+ part932,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg556 = msg("00031:08", all181);
+
+ var part933 = match("MESSAGE#548:00031:05/0", "nwparser.payload", "Detect IP conflict (%{fld2}) on %{p0}");
+
+ var all182 = all_match({
+ processors: [
+ part933,
+ dup337,
+ dup227,
+ ],
+ on_success: processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg557 = msg("00031:05", all182);
+
+ var part934 = match("MESSAGE#549:00031:06/1_0", "nwparser.p0", "q, %{p0}");
+
+ var select203 = linear_select([
+ part934,
+ dup229,
+ dup230,
+ ]);
+
+ var part935 = match("MESSAGE#549:00031:06/2", "nwparser.p0", "detect IP conflict ( %{hostip->} )%{p0}");
+
+ var select204 = linear_select([
+ dup105,
+ dup96,
+ ]);
+
+ var part936 = match("MESSAGE#549:00031:06/4", "nwparser.p0", "mac%{p0}");
+
+ var part937 = match("MESSAGE#549:00031:06/6", "nwparser.p0", "%{macaddr->} on %{p0}");
+
+ var all183 = all_match({
+ processors: [
+ dup228,
+ select203,
+ part935,
+ select204,
+ part936,
+ dup356,
+ part937,
+ dup352,
+ dup23,
+ dup380,
+ ],
+ on_success: processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg558 = msg("00031:06", all183);
+
+ var part938 = match("MESSAGE#550:00031:07/2", "nwparser.p0", "detects a duplicate virtual security device group master IP address %{hostip}, MAC address %{macaddr->} on %{p0}");
+
+ var all184 = all_match({
+ processors: [
+ dup228,
+ dup381,
+ part938,
+ dup337,
+ dup227,
+ ],
+ on_success: processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg559 = msg("00031:07", all184);
+
+ var part939 = match("MESSAGE#551:00031:09/2", "nwparser.p0", "detected an IP conflict (IP %{hostip}, MAC %{macaddr}) on interface %{p0}");
+
+ var all185 = all_match({
+ processors: [
+ dup228,
+ dup381,
+ part939,
+ dup380,
+ ],
+ on_success: processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg560 = msg("00031:09", all185);
+
+ var part940 = match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{fld3}\" has been moved. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg561 = msg("00031:10", part940);
+
+ var part941 = match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has been changed to %{fld3}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg562 = msg("00031:12", part941);
+
+ var select205 = linear_select([
+ msg549,
+ msg550,
+ msg551,
+ msg552,
+ msg553,
+ msg554,
+ msg555,
+ msg556,
+ msg557,
+ msg558,
+ msg559,
+ msg560,
+ msg561,
+ msg562,
+ ]);
+
+ var part942 = match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg563 = msg("00032", part942);
+
+ var part943 = match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg564 = msg("00032:01", part943);
+
+ var part944 = match("MESSAGE#556:00032:03/0", "nwparser.payload", "Vsys %{fld2->} has been %{p0}");
+
+ var part945 = match("MESSAGE#556:00032:03/1_0", "nwparser.p0", "changed to %{fld3}");
+
+ var part946 = match("MESSAGE#556:00032:03/1_1", "nwparser.p0", "created%{}");
+
+ var part947 = match("MESSAGE#556:00032:03/1_2", "nwparser.p0", "deleted%{}");
+
+ var part948 = match("MESSAGE#556:00032:03/1_3", "nwparser.p0", "removed%{}");
+
+ var select206 = linear_select([
+ part945,
+ part946,
+ part947,
+ part948,
+ ]);
+
+ var all186 = all_match({
+ processors: [
+ part944,
+ select206,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg565 = msg("00032:03", all186);
+
+ var part949 = match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup61,
+ ]));
+
+ var msg566 = msg("00032:04", part949);
+
+ var part950 = match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsys %{fld2->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg567 = msg("00032:05", part950);
+
+ var msg568 = msg("00032:02", dup375);
+
+ var select207 = linear_select([
+ msg563,
+ msg564,
+ msg565,
+ msg566,
+ msg567,
+ msg568,
+ ]);
+
+ var part951 = match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ setc("agent","NSM"),
+ ]));
+
+ var msg569 = msg("00033:25", part951);
+
+ var part952 = match("MESSAGE#561:00033/1", "nwparser.p0", "timeout value has been %{p0}");
+
+ var part953 = match("MESSAGE#561:00033/2_1", "nwparser.p0", "returned%{p0}");
+
+ var select208 = linear_select([
+ dup52,
+ part953,
+ ]);
+
+ var part954 = match("MESSAGE#561:00033/3", "nwparser.p0", "%{}to %{fld2}");
+
+ var all187 = all_match({
+ processors: [
+ dup382,
+ part952,
+ select208,
+ part954,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg570 = msg("00033", all187);
+
+ var part955 = match("MESSAGE#562:00033:03/1_0", "nwparser.p0", "Global PRO %{p0}");
+
+ var part956 = match("MESSAGE#562:00033:03/1_1", "nwparser.p0", "%{fld3->} %{p0}");
+
+ var select209 = linear_select([
+ part955,
+ part956,
+ ]);
+
+ var part957 = match("MESSAGE#562:00033:03/4", "nwparser.p0", "host has been set to %{fld4}");
+
+ var all188 = all_match({
+ processors: [
+ dup160,
+ select209,
+ dup23,
+ dup369,
+ part957,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg571 = msg("00033:03", all188);
+
+ var part958 = match("MESSAGE#563:00033:02/3", "nwparser.p0", "host has been %{disposition}");
+
+ var all189 = all_match({
+ processors: [
+ dup382,
+ dup23,
+ dup369,
+ part958,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg572 = msg("00033:02", all189);
+
+ var part959 = match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{fld3->} has been %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg573 = msg("00033:04", part959);
+
+ var part960 = match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg574 = msg("00033:05", part960);
+
+ var part961 = match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg575 = msg("00033:06", part961);
+
+ var part962 = match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The threshold was exceeded %{dclass_counter1->} times", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ setc("dclass_counter1_string","Number of times the threshold was exceeded"),
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg576 = msg("00033:01", part962);
+
+ var part963 = match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{service->} has been %{disposition->} from %{fld2->} distribution", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg577 = msg("00033:07", part963);
+
+ var part964 = match("MESSAGE#569:00033:08/2", "nwparser.p0", "?s CA certificate field has not been specified.%{}");
+
+ var all190 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part964,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg578 = msg("00033:08", all190);
+
+ var part965 = match("MESSAGE#570:00033:09/2", "nwparser.p0", "?s Cert-Subject field has not been specified.%{}");
+
+ var all191 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part965,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg579 = msg("00033:09", all191);
+
+ var part966 = match("MESSAGE#571:00033:10/2", "nwparser.p0", "?s host field has been %{p0}");
+
+ var part967 = match("MESSAGE#571:00033:10/3_0", "nwparser.p0", "set to %{fld2->} %{p0}");
+
+ var select210 = linear_select([
+ part967,
+ dup238,
+ ]);
+
+ var all192 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part966,
+ select210,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg580 = msg("00033:10", all192);
+
+ var part968 = match("MESSAGE#572:00033:11/2", "nwparser.p0", "?s outgoing interface used to report NACN to Policy Manager %{p0}");
+
+ var part969 = match("MESSAGE#572:00033:11/4", "nwparser.p0", "has not been specified.%{}");
+
+ var all193 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part968,
+ dup383,
+ part969,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg581 = msg("00033:11", all193);
+
+ var part970 = match("MESSAGE#573:00033:12/2", "nwparser.p0", "?s password field has been %{p0}");
+
+ var select211 = linear_select([
+ dup101,
+ dup238,
+ ]);
+
+ var all194 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part970,
+ select211,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg582 = msg("00033:12", all194);
+
+ var part971 = match("MESSAGE#574:00033:13/2", "nwparser.p0", "?s policy-domain field has been %{p0}");
+
+ var part972 = match("MESSAGE#574:00033:13/3_0", "nwparser.p0", "unset .%{}");
+
+ var part973 = match("MESSAGE#574:00033:13/3_1", "nwparser.p0", "set to %{domain}.");
+
+ var select212 = linear_select([
+ part972,
+ part973,
+ ]);
+
+ var all195 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part971,
+ select212,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg583 = msg("00033:13", all195);
+
+ var part974 = match("MESSAGE#575:00033:14/2", "nwparser.p0", "?s CA certificate field has been set to %{fld2}.");
+
+ var all196 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part974,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg584 = msg("00033:14", all196);
+
+ var part975 = match("MESSAGE#576:00033:15/2", "nwparser.p0", "?s Cert-Subject field has been set to %{fld2}.");
+
+ var all197 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part975,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg585 = msg("00033:15", all197);
+
+ var part976 = match("MESSAGE#577:00033:16/2", "nwparser.p0", "?s outgoing-interface field has been set to %{interface}.");
+
+ var all198 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part976,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg586 = msg("00033:16", all198);
+
+ var part977 = match("MESSAGE#578:00033:17/2", "nwparser.p0", "?s port field has been %{p0}");
+
+ var part978 = match("MESSAGE#578:00033:17/3_0", "nwparser.p0", "set to %{network_port->} %{p0}");
+
+ var part979 = match("MESSAGE#578:00033:17/3_1", "nwparser.p0", "reset to the default value %{p0}");
+
+ var select213 = linear_select([
+ part978,
+ part979,
+ ]);
+
+ var all199 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part977,
+ select213,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg587 = msg("00033:17", all199);
+
+ var part980 = match("MESSAGE#579:00033:19/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{p0}");
+
+ var part981 = match("MESSAGE#579:00033:19/4", "nwparser.p0", "%{fld99}arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.");
+
+ var all200 = all_match({
+ processors: [
+ part980,
+ dup339,
+ dup70,
+ dup340,
+ part981,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup59,
+ dup61,
+ ]),
+ });
+
+ var msg588 = msg("00033:19", all200);
+
+ var part982 = match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.", processor_chain([
+ dup27,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup59,
+ dup60,
+ ]));
+
+ var msg589 = msg("00033:20", part982);
+
+ var all201 = all_match({
+ processors: [
+ dup239,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup9,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg590 = msg("00033:21", all201);
+
+ var part983 = match("MESSAGE#582:00033:22/0", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var all202 = all_match({
+ processors: [
+ part983,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup9,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg591 = msg("00033:22", all202);
+
+ var part984 = match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name %{hostname->} was set: addr %{hostip}, port %{network_port}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg592 = msg("00033:23", part984);
+
+ var part985 = match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{info}. (%{fld1})", processor_chain([
+ setc("eventcategory","1001030500"),
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg593 = msg("00033:24", part985);
+
+ var select214 = linear_select([
+ msg569,
+ msg570,
+ msg571,
+ msg572,
+ msg573,
+ msg574,
+ msg575,
+ msg576,
+ msg577,
+ msg578,
+ msg579,
+ msg580,
+ msg581,
+ msg582,
+ msg583,
+ msg584,
+ msg585,
+ msg586,
+ msg587,
+ msg588,
+ msg589,
+ msg590,
+ msg591,
+ msg592,
+ msg593,
+ ]);
+
+ var part986 = match("MESSAGE#585:00034/0_0", "nwparser.payload", "SCS: Failed %{p0}");
+
+ var part987 = match("MESSAGE#585:00034/0_1", "nwparser.payload", "Failed %{p0}");
+
+ var select215 = linear_select([
+ part986,
+ part987,
+ ]);
+
+ var part988 = match("MESSAGE#585:00034/2_0", "nwparser.p0", "bind %{p0}");
+
+ var part989 = match("MESSAGE#585:00034/2_2", "nwparser.p0", "retrieve %{p0}");
+
+ var select216 = linear_select([
+ part988,
+ dup201,
+ part989,
+ ]);
+
+ var select217 = linear_select([
+ dup196,
+ dup103,
+ dup163,
+ ]);
+
+ var part990 = match("MESSAGE#585:00034/5", "nwparser.p0", "SSH user %{username}. (Key ID=%{fld2})");
+
+ var all203 = all_match({
+ processors: [
+ select215,
+ dup103,
+ select216,
+ dup202,
+ select217,
+ part990,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg594 = msg("00034", all203);
+
+ var part991 = match("MESSAGE#586:00034:01/0_0", "nwparser.payload", "SCS: Incompatible %{p0}");
+
+ var part992 = match("MESSAGE#586:00034:01/0_1", "nwparser.payload", "Incompatible %{p0}");
+
+ var select218 = linear_select([
+ part991,
+ part992,
+ ]);
+
+ var part993 = match("MESSAGE#586:00034:01/1", "nwparser.p0", "SSH version %{version->} has been received from %{p0}");
+
+ var part994 = match("MESSAGE#586:00034:01/2_0", "nwparser.p0", "the SSH %{p0}");
+
+ var select219 = linear_select([
+ part994,
+ dup241,
+ ]);
+
+ var part995 = match("MESSAGE#586:00034:01/3", "nwparser.p0", "client at %{saddr}:%{sport}");
+
+ var all204 = all_match({
+ processors: [
+ select218,
+ part993,
+ select219,
+ part995,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg595 = msg("00034:01", all204);
+
+ var part996 = match("MESSAGE#587:00034:02", "nwparser.payload", "Maximum number of SCS sessions %{fld2->} has been reached. Connection request from SSH user %{username->} at %{saddr}:%{sport->} has been %{disposition}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg596 = msg("00034:02", part996);
+
+ var part997 = match("MESSAGE#588:00034:03/1", "nwparser.p0", "device failed to authenticate the SSH client at %{saddr}:%{sport}");
+
+ var all205 = all_match({
+ processors: [
+ dup384,
+ part997,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg597 = msg("00034:03", all205);
+
+ var part998 = match("MESSAGE#589:00034:04", "nwparser.payload", "SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user %{username->} at %{saddr}:%{sport}. (Key ID=%{fld2})", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg598 = msg("00034:04", part998);
+
+ var part999 = match("MESSAGE#590:00034:05", "nwparser.payload", "NetScreen device failed to generate a PKA RSA challenge for SSH user %{username}. (Key ID=%{fld2})", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg599 = msg("00034:05", part999);
+
+ var part1000 = match("MESSAGE#591:00034:06/1", "nwparser.p0", "device failed to %{p0}");
+
+ var part1001 = match("MESSAGE#591:00034:06/2_0", "nwparser.p0", "identify itself %{p0}");
+
+ var part1002 = match("MESSAGE#591:00034:06/2_1", "nwparser.p0", "send the identification string %{p0}");
+
+ var select220 = linear_select([
+ part1001,
+ part1002,
+ ]);
+
+ var part1003 = match("MESSAGE#591:00034:06/3", "nwparser.p0", "to the SSH client at %{saddr}:%{sport}");
+
+ var all206 = all_match({
+ processors: [
+ dup384,
+ part1000,
+ select220,
+ part1003,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg600 = msg("00034:06", all206);
+
+ var part1004 = match("MESSAGE#592:00034:07", "nwparser.payload", "SCS connection has been terminated for admin user %{username->} at %{saddr}:%{sport}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg601 = msg("00034:07", part1004);
+
+ var part1005 = match("MESSAGE#593:00034:08", "nwparser.payload", "SCS: SCS has been %{disposition->} for %{username->} with %{fld2->} existing PKA keys already bound to %{fld3->} SSH users.", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg602 = msg("00034:08", part1005);
+
+ var part1006 = match("MESSAGE#594:00034:09", "nwparser.payload", "SCS has been %{disposition->} for %{username->} with %{fld2->} PKA keys already bound to %{fld3->} SSH users", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg603 = msg("00034:09", part1006);
+
+ var part1007 = match("MESSAGE#595:00034:10/2", "nwparser.p0", "%{}client at %{saddr->} has attempted to make an SCS connection to %{p0}");
+
+ var part1008 = match("MESSAGE#595:00034:10/4", "nwparser.p0", "%{interface->} %{p0}");
+
+ var part1009 = match("MESSAGE#595:00034:10/5_0", "nwparser.p0", "with%{p0}");
+
+ var part1010 = match("MESSAGE#595:00034:10/5_1", "nwparser.p0", "at%{p0}");
+
+ var select221 = linear_select([
+ part1009,
+ part1010,
+ ]);
+
+ var part1011 = match("MESSAGE#595:00034:10/6", "nwparser.p0", "%{}IP %{hostip->} but %{disposition->} because %{result}");
+
+ var all207 = all_match({
+ processors: [
+ dup244,
+ dup385,
+ part1007,
+ dup352,
+ part1008,
+ select221,
+ part1011,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg604 = msg("00034:10", all207);
+
+ var part1012 = match("MESSAGE#596:00034:12/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has attempted to make an SCS connection to %{p0}");
+
+ var part1013 = match("MESSAGE#596:00034:12/4", "nwparser.p0", "but %{disposition->} because %{result}");
+
+ var all208 = all_match({
+ processors: [
+ dup244,
+ dup385,
+ part1012,
+ dup386,
+ part1013,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg605 = msg("00034:12", all208);
+
+ var part1014 = match("MESSAGE#597:00034:11/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to %{p0}");
+
+ var part1015 = match("MESSAGE#597:00034:11/4", "nwparser.p0", "because %{result}");
+
+ var all209 = all_match({
+ processors: [
+ dup244,
+ dup385,
+ part1014,
+ dup386,
+ part1015,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg606 = msg("00034:11", all209);
+
+ var part1016 = match("MESSAGE#598:00034:15", "nwparser.payload", "SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection because %{result}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg607 = msg("00034:15", part1016);
+
+ var part1017 = match("MESSAGE#599:00034:18/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} cannot log in via SCS to %{service->} using the shared %{interface->} interface because %{result}");
+
+ var all210 = all_match({
+ processors: [
+ dup244,
+ dup387,
+ part1017,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg608 = msg("00034:18", all210);
+
+ var part1018 = match("MESSAGE#600:00034:20/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has %{disposition->} the PKA RSA challenge");
+
+ var all211 = all_match({
+ processors: [
+ dup244,
+ dup387,
+ part1018,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg609 = msg("00034:20", all211);
+
+ var part1019 = match("MESSAGE#601:00034:21/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has requested %{p0}");
+
+ var part1020 = match("MESSAGE#601:00034:21/4", "nwparser.p0", "authentication which is not %{p0}");
+
+ var part1021 = match("MESSAGE#601:00034:21/5_0", "nwparser.p0", "supported %{p0}");
+
+ var select222 = linear_select([
+ part1021,
+ dup156,
+ ]);
+
+ var part1022 = match("MESSAGE#601:00034:21/6", "nwparser.p0", "for that %{p0}");
+
+ var part1023 = match("MESSAGE#601:00034:21/7_0", "nwparser.p0", "client%{}");
+
+ var part1024 = match("MESSAGE#601:00034:21/7_1", "nwparser.p0", "user%{}");
+
+ var select223 = linear_select([
+ part1023,
+ part1024,
+ ]);
+
+ var all212 = all_match({
+ processors: [
+ dup244,
+ dup387,
+ part1019,
+ dup372,
+ part1020,
+ select222,
+ part1022,
+ select223,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg610 = msg("00034:21", all212);
+
+ var part1025 = match("MESSAGE#602:00034:22", "nwparser.payload", "SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to vsys %{fld2->} using the shared untrusted interface", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg611 = msg("00034:22", part1025);
+
+ var part1026 = match("MESSAGE#603:00034:23/1_0", "nwparser.p0", "SCS: Unable %{p0}");
+
+ var part1027 = match("MESSAGE#603:00034:23/1_1", "nwparser.p0", "Unable %{p0}");
+
+ var select224 = linear_select([
+ part1026,
+ part1027,
+ ]);
+
+ var part1028 = match("MESSAGE#603:00034:23/2", "nwparser.p0", "to validate cookie from the SSH client at %{saddr}:%{sport}");
+
+ var all213 = all_match({
+ processors: [
+ dup160,
+ select224,
+ part1028,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg612 = msg("00034:23", all213);
+
+ var part1029 = match("MESSAGE#604:00034:24", "nwparser.payload", "AC %{username->} is advertising URL %{fld2}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg613 = msg("00034:24", part1029);
+
+ var part1030 = match("MESSAGE#605:00034:25", "nwparser.payload", "Message from AC %{username}: %{fld2}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg614 = msg("00034:25", part1030);
+
+ var part1031 = match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg615 = msg("00034:26", part1031);
+
+ var part1032 = match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on %{interface->} interface", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg616 = msg("00034:27", part1032);
+
+ var part1033 = match("MESSAGE#608:00034:28", "nwparser.payload", "PPPoE%{quote}s session closed by AC", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg617 = msg("00034:28", part1033);
+
+ var part1034 = match("MESSAGE#609:00034:29", "nwparser.payload", "SCS: Disabled for %{username}. Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg618 = msg("00034:29", part1034);
+
+ var part1035 = match("MESSAGE#610:00034:30", "nwparser.payload", "SCS: %{disposition->} to remove PKA key removed.", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg619 = msg("00034:30", part1035);
+
+ var part1036 = match("MESSAGE#611:00034:31", "nwparser.payload", "SCS: %{disposition->} to retrieve host key", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg620 = msg("00034:31", part1036);
+
+ var part1037 = match("MESSAGE#612:00034:32", "nwparser.payload", "SCS: %{disposition->} to send identification string to client host at %{saddr}:%{sport}.", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg621 = msg("00034:32", part1037);
+
+ var part1038 = match("MESSAGE#613:00034:33", "nwparser.payload", "SCS: Max %{fld2->} sessions reached unabel to accept connection : %{saddr}:%{sport}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg622 = msg("00034:33", part1038);
+
+ var part1039 = match("MESSAGE#614:00034:34", "nwparser.payload", "SCS: Maximum number for SCS sessions %{fld2->} has been reached. Connection request from SSH user at %{saddr}:%{sport->} has been %{disposition}.", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg623 = msg("00034:34", part1039);
+
+ var part1040 = match("MESSAGE#615:00034:35", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to %{service->} using the shared untrusted interface because SCS is disabled on that interface.", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg624 = msg("00034:35", part1040);
+
+ var part1041 = match("MESSAGE#616:00034:36", "nwparser.payload", "SCS: Unsupported cipher type %{fld2->} requested from: %{saddr}:%{sport}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg625 = msg("00034:36", part1041);
+
+ var part1042 = match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg626 = msg("00034:37", part1042);
+
+ var part1043 = match("MESSAGE#618:00034:38", "nwparser.payload", "SSH: %{disposition->} to retreive PKA key bound to SSH user %{username->} (Key ID %{fld2})", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg627 = msg("00034:38", part1043);
+
+ var part1044 = match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet from host %{saddr->} (Code %{fld2})", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg628 = msg("00034:39", part1044);
+
+ var part1045 = match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send initialization string to client at %{saddr}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg629 = msg("00034:40", part1045);
+
+ var part1046 = match("MESSAGE#621:00034:41/0", "nwparser.payload", "SCP: Admin user '%{administrator}' attempted to transfer file %{p0}");
+
+ var part1047 = match("MESSAGE#621:00034:41/2", "nwparser.p0", "the device with insufficient privilege.%{}");
+
+ var all214 = all_match({
+ processors: [
+ part1046,
+ dup373,
+ part1047,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg630 = msg("00034:41", all214);
+
+ var part1048 = match("MESSAGE#622:00034:42", "nwparser.payload", "SSH: Maximum number of SSH sessions (%{fld2}) exceeded. Connection request from SSH user %{username->} at %{saddr->} denied.", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg631 = msg("00034:42", part1048);
+
+ var part1049 = match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx bd (port %{network_port})", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg632 = msg("00034:43", part1049);
+
+ var part1050 = match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack detected on SSH connection initiated from %{saddr}:%{sport->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg633 = msg("00034:44", part1050);
+
+ var select225 = linear_select([
+ msg594,
+ msg595,
+ msg596,
+ msg597,
+ msg598,
+ msg599,
+ msg600,
+ msg601,
+ msg602,
+ msg603,
+ msg604,
+ msg605,
+ msg606,
+ msg607,
+ msg608,
+ msg609,
+ msg610,
+ msg611,
+ msg612,
+ msg613,
+ msg614,
+ msg615,
+ msg616,
+ msg617,
+ msg618,
+ msg619,
+ msg620,
+ msg621,
+ msg622,
+ msg623,
+ msg624,
+ msg625,
+ msg626,
+ msg627,
+ msg628,
+ msg629,
+ msg630,
+ msg631,
+ msg632,
+ msg633,
+ ]);
+
+ var part1051 = match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}:%{result}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg634 = msg("00035", part1051);
+
+ var part1052 = match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in incoming mail - %{fld2}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg635 = msg("00035:01", part1052);
+
+ var part1053 = match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} is not allowed in export or firewall only system", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg636 = msg("00035:02", part1053);
+
+ var part1054 = match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg637 = msg("00035:03", part1054);
+
+ var part1055 = match("MESSAGE#628:00035:04/0", "nwparser.payload", "SSL Error when retrieve local c%{p0}");
+
+ var part1056 = match("MESSAGE#628:00035:04/1_0", "nwparser.p0", "a(verify) %{p0}");
+
+ var part1057 = match("MESSAGE#628:00035:04/1_1", "nwparser.p0", "ert(verify) %{p0}");
+
+ var part1058 = match("MESSAGE#628:00035:04/1_2", "nwparser.p0", "ert(all) %{p0}");
+
+ var select226 = linear_select([
+ part1056,
+ part1057,
+ part1058,
+ ]);
+
+ var part1059 = match("MESSAGE#628:00035:04/2", "nwparser.p0", ": %{fld2}");
+
+ var all215 = all_match({
+ processors: [
+ part1055,
+ select226,
+ part1059,
+ ],
+ on_success: processor_chain([
+ dup117,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg638 = msg("00035:04", all215);
+
+ var part1060 = match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. Not ready for connections.%{}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg639 = msg("00035:05", part1060);
+
+ var part1061 = match("MESSAGE#630:00035:06/0", "nwparser.payload", "SSL c%{p0}");
+
+ var part1062 = match("MESSAGE#630:00035:06/2", "nwparser.p0", "changed to none%{}");
+
+ var all216 = all_match({
+ processors: [
+ part1061,
+ dup388,
+ part1062,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg640 = msg("00035:06", all216);
+
+ var part1063 = match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{fld2->} recieved %{fld3->} is expected", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg641 = msg("00035:07", part1063);
+
+ var part1064 = match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg642 = msg("00035:08", part1064);
+
+ var part1065 = match("MESSAGE#633:00035:09/1_0", "nwparser.p0", "enabled%{}");
+
+ var select227 = linear_select([
+ part1065,
+ dup92,
+ ]);
+
+ var all217 = all_match({
+ processors: [
+ dup253,
+ select227,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg643 = msg("00035:09", all217);
+
+ var part1066 = match("MESSAGE#634:00035:10/0", "nwparser.payload", "SSL memory allocation fails in process_c%{p0}");
+
+ var part1067 = match("MESSAGE#634:00035:10/1_0", "nwparser.p0", "a()%{}");
+
+ var part1068 = match("MESSAGE#634:00035:10/1_1", "nwparser.p0", "ert()%{}");
+
+ var select228 = linear_select([
+ part1067,
+ part1068,
+ ]);
+
+ var all218 = all_match({
+ processors: [
+ part1066,
+ select228,
+ ],
+ on_success: processor_chain([
+ dup184,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg644 = msg("00035:10", all218);
+
+ var part1069 = match("MESSAGE#635:00035:11/0", "nwparser.payload", "SSL no ssl c%{p0}");
+
+ var part1070 = match("MESSAGE#635:00035:11/1_0", "nwparser.p0", "a%{}");
+
+ var part1071 = match("MESSAGE#635:00035:11/1_1", "nwparser.p0", "ert%{}");
+
+ var select229 = linear_select([
+ part1070,
+ part1071,
+ ]);
+
+ var all219 = all_match({
+ processors: [
+ part1069,
+ select229,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg645 = msg("00035:11", all219);
+
+ var part1072 = match("MESSAGE#636:00035:12/0", "nwparser.payload", "SSL set c%{p0}");
+
+ var part1073 = match("MESSAGE#636:00035:12/2", "nwparser.p0", "id is invalid %{fld2}");
+
+ var all220 = all_match({
+ processors: [
+ part1072,
+ dup388,
+ part1073,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg646 = msg("00035:12", all220);
+
+ var part1074 = match("MESSAGE#637:00035:13/1_1", "nwparser.p0", "verify %{p0}");
+
+ var select230 = linear_select([
+ dup101,
+ part1074,
+ ]);
+
+ var part1075 = match("MESSAGE#637:00035:13/2", "nwparser.p0", "cert failed. Key type is not RSA%{}");
+
+ var all221 = all_match({
+ processors: [
+ dup253,
+ select230,
+ part1075,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg647 = msg("00035:13", all221);
+
+ var part1076 = match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg648 = msg("00035:14", part1076);
+
+ var part1077 = match("MESSAGE#639:00035:15/0", "nwparser.payload", "%{change_attribute->} has been changed %{p0}");
+
+ var part1078 = match("MESSAGE#639:00035:15/1_0", "nwparser.p0", "from %{change_old->} to %{change_new}");
+
+ var part1079 = match("MESSAGE#639:00035:15/1_1", "nwparser.p0", "to %{fld2}");
+
+ var select231 = linear_select([
+ part1078,
+ part1079,
+ ]);
+
+ var all222 = all_match({
+ processors: [
+ part1077,
+ select231,
+ ],
+ on_success: processor_chain([
+ dup184,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg649 = msg("00035:15", all222);
+
+ var part1080 = match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed to by %{username->} via web from host %{saddr->} to %{daddr}:%{dport->} %{fld5}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg650 = msg("00035:16", part1080);
+
+ var select232 = linear_select([
+ msg634,
+ msg635,
+ msg636,
+ msg637,
+ msg638,
+ msg639,
+ msg640,
+ msg641,
+ msg642,
+ msg643,
+ msg644,
+ msg645,
+ msg646,
+ msg647,
+ msg648,
+ msg649,
+ msg650,
+ ]);
+
+ var part1081 = match("MESSAGE#641:00036", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key%{}", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg651 = msg("00036", part1081);
+
+ var part1082 = match("MESSAGE#642:00036:01/0", "nwparser.payload", "%{fld2->} license keys were updated successfully by %{p0}");
+
+ var part1083 = match("MESSAGE#642:00036:01/1_1", "nwparser.p0", "manual %{p0}");
+
+ var select233 = linear_select([
+ dup214,
+ part1083,
+ ]);
+
+ var part1084 = match("MESSAGE#642:00036:01/2", "nwparser.p0", "retrieval%{}");
+
+ var all223 = all_match({
+ processors: [
+ part1082,
+ select233,
+ part1084,
+ ],
+ on_success: processor_chain([
+ dup254,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg652 = msg("00036:01", all223);
+
+ var select234 = linear_select([
+ msg651,
+ msg652,
+ ]);
+
+ var part1085 = match("MESSAGE#643:00037/0", "nwparser.payload", "Intra-zone block for zone %{zone->} was set to o%{p0}");
+
+ var part1086 = match("MESSAGE#643:00037/1_0", "nwparser.p0", "n%{}");
+
+ var part1087 = match("MESSAGE#643:00037/1_1", "nwparser.p0", "ff%{}");
+
+ var select235 = linear_select([
+ part1086,
+ part1087,
+ ]);
+
+ var all224 = all_match({
+ processors: [
+ part1085,
+ select235,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg653 = msg("00037", all224);
+
+ var part1088 = match("MESSAGE#644:00037:01/0", "nwparser.payload", "New zone %{zone->} ( %{p0}");
+
+ var select236 = linear_select([
+ dup255,
+ dup256,
+ ]);
+
+ var part1089 = match("MESSAGE#644:00037:01/2", "nwparser.p0", "%{fld2}) was created.%{p0}");
+
+ var all225 = all_match({
+ processors: [
+ part1088,
+ select236,
+ part1089,
+ dup351,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg654 = msg("00037:01", all225);
+
+ var part1090 = match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was bound to out zone %{dst_zone}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg655 = msg("00037:02", part1090);
+
+ var part1091 = match("MESSAGE#646:00037:03/1_0", "nwparser.p0", "was was %{p0}");
+
+ var part1092 = match("MESSAGE#646:00037:03/1_1", "nwparser.p0", "%{zone->} was %{p0}");
+
+ var select237 = linear_select([
+ part1091,
+ part1092,
+ ]);
+
+ var part1093 = match("MESSAGE#646:00037:03/3", "nwparser.p0", "virtual router %{p0}");
+
+ var part1094 = match("MESSAGE#646:00037:03/4_0", "nwparser.p0", "%{node->} (%{fld1})");
+
+ var part1095 = match("MESSAGE#646:00037:03/4_1", "nwparser.p0", "%{node}.");
+
+ var select238 = linear_select([
+ part1094,
+ part1095,
+ ]);
+
+ var all226 = all_match({
+ processors: [
+ dup113,
+ select237,
+ dup371,
+ part1093,
+ select238,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg656 = msg("00037:03", all226);
+
+ var part1096 = match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to non-shared.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg657 = msg("00037:04", part1096);
+
+ var part1097 = match("MESSAGE#648:00037:05/0", "nwparser.payload", "Zone %{zone->} ( %{p0}");
+
+ var select239 = linear_select([
+ dup256,
+ dup255,
+ ]);
+
+ var part1098 = match("MESSAGE#648:00037:05/2", "nwparser.p0", "%{fld2}) was deleted. %{p0}");
+
+ var part1099 = match_copy("MESSAGE#648:00037:05/3_1", "nwparser.p0", "space");
+
+ var select240 = linear_select([
+ dup10,
+ part1099,
+ ]);
+
+ var all227 = all_match({
+ processors: [
+ part1097,
+ select239,
+ part1098,
+ select240,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg658 = msg("00037:05", all227);
+
+ var part1100 = match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was %{disposition->} on zone %{zone}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg659 = msg("00037:06", part1100);
+
+ var select241 = linear_select([
+ msg653,
+ msg654,
+ msg655,
+ msg656,
+ msg657,
+ msg658,
+ msg659,
+ ]);
+
+ var part1101 = match("MESSAGE#650:00038/0", "nwparser.payload", "OSPF routing instance in vrouter %{p0}");
+
+ var part1102 = match("MESSAGE#650:00038/1_0", "nwparser.p0", "%{node->} is %{p0}");
+
+ var part1103 = match("MESSAGE#650:00038/1_1", "nwparser.p0", "%{node->} %{p0}");
+
+ var select242 = linear_select([
+ part1102,
+ part1103,
+ ]);
+
+ var all228 = all_match({
+ processors: [
+ part1101,
+ select242,
+ dup36,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg660 = msg("00038", all228);
+
+ var part1104 = match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr %{node}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg661 = msg("00039", part1104);
+
+ var part1105 = match("MESSAGE#652:00040/0_0", "nwparser.payload", "Low watermark%{p0}");
+
+ var part1106 = match("MESSAGE#652:00040/0_1", "nwparser.payload", "High watermark%{p0}");
+
+ var select243 = linear_select([
+ part1105,
+ part1106,
+ ]);
+
+ var part1107 = match("MESSAGE#652:00040/1", "nwparser.p0", "%{}for early aging has been changed to the default %{fld2}");
+
+ var all229 = all_match({
+ processors: [
+ select243,
+ part1107,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg662 = msg("00040", all229);
+
+ var part1108 = match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg663 = msg("00040:01", part1108);
+
+ var select244 = linear_select([
+ msg662,
+ msg663,
+ ]);
+
+ var part1109 = match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual router %{node->} has been removed", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg664 = msg("00041", part1109);
+
+ var part1110 = match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg665 = msg("00041:01", part1110);
+
+ var select245 = linear_select([
+ msg664,
+ msg665,
+ ]);
+
+ var part1111 = match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec tunnel on %{interface->} with tunnel ID %{fld2}! From %{saddr->} to %{daddr}/%{dport}, %{info->} (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg666 = msg("00042", part1111);
+
+ var part1112 = match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup9,
+ dup4,
+ dup5,
+ dup60,
+ ]));
+
+ var msg667 = msg("00042:01", part1112);
+
+ var select246 = linear_select([
+ msg666,
+ msg667,
+ ]);
+
+ var part1113 = match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp tunnel (%{fld2}-%{fld3}), Result code %{resultcode->} (%{result}). (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg668 = msg("00043", part1113);
+
+ var part1114 = match("MESSAGE#659:00044/0", "nwparser.payload", "access list %{listnum->} sequence number %{fld3->} %{p0}");
+
+ var part1115 = match("MESSAGE#659:00044/1_1", "nwparser.p0", "deny %{p0}");
+
+ var select247 = linear_select([
+ dup257,
+ part1115,
+ ]);
+
+ var part1116 = match("MESSAGE#659:00044/2", "nwparser.p0", "ip %{hostip}/%{mask->} %{disposition->} in vrouter %{node}");
+
+ var all230 = all_match({
+ processors: [
+ part1114,
+ select247,
+ part1116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg669 = msg("00044", all230);
+
+ var part1117 = match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{disposition->} in vrouter %{node}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg670 = msg("00044:01", part1117);
+
+ var select248 = linear_select([
+ msg669,
+ msg670,
+ ]);
+
+ var part1118 = match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router %{node->} was %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg671 = msg("00045", part1118);
+
+ var part1119 = match("MESSAGE#662:00047/1_0", "nwparser.p0", "remove %{p0}");
+
+ var part1120 = match("MESSAGE#662:00047/1_1", "nwparser.p0", "add %{p0}");
+
+ var select249 = linear_select([
+ part1119,
+ part1120,
+ ]);
+
+ var part1121 = match("MESSAGE#662:00047/2", "nwparser.p0", "multicast policy from %{src_zone->} %{fld4->} to %{dst_zone->} %{fld3->} (%{fld1})");
+
+ var all231 = all_match({
+ processors: [
+ dup183,
+ select249,
+ part1121,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg672 = msg("00047", all231);
+
+ var part1122 = match("MESSAGE#663:00048/0", "nwparser.payload", "Access list entry %{listnum->} with %{p0}");
+
+ var part1123 = match("MESSAGE#663:00048/1_0", "nwparser.p0", "a sequence %{p0}");
+
+ var part1124 = match("MESSAGE#663:00048/1_1", "nwparser.p0", "sequence %{p0}");
+
+ var select250 = linear_select([
+ part1123,
+ part1124,
+ ]);
+
+ var part1125 = match("MESSAGE#663:00048/2", "nwparser.p0", "number %{fld2->} %{p0}");
+
+ var part1126 = match("MESSAGE#663:00048/3_0", "nwparser.p0", "with an action of %{p0}");
+
+ var select251 = linear_select([
+ part1126,
+ dup112,
+ ]);
+
+ var part1127 = match("MESSAGE#663:00048/5_0", "nwparser.p0", "with an IP %{p0}");
+
+ var select252 = linear_select([
+ part1127,
+ dup139,
+ ]);
+
+ var part1128 = match("MESSAGE#663:00048/6", "nwparser.p0", "address %{p0}");
+
+ var part1129 = match("MESSAGE#663:00048/7_0", "nwparser.p0", "and subnetwork mask of %{p0}");
+
+ var select253 = linear_select([
+ part1129,
+ dup16,
+ ]);
+
+ var part1130 = match("MESSAGE#663:00048/8", "nwparser.p0", "%{} %{fld3}was %{p0}");
+
+ var part1131 = match("MESSAGE#663:00048/9_0", "nwparser.p0", "created on %{p0}");
+
+ var select254 = linear_select([
+ part1131,
+ dup129,
+ ]);
+
+ var part1132 = match("MESSAGE#663:00048/10", "nwparser.p0", "virtual router %{node->} (%{fld1})");
+
+ var all232 = all_match({
+ processors: [
+ part1122,
+ select250,
+ part1125,
+ select251,
+ dup257,
+ select252,
+ part1128,
+ select253,
+ part1130,
+ select254,
+ part1132,
+ ],
+ on_success: processor_chain([
+ setc("eventcategory","1501000000"),
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg673 = msg("00048", all232);
+
+ var part1133 = match("MESSAGE#664:00048:01/0", "nwparser.payload", "Route %{p0}");
+
+ var part1134 = match("MESSAGE#664:00048:01/1_0", "nwparser.p0", "map entry %{p0}");
+
+ var part1135 = match("MESSAGE#664:00048:01/1_1", "nwparser.p0", "entry %{p0}");
+
+ var select255 = linear_select([
+ part1134,
+ part1135,
+ ]);
+
+ var part1136 = match("MESSAGE#664:00048:01/2", "nwparser.p0", "with sequence number %{fld2->} in route map binck-ospf%{p0}");
+
+ var part1137 = match("MESSAGE#664:00048:01/3_0", "nwparser.p0", " in %{p0}");
+
+ var select256 = linear_select([
+ part1137,
+ dup105,
+ ]);
+
+ var part1138 = match("MESSAGE#664:00048:01/4", "nwparser.p0", "virtual router %{node->} was %{disposition->} (%{fld1})");
+
+ var all233 = all_match({
+ processors: [
+ part1133,
+ select255,
+ part1136,
+ select256,
+ part1138,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg674 = msg("00048:01", all233);
+
+ var part1139 = match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface %{interface->} (%{fld1})", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg675 = msg("00048:02", part1139);
+
+ var select257 = linear_select([
+ msg673,
+ msg674,
+ msg675,
+ ]);
+
+ var part1140 = match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed to %{fld8->} (%{fld2}) => %{fld3->} (%{fld4}) => %{fld5->} (%{fld6}) in virtual router (%{node})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg676 = msg("00049", part1140);
+
+ var part1141 = match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} in virtual router %{node}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg677 = msg("00049:01", part1141);
+
+ var part1142 = match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{node->} and ID %{fld2->} has been removed", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg678 = msg("00049:02", part1142);
+
+ var part1143 = match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual router \"%{node}\" used by OSPF, BGP routing instances id has been uninitialized. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg679 = msg("00049:03", part1143);
+
+ var part1144 = match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route through virtual router \"%{node}\" has been added in virtual router \"%{fld4}\" (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg680 = msg("00049:04", part1144);
+
+ var part1145 = match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking for interfaces in virtual router (%{node}) has been enabled. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg681 = msg("00049:05", part1145);
+
+ var select258 = linear_select([
+ msg676,
+ msg677,
+ msg678,
+ msg679,
+ msg680,
+ msg681,
+ ]);
+
+ var part1146 = match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg682 = msg("00050", part1146);
+
+ var part1147 = match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached %{fld2}, which is %{fld3->} of the system capacity!", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg683 = msg("00051", part1147);
+
+ var part1148 = match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:%{sport}->%{daddr}:%{dport->} used %{fld2->} percent of AV resources, which exceeded the max of %{fld3->} percent.", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg684 = msg("00052", part1148);
+
+ var part1149 = match("MESSAGE#675:00055/1_1", "nwparser.p0", "router %{p0}");
+
+ var select259 = linear_select([
+ dup169,
+ part1149,
+ ]);
+
+ var part1150 = match("MESSAGE#675:00055/2", "nwparser.p0", "instance was %{disposition->} on interface %{interface}.");
+
+ var all234 = all_match({
+ processors: [
+ dup258,
+ select259,
+ part1150,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg685 = msg("00055", all234);
+
+ var part1151 = match("MESSAGE#676:00055:01/1_0", "nwparser.p0", "proxy %{p0}");
+
+ var part1152 = match("MESSAGE#676:00055:01/1_1", "nwparser.p0", "function %{p0}");
+
+ var select260 = linear_select([
+ part1151,
+ part1152,
+ ]);
+
+ var part1153 = match("MESSAGE#676:00055:01/2", "nwparser.p0", "was %{disposition->} on interface %{interface}.");
+
+ var all235 = all_match({
+ processors: [
+ dup258,
+ select260,
+ part1153,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg686 = msg("00055:01", all235);
+
+ var part1154 = match("MESSAGE#677:00055:02/2", "nwparser.p0", "same subnet check on interface %{interface}.");
+
+ var all236 = all_match({
+ processors: [
+ dup259,
+ dup389,
+ part1154,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg687 = msg("00055:02", all236);
+
+ var part1155 = match("MESSAGE#678:00055:03/2", "nwparser.p0", "router alert IP option check on interface %{interface}.");
+
+ var all237 = all_match({
+ processors: [
+ dup259,
+ dup389,
+ part1155,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg688 = msg("00055:03", all237);
+
+ var part1156 = match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to %{version->} on interface %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg689 = msg("00055:04", part1156);
+
+ var part1157 = match("MESSAGE#680:00055:05/0", "nwparser.payload", "IGMP query %{p0}");
+
+ var part1158 = match("MESSAGE#680:00055:05/1_1", "nwparser.p0", "max response time %{p0}");
+
+ var select261 = linear_select([
+ dup110,
+ part1158,
+ ]);
+
+ var part1159 = match("MESSAGE#680:00055:05/2", "nwparser.p0", "was changed to %{fld2->} on interface %{interface}");
+
+ var all238 = all_match({
+ processors: [
+ part1157,
+ select261,
+ part1159,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg690 = msg("00055:05", all238);
+
+ var part1160 = match("MESSAGE#681:00055:06/0", "nwparser.payload", "IGMP l%{p0}");
+
+ var part1161 = match("MESSAGE#681:00055:06/1_0", "nwparser.p0", "eave %{p0}");
+
+ var part1162 = match("MESSAGE#681:00055:06/1_1", "nwparser.p0", "ast member query %{p0}");
+
+ var select262 = linear_select([
+ part1161,
+ part1162,
+ ]);
+
+ var part1163 = match("MESSAGE#681:00055:06/2", "nwparser.p0", "interval was changed to %{fld2->} on interface %{interface}.");
+
+ var all239 = all_match({
+ processors: [
+ part1160,
+ select262,
+ part1163,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg691 = msg("00055:06", all239);
+
+ var part1164 = match("MESSAGE#682:00055:07/1_0", "nwparser.p0", "routers %{p0}");
+
+ var part1165 = match("MESSAGE#682:00055:07/1_1", "nwparser.p0", "hosts %{p0}");
+
+ var part1166 = match("MESSAGE#682:00055:07/1_2", "nwparser.p0", "groups %{p0}");
+
+ var select263 = linear_select([
+ part1164,
+ part1165,
+ part1166,
+ ]);
+
+ var part1167 = match("MESSAGE#682:00055:07/2", "nwparser.p0", "accept list ID was changed to %{fld2->} on interface %{interface}.");
+
+ var all240 = all_match({
+ processors: [
+ dup258,
+ select263,
+ part1167,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg692 = msg("00055:07", all240);
+
+ var part1168 = match("MESSAGE#683:00055:08/1_0", "nwparser.p0", "all groups %{p0}");
+
+ var part1169 = match("MESSAGE#683:00055:08/1_1", "nwparser.p0", "group %{p0}");
+
+ var select264 = linear_select([
+ part1168,
+ part1169,
+ ]);
+
+ var part1170 = match("MESSAGE#683:00055:08/2", "nwparser.p0", "%{group->} static flag was %{disposition->} on interface %{interface}.");
+
+ var all241 = all_match({
+ processors: [
+ dup258,
+ select264,
+ part1170,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg693 = msg("00055:08", all241);
+
+ var part1171 = match("MESSAGE#684:00055:09", "nwparser.payload", "IGMP static group %{group->} was added on interface %{interface}", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg694 = msg("00055:09", part1171);
+
+ var part1172 = match("MESSAGE#685:00055:10", "nwparser.payload", "IGMP proxy always is %{disposition->} on interface %{interface}.", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg695 = msg("00055:10", part1172);
+
+ var select265 = linear_select([
+ msg685,
+ msg686,
+ msg687,
+ msg688,
+ msg689,
+ msg690,
+ msg691,
+ msg692,
+ msg693,
+ msg694,
+ msg695,
+ ]);
+
+ var part1173 = match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{src_zone->} %{saddr->} to %{dst_zone->} %{daddr}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg696 = msg("00056", part1173);
+
+ var part1174 = match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route src=%{saddr}, grp=%{group->} input ifp = %{sinterface->} output ifp = %{dinterface->} added", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg697 = msg("00057", part1174);
+
+ var part1175 = match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on interface %{interface}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg698 = msg("00058", part1175);
+
+ var part1176 = match("MESSAGE#689:00059/0", "nwparser.payload", "DDNS module is %{p0}");
+
+ var part1177 = match("MESSAGE#689:00059/1_0", "nwparser.p0", "initialized %{p0}");
+
+ var select266 = linear_select([
+ part1177,
+ dup262,
+ dup157,
+ dup156,
+ ]);
+
+ var all242 = all_match({
+ processors: [
+ part1176,
+ select266,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg699 = msg("00059", all242);
+
+ var part1178 = match("MESSAGE#690:00059:02/0", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with server type \"%{fld3}\" name \"%{hostname}\" refresh-interval %{fld5->} hours minimum update interval %{fld6->} minutes with %{p0}");
+
+ var part1179 = match("MESSAGE#690:00059:02/1_0", "nwparser.p0", "secure %{p0}");
+
+ var part1180 = match("MESSAGE#690:00059:02/1_1", "nwparser.p0", "clear-text %{p0}");
+
+ var select267 = linear_select([
+ part1179,
+ part1180,
+ ]);
+
+ var part1181 = match("MESSAGE#690:00059:02/2", "nwparser.p0", "secure connection.%{}");
+
+ var all243 = all_match({
+ processors: [
+ part1178,
+ select267,
+ part1181,
+ ],
+ on_success: processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg700 = msg("00059:02", all243);
+
+ var part1182 = match("MESSAGE#691:00059:03", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with user name \"%{username}\" agent \"%{fld3}\"", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg701 = msg("00059:03", part1182);
+
+ var part1183 = match("MESSAGE#692:00059:04", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with interface \"%{interface}\" host-name \"%{hostname}\"", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg702 = msg("00059:04", part1183);
+
+ var part1184 = match("MESSAGE#693:00059:05/0_0", "nwparser.payload", "Hostname %{p0}");
+
+ var part1185 = match("MESSAGE#693:00059:05/0_1", "nwparser.payload", "Source interface %{p0}");
+
+ var part1186 = match("MESSAGE#693:00059:05/0_2", "nwparser.payload", "Username and password %{p0}");
+
+ var part1187 = match("MESSAGE#693:00059:05/0_3", "nwparser.payload", "Server %{p0}");
+
+ var select268 = linear_select([
+ part1184,
+ part1185,
+ part1186,
+ part1187,
+ ]);
+
+ var part1188 = match("MESSAGE#693:00059:05/1", "nwparser.p0", "of DDNS entry with id %{fld2->} is cleared.");
+
+ var all244 = all_match({
+ processors: [
+ select268,
+ part1188,
+ ],
+ on_success: processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg703 = msg("00059:05", all244);
+
+ var part1189 = match("MESSAGE#694:00059:06", "nwparser.payload", "Agent of DDNS entry with id %{fld2->} is reset to its default value.", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg704 = msg("00059:06", part1189);
+
+ var part1190 = match("MESSAGE#695:00059:07", "nwparser.payload", "Updates for DDNS entry with id %{fld2->} are set to be sent in secure (%{protocol}) mode.", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg705 = msg("00059:07", part1190);
+
+ var part1191 = match("MESSAGE#696:00059:08/0_0", "nwparser.payload", "Refresh %{p0}");
+
+ var part1192 = match("MESSAGE#696:00059:08/0_1", "nwparser.payload", "Minimum update %{p0}");
+
+ var select269 = linear_select([
+ part1191,
+ part1192,
+ ]);
+
+ var part1193 = match("MESSAGE#696:00059:08/1", "nwparser.p0", "interval of DDNS entry with id %{fld2->} is set to default value (%{fld3}).");
+
+ var all245 = all_match({
+ processors: [
+ select269,
+ part1193,
+ ],
+ on_success: processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg706 = msg("00059:08", all245);
+
+ var part1194 = match("MESSAGE#697:00059:09/1_0", "nwparser.p0", "No-Change %{p0}");
+
+ var part1195 = match("MESSAGE#697:00059:09/1_1", "nwparser.p0", "Error %{p0}");
+
+ var select270 = linear_select([
+ part1194,
+ part1195,
+ ]);
+
+ var part1196 = match("MESSAGE#697:00059:09/2", "nwparser.p0", "response received for DDNS entry update for id %{fld2->} user \"%{username}\" domain \"%{domain}\" server type \" d%{p0}");
+
+ var part1197 = match("MESSAGE#697:00059:09/3_1", "nwparser.p0", "yndns %{p0}");
+
+ var select271 = linear_select([
+ dup261,
+ part1197,
+ ]);
+
+ var part1198 = match("MESSAGE#697:00059:09/4", "nwparser.p0", "\", server name \"%{hostname}\"");
+
+ var all246 = all_match({
+ processors: [
+ dup160,
+ select270,
+ part1196,
+ select271,
+ part1198,
+ ],
+ on_success: processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg707 = msg("00059:09", all246);
+
+ var part1199 = match("MESSAGE#698:00059:01", "nwparser.payload", "DDNS entry with id %{fld2->} is %{disposition}.", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg708 = msg("00059:01", part1199);
+
+ var select272 = linear_select([
+ msg699,
+ msg700,
+ msg701,
+ msg702,
+ msg703,
+ msg704,
+ msg705,
+ msg706,
+ msg707,
+ msg708,
+ ]);
+
+ var part1200 = match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip->} failed. (%{event_time_string})", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("event_description","Track IP failed"),
+ ]));
+
+ var msg709 = msg("00062:01", part1200);
+
+ var part1201 = match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached threshold. (%{event_time_string})", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("event_description","Track IP failure reached threshold"),
+ ]));
+
+ var msg710 = msg("00062:02", part1201);
+
+ var part1202 = match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip->} succeeded. (%{event_time_string})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("event_description","Track IP succeeded"),
+ ]));
+
+ var msg711 = msg("00062:03", part1202);
+
+ var part1203 = match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg712 = msg("00062", part1203);
+
+ var select273 = linear_select([
+ msg709,
+ msg710,
+ msg711,
+ msg712,
+ ]);
+
+ var part1204 = match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{disposition}!", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg713 = msg("00063", part1204);
+
+ var part1205 = match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg714 = msg("00064", part1205);
+
+ var part1206 = match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches threshold system may fail over!%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg715 = msg("00064:01", part1206);
+
+ var part1207 = match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from policy ID %{policy_id}. (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg716 = msg("00064:02", part1207);
+
+ var select274 = linear_select([
+ msg714,
+ msg715,
+ msg716,
+ ]);
+
+ var msg717 = msg("00070", dup411);
+
+ var part1208 = match("MESSAGE#708:00070:01/2", "nwparser.p0", "%{}Device group %{group->} changed state from %{fld3->} to %{p0}");
+
+ var part1209 = match("MESSAGE#708:00070:01/3_0", "nwparser.p0", "Init%{}");
+
+ var part1210 = match("MESSAGE#708:00070:01/3_1", "nwparser.p0", "init. (%{fld1})");
+
+ var select275 = linear_select([
+ part1209,
+ part1210,
+ ]);
+
+ var all247 = all_match({
+ processors: [
+ dup267,
+ dup391,
+ part1208,
+ select275,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg718 = msg("00070:01", all247);
+
+ var part1211 = match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel change to %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg719 = msg("00070:02", part1211);
+
+ var select276 = linear_select([
+ msg717,
+ msg718,
+ msg719,
+ ]);
+
+ var msg720 = msg("00071", dup411);
+
+ var part1212 = match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in the Virtual Security Device group %{group->} changed state", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg721 = msg("00071:01", part1212);
+
+ var select277 = linear_select([
+ msg720,
+ msg721,
+ ]);
+
+ var msg722 = msg("00072", dup411);
+
+ var msg723 = msg("00072:01", dup412);
+
+ var select278 = linear_select([
+ msg722,
+ msg723,
+ ]);
+
+ var msg724 = msg("00073", dup411);
+
+ var msg725 = msg("00073:01", dup412);
+
+ var select279 = linear_select([
+ msg724,
+ msg725,
+ ]);
+
+ var msg726 = msg("00074", dup392);
+
+ var all248 = all_match({
+ processors: [
+ dup263,
+ dup390,
+ dup271,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg727 = msg("00075", all248);
+
+ var part1213 = match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} changed state from %{event_state->} to inoperable. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ setc("event_description","local device in the Virtual Security Device group changed state to inoperable"),
+ ]));
+
+ var msg728 = msg("00075:02", part1213);
+
+ var part1214 = match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg729 = msg("00075:01", part1214);
+
+ var select280 = linear_select([
+ msg727,
+ msg728,
+ msg729,
+ ]);
+
+ var msg730 = msg("00076", dup392);
+
+ var part1215 = match("MESSAGE#721:00076:01/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} send 2nd path request to unit=%{fld3}");
+
+ var all249 = all_match({
+ processors: [
+ dup263,
+ dup390,
+ part1215,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg731 = msg("00076:01", all249);
+
+ var select281 = linear_select([
+ msg730,
+ msg731,
+ ]);
+
+ var part1216 = match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. Begin to use second path of HA%{}", processor_chain([
+ dup144,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg732 = msg("00077", part1216);
+
+ var all250 = all_match({
+ processors: [
+ dup263,
+ dup390,
+ dup271,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg733 = msg("00077:01", all250);
+
+ var part1217 = match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group}", processor_chain([
+ setc("eventcategory","1607000000"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg734 = msg("00077:02", part1217);
+
+ var select282 = linear_select([
+ msg732,
+ msg733,
+ msg734,
+ ]);
+
+ var part1218 = match("MESSAGE#725:00084", "nwparser.payload", "RTSYNC: NSRP route synchronization is %{disposition}", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg735 = msg("00084", part1218);
+
+ var part1219 = match("MESSAGE#726:00090/0_0", "nwparser.payload", "Failover %{p0}");
+
+ var part1220 = match("MESSAGE#726:00090/0_1", "nwparser.payload", "Recovery %{p0}");
+
+ var select283 = linear_select([
+ part1219,
+ part1220,
+ ]);
+
+ var part1221 = match("MESSAGE#726:00090/3", "nwparser.p0", "untrust interface occurred.%{}");
+
+ var all251 = all_match({
+ processors: [
+ select283,
+ dup103,
+ dup369,
+ part1221,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg736 = msg("00090", all251);
+
+ var part1222 = match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to the device because the maximum number of system route entries %{fld2->} has been exceeded", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg737 = msg("00200", part1222);
+
+ var part1223 = match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cannot be added to the virtual router %{node->} because the number of route entries in the virtual router exceeds the maximum number of routes %{fld3->} allowed", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg738 = msg("00201", part1223);
+
+ var part1224 = match("MESSAGE#729:00202", "nwparser.payload", "%{fld2->} hello-packet flood from neighbor (ip = %{hostip->} router-id = %{fld3}) on interface %{interface->} packet is dropped", processor_chain([
+ dup272,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg739 = msg("00202", part1224);
+
+ var part1225 = match("MESSAGE#730:00203", "nwparser.payload", "%{fld2->} lsa flood on interface %{interface->} has dropped a packet.", processor_chain([
+ dup272,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg740 = msg("00203", part1225);
+
+ var part1226 = match("MESSAGE#731:00206/0", "nwparser.payload", "The total number of redistributed routes into %{p0}");
+
+ var part1227 = match("MESSAGE#731:00206/1_0", "nwparser.p0", "BGP %{p0}");
+
+ var part1228 = match("MESSAGE#731:00206/1_1", "nwparser.p0", "OSPF %{p0}");
+
+ var select284 = linear_select([
+ part1227,
+ part1228,
+ ]);
+
+ var part1229 = match("MESSAGE#731:00206/2", "nwparser.p0", "in vrouter %{node->} exceeded system limit (%{fld2})");
+
+ var all252 = all_match({
+ processors: [
+ part1226,
+ select284,
+ part1229,
+ ],
+ on_success: processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg741 = msg("00206", all252);
+
+ var part1230 = match("MESSAGE#732:00206:01/0", "nwparser.payload", "LSA flood in OSPF with router-id %{fld2->} on %{p0}");
+
+ var part1231 = match("MESSAGE#732:00206:01/2", "nwparser.p0", "%{interface->} forced the interface to drop a packet.");
+
+ var all253 = all_match({
+ processors: [
+ part1230,
+ dup352,
+ part1231,
+ ],
+ on_success: processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg742 = msg("00206:01", all253);
+
+ var part1232 = match("MESSAGE#733:00206:02/0", "nwparser.payload", "OSPF instance with router-id %{fld3->} received a Hello packet flood from neighbor (IP address %{hostip}, router ID %{fld2}) on %{p0}");
+
+ var part1233 = match("MESSAGE#733:00206:02/2", "nwparser.p0", "%{interface->} forcing the interface to drop the packet.");
+
+ var all254 = all_match({
+ processors: [
+ part1232,
+ dup352,
+ part1233,
+ ],
+ on_success: processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg743 = msg("00206:02", all254);
+
+ var part1234 = match("MESSAGE#734:00206:03", "nwparser.payload", "Link State Advertisement Id %{fld2}, router ID %{fld3}, type %{fld4->} cannot be deleted from the real-time database in area %{fld5}", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg744 = msg("00206:03", part1234);
+
+ var part1235 = match("MESSAGE#735:00206:04", "nwparser.payload", "Reject second OSPF neighbor (%{fld2}) on interface (%{interface}) since it_s configured as point-to-point interface", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg745 = msg("00206:04", part1235);
+
+ var select285 = linear_select([
+ msg741,
+ msg742,
+ msg743,
+ msg744,
+ msg745,
+ ]);
+
+ var part1236 = match("MESSAGE#736:00207", "nwparser.payload", "System wide RIP route limit exceeded, RIP route dropped.%{}", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg746 = msg("00207", part1236);
+
+ var part1237 = match("MESSAGE#737:00207:01", "nwparser.payload", "%{fld2->} RIP routes dropped from last system wide RIP route limit exceed.", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg747 = msg("00207:01", part1237);
+
+ var part1238 = match("MESSAGE#738:00207:02", "nwparser.payload", "RIP database size limit exceeded for %{fld2}, RIP route dropped.", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg748 = msg("00207:02", part1238);
+
+ var part1239 = match("MESSAGE#739:00207:03", "nwparser.payload", "%{fld2->} RIP routes dropped from the last database size exceed in vr %{fld3}.", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg749 = msg("00207:03", part1239);
+
+ var select286 = linear_select([
+ msg746,
+ msg747,
+ msg748,
+ msg749,
+ ]);
+
+ var part1240 = match("MESSAGE#740:00257", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup276,
+ dup277,
+ dup278,
+ ]));
+
+ var msg750 = msg("00257", part1240);
+
+ var part1241 = match("MESSAGE#741:00257:14", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup279,
+ dup276,
+ dup277,
+ dup280,
+ ]));
+
+ var msg751 = msg("00257:14", part1241);
+
+ var part1242 = match("MESSAGE#742:00257:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup282,
+ dup278,
+ ]));
+
+ var msg752 = msg("00257:01", part1242);
+
+ var part1243 = match("MESSAGE#743:00257:15", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup279,
+ dup282,
+ dup280,
+ ]));
+
+ var msg753 = msg("00257:15", part1243);
+
+ var part1244 = match("MESSAGE#744:00257:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup276,
+ dup277,
+ ]));
+
+ var msg754 = msg("00257:02", part1244);
+
+ var part1245 = match("MESSAGE#745:00257:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup282,
+ ]));
+
+ var msg755 = msg("00257:03", part1245);
+
+ var part1246 = match("MESSAGE#746:00257:04", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup276,
+ dup277,
+ ]));
+
+ var msg756 = msg("00257:04", part1246);
+
+ var part1247 = match("MESSAGE#747:00257:05", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid->} reason=%{result}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup282,
+ ]));
+
+ var msg757 = msg("00257:05", part1247);
+
+ var part1248 = match("MESSAGE#748:00257:19/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} icmp code=%{icmpcode->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid->} reason=%{result}");
+
+ var all255 = all_match({
+ processors: [
+ dup283,
+ dup393,
+ part1248,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup282,
+ ]),
+ });
+
+ var msg758 = msg("00257:19", all255);
+
+ var part1249 = match("MESSAGE#749:00257:16/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid}");
+
+ var all256 = all_match({
+ processors: [
+ dup283,
+ dup393,
+ part1249,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup282,
+ ]),
+ });
+
+ var msg759 = msg("00257:16", all256);
+
+ var part1250 = match("MESSAGE#750:00257:17/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid}");
+
+ var all257 = all_match({
+ processors: [
+ dup283,
+ dup393,
+ part1250,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup282,
+ ]),
+ });
+
+ var msg760 = msg("00257:17", all257);
+
+ var part1251 = match("MESSAGE#751:00257:18/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} session_id=%{sessionid}");
+
+ var all258 = all_match({
+ processors: [
+ dup283,
+ dup393,
+ part1251,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup282,
+ ]),
+ });
+
+ var msg761 = msg("00257:18", all258);
+
+ var part1252 = match("MESSAGE#752:00257:06/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{p0}");
+
+ var part1253 = match("MESSAGE#752:00257:06/1_0", "nwparser.p0", "%{dport->} session_id=%{sessionid}");
+
+ var part1254 = match_copy("MESSAGE#752:00257:06/1_1", "nwparser.p0", "dport");
+
+ var select287 = linear_select([
+ part1253,
+ part1254,
+ ]);
+
+ var all259 = all_match({
+ processors: [
+ part1252,
+ select287,
+ ],
+ on_success: processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup276,
+ dup277,
+ ]),
+ });
+
+ var msg762 = msg("00257:06", all259);
+
+ var part1255 = match("MESSAGE#753:00257:07", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup282,
+ ]));
+
+ var msg763 = msg("00257:07", part1255);
+
+ var part1256 = match("MESSAGE#754:00257:08", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} tcp=%{icmptype}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup276,
+ dup277,
+ ]));
+
+ var msg764 = msg("00257:08", part1256);
+
+ var part1257 = match("MESSAGE#755:00257:09/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{p0}");
+
+ var part1258 = match("MESSAGE#755:00257:09/1_0", "nwparser.p0", "%{icmptype->} icmp code=%{icmpcode->} session_id=%{sessionid->} reason=%{result}");
+
+ var part1259 = match("MESSAGE#755:00257:09/1_1", "nwparser.p0", "%{icmptype->} session_id=%{sessionid}");
+
+ var part1260 = match_copy("MESSAGE#755:00257:09/1_2", "nwparser.p0", "icmptype");
+
+ var select288 = linear_select([
+ part1258,
+ part1259,
+ part1260,
+ ]);
+
+ var all260 = all_match({
+ processors: [
+ part1257,
+ select288,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup282,
+ ]),
+ });
+
+ var msg765 = msg("00257:09", all260);
+
+ var part1261 = match("MESSAGE#756:00257:10/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}");
+
+ var part1262 = match("MESSAGE#756:00257:10/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid}");
+
+ var select289 = linear_select([
+ part1262,
+ dup286,
+ ]);
+
+ var all261 = all_match({
+ processors: [
+ part1261,
+ select289,
+ ],
+ on_success: processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup276,
+ dup277,
+ ]),
+ });
+
+ var msg766 = msg("00257:10", all261);
+
+ var part1263 = match("MESSAGE#757:00257:11/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}");
+
+ var part1264 = match("MESSAGE#757:00257:11/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid->} reason=%{result}");
+
+ var select290 = linear_select([
+ part1264,
+ dup286,
+ ]);
+
+ var all262 = all_match({
+ processors: [
+ part1263,
+ select290,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup282,
+ ]),
+ });
+
+ var msg767 = msg("00257:11", all262);
+
+ var part1265 = match("MESSAGE#758:00257:12", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} type=%{fld3}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup282,
+ ]));
+
+ var msg768 = msg("00257:12", part1265);
+
+ var part1266 = match("MESSAGE#759:00257:13", "nwparser.payload", "start_time=\"%{fld2}", processor_chain([
+ dup281,
+ dup2,
+ dup3,
+ dup274,
+ dup4,
+ dup5,
+ ]));
+
+ var msg769 = msg("00257:13", part1266);
+
+ var select291 = linear_select([
+ msg750,
+ msg751,
+ msg752,
+ msg753,
+ msg754,
+ msg755,
+ msg756,
+ msg757,
+ msg758,
+ msg759,
+ msg760,
+ msg761,
+ msg762,
+ msg763,
+ msg764,
+ msg765,
+ msg766,
+ msg767,
+ msg768,
+ msg769,
+ ]);
+
+ var part1267 = match("MESSAGE#760:00259/1", "nwparser.p0", "user %{username->} has logged on via %{p0}");
+
+ var part1268 = match("MESSAGE#760:00259/2_0", "nwparser.p0", "the console %{p0}");
+
+ var select292 = linear_select([
+ part1268,
+ dup289,
+ dup241,
+ ]);
+
+ var part1269 = match("MESSAGE#760:00259/3", "nwparser.p0", "from %{saddr}:%{sport}");
+
+ var all263 = all_match({
+ processors: [
+ dup394,
+ part1267,
+ select292,
+ part1269,
+ ],
+ on_success: processor_chain([
+ dup28,
+ dup29,
+ dup30,
+ dup31,
+ dup32,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg770 = msg("00259", all263);
+
+ var part1270 = match("MESSAGE#761:00259:07/1", "nwparser.p0", "user %{administrator->} has logged out via %{logon_type->} from %{saddr}:%{sport}");
+
+ var all264 = all_match({
+ processors: [
+ dup394,
+ part1270,
+ ],
+ on_success: processor_chain([
+ dup33,
+ dup29,
+ dup34,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg771 = msg("00259:07", all264);
+
+ var part1271 = match("MESSAGE#762:00259:01", "nwparser.payload", "Management session via %{logon_type->} from %{saddr}:%{sport->} for [vsys] admin %{administrator->} has timed out", processor_chain([
+ dup290,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg772 = msg("00259:01", part1271);
+
+ var part1272 = match("MESSAGE#763:00259:02", "nwparser.payload", "Management session via %{logon_type->} for [ vsys ] admin %{administrator->} has timed out", processor_chain([
+ dup290,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg773 = msg("00259:02", part1272);
+
+ var part1273 = match("MESSAGE#764:00259:03", "nwparser.payload", "Login attempt to system by admin %{administrator->} via the %{logon_type->} has failed", processor_chain([
+ dup206,
+ dup29,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg774 = msg("00259:03", part1273);
+
+ var part1274 = match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{logon_type->} from %{saddr}:%{sport->} has failed", processor_chain([
+ dup206,
+ dup29,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg775 = msg("00259:04", part1274);
+
+ var part1275 = match("MESSAGE#766:00259:05/0", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the %{p0}");
+
+ var part1276 = match("MESSAGE#766:00259:05/1_2", "nwparser.p0", "Web %{p0}");
+
+ var select293 = linear_select([
+ dup241,
+ dup289,
+ part1276,
+ ]);
+
+ var part1277 = match("MESSAGE#766:00259:05/2", "nwparser.p0", "session on host %{daddr}:%{dport}");
+
+ var all265 = all_match({
+ processors: [
+ part1275,
+ select293,
+ part1277,
+ ],
+ on_success: processor_chain([
+ dup290,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg776 = msg("00259:05", all265);
+
+ var part1278 = match("MESSAGE#767:00259:06", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the serial console session.", processor_chain([
+ dup290,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg777 = msg("00259:06", part1278);
+
+ var select294 = linear_select([
+ msg770,
+ msg771,
+ msg772,
+ msg773,
+ msg774,
+ msg775,
+ msg776,
+ msg777,
+ ]);
+
+ var part1279 = match("MESSAGE#768:00262", "nwparser.payload", "Admin user %{administrator->} has been rejected via the %{logon_type->} server at %{hostip}", processor_chain([
+ dup290,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg778 = msg("00262", part1279);
+
+ var part1280 = match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} has been accepted via the %{logon_type->} server at %{hostip}", processor_chain([
+ setc("eventcategory","1401050100"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg779 = msg("00263", part1280);
+
+ var part1281 = match("MESSAGE#770:00400/0_0", "nwparser.payload", "ActiveX control %{p0}");
+
+ var part1282 = match("MESSAGE#770:00400/0_1", "nwparser.payload", "JAVA applet %{p0}");
+
+ var part1283 = match("MESSAGE#770:00400/0_2", "nwparser.payload", "EXE file %{p0}");
+
+ var part1284 = match("MESSAGE#770:00400/0_3", "nwparser.payload", "ZIP file %{p0}");
+
+ var select295 = linear_select([
+ part1281,
+ part1282,
+ part1283,
+ part1284,
+ ]);
+
+ var part1285 = match("MESSAGE#770:00400/1", "nwparser.p0", "has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{dinterface->} in zone %{dst_zone}. %{info}");
+
+ var all266 = all_match({
+ processors: [
+ select295,
+ part1285,
+ ],
+ on_success: processor_chain([
+ setc("eventcategory","1003000000"),
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup61,
+ ]),
+ });
+
+ var msg780 = msg("00400", all266);
+
+ var part1286 = match("MESSAGE#771:00401", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([
+ dup85,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup291,
+ ]));
+
+ var msg781 = msg("00401", part1286);
+
+ var part1287 = match("MESSAGE#772:00402", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([
+ dup85,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup292,
+ ]));
+
+ var msg782 = msg("00402", part1287);
+
+ var part1288 = match("MESSAGE#773:00402:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at %{p0}");
+
+ var part1289 = match("MESSAGE#773:00402:01/2", "nwparser.p0", "%{} %{interface->} in zone %{zone}. %{info}");
+
+ var all267 = all_match({
+ processors: [
+ part1288,
+ dup337,
+ part1289,
+ ],
+ on_success: processor_chain([
+ dup85,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup292,
+ ]),
+ });
+
+ var msg783 = msg("00402:01", all267);
+
+ var select296 = linear_select([
+ msg782,
+ msg783,
+ ]);
+
+ var part1290 = match("MESSAGE#774:00403", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([
+ dup85,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup291,
+ ]));
+
+ var msg784 = msg("00403", part1290);
+
+ var part1291 = match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([
+ dup147,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup292,
+ ]));
+
+ var msg785 = msg("00404", part1291);
+
+ var part1292 = match("MESSAGE#776:00405", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([
+ dup147,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup291,
+ ]));
+
+ var msg786 = msg("00405", part1292);
+
+ var msg787 = msg("00406", dup413);
+
+ var msg788 = msg("00407", dup413);
+
+ var msg789 = msg("00408", dup413);
+
+ var all268 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup293,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg790 = msg("00409", all268);
+
+ var msg791 = msg("00410", dup413);
+
+ var part1293 = match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup60,
+ ]));
+
+ var msg792 = msg("00410:01", part1293);
+
+ var select297 = linear_select([
+ msg791,
+ msg792,
+ ]);
+
+ var part1294 = match("MESSAGE#783:00411/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto TCP (zone %{zone->} %{p0}");
+
+ var all269 = all_match({
+ processors: [
+ part1294,
+ dup343,
+ dup293,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg793 = msg("00411", all269);
+
+ var part1295 = match("MESSAGE#784:00413/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at %{p0}");
+
+ var part1296 = match("MESSAGE#784:00413/2", "nwparser.p0", "%{} %{interface}.%{space}The attack occurred %{dclass_counter1->} times");
+
+ var all270 = all_match({
+ processors: [
+ part1295,
+ dup337,
+ part1296,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg794 = msg("00413", all270);
+
+ var part1297 = match("MESSAGE#785:00413:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}(zone %{group->} %{p0}");
+
+ var all271 = all_match({
+ processors: [
+ part1297,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ dup61,
+ ]),
+ });
+
+ var msg795 = msg("00413:01", all271);
+
+ var part1298 = match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup9,
+ ]));
+
+ var msg796 = msg("00413:02", part1298);
+
+ var select298 = linear_select([
+ msg794,
+ msg795,
+ msg796,
+ ]);
+
+ var part1299 = match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg797 = msg("00414", part1299);
+
+ var part1300 = match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg798 = msg("00414:01", part1300);
+
+ var select299 = linear_select([
+ msg797,
+ msg798,
+ ]);
+
+ var part1301 = match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg799 = msg("00415", part1301);
+
+ var all272 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup294,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg800 = msg("00423", all272);
+
+ var all273 = all_match({
+ processors: [
+ dup80,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup9,
+ dup59,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg801 = msg("00429", all273);
+
+ var all274 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup9,
+ dup59,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg802 = msg("00429:01", all274);
+
+ var select300 = linear_select([
+ msg801,
+ msg802,
+ ]);
+
+ var all275 = all_match({
+ processors: [
+ dup80,
+ dup343,
+ dup295,
+ dup351,
+ ],
+ on_success: processor_chain([
+ dup85,
+ dup2,
+ dup59,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg803 = msg("00430", all275);
+
+ var all276 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup295,
+ dup351,
+ ],
+ on_success: processor_chain([
+ dup85,
+ dup2,
+ dup59,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg804 = msg("00430:01", all276);
+
+ var select301 = linear_select([
+ msg803,
+ msg804,
+ ]);
+
+ var msg805 = msg("00431", dup414);
+
+ var msg806 = msg("00432", dup414);
+
+ var msg807 = msg("00433", dup415);
+
+ var msg808 = msg("00434", dup415);
+
+ var msg809 = msg("00435", dup395);
+
+ var all277 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup294,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup59,
+ dup5,
+ dup3,
+ dup60,
+ ]),
+ });
+
+ var msg810 = msg("00435:01", all277);
+
+ var select302 = linear_select([
+ msg809,
+ msg810,
+ ]);
+
+ var msg811 = msg("00436", dup395);
+
+ var all278 = all_match({
+ processors: [
+ dup64,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup9,
+ dup4,
+ dup5,
+ dup3,
+ dup60,
+ ]),
+ });
+
+ var msg812 = msg("00436:01", all278);
+
+ var select303 = linear_select([
+ msg811,
+ msg812,
+ ]);
+
+ var part1302 = match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg813 = msg("00437", part1302);
+
+ var all279 = all_match({
+ processors: [
+ dup299,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ dup9,
+ ]),
+ });
+
+ var msg814 = msg("00437:01", all279);
+
+ var part1303 = match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ dup9,
+ ]));
+
+ var msg815 = msg("00437:02", part1303);
+
+ var select304 = linear_select([
+ msg813,
+ msg814,
+ msg815,
+ ]);
+
+ var part1304 = match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg816 = msg("00438", part1304);
+
+ var part1305 = match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg817 = msg("00438:01", part1305);
+
+ var all280 = all_match({
+ processors: [
+ dup299,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ dup61,
+ ]),
+ });
+
+ var msg818 = msg("00438:02", all280);
+
+ var select305 = linear_select([
+ msg816,
+ msg817,
+ msg818,
+ ]);
+
+ var part1306 = match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ dup60,
+ ]));
+
+ var msg819 = msg("00440", part1306);
+
+ var part1307 = match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup4,
+ dup5,
+ dup3,
+ dup61,
+ ]));
+
+ var msg820 = msg("00440:02", part1307);
+
+ var all281 = all_match({
+ processors: [
+ dup239,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup4,
+ dup5,
+ dup3,
+ dup9,
+ dup61,
+ ]),
+ });
+
+ var msg821 = msg("00440:01", all281);
+
+ var part1308 = match("MESSAGE#812:00440:03/0", "nwparser.payload", "Fragmented traffic! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{group->} %{p0}");
+
+ var all282 = all_match({
+ processors: [
+ part1308,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup4,
+ dup5,
+ dup3,
+ dup9,
+ dup60,
+ ]),
+ });
+
+ var msg822 = msg("00440:03", all282);
+
+ var select306 = linear_select([
+ msg819,
+ msg820,
+ msg821,
+ msg822,
+ ]);
+
+ var part1309 = match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup4,
+ dup59,
+ dup5,
+ dup9,
+ dup2,
+ dup3,
+ dup60,
+ ]));
+
+ var msg823 = msg("00441", part1309);
+
+ var msg824 = msg("00442", dup396);
+
+ var msg825 = msg("00443", dup396);
+
+ var part1310 = match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued command %{fld2->} to redirect output.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg826 = msg("00511", part1310);
+
+ var part1311 = match("MESSAGE#817:00511:01/0", "nwparser.payload", "All System Config saved by admin %{p0}");
+
+ var all283 = all_match({
+ processors: [
+ part1311,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg827 = msg("00511:01", all283);
+
+ var part1312 = match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms are cleared by admin %{administrator}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg828 = msg("00511:02", part1312);
+
+ var part1313 = match("MESSAGE#819:00511:03/0", "nwparser.payload", "Get new software from flash to slot (file: %{fld2}) by admin %{p0}");
+
+ var all284 = all_match({
+ processors: [
+ part1313,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg829 = msg("00511:03", all284);
+
+ var part1314 = match("MESSAGE#820:00511:04/0", "nwparser.payload", "Get new software from %{hostip->} (file: %{fld2}) to slot (file: %{fld3}) by admin %{p0}");
+
+ var all285 = all_match({
+ processors: [
+ part1314,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg830 = msg("00511:04", all285);
+
+ var part1315 = match("MESSAGE#821:00511:05/0", "nwparser.payload", "Get new software to %{hostip->} (file: %{fld2}) by admin %{p0}");
+
+ var all286 = all_match({
+ processors: [
+ part1315,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg831 = msg("00511:05", all286);
+
+ var part1316 = match("MESSAGE#822:00511:06/0", "nwparser.payload", "Log setting is modified by admin %{p0}");
+
+ var all287 = all_match({
+ processors: [
+ part1316,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg832 = msg("00511:06", all287);
+
+ var part1317 = match("MESSAGE#823:00511:07/0", "nwparser.payload", "Save configuration to %{hostip->} (file: %{fld2}) by admin %{p0}");
+
+ var all288 = all_match({
+ processors: [
+ part1317,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg833 = msg("00511:07", all288);
+
+ var part1318 = match("MESSAGE#824:00511:08/0", "nwparser.payload", "Save new software from slot (file: %{fld2}) to flash by admin %{p0}");
+
+ var all289 = all_match({
+ processors: [
+ part1318,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg834 = msg("00511:08", all289);
+
+ var part1319 = match("MESSAGE#825:00511:09/0", "nwparser.payload", "Save new software from %{hostip->} (file: %{result}) to flash by admin %{p0}");
+
+ var all290 = all_match({
+ processors: [
+ part1319,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg835 = msg("00511:09", all290);
+
+ var part1320 = match("MESSAGE#826:00511:10/0", "nwparser.payload", "System Config from flash to slot - %{fld2->} by admin %{p0}");
+
+ var all291 = all_match({
+ processors: [
+ part1320,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg836 = msg("00511:10", all291);
+
+ var part1321 = match("MESSAGE#827:00511:11/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) to slot - %{fld3->} by admin %{p0}");
+
+ var all292 = all_match({
+ processors: [
+ part1321,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg837 = msg("00511:11", all292);
+
+ var part1322 = match("MESSAGE#828:00511:12/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) by admin %{p0}");
+
+ var all293 = all_match({
+ processors: [
+ part1322,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg838 = msg("00511:12", all293);
+
+ var part1323 = match("MESSAGE#829:00511:13/0", "nwparser.payload", "The system configuration was loaded from the slot by admin %{p0}");
+
+ var all294 = all_match({
+ processors: [
+ part1323,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg839 = msg("00511:13", all294);
+
+ var part1324 = match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS shared secret with invalid length %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg840 = msg("00511:14", part1324);
+
+ var select307 = linear_select([
+ msg826,
+ msg827,
+ msg828,
+ msg829,
+ msg830,
+ msg831,
+ msg832,
+ msg833,
+ msg834,
+ msg835,
+ msg836,
+ msg837,
+ msg838,
+ msg839,
+ msg840,
+ ]);
+
+ var part1325 = match("MESSAGE#831:00513/0", "nwparser.payload", "The physical state of %{p0}");
+
+ var part1326 = match("MESSAGE#831:00513/1_1", "nwparser.p0", "the Interface %{p0}");
+
+ var select308 = linear_select([
+ dup123,
+ part1326,
+ dup122,
+ ]);
+
+ var part1327 = match("MESSAGE#831:00513/2", "nwparser.p0", "%{interface->} has changed to %{p0}");
+
+ var part1328 = match("MESSAGE#831:00513/3_0", "nwparser.p0", "%{result}. (%{fld1})");
+
+ var part1329 = match_copy("MESSAGE#831:00513/3_1", "nwparser.p0", "result");
+
+ var select309 = linear_select([
+ part1328,
+ part1329,
+ ]);
+
+ var all295 = all_match({
+ processors: [
+ part1325,
+ select308,
+ part1327,
+ select309,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg841 = msg("00513", all295);
+
+ var part1330 = match("MESSAGE#832:00515/0_0", "nwparser.payload", "Vsys Admin %{p0}");
+
+ var select310 = linear_select([
+ part1330,
+ dup287,
+ ]);
+
+ var part1331 = match("MESSAGE#832:00515/1", "nwparser.p0", "%{administrator->} has logged on via the %{logon_type->} ( HTTP%{p0}");
+
+ var part1332 = match("MESSAGE#832:00515/2_1", "nwparser.p0", "S%{p0}");
+
+ var select311 = linear_select([
+ dup96,
+ part1332,
+ ]);
+
+ var part1333 = match("MESSAGE#832:00515/3", "nwparser.p0", "%{}) to port %{interface->} from %{saddr}:%{sport}");
+
+ var all296 = all_match({
+ processors: [
+ select310,
+ part1331,
+ select311,
+ part1333,
+ ],
+ on_success: processor_chain([
+ dup301,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg842 = msg("00515", all296);
+
+ var part1334 = match("MESSAGE#833:00515:01/0", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{p0}");
+
+ var part1335 = match("MESSAGE#833:00515:01/1_0", "nwparser.p0", "the %{logon_type->} has failed %{p0}");
+
+ var part1336 = match("MESSAGE#833:00515:01/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} has failed %{p0}");
+
+ var select312 = linear_select([
+ part1335,
+ part1336,
+ ]);
+
+ var part1337 = match_copy("MESSAGE#833:00515:01/2", "nwparser.p0", "fld2");
+
+ var all297 = all_match({
+ processors: [
+ part1334,
+ select312,
+ part1337,
+ ],
+ on_success: processor_chain([
+ dup206,
+ dup29,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup4,
+ dup5,
+ dup302,
+ dup3,
+ ]),
+ });
+
+ var msg843 = msg("00515:01", all297);
+
+ var part1338 = match("MESSAGE#834:00515:02/0", "nwparser.payload", "Management session via %{p0}");
+
+ var part1339 = match("MESSAGE#834:00515:02/1_0", "nwparser.p0", "the %{logon_type->} for %{p0}");
+
+ var part1340 = match("MESSAGE#834:00515:02/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} for %{p0}");
+
+ var select313 = linear_select([
+ part1339,
+ part1340,
+ ]);
+
+ var part1341 = match("MESSAGE#834:00515:02/2_0", "nwparser.p0", "[vsys] admin %{p0}");
+
+ var part1342 = match("MESSAGE#834:00515:02/2_1", "nwparser.p0", "vsys admin %{p0}");
+
+ var select314 = linear_select([
+ part1341,
+ part1342,
+ dup15,
+ ]);
+
+ var part1343 = match("MESSAGE#834:00515:02/3", "nwparser.p0", "%{administrator->} has timed out");
+
+ var all298 = all_match({
+ processors: [
+ part1338,
+ select313,
+ select314,
+ part1343,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg844 = msg("00515:02", all298);
+
+ var part1344 = match("MESSAGE#835:00515:04/0_0", "nwparser.payload", "[Vsys] %{p0}");
+
+ var part1345 = match("MESSAGE#835:00515:04/0_1", "nwparser.payload", "Vsys %{p0}");
+
+ var select315 = linear_select([
+ part1344,
+ part1345,
+ ]);
+
+ var part1346 = match("MESSAGE#835:00515:04/1", "nwparser.p0", "Admin %{administrator->} has logged o%{p0}");
+
+ var part1347 = match_copy("MESSAGE#835:00515:04/4_1", "nwparser.p0", "logon_type");
+
+ var select316 = linear_select([
+ dup304,
+ part1347,
+ ]);
+
+ var all299 = all_match({
+ processors: [
+ select315,
+ part1346,
+ dup398,
+ dup40,
+ select316,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg845 = msg("00515:04", all299);
+
+ var part1348 = match("MESSAGE#836:00515:06", "nwparser.payload", "Admin User %{administrator->} has logged on via %{logon_type->} from %{saddr}:%{sport}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg846 = msg("00515:06", part1348);
+
+ var part1349 = match("MESSAGE#837:00515:05/0", "nwparser.payload", "%{}Admin %{p0}");
+
+ var select317 = linear_select([
+ dup305,
+ dup16,
+ ]);
+
+ var part1350 = match("MESSAGE#837:00515:05/2", "nwparser.p0", "%{administrator->} has logged o%{p0}");
+
+ var part1351 = match("MESSAGE#837:00515:05/5_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{fld2})");
+
+ var select318 = linear_select([
+ dup306,
+ part1351,
+ dup304,
+ ]);
+
+ var all300 = all_match({
+ processors: [
+ part1349,
+ select317,
+ part1350,
+ dup398,
+ dup40,
+ select318,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg847 = msg("00515:05", all300);
+
+ var part1352 = match("MESSAGE#838:00515:07", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(http) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg848 = msg("00515:07", part1352);
+
+ var part1353 = match("MESSAGE#839:00515:08/0", "nwparser.payload", "%{fld2->} Admin User \"%{administrator}\" logged in for %{logon_type}(http%{p0}");
+
+ var part1354 = match("MESSAGE#839:00515:08/1_0", "nwparser.p0", ") %{p0}");
+
+ var part1355 = match("MESSAGE#839:00515:08/1_1", "nwparser.p0", "s) %{p0}");
+
+ var select319 = linear_select([
+ part1354,
+ part1355,
+ ]);
+
+ var part1356 = match("MESSAGE#839:00515:08/2", "nwparser.p0", "management (port %{network_port}) from %{saddr}:%{sport}");
+
+ var all301 = all_match({
+ processors: [
+ part1353,
+ select319,
+ part1356,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg849 = msg("00515:08", all301);
+
+ var part1357 = match("MESSAGE#840:00515:09", "nwparser.payload", "User %{username->} telnet management session from (%{saddr}:%{sport}) timed out", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg850 = msg("00515:09", part1357);
+
+ var part1358 = match("MESSAGE#841:00515:10", "nwparser.payload", "User %{username->} logged out of telnet session from %{saddr}:%{sport}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg851 = msg("00515:10", part1358);
+
+ var part1359 = match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on zone %{zone}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg852 = msg("00515:11", part1359);
+
+ var part1360 = match("MESSAGE#843:00515:12/0", "nwparser.payload", "[ Vsys ] Admin User \"%{administrator}\" logged in for Web( http%{p0}");
+
+ var part1361 = match("MESSAGE#843:00515:12/2", "nwparser.p0", ") management (port %{network_port})");
+
+ var all302 = all_match({
+ processors: [
+ part1360,
+ dup399,
+ part1361,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg853 = msg("00515:12", all302);
+
+ var select320 = linear_select([
+ dup288,
+ dup287,
+ ]);
+
+ var part1362 = match("MESSAGE#844:00515:13/1", "nwparser.p0", "user %{administrator->} has logged o%{p0}");
+
+ var select321 = linear_select([
+ dup306,
+ dup304,
+ ]);
+
+ var all303 = all_match({
+ processors: [
+ select320,
+ part1362,
+ dup398,
+ dup40,
+ select321,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg854 = msg("00515:13", all303);
+
+ var part1363 = match("MESSAGE#845:00515:14/0_0", "nwparser.payload", "Admin user %{administrator->} has been forced to log o%{p0}");
+
+ var part1364 = match("MESSAGE#845:00515:14/0_1", "nwparser.payload", "%{username->} %{fld1->} has been forced to log o%{p0}");
+
+ var select322 = linear_select([
+ part1363,
+ part1364,
+ ]);
+
+ var part1365 = match("MESSAGE#845:00515:14/2", "nwparser.p0", "of the %{p0}");
+
+ var part1366 = match("MESSAGE#845:00515:14/3_0", "nwparser.p0", "serial %{logon_type->} session.");
+
+ var part1367 = match("MESSAGE#845:00515:14/3_1", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port->} (%{event_time})");
+
+ var part1368 = match("MESSAGE#845:00515:14/3_2", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port}");
+
+ var select323 = linear_select([
+ part1366,
+ part1367,
+ part1368,
+ ]);
+
+ var all304 = all_match({
+ processors: [
+ select322,
+ dup398,
+ part1365,
+ select323,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg855 = msg("00515:14", all304);
+
+ var part1369 = match("MESSAGE#846:00515:15/0", "nwparser.payload", "%{fld2}: Admin User %{administrator->} has logged o%{p0}");
+
+ var part1370 = match("MESSAGE#846:00515:15/3_0", "nwparser.p0", "the %{logon_type->} (%{p0}");
+
+ var part1371 = match("MESSAGE#846:00515:15/3_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{p0}");
+
+ var select324 = linear_select([
+ part1370,
+ part1371,
+ ]);
+
+ var all305 = all_match({
+ processors: [
+ part1369,
+ dup398,
+ dup40,
+ select324,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg856 = msg("00515:15", all305);
+
+ var part1372 = match("MESSAGE#847:00515:16/0_0", "nwparser.payload", "%{fld2}: Admin %{p0}");
+
+ var select325 = linear_select([
+ part1372,
+ dup287,
+ ]);
+
+ var part1373 = match("MESSAGE#847:00515:16/1", "nwparser.p0", "user %{administrator->} attempt access to %{url->} illegal from %{logon_type}( http%{p0}");
+
+ var part1374 = match("MESSAGE#847:00515:16/3", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}. (%{fld1})");
+
+ var all306 = all_match({
+ processors: [
+ select325,
+ part1373,
+ dup399,
+ part1374,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg857 = msg("00515:16", all306);
+
+ var part1375 = match("MESSAGE#848:00515:17/0", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{p0}");
+
+ var part1376 = match("MESSAGE#848:00515:17/1_0", "nwparser.p0", "https %{p0}");
+
+ var part1377 = match("MESSAGE#848:00515:17/1_1", "nwparser.p0", " http %{p0}");
+
+ var select326 = linear_select([
+ part1376,
+ part1377,
+ ]);
+
+ var part1378 = match("MESSAGE#848:00515:17/2", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}");
+
+ var all307 = all_match({
+ processors: [
+ part1375,
+ select326,
+ part1378,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg858 = msg("00515:17", all307);
+
+ var part1379 = match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(https) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg859 = msg("00515:18", part1379);
+
+ var part1380 = match("MESSAGE#850:00515:19/0", "nwparser.payload", "Vsys admin user %{administrator->} logged on via %{p0}");
+
+ var part1381 = match("MESSAGE#850:00515:19/1_0", "nwparser.p0", "%{logon_type->} from remote IP address %{saddr->} using port %{sport}. (%{p0}");
+
+ var part1382 = match("MESSAGE#850:00515:19/1_1", "nwparser.p0", "the console. (%{p0}");
+
+ var select327 = linear_select([
+ part1381,
+ part1382,
+ ]);
+
+ var all308 = all_match({
+ processors: [
+ part1380,
+ select327,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg860 = msg("00515:19", all308);
+
+ var part1383 = match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session via SCS from %{saddr}:%{sport->} for admin netscreen has timed out (%{fld1})", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg861 = msg("00515:20", part1383);
+
+ var select328 = linear_select([
+ msg842,
+ msg843,
+ msg844,
+ msg845,
+ msg846,
+ msg847,
+ msg848,
+ msg849,
+ msg850,
+ msg851,
+ msg852,
+ msg853,
+ msg854,
+ msg855,
+ msg856,
+ msg857,
+ msg858,
+ msg859,
+ msg860,
+ msg861,
+ ]);
+
+ var part1384 = match("MESSAGE#852:00518", "nwparser.payload", "Admin user %{administrator->} %{fld1}at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg862 = msg("00518", part1384);
+
+ var part1385 = match("MESSAGE#853:00518:17", "nwparser.payload", "Admin user %{administrator->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg863 = msg("00518:17", part1385);
+
+ var part1386 = match("MESSAGE#854:00518:01", "nwparser.payload", "Local authentication for WebAuth user %{username->} was %{disposition}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg864 = msg("00518:01", part1386);
+
+ var part1387 = match("MESSAGE#855:00518:02", "nwparser.payload", "Local authentication for user %{username->} was %{disposition}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg865 = msg("00518:02", part1387);
+
+ var part1388 = match("MESSAGE#856:00518:03", "nwparser.payload", "User %{username->} at %{saddr->} must enter \"Next Code\" for SecurID %{hostip}", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg866 = msg("00518:03", part1388);
+
+ var part1389 = match("MESSAGE#857:00518:04", "nwparser.payload", "WebAuth user %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([
+ dup203,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg867 = msg("00518:04", part1389);
+
+ var part1390 = match("MESSAGE#858:00518:05", "nwparser.payload", "User %{username->} at %{saddr->} has been challenged via the %{authmethod->} server at %{hostip->} (Rejected since challenge is not supported for %{logon_type})", processor_chain([
+ dup203,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg868 = msg("00518:05", part1390);
+
+ var part1391 = match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for WebAuth user %{username}", processor_chain([
+ dup35,
+ dup29,
+ dup31,
+ dup54,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg869 = msg("00518:06", part1391);
+
+ var part1392 = match("MESSAGE#860:00518:07/0", "nwparser.payload", "Authentication for user %{username->} was denied (long %{p0}");
+
+ var part1393 = match("MESSAGE#860:00518:07/1_1", "nwparser.p0", "username %{p0}");
+
+ var select329 = linear_select([
+ dup24,
+ part1393,
+ ]);
+
+ var part1394 = match("MESSAGE#860:00518:07/2", "nwparser.p0", ")%{}");
+
+ var all309 = all_match({
+ processors: [
+ part1392,
+ select329,
+ part1394,
+ ],
+ on_success: processor_chain([
+ dup53,
+ dup29,
+ dup31,
+ dup54,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg870 = msg("00518:07", all309);
+
+ var part1395 = match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr->} %{authmethod->} authentication attempt has timed out", processor_chain([
+ dup35,
+ dup29,
+ dup31,
+ dup39,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg871 = msg("00518:08", part1395);
+
+ var part1396 = match("MESSAGE#862:00518:09", "nwparser.payload", "User %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([
+ dup203,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg872 = msg("00518:09", part1396);
+
+ var part1397 = match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed due to %{result}. (%{fld1})", processor_chain([
+ dup206,
+ dup29,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup4,
+ dup9,
+ dup5,
+ dup3,
+ dup302,
+ ]));
+
+ var msg873 = msg("00518:10", part1397);
+
+ var part1398 = match("MESSAGE#864:00518:11/0", "nwparser.payload", "ADM: Local admin authentication failed for login name %{p0}");
+
+ var part1399 = match("MESSAGE#864:00518:11/1_0", "nwparser.p0", "'%{username}': %{p0}");
+
+ var part1400 = match("MESSAGE#864:00518:11/1_1", "nwparser.p0", "%{username}: %{p0}");
+
+ var select330 = linear_select([
+ part1399,
+ part1400,
+ ]);
+
+ var part1401 = match("MESSAGE#864:00518:11/2", "nwparser.p0", "%{result->} (%{fld1})");
+
+ var all310 = all_match({
+ processors: [
+ part1398,
+ select330,
+ part1401,
+ ],
+ on_success: processor_chain([
+ dup206,
+ dup29,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup9,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg874 = msg("00518:11", all310);
+
+ var part1402 = match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([
+ dup240,
+ dup2,
+ dup4,
+ dup9,
+ dup5,
+ dup3,
+ ]));
+
+ var msg875 = msg("00518:12", part1402);
+
+ var part1403 = match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr->} is rejected by the Radius server at %{hostip}. (%{fld1})", processor_chain([
+ dup290,
+ dup2,
+ dup3,
+ dup4,
+ dup9,
+ dup5,
+ ]));
+
+ var msg876 = msg("00518:13", part1403);
+
+ var part1404 = match("MESSAGE#867:00518:14", "nwparser.payload", "%{fld2}: Admin user has been rejected via the Radius server at %{hostip->} (%{fld1})", processor_chain([
+ dup290,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg877 = msg("00518:14", part1404);
+
+ var select331 = linear_select([
+ msg862,
+ msg863,
+ msg864,
+ msg865,
+ msg866,
+ msg867,
+ msg868,
+ msg869,
+ msg870,
+ msg871,
+ msg872,
+ msg873,
+ msg874,
+ msg875,
+ msg876,
+ msg877,
+ ]);
+
+ var part1405 = match("MESSAGE#868:00519/0", "nwparser.payload", "Admin user %{administrator->} %{p0}");
+
+ var part1406 = match("MESSAGE#868:00519/1_1", "nwparser.p0", "of group %{group->} at %{saddr->} has %{p0}");
+
+ var part1407 = match("MESSAGE#868:00519/1_2", "nwparser.p0", "%{group->} at %{saddr->} has %{p0}");
+
+ var select332 = linear_select([
+ dup194,
+ part1406,
+ part1407,
+ ]);
+
+ var part1408 = match("MESSAGE#868:00519/2", "nwparser.p0", "been %{disposition->} via the %{logon_type->} server %{p0}");
+
+ var part1409 = match("MESSAGE#868:00519/3_0", "nwparser.p0", "at %{p0}");
+
+ var select333 = linear_select([
+ part1409,
+ dup16,
+ ]);
+
+ var part1410 = match("MESSAGE#868:00519/4", "nwparser.p0", "%{hostip}");
+
+ var all311 = all_match({
+ processors: [
+ part1405,
+ select332,
+ part1408,
+ select333,
+ part1410,
+ ],
+ on_success: processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg878 = msg("00519", all311);
+
+ var part1411 = match("MESSAGE#869:00519:01/0", "nwparser.payload", "Local authentication for %{p0}");
+
+ var select334 = linear_select([
+ dup307,
+ dup305,
+ ]);
+
+ var part1412 = match("MESSAGE#869:00519:01/2", "nwparser.p0", "%{username->} was %{disposition}");
+
+ var all312 = all_match({
+ processors: [
+ part1411,
+ select334,
+ part1412,
+ ],
+ on_success: processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg879 = msg("00519:01", all312);
+
+ var part1413 = match("MESSAGE#870:00519:02/1_1", "nwparser.p0", "User %{p0}");
+
+ var select335 = linear_select([
+ dup307,
+ part1413,
+ ]);
+
+ var part1414 = match("MESSAGE#870:00519:02/2", "nwparser.p0", "%{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}");
+
+ var all313 = all_match({
+ processors: [
+ dup160,
+ select335,
+ part1414,
+ ],
+ on_success: processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg880 = msg("00519:02", all313);
+
+ var part1415 = match("MESSAGE#871:00519:03", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{fld4}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg881 = msg("00519:03", part1415);
+
+ var part1416 = match("MESSAGE#872:00519:04", "nwparser.payload", "ADM: Local admin authentication successful for login name %{username->} (%{fld1})", processor_chain([
+ dup240,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg882 = msg("00519:04", part1416);
+
+ var part1417 = match("MESSAGE#873:00519:05", "nwparser.payload", "%{fld2}Admin user %{administrator->} has been accepted via the Radius server at %{hostip}(%{fld1})", processor_chain([
+ dup240,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg883 = msg("00519:05", part1417);
+
+ var select336 = linear_select([
+ msg878,
+ msg879,
+ msg880,
+ msg881,
+ msg882,
+ msg883,
+ ]);
+
+ var part1418 = match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authentication attempt has timed out", processor_chain([
+ dup35,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg884 = msg("00520", part1418);
+
+ var part1419 = match("MESSAGE#875:00520:01/0", "nwparser.payload", "User %{username->} at %{hostip->} %{p0}");
+
+ var part1420 = match("MESSAGE#875:00520:01/1_0", "nwparser.p0", "RADIUS %{p0}");
+
+ var part1421 = match("MESSAGE#875:00520:01/1_1", "nwparser.p0", "SecurID %{p0}");
+
+ var part1422 = match("MESSAGE#875:00520:01/1_2", "nwparser.p0", "LDAP %{p0}");
+
+ var part1423 = match("MESSAGE#875:00520:01/1_3", "nwparser.p0", "Local %{p0}");
+
+ var select337 = linear_select([
+ part1420,
+ part1421,
+ part1422,
+ part1423,
+ ]);
+
+ var part1424 = match("MESSAGE#875:00520:01/2", "nwparser.p0", "authentication attempt has timed out%{}");
+
+ var all314 = all_match({
+ processors: [
+ part1419,
+ select337,
+ part1424,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup31,
+ dup39,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg885 = msg("00520:01", all314);
+
+ var part1425 = match("MESSAGE#876:00520:02/0", "nwparser.payload", "Trying %{p0}");
+
+ var part1426 = match("MESSAGE#876:00520:02/2", "nwparser.p0", "server %{fld2}");
+
+ var all315 = all_match({
+ processors: [
+ part1425,
+ dup400,
+ part1426,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg886 = msg("00520:02", all315);
+
+ var part1427 = match("MESSAGE#877:00520:03/1_0", "nwparser.p0", "Primary %{p0}");
+
+ var part1428 = match("MESSAGE#877:00520:03/1_1", "nwparser.p0", "Backup1 %{p0}");
+
+ var part1429 = match("MESSAGE#877:00520:03/1_2", "nwparser.p0", "Backup2 %{p0}");
+
+ var select338 = linear_select([
+ part1427,
+ part1428,
+ part1429,
+ ]);
+
+ var part1430 = match("MESSAGE#877:00520:03/2", "nwparser.p0", "%{fld2}, %{p0}");
+
+ var part1431 = match("MESSAGE#877:00520:03/4", "nwparser.p0", "%{fld3}, and %{p0}");
+
+ var part1432 = match("MESSAGE#877:00520:03/6", "nwparser.p0", "%{fld4->} servers failed");
+
+ var all316 = all_match({
+ processors: [
+ dup160,
+ select338,
+ part1430,
+ dup400,
+ part1431,
+ dup400,
+ part1432,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg887 = msg("00520:03", all316);
+
+ var part1433 = match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hostip->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg888 = msg("00520:04", part1433);
+
+ var part1434 = match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: New requests for %{fld31->} server will try %{fld32->} from now on. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg889 = msg("00520:05", part1434);
+
+ var select339 = linear_select([
+ msg884,
+ msg885,
+ msg886,
+ msg887,
+ msg888,
+ msg889,
+ ]);
+
+ var part1435 = match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server %{hostip}", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg890 = msg("00521", part1435);
+
+ var part1436 = match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg891 = msg("00522", part1436);
+
+ var part1437 = match("MESSAGE#881:00523", "nwparser.payload", "URL filtering received an error from %{fld2->} (error %{resultcode}).", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg892 = msg("00523", part1437);
+
+ var part1438 = match("MESSAGE#882:00524", "nwparser.payload", "NetScreen device at %{hostip}:%{network_port->} has responded successfully to SNMP request from %{saddr}:%{sport}", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg893 = msg("00524", part1438);
+
+ var part1439 = match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown SNMP community public at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg894 = msg("00524:02", part1439);
+
+ var part1440 = match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has responded successfully to the SNMP request from %{saddr}:%{sport}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg895 = msg("00524:03", part1440);
+
+ var part1441 = match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown SNMP community admin at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg896 = msg("00524:04", part1441);
+
+ var part1442 = match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg897 = msg("00524:05", part1442);
+
+ var part1443 = match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been received from an unknown host in SNMP community %{fld2->} at %{hostip}:%{network_port}. (%{fld1})", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg898 = msg("00524:06", part1443);
+
+ var part1444 = match("MESSAGE#888:00524:12", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{saddr}:%{sport->} to %{daddr}:%{dport->} has been received", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]));
+
+ var msg899 = msg("00524:12", part1444);
+
+ var part1445 = match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{sport->} has been received, but the SNMP version type is incorrect. (%{fld1})", processor_chain([
+ dup19,
+ dup2,
+ dup4,
+ setc("result","the SNMP version type is incorrect"),
+ dup5,
+ dup9,
+ ]));
+
+ var msg900 = msg("00524:14", part1445);
+
+ var part1446 = match("MESSAGE#890:00524:13/0", "nwparser.payload", "SNMP request has been received%{p0}");
+
+ var part1447 = match("MESSAGE#890:00524:13/2", "nwparser.p0", "%{}but %{result}");
+
+ var all317 = all_match({
+ processors: [
+ part1446,
+ dup401,
+ part1447,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg901 = msg("00524:13", all317);
+
+ var part1448 = match("MESSAGE#891:00524:07", "nwparser.payload", "Response to SNMP request from %{saddr}:%{sport->} to %{daddr}:%{dport->} has %{disposition->} due to %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]));
+
+ var msg902 = msg("00524:07", part1448);
+
+ var part1449 = match("MESSAGE#892:00524:08", "nwparser.payload", "SNMP community %{fld2->} cannot be added because %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]));
+
+ var msg903 = msg("00524:08", part1449);
+
+ var part1450 = match("MESSAGE#893:00524:09", "nwparser.payload", "SNMP host %{hostip->} cannot be added to community %{fld2->} because of %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]));
+
+ var msg904 = msg("00524:09", part1450);
+
+ var part1451 = match("MESSAGE#894:00524:10", "nwparser.payload", "SNMP host %{hostip->} cannot be added because %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]));
+
+ var msg905 = msg("00524:10", part1451);
+
+ var part1452 = match("MESSAGE#895:00524:11", "nwparser.payload", "SNMP host %{hostip->} cannot be removed from community %{fld2->} because %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]));
+
+ var msg906 = msg("00524:11", part1452);
+
+ var part1453 = match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34->} doesn't exist. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg907 = msg("00524:16", part1453);
+
+ var select340 = linear_select([
+ msg893,
+ msg894,
+ msg895,
+ msg896,
+ msg897,
+ msg898,
+ msg899,
+ msg900,
+ msg901,
+ msg902,
+ msg903,
+ msg904,
+ msg905,
+ msg906,
+ msg907,
+ ]);
+
+ var part1454 = match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username->} at %{hostip->} has been %{disposition->} by SecurID %{fld2}", processor_chain([
+ dup203,
+ setc("ec_subject","Password"),
+ dup38,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg908 = msg("00525", part1454);
+
+ var part1455 = match("MESSAGE#897:00525:01", "nwparser.payload", "User %{username->} at %{hostip->} has selected a system-generated PIN for authentication with SecurID %{fld2}", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg909 = msg("00525:01", part1455);
+
+ var part1456 = match("MESSAGE#898:00525:02", "nwparser.payload", "User %{username->} at %{hostip->} must enter the \"new PIN\" for SecurID %{fld2}", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg910 = msg("00525:02", part1456);
+
+ var part1457 = match("MESSAGE#899:00525:03", "nwparser.payload", "User %{username->} at %{hostip->} must make a \"New PIN\" choice for SecurID %{fld2}", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg911 = msg("00525:03", part1457);
+
+ var select341 = linear_select([
+ msg908,
+ msg909,
+ msg910,
+ msg911,
+ ]);
+
+ var part1458 = match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded and %{hostip->} cannot be added", processor_chain([
+ dup37,
+ dup219,
+ dup38,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg912 = msg("00526", part1458);
+
+ var part1459 = match("MESSAGE#901:00527/0", "nwparser.payload", "A DHCP-%{p0}");
+
+ var part1460 = match("MESSAGE#901:00527/1_1", "nwparser.p0", " assigned %{p0}");
+
+ var select342 = linear_select([
+ dup311,
+ part1460,
+ ]);
+
+ var part1461 = match("MESSAGE#901:00527/2", "nwparser.p0", "IP address %{hostip->} has been %{p0}");
+
+ var part1462 = match("MESSAGE#901:00527/3_1", "nwparser.p0", "freed from %{p0}");
+
+ var part1463 = match("MESSAGE#901:00527/3_2", "nwparser.p0", "freed %{p0}");
+
+ var select343 = linear_select([
+ dup312,
+ part1462,
+ part1463,
+ ]);
+
+ var all318 = all_match({
+ processors: [
+ part1459,
+ select342,
+ part1461,
+ select343,
+ dup108,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg913 = msg("00527", all318);
+
+ var part1464 = match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address has been manually released%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg914 = msg("00527:01", part1464);
+
+ var part1465 = match("MESSAGE#903:00527:02/0", "nwparser.payload", "DHCP server has %{p0}");
+
+ var part1466 = match("MESSAGE#903:00527:02/1_1", "nwparser.p0", "released %{p0}");
+
+ var part1467 = match("MESSAGE#903:00527:02/1_2", "nwparser.p0", "assigned or released %{p0}");
+
+ var select344 = linear_select([
+ dup311,
+ part1466,
+ part1467,
+ ]);
+
+ var part1468 = match("MESSAGE#903:00527:02/2", "nwparser.p0", "an IP address%{}");
+
+ var all319 = all_match({
+ processors: [
+ part1465,
+ select344,
+ part1468,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg915 = msg("00527:02", all319);
+
+ var part1469 = match("MESSAGE#904:00527:03", "nwparser.payload", "MAC address %{macaddr->} has detected an IP conflict and has declined address %{hostip}", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg916 = msg("00527:03", part1469);
+
+ var part1470 = match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP addresses have been manually released.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg917 = msg("00527:04", part1470);
+
+ var part1471 = match("MESSAGE#906:00527:05/2", "nwparser.p0", "%{} %{interface->} is more than %{fld2->} allocated.");
+
+ var all320 = all_match({
+ processors: [
+ dup210,
+ dup337,
+ part1471,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg918 = msg("00527:05", all320);
+
+ var part1472 = match("MESSAGE#907:00527:06/0", "nwparser.payload", "IP address %{hostip->} %{p0}");
+
+ var select345 = linear_select([
+ dup106,
+ dup127,
+ ]);
+
+ var part1473 = match("MESSAGE#907:00527:06/3_1", "nwparser.p0", "released from %{p0}");
+
+ var select346 = linear_select([
+ dup312,
+ part1473,
+ ]);
+
+ var part1474 = match("MESSAGE#907:00527:06/4", "nwparser.p0", "%{fld2->} (%{fld1})");
+
+ var all321 = all_match({
+ processors: [
+ part1472,
+ select345,
+ dup23,
+ select346,
+ part1474,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg919 = msg("00527:06", all321);
+
+ var part1475 = match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have expired. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg920 = msg("00527:07", part1475);
+
+ var part1476 = match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{interface->} received %{protocol_detail->} from %{smacaddr->} requesting out-of-scope IP address %{hostip}/%{mask->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg921 = msg("00527:08", part1476);
+
+ var part1477 = match("MESSAGE#910:00527:09/0", "nwparser.payload", "MAC address %{macaddr->} has %{disposition->} %{p0}");
+
+ var part1478 = match("MESSAGE#910:00527:09/1_0", "nwparser.p0", "address %{hostip->} (%{p0}");
+
+ var part1479 = match("MESSAGE#910:00527:09/1_1", "nwparser.p0", "%{hostip->} (%{p0}");
+
+ var select347 = linear_select([
+ part1478,
+ part1479,
+ ]);
+
+ var all322 = all_match({
+ processors: [
+ part1477,
+ select347,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg922 = msg("00527:09", all322);
+
+ var part1480 = match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are expired. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg923 = msg("00527:10", part1480);
+
+ var select348 = linear_select([
+ msg913,
+ msg914,
+ msg915,
+ msg916,
+ msg917,
+ msg918,
+ msg919,
+ msg920,
+ msg921,
+ msg922,
+ msg923,
+ ]);
+
+ var part1481 = match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenticated using password :", processor_chain([
+ setc("eventcategory","1302010000"),
+ dup29,
+ dup31,
+ dup32,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg924 = msg("00528", part1481);
+
+ var part1482 = match("MESSAGE#913:00528:01", "nwparser.payload", "SCS: Connection terminated for user %{username->} from", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg925 = msg("00528:01", part1482);
+
+ var part1483 = match("MESSAGE#914:00528:02", "nwparser.payload", "SCS: Disabled for all root/vsys on device. Client host attempting connection to interface '%{interface}' with address %{hostip->} from %{saddr}", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg926 = msg("00528:02", part1483);
+
+ var part1484 = match("MESSAGE#915:00528:03", "nwparser.payload", "SSH: NetScreen device %{disposition->} to identify itself to the SSH client at %{hostip}", processor_chain([
+ dup203,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg927 = msg("00528:03", part1484);
+
+ var part1485 = match("MESSAGE#916:00528:04", "nwparser.payload", "SSH: Incompatible SSH version string has been received from SSH client at %{hostip}", processor_chain([
+ dup203,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg928 = msg("00528:04", part1485);
+
+ var part1486 = match("MESSAGE#917:00528:05", "nwparser.payload", "SSH: %{disposition->} to send identification string to client host at %{hostip}", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg929 = msg("00528:05", part1486);
+
+ var part1487 = match("MESSAGE#918:00528:06", "nwparser.payload", "SSH: Client at %{saddr->} attempted to connect with invalid version string.", processor_chain([
+ dup313,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("result","invalid version string"),
+ ]));
+
+ var msg930 = msg("00528:06", part1487);
+
+ var part1488 = match("MESSAGE#919:00528:07/0", "nwparser.payload", "SSH: %{disposition->} to negotiate %{p0}");
+
+ var part1489 = match("MESSAGE#919:00528:07/1_1", "nwparser.p0", "MAC %{p0}");
+
+ var part1490 = match("MESSAGE#919:00528:07/1_2", "nwparser.p0", "key exchange %{p0}");
+
+ var part1491 = match("MESSAGE#919:00528:07/1_3", "nwparser.p0", "host key %{p0}");
+
+ var select349 = linear_select([
+ dup88,
+ part1489,
+ part1490,
+ part1491,
+ ]);
+
+ var part1492 = match("MESSAGE#919:00528:07/2", "nwparser.p0", "algorithm with host %{hostip}");
+
+ var all323 = all_match({
+ processors: [
+ part1488,
+ select349,
+ part1492,
+ ],
+ on_success: processor_chain([
+ dup314,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg931 = msg("00528:07", all323);
+
+ var part1493 = match("MESSAGE#920:00528:08", "nwparser.payload", "SSH: Unsupported cipher type %{fld2->} requested from %{saddr}", processor_chain([
+ dup314,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg932 = msg("00528:08", part1493);
+
+ var part1494 = match("MESSAGE#921:00528:09", "nwparser.payload", "SSH: Host client has requested NO cipher from %{saddr}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg933 = msg("00528:09", part1494);
+
+ var part1495 = match("MESSAGE#922:00528:10", "nwparser.payload", "SSH: Disabled for '%{vsys}'. Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg934 = msg("00528:10", part1495);
+
+ var part1496 = match("MESSAGE#923:00528:11", "nwparser.payload", "SSH: Disabled for %{fld2->} Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg935 = msg("00528:11", part1496);
+
+ var part1497 = match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} at %{saddr->} tried unsuccessfully to log in to %{vsys->} using the shared untrusted interface. SSH disabled on that interface.", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ setc("disposition","disabled"),
+ ]));
+
+ var msg936 = msg("00528:12", part1497);
+
+ var part1498 = match("MESSAGE#925:00528:13/0", "nwparser.payload", "SSH: SSH client at %{saddr->} tried unsuccessfully to %{p0}");
+
+ var part1499 = match("MESSAGE#925:00528:13/1_0", "nwparser.p0", "make %{p0}");
+
+ var part1500 = match("MESSAGE#925:00528:13/1_1", "nwparser.p0", "establish %{p0}");
+
+ var select350 = linear_select([
+ part1499,
+ part1500,
+ ]);
+
+ var part1501 = match("MESSAGE#925:00528:13/2", "nwparser.p0", "an SSH connection to %{p0}");
+
+ var part1502 = match("MESSAGE#925:00528:13/4", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} SSH %{p0}");
+
+ var part1503 = match("MESSAGE#925:00528:13/5_0", "nwparser.p0", "not enabled %{p0}");
+
+ var select351 = linear_select([
+ part1503,
+ dup157,
+ ]);
+
+ var part1504 = match("MESSAGE#925:00528:13/6", "nwparser.p0", "on that interface.%{}");
+
+ var all324 = all_match({
+ processors: [
+ part1498,
+ select350,
+ part1501,
+ dup337,
+ part1502,
+ select351,
+ part1504,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg937 = msg("00528:13", all324);
+
+ var part1505 = match("MESSAGE#926:00528:14", "nwparser.payload", "SSH: SSH client %{saddr->} unsuccessfully attempted to make an SSH connection to %{vsys->} SSH was not completely initialized for that system.", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg938 = msg("00528:14", part1505);
+
+ var part1506 = match("MESSAGE#927:00528:15/0", "nwparser.payload", "SSH: Admin user %{p0}");
+
+ var part1507 = match("MESSAGE#927:00528:15/1_1", "nwparser.p0", "%{administrator->} %{p0}");
+
+ var select352 = linear_select([
+ dup315,
+ part1507,
+ ]);
+
+ var part1508 = match("MESSAGE#927:00528:15/2", "nwparser.p0", "at host %{saddr->} requested unsupported %{p0}");
+
+ var part1509 = match("MESSAGE#927:00528:15/3_0", "nwparser.p0", "PKA algorithm %{p0}");
+
+ var part1510 = match("MESSAGE#927:00528:15/3_1", "nwparser.p0", "authentication method %{p0}");
+
+ var select353 = linear_select([
+ part1509,
+ part1510,
+ ]);
+
+ var all325 = all_match({
+ processors: [
+ part1506,
+ select352,
+ part1508,
+ select353,
+ dup108,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg939 = msg("00528:15", all325);
+
+ var part1511 = match("MESSAGE#928:00528:16", "nwparser.payload", "SCP: Admin '%{administrator}' at host %{saddr->} executed invalid scp command: '%{fld2}'", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg940 = msg("00528:16", part1511);
+
+ var part1512 = match("MESSAGE#929:00528:17", "nwparser.payload", "SCP: Disabled for '%{username}'. Attempted file transfer failed from host %{saddr}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg941 = msg("00528:17", part1512);
+
+ var part1513 = match("MESSAGE#930:00528:18/2", "nwparser.p0", "authentication successful for admin user %{p0}");
+
+ var all326 = all_match({
+ processors: [
+ dup316,
+ dup402,
+ part1513,
+ dup403,
+ dup320,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ setc("disposition","successful"),
+ setc("event_description","authentication successful for admin user"),
+ ]),
+ });
+
+ var msg942 = msg("00528:18", all326);
+
+ var part1514 = match("MESSAGE#931:00528:26/2", "nwparser.p0", "authentication failed for admin user %{p0}");
+
+ var all327 = all_match({
+ processors: [
+ dup316,
+ dup402,
+ part1514,
+ dup403,
+ dup320,
+ ],
+ on_success: processor_chain([
+ dup206,
+ dup29,
+ dup31,
+ dup54,
+ dup2,
+ dup4,
+ dup5,
+ dup302,
+ dup3,
+ setc("event_description","authentication failed for admin user"),
+ ]),
+ });
+
+ var msg943 = msg("00528:26", all327);
+
+ var part1515 = match("MESSAGE#932:00528:19/2", "nwparser.p0", ": SSH user %{username->} has been %{disposition->} using password from %{saddr}:%{sport}");
+
+ var all328 = all_match({
+ processors: [
+ dup321,
+ dup404,
+ part1515,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg944 = msg("00528:19", all328);
+
+ var part1516 = match("MESSAGE#933:00528:20/2", "nwparser.p0", ": Connection has been %{disposition->} for admin user %{administrator->} at %{saddr}:%{sport}");
+
+ var all329 = all_match({
+ processors: [
+ dup321,
+ dup404,
+ part1516,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg945 = msg("00528:20", all329);
+
+ var part1517 = match("MESSAGE#934:00528:21", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has requested PKA RSA authentication, which is not supported for that client.", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg946 = msg("00528:21", part1517);
+
+ var part1518 = match("MESSAGE#935:00528:22/0", "nwparser.payload", "SCS: SSH client at %{saddr->} has attempted to make an SCS connection to %{p0}");
+
+ var part1519 = match("MESSAGE#935:00528:22/2", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} but %{disposition->} because SCS is not enabled for that interface.");
+
+ var all330 = all_match({
+ processors: [
+ part1518,
+ dup337,
+ part1519,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ setc("result","SCS is not enabled for that interface"),
+ ]),
+ });
+
+ var msg947 = msg("00528:22", all330);
+
+ var part1520 = match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to vsys %{vsys->} because SCS cannot generate the host and server keys before timing out.", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ setc("result","SCS cannot generate the host and server keys before timing out"),
+ ]));
+
+ var msg948 = msg("00528:23", part1520);
+
+ var part1521 = match("MESSAGE#937:00528:24", "nwparser.payload", "SSH: %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup281,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg949 = msg("00528:24", part1521);
+
+ var part1522 = match("MESSAGE#938:00528:25/0", "nwparser.payload", "SSH: Admin %{p0}");
+
+ var part1523 = match("MESSAGE#938:00528:25/2", "nwparser.p0", "at host %{saddr->} attempted to be authenticated with no authentication methods enabled.");
+
+ var all331 = all_match({
+ processors: [
+ part1522,
+ dup403,
+ part1523,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg950 = msg("00528:25", all331);
+
+ var select354 = linear_select([
+ msg924,
+ msg925,
+ msg926,
+ msg927,
+ msg928,
+ msg929,
+ msg930,
+ msg931,
+ msg932,
+ msg933,
+ msg934,
+ msg935,
+ msg936,
+ msg937,
+ msg938,
+ msg939,
+ msg940,
+ msg941,
+ msg942,
+ msg943,
+ msg944,
+ msg945,
+ msg946,
+ msg947,
+ msg948,
+ msg949,
+ msg950,
+ ]);
+
+ var part1524 = match("MESSAGE#939:00529/1_0", "nwparser.p0", "manually %{p0}");
+
+ var part1525 = match("MESSAGE#939:00529/1_1", "nwparser.p0", "automatically %{p0}");
+
+ var select355 = linear_select([
+ part1524,
+ part1525,
+ ]);
+
+ var part1526 = match("MESSAGE#939:00529/2", "nwparser.p0", "refreshed%{}");
+
+ var all332 = all_match({
+ processors: [
+ dup63,
+ select355,
+ part1526,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg951 = msg("00529", all332);
+
+ var part1527 = match("MESSAGE#940:00529:01/0", "nwparser.payload", "DNS entries have been refreshed by %{p0}");
+
+ var part1528 = match("MESSAGE#940:00529:01/1_0", "nwparser.p0", "state change%{}");
+
+ var part1529 = match("MESSAGE#940:00529:01/1_1", "nwparser.p0", "HA%{}");
+
+ var select356 = linear_select([
+ part1528,
+ part1529,
+ ]);
+
+ var all333 = all_match({
+ processors: [
+ part1527,
+ select356,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg952 = msg("00529:01", all333);
+
+ var select357 = linear_select([
+ msg951,
+ msg952,
+ ]);
+
+ var part1530 = match("MESSAGE#941:00530", "nwparser.payload", "An IP conflict has been detected and the DHCP client has declined address %{hostip}", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg953 = msg("00530", part1530);
+
+ var part1531 = match("MESSAGE#942:00530:01/0", "nwparser.payload", "DHCP client IP %{hostip->} for the %{p0}");
+
+ var part1532 = match("MESSAGE#942:00530:01/2", "nwparser.p0", "%{} %{interface->} has been manually released");
+
+ var all334 = all_match({
+ processors: [
+ part1531,
+ dup337,
+ part1532,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg954 = msg("00530:01", all334);
+
+ var part1533 = match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get an IP address for the %{interface->} interface", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg955 = msg("00530:02", part1533);
+
+ var part1534 = match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hostip->} has expired", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg956 = msg("00530:03", part1534);
+
+ var part1535 = match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has assigned the untrust Interface %{interface->} with lease %{fld2}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg957 = msg("00530:04", part1535);
+
+ var part1536 = match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has assigned the %{interface->} interface %{fld2->} with lease %{fld3}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg958 = msg("00530:05", part1536);
+
+ var part1537 = match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get IP address for the untrust interface.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg959 = msg("00530:06", part1537);
+
+ var select358 = linear_select([
+ msg953,
+ msg954,
+ msg955,
+ msg956,
+ msg957,
+ msg958,
+ msg959,
+ ]);
+
+ var part1538 = match("MESSAGE#948:00531/0", "nwparser.payload", "System clock configurations have been changed by admin %{p0}");
+
+ var all335 = all_match({
+ processors: [
+ part1538,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg960 = msg("00531", all335);
+
+ var part1539 = match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg961 = msg("00531:01", part1539);
+
+ var part1540 = match("MESSAGE#950:00531:02", "nwparser.payload", "The system clock has been updated through NTP.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg962 = msg("00531:02", part1540);
+
+ var part1541 = match("MESSAGE#951:00531:03/0", "nwparser.payload", "The system clock was updated from %{type->} NTP server type %{hostname->} with a%{p0}");
+
+ var part1542 = match("MESSAGE#951:00531:03/1_0", "nwparser.p0", " ms %{p0}");
+
+ var select359 = linear_select([
+ part1542,
+ dup115,
+ ]);
+
+ var part1543 = match("MESSAGE#951:00531:03/2", "nwparser.p0", "adjustment of %{fld3}. Authentication was %{fld4}. Update mode was %{p0}");
+
+ var part1544 = match("MESSAGE#951:00531:03/3_0", "nwparser.p0", "%{fld5}(%{fld2})");
+
+ var part1545 = match_copy("MESSAGE#951:00531:03/3_1", "nwparser.p0", "fld5");
+
+ var select360 = linear_select([
+ part1544,
+ part1545,
+ ]);
+
+ var all336 = all_match({
+ processors: [
+ part1541,
+ select359,
+ part1543,
+ select360,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup146,
+ ]),
+ });
+
+ var msg963 = msg("00531:03", all336);
+
+ var part1546 = match("MESSAGE#952:00531:04/0", "nwparser.payload", "The NetScreen device is attempting to contact the %{p0}");
+
+ var part1547 = match("MESSAGE#952:00531:04/1_0", "nwparser.p0", "primary backup %{p0}");
+
+ var part1548 = match("MESSAGE#952:00531:04/1_1", "nwparser.p0", "secondary backup %{p0}");
+
+ var select361 = linear_select([
+ part1547,
+ part1548,
+ dup189,
+ ]);
+
+ var part1549 = match("MESSAGE#952:00531:04/2", "nwparser.p0", "NTP server %{hostname}");
+
+ var all337 = all_match({
+ processors: [
+ part1546,
+ select361,
+ part1549,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg964 = msg("00531:04", all337);
+
+ var part1550 = match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contacted. (%{fld1})", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg965 = msg("00531:05", part1550);
+
+ var part1551 = match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustment of %{fld2->} from NTP server %{hostname->} exceeds the allowed adjustment of %{fld3}. (%{fld1})", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg966 = msg("00531:06", part1551);
+
+ var part1552 = match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be obtained from any NTP server. (%{fld1})", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg967 = msg("00531:07", part1552);
+
+ var part1553 = match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator->} changed the %{change_attribute->} from %{change_old->} to %{change_new->} (by %{fld3->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}) (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg968 = msg("00531:08", part1553);
+
+ var part1554 = match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol settings changed. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg969 = msg("00531:09", part1554);
+
+ var part1555 = match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition->} on interface %{interface->} (%{fld1})", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg970 = msg("00531:10", part1555);
+
+ var part1556 = match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be changed from %{change_old->} to %{change_new->} received from primary NTP server %{hostip->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ setc("event_description","system clock changed based on receive from primary NTP server"),
+ ]));
+
+ var msg971 = msg("00531:11", part1556);
+
+ var part1557 = match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{saddr->} could not be contacted. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg972 = msg("00531:12", part1557);
+
+ var select362 = linear_select([
+ msg960,
+ msg961,
+ msg962,
+ msg963,
+ msg964,
+ msg965,
+ msg966,
+ msg967,
+ msg968,
+ msg969,
+ msg970,
+ msg971,
+ msg972,
+ ]);
+
+ var part1558 = match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now responding", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg973 = msg("00533", part1558);
+
+ var part1559 = match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg974 = msg("00534", part1559);
+
+ var part1560 = match("MESSAGE#962:00535", "nwparser.payload", "Cannot find the CA certificate with distinguished name %{fld2}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg975 = msg("00535", part1560);
+
+ var part1561 = match("MESSAGE#963:00535:01", "nwparser.payload", "Distinguished name %{dn->} in the X509 certificate request is %{disposition}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg976 = msg("00535:01", part1561);
+
+ var part1562 = match("MESSAGE#964:00535:02", "nwparser.payload", "Local certificate with distinguished name %{dn->} is %{disposition}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg977 = msg("00535:02", part1562);
+
+ var part1563 = match("MESSAGE#965:00535:03", "nwparser.payload", "PKCS #7 data cannot be decapsulated%{}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg978 = msg("00535:03", part1563);
+
+ var part1564 = match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been received from the CA%{}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("result","SCEP_FAILURE message"),
+ ]));
+
+ var msg979 = msg("00535:04", part1564);
+
+ var part1565 = match("MESSAGE#967:00535:05", "nwparser.payload", "PKI error message has been received: %{result}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg980 = msg("00535:05", part1565);
+
+ var part1566 = match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration (CA cert subject name %{dn}). (%{event_time_string})", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("event_description","Saved CA configuration - cert subject name"),
+ ]));
+
+ var msg981 = msg("00535:06", part1566);
+
+ var select363 = linear_select([
+ msg975,
+ msg976,
+ msg977,
+ msg978,
+ msg979,
+ msg980,
+ msg981,
+ ]);
+
+ var part1567 = match("MESSAGE#969:00536:49/0", "nwparser.payload", "IKE %{hostip->} %{p0}");
+
+ var part1568 = match("MESSAGE#969:00536:49/1_0", "nwparser.p0", "Phase 2 msg ID %{sessionid}: %{disposition}. %{p0}");
+
+ var part1569 = match("MESSAGE#969:00536:49/1_1", "nwparser.p0", "Phase 1: %{disposition->} %{p0}");
+
+ var part1570 = match("MESSAGE#969:00536:49/1_2", "nwparser.p0", "phase 2:%{disposition}. %{p0}");
+
+ var part1571 = match("MESSAGE#969:00536:49/1_3", "nwparser.p0", "phase 1:%{disposition}. %{p0}");
+
+ var select364 = linear_select([
+ part1568,
+ part1569,
+ part1570,
+ part1571,
+ ]);
+
+ var all338 = all_match({
+ processors: [
+ part1567,
+ select364,
+ dup10,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg982 = msg("00536:49", all338);
+
+ var part1572 = match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received from %{saddr}/%{sport->} at interface %{interface->} at %{daddr}/%{dport}", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup61,
+ ]));
+
+ var msg983 = msg("00536", part1572);
+
+ var part1573 = match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2}) without IP address at both end points! Check outgoing interface.", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg984 = msg("00536:01", part1573);
+
+ var part1574 = match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip->} in %{fld4->} mode with ID: %{fld3->} has been %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg985 = msg("00536:02", part1574);
+
+ var part1575 = match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has been %{disposition}. %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg986 = msg("00536:03", part1575);
+
+ var part1576 = match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{group->} has deactivated the SA with ID %{fld2}.", processor_chain([
+ setc("eventcategory","1801010100"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg987 = msg("00536:04", part1576);
+
+ var part1577 = match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assigned%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg988 = msg("00536:05", part1577);
+
+ var part1578 = match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has changed to %{fld2}. VPNs cannot terminate at an interface with IP %{hostip}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg989 = msg("00536:06", part1578);
+
+ var part1579 = match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has changed from %{change_old->} to another setting", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg990 = msg("00536:07", part1579);
+
+ var part1580 = match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification message", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg991 = msg("00536:08", part1580);
+
+ var part1581 = match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg992 = msg("00536:09", part1581);
+
+ var part1582 = match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a packet with a bad SPI after rebooting", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg993 = msg("00536:10", part1582);
+
+ var part1583 = match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase 2 SAs after receiving a notification message", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg994 = msg("00536:11", part1583);
+
+ var part1584 = match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first Phase 1 packet from an unrecognized source", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg995 = msg("00536:12", part1584);
+
+ var part1585 = match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an initial Phase 1 packet from an unrecognized peer gateway", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg996 = msg("00536:13", part1585);
+
+ var part1586 = match("MESSAGE#984:00536:14/0", "nwparser.payload", "IKE %{hostip}: Received initial contact notification and removed Phase %{p0}");
+
+ var part1587 = match("MESSAGE#984:00536:14/2", "nwparser.p0", "SAs%{}");
+
+ var all339 = all_match({
+ processors: [
+ part1586,
+ dup383,
+ part1587,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg997 = msg("00536:14", all339);
+
+ var part1588 = match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a notification message for %{disposition}. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg998 = msg("00536:50", part1588);
+
+ var part1589 = match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incorrect ID payload: IP address %{fld2->} instead of IP address %{fld3}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg999 = msg("00536:15", part1589);
+
+ var part1590 = match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negotiation request is already in the task list", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1000 = msg("00536:16", part1590);
+
+ var part1591 = match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats have been lost %{fld2->} times", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1001 = msg("00536:17", part1591);
+
+ var part1592 = match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer packet because no policy uses the peer configuration", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1002 = msg("00536:18", part1592);
+
+ var part1593 = match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1003 = msg("00536:19", part1593);
+
+ var part1594 = match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the initial contact task to the task list", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1004 = msg("00536:20", part1594);
+
+ var part1595 = match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 session tasks to the task list", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1005 = msg("00536:21", part1595);
+
+ var part1596 = match("MESSAGE#993:00536:22", "nwparser.payload", "IKE %{hostip->} Phase 1 : %{disposition->} proposals from peer. Negotiations failed", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("result","Negotiations failed"),
+ ]));
+
+ var msg1006 = msg("00536:22", part1596);
+
+ var part1597 = match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Aborted negotiations because the time limit has elapsed", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("result","The time limit has elapsed"),
+ setc("disposition","Aborted"),
+ ]));
+
+ var msg1007 = msg("00536:23", part1597);
+
+ var part1598 = match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1008 = msg("00536:24", part1598);
+
+ var part1599 = match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Received DH group %{fld2->} instead of expected group %{fld3->} for PFS", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1009 = msg("00536:25", part1599);
+
+ var part1600 = match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No policy exists for the proxy ID received: local ID %{fld2->} remote ID %{fld3}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1010 = msg("00536:26", part1600);
+
+ var part1601 = match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA private key is needed to sign packets", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1011 = msg("00536:27", part1601);
+
+ var part1602 = match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggressive mode negotiations have %{disposition}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1012 = msg("00536:28", part1602);
+
+ var part1603 = match("MESSAGE#1000:00536:29", "nwparser.payload", "IKE %{hostip->} Phase 1: Vendor ID payload indicates that the peer does not support NAT-T", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1013 = msg("00536:29", part1603);
+
+ var part1604 = match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Retransmission limit has been reached", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1014 = msg("00536:30", part1604);
+
+ var part1605 = match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an invalid RSA signature", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1015 = msg("00536:31", part1605);
+
+ var part1606 = match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an incorrect public key authentication method", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1016 = msg("00536:32", part1606);
+
+ var part1607 = match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No private key exists to sign packets", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1017 = msg("00536:33", part1607);
+
+ var part1608 = match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1018 = msg("00536:34", part1608);
+
+ var part1609 = match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE initiator has detected NAT in front of the local device", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1019 = msg("00536:35", part1609);
+
+ var part1610 = match("MESSAGE#1007:00536:36/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Discarded a second initial packet%{p0}");
+
+ var part1611 = match("MESSAGE#1007:00536:36/2", "nwparser.p0", "%{}which arrived within %{fld2->} after the first");
+
+ var all340 = all_match({
+ processors: [
+ part1610,
+ dup401,
+ part1611,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1020 = msg("00536:36", all340);
+
+ var part1612 = match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Completed Aggressive mode negotiations with a %{fld2->} lifetime", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1021 = msg("00536:37", part1612);
+
+ var part1613 = match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a subject name that does not match the ID payload", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1022 = msg("00536:38", part1613);
+
+ var part1614 = match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a different IP address %{fld2->} than expected", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1023 = msg("00536:39", part1614);
+
+ var part1615 = match("MESSAGE#1011:00536:40", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot use a preshared key because the peer%{quote}s gateway has a dynamic IP address and negotiations are in Main mode", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1024 = msg("00536:40", part1615);
+
+ var part1616 = match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated negotiations in Aggressive mode", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1025 = msg("00536:47", part1616);
+
+ var part1617 = match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot verify RSA signature", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1026 = msg("00536:41", part1617);
+
+ var part1618 = match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated Main mode negotiations", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1027 = msg("00536:42", part1618);
+
+ var part1619 = match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Initiated negotiations", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1028 = msg("00536:43", part1619);
+
+ var part1620 = match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heartbeat interval to %{fld2}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1029 = msg("00536:44", part1620);
+
+ var part1621 = match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats have been %{disposition->} because %{result}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1030 = msg("00536:45", part1621);
+
+ var part1622 = match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{interface->} from %{saddr}:%{sport->} to %{daddr}:%{dport}/%{fld1}. Cookies: %{ike_cookie1}, %{ike_cookie2}. (%{event_time_string})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("event_description","Received an IKE packet on interface"),
+ ]));
+
+ var msg1031 = msg("00536:48", part1622);
+
+ var part1623 = match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a bad SPI", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1032 = msg("00536:46", part1623);
+
+ var select365 = linear_select([
+ msg982,
+ msg983,
+ msg984,
+ msg985,
+ msg986,
+ msg987,
+ msg988,
+ msg989,
+ msg990,
+ msg991,
+ msg992,
+ msg993,
+ msg994,
+ msg995,
+ msg996,
+ msg997,
+ msg998,
+ msg999,
+ msg1000,
+ msg1001,
+ msg1002,
+ msg1003,
+ msg1004,
+ msg1005,
+ msg1006,
+ msg1007,
+ msg1008,
+ msg1009,
+ msg1010,
+ msg1011,
+ msg1012,
+ msg1013,
+ msg1014,
+ msg1015,
+ msg1016,
+ msg1017,
+ msg1018,
+ msg1019,
+ msg1020,
+ msg1021,
+ msg1022,
+ msg1023,
+ msg1024,
+ msg1025,
+ msg1026,
+ msg1027,
+ msg1028,
+ msg1029,
+ msg1030,
+ msg1031,
+ msg1032,
+ ]);
+
+ var part1624 = match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to establish a session: %{info}", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg1033 = msg("00537", part1624);
+
+ var part1625 = match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1034 = msg("00537:01", part1625);
+
+ var part1626 = match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1035 = msg("00537:02", part1626);
+
+ var part1627 = match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successfully established%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1036 = msg("00537:03", part1627);
+
+ var select366 = linear_select([
+ msg1033,
+ msg1034,
+ msg1035,
+ msg1036,
+ ]);
+
+ var part1628 = match("MESSAGE#1024:00538/0", "nwparser.payload", "NACN failed to register to Policy Manager %{fld2->} because %{p0}");
+
+ var select367 = linear_select([
+ dup111,
+ dup119,
+ ]);
+
+ var part1629 = match("MESSAGE#1024:00538/2", "nwparser.p0", "%{result}");
+
+ var all341 = all_match({
+ processors: [
+ part1628,
+ select367,
+ part1629,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1037 = msg("00538", all341);
+
+ var part1630 = match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered to Policy Manager %{fld2}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1038 = msg("00538:01", part1630);
+
+ var part1631 = match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has started for Policy Manager %{fld2->} on hostname %{hostname->} IP address %{hostip->} port %{network_port}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1039 = msg("00538:02", part1631);
+
+ var part1632 = match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server at %{hostip->} (%{fld2->} connect attempt(s)) %{fld3}", processor_chain([
+ dup19,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg1040 = msg("00538:03", part1632);
+
+ var part1633 = match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Global PRO data collector at %{hostip}", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1041 = msg("00538:04", part1633);
+
+ var part1634 = match("MESSAGE#1029:00538:05/0", "nwparser.payload", "Lost %{p0}");
+
+ var part1635 = match("MESSAGE#1029:00538:05/1_0", "nwparser.p0", "socket connection%{p0}");
+
+ var part1636 = match("MESSAGE#1029:00538:05/1_1", "nwparser.p0", "connection%{p0}");
+
+ var select368 = linear_select([
+ part1635,
+ part1636,
+ ]);
+
+ var part1637 = match("MESSAGE#1029:00538:05/2", "nwparser.p0", "%{}to Global PRO data collector at %{hostip}");
+
+ var all342 = all_match({
+ processors: [
+ part1634,
+ select368,
+ part1637,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1042 = msg("00538:05", all342);
+
+ var part1638 = match("MESSAGE#1030:00538:06/0", "nwparser.payload", "Device has connected to the Global PRO%{p0}");
+
+ var part1639 = match("MESSAGE#1030:00538:06/1_0", "nwparser.p0", " %{fld2->} primary data collector at %{p0}");
+
+ var part1640 = match("MESSAGE#1030:00538:06/1_1", "nwparser.p0", " primary data collector at %{p0}");
+
+ var select369 = linear_select([
+ part1639,
+ part1640,
+ ]);
+
+ var part1641 = match_copy("MESSAGE#1030:00538:06/2", "nwparser.p0", "hostip");
+
+ var all343 = all_match({
+ processors: [
+ part1638,
+ select369,
+ part1641,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1043 = msg("00538:06", all343);
+
+ var part1642 = match("MESSAGE#1031:00538:07/0", "nwparser.payload", "Connection to Global PRO data collector at %{hostip->} has%{p0}");
+
+ var part1643 = match("MESSAGE#1031:00538:07/1_0", "nwparser.p0", " been%{p0}");
+
+ var select370 = linear_select([
+ part1643,
+ dup16,
+ ]);
+
+ var all344 = all_match({
+ processors: [
+ part1642,
+ select370,
+ dup136,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1044 = msg("00538:07", all344);
+
+ var part1644 = match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO data collector at %{hostip}", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1045 = msg("00538:08", part1644);
+
+ var part1645 = match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server at %{hostip->} (%{info}) (%{fld1})", processor_chain([
+ dup301,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ setc("event_description","Connected to NSM server"),
+ ]));
+
+ var msg1046 = msg("00538:09", part1645);
+
+ var part1646 = match("MESSAGE#1034:00538:10/0", "nwparser.payload", "NSM: Connection to NSM server at %{hostip->} is down. Reason: %{resultcode}, %{result->} (%{p0}");
+
+ var part1647 = match("MESSAGE#1034:00538:10/1_0", "nwparser.p0", "%{info}) (%{fld1})");
+
+ var select371 = linear_select([
+ part1647,
+ dup41,
+ ]);
+
+ var all345 = all_match({
+ processors: [
+ part1646,
+ select371,
+ ],
+ on_success: processor_chain([
+ dup198,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ setc("event_description","Connection to NSM server is down"),
+ ]),
+ });
+
+ var msg1047 = msg("00538:10", all345);
+
+ var part1648 = match("MESSAGE#1035:00538:11", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld2->} connect attempt(s)) (%{fld1})", processor_chain([
+ dup198,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup323,
+ ]));
+
+ var msg1048 = msg("00538:11", part1648);
+
+ var part1649 = match("MESSAGE#1036:00538:12", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld1})", processor_chain([
+ dup198,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup323,
+ ]));
+
+ var msg1049 = msg("00538:12", part1649);
+
+ var part1650 = match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ setc("event_description","Sent 2B message"),
+ ]));
+
+ var msg1050 = msg("00538:13", part1650);
+
+ var select372 = linear_select([
+ msg1037,
+ msg1038,
+ msg1039,
+ msg1040,
+ msg1041,
+ msg1042,
+ msg1043,
+ msg1044,
+ msg1045,
+ msg1046,
+ msg1047,
+ msg1048,
+ msg1049,
+ msg1050,
+ ]);
+
+ var part1651 = match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool for user %{username}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1051 = msg("00539", part1651);
+
+ var part1652 = match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{username}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1052 = msg("00539:01", part1652);
+
+ var part1653 = match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from Pool %{group_object->} for user %{username}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1053 = msg("00539:02", part1653);
+
+ var part1654 = match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to establish a session: %{fld2}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1054 = msg("00539:03", part1654);
+
+ var part1655 = match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has successfully established.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1055 = msg("00539:04", part1655);
+
+ var part1656 = match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned. You cannot allocate an IP address%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1056 = msg("00539:05", part1656);
+
+ var part1657 = match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1057 = msg("00539:06", part1657);
+
+ var select373 = linear_select([
+ msg1051,
+ msg1052,
+ msg1053,
+ msg1054,
+ msg1055,
+ msg1056,
+ msg1057,
+ ]);
+
+ var part1658 = match("MESSAGE#1045:00541", "nwparser.payload", "ScreenOS %{fld2->} serial # %{serial_number}: Asset recovery has been %{disposition}", processor_chain([
+ dup324,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1058 = msg("00541", part1658);
+
+ var part1659 = match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2->} IP address - %{hostip->} changed its state to %{change_new}. (%{fld1})", processor_chain([
+ dup273,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1059 = msg("00541:01", part1659);
+
+ var part1660 = match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from %{change_old->} to %{change_new->} state, (neighbor router-id 1%{fld2}, ip-address %{hostip}). (%{fld1})", processor_chain([
+ dup273,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1060 = msg("00541:02", part1660);
+
+ var part1661 = match("MESSAGE#1219:00541:03/0", "nwparser.payload", "LSA in following area aged out: LSA area ID %{fld3}, LSA ID %{fld4}, router ID %{fld2}, type %{fld7->} in OSPF. (%{fld1})%{p0}");
+
+ var part1662 = match("MESSAGE#1219:00541:03/1_0", "nwparser.p0", "\u003c\u003c%{fld16}>");
+
+ var select374 = linear_select([
+ part1662,
+ dup21,
+ ]);
+
+ var all346 = all_match({
+ processors: [
+ part1661,
+ select374,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1061 = msg("00541:03", all346);
+
+ var select375 = linear_select([
+ msg1058,
+ msg1059,
+ msg1060,
+ msg1061,
+ ]);
+
+ var part1663 = match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix adding: %{fld2}, ribin overflow %{fld3->} times (max rib-in %{fld4})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1062 = msg("00542", part1663);
+
+ var part1664 = match("MESSAGE#1047:00543/0", "nwparser.payload", "Access for %{p0}");
+
+ var part1665 = match("MESSAGE#1047:00543/1_0", "nwparser.p0", "WebAuth firewall %{p0}");
+
+ var part1666 = match("MESSAGE#1047:00543/1_1", "nwparser.p0", "firewall %{p0}");
+
+ var select376 = linear_select([
+ part1665,
+ part1666,
+ ]);
+
+ var part1667 = match("MESSAGE#1047:00543/2", "nwparser.p0", "user %{username->} %{space}at %{hostip->} (accepted at %{fld2->} for duration %{duration->} via the %{logon_type}) %{p0}");
+
+ var part1668 = match("MESSAGE#1047:00543/3_0", "nwparser.p0", "by policy id %{policy_id->} is %{p0}");
+
+ var select377 = linear_select([
+ part1668,
+ dup106,
+ ]);
+
+ var part1669 = match("MESSAGE#1047:00543/4", "nwparser.p0", "now over (%{fld1})");
+
+ var all347 = all_match({
+ processors: [
+ part1664,
+ select376,
+ part1667,
+ select377,
+ part1669,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ dup3,
+ ]),
+ });
+
+ var msg1063 = msg("00543", all347);
+
+ var part1670 = match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group %{group->} ] at %{hostip->} has been challenged by the RADIUS server at %{daddr}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup60,
+ setc("action","RADIUS server challenge"),
+ ]));
+
+ var msg1064 = msg("00544", part1670);
+
+ var part1671 = match("MESSAGE#1049:00546", "nwparser.payload", "delete-route-> trust-vr: %{fld2}", processor_chain([
+ dup281,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1065 = msg("00546", part1671);
+
+ var part1672 = match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned because max content size was exceeded.", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup61,
+ ]));
+
+ var msg1066 = msg("00547", part1672);
+
+ var part1673 = match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned due to a scan engine error or constraint.", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup61,
+ ]));
+
+ var msg1067 = msg("00547:01", part1673);
+
+ var part1674 = match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has been %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1068 = msg("00547:02", part1674);
+
+ var part1675 = match("MESSAGE#1053:00547:03/0", "nwparser.payload", "AV: Content from %{location_desc}, http url: %{url}, is passed %{p0}");
+
+ var part1676 = match("MESSAGE#1053:00547:03/1_0", "nwparser.p0", "due to %{p0}");
+
+ var part1677 = match("MESSAGE#1053:00547:03/1_1", "nwparser.p0", "because %{p0}");
+
+ var select378 = linear_select([
+ part1676,
+ part1677,
+ ]);
+
+ var part1678 = match("MESSAGE#1053:00547:03/2", "nwparser.p0", "%{result}. (%{event_time_string})");
+
+ var all348 = all_match({
+ processors: [
+ part1675,
+ select378,
+ part1678,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("event_description","Content is bypassed for connection"),
+ ]),
+ });
+
+ var msg1069 = msg("00547:03", all348);
+
+ var select379 = linear_select([
+ msg1066,
+ msg1067,
+ msg1068,
+ msg1069,
+ ]);
+
+ var part1679 = match("MESSAGE#1054:00549", "nwparser.payload", "add-route-> untrust-vr: %{fld2}", processor_chain([
+ dup281,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1070 = msg("00549", part1679);
+
+ var part1680 = match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred during configlet file processing.", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1071 = msg("00551", part1680);
+
+ var part1681 = match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurred, causing failure to establish secure management with Management System.", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1072 = msg("00551:01", part1681);
+
+ var part1682 = match("MESSAGE#1057:00551:02/0", "nwparser.payload", "Configlet file %{p0}");
+
+ var part1683 = match("MESSAGE#1057:00551:02/1_0", "nwparser.p0", "decryption %{p0}");
+
+ var select380 = linear_select([
+ part1683,
+ dup89,
+ ]);
+
+ var all349 = all_match({
+ processors: [
+ part1682,
+ select380,
+ dup128,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1073 = msg("00551:02", all349);
+
+ var part1684 = match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot start because gateway has undergone configuration changes. (%{fld1})", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1074 = msg("00551:03", part1684);
+
+ var part1685 = match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management established successfully with remote server. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1075 = msg("00551:04", part1685);
+
+ var select381 = linear_select([
+ msg1071,
+ msg1072,
+ msg1073,
+ msg1074,
+ msg1075,
+ ]);
+
+ var part1686 = match("MESSAGE#1060:00553/0", "nwparser.payload", "SCAN-MGR: Failed to get %{p0}");
+
+ var part1687 = match("MESSAGE#1060:00553/1_0", "nwparser.p0", "AltServer %{p0}");
+
+ var part1688 = match("MESSAGE#1060:00553/1_1", "nwparser.p0", "Version %{p0}");
+
+ var part1689 = match("MESSAGE#1060:00553/1_2", "nwparser.p0", "Path_GateLockCE %{p0}");
+
+ var select382 = linear_select([
+ part1687,
+ part1688,
+ part1689,
+ ]);
+
+ var all350 = all_match({
+ processors: [
+ part1686,
+ select382,
+ dup325,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1076 = msg("00553", all350);
+
+ var part1690 = match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size from server.ini.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1077 = msg("00553:01", part1690);
+
+ var part1691 = match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from server.ini is too large: %{bytes->} (bytes).", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1078 = msg("00553:02", part1691);
+
+ var part1692 = match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from server.ini is too long: %{fld2}; max is %{fld3}.", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1079 = msg("00553:03", part1692);
+
+ var part1693 = match("MESSAGE#1064:00553:04/0", "nwparser.payload", "SCAN-MGR: Failed to retrieve %{p0}");
+
+ var select383 = linear_select([
+ dup326,
+ dup327,
+ ]);
+
+ var part1694 = match("MESSAGE#1064:00553:04/2", "nwparser.p0", "file: %{fld2}; http status code: %{resultcode}.");
+
+ var all351 = all_match({
+ processors: [
+ part1693,
+ select383,
+ part1694,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1080 = msg("00553:04", all351);
+
+ var part1695 = match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pattern into a RAM file.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1081 = msg("00553:05", part1695);
+
+ var part1696 = match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File failed: code from VSAPI: %{resultcode}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1082 = msg("00553:06", part1696);
+
+ var part1697 = match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pattern into flash.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1083 = msg("00553:07", part1697);
+
+ var part1698 = match("MESSAGE#1068:00553:08/0", "nwparser.payload", "SCAN-MGR: Internal error while setting up for retrieving %{p0}");
+
+ var select384 = linear_select([
+ dup327,
+ dup326,
+ ]);
+
+ var all352 = all_match({
+ processors: [
+ part1698,
+ select384,
+ dup328,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1084 = msg("00553:08", all352);
+
+ var part1699 = match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{disposition}: Err: %{resultcode}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1085 = msg("00553:09", part1699);
+
+ var part1700 = match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{disposition->} due to %{result}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1086 = msg("00553:10", part1700);
+
+ var part1701 = match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern Creation Date(%{fld2}) is after AV Key Expiration date(%{fld3}).", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1087 = msg("00553:11", part1701);
+
+ var part1702 = match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompressLayer %{disposition}: Layer: %{fld2}, Err: %{resultcode}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1088 = msg("00553:12", part1702);
+
+ var part1703 = match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFileSizeLimit %{disposition}: Limit: %{fld2}, Err: %{resultcode}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1089 = msg("00553:13", part1703);
+
+ var part1704 = match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{disposition}: ret: %{fld2}; cpapiErrCode: %{resultcode}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1090 = msg("00553:14", part1704);
+
+ var part1705 = match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usage error. Left usage: %{fld2}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1091 = msg("00553:15", part1705);
+
+ var part1706 = match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress layer to %{fld2}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1092 = msg("00553:16", part1706);
+
+ var part1707 = match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum content size to %{fld2}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1093 = msg("00553:17", part1707);
+
+ var part1708 = match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number of concurrent messages to %{fld2}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1094 = msg("00553:18", part1708);
+
+ var part1709 = match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to %{fld2}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1095 = msg("00553:19", part1709);
+
+ var part1710 = match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to %{fld2}; update interval is %{fld3}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1096 = msg("00553:20", part1710);
+
+ var part1711 = match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1097 = msg("00553:21", part1711);
+
+ var part1712 = match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern updated: version: %{version}, size: %{bytes->} (bytes).", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1098 = msg("00553:22", part1712);
+
+ var select385 = linear_select([
+ msg1076,
+ msg1077,
+ msg1078,
+ msg1079,
+ msg1080,
+ msg1081,
+ msg1082,
+ msg1083,
+ msg1084,
+ msg1085,
+ msg1086,
+ msg1087,
+ msg1088,
+ msg1089,
+ msg1090,
+ msg1091,
+ msg1092,
+ msg1093,
+ msg1094,
+ msg1095,
+ msg1096,
+ msg1097,
+ msg1098,
+ ]);
+
+ var part1713 = match("MESSAGE#1083:00554/0", "nwparser.payload", "SCAN-MGR: Cannot get %{p0}");
+
+ var part1714 = match("MESSAGE#1083:00554/1_0", "nwparser.p0", "AltServer info %{p0}");
+
+ var part1715 = match("MESSAGE#1083:00554/1_1", "nwparser.p0", "Version number %{p0}");
+
+ var part1716 = match("MESSAGE#1083:00554/1_2", "nwparser.p0", "Path_GateLockCE info %{p0}");
+
+ var select386 = linear_select([
+ part1714,
+ part1715,
+ part1716,
+ ]);
+
+ var all353 = all_match({
+ processors: [
+ part1713,
+ select386,
+ dup325,
+ ],
+ on_success: processor_chain([
+ dup144,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1099 = msg("00554", all353);
+
+ var part1717 = match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini file, the AV pattern file size is zero.%{}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1100 = msg("00554:01", part1717);
+
+ var part1718 = match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file size is too large (%{bytes->} bytes).", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1101 = msg("00554:02", part1718);
+
+ var part1719 = match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV pattern file server URL is too long: %{bytes->} bytes. Max: %{fld2->} bytes.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1102 = msg("00554:03", part1719);
+
+ var part1720 = match("MESSAGE#1087:00554:04/0", "nwparser.payload", "SCAN-MGR: Cannot retrieve %{p0}");
+
+ var part1721 = match("MESSAGE#1087:00554:04/2", "nwparser.p0", "file from %{hostip}:%{network_port}. HTTP status code: %{fld2}.");
+
+ var all354 = all_match({
+ processors: [
+ part1720,
+ dup405,
+ part1721,
+ ],
+ on_success: processor_chain([
+ dup144,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1103 = msg("00554:04", all354);
+
+ var part1722 = match("MESSAGE#1088:00554:05/0", "nwparser.payload", "SCAN-MGR: Cannot write AV pattern file to %{p0}");
+
+ var part1723 = match("MESSAGE#1088:00554:05/1_0", "nwparser.p0", "RAM %{p0}");
+
+ var part1724 = match("MESSAGE#1088:00554:05/1_1", "nwparser.p0", "flash %{p0}");
+
+ var select387 = linear_select([
+ part1723,
+ part1724,
+ ]);
+
+ var all355 = all_match({
+ processors: [
+ part1722,
+ select387,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup144,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1104 = msg("00554:05", all355);
+
+ var part1725 = match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pattern file. VSAPI code: %{fld2}", processor_chain([
+ dup144,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1105 = msg("00554:06", part1725);
+
+ var part1726 = match("MESSAGE#1090:00554:07/0", "nwparser.payload", "SCAN-MGR: Internal error occurred while retrieving %{p0}");
+
+ var all356 = all_match({
+ processors: [
+ part1726,
+ dup405,
+ dup328,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1106 = msg("00554:07", all356);
+
+ var part1727 = match("MESSAGE#1091:00554:08/0", "nwparser.payload", "SCAN-MGR: Internal error occurred when calling this function: %{fld2}. %{fld3->} %{p0}");
+
+ var part1728 = match("MESSAGE#1091:00554:08/1_0", "nwparser.p0", "Error: %{resultcode->} %{p0}");
+
+ var part1729 = match("MESSAGE#1091:00554:08/1_1", "nwparser.p0", "Returned a NULL VSC handler %{p0}");
+
+ var part1730 = match("MESSAGE#1091:00554:08/1_2", "nwparser.p0", "cpapiErrCode: %{resultcode->} %{p0}");
+
+ var select388 = linear_select([
+ part1728,
+ part1729,
+ part1730,
+ ]);
+
+ var all357 = all_match({
+ processors: [
+ part1727,
+ select388,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1107 = msg("00554:08", all357);
+
+ var part1731 = match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompression layers has been set to %{fld2}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1108 = msg("00554:09", part1731);
+
+ var part1732 = match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content size has been set to %{fld2->} KB.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1109 = msg("00554:10", part1732);
+
+ var part1733 = match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of concurrent messages has been set to %{fld2}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1110 = msg("00554:11", part1733);
+
+ var part1734 = match("MESSAGE#1095:00554:12/0", "nwparser.payload", "SCAN-MGR: Fail mode has been set to %{p0}");
+
+ var part1735 = match("MESSAGE#1095:00554:12/1_0", "nwparser.p0", "drop %{p0}");
+
+ var part1736 = match("MESSAGE#1095:00554:12/1_1", "nwparser.p0", "pass %{p0}");
+
+ var select389 = linear_select([
+ part1735,
+ part1736,
+ ]);
+
+ var part1737 = match("MESSAGE#1095:00554:12/2", "nwparser.p0", "unexamined traffic if %{p0}");
+
+ var part1738 = match("MESSAGE#1095:00554:12/3_0", "nwparser.p0", "content size %{p0}");
+
+ var part1739 = match("MESSAGE#1095:00554:12/3_1", "nwparser.p0", "number of concurrent messages %{p0}");
+
+ var select390 = linear_select([
+ part1738,
+ part1739,
+ ]);
+
+ var part1740 = match("MESSAGE#1095:00554:12/4", "nwparser.p0", "exceeds max.%{}");
+
+ var all358 = all_match({
+ processors: [
+ part1734,
+ select389,
+ part1737,
+ select390,
+ part1740,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1111 = msg("00554:12", all358);
+
+ var part1741 = match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been set to %{fld2}, and the update interval to %{fld3->} minutes.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1112 = msg("00554:13", part1741);
+
+ var part1742 = match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1113 = msg("00554:14", part1742);
+
+ var part1743 = match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern file has been updated. Version: %{version}; size: %{bytes->} bytes.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1114 = msg("00554:15", part1743);
+
+ var part1744 = match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: %{fld2}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1115 = msg("00554:16", part1744);
+
+ var part1745 = match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load AV pattern file created %{fld2->} after the AV subscription expired. (Exp: %{fld3})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1116 = msg("00554:17", part1745);
+
+ var select391 = linear_select([
+ msg1099,
+ msg1100,
+ msg1101,
+ msg1102,
+ msg1103,
+ msg1104,
+ msg1105,
+ msg1106,
+ msg1107,
+ msg1108,
+ msg1109,
+ msg1110,
+ msg1111,
+ msg1112,
+ msg1113,
+ msg1114,
+ msg1115,
+ msg1116,
+ ]);
+
+ var part1746 = match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot process non-multicast address %{hostip}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1117 = msg("00555", part1746);
+
+ var part1747 = match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a request. Reason: %{result}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1118 = msg("00556", part1747);
+
+ var part1748 = match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a transaction. Reason: %{result}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1119 = msg("00556:01", part1748);
+
+ var part1749 = match("MESSAGE#1104:00556:02/0", "nwparser.payload", "UF-MGR: UF %{p0}");
+
+ var part1750 = match("MESSAGE#1104:00556:02/1_0", "nwparser.p0", "K%{p0}");
+
+ var part1751 = match("MESSAGE#1104:00556:02/1_1", "nwparser.p0", "k%{p0}");
+
+ var select392 = linear_select([
+ part1750,
+ part1751,
+ ]);
+
+ var part1752 = match("MESSAGE#1104:00556:02/2", "nwparser.p0", "ey %{p0}");
+
+ var part1753 = match("MESSAGE#1104:00556:02/3_0", "nwparser.p0", "Expired%{p0}");
+
+ var part1754 = match("MESSAGE#1104:00556:02/3_1", "nwparser.p0", "expired%{p0}");
+
+ var select393 = linear_select([
+ part1753,
+ part1754,
+ ]);
+
+ var part1755 = match("MESSAGE#1104:00556:02/4", "nwparser.p0", "%{}(expiration date: %{fld2}; current date: %{fld3}).");
+
+ var all359 = all_match({
+ processors: [
+ part1749,
+ select392,
+ part1752,
+ select393,
+ part1755,
+ ],
+ on_success: processor_chain([
+ dup254,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1120 = msg("00556:02", all359);
+
+ var part1756 = match("MESSAGE#1105:00556:03/0", "nwparser.payload", "UF-MGR: Failed to %{p0}");
+
+ var part1757 = match("MESSAGE#1105:00556:03/1_0", "nwparser.p0", "enable %{p0}");
+
+ var part1758 = match("MESSAGE#1105:00556:03/1_1", "nwparser.p0", "disable %{p0}");
+
+ var select394 = linear_select([
+ part1757,
+ part1758,
+ ]);
+
+ var part1759 = match("MESSAGE#1105:00556:03/2", "nwparser.p0", "cache.%{}");
+
+ var all360 = all_match({
+ processors: [
+ part1756,
+ select394,
+ part1759,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1121 = msg("00556:03", all360);
+
+ var part1760 = match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{resultcode}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1122 = msg("00556:04", part1760);
+
+ var part1761 = match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed to %{fld2}(K).", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1123 = msg("00556:05", part1761);
+
+ var part1762 = match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout changes to %{fld2->} (hours).", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1124 = msg("00556:06", part1762);
+
+ var part1763 = match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update interval changed to %{fld2->} (weeks).", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1125 = msg("00556:07", part1763);
+
+ var part1764 = match("MESSAGE#1110:00556:08/0", "nwparser.payload", "UF-MGR: Cache %{p0}");
+
+ var all361 = all_match({
+ processors: [
+ part1764,
+ dup358,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1126 = msg("00556:08", all361);
+
+ var part1765 = match("MESSAGE#1111:00556:09", "nwparser.payload", "UF-MGR: URL BLOCKED: ip_addr (%{fld2}) -> ip_addr (%{fld3}), %{fld4->} action: %{disposition}, category: %{fld5}, reason %{result}", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup282,
+ ]));
+
+ var msg1127 = msg("00556:09", part1765);
+
+ var part1766 = match("MESSAGE#1112:00556:10", "nwparser.payload", "UF-MGR: URL FILTER ERR: ip_addr (%{fld2}) -> ip_addr (%{fld3}), host: %{fld5->} page: %{fld4->} code: %{resultcode->} reason: %{result}.", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1128 = msg("00556:10", part1766);
+
+ var part1767 = match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server changed to %{fld2}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1129 = msg("00556:11", part1767);
+
+ var part1768 = match("MESSAGE#1114:00556:12/0", "nwparser.payload", "UF-MGR: %{fld2->} CPA server %{p0}");
+
+ var select395 = linear_select([
+ dup140,
+ dup169,
+ ]);
+
+ var part1769 = match("MESSAGE#1114:00556:12/2", "nwparser.p0", "changed to %{fld3}.");
+
+ var all362 = all_match({
+ processors: [
+ part1768,
+ select395,
+ part1769,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1130 = msg("00556:12", all362);
+
+ var part1770 = match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filtering %{disposition}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1131 = msg("00556:13", part1770);
+
+ var part1771 = match("MESSAGE#1116:00556:14/0", "nwparser.payload", "UF-MGR: The url %{url->} was %{p0}");
+
+ var part1772 = match("MESSAGE#1116:00556:14/2", "nwparser.p0", "category %{fld2}.");
+
+ var all363 = all_match({
+ processors: [
+ part1771,
+ dup406,
+ part1772,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1132 = msg("00556:14", all363);
+
+ var part1773 = match("MESSAGE#1117:00556:15/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was %{p0}");
+
+ var part1774 = match("MESSAGE#1117:00556:15/2", "nwparser.p0", "profile %{fld3->} with action %{disposition}.");
+
+ var all364 = all_match({
+ processors: [
+ part1773,
+ dup406,
+ part1774,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup282,
+ ]),
+ });
+
+ var msg1133 = msg("00556:15", all364);
+
+ var part1775 = match("MESSAGE#1118:00556:16/0", "nwparser.payload", "UF-MGR: The %{p0}");
+
+ var part1776 = match("MESSAGE#1118:00556:16/1_0", "nwparser.p0", "profile %{p0}");
+
+ var part1777 = match("MESSAGE#1118:00556:16/1_1", "nwparser.p0", "category %{p0}");
+
+ var select396 = linear_select([
+ part1776,
+ part1777,
+ ]);
+
+ var part1778 = match("MESSAGE#1118:00556:16/2", "nwparser.p0", "%{fld2->} was %{p0}");
+
+ var select397 = linear_select([
+ dup104,
+ dup120,
+ ]);
+
+ var all365 = all_match({
+ processors: [
+ part1775,
+ select396,
+ part1778,
+ select397,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1134 = msg("00556:16", all365);
+
+ var part1779 = match("MESSAGE#1119:00556:17/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was set in profile %{profile->} as the %{p0}");
+
+ var part1780 = match("MESSAGE#1119:00556:17/1_0", "nwparser.p0", "black %{p0}");
+
+ var part1781 = match("MESSAGE#1119:00556:17/1_1", "nwparser.p0", "white %{p0}");
+
+ var select398 = linear_select([
+ part1780,
+ part1781,
+ ]);
+
+ var part1782 = match("MESSAGE#1119:00556:17/2", "nwparser.p0", "list.%{}");
+
+ var all366 = all_match({
+ processors: [
+ part1779,
+ select398,
+ part1782,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1135 = msg("00556:17", all366);
+
+ var part1783 = match("MESSAGE#1120:00556:18/0", "nwparser.payload", "UF-MGR: The action for %{fld2->} in profile %{profile->} was %{p0}");
+
+ var part1784 = match("MESSAGE#1120:00556:18/1_1", "nwparser.p0", "changed %{p0}");
+
+ var select399 = linear_select([
+ dup101,
+ part1784,
+ ]);
+
+ var part1785 = match("MESSAGE#1120:00556:18/2", "nwparser.p0", "to %{fld3}.");
+
+ var all367 = all_match({
+ processors: [
+ part1783,
+ select399,
+ part1785,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1136 = msg("00556:18", all367);
+
+ var part1786 = match("MESSAGE#1121:00556:20/0", "nwparser.payload", "UF-MGR: The category list from the CPA server %{p0}");
+
+ var part1787 = match("MESSAGE#1121:00556:20/2", "nwparser.p0", "updated on%{p0}");
+
+ var select400 = linear_select([
+ dup103,
+ dup96,
+ ]);
+
+ var part1788 = match("MESSAGE#1121:00556:20/4", "nwparser.p0", "the device.%{}");
+
+ var all368 = all_match({
+ processors: [
+ part1786,
+ dup355,
+ part1787,
+ select400,
+ part1788,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1137 = msg("00556:20", all368);
+
+ var part1789 = match("MESSAGE#1122:00556:21", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} action: %{disposition}, category: %{category}, reason: %{result->} (%{fld1})", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup282,
+ ]));
+
+ var msg1138 = msg("00556:21", part1789);
+
+ var part1790 = match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} (%{fld1})", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1139 = msg("00556:22", part1790);
+
+ var select401 = linear_select([
+ msg1118,
+ msg1119,
+ msg1120,
+ msg1121,
+ msg1122,
+ msg1123,
+ msg1124,
+ msg1125,
+ msg1126,
+ msg1127,
+ msg1128,
+ msg1129,
+ msg1130,
+ msg1131,
+ msg1132,
+ msg1133,
+ msg1134,
+ msg1135,
+ msg1136,
+ msg1137,
+ msg1138,
+ msg1139,
+ ]);
+
+ var part1791 = match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interface->} is %{fld2}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1140 = msg("00572", part1791);
+
+ var part1792 = match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on interface %{interface}: %{result}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1141 = msg("00572:01", part1792);
+
+ var part1793 = match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface->} is %{disposition->} by receiving Terminate-Request. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1142 = msg("00572:03", part1793);
+
+ var select402 = linear_select([
+ msg1140,
+ msg1141,
+ msg1142,
+ ]);
+
+ var part1794 = match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" rebuilding lookup tree for virtual router \"%{node}\". (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg1143 = msg("00615", part1794);
+
+ var part1795 = match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" lookup tree rebuilt successfully in virtual router \"%{node}\". (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg1144 = msg("00615:01", part1795);
+
+ var select403 = linear_select([
+ msg1143,
+ msg1144,
+ ]);
+
+ var part1796 = match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}, through policy %{policyname}. Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg1145 = msg("00601", part1796);
+
+ var part1797 = match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detected from %{saddr}/%{sport->} to %{daddr}/%{dport->} through policy %{policyname->} %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg1146 = msg("00601:01", part1797);
+
+ var part1798 = match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multicast.%{}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1147 = msg("00601:18", part1798);
+
+ var select404 = linear_select([
+ msg1145,
+ msg1146,
+ msg1147,
+ ]);
+
+ var part1799 = match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing interface state change%{}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1148 = msg("00602", part1799);
+
+ var part1800 = match("MESSAGE#1133:00612/0", "nwparser.payload", "Switch event: the status of ethernet port %{fld2->} changed to link %{p0}");
+
+ var part1801 = match("MESSAGE#1133:00612/2", "nwparser.p0", ", duplex %{p0}");
+
+ var part1802 = match("MESSAGE#1133:00612/3_0", "nwparser.p0", "full %{p0}");
+
+ var part1803 = match("MESSAGE#1133:00612/3_1", "nwparser.p0", "half %{p0}");
+
+ var select405 = linear_select([
+ part1802,
+ part1803,
+ ]);
+
+ var part1804 = match("MESSAGE#1133:00612/4", "nwparser.p0", ", speed 10%{p0}");
+
+ var part1805 = match("MESSAGE#1133:00612/5_0", "nwparser.p0", "0 %{p0}");
+
+ var select406 = linear_select([
+ part1805,
+ dup96,
+ ]);
+
+ var part1806 = match("MESSAGE#1133:00612/6", "nwparser.p0", "M. (%{fld1})");
+
+ var all369 = all_match({
+ processors: [
+ part1800,
+ dup353,
+ part1801,
+ select405,
+ part1804,
+ select406,
+ part1806,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1149 = msg("00612", all369);
+
+ var part1807 = match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send all the DRP routes to backup device. (%{fld1})", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1150 = msg("00620", part1807);
+
+ var part1808 = match("MESSAGE#1135:00620:01/0", "nwparser.payload", "RTSYNC: %{p0}");
+
+ var part1809 = match("MESSAGE#1135:00620:01/1_0", "nwparser.p0", "Serviced%{p0}");
+
+ var part1810 = match("MESSAGE#1135:00620:01/1_1", "nwparser.p0", "Recieved%{p0}");
+
+ var select407 = linear_select([
+ part1809,
+ part1810,
+ ]);
+
+ var part1811 = match("MESSAGE#1135:00620:01/2", "nwparser.p0", "%{}coldstart request for route synchronization from NSRP peer. (%{fld1})");
+
+ var all370 = all_match({
+ processors: [
+ part1808,
+ select407,
+ part1811,
+ ],
+ on_success: processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1151 = msg("00620:01", all370);
+
+ var part1812 = match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to purge all the DRP backup routes - %{fld2->} (%{fld1})", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1152 = msg("00620:02", part1812);
+
+ var part1813 = match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purge backup routes in all vrouters. (%{fld1})", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1153 = msg("00620:03", part1813);
+
+ var part1814 = match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the DRP backup routes is stopped. (%{fld1})", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1154 = msg("00620:04", part1814);
+
+ var select408 = linear_select([
+ msg1150,
+ msg1151,
+ msg1152,
+ msg1153,
+ msg1154,
+ ]);
+
+ var part1815 = match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual router %{node->} is created. (%{fld1})", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1155 = msg("00622", part1815);
+
+ var part1816 = match("MESSAGE#1140:00625/0", "nwparser.payload", "Session (id %{sessionid->} src-ip %{saddr->} dst-ip %{daddr->} dst port %{dport}) route is %{p0}");
+
+ var part1817 = match("MESSAGE#1140:00625/1_0", "nwparser.p0", "invalid%{p0}");
+
+ var part1818 = match("MESSAGE#1140:00625/1_1", "nwparser.p0", "valid%{p0}");
+
+ var select409 = linear_select([
+ part1817,
+ part1818,
+ ]);
+
+ var all371 = all_match({
+ processors: [
+ part1816,
+ select409,
+ dup49,
+ ],
+ on_success: processor_chain([
+ dup273,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg1156 = msg("00625", all371);
+
+ var part1819 = match("MESSAGE#1141:00628/0", "nwparser.payload", "audit log queue %{p0}");
+
+ var part1820 = match("MESSAGE#1141:00628/1_0", "nwparser.p0", "Traffic Log %{p0}");
+
+ var part1821 = match("MESSAGE#1141:00628/1_1", "nwparser.p0", "Event Alarm Log %{p0}");
+
+ var part1822 = match("MESSAGE#1141:00628/1_2", "nwparser.p0", "Event Log %{p0}");
+
+ var select410 = linear_select([
+ part1820,
+ part1821,
+ part1822,
+ ]);
+
+ var part1823 = match("MESSAGE#1141:00628/2", "nwparser.p0", "is overwritten (%{fld1})");
+
+ var all372 = all_match({
+ processors: [
+ part1819,
+ select410,
+ part1823,
+ ],
+ on_success: processor_chain([
+ dup223,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg1157 = msg("00628", all372);
+
+ var part1824 = match("MESSAGE#1142:00767:50", "nwparser.payload", "Log setting was modified to %{disposition->} %{fld2->} level by admin %{administrator->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ dup282,
+ ]));
+
+ var msg1158 = msg("00767:50", part1824);
+
+ var part1825 = match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg1159 = msg("00767:51", part1825);
+
+ var part1826 = match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg1160 = msg("00767:52", part1826);
+
+ var part1827 = match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is added to attack group %{group->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg1161 = msg("00767:53", part1827);
+
+ var part1828 = match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID server%{}", processor_chain([
+ dup27,
+ setc("ec_theme","Communication"),
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1162 = msg("00767", part1828);
+
+ var part1829 = match("MESSAGE#1147:00767:01/0", "nwparser.payload", "System auto-config of file %{fld2->} from TFTP server %{hostip->} has %{p0}");
+
+ var part1830 = match("MESSAGE#1147:00767:01/1_0", "nwparser.p0", "been loaded successfully%{}");
+
+ var part1831 = match("MESSAGE#1147:00767:01/1_1", "nwparser.p0", "failed%{}");
+
+ var select411 = linear_select([
+ part1830,
+ part1831,
+ ]);
+
+ var all373 = all_match({
+ processors: [
+ part1829,
+ select411,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1163 = msg("00767:01", all373);
+
+ var part1832 = match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config saved from host %{saddr}", processor_chain([
+ setc("eventcategory","1702000000"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1164 = msg("00767:02", part1832);
+
+ var part1833 = match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filename %(unknown)", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1165 = msg("00767:03", part1833);
+
+ var part1834 = match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1166 = msg("00767:04", part1834);
+
+ var part1835 = match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact the SecurID server%{}", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1167 = msg("00767:05", part1835);
+
+ var part1836 = match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data to the SecurID server%{}", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1168 = msg("00767:06", part1836);
+
+ var part1837 = match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was saved from peer unit by admin%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1169 = msg("00767:07", part1837);
+
+ var part1838 = match("MESSAGE#1154:00767:08/0", "nwparser.payload", "The system configuration was saved by admin %{p0}");
+
+ var all374 = all_match({
+ processors: [
+ part1838,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1170 = msg("00767:08", all374);
+
+ var part1839 = match("MESSAGE#1155:00767:09/0", "nwparser.payload", "traffic shaping is turned O%{p0}");
+
+ var part1840 = match("MESSAGE#1155:00767:09/1_0", "nwparser.p0", "N%{}");
+
+ var part1841 = match("MESSAGE#1155:00767:09/1_1", "nwparser.p0", "FF%{}");
+
+ var select412 = linear_select([
+ part1840,
+ part1841,
+ ]);
+
+ var all375 = all_match({
+ processors: [
+ part1839,
+ select412,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1171 = msg("00767:09", all375);
+
+ var part1842 = match("MESSAGE#1156:00767:10/0", "nwparser.payload", "The system configuration was saved from host %{saddr->} by admin %{p0}");
+
+ var all376 = all_match({
+ processors: [
+ part1842,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1172 = msg("00767:10", all376);
+
+ var part1843 = match("MESSAGE#1157:00767:11/0", "nwparser.payload", "Fatal error. The NetScreen device was unable to upgrade the %{p0}");
+
+ var part1844 = match("MESSAGE#1157:00767:11/1_1", "nwparser.p0", "file system %{p0}");
+
+ var select413 = linear_select([
+ dup331,
+ part1844,
+ ]);
+
+ var part1845 = match("MESSAGE#1157:00767:11/2", "nwparser.p0", ", and the %{p0}");
+
+ var part1846 = match("MESSAGE#1157:00767:11/3_1", "nwparser.p0", "old file system %{p0}");
+
+ var select414 = linear_select([
+ dup331,
+ part1846,
+ ]);
+
+ var part1847 = match("MESSAGE#1157:00767:11/4", "nwparser.p0", "is damaged.%{}");
+
+ var all377 = all_match({
+ processors: [
+ part1843,
+ select413,
+ part1845,
+ select414,
+ part1847,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1173 = msg("00767:11", all377);
+
+ var part1848 = match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1174 = msg("00767:12", part1848);
+
+ var part1849 = match("MESSAGE#1159:00767:13/0", "nwparser.payload", "%{fld2}Environment variable %{fld3->} is changed to %{fld4->} by admin %{p0}");
+
+ var all378 = all_match({
+ processors: [
+ part1849,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1175 = msg("00767:13", all378);
+
+ var part1850 = match("MESSAGE#1160:00767:14/0", "nwparser.payload", "System was %{p0}");
+
+ var part1851 = match("MESSAGE#1160:00767:14/1_0", "nwparser.p0", "reset %{p0}");
+
+ var select415 = linear_select([
+ part1851,
+ dup262,
+ ]);
+
+ var part1852 = match("MESSAGE#1160:00767:14/2", "nwparser.p0", "at %{fld2->} by %{p0}");
+
+ var part1853 = match("MESSAGE#1160:00767:14/3_0", "nwparser.p0", "admin %{administrator}");
+
+ var part1854 = match_copy("MESSAGE#1160:00767:14/3_1", "nwparser.p0", "username");
+
+ var select416 = linear_select([
+ part1853,
+ part1854,
+ ]);
+
+ var all379 = all_match({
+ processors: [
+ part1850,
+ select415,
+ part1852,
+ select416,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1176 = msg("00767:14", all379);
+
+ var part1855 = match("MESSAGE#1161:00767:15/1_0", "nwparser.p0", "System %{p0}");
+
+ var part1856 = match("MESSAGE#1161:00767:15/1_1", "nwparser.p0", "Event %{p0}");
+
+ var part1857 = match("MESSAGE#1161:00767:15/1_2", "nwparser.p0", "Traffic %{p0}");
+
+ var select417 = linear_select([
+ part1855,
+ part1856,
+ part1857,
+ ]);
+
+ var part1858 = match("MESSAGE#1161:00767:15/2", "nwparser.p0", "log was reviewed by %{p0}");
+
+ var part1859 = match("MESSAGE#1161:00767:15/4", "nwparser.p0", "%{} %{username}.");
+
+ var all380 = all_match({
+ processors: [
+ dup183,
+ select417,
+ part1858,
+ dup336,
+ part1859,
+ ],
+ on_success: processor_chain([
+ dup223,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1177 = msg("00767:15", all380);
+
+ var part1860 = match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administrator->} issued command %{info->} to redirect output.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1178 = msg("00767:16", part1860);
+
+ var part1861 = match("MESSAGE#1163:00767:17/0", "nwparser.payload", "%{fld2->} Save new software from %{fld3->} to flash by admin %{p0}");
+
+ var all381 = all_match({
+ processors: [
+ part1861,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1179 = msg("00767:17", all381);
+
+ var part1862 = match("MESSAGE#1164:00767:18", "nwparser.payload", "Attack database version %{version->} has been %{fld2->} saved to flash.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1180 = msg("00767:18", part1862);
+
+ var part1863 = match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{version->} was rejected because the authentication check failed.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1181 = msg("00767:19", part1863);
+
+ var part1864 = match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version of the RADIUS server %{hostname->} does not match %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1182 = msg("00767:20", part1864);
+
+ var part1865 = match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, %{fld4}) cleared %{fld5}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1183 = msg("00767:21", part1865);
+
+ var part1866 = match("MESSAGE#1168:00767:22/0", "nwparser.payload", "The system configuration was not saved %{p0}");
+
+ var part1867 = match("MESSAGE#1168:00767:22/1_0", "nwparser.p0", "%{fld2->} by admin %{administrator->} via NSRP Peer %{p0}");
+
+ var part1868 = match("MESSAGE#1168:00767:22/1_1", "nwparser.p0", "%{fld2->} %{p0}");
+
+ var select418 = linear_select([
+ part1867,
+ part1868,
+ ]);
+
+ var part1869 = match("MESSAGE#1168:00767:22/2", "nwparser.p0", "by administrator %{fld3}. %{p0}");
+
+ var part1870 = match("MESSAGE#1168:00767:22/3_0", "nwparser.p0", "It was locked %{p0}");
+
+ var part1871 = match("MESSAGE#1168:00767:22/3_1", "nwparser.p0", "Locked %{p0}");
+
+ var select419 = linear_select([
+ part1870,
+ part1871,
+ ]);
+
+ var part1872 = match("MESSAGE#1168:00767:22/4", "nwparser.p0", "by administrator %{fld4->} %{p0}");
+
+ var all382 = all_match({
+ processors: [
+ part1866,
+ select418,
+ part1869,
+ select419,
+ part1872,
+ dup354,
+ ],
+ on_success: processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1184 = msg("00767:22", all382);
+
+ var part1873 = match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot filename %{filename->} to flash memory by administrator %{administrator}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1185 = msg("00767:23", part1873);
+
+ var part1874 = match("MESSAGE#1170:00767:25/0", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from %{p0}");
+
+ var select420 = linear_select([
+ dup169,
+ dup16,
+ ]);
+
+ var part1875 = match("MESSAGE#1170:00767:25/3_0", "nwparser.p0", "%{saddr}:%{sport->} by %{p0}");
+
+ var part1876 = match("MESSAGE#1170:00767:25/3_1", "nwparser.p0", "%{saddr->} by %{p0}");
+
+ var select421 = linear_select([
+ part1875,
+ part1876,
+ ]);
+
+ var all383 = all_match({
+ processors: [
+ part1874,
+ select420,
+ dup23,
+ select421,
+ dup108,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1186 = msg("00767:25", all383);
+
+ var part1877 = match("MESSAGE#1171:00767:26/0", "nwparser.payload", "Lock configuration %{p0}");
+
+ var part1878 = match("MESSAGE#1171:00767:26/1_0", "nwparser.p0", "started%{p0}");
+
+ var part1879 = match("MESSAGE#1171:00767:26/1_1", "nwparser.p0", "ended%{p0}");
+
+ var select422 = linear_select([
+ part1878,
+ part1879,
+ ]);
+
+ var part1880 = match("MESSAGE#1171:00767:26/2", "nwparser.p0", "%{}by task %{p0}");
+
+ var part1881 = match("MESSAGE#1171:00767:26/3_0", "nwparser.p0", "%{fld3}, with a timeout value of %{fld2}");
+
+ var part1882 = match("MESSAGE#1171:00767:26/3_1", "nwparser.p0", "%{fld2->} (%{fld1})");
+
+ var select423 = linear_select([
+ part1881,
+ part1882,
+ ]);
+
+ var all384 = all_match({
+ processors: [
+ part1877,
+ select422,
+ part1880,
+ select423,
+ ],
+ on_success: processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1187 = msg("00767:26", all384);
+
+ var part1883 = match("MESSAGE#1172:00767:27/0", "nwparser.payload", "Environment variable %{fld2->} changed to %{p0}");
+
+ var part1884 = match("MESSAGE#1172:00767:27/1_0", "nwparser.p0", "%{fld3->} by %{username->} (%{fld1})");
+
+ var part1885 = match_copy("MESSAGE#1172:00767:27/1_1", "nwparser.p0", "fld3");
+
+ var select424 = linear_select([
+ part1884,
+ part1885,
+ ]);
+
+ var all385 = all_match({
+ processors: [
+ part1883,
+ select424,
+ ],
+ on_success: processor_chain([
+ dup223,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1188 = msg("00767:27", all385);
+
+ var part1886 = match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was loaded from IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1189 = msg("00767:28", part1886);
+
+ var part1887 = match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1190 = msg("00767:29", part1887);
+
+ var part1888 = match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configuration was saved from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1191 = msg("00767:30", part1888);
+
+ var part1889 = match("MESSAGE#1176:00767:31/1_0", "nwparser.p0", "logged events or alarms %{p0}");
+
+ var part1890 = match("MESSAGE#1176:00767:31/1_1", "nwparser.p0", "traffic logs %{p0}");
+
+ var select425 = linear_select([
+ part1889,
+ part1890,
+ ]);
+
+ var part1891 = match("MESSAGE#1176:00767:31/2", "nwparser.p0", "were cleared by admin %{p0}");
+
+ var all386 = all_match({
+ processors: [
+ dup186,
+ select425,
+ part1891,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1192 = msg("00767:31", all386);
+
+ var part1892 = match("MESSAGE#1177:00767:32/0", "nwparser.payload", "SIP parser error %{p0}");
+
+ var part1893 = match("MESSAGE#1177:00767:32/1_0", "nwparser.p0", "SIP-field%{p0}");
+
+ var part1894 = match("MESSAGE#1177:00767:32/1_1", "nwparser.p0", "Message%{p0}");
+
+ var select426 = linear_select([
+ part1893,
+ part1894,
+ ]);
+
+ var part1895 = match("MESSAGE#1177:00767:32/2", "nwparser.p0", ": %{result}(%{fld1})");
+
+ var all387 = all_match({
+ processors: [
+ part1892,
+ select426,
+ part1895,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1193 = msg("00767:32", all387);
+
+ var part1896 = match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has started. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1194 = msg("00767:33", part1896);
+
+ var part1897 = match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not support multiple IP addresses %{hostip->} or ports %{network_port->} in SIP headers RESPONSE (%{fld1})", processor_chain([
+ dup313,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1195 = msg("00767:34", part1897);
+
+ var part1898 = match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2->} set to %{fld3->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1196 = msg("00767:35", part1898);
+
+ var part1899 = match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved from %{fld2->} by %{username->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1197 = msg("00767:36", part1899);
+
+ var part1900 = match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to download to enable advanced features. %{space->} To find out, please visit %{url->} (%{fld1})", processor_chain([
+ dup254,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1198 = msg("00767:37", part1900);
+
+ var part1901 = match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and remaining messages were sent to external destination. %{fld2->} packets were dropped. (%{fld1})", processor_chain([
+ setc("eventcategory","1602000000"),
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1199 = msg("00767:38", part1901);
+
+ var part1902 = match("MESSAGE#1184:00767:39/0", "nwparser.payload", "Cannot %{p0}");
+
+ var part1903 = match("MESSAGE#1184:00767:39/1_0", "nwparser.p0", "download %{p0}");
+
+ var part1904 = match("MESSAGE#1184:00767:39/1_1", "nwparser.p0", "parse %{p0}");
+
+ var select427 = linear_select([
+ part1903,
+ part1904,
+ ]);
+
+ var part1905 = match("MESSAGE#1184:00767:39/2", "nwparser.p0", "attack database %{p0}");
+
+ var part1906 = match("MESSAGE#1184:00767:39/3_0", "nwparser.p0", "from %{url->} (%{result}). %{p0}");
+
+ var part1907 = match("MESSAGE#1184:00767:39/3_1", "nwparser.p0", "%{fld2->} %{p0}");
+
+ var select428 = linear_select([
+ part1906,
+ part1907,
+ ]);
+
+ var all388 = all_match({
+ processors: [
+ part1902,
+ select427,
+ part1905,
+ select428,
+ dup10,
+ ],
+ on_success: processor_chain([
+ dup324,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1200 = msg("00767:39", all388);
+
+ var part1908 = match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key is %{disposition}. (%{fld1})", processor_chain([
+ dup62,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1201 = msg("00767:40", part1908);
+
+ var part1909 = match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1202 = msg("00767:42", part1909);
+
+ var part1910 = match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1203 = msg("00767:43", part1910);
+
+ var part1911 = match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind by %{fld2->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1204 = msg("00767:44", part1911);
+
+ var part1912 = match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{version->} is saved to flash. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1205 = msg("00767:45", part1912);
+
+ var part1913 = match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved by netscreen via %{logon_type->} by netscreen. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1206 = msg("00767:46", part1913);
+
+ var part1914 = match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs to a different group in the RADIUS server than that allowed in the device. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg1207 = msg("00767:47", part1914);
+
+ var part1915 = match("MESSAGE#1192:00767:24/0", "nwparser.payload", "System configuration saved by %{p0}");
+
+ var part1916 = match("MESSAGE#1192:00767:24/2", "nwparser.p0", "%{logon_type->} by %{fld2->} (%{fld1})");
+
+ var all389 = all_match({
+ processors: [
+ part1915,
+ dup364,
+ part1916,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1208 = msg("00767:24", all389);
+
+ var part1917 = match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. (%{fld1})", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1209 = msg("00767:48", part1917);
+
+ var part1918 = match("MESSAGE#1194:00767:49/0", "nwparser.payload", "%{fld2->} turn o%{p0}");
+
+ var part1919 = match("MESSAGE#1194:00767:49/1_0", "nwparser.p0", "n%{p0}");
+
+ var part1920 = match("MESSAGE#1194:00767:49/1_1", "nwparser.p0", "ff%{p0}");
+
+ var select429 = linear_select([
+ part1919,
+ part1920,
+ ]);
+
+ var part1921 = match("MESSAGE#1194:00767:49/2", "nwparser.p0", "%{}debug switch for %{fld3->} (%{fld1})");
+
+ var all390 = all_match({
+ processors: [
+ part1918,
+ select429,
+ part1921,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg1210 = msg("00767:49", all390);
+
+ var select430 = linear_select([
+ msg1158,
+ msg1159,
+ msg1160,
+ msg1161,
+ msg1162,
+ msg1163,
+ msg1164,
+ msg1165,
+ msg1166,
+ msg1167,
+ msg1168,
+ msg1169,
+ msg1170,
+ msg1171,
+ msg1172,
+ msg1173,
+ msg1174,
+ msg1175,
+ msg1176,
+ msg1177,
+ msg1178,
+ msg1179,
+ msg1180,
+ msg1181,
+ msg1182,
+ msg1183,
+ msg1184,
+ msg1185,
+ msg1186,
+ msg1187,
+ msg1188,
+ msg1189,
+ msg1190,
+ msg1191,
+ msg1192,
+ msg1193,
+ msg1194,
+ msg1195,
+ msg1196,
+ msg1197,
+ msg1198,
+ msg1199,
+ msg1200,
+ msg1201,
+ msg1202,
+ msg1203,
+ msg1204,
+ msg1205,
+ msg1206,
+ msg1207,
+ msg1208,
+ msg1209,
+ msg1210,
+ ]);
+
+ var part1922 = match("MESSAGE#1195:01269", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup277,
+ dup3,
+ dup275,
+ dup60,
+ ]));
+
+ var msg1211 = msg("01269", part1922);
+
+ var msg1212 = msg("01269:01", dup407);
+
+ var msg1213 = msg("01269:02", dup408);
+
+ var msg1214 = msg("01269:03", dup409);
+
+ var select431 = linear_select([
+ msg1211,
+ msg1212,
+ msg1213,
+ msg1214,
+ ]);
+
+ var part1923 = match("MESSAGE#1199:17852", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup276,
+ dup277,
+ dup275,
+ dup332,
+ ]));
+
+ var msg1215 = msg("17852", part1923);
+
+ var part1924 = match("MESSAGE#1200:17852:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup332,
+ dup282,
+ ]));
+
+ var msg1216 = msg("17852:01", part1924);
+
+ var part1925 = match("MESSAGE#1201:17852:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup276,
+ dup277,
+ dup61,
+ ]));
+
+ var msg1217 = msg("17852:02", part1925);
+
+ var part1926 = match("MESSAGE#1202:17852:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup332,
+ dup282,
+ ]));
+
+ var msg1218 = msg("17852:03", part1926);
+
+ var select432 = linear_select([
+ msg1215,
+ msg1216,
+ msg1217,
+ msg1218,
+ ]);
+
+ var msg1219 = msg("23184", dup410);
+
+ var part1927 = match("MESSAGE#1204:23184:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup61,
+ dup282,
+ ]));
+
+ var msg1220 = msg("23184:01", part1927);
+
+ var part1928 = match("MESSAGE#1205:23184:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup276,
+ dup277,
+ dup275,
+ dup61,
+ ]));
+
+ var msg1221 = msg("23184:02", part1928);
+
+ var part1929 = match("MESSAGE#1206:23184:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup332,
+ dup282,
+ ]));
+
+ var msg1222 = msg("23184:03", part1929);
+
+ var select433 = linear_select([
+ msg1219,
+ msg1220,
+ msg1221,
+ msg1222,
+ ]);
+
+ var msg1223 = msg("27052", dup410);
+
+ var part1930 = match("MESSAGE#1208:27052:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol}direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup61,
+ dup282,
+ ]));
+
+ var msg1224 = msg("27052:01", part1930);
+
+ var select434 = linear_select([
+ msg1223,
+ msg1224,
+ ]);
+
+ var part1931 = match("MESSAGE#1209:39568", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup277,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup276,
+ dup60,
+ ]));
+
+ var msg1225 = msg("39568", part1931);
+
+ var msg1226 = msg("39568:01", dup407);
+
+ var msg1227 = msg("39568:02", dup408);
+
+ var msg1228 = msg("39568:03", dup409);
+
+ var select435 = linear_select([
+ msg1225,
+ msg1226,
+ msg1227,
+ msg1228,
+ ]);
+
+ var chain1 = processor_chain([
+ select2,
+ msgid_select({
+ "00001": select6,
+ "00002": select29,
+ "00003": select31,
+ "00004": select33,
+ "00005": select39,
+ "00006": select40,
+ "00007": select63,
+ "00008": select66,
+ "00009": select83,
+ "00010": select86,
+ "00011": select100,
+ "00012": select101,
+ "00013": select102,
+ "00014": select104,
+ "00015": select114,
+ "00016": select115,
+ "00017": select125,
+ "00018": select138,
+ "00019": select147,
+ "00020": select150,
+ "00021": select151,
+ "00022": select163,
+ "00023": select164,
+ "00024": select170,
+ "00025": select171,
+ "00026": select176,
+ "00027": select184,
+ "00028": msg469,
+ "00029": select188,
+ "00030": select197,
+ "00031": select205,
+ "00032": select207,
+ "00033": select214,
+ "00034": select225,
+ "00035": select232,
+ "00036": select234,
+ "00037": select241,
+ "00038": msg660,
+ "00039": msg661,
+ "00040": select244,
+ "00041": select245,
+ "00042": select246,
+ "00043": msg668,
+ "00044": select248,
+ "00045": msg671,
+ "00047": msg672,
+ "00048": select257,
+ "00049": select258,
+ "00050": msg682,
+ "00051": msg683,
+ "00052": msg684,
+ "00055": select265,
+ "00056": msg696,
+ "00057": msg697,
+ "00058": msg698,
+ "00059": select272,
+ "00062": select273,
+ "00063": msg713,
+ "00064": select274,
+ "00070": select276,
+ "00071": select277,
+ "00072": select278,
+ "00073": select279,
+ "00074": msg726,
+ "00075": select280,
+ "00076": select281,
+ "00077": select282,
+ "00084": msg735,
+ "00090": msg736,
+ "00200": msg737,
+ "00201": msg738,
+ "00202": msg739,
+ "00203": msg740,
+ "00206": select285,
+ "00207": select286,
+ "00257": select291,
+ "00259": select294,
+ "00262": msg778,
+ "00263": msg779,
+ "00400": msg780,
+ "00401": msg781,
+ "00402": select296,
+ "00403": msg784,
+ "00404": msg785,
+ "00405": msg786,
+ "00406": msg787,
+ "00407": msg788,
+ "00408": msg789,
+ "00409": msg790,
+ "00410": select297,
+ "00411": msg793,
+ "00413": select298,
+ "00414": select299,
+ "00415": msg799,
+ "00423": msg800,
+ "00429": select300,
+ "00430": select301,
+ "00431": msg805,
+ "00432": msg806,
+ "00433": msg807,
+ "00434": msg808,
+ "00435": select302,
+ "00436": select303,
+ "00437": select304,
+ "00438": select305,
+ "00440": select306,
+ "00441": msg823,
+ "00442": msg824,
+ "00443": msg825,
+ "00511": select307,
+ "00513": msg841,
+ "00515": select328,
+ "00518": select331,
+ "00519": select336,
+ "00520": select339,
+ "00521": msg890,
+ "00522": msg891,
+ "00523": msg892,
+ "00524": select340,
+ "00525": select341,
+ "00526": msg912,
+ "00527": select348,
+ "00528": select354,
+ "00529": select357,
+ "00530": select358,
+ "00531": select362,
+ "00533": msg973,
+ "00534": msg974,
+ "00535": select363,
+ "00536": select365,
+ "00537": select366,
+ "00538": select372,
+ "00539": select373,
+ "00541": select375,
+ "00542": msg1062,
+ "00543": msg1063,
+ "00544": msg1064,
+ "00546": msg1065,
+ "00547": select379,
+ "00549": msg1070,
+ "00551": select381,
+ "00553": select385,
+ "00554": select391,
+ "00555": msg1117,
+ "00556": select401,
+ "00572": select402,
+ "00601": select404,
+ "00602": msg1148,
+ "00612": msg1149,
+ "00615": select403,
+ "00620": select408,
+ "00622": msg1155,
+ "00625": msg1156,
+ "00628": msg1157,
+ "00767": select430,
+ "01269": select431,
+ "17852": select432,
+ "23184": select433,
+ "27052": select434,
+ "39568": select435,
+ }),
+ ]);
+
+ var part1932 = match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}");
+
+ var part1933 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}");
+
+ var part1934 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})");
+
+ var part1935 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})");
+
+ var part1936 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1");
+
+ var part1937 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}");
+
+ var part1938 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}");
+
+ var part1939 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}");
+
+ var part1940 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}");
+
+ var part1941 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0");
+
+ var part1942 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} ");
+
+ var part1943 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", "");
+
+ var part1944 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}");
+
+ var part1945 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}");
+
+ var part1946 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}");
+
+ var part1947 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator");
+
+ var part1948 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition");
+
+ var part1949 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}");
+
+ var part1950 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})");
+
+ var part1951 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}");
+
+ var part1952 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}");
+
+ var part1953 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}");
+
+ var part1954 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}");
+
+ var part1955 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})");
+
+ var part1956 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}");
+
+ var part1957 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}");
+
+ var part1958 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}");
+
+ var part1959 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}");
+
+ var part1960 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}");
+
+ var part1961 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}");
+
+ var part1962 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}");
+
+ var part1963 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}");
+
+ var part1964 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})");
+
+ var part1965 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}");
+
+ var part1966 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}");
+
+ var part1967 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}");
+
+ var part1968 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}");
+
+ var part1969 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}");
+
+ var part1970 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}");
+
+ var part1971 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}");
+
+ var part1972 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}");
+
+ var part1973 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}");
+
+ var part1974 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}");
+
+ var part1975 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}");
+
+ var part1976 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}");
+
+ var part1977 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var part1978 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}");
+
+ var part1979 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}");
+
+ var part1980 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})");
+
+ var part1981 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}");
+
+ var part1982 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}");
+
+ var part1983 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}");
+
+ var part1984 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}");
+
+ var part1985 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}");
+
+ var part1986 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}");
+
+ var part1987 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}");
+
+ var part1988 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}");
+
+ var part1989 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}");
+
+ var part1990 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}");
+
+ var part1991 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}");
+
+ var part1992 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}");
+
+ var part1993 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}");
+
+ var part1994 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}");
+
+ var part1995 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}");
+
+ var part1996 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}");
+
+ var part1997 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}");
+
+ var part1998 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}");
+
+ var part1999 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}");
+
+ var part2000 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}");
+
+ var part2001 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}");
+
+ var part2002 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}");
+
+ var part2003 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}");
+
+ var part2004 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}");
+
+ var part2005 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}");
+
+ var part2006 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}");
+
+ var part2007 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}");
+
+ var part2008 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}");
+
+ var part2009 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}");
+
+ var part2010 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}");
+
+ var part2011 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}");
+
+ var part2012 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}");
+
+ var part2013 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}");
+
+ var part2014 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface");
+
+ var part2015 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}");
+
+ var part2016 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}");
+
+ var part2017 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}");
+
+ var part2018 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}.");
+
+ var part2019 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}");
+
+ var part2020 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}");
+
+ var part2021 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. (%{fld1})");
+
+ var part2022 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var part2023 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}");
+
+ var part2024 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}");
+
+ var part2025 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}");
+
+ var part2026 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}");
+
+ var part2027 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}");
+
+ var part2028 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}");
+
+ var part2029 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}");
+
+ var part2030 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}");
+
+ var part2031 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}");
+
+ var part2032 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}");
+
+ var part2033 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) ");
+
+ var part2034 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}");
+
+ var part2035 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}");
+
+ var part2036 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}");
+
+ var part2037 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}");
+
+ var part2038 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}");
+
+ var part2039 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}");
+
+ var part2040 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}");
+
+ var part2041 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}");
+
+ var part2042 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}");
+
+ var part2043 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}");
+
+ var part2044 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}");
+
+ var part2045 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}");
+
+ var part2046 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})");
+
+ var part2047 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}");
+
+ var part2048 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}");
+
+ var part2049 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}");
+
+ var part2050 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}");
+
+ var part2051 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}");
+
+ var part2052 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}");
+
+ var part2053 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}");
+
+ var part2054 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}");
+
+ var part2055 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}");
+
+ var part2056 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}");
+
+ var part2057 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}");
+
+ var part2058 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}");
+
+ var part2059 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}");
+
+ var part2060 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}");
+
+ var part2061 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}");
+
+ var part2062 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}");
+
+ var part2063 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}");
+
+ var part2064 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}");
+
+ var part2065 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}");
+
+ var part2066 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}");
+
+ var part2067 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}");
+
+ var part2068 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}");
+
+ var part2069 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}");
+
+ var part2070 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}");
+
+ var part2071 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}");
+
+ var part2072 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}");
+
+ var part2073 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}");
+
+ var part2074 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}");
+
+ var part2075 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}");
+
+ var part2076 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}");
+
+ var part2077 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}");
+
+ var part2078 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}");
+
+ var part2079 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}");
+
+ var part2080 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}");
+
+ var part2081 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}");
+
+ var part2082 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}");
+
+ var part2083 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}");
+
+ var part2084 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}");
+
+ var part2085 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}");
+
+ var part2086 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}");
+
+ var part2087 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}");
+
+ var part2088 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}");
+
+ var part2089 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}");
+
+ var part2090 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}");
+
+ var part2091 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}");
+
+ var part2092 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}");
+
+ var part2093 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}");
+
+ var part2094 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}");
+
+ var part2095 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}");
+
+ var part2096 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}");
+
+ var part2097 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}");
+
+ var part2098 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}");
+
+ var part2099 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})");
+
+ var part2100 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}");
+
+ var part2101 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}");
+
+ var part2102 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}");
+
+ var part2103 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}");
+
+ var part2104 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}");
+
+ var part2105 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}");
+
+ var part2106 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var part2107 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}");
+
+ var part2108 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}");
+
+ var part2109 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}");
+
+ var part2110 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}");
+
+ var part2111 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}");
+
+ var part2112 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}");
+
+ var part2113 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}");
+
+ var part2114 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}");
+
+ var part2115 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}");
+
+ var part2116 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}");
+
+ var part2117 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}");
+
+ var part2118 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}");
+
+ var part2119 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}");
+
+ var part2120 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}");
+
+ var part2121 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}");
+
+ var part2122 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}");
+
+ var part2123 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}");
+
+ var part2124 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}");
+
+ var part2125 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}");
+
+ var part2126 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}");
+
+ var part2127 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}");
+
+ var part2128 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}");
+
+ var part2129 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}");
+
+ var part2130 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}");
+
+ var part2131 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}");
+
+ var part2132 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}");
+
+ var part2133 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}");
+
+ var part2134 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}");
+
+ var part2135 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state");
+
+ var part2136 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}");
+
+ var part2137 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}");
+
+ var part2138 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}");
+
+ var part2139 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}");
+
+ var part2140 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr");
+
+ var part2141 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}");
+
+ var part2142 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}");
+
+ var part2143 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}");
+
+ var part2144 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times.");
+
+ var part2145 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.");
+
+ var part2146 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}");
+
+ var part2147 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var part2148 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var part2149 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}");
+
+ var part2150 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})");
+
+ var part2151 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}");
+
+ var part2152 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}");
+
+ var part2153 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}");
+
+ var part2154 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}");
+
+ var part2155 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}");
+
+ var part2156 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}");
+
+ var part2157 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}");
+
+ var part2158 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}");
+
+ var part2159 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}");
+
+ var part2160 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}");
+
+ var part2161 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}");
+
+ var part2162 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}");
+
+ var part2163 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}");
+
+ var part2164 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}");
+
+ var part2165 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}");
+
+ var part2166 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}");
+
+ var part2167 = match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}");
+
+ var part2168 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}");
+
+ var part2169 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}");
+
+ var part2170 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}");
+
+ var part2171 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}");
+
+ var part2172 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}");
+
+ var part2173 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}");
+
+ var part2174 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}");
+
+ var part2175 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}");
+
+ var select436 = linear_select([
+ dup10,
+ dup11,
+ ]);
+
+ var part2176 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var select437 = linear_select([
+ dup13,
+ dup14,
+ ]);
+
+ var select438 = linear_select([
+ dup15,
+ dup16,
+ ]);
+
+ var select439 = linear_select([
+ dup56,
+ dup57,
+ ]);
+
+ var select440 = linear_select([
+ dup65,
+ dup66,
+ ]);
+
+ var select441 = linear_select([
+ dup68,
+ dup69,
+ ]);
+
+ var select442 = linear_select([
+ dup71,
+ dup72,
+ ]);
+
+ var part2177 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var select443 = linear_select([
+ dup74,
+ dup75,
+ ]);
+
+ var select444 = linear_select([
+ dup81,
+ dup82,
+ ]);
+
+ var select445 = linear_select([
+ dup24,
+ dup90,
+ ]);
+
+ var select446 = linear_select([
+ dup94,
+ dup95,
+ ]);
+
+ var select447 = linear_select([
+ dup98,
+ dup99,
+ ]);
+
+ var select448 = linear_select([
+ dup100,
+ dup101,
+ dup102,
+ ]);
+
+ var select449 = linear_select([
+ dup113,
+ dup114,
+ ]);
+
+ var select450 = linear_select([
+ dup111,
+ dup16,
+ ]);
+
+ var select451 = linear_select([
+ dup127,
+ dup107,
+ ]);
+
+ var select452 = linear_select([
+ dup8,
+ dup21,
+ ]);
+
+ var select453 = linear_select([
+ dup122,
+ dup133,
+ ]);
+
+ var select454 = linear_select([
+ dup142,
+ dup143,
+ ]);
+
+ var select455 = linear_select([
+ dup145,
+ dup21,
+ ]);
+
+ var select456 = linear_select([
+ dup127,
+ dup106,
+ ]);
+
+ var select457 = linear_select([
+ dup152,
+ dup96,
+ ]);
+
+ var select458 = linear_select([
+ dup154,
+ dup155,
+ ]);
+
+ var select459 = linear_select([
+ dup156,
+ dup157,
+ ]);
+
+ var select460 = linear_select([
+ dup99,
+ dup134,
+ ]);
+
+ var select461 = linear_select([
+ dup158,
+ dup159,
+ ]);
+
+ var select462 = linear_select([
+ dup161,
+ dup162,
+ ]);
+
+ var select463 = linear_select([
+ dup163,
+ dup103,
+ ]);
+
+ var select464 = linear_select([
+ dup162,
+ dup161,
+ ]);
+
+ var select465 = linear_select([
+ dup46,
+ dup47,
+ ]);
+
+ var select466 = linear_select([
+ dup166,
+ dup167,
+ ]);
+
+ var select467 = linear_select([
+ dup172,
+ dup173,
+ ]);
+
+ var select468 = linear_select([
+ dup174,
+ dup175,
+ dup176,
+ dup177,
+ dup178,
+ dup179,
+ dup180,
+ dup181,
+ dup182,
+ ]);
+
+ var select469 = linear_select([
+ dup49,
+ dup21,
+ ]);
+
+ var select470 = linear_select([
+ dup189,
+ dup190,
+ ]);
+
+ var select471 = linear_select([
+ dup96,
+ dup152,
+ ]);
+
+ var select472 = linear_select([
+ dup196,
+ dup197,
+ ]);
+
+ var select473 = linear_select([
+ dup24,
+ dup200,
+ ]);
+
+ var select474 = linear_select([
+ dup103,
+ dup163,
+ ]);
+
+ var select475 = linear_select([
+ dup205,
+ dup118,
+ ]);
+
+ var part2178 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var select476 = linear_select([
+ dup212,
+ dup213,
+ ]);
+
+ var select477 = linear_select([
+ dup215,
+ dup216,
+ ]);
+
+ var select478 = linear_select([
+ dup222,
+ dup215,
+ ]);
+
+ var select479 = linear_select([
+ dup224,
+ dup225,
+ ]);
+
+ var select480 = linear_select([
+ dup231,
+ dup124,
+ ]);
+
+ var select481 = linear_select([
+ dup229,
+ dup230,
+ ]);
+
+ var select482 = linear_select([
+ dup233,
+ dup234,
+ ]);
+
+ var select483 = linear_select([
+ dup236,
+ dup237,
+ ]);
+
+ var select484 = linear_select([
+ dup242,
+ dup243,
+ ]);
+
+ var select485 = linear_select([
+ dup245,
+ dup246,
+ ]);
+
+ var select486 = linear_select([
+ dup247,
+ dup248,
+ ]);
+
+ var select487 = linear_select([
+ dup249,
+ dup250,
+ ]);
+
+ var select488 = linear_select([
+ dup251,
+ dup252,
+ ]);
+
+ var select489 = linear_select([
+ dup260,
+ dup261,
+ ]);
+
+ var select490 = linear_select([
+ dup264,
+ dup265,
+ ]);
+
+ var select491 = linear_select([
+ dup268,
+ dup269,
+ ]);
+
+ var part2179 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var select492 = linear_select([
+ dup284,
+ dup285,
+ ]);
+
+ var select493 = linear_select([
+ dup287,
+ dup288,
+ ]);
+
+ var part2180 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup4,
+ dup5,
+ dup3,
+ dup60,
+ ]));
+
+ var part2181 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup4,
+ dup59,
+ dup5,
+ dup9,
+ dup2,
+ dup3,
+ dup60,
+ ]));
+
+ var select494 = linear_select([
+ dup300,
+ dup26,
+ ]);
+
+ var select495 = linear_select([
+ dup115,
+ dup303,
+ ]);
+
+ var select496 = linear_select([
+ dup125,
+ dup96,
+ ]);
+
+ var select497 = linear_select([
+ dup189,
+ dup308,
+ dup309,
+ ]);
+
+ var select498 = linear_select([
+ dup310,
+ dup16,
+ ]);
+
+ var select499 = linear_select([
+ dup317,
+ dup318,
+ ]);
+
+ var select500 = linear_select([
+ dup319,
+ dup315,
+ ]);
+
+ var select501 = linear_select([
+ dup322,
+ dup250,
+ ]);
+
+ var select502 = linear_select([
+ dup327,
+ dup329,
+ ]);
+
+ var select503 = linear_select([
+ dup330,
+ dup129,
+ ]);
+
+ var part2182 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup60,
+ dup282,
+ ]));
+
+ var part2183 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup276,
+ dup277,
+ dup60,
+ ]));
+
+ var part2184 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup60,
+ dup282,
+ ]));
+
+ var part2185 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup276,
+ dup277,
+ dup61,
+ ]));
+
+ var all391 = all_match({
+ processors: [
+ dup263,
+ dup390,
+ dup266,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var all392 = all_match({
+ processors: [
+ dup267,
+ dup391,
+ dup270,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var all393 = all_match({
+ processors: [
+ dup80,
+ dup343,
+ dup293,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var all394 = all_match({
+ processors: [
+ dup296,
+ dup343,
+ dup131,
+ ],
+ on_success: processor_chain([
+ dup297,
+ dup2,
+ dup3,
+ dup9,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var all395 = all_match({
+ processors: [
+ dup298,
+ dup343,
+ dup131,
+ ],
+ on_success: processor_chain([
+ dup297,
+ dup2,
+ dup3,
+ dup9,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+- community_id:
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: dns.question.name
+ target_field: dns.question.registered_domain
+ target_subdomain_field: dns.question.subdomain
+ target_etld_field: dns.question.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: client.domain
+ target_field: client.registered_domain
+ target_subdomain_field: client.subdomain
+ target_etld_field: client.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: server.domain
+ target_field: server.registered_domain
+ target_subdomain_field: server.subdomain
+ target_etld_field: server.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/juniper_netscreen/0.3.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/juniper_netscreen/0.3.1/data_stream/log/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..63a0c266a8
--- /dev/null
+++ b/packages/juniper_netscreen/0.3.1/data_stream/log/agent/stream/udp.yml.hbs
@@ -0,0 +1,26354 @@
+udp:
+host: "{{udp_host}}:{{udp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Juniper"
+ product: "Netscreen"
+ type: "Firewall"
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
+ device = new DeviceProcessor();
+ }
+
+ function parse_tz_offset(offset) {
+ var date;
+ var m;
+ switch(offset) {
+ // local uses the tz offset from the JS VM.
+ case "local":
+ date = new Date();
+ // Reversing the sign as we the offset from UTC, not to UTC.
+ return parse_local_tz_offset(-date.getTimezoneOffset());
+ // event uses the tz offset from event.timezone (add_locale processor).
+ case "event":
+ return offset;
+ // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
+ default:
+ m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
+ if (m === null || m.length !== 4) {
+ throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM");
+ }
+ return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
+ }
+ }
+
+ function parse_local_tz_offset(minutes) {
+ var neg = minutes < 0;
+ minutes = Math.abs(minutes);
+ var min = minutes % 60;
+ var hours = Math.floor(minutes / 60);
+ var pad2digit = function(n) {
+ if (n < 10) { return "0" + n;}
+ return "" + n;
+ };
+ return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
+ }
+
+ function process(evt) {
+ // Function register is only called by the processor when `params` are set
+ // in the processor config.
+ if (device === undefined) {
+ register(defaults);
+ }
+ return device.process(evt);
+ }
+
+ function processor_chain(subprocessors) {
+ var builder = new processor.Chain();
+ subprocessors.forEach(builder.Add);
+ return builder.Build().Run;
+ }
+
+ function linear_select(subprocessors) {
+ return function (evt) {
+ var flags = evt.Get(FLAG_FIELD);
+ var i;
+ for (i = 0; i < subprocessors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ if (debug) console.warn("linear_select trying entry " + i);
+ subprocessors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) == null) break;
+ if (debug) console.warn("linear_select failed entry " + i);
+ }
+ if (flags !== null) {
+ evt.Put(FLAG_FIELD, flags);
+ }
+ if (debug) {
+ if (i < subprocessors.length) {
+ console.warn("linear_select matched entry " + i);
+ } else {
+ console.warn("linear_select didn't match");
+ }
+ }
+ };
+ }
+
+ function conditional(opt) {
+ return function(evt) {
+ if (opt.if(evt)) {
+ opt.then(evt);
+ } else if (opt.else) {
+ opt.else(evt);
+ }
+ };
+ }
+
+ var strip_syslog_priority = (function() {
+ var isEnabled = function() { return strip_priority === true; };
+ var fetchPRI = field("_pri");
+ var fetchPayload = field("payload");
+ var removePayload = remove(["payload"]);
+ var cleanup = remove(["_pri", "payload"]);
+ var onMatch = function(evt) {
+ var pri, priStr = fetchPRI(evt);
+ if (priStr != null
+ && 0 < priStr.length && priStr.length < 4
+ && !isNaN((pri = Number(priStr)))
+ && 0 <= pri && pri < 192) {
+ var severity = pri & 7,
+ facility = pri >> 3;
+ setc("_severity", "" + severity)(evt);
+ setc("_facility", "" + facility)(evt);
+ // Replace message with priority stripped.
+ evt.Put("message", fetchPayload(evt));
+ removePayload(evt);
+ } else {
+ // not a valid syslog PRI, cleanup.
+ cleanup(evt);
+ }
+ };
+ return conditional({
+ if: isEnabled,
+ then: cleanup_flags(match(
+ "STRIP_PRI",
+ "message",
+ "<%{_pri}>%{payload}",
+ onMatch
+ ))
+ });
+ })();
+
+ function match(id, src, pattern, on_success) {
+ var dissect = new processor.Dissect({
+ field: src,
+ tokenizer: pattern,
+ target_prefix: FIELDS_OBJECT,
+ ignore_failure: true,
+ overwrite_keys: true,
+ trim_values: "right"
+ });
+ return function (evt) {
+ var msg = evt.Get(src);
+ dissect.Run(evt);
+ var failed = evt.Get(FLAG_FIELD) != null;
+ if (debug) {
+ if (failed) {
+ console.debug("dissect fail: " + id + " field:" + src);
+ } else {
+ console.debug("dissect OK: " + id + " field:" + src);
+ }
+ console.debug(" expr: <<" + pattern + ">>");
+ console.debug(" input: <<" + msg + ">>");
+ }
+ if (on_success != null && !failed) {
+ on_success(evt);
+ }
+ };
+ }
+
+ function match_copy(id, src, dst, on_success) {
+ dst = FIELDS_PREFIX + dst;
+ if (dst === FIELDS_PREFIX || dst === src) {
+ return function (evt) {
+ if (debug) {
+ console.debug("noop OK: " + id + " field:" + src);
+ console.debug(" input: <<" + evt.Get(src) + ">>");
+ }
+ if (on_success != null) on_success(evt);
+ }
+ }
+ return function (evt) {
+ var msg = evt.Get(src);
+ evt.Put(dst, msg);
+ if (debug) {
+ console.debug("copy OK: " + id + " field:" + src);
+ console.debug(" target: '" + dst + "'");
+ console.debug(" input: <<" + msg + ">>");
+ }
+ if (on_success != null) on_success(evt);
+ }
+ }
+
+ function cleanup_flags(processor) {
+ return function(evt) {
+ processor(evt);
+ evt.Delete(FLAG_FIELD);
+ };
+ }
+
+ function all_match(opts) {
+ return function (evt) {
+ var i;
+ for (i = 0; i < opts.processors.length; i++) {
+ evt.Delete(FLAG_FIELD);
+ opts.processors[i](evt);
+ // Dissect processor succeeded?
+ if (evt.Get(FLAG_FIELD) != null) {
+ if (debug) console.warn("all_match failure at " + i);
+ if (opts.on_failure != null) opts.on_failure(evt);
+ return;
+ }
+ if (debug) console.warn("all_match success at " + i);
+ }
+ if (opts.on_success != null) opts.on_success(evt);
+ };
+ }
+
+ function msgid_select(mapping) {
+ return function (evt) {
+ var msgid = evt.Get(FIELDS_PREFIX + "messageid");
+ if (msgid == null) {
+ if (debug) console.warn("msgid_select: no messageid captured!");
+ return;
+ }
+ var next = mapping[msgid];
+ if (next === undefined) {
+ if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
+ return;
+ }
+ if (debug) console.info("msgid_select: matched key=" + msgid);
+ return next(evt);
+ };
+ }
+
+ function msg(msg_id, match) {
+ return function (evt) {
+ match(evt);
+ if (evt.Get(FLAG_FIELD) == null) {
+ evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
+ }
+ };
+ }
+
+ var start;
+
+ function save_flags(evt) {
+ saved_flags = evt.Get(FLAG_FIELD);
+ evt.Put("event.original", evt.Get("message"));
+ }
+
+ function restore_flags(evt) {
+ if (saved_flags !== null) {
+ evt.Put(FLAG_FIELD, saved_flags);
+ }
+ evt.Delete("message");
+ }
+
+ function constant(value) {
+ return function (evt) {
+ return value;
+ };
+ }
+
+ function field(name) {
+ var fullname = FIELDS_PREFIX + name;
+ return function (evt) {
+ return evt.Get(fullname);
+ };
+ }
+
+ function STRCAT(args) {
+ var s = "";
+ var i;
+ for (i = 0; i < args.length; i++) {
+ s += args[i];
+ }
+ return s;
+ }
+
+ // TODO: Implement
+ function DIRCHK(args) {
+ unimplemented("DIRCHK");
+ }
+
+ function strictToInt(str) {
+ return str * 1;
+ }
+
+ function CALC(args) {
+ if (args.length !== 3) {
+ console.warn("skipped call to CALC with " + args.length + " arguments.");
+ return;
+ }
+ var a = strictToInt(args[0]);
+ var b = strictToInt(args[2]);
+ if (isNaN(a) || isNaN(b)) {
+ console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
+ return;
+ }
+ var result;
+ switch (args[1]) {
+ case "+":
+ result = a + b;
+ break;
+ case "-":
+ result = a - b;
+ break;
+ case "*":
+ result = a * b;
+ break;
+ default:
+ // Only * and + seen in the parsers.
+ console.warn("unknown CALC operation '" + args[1] + "'.");
+ return;
+ }
+ // Always return a string
+ return result !== undefined ? "" + result : result;
+ }
+
+ var quoteChars = "\"'`";
+ function RMQ(args) {
+ if(args.length !== 1) {
+ console.warn("RMQ: only one argument expected");
+ return;
+ }
+ var value = args[0].trim();
+ var n = value.length;
+ var char;
+ return n > 1
+ && (char=value.charAt(0)) === value.charAt(n-1)
+ && quoteChars.indexOf(char) !== -1?
+ value.substr(1, n-2)
+ : value;
+ }
+
+ function call(opts) {
+ var args = new Array(opts.args.length);
+ return function (evt) {
+ for (var i = 0; i < opts.args.length; i++)
+ if ((args[i] = opts.args[i](evt)) == null) return;
+ var result = opts.fn(args);
+ if (result != null) {
+ evt.Put(opts.dest, result);
+ }
+ };
+ }
+
+ function nop(evt) {
+ }
+
+ function appendErrorMsg(evt, msg) {
+ var value = evt.Get("error.message");
+ if (value == null) {
+ value = [msg];
+ } else if (msg instanceof Array) {
+ value.push(msg);
+ } else {
+ value = [value, msg];
+ }
+ evt.Put("error.message", value);
+ }
+
+ function unimplemented(name) {
+ appendErrorMsg("unimplemented feature: " + name);
+ }
+
+ function lookup(opts) {
+ return function (evt) {
+ var key = opts.key(evt);
+ if (key == null) return;
+ var value = opts.map.keyvaluepairs[key];
+ if (value === undefined) {
+ value = opts.map.default;
+ }
+ if (value !== undefined) {
+ evt.Put(opts.dest, value(evt));
+ }
+ };
+ }
+
+ function set(fields) {
+ return new processor.AddFields({
+ target: FIELDS_OBJECT,
+ fields: fields,
+ });
+ }
+
+ function setf(dst, src) {
+ return function (evt) {
+ var val = evt.Get(FIELDS_PREFIX + src);
+ if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
+ };
+ }
+
+ function setc(dst, value) {
+ return function (evt) {
+ evt.Put(FIELDS_PREFIX + dst, value);
+ };
+ }
+
+ function set_field(opts) {
+ return function (evt) {
+ var val = opts.value(evt);
+ if (val != null) evt.Put(opts.dest, val);
+ };
+ }
+
+ function dump(label) {
+ return function (evt) {
+ console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
+ };
+ }
+
+ function date_time_join_args(evt, arglist) {
+ var str = "";
+ for (var i = 0; i < arglist.length; i++) {
+ var fname = FIELDS_PREFIX + arglist[i];
+ var val = evt.Get(fname);
+ if (val != null) {
+ if (str !== "") str += " ";
+ str += val;
+ } else {
+ if (debug) console.warn("in date_time: input arg " + fname + " is not set");
+ }
+ }
+ return str;
+ }
+
+ function to2Digit(num) {
+ return num? (num < 10? "0" + num : num) : "00";
+ }
+
+ // Make two-digit dates 00-69 interpreted as 2000-2069
+ // and dates 70-99 translated to 1970-1999.
+ var twoDigitYearEpoch = 70;
+ var twoDigitYearCentury = 2000;
+
+ // This is to accept dates up to 2 days in the future, only used when
+ // no year is specified in a date. 2 days should be enough to account for
+ // time differences between systems and different tz offsets.
+ var maxFutureDelta = 2*24*60*60*1000;
+
+ // DateContainer stores date fields and then converts those fields into
+ // a Date. Necessary because building a Date using its set() methods gives
+ // different results depending on the order of components.
+ function DateContainer(tzOffset) {
+ this.offset = tzOffset === undefined? "Z" : tzOffset;
+ }
+
+ DateContainer.prototype = {
+ setYear: function(v) {this.year = v;},
+ setMonth: function(v) {this.month = v;},
+ setDay: function(v) {this.day = v;},
+ setHours: function(v) {this.hours = v;},
+ setMinutes: function(v) {this.minutes = v;},
+ setSeconds: function(v) {this.seconds = v;},
+
+ setUNIX: function(v) {this.unix = v;},
+
+ set2DigitYear: function(v) {
+ this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
+ },
+
+ toDate: function() {
+ if (this.unix !== undefined) {
+ return new Date(this.unix * 1000);
+ }
+ if (this.day === undefined || this.month === undefined) {
+ // Can't make a date from this.
+ return undefined;
+ }
+ if (this.year === undefined) {
+ // A date without a year. Set current year, or previous year
+ // if date would be in the future.
+ var now = new Date();
+ this.year = now.getFullYear();
+ var date = this.toDate();
+ if (date.getTime() - now.getTime() > maxFutureDelta) {
+ date.setFullYear(now.getFullYear() - 1);
+ }
+ return date;
+ }
+ var MM = to2Digit(this.month);
+ var DD = to2Digit(this.day);
+ var hh = to2Digit(this.hours);
+ var mm = to2Digit(this.minutes);
+ var ss = to2Digit(this.seconds);
+ return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
+ }
+ }
+
+ function date_time_try_pattern(fmt, str, tzOffset) {
+ var date = new DateContainer(tzOffset);
+ var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
+ return pos !== undefined? date.toDate() : undefined;
+ }
+
+ function date_time_try_pattern_at_pos(fmt, str, pos, date) {
+ var len = str.length;
+ for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) {
+ pos = fmt[proc](str, pos, date);
+ }
+ return pos;
+ }
+
+ function date_time(opts) {
+ return function (evt) {
+ var tzOffset = opts.tz || tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = evt.Get("event.timezone");
+ }
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var date = date_time_try_pattern(opts.fmts[i], str, tzOffset);
+ if (date !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, date);
+ return;
+ }
+ }
+ if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str);
+ };
+ }
+
+ var uA = 60 * 60 * 24;
+ var uD = 60 * 60 * 24;
+ var uF = 60 * 60;
+ var uG = 60 * 60 * 24 * 30;
+ var uH = 60 * 60;
+ var uI = 60 * 60;
+ var uJ = 60 * 60 * 24;
+ var uM = 60 * 60 * 24 * 30;
+ var uN = 60 * 60;
+ var uO = 1;
+ var uS = 1;
+ var uT = 60;
+ var uU = 60;
+ var uc = dc;
+
+ function duration(opts) {
+ return function(evt) {
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var seconds = duration_try_pattern(opts.fmts[i], str);
+ if (seconds !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, seconds);
+ return;
+ }
+ }
+ if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str);
+ };
+ }
+
+ function duration_try_pattern(fmt, str) {
+ var secs = 0;
+ var pos = 0;
+ for (var i=0; i [ month_id , how many chars to skip if month in long form ]
+ "Jan": [0, 4],
+ "Feb": [1, 5],
+ "Mar": [2, 2],
+ "Apr": [3, 2],
+ "May": [4, 0],
+ "Jun": [5, 1],
+ "Jul": [6, 1],
+ "Aug": [7, 3],
+ "Sep": [8, 6],
+ "Oct": [9, 4],
+ "Nov": [10, 5],
+ "Dec": [11, 4],
+ "jan": [0, 4],
+ "feb": [1, 5],
+ "mar": [2, 2],
+ "apr": [3, 2],
+ "may": [4, 0],
+ "jun": [5, 1],
+ "jul": [6, 1],
+ "aug": [7, 3],
+ "sep": [8, 6],
+ "oct": [9, 4],
+ "nov": [10, 5],
+ "dec": [11, 4],
+ };
+
+ // var dC = undefined;
+ var dR = dateMonthName(true);
+ var dB = dateMonthName(false);
+ var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+ var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+ var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+ var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+ var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+ var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+ var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+ var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+ var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+ var dP = parseAMPM; // AM|PM
+ var dQ = parseAMPM; // A.M.|P.M
+ var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+ var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+ var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+ var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+ var dZ = parseHMS;
+ var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+ // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+ // Only works if this modifier appears after the hour has been read from logs
+ // which is always the case in the 300 devices.
+ function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+ }
+
+ function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+ }
+
+ function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length? pos : undefined;
+ }
+
+ function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+ }
+
+ function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+ }
+
+ // Short month name (Jan..Dec).
+ function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ? idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.debug(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port.
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ function tagval(id, src, cfg, keys, on_success) {
+ var fail = function(evt) {
+ evt.Put(FLAG_FIELD, "tagval_parsing_error");
+ }
+ if (cfg.kv_separator.length !== 1) {
+ throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
+ }
+ var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
+ cfg.open_quote.length + cfg.close_quote.length : 0;
+ var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$');
+ return function(evt) {
+ var msg = evt.Get(src);
+ if (msg === undefined) {
+ console.warn("tagval: input field is missing");
+ return fail(evt);
+ }
+ var pairs = msg.split(cfg.pair_separator);
+ var i;
+ var success = false;
+ var prev = "";
+ for (i=0; i 0 &&
+ value.length >= cfg.open_quote.length + cfg.close_quote.length &&
+ value.substr(0, cfg.open_quote.length) === cfg.open_quote &&
+ value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) {
+ value = value.substr(cfg.open_quote.length, value.length - quotes_len);
+ }
+ evt.Put(FIELDS_PREFIX + field, value);
+ success = true;
+ }
+ if (!success) {
+ return fail(evt);
+ }
+ if (on_success != null) {
+ on_success(evt);
+ }
+ }
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "message", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+ "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
+ "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
+ "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
+ "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
+ "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
+ "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
+ "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
+ "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
+ "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
+ "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
+ "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
+ "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
+ "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
+ "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
+ "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
+ "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
+ "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
+ "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
+ "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
+ "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
+ "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
+ "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
+ "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
+ "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
+ "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
+ "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
+ "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
+ "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
+ "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
+ "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
+ "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
+ "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
+ "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
+ "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
+ "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
+ "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
+ "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
+ "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
+ "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
+ "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
+ "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
+ "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
+ "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
+ "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
+ "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
+ "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
+ "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
+ "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
+ "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
+ "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
+ "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
+ "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
+ "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+ };
+
+ function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+ }
+
+ // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+ var maxSafeInt = Math.pow(2, 53) - 1;
+ var minSafeInt = -maxSafeInt;
+
+ function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined;
+ }
+
+ function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+ }
+
+ var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+ function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+ }
+
+ function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+ }
+
+ function to_double(value) {
+ return parseFloat(value);
+ }
+
+ function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+ }
+
+ function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"? value.toLowerCase() : value;
+ }
+
+ function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+ }
+
+ function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+ }
+
+ function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+ }
+
+ var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+ };
+
+ function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+ }
+
+ function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+ }
+
+ function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+ }
+
+ var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+ ];
+
+ function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = evt.Get("event.timezone");
+ }
+ var container = new DateContainer(tzOffset);
+ for (var i=0; i} for %{p0}");
+
+ var dup7 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}");
+
+ var dup8 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})");
+
+ var dup9 = date_time({
+ dest: "event_time",
+ args: ["fld1"],
+ fmts: [
+ [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO],
+ ],
+ });
+
+ var dup10 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})");
+
+ var dup11 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1");
+
+ var dup12 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}");
+
+ var dup13 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}");
+
+ var dup14 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}");
+
+ var dup15 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}");
+
+ var dup16 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0");
+
+ var dup17 = setc("eventcategory","1502000000");
+
+ var dup18 = setc("eventcategory","1703000000");
+
+ var dup19 = setc("eventcategory","1603000000");
+
+ var dup20 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} ");
+
+ var dup21 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", "");
+
+ var dup22 = setc("eventcategory","1502050000");
+
+ var dup23 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}");
+
+ var dup24 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}");
+
+ var dup25 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}");
+
+ var dup26 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator");
+
+ var dup27 = setc("eventcategory","1801010000");
+
+ var dup28 = setc("eventcategory","1401060000");
+
+ var dup29 = setc("ec_subject","User");
+
+ var dup30 = setc("ec_activity","Logon");
+
+ var dup31 = setc("ec_theme","Authentication");
+
+ var dup32 = setc("ec_outcome","Success");
+
+ var dup33 = setc("eventcategory","1401070000");
+
+ var dup34 = setc("ec_activity","Logoff");
+
+ var dup35 = setc("eventcategory","1303000000");
+
+ var dup36 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition");
+
+ var dup37 = setc("eventcategory","1402020200");
+
+ var dup38 = setc("ec_theme","UserGroup");
+
+ var dup39 = setc("ec_outcome","Error");
+
+ var dup40 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}");
+
+ var dup41 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})");
+
+ var dup42 = setc("eventcategory","1402020300");
+
+ var dup43 = setc("ec_activity","Modify");
+
+ var dup44 = setc("eventcategory","1605000000");
+
+ var dup45 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}");
+
+ var dup46 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}");
+
+ var dup47 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}");
+
+ var dup48 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}");
+
+ var dup49 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})");
+
+ var dup50 = setc("eventcategory","1701020000");
+
+ var dup51 = setc("ec_theme","Configuration");
+
+ var dup52 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}");
+
+ var dup53 = setc("eventcategory","1301000000");
+
+ var dup54 = setc("ec_outcome","Failure");
+
+ var dup55 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}");
+
+ var dup56 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}");
+
+ var dup57 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}");
+
+ var dup58 = setc("eventcategory","1001000000");
+
+ var dup59 = setc("dclass_counter1_string","Number of times the attack occurred");
+
+ var dup60 = call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$OUT"),
+ field("saddr"),
+ field("daddr"),
+ ],
+ });
+
+ var dup61 = call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$OUT"),
+ field("saddr"),
+ field("daddr"),
+ field("sport"),
+ field("dport"),
+ ],
+ });
+
+ var dup62 = setc("eventcategory","1608010000");
+
+ var dup63 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}");
+
+ var dup64 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}");
+
+ var dup65 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}");
+
+ var dup66 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}");
+
+ var dup67 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})");
+
+ var dup68 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}");
+
+ var dup69 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}");
+
+ var dup70 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}");
+
+ var dup71 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}");
+
+ var dup72 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}");
+
+ var dup73 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}");
+
+ var dup74 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}");
+
+ var dup75 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}");
+
+ var dup76 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}");
+
+ var dup77 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}");
+
+ var dup78 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}");
+
+ var dup79 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}");
+
+ var dup80 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var dup81 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}");
+
+ var dup82 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}");
+
+ var dup83 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})");
+
+ var dup84 = setc("eventcategory","1002020000");
+
+ var dup85 = setc("eventcategory","1002000000");
+
+ var dup86 = setc("eventcategory","1603110000");
+
+ var dup87 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}");
+
+ var dup88 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}");
+
+ var dup89 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}");
+
+ var dup90 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}");
+
+ var dup91 = setc("eventcategory","1613040200");
+
+ var dup92 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}");
+
+ var dup93 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}");
+
+ var dup94 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}");
+
+ var dup95 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}");
+
+ var dup96 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}");
+
+ var dup97 = setc("eventcategory","1613050200");
+
+ var dup98 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}");
+
+ var dup99 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}");
+
+ var dup100 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}");
+
+ var dup101 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}");
+
+ var dup102 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}");
+
+ var dup103 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}");
+
+ var dup104 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}");
+
+ var dup105 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}");
+
+ var dup106 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}");
+
+ var dup107 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}");
+
+ var dup108 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}");
+
+ var dup109 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}");
+
+ var dup110 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}");
+
+ var dup111 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}");
+
+ var dup112 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}");
+
+ var dup113 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}");
+
+ var dup114 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}");
+
+ var dup115 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}");
+
+ var dup116 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}");
+
+ var dup117 = setc("eventcategory","1603090000");
+
+ var dup118 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}");
+
+ var dup119 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}");
+
+ var dup120 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}");
+
+ var dup121 = setc("eventcategory","1603030000");
+
+ var dup122 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}");
+
+ var dup123 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}");
+
+ var dup124 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface");
+
+ var dup125 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}");
+
+ var dup126 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}");
+
+ var dup127 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}");
+
+ var dup128 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}.");
+
+ var dup129 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}");
+
+ var dup130 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}");
+
+ var dup131 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. (%{fld1})");
+
+ var dup132 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var dup133 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}");
+
+ var dup134 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}");
+
+ var dup135 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}");
+
+ var dup136 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}");
+
+ var dup137 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}");
+
+ var dup138 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}");
+
+ var dup139 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}");
+
+ var dup140 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}");
+
+ var dup141 = setc("eventcategory","1702030000");
+
+ var dup142 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}");
+
+ var dup143 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}");
+
+ var dup144 = setc("eventcategory","1601000000");
+
+ var dup145 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) ");
+
+ var dup146 = date_time({
+ dest: "event_time",
+ args: ["fld2"],
+ fmts: [
+ [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO],
+ ],
+ });
+
+ var dup147 = setc("eventcategory","1103000000");
+
+ var dup148 = setc("ec_subject","NetworkComm");
+
+ var dup149 = setc("ec_activity","Scan");
+
+ var dup150 = setc("ec_theme","TEV");
+
+ var dup151 = setc("eventcategory","1103010000");
+
+ var dup152 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}");
+
+ var dup153 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}");
+
+ var dup154 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}");
+
+ var dup155 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}");
+
+ var dup156 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}");
+
+ var dup157 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}");
+
+ var dup158 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}");
+
+ var dup159 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}");
+
+ var dup160 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}");
+
+ var dup161 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}");
+
+ var dup162 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}");
+
+ var dup163 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}");
+
+ var dup164 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})");
+
+ var dup165 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}");
+
+ var dup166 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}");
+
+ var dup167 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}");
+
+ var dup168 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}");
+
+ var dup169 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}");
+
+ var dup170 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}");
+
+ var dup171 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}");
+
+ var dup172 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}");
+
+ var dup173 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}");
+
+ var dup174 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}");
+
+ var dup175 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}");
+
+ var dup176 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}");
+
+ var dup177 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}");
+
+ var dup178 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}");
+
+ var dup179 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}");
+
+ var dup180 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}");
+
+ var dup181 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}");
+
+ var dup182 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}");
+
+ var dup183 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}");
+
+ var dup184 = setc("eventcategory","1603020000");
+
+ var dup185 = setc("eventcategory","1803000000");
+
+ var dup186 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}");
+
+ var dup187 = setc("eventcategory","1603010000");
+
+ var dup188 = setc("eventcategory","1603100000");
+
+ var dup189 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}");
+
+ var dup190 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}");
+
+ var dup191 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}");
+
+ var dup192 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}");
+
+ var dup193 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}");
+
+ var dup194 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}");
+
+ var dup195 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}");
+
+ var dup196 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}");
+
+ var dup197 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}");
+
+ var dup198 = setc("eventcategory","1801030000");
+
+ var dup199 = setc("eventcategory","1302010200");
+
+ var dup200 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}");
+
+ var dup201 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}");
+
+ var dup202 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}");
+
+ var dup203 = setc("eventcategory","1304000000");
+
+ var dup204 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}");
+
+ var dup205 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}");
+
+ var dup206 = setc("eventcategory","1401030000");
+
+ var dup207 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}");
+
+ var dup208 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}");
+
+ var dup209 = setc("eventcategory","1605020000");
+
+ var dup210 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}");
+
+ var dup211 = setc("ec_subject","Certificate");
+
+ var dup212 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}");
+
+ var dup213 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}");
+
+ var dup214 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}");
+
+ var dup215 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}");
+
+ var dup216 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}");
+
+ var dup217 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}");
+
+ var dup218 = setc("ec_subject","CryptoKey");
+
+ var dup219 = setc("ec_subject","Configuration");
+
+ var dup220 = setc("ec_activity","Request");
+
+ var dup221 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}");
+
+ var dup222 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}");
+
+ var dup223 = setc("eventcategory","1612000000");
+
+ var dup224 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}");
+
+ var dup225 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}");
+
+ var dup226 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}");
+
+ var dup227 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}");
+
+ var dup228 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}");
+
+ var dup229 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}");
+
+ var dup230 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}");
+
+ var dup231 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})");
+
+ var dup232 = setc("eventcategory","1201000000");
+
+ var dup233 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}");
+
+ var dup234 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}");
+
+ var dup235 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}");
+
+ var dup236 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}");
+
+ var dup237 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}");
+
+ var dup238 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}");
+
+ var dup239 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var dup240 = setc("eventcategory","1401000000");
+
+ var dup241 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}");
+
+ var dup242 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}");
+
+ var dup243 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}");
+
+ var dup244 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}");
+
+ var dup245 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}");
+
+ var dup246 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}");
+
+ var dup247 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}");
+
+ var dup248 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}");
+
+ var dup249 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}");
+
+ var dup250 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}");
+
+ var dup251 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}");
+
+ var dup252 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}");
+
+ var dup253 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}");
+
+ var dup254 = setc("eventcategory","1608000000");
+
+ var dup255 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}");
+
+ var dup256 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}");
+
+ var dup257 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}");
+
+ var dup258 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}");
+
+ var dup259 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}");
+
+ var dup260 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}");
+
+ var dup261 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}");
+
+ var dup262 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}");
+
+ var dup263 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}");
+
+ var dup264 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}");
+
+ var dup265 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}");
+
+ var dup266 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}");
+
+ var dup267 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}");
+
+ var dup268 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}");
+
+ var dup269 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}");
+
+ var dup270 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state");
+
+ var dup271 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}");
+
+ var dup272 = setc("eventcategory","1805010000");
+
+ var dup273 = setc("eventcategory","1805000000");
+
+ var dup274 = date_time({
+ dest: "starttime",
+ args: ["fld2"],
+ fmts: [
+ [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO],
+ ],
+ });
+
+ var dup275 = call({
+ dest: "nwparser.bytes",
+ fn: CALC,
+ args: [
+ field("sbytes"),
+ constant("+"),
+ field("rbytes"),
+ ],
+ });
+
+ var dup276 = setc("action","Deny");
+
+ var dup277 = setc("disposition","Deny");
+
+ var dup278 = setc("direction","outgoing");
+
+ var dup279 = call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$IN"),
+ field("saddr"),
+ field("daddr"),
+ field("sport"),
+ field("dport"),
+ ],
+ });
+
+ var dup280 = setc("direction","incoming");
+
+ var dup281 = setc("eventcategory","1801000000");
+
+ var dup282 = setf("action","disposition");
+
+ var dup283 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}");
+
+ var dup284 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}");
+
+ var dup285 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}");
+
+ var dup286 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr");
+
+ var dup287 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}");
+
+ var dup288 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}");
+
+ var dup289 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}");
+
+ var dup290 = setc("eventcategory","1401050200");
+
+ var dup291 = call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$IN"),
+ field("daddr"),
+ field("saddr"),
+ ],
+ });
+
+ var dup292 = call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$IN"),
+ field("daddr"),
+ field("saddr"),
+ field("dport"),
+ field("sport"),
+ ],
+ });
+
+ var dup293 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times.");
+
+ var dup294 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.");
+
+ var dup295 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}");
+
+ var dup296 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var dup297 = setc("eventcategory","1204000000");
+
+ var dup298 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var dup299 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}");
+
+ var dup300 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})");
+
+ var dup301 = setc("eventcategory","1801020000");
+
+ var dup302 = setc("disposition","failed");
+
+ var dup303 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}");
+
+ var dup304 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}");
+
+ var dup305 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}");
+
+ var dup306 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}");
+
+ var dup307 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}");
+
+ var dup308 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}");
+
+ var dup309 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}");
+
+ var dup310 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}");
+
+ var dup311 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}");
+
+ var dup312 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}");
+
+ var dup313 = setc("eventcategory","1803020000");
+
+ var dup314 = setc("eventcategory","1613030000");
+
+ var dup315 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}");
+
+ var dup316 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}");
+
+ var dup317 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}");
+
+ var dup318 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}");
+
+ var dup319 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}");
+
+ var dup320 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}");
+
+ var dup321 = match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}");
+
+ var dup322 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}");
+
+ var dup323 = setc("event_description","Cannot connect to NSM server");
+
+ var dup324 = setc("eventcategory","1603040000");
+
+ var dup325 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}");
+
+ var dup326 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}");
+
+ var dup327 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}");
+
+ var dup328 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}");
+
+ var dup329 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}");
+
+ var dup330 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}");
+
+ var dup331 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}");
+
+ var dup332 = call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$OUT"),
+ field("daddr"),
+ field("saddr"),
+ field("dport"),
+ field("sport"),
+ ],
+ });
+
+ var dup333 = linear_select([
+ dup10,
+ dup11,
+ ]);
+
+ var dup334 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var dup335 = linear_select([
+ dup13,
+ dup14,
+ ]);
+
+ var dup336 = linear_select([
+ dup15,
+ dup16,
+ ]);
+
+ var dup337 = linear_select([
+ dup56,
+ dup57,
+ ]);
+
+ var dup338 = linear_select([
+ dup65,
+ dup66,
+ ]);
+
+ var dup339 = linear_select([
+ dup68,
+ dup69,
+ ]);
+
+ var dup340 = linear_select([
+ dup71,
+ dup72,
+ ]);
+
+ var dup341 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var dup342 = linear_select([
+ dup74,
+ dup75,
+ ]);
+
+ var dup343 = linear_select([
+ dup81,
+ dup82,
+ ]);
+
+ var dup344 = linear_select([
+ dup24,
+ dup90,
+ ]);
+
+ var dup345 = linear_select([
+ dup94,
+ dup95,
+ ]);
+
+ var dup346 = linear_select([
+ dup98,
+ dup99,
+ ]);
+
+ var dup347 = linear_select([
+ dup100,
+ dup101,
+ dup102,
+ ]);
+
+ var dup348 = linear_select([
+ dup113,
+ dup114,
+ ]);
+
+ var dup349 = linear_select([
+ dup111,
+ dup16,
+ ]);
+
+ var dup350 = linear_select([
+ dup127,
+ dup107,
+ ]);
+
+ var dup351 = linear_select([
+ dup8,
+ dup21,
+ ]);
+
+ var dup352 = linear_select([
+ dup122,
+ dup133,
+ ]);
+
+ var dup353 = linear_select([
+ dup142,
+ dup143,
+ ]);
+
+ var dup354 = linear_select([
+ dup145,
+ dup21,
+ ]);
+
+ var dup355 = linear_select([
+ dup127,
+ dup106,
+ ]);
+
+ var dup356 = linear_select([
+ dup152,
+ dup96,
+ ]);
+
+ var dup357 = linear_select([
+ dup154,
+ dup155,
+ ]);
+
+ var dup358 = linear_select([
+ dup156,
+ dup157,
+ ]);
+
+ var dup359 = linear_select([
+ dup99,
+ dup134,
+ ]);
+
+ var dup360 = linear_select([
+ dup158,
+ dup159,
+ ]);
+
+ var dup361 = linear_select([
+ dup161,
+ dup162,
+ ]);
+
+ var dup362 = linear_select([
+ dup163,
+ dup103,
+ ]);
+
+ var dup363 = linear_select([
+ dup162,
+ dup161,
+ ]);
+
+ var dup364 = linear_select([
+ dup46,
+ dup47,
+ ]);
+
+ var dup365 = linear_select([
+ dup166,
+ dup167,
+ ]);
+
+ var dup366 = linear_select([
+ dup172,
+ dup173,
+ ]);
+
+ var dup367 = linear_select([
+ dup174,
+ dup175,
+ dup176,
+ dup177,
+ dup178,
+ dup179,
+ dup180,
+ dup181,
+ dup182,
+ ]);
+
+ var dup368 = linear_select([
+ dup49,
+ dup21,
+ ]);
+
+ var dup369 = linear_select([
+ dup189,
+ dup190,
+ ]);
+
+ var dup370 = linear_select([
+ dup96,
+ dup152,
+ ]);
+
+ var dup371 = linear_select([
+ dup196,
+ dup197,
+ ]);
+
+ var dup372 = linear_select([
+ dup24,
+ dup200,
+ ]);
+
+ var dup373 = linear_select([
+ dup103,
+ dup163,
+ ]);
+
+ var dup374 = linear_select([
+ dup205,
+ dup118,
+ ]);
+
+ var dup375 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var dup376 = linear_select([
+ dup212,
+ dup213,
+ ]);
+
+ var dup377 = linear_select([
+ dup215,
+ dup216,
+ ]);
+
+ var dup378 = linear_select([
+ dup222,
+ dup215,
+ ]);
+
+ var dup379 = linear_select([
+ dup224,
+ dup225,
+ ]);
+
+ var dup380 = linear_select([
+ dup231,
+ dup124,
+ ]);
+
+ var dup381 = linear_select([
+ dup229,
+ dup230,
+ ]);
+
+ var dup382 = linear_select([
+ dup233,
+ dup234,
+ ]);
+
+ var dup383 = linear_select([
+ dup236,
+ dup237,
+ ]);
+
+ var dup384 = linear_select([
+ dup242,
+ dup243,
+ ]);
+
+ var dup385 = linear_select([
+ dup245,
+ dup246,
+ ]);
+
+ var dup386 = linear_select([
+ dup247,
+ dup248,
+ ]);
+
+ var dup387 = linear_select([
+ dup249,
+ dup250,
+ ]);
+
+ var dup388 = linear_select([
+ dup251,
+ dup252,
+ ]);
+
+ var dup389 = linear_select([
+ dup260,
+ dup261,
+ ]);
+
+ var dup390 = linear_select([
+ dup264,
+ dup265,
+ ]);
+
+ var dup391 = linear_select([
+ dup268,
+ dup269,
+ ]);
+
+ var dup392 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var dup393 = linear_select([
+ dup284,
+ dup285,
+ ]);
+
+ var dup394 = linear_select([
+ dup287,
+ dup288,
+ ]);
+
+ var dup395 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup4,
+ dup5,
+ dup3,
+ dup60,
+ ]));
+
+ var dup396 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup4,
+ dup59,
+ dup5,
+ dup9,
+ dup2,
+ dup3,
+ dup60,
+ ]));
+
+ var dup397 = linear_select([
+ dup300,
+ dup26,
+ ]);
+
+ var dup398 = linear_select([
+ dup115,
+ dup303,
+ ]);
+
+ var dup399 = linear_select([
+ dup125,
+ dup96,
+ ]);
+
+ var dup400 = linear_select([
+ dup189,
+ dup308,
+ dup309,
+ ]);
+
+ var dup401 = linear_select([
+ dup310,
+ dup16,
+ ]);
+
+ var dup402 = linear_select([
+ dup317,
+ dup318,
+ ]);
+
+ var dup403 = linear_select([
+ dup319,
+ dup315,
+ ]);
+
+ var dup404 = linear_select([
+ dup322,
+ dup250,
+ ]);
+
+ var dup405 = linear_select([
+ dup327,
+ dup329,
+ ]);
+
+ var dup406 = linear_select([
+ dup330,
+ dup129,
+ ]);
+
+ var dup407 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup60,
+ dup282,
+ ]));
+
+ var dup408 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup276,
+ dup277,
+ dup60,
+ ]));
+
+ var dup409 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup60,
+ dup282,
+ ]));
+
+ var dup410 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup276,
+ dup277,
+ dup61,
+ ]));
+
+ var dup411 = all_match({
+ processors: [
+ dup263,
+ dup390,
+ dup266,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var dup412 = all_match({
+ processors: [
+ dup267,
+ dup391,
+ dup270,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var dup413 = all_match({
+ processors: [
+ dup80,
+ dup343,
+ dup293,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var dup414 = all_match({
+ processors: [
+ dup296,
+ dup343,
+ dup131,
+ ],
+ on_success: processor_chain([
+ dup297,
+ dup2,
+ dup3,
+ dup9,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var dup415 = all_match({
+ processors: [
+ dup298,
+ dup343,
+ dup131,
+ ],
+ on_success: processor_chain([
+ dup297,
+ dup2,
+ dup3,
+ dup9,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var hdr1 = match("HEADER#0:0001", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [No Name]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([
+ setc("header_id","0001"),
+ ]));
+
+ var hdr2 = match("HEADER#1:0003", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [%{hvsys}]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([
+ setc("header_id","0003"),
+ ]));
+
+ var hdr3 = match("HEADER#2:0004", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([
+ setc("header_id","0004"),
+ ]));
+
+ var hdr4 = match("HEADER#3:0002/0", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} %{p0}");
+
+ var part1 = match("HEADER#3:0002/1_0", "nwparser.p0", "[No Name]system%{p0}");
+
+ var part2 = match("HEADER#3:0002/1_1", "nwparser.p0", "[%{hvsys}]system%{p0}");
+
+ var part3 = match("HEADER#3:0002/1_2", "nwparser.p0", "system%{p0}");
+
+ var select1 = linear_select([
+ part1,
+ part2,
+ part3,
+ ]);
+
+ var part4 = match("HEADER#3:0002/2", "nwparser.p0", "-%{hseverity}-%{messageid}: %{payload}");
+
+ var all1 = all_match({
+ processors: [
+ hdr4,
+ select1,
+ part4,
+ ],
+ on_success: processor_chain([
+ setc("header_id","0002"),
+ ]),
+ });
+
+ var select2 = linear_select([
+ hdr1,
+ hdr2,
+ hdr3,
+ all1,
+ ]);
+
+ var part5 = match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} with ip address %{hostip->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1 = msg("00001", part5);
+
+ var part6 = match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface->} with domain name %{domain->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg2 = msg("00001:01", part6);
+
+ var part7 = match("MESSAGE#2:00001:02/1_0", "nwparser.p0", "ip address %{hostip->} in zone %{p0}");
+
+ var select3 = linear_select([
+ part7,
+ dup7,
+ ]);
+
+ var part8 = match("MESSAGE#2:00001:02/2", "nwparser.p0", "%{zone->} has been %{disposition}");
+
+ var all2 = all_match({
+ processors: [
+ dup6,
+ select3,
+ part8,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg3 = msg("00001:02", all2);
+
+ var part9 = match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface changed!", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg4 = msg("00001:03", part9);
+
+ var part10 = match("MESSAGE#4:00001:04/1_0", "nwparser.p0", "IP address %{hostip->} in zone %{p0}");
+
+ var select4 = linear_select([
+ part10,
+ dup7,
+ ]);
+
+ var part11 = match("MESSAGE#4:00001:04/2", "nwparser.p0", "%{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} session%{p0}");
+
+ var part12 = match("MESSAGE#4:00001:04/3_1", "nwparser.p0", ".%{fld1}");
+
+ var select5 = linear_select([
+ dup8,
+ part12,
+ ]);
+
+ var all3 = all_match({
+ processors: [
+ dup6,
+ select4,
+ part11,
+ select5,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg5 = msg("00001:04", all3);
+
+ var part13 = match("MESSAGE#5:00001:05/0", "nwparser.payload", "%{fld2}: Address %{group_object->} for ip address %{hostip->} in zone %{zone->} has been %{disposition->} from host %{saddr->} session %{p0}");
+
+ var all4 = all_match({
+ processors: [
+ part13,
+ dup333,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg6 = msg("00001:05", all4);
+
+ var part14 = match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg7 = msg("00001:06", part14);
+
+ var msg8 = msg("00001:07", dup334);
+
+ var part15 = match("MESSAGE#8:00001:08/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{p0}");
+
+ var part16 = match("MESSAGE#8:00001:08/4", "nwparser.p0", "%{} %{username}via NSRP Peer session. (%{fld1})");
+
+ var all5 = all_match({
+ processors: [
+ dup12,
+ dup335,
+ part15,
+ dup336,
+ part16,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg9 = msg("00001:08", all5);
+
+ var part17 = match("MESSAGE#9:00001:09/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} session. (%{fld1})");
+
+ var all6 = all_match({
+ processors: [
+ dup12,
+ dup335,
+ part17,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg10 = msg("00001:09", all6);
+
+ var select6 = linear_select([
+ msg1,
+ msg2,
+ msg3,
+ msg4,
+ msg5,
+ msg6,
+ msg7,
+ msg8,
+ msg9,
+ msg10,
+ ]);
+
+ var part18 = match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg11 = msg("00002:03", part18);
+
+ var part19 = match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg12 = msg("00002:04", part19);
+
+ var part20 = match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg13 = msg("00002:05", part20);
+
+ var part21 = match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with e-mail notification of event alarms has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg14 = msg("00002:06", part21);
+
+ var part22 = match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action->} and the LCD control keys have been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg15 = msg("00002:07", part22);
+
+ var part23 = match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{fld2->} is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg16 = msg("00002:55", part23);
+
+ var part24 = match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg17 = msg("00002:08", part24);
+
+ var part25 = match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg18 = msg("00002:09", part25);
+
+ var part26 = match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg19 = msg("00002:10", part26);
+
+ var part27 = match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{hostip->} %{fld2->} has been %{disposition}", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg20 = msg("00002:11", part27);
+
+ var part28 = match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg21 = msg("00002:12", part28);
+
+ var part29 = match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been %{disposition}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg22 = msg("00002:15", part29);
+
+ var msg23 = msg("00002:17", dup334);
+
+ var part30 = match("MESSAGE#23:00002:18/0", "nwparser.payload", "Unexpected error from e%{p0}");
+
+ var part31 = match("MESSAGE#23:00002:18/1_0", "nwparser.p0", "-mail %{p0}");
+
+ var part32 = match("MESSAGE#23:00002:18/1_1", "nwparser.p0", "mail %{p0}");
+
+ var select7 = linear_select([
+ part31,
+ part32,
+ ]);
+
+ var part33 = match("MESSAGE#23:00002:18/2", "nwparser.p0", "server(%{fld2}):");
+
+ var all7 = all_match({
+ processors: [
+ part30,
+ select7,
+ part33,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg24 = msg("00002:18", all7);
+
+ var part34 = match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute->} value has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg25 = msg("00002:19", part34);
+
+ var part35 = match("MESSAGE#25:00002:20/0", "nwparser.payload", "Root admin password restriction of minimum %{fld2->} characters has been %{disposition->} by admin %{administrator->} %{p0}");
+
+ var part36 = match("MESSAGE#25:00002:20/1_0", "nwparser.p0", "from Console %{}");
+
+ var select8 = linear_select([
+ part36,
+ dup20,
+ dup21,
+ ]);
+
+ var all8 = all_match({
+ processors: [
+ part35,
+ select8,
+ ],
+ on_success: processor_chain([
+ dup22,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg26 = msg("00002:20", all8);
+
+ var part37 = match("MESSAGE#26:00002:21/0_0", "nwparser.payload", "Root admin %{p0}");
+
+ var part38 = match("MESSAGE#26:00002:21/0_1", "nwparser.payload", "%{fld2->} admin %{p0}");
+
+ var select9 = linear_select([
+ part37,
+ part38,
+ ]);
+
+ var select10 = linear_select([
+ dup24,
+ dup25,
+ ]);
+
+ var part39 = match("MESSAGE#26:00002:21/3", "nwparser.p0", "has been changed by admin %{administrator}");
+
+ var all9 = all_match({
+ processors: [
+ select9,
+ dup23,
+ select10,
+ part39,
+ ],
+ on_success: processor_chain([
+ dup22,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg27 = msg("00002:21", all9);
+
+ var part40 = match("MESSAGE#27:00002:22/0", "nwparser.payload", "%{change_attribute->} from %{protocol->} before administrative session disconnects has been changed from %{change_old->} to %{change_new->} by admin %{p0}");
+
+ var part41 = match("MESSAGE#27:00002:22/1_0", "nwparser.p0", "%{administrator->} from Console");
+
+ var part42 = match("MESSAGE#27:00002:22/1_1", "nwparser.p0", "%{administrator->} from host %{saddr}");
+
+ var select11 = linear_select([
+ part41,
+ part42,
+ dup26,
+ ]);
+
+ var all10 = all_match({
+ processors: [
+ part40,
+ select11,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg28 = msg("00002:22", all10);
+
+ var part43 = match("MESSAGE#28:00002:23/0", "nwparser.payload", "Root admin access restriction through console only has been %{disposition->} by admin %{administrator->} %{p0}");
+
+ var part44 = match("MESSAGE#28:00002:23/1_1", "nwparser.p0", "from Console%{}");
+
+ var select12 = linear_select([
+ dup20,
+ part44,
+ dup21,
+ ]);
+
+ var all11 = all_match({
+ processors: [
+ part43,
+ select12,
+ ],
+ on_success: processor_chain([
+ dup22,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg29 = msg("00002:23", all11);
+
+ var part45 = match("MESSAGE#29:00002:24/0", "nwparser.payload", "Admin access restriction of %{protocol->} administration through tunnel only has been %{disposition->} by admin %{administrator->} from %{p0}");
+
+ var part46 = match("MESSAGE#29:00002:24/1_0", "nwparser.p0", "host %{saddr}");
+
+ var part47 = match("MESSAGE#29:00002:24/1_1", "nwparser.p0", "Console%{}");
+
+ var select13 = linear_select([
+ part46,
+ part47,
+ ]);
+
+ var all12 = all_match({
+ processors: [
+ part45,
+ select13,
+ ],
+ on_success: processor_chain([
+ dup22,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg30 = msg("00002:24", all12);
+
+ var part48 = match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of an %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ setc("eventcategory","1402000000"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg31 = msg("00002:25", part48);
+
+ var part49 = match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail server %{hostip}.", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg32 = msg("00002:26", part49);
+
+ var part50 = match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server is not configured.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg33 = msg("00002:27", part50);
+
+ var part51 = match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not configured.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg34 = msg("00002:28", part51);
+
+ var part52 = match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restriction for read-write administrators has been %{disposition->} by admin %{administrator}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg35 = msg("00002:29", part52);
+
+ var part53 = match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([
+ dup28,
+ dup29,
+ dup30,
+ dup31,
+ dup32,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg36 = msg("00002:30", part53);
+
+ var part54 = match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([
+ dup33,
+ dup29,
+ dup34,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg37 = msg("00002:41", part54);
+
+ var part55 = match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} %{space->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([
+ dup35,
+ dup29,
+ dup30,
+ dup31,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg38 = msg("00002:31", part55);
+
+ var part56 = match("MESSAGE#38:00002:32/0_0", "nwparser.payload", "E-mail notification %{p0}");
+
+ var part57 = match("MESSAGE#38:00002:32/0_1", "nwparser.payload", "Transparent virutal %{p0}");
+
+ var select14 = linear_select([
+ part56,
+ part57,
+ ]);
+
+ var part58 = match("MESSAGE#38:00002:32/1", "nwparser.p0", "wire mode has been %{disposition}");
+
+ var all13 = all_match({
+ processors: [
+ select14,
+ part58,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg39 = msg("00002:32", all13);
+
+ var part59 = match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has been %{disposition->} for zone %{zone}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg40 = msg("00002:35", part59);
+
+ var part60 = match("MESSAGE#40:00002:36/0", "nwparser.payload", "Bypass%{p0}");
+
+ var part61 = match("MESSAGE#40:00002:36/1_0", "nwparser.p0", "-others-IPSec %{p0}");
+
+ var part62 = match("MESSAGE#40:00002:36/1_1", "nwparser.p0", " non-IP traffic %{p0}");
+
+ var select15 = linear_select([
+ part61,
+ part62,
+ ]);
+
+ var part63 = match("MESSAGE#40:00002:36/2", "nwparser.p0", "option has been %{disposition}");
+
+ var all14 = all_match({
+ processors: [
+ part60,
+ select15,
+ part63,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg41 = msg("00002:36", all14);
+
+ var part64 = match("MESSAGE#41:00002:37/0", "nwparser.payload", "Logging of %{p0}");
+
+ var part65 = match("MESSAGE#41:00002:37/1_0", "nwparser.p0", "dropped %{p0}");
+
+ var part66 = match("MESSAGE#41:00002:37/1_1", "nwparser.p0", "IKE %{p0}");
+
+ var part67 = match("MESSAGE#41:00002:37/1_2", "nwparser.p0", "SNMP %{p0}");
+
+ var part68 = match("MESSAGE#41:00002:37/1_3", "nwparser.p0", "ICMP %{p0}");
+
+ var select16 = linear_select([
+ part65,
+ part66,
+ part67,
+ part68,
+ ]);
+
+ var part69 = match("MESSAGE#41:00002:37/2", "nwparser.p0", "traffic to self has been %{disposition}");
+
+ var all15 = all_match({
+ processors: [
+ part64,
+ select16,
+ part69,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg42 = msg("00002:37", all15);
+
+ var part70 = match("MESSAGE#42:00002:38/0", "nwparser.payload", "Logging of dropped traffic to self (excluding multicast) has been %{p0}");
+
+ var part71 = match("MESSAGE#42:00002:38/1_0", "nwparser.p0", "%{disposition->} on %{zone}");
+
+ var select17 = linear_select([
+ part71,
+ dup36,
+ ]);
+
+ var all16 = all_match({
+ processors: [
+ part70,
+ select17,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg43 = msg("00002:38", all16);
+
+ var part72 = match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg44 = msg("00002:39", part72);
+
+ var part73 = match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{username}' by %{administrator->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([
+ dup37,
+ dup29,
+ setc("ec_activity","Create"),
+ dup38,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg45 = msg("00002:40", part73);
+
+ var part74 = match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requested for unknown user %{username}. Possible HA syncronization problem.", processor_chain([
+ dup35,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg46 = msg("00002:44", part74);
+
+ var part75 = match("MESSAGE#46:00002:42/0", "nwparser.payload", "%{change_attribute->} for account '%{change_old}' has been %{disposition->} to '%{change_new}' %{p0}");
+
+ var part76 = match("MESSAGE#46:00002:42/1_0", "nwparser.p0", "by %{administrator->} via %{p0}");
+
+ var select18 = linear_select([
+ part76,
+ dup40,
+ ]);
+
+ var part77 = match("MESSAGE#46:00002:42/2", "nwparser.p0", "%{logon_type->} from host %{p0}");
+
+ var part78 = match("MESSAGE#46:00002:42/3_0", "nwparser.p0", "%{saddr->} to %{daddr}:%{dport->} (%{p0}");
+
+ var part79 = match("MESSAGE#46:00002:42/3_1", "nwparser.p0", "%{saddr}:%{sport->} (%{p0}");
+
+ var select19 = linear_select([
+ part78,
+ part79,
+ ]);
+
+ var all17 = all_match({
+ processors: [
+ part75,
+ select18,
+ part77,
+ select19,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup42,
+ dup43,
+ dup38,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg47 = msg("00002:42", all17);
+
+ var part80 = match("MESSAGE#47:00002:43/0", "nwparser.payload", "Admin account %{disposition->} for %{p0}");
+
+ var part81 = match("MESSAGE#47:00002:43/1_0", "nwparser.p0", "'%{username}'%{p0}");
+
+ var part82 = match("MESSAGE#47:00002:43/1_1", "nwparser.p0", "\"%{username}\"%{p0}");
+
+ var select20 = linear_select([
+ part81,
+ part82,
+ ]);
+
+ var part83 = match("MESSAGE#47:00002:43/2", "nwparser.p0", "%{}by %{administrator->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})");
+
+ var all18 = all_match({
+ processors: [
+ part80,
+ select20,
+ part83,
+ ],
+ on_success: processor_chain([
+ dup42,
+ dup29,
+ dup43,
+ dup38,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg48 = msg("00002:43", all18);
+
+ var part84 = match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([
+ dup42,
+ dup29,
+ dup43,
+ dup38,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg49 = msg("00002:50", part84);
+
+ var part85 = match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} %{fld2->} via %{logon_type->} (%{fld1})", processor_chain([
+ dup42,
+ dup29,
+ dup43,
+ dup38,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg50 = msg("00002:51", part85);
+
+ var part86 = match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg51 = msg("00002:45", part86);
+
+ var part87 = match("MESSAGE#51:00002:47/0_0", "nwparser.payload", "Ping of Death attack protection %{p0}");
+
+ var part88 = match("MESSAGE#51:00002:47/0_1", "nwparser.payload", "Src Route IP option filtering %{p0}");
+
+ var part89 = match("MESSAGE#51:00002:47/0_2", "nwparser.payload", "Teardrop attack protection %{p0}");
+
+ var part90 = match("MESSAGE#51:00002:47/0_3", "nwparser.payload", "Land attack protection %{p0}");
+
+ var part91 = match("MESSAGE#51:00002:47/0_4", "nwparser.payload", "SYN flood protection %{p0}");
+
+ var select21 = linear_select([
+ part87,
+ part88,
+ part89,
+ part90,
+ part91,
+ ]);
+
+ var part92 = match("MESSAGE#51:00002:47/1", "nwparser.p0", "is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})");
+
+ var all19 = all_match({
+ processors: [
+ select21,
+ part92,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg52 = msg("00002:47", all19);
+
+ var part93 = match("MESSAGE#52:00002:48/0", "nwparser.payload", "Dropping pkts if not %{p0}");
+
+ var part94 = match("MESSAGE#52:00002:48/1_0", "nwparser.p0", "exactly same with incoming if %{p0}");
+
+ var part95 = match("MESSAGE#52:00002:48/1_1", "nwparser.p0", "in route table %{p0}");
+
+ var select22 = linear_select([
+ part94,
+ part95,
+ ]);
+
+ var part96 = match("MESSAGE#52:00002:48/2", "nwparser.p0", "(IP spoof protection) is %{disposition->} on zone %{zone->} by %{username->} via %{p0}");
+
+ var part97 = match("MESSAGE#52:00002:48/3_0", "nwparser.p0", "NSRP Peer. (%{p0}");
+
+ var select23 = linear_select([
+ part97,
+ dup45,
+ ]);
+
+ var all20 = all_match({
+ processors: [
+ part93,
+ select22,
+ part96,
+ select23,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg53 = msg("00002:48", all20);
+
+ var part98 = match("MESSAGE#53:00002:52/0", "nwparser.payload", "%{signame->} %{p0}");
+
+ var part99 = match("MESSAGE#53:00002:52/1_0", "nwparser.p0", "protection%{p0}");
+
+ var part100 = match("MESSAGE#53:00002:52/1_1", "nwparser.p0", "limiting%{p0}");
+
+ var part101 = match("MESSAGE#53:00002:52/1_2", "nwparser.p0", "detection%{p0}");
+
+ var part102 = match("MESSAGE#53:00002:52/1_3", "nwparser.p0", "filtering %{p0}");
+
+ var select24 = linear_select([
+ part99,
+ part100,
+ part101,
+ part102,
+ ]);
+
+ var part103 = match("MESSAGE#53:00002:52/2", "nwparser.p0", "%{}is %{disposition->} on zone %{zone->} by %{p0}");
+
+ var part104 = match("MESSAGE#53:00002:52/3_1", "nwparser.p0", "admin via %{p0}");
+
+ var select25 = linear_select([
+ dup46,
+ part104,
+ dup47,
+ ]);
+
+ var select26 = linear_select([
+ dup48,
+ dup45,
+ ]);
+
+ var all21 = all_match({
+ processors: [
+ part98,
+ select24,
+ part103,
+ select25,
+ select26,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg54 = msg("00002:52", all21);
+
+ var part105 = match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"%{username}\" has been %{disposition->} by %{administrator->} via %{logon_type->} (%{fld1})", processor_chain([
+ dup42,
+ dup43,
+ dup38,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg55 = msg("00002:53", part105);
+
+ var part106 = match("MESSAGE#55:00002:54/0", "nwparser.payload", "Traffic shaping clearing DSCP selector is turned O%{p0}");
+
+ var part107 = match("MESSAGE#55:00002:54/1_0", "nwparser.p0", "FF%{p0}");
+
+ var part108 = match("MESSAGE#55:00002:54/1_1", "nwparser.p0", "N%{p0}");
+
+ var select27 = linear_select([
+ part107,
+ part108,
+ ]);
+
+ var all22 = all_match({
+ processors: [
+ part106,
+ select27,
+ dup49,
+ ],
+ on_success: processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg56 = msg("00002:54", all22);
+
+ var part109 = match("MESSAGE#56:00002/0", "nwparser.payload", "%{change_attribute->} %{p0}");
+
+ var part110 = match("MESSAGE#56:00002/1_0", "nwparser.p0", "has been changed%{p0}");
+
+ var select28 = linear_select([
+ part110,
+ dup52,
+ ]);
+
+ var part111 = match("MESSAGE#56:00002/2", "nwparser.p0", "%{}from %{change_old->} to %{change_new}");
+
+ var all23 = all_match({
+ processors: [
+ part109,
+ select28,
+ part111,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg57 = msg("00002", all23);
+
+ var part112 = match("MESSAGE#1215:00002:56", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed. (%{fld1})", processor_chain([
+ dup53,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg58 = msg("00002:56", part112);
+
+ var select29 = linear_select([
+ msg11,
+ msg12,
+ msg13,
+ msg14,
+ msg15,
+ msg16,
+ msg17,
+ msg18,
+ msg19,
+ msg20,
+ msg21,
+ msg22,
+ msg23,
+ msg24,
+ msg25,
+ msg26,
+ msg27,
+ msg28,
+ msg29,
+ msg30,
+ msg31,
+ msg32,
+ msg33,
+ msg34,
+ msg35,
+ msg36,
+ msg37,
+ msg38,
+ msg39,
+ msg40,
+ msg41,
+ msg42,
+ msg43,
+ msg44,
+ msg45,
+ msg46,
+ msg47,
+ msg48,
+ msg49,
+ msg50,
+ msg51,
+ msg52,
+ msg53,
+ msg54,
+ msg55,
+ msg56,
+ msg57,
+ msg58,
+ ]);
+
+ var part113 = match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([
+ dup53,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg59 = msg("00003", part113);
+
+ var part114 = match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failures have been detected!%{}", processor_chain([
+ dup53,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg60 = msg("00003:01", part114);
+
+ var part115 = match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has been %{disposition}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg61 = msg("00003:02", part115);
+
+ var part116 = match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed from %{change_old->} to %{change_new}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg62 = msg("00003:03", part116);
+
+ var part117 = match("MESSAGE#61:00003:05/1_0", "nwparser.p0", "serial%{p0}");
+
+ var part118 = match("MESSAGE#61:00003:05/1_1", "nwparser.p0", "local%{p0}");
+
+ var select30 = linear_select([
+ part117,
+ part118,
+ ]);
+
+ var part119 = match("MESSAGE#61:00003:05/2", "nwparser.p0", "%{}console has been %{disposition->} by admin %{administrator}.");
+
+ var all24 = all_match({
+ processors: [
+ dup55,
+ select30,
+ part119,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg63 = msg("00003:05", all24);
+
+ var select31 = linear_select([
+ msg59,
+ msg60,
+ msg61,
+ msg62,
+ msg63,
+ ]);
+
+ var part120 = match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been changed", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg64 = msg("00004", part120);
+
+ var part121 = match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{disposition}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg65 = msg("00004:01", part121);
+
+ var part122 = match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{disposition}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg66 = msg("00004:02", part122);
+
+ var part123 = match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been %{disposition}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg67 = msg("00004:03", part123);
+
+ var part124 = match("MESSAGE#66:00004:04/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr->} using protocol %{protocol->} on %{p0}");
+
+ var part125 = match("MESSAGE#66:00004:04/2", "nwparser.p0", "%{} %{interface->} %{space}The attack occurred %{dclass_counter1->} times");
+
+ var all25 = all_match({
+ processors: [
+ part124,
+ dup337,
+ part125,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup5,
+ dup59,
+ dup3,
+ dup60,
+ ]),
+ });
+
+ var msg68 = msg("00004:04", all25);
+
+ var part126 = match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol}", processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup61,
+ ]));
+
+ var msg69 = msg("00004:05", part126);
+
+ var part127 = match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been changed to start at %{fld2}:%{fld3->} with an interval of %{fld4}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg70 = msg("00004:06", part127);
+
+ var part128 = match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have been refreshed as result of external event.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg71 = msg("00004:07", part128);
+
+ var part129 = match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg72 = msg("00004:08", part129);
+
+ var part130 = match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more concurrent client requests than allowed.%{}", processor_chain([
+ dup62,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg73 = msg("00004:09", part130);
+
+ var part131 = match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table entries exceeded maximum limit.%{}", processor_chain([
+ dup62,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg74 = msg("00004:10", part131);
+
+ var part132 = match("MESSAGE#73:00004:11", "nwparser.payload", "Proxy server select table added with domain %{domain}, interface %{interface}, primary-ip %{fld2}, secondary-ip %{fld3}, tertiary-ip %{fld4}, failover %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg75 = msg("00004:11", part132);
+
+ var part133 = match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table entry %{disposition->} with domain %{domain}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg76 = msg("00004:12", part133);
+
+ var part134 = match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} returned incorrect ip %{fld2}, local-ip should be %{fld3}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg77 = msg("00004:13", part134);
+
+ var part135 = match("MESSAGE#76:00004:14/1_0", "nwparser.p0", "automatically refreshed %{p0}");
+
+ var part136 = match("MESSAGE#76:00004:14/1_1", "nwparser.p0", "refreshed by HA %{p0}");
+
+ var select32 = linear_select([
+ part135,
+ part136,
+ ]);
+
+ var all26 = all_match({
+ processors: [
+ dup63,
+ select32,
+ dup49,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg78 = msg("00004:14", all26);
+
+ var part137 = match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshed as result of DNS server address change. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg79 = msg("00004:15", part137);
+
+ var part138 = match("MESSAGE#78:00004:16", "nwparser.payload", "DNS entries have been manually refreshed. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg80 = msg("00004:16", part138);
+
+ var all27 = all_match({
+ processors: [
+ dup64,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup59,
+ dup9,
+ dup5,
+ dup3,
+ dup60,
+ ]),
+ });
+
+ var msg81 = msg("00004:17", all27);
+
+ var select33 = linear_select([
+ msg64,
+ msg65,
+ msg66,
+ msg67,
+ msg68,
+ msg69,
+ msg70,
+ msg71,
+ msg72,
+ msg73,
+ msg74,
+ msg75,
+ msg76,
+ msg77,
+ msg78,
+ msg79,
+ msg80,
+ msg81,
+ ]);
+
+ var part139 = match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from the same source has been changed to %{trigger_val}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg82 = msg("00005", part139);
+
+ var part140 = match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic to self has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg83 = msg("00005:01", part140);
+
+ var part141 = match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been changed to %{fld3}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg84 = msg("00005:02", part141);
+
+ var part142 = match("MESSAGE#83:00005:03/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{p0}");
+
+ var part143 = match("MESSAGE#83:00005:03/4", "nwparser.p0", "%{fld99}interface %{interface->} %{p0}");
+
+ var part144 = match("MESSAGE#83:00005:03/5_0", "nwparser.p0", "in zone %{zone}. %{p0}");
+
+ var select34 = linear_select([
+ part144,
+ dup73,
+ ]);
+
+ var part145 = match("MESSAGE#83:00005:03/6", "nwparser.p0", "%{space}The attack occurred %{dclass_counter1->} times");
+
+ var all28 = all_match({
+ processors: [
+ part142,
+ dup339,
+ dup70,
+ dup340,
+ part143,
+ select34,
+ part145,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup59,
+ dup61,
+ ]),
+ });
+
+ var msg85 = msg("00005:03", all28);
+
+ var msg86 = msg("00005:04", dup341);
+
+ var part146 = match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2->} mode when receiving unknown dst mac has been %{disposition->} on %{zone}.", processor_chain([
+ setc("eventcategory","1001020100"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg87 = msg("00005:05", part146);
+
+ var part147 = match("MESSAGE#86:00005:06/1", "nwparser.p0", "flood timeout has been set to %{trigger_val->} on %{zone}.");
+
+ var all29 = all_match({
+ processors: [
+ dup342,
+ part147,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg88 = msg("00005:06", all29);
+
+ var part148 = match("MESSAGE#87:00005:07/0", "nwparser.payload", "SYN flood %{p0}");
+
+ var part149 = match("MESSAGE#87:00005:07/1_0", "nwparser.p0", "alarm threshold %{p0}");
+
+ var part150 = match("MESSAGE#87:00005:07/1_1", "nwparser.p0", "packet queue size %{p0}");
+
+ var part151 = match("MESSAGE#87:00005:07/1_3", "nwparser.p0", "attack threshold %{p0}");
+
+ var part152 = match("MESSAGE#87:00005:07/1_4", "nwparser.p0", "same source IP threshold %{p0}");
+
+ var select35 = linear_select([
+ part149,
+ part150,
+ dup76,
+ part151,
+ part152,
+ ]);
+
+ var part153 = match("MESSAGE#87:00005:07/2", "nwparser.p0", "is set to %{trigger_val}.");
+
+ var all30 = all_match({
+ processors: [
+ part148,
+ select35,
+ part153,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg89 = msg("00005:07", all30);
+
+ var part154 = match("MESSAGE#88:00005:08/1", "nwparser.p0", "flood same %{p0}");
+
+ var select36 = linear_select([
+ dup77,
+ dup78,
+ ]);
+
+ var part155 = match("MESSAGE#88:00005:08/3", "nwparser.p0", "ip threshold has been set to %{trigger_val->} on %{zone}.");
+
+ var all31 = all_match({
+ processors: [
+ dup342,
+ part154,
+ select36,
+ part155,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg90 = msg("00005:08", all31);
+
+ var part156 = match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is %{disposition->} on interface %{interface}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg91 = msg("00005:09", part156);
+
+ var part157 = match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is %{disposition->} on %{zone}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg92 = msg("00005:10", part157);
+
+ var part158 = match("MESSAGE#91:00005:11/0", "nwparser.payload", "The SYN flood %{p0}");
+
+ var part159 = match("MESSAGE#91:00005:11/1_0", "nwparser.p0", "alarm threshold%{}");
+
+ var part160 = match("MESSAGE#91:00005:11/1_1", "nwparser.p0", "packet queue size%{}");
+
+ var part161 = match("MESSAGE#91:00005:11/1_2", "nwparser.p0", "timeout value%{}");
+
+ var part162 = match("MESSAGE#91:00005:11/1_3", "nwparser.p0", "attack threshold%{}");
+
+ var part163 = match("MESSAGE#91:00005:11/1_4", "nwparser.p0", "same source IP%{}");
+
+ var select37 = linear_select([
+ part159,
+ part160,
+ part161,
+ part162,
+ part163,
+ ]);
+
+ var all32 = all_match({
+ processors: [
+ part158,
+ select37,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg93 = msg("00005:11", all32);
+
+ var part164 = match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshold value has been set to %{trigger_val->} on %{interface}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg94 = msg("00005:12", part164);
+
+ var part165 = match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg95 = msg("00005:13", part165);
+
+ var part166 = match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unknown mac!%{}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg96 = msg("00005:14", part166);
+
+ var part167 = match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold has been changed to %{trigger_val}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg97 = msg("00005:15", part167);
+
+ var part168 = match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg98 = msg("00005:16", part168);
+
+ var part169 = match("MESSAGE#97:00005:17/1_0", "nwparser.p0", "destination-based %{p0}");
+
+ var part170 = match("MESSAGE#97:00005:17/1_1", "nwparser.p0", "source-based %{p0}");
+
+ var select38 = linear_select([
+ part169,
+ part170,
+ ]);
+
+ var part171 = match("MESSAGE#97:00005:17/2", "nwparser.p0", "session-limit threshold has been set at %{trigger_val->} in zone %{zone}.");
+
+ var all33 = all_match({
+ processors: [
+ dup79,
+ select38,
+ part171,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg99 = msg("00005:17", all33);
+
+ var all34 = all_match({
+ processors: [
+ dup80,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup84,
+ dup2,
+ dup59,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg100 = msg("00005:18", all34);
+
+ var part172 = match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup84,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup59,
+ dup61,
+ ]));
+
+ var msg101 = msg("00005:19", part172);
+
+ var part173 = match("MESSAGE#100:00005:20", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} int %{interface}).%{space->} Occurred %{fld2->} times. (%{fld1})\u003c\u003c%{fld6}>", processor_chain([
+ dup84,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg102 = msg("00005:20", part173);
+
+ var select39 = linear_select([
+ msg82,
+ msg83,
+ msg84,
+ msg85,
+ msg86,
+ msg87,
+ msg88,
+ msg89,
+ msg90,
+ msg91,
+ msg92,
+ msg93,
+ msg94,
+ msg95,
+ msg96,
+ msg97,
+ msg98,
+ msg99,
+ msg100,
+ msg101,
+ msg102,
+ ]);
+
+ var part174 = match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup85,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup61,
+ ]));
+
+ var msg103 = msg("00006", part174);
+
+ var part175 = match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname}\"", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg104 = msg("00006:01", part175);
+
+ var part176 = match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg105 = msg("00006:02", part176);
+
+ var part177 = match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg106 = msg("00006:03", part177);
+
+ var part178 = match("MESSAGE#105:00006:04/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}");
+
+ var all35 = all_match({
+ processors: [
+ part178,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup84,
+ dup2,
+ dup59,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg107 = msg("00006:04", all35);
+
+ var all36 = all_match({
+ processors: [
+ dup64,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup84,
+ dup2,
+ dup59,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg108 = msg("00006:05", all36);
+
+ var select40 = linear_select([
+ msg103,
+ msg104,
+ msg105,
+ msg106,
+ msg107,
+ msg108,
+ ]);
+
+ var part179 = match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg109 = msg("00007", part179);
+
+ var part180 = match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the local NetScreen device has changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg110 = msg("00007:01", part180);
+
+ var part181 = match("MESSAGE#109:00007:02/0", "nwparser.payload", "HA state of the local device has changed to backup because a device with a %{p0}");
+
+ var part182 = match("MESSAGE#109:00007:02/1_0", "nwparser.p0", "higher priority has been detected%{}");
+
+ var part183 = match("MESSAGE#109:00007:02/1_1", "nwparser.p0", "lower MAC value has been detected%{}");
+
+ var select41 = linear_select([
+ part182,
+ part183,
+ ]);
+
+ var all37 = all_match({
+ processors: [
+ part181,
+ select41,
+ ],
+ on_success: processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg111 = msg("00007:02", all37);
+
+ var part184 = match("MESSAGE#110:00007:03", "nwparser.payload", "HA state of the local device has changed to init because IP tracking has failed%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg112 = msg("00007:03", part184);
+
+ var select42 = linear_select([
+ dup88,
+ dup89,
+ ]);
+
+ var part185 = match("MESSAGE#111:00007:04/4", "nwparser.p0", "has been changed%{}");
+
+ var all38 = all_match({
+ processors: [
+ dup87,
+ select42,
+ dup23,
+ dup344,
+ part185,
+ ],
+ on_success: processor_chain([
+ dup91,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg113 = msg("00007:04", all38);
+
+ var part186 = match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device has been elected backup because a master already exists%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg114 = msg("00007:05", part186);
+
+ var part187 = match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg115 = msg("00007:06", part187);
+
+ var part188 = match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg116 = msg("00007:07", part188);
+
+ var part189 = match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been elected master because no other master exists%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg117 = msg("00007:08", part189);
+
+ var part190 = match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has been changed to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg118 = msg("00007:09", part190);
+
+ var part191 = match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promoted the local NetScreen device to master%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg119 = msg("00007:10", part191);
+
+ var part192 = match("MESSAGE#118:00007:11/0", "nwparser.payload", "IP tracking device failover threshold has been %{p0}");
+
+ var select43 = linear_select([
+ dup92,
+ dup93,
+ ]);
+
+ var all39 = all_match({
+ processors: [
+ part192,
+ select43,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg120 = msg("00007:11", all39);
+
+ var part193 = match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg121 = msg("00007:12", part193);
+
+ var part194 = match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} with interval %{fld2->} threshold %{trigger_val->} weight %{fld4->} interface %{interface->} method %{fld5->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg122 = msg("00007:13", part194);
+
+ var part195 = match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup85,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup60,
+ ]));
+
+ var msg123 = msg("00007:14", part195);
+
+ var part196 = match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been changed to %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg124 = msg("00007:15", part196);
+
+ var part197 = match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration and status changes to NetScreen-Global Manager has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg125 = msg("00007:16", part197);
+
+ var part198 = match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg126 = msg("00007:17", part198);
+
+ var part199 = match("MESSAGE#125:00007:18/0", "nwparser.payload", "Tracked IP %{hostip->} options have been changed from int %{fld2->} thr %{fld3->} wgt %{fld4->} inf %{fld5->} %{p0}");
+
+ var part200 = match("MESSAGE#125:00007:18/1_0", "nwparser.p0", "ping %{p0}");
+
+ var part201 = match("MESSAGE#125:00007:18/1_1", "nwparser.p0", "ARP %{p0}");
+
+ var select44 = linear_select([
+ part200,
+ part201,
+ ]);
+
+ var part202 = match("MESSAGE#125:00007:18/2", "nwparser.p0", "to %{fld6->} %{p0}");
+
+ var part203 = match("MESSAGE#125:00007:18/3_0", "nwparser.p0", "ping%{}");
+
+ var part204 = match("MESSAGE#125:00007:18/3_1", "nwparser.p0", "ARP%{}");
+
+ var select45 = linear_select([
+ part203,
+ part204,
+ ]);
+
+ var all40 = all_match({
+ processors: [
+ part199,
+ select44,
+ part202,
+ select45,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg127 = msg("00007:18", all40);
+
+ var part205 = match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} path from %{change_old->} to %{change_new}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg128 = msg("00007:20", part205);
+
+ var part206 = match("MESSAGE#127:00007:21/0", "nwparser.payload", "HA Slave is %{p0}");
+
+ var all41 = all_match({
+ processors: [
+ part206,
+ dup345,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg129 = msg("00007:21", all41);
+
+ var part207 = match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{groupid}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg130 = msg("00007:22", part207);
+
+ var part208 = match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg131 = msg("00007:23", part208);
+
+ var part209 = match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg132 = msg("00007:24", part209);
+
+ var part210 = match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial state.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg133 = msg("00007:25", part210);
+
+ var part211 = match("MESSAGE#132:00007:26/0", "nwparser.payload", "HA: Change state to slave for %{p0}");
+
+ var part212 = match("MESSAGE#132:00007:26/1_0", "nwparser.p0", "tracking ip failed%{}");
+
+ var part213 = match("MESSAGE#132:00007:26/1_1", "nwparser.p0", "linkdown%{}");
+
+ var select46 = linear_select([
+ part212,
+ part213,
+ ]);
+
+ var all42 = all_match({
+ processors: [
+ part211,
+ select46,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg134 = msg("00007:26", all42);
+
+ var part214 = match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command issued from original master to change state%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg135 = msg("00007:27", part214);
+
+ var part215 = match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other master%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg136 = msg("00007:28", part215);
+
+ var part216 = match("MESSAGE#135:00007:29/0", "nwparser.payload", "HA: Elected slave %{p0}");
+
+ var part217 = match("MESSAGE#135:00007:29/1_0", "nwparser.p0", "lower priority%{}");
+
+ var part218 = match("MESSAGE#135:00007:29/1_1", "nwparser.p0", "MAC value is larger%{}");
+
+ var part219 = match("MESSAGE#135:00007:29/1_2", "nwparser.p0", "master already exists%{}");
+
+ var part220 = match("MESSAGE#135:00007:29/1_3", "nwparser.p0", "detect new master with higher priority%{}");
+
+ var part221 = match("MESSAGE#135:00007:29/1_4", "nwparser.p0", "detect new master with smaller MAC value%{}");
+
+ var select47 = linear_select([
+ part217,
+ part218,
+ part219,
+ part220,
+ part221,
+ ]);
+
+ var all43 = all_match({
+ processors: [
+ part216,
+ select47,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg137 = msg("00007:29", all43);
+
+ var part222 = match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command issued from original master to change state%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg138 = msg("00007:30", part222);
+
+ var part223 = match("MESSAGE#137:00007:31/0", "nwparser.payload", "HA: ha link %{p0}");
+
+ var all44 = all_match({
+ processors: [
+ part223,
+ dup345,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg139 = msg("00007:31", all44);
+
+ var part224 = match("MESSAGE#138:00007:32/0", "nwparser.payload", "NSRP %{fld2->} %{p0}");
+
+ var select48 = linear_select([
+ dup89,
+ dup88,
+ ]);
+
+ var part225 = match("MESSAGE#138:00007:32/4", "nwparser.p0", "changed.%{}");
+
+ var all45 = all_match({
+ processors: [
+ part224,
+ select48,
+ dup23,
+ dup344,
+ part225,
+ ],
+ on_success: processor_chain([
+ dup91,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg140 = msg("00007:32", all45);
+
+ var part226 = match("MESSAGE#139:00007:33/0_0", "nwparser.payload", "NSRP: VSD %{p0}");
+
+ var part227 = match("MESSAGE#139:00007:33/0_1", "nwparser.payload", "Virtual Security Device group %{p0}");
+
+ var select49 = linear_select([
+ part226,
+ part227,
+ ]);
+
+ var part228 = match("MESSAGE#139:00007:33/1", "nwparser.p0", "%{fld2->} change%{p0}");
+
+ var part229 = match("MESSAGE#139:00007:33/2_0", "nwparser.p0", "d %{p0}");
+
+ var select50 = linear_select([
+ part229,
+ dup96,
+ ]);
+
+ var part230 = match("MESSAGE#139:00007:33/3", "nwparser.p0", "to %{fld3->} mode.");
+
+ var all46 = all_match({
+ processors: [
+ select49,
+ part228,
+ select50,
+ part230,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg141 = msg("00007:33", all46);
+
+ var part231 = match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} dropped: invalid encryption password.", processor_chain([
+ dup97,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg142 = msg("00007:34", part231);
+
+ var part232 = match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change to %{interface}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg143 = msg("00007:35", part232);
+
+ var part233 = match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} local unit=%{fld3->} duplicate from unit=%{fld4}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg144 = msg("00007:36", part233);
+
+ var part234 = match("MESSAGE#143:00007:37/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} is %{p0}");
+
+ var all47 = all_match({
+ processors: [
+ part234,
+ dup346,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg145 = msg("00007:37", all47);
+
+ var part235 = match("MESSAGE#144:00007:38/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} peer=%{fld3->} from %{p0}");
+
+ var part236 = match("MESSAGE#144:00007:38/4", "nwparser.p0", "state %{p0}");
+
+ var part237 = match("MESSAGE#144:00007:38/5_0", "nwparser.p0", "missed heartbeat%{}");
+
+ var part238 = match("MESSAGE#144:00007:38/5_1", "nwparser.p0", "group detached%{}");
+
+ var select51 = linear_select([
+ part237,
+ part238,
+ ]);
+
+ var all48 = all_match({
+ processors: [
+ part235,
+ dup347,
+ dup103,
+ dup347,
+ part236,
+ select51,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg146 = msg("00007:38", all48);
+
+ var part239 = match("MESSAGE#145:00007:39/0", "nwparser.payload", "RTO mirror group id=%{groupid->} is %{p0}");
+
+ var all49 = all_match({
+ processors: [
+ part239,
+ dup346,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg147 = msg("00007:39", all49);
+
+ var part240 = match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (ifnum=%{fld3}) as secondary HA path", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg148 = msg("00007:40", part240);
+
+ var part241 = match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{fld2}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg149 = msg("00007:41", part241);
+
+ var part242 = match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fld2->} (ifnum=%{fld3})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg150 = msg("00007:42", part242);
+
+ var part243 = match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg151 = msg("00007:43", part243);
+
+ var part244 = match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is %{disposition->} total number=%{fld3}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg152 = msg("00007:44", part244);
+
+ var part245 = match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local unit %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg153 = msg("00007:45", part245);
+
+ var part246 = match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup85,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup60,
+ ]));
+
+ var msg154 = msg("00007:46", part246);
+
+ var part247 = match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to interface %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg155 = msg("00007:47", part247);
+
+ var part248 = match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped because it contained an invalid encryption password.", processor_chain([
+ dup97,
+ dup2,
+ dup3,
+ dup4,
+ setc("disposition","dropped"),
+ setc("result","Invalid encryption Password"),
+ ]));
+
+ var msg156 = msg("00007:48", part248);
+
+ var part249 = match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of all Virtual Security Device groups changed from %{change_old->} to %{change_new}", processor_chain([
+ setc("eventcategory","1604000000"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg157 = msg("00007:49", part249);
+
+ var part250 = match("MESSAGE#156:00007:50/0", "nwparser.payload", "Device %{fld2->} %{p0}");
+
+ var part251 = match("MESSAGE#156:00007:50/1_0", "nwparser.p0", "has joined %{p0}");
+
+ var part252 = match("MESSAGE#156:00007:50/1_1", "nwparser.p0", "quit current %{p0}");
+
+ var select52 = linear_select([
+ part251,
+ part252,
+ ]);
+
+ var part253 = match("MESSAGE#156:00007:50/2", "nwparser.p0", "NSRP cluster %{fld3}");
+
+ var all50 = all_match({
+ processors: [
+ part250,
+ select52,
+ part253,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg158 = msg("00007:50", all50);
+
+ var part254 = match("MESSAGE#157:00007:51/0", "nwparser.payload", "Virtual Security Device group %{group->} was %{p0}");
+
+ var part255 = match("MESSAGE#157:00007:51/1_1", "nwparser.p0", "deleted %{p0}");
+
+ var select53 = linear_select([
+ dup104,
+ part255,
+ ]);
+
+ var select54 = linear_select([
+ dup105,
+ dup73,
+ ]);
+
+ var part256 = match("MESSAGE#157:00007:51/4", "nwparser.p0", "The total number of members in the group %{p0}");
+
+ var select55 = linear_select([
+ dup106,
+ dup107,
+ ]);
+
+ var all51 = all_match({
+ processors: [
+ part254,
+ select53,
+ dup23,
+ select54,
+ part256,
+ select55,
+ dup108,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg159 = msg("00007:51", all51);
+
+ var part257 = match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group %{group->} %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg160 = msg("00007:52", part257);
+
+ var part258 = match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the devices was set to interface %{interface->} with ifnum %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg161 = msg("00007:53", part258);
+
+ var part259 = match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of the devices changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg162 = msg("00007:54", part259);
+
+ var part260 = match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} with ifnum %{fld2->} was removed from the secondary HA path of the devices.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg163 = msg("00007:55", part260);
+
+ var part261 = match("MESSAGE#162:00007:56", "nwparser.payload", "The probe that detects the status of High Availability link %{fld2->} was %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg164 = msg("00007:56", part261);
+
+ var select56 = linear_select([
+ dup109,
+ dup110,
+ ]);
+
+ var select57 = linear_select([
+ dup111,
+ dup112,
+ ]);
+
+ var part262 = match("MESSAGE#163:00007:57/4", "nwparser.p0", "the probe detecting the status of High Availability link %{fld2->} was set to %{fld3}");
+
+ var all52 = all_match({
+ processors: [
+ dup55,
+ select56,
+ dup23,
+ select57,
+ part262,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg165 = msg("00007:57", all52);
+
+ var part263 = match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} for session synchronization(s) was accepted.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg166 = msg("00007:58", part263);
+
+ var part264 = match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchronization by device %{fld2->} completed.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg167 = msg("00007:59", part264);
+
+ var part265 = match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group %{group->} direction was set to %{direction}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg168 = msg("00007:60", part265);
+
+ var part266 = match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group %{group->} was set.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg169 = msg("00007:61", part266);
+
+ var part267 = match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group %{group->} with direction %{direction->} was unset.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg170 = msg("00007:62", part267);
+
+ var part268 = match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} was unset.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg171 = msg("00007:63", part268);
+
+ var part269 = match("MESSAGE#170:00007:64/1", "nwparser.p0", "%{fld2->} was removed from the monitoring list %{p0}");
+
+ var part270 = match("MESSAGE#170:00007:64/3", "nwparser.p0", "%{fld3}");
+
+ var all53 = all_match({
+ processors: [
+ dup348,
+ part269,
+ dup349,
+ part270,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg172 = msg("00007:64", all53);
+
+ var part271 = match("MESSAGE#171:00007:65/1", "nwparser.p0", "%{fld2->} with weight %{fld3->} was added%{p0}");
+
+ var part272 = match("MESSAGE#171:00007:65/2_0", "nwparser.p0", " to or updated on %{p0}");
+
+ var part273 = match("MESSAGE#171:00007:65/2_1", "nwparser.p0", "/updated to %{p0}");
+
+ var select58 = linear_select([
+ part272,
+ part273,
+ ]);
+
+ var part274 = match("MESSAGE#171:00007:65/3", "nwparser.p0", "the monitoring list %{p0}");
+
+ var part275 = match("MESSAGE#171:00007:65/5", "nwparser.p0", "%{fld4}");
+
+ var all54 = all_match({
+ processors: [
+ dup348,
+ part271,
+ select58,
+ part274,
+ dup349,
+ part275,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg173 = msg("00007:65", all54);
+
+ var part276 = match("MESSAGE#172:00007:66/0_0", "nwparser.payload", "The monitoring %{p0}");
+
+ var part277 = match("MESSAGE#172:00007:66/0_1", "nwparser.payload", "Monitoring %{p0}");
+
+ var select59 = linear_select([
+ part276,
+ part277,
+ ]);
+
+ var part278 = match("MESSAGE#172:00007:66/1", "nwparser.p0", "threshold was modified to %{trigger_val->} o%{p0}");
+
+ var part279 = match("MESSAGE#172:00007:66/2_0", "nwparser.p0", "f %{p0}");
+
+ var select60 = linear_select([
+ part279,
+ dup115,
+ ]);
+
+ var all55 = all_match({
+ processors: [
+ select59,
+ part278,
+ select60,
+ dup108,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg174 = msg("00007:66", all55);
+
+ var part280 = match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg175 = msg("00007:67", part280);
+
+ var part281 = match("MESSAGE#174:00007:68/0", "nwparser.payload", "NSRP b%{p0}");
+
+ var part282 = match("MESSAGE#174:00007:68/1_0", "nwparser.p0", "lack %{p0}");
+
+ var part283 = match("MESSAGE#174:00007:68/1_1", "nwparser.p0", "ack %{p0}");
+
+ var select61 = linear_select([
+ part282,
+ part283,
+ ]);
+
+ var part284 = match("MESSAGE#174:00007:68/2", "nwparser.p0", "hole prevention %{disposition}. Master(s) of Virtual Security Device groups %{p0}");
+
+ var part285 = match("MESSAGE#174:00007:68/3_0", "nwparser.p0", "may not exist %{p0}");
+
+ var part286 = match("MESSAGE#174:00007:68/3_1", "nwparser.p0", "always exists %{p0}");
+
+ var select62 = linear_select([
+ part285,
+ part286,
+ ]);
+
+ var all56 = all_match({
+ processors: [
+ part281,
+ select61,
+ part284,
+ select62,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg176 = msg("00007:68", all56);
+
+ var part287 = match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchronization between devices was %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg177 = msg("00007:69", part287);
+
+ var part288 = match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was changed.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg178 = msg("00007:70", part288);
+
+ var part289 = match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Active mode was %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg179 = msg("00007:71", part289);
+
+ var part290 = match("MESSAGE#178:00007:72", "nwparser.payload", "NSRP: nsrp link probe enable on %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg180 = msg("00007:72", part290);
+
+ var select63 = linear_select([
+ msg109,
+ msg110,
+ msg111,
+ msg112,
+ msg113,
+ msg114,
+ msg115,
+ msg116,
+ msg117,
+ msg118,
+ msg119,
+ msg120,
+ msg121,
+ msg122,
+ msg123,
+ msg124,
+ msg125,
+ msg126,
+ msg127,
+ msg128,
+ msg129,
+ msg130,
+ msg131,
+ msg132,
+ msg133,
+ msg134,
+ msg135,
+ msg136,
+ msg137,
+ msg138,
+ msg139,
+ msg140,
+ msg141,
+ msg142,
+ msg143,
+ msg144,
+ msg145,
+ msg146,
+ msg147,
+ msg148,
+ msg149,
+ msg150,
+ msg151,
+ msg152,
+ msg153,
+ msg154,
+ msg155,
+ msg156,
+ msg157,
+ msg158,
+ msg159,
+ msg160,
+ msg161,
+ msg162,
+ msg163,
+ msg164,
+ msg165,
+ msg166,
+ msg167,
+ msg168,
+ msg169,
+ msg170,
+ msg171,
+ msg172,
+ msg173,
+ msg174,
+ msg175,
+ msg176,
+ msg177,
+ msg178,
+ msg179,
+ msg180,
+ ]);
+
+ var part291 = match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup61,
+ ]));
+
+ var msg181 = msg("00008", part291);
+
+ var msg182 = msg("00008:01", dup341);
+
+ var part292 = match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been changed%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg183 = msg("00008:02", part292);
+
+ var part293 = match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been updated through NTP%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg184 = msg("00008:03", part293);
+
+ var part294 = match("MESSAGE#183:00008:04/0", "nwparser.payload", "System clock %{p0}");
+
+ var part295 = match("MESSAGE#183:00008:04/1_0", "nwparser.p0", "configurations have been%{p0}");
+
+ var part296 = match("MESSAGE#183:00008:04/1_1", "nwparser.p0", "was%{p0}");
+
+ var part297 = match("MESSAGE#183:00008:04/1_2", "nwparser.p0", "is%{p0}");
+
+ var select64 = linear_select([
+ part295,
+ part296,
+ part297,
+ ]);
+
+ var part298 = match("MESSAGE#183:00008:04/2", "nwparser.p0", "%{}changed%{p0}");
+
+ var part299 = match("MESSAGE#183:00008:04/3_0", "nwparser.p0", " by admin %{administrator}");
+
+ var part300 = match("MESSAGE#183:00008:04/3_1", "nwparser.p0", " by %{username->} (%{fld1})");
+
+ var part301 = match("MESSAGE#183:00008:04/3_2", "nwparser.p0", " by %{username}");
+
+ var part302 = match("MESSAGE#183:00008:04/3_3", "nwparser.p0", " manually.%{}");
+
+ var part303 = match("MESSAGE#183:00008:04/3_4", "nwparser.p0", " manually%{}");
+
+ var select65 = linear_select([
+ part299,
+ part300,
+ part301,
+ part302,
+ part303,
+ dup21,
+ ]);
+
+ var all57 = all_match({
+ processors: [
+ part294,
+ select64,
+ part298,
+ select65,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg185 = msg("00008:04", all57);
+
+ var part304 = match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg186 = msg("00008:05", part304);
+
+ var part305 = match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup59,
+ dup61,
+ ]));
+
+ var msg187 = msg("00008:06", part305);
+
+ var part306 = match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup59,
+ dup60,
+ ]));
+
+ var msg188 = msg("00008:07", part306);
+
+ var part307 = match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup59,
+ dup60,
+ ]));
+
+ var msg189 = msg("00008:08", part307);
+
+ var part308 = match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manually%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg190 = msg("00008:09", part308);
+
+ var part309 = match("MESSAGE#189:00008:10/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol}(zone %{p0}");
+
+ var all58 = all_match({
+ processors: [
+ part309,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ dup60,
+ ]),
+ });
+
+ var msg191 = msg("00008:10", all58);
+
+ var select66 = linear_select([
+ msg181,
+ msg182,
+ msg183,
+ msg184,
+ msg185,
+ msg186,
+ msg187,
+ msg188,
+ msg189,
+ msg190,
+ msg191,
+ ]);
+
+ var part310 = match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the interface %{interface->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg192 = msg("00009", part310);
+
+ var part311 = match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg193 = msg("00009:01", part311);
+
+ var part312 = match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{interface->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg194 = msg("00009:02", part312);
+
+ var part313 = match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for interface %{interface->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg195 = msg("00009:03", part313);
+
+ var part314 = match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg196 = msg("00009:05", part314);
+
+ var part315 = match("MESSAGE#195:00009:06/0_0", "nwparser.payload", "%{fld2}: The 802.1Q tag %{p0}");
+
+ var part316 = match("MESSAGE#195:00009:06/0_1", "nwparser.payload", "The 802.1Q tag %{p0}");
+
+ var select67 = linear_select([
+ part315,
+ part316,
+ ]);
+
+ var select68 = linear_select([
+ dup119,
+ dup16,
+ ]);
+
+ var part317 = match("MESSAGE#195:00009:06/3", "nwparser.p0", "interface %{interface->} has been %{p0}");
+
+ var part318 = match("MESSAGE#195:00009:06/4_1", "nwparser.p0", "changed to %{p0}");
+
+ var select69 = linear_select([
+ dup120,
+ part318,
+ ]);
+
+ var part319 = match("MESSAGE#195:00009:06/6_0", "nwparser.p0", "%{info->} from host %{saddr}");
+
+ var part320 = match_copy("MESSAGE#195:00009:06/6_1", "nwparser.p0", "info");
+
+ var select70 = linear_select([
+ part319,
+ part320,
+ ]);
+
+ var all59 = all_match({
+ processors: [
+ select67,
+ dup118,
+ select68,
+ part317,
+ select69,
+ dup23,
+ select70,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg197 = msg("00009:06", all59);
+
+ var part321 = match("MESSAGE#196:00009:07/0", "nwparser.payload", "Maximum bandwidth %{fld2->} on %{p0}");
+
+ var part322 = match("MESSAGE#196:00009:07/2", "nwparser.p0", "%{} %{interface->} is less than t%{p0}");
+
+ var part323 = match("MESSAGE#196:00009:07/3_0", "nwparser.p0", "he total %{p0}");
+
+ var part324 = match("MESSAGE#196:00009:07/3_1", "nwparser.p0", "otal %{p0}");
+
+ var select71 = linear_select([
+ part323,
+ part324,
+ ]);
+
+ var part325 = match("MESSAGE#196:00009:07/4", "nwparser.p0", "guaranteed bandwidth %{fld3}");
+
+ var all60 = all_match({
+ processors: [
+ part321,
+ dup337,
+ part322,
+ select71,
+ part325,
+ ],
+ on_success: processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg198 = msg("00009:07", all60);
+
+ var part326 = match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth setting on the interface %{interface->} has been changed to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg199 = msg("00009:09", part326);
+
+ var part327 = match("MESSAGE#198:00009:10/0", "nwparser.payload", "The operational mode for the interface %{interface->} has been changed to %{p0}");
+
+ var part328 = match("MESSAGE#198:00009:10/1_0", "nwparser.p0", "Route%{}");
+
+ var part329 = match("MESSAGE#198:00009:10/1_1", "nwparser.p0", "NAT%{}");
+
+ var select72 = linear_select([
+ part328,
+ part329,
+ ]);
+
+ var all61 = all_match({
+ processors: [
+ part327,
+ select72,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg200 = msg("00009:10", all61);
+
+ var part330 = match("MESSAGE#199:00009:11/0_0", "nwparser.payload", "%{fld1}: VLAN %{p0}");
+
+ var part331 = match("MESSAGE#199:00009:11/0_1", "nwparser.payload", "VLAN %{p0}");
+
+ var select73 = linear_select([
+ part330,
+ part331,
+ ]);
+
+ var part332 = match("MESSAGE#199:00009:11/1", "nwparser.p0", "tag %{fld2->} has been %{disposition}");
+
+ var all62 = all_match({
+ processors: [
+ select73,
+ part332,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg201 = msg("00009:11", all62);
+
+ var part333 = match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{disposition->} on interface %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg202 = msg("00009:12", part333);
+
+ var part334 = match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on %{interface->} have been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg203 = msg("00009:13", part334);
+
+ var part335 = match("MESSAGE#202:00009:14/0_0", "nwparser.payload", "Global-PRO has been %{p0}");
+
+ var part336 = match("MESSAGE#202:00009:14/0_1", "nwparser.payload", "Global PRO has been %{p0}");
+
+ var part337 = match("MESSAGE#202:00009:14/0_2", "nwparser.payload", "DNS proxy was %{p0}");
+
+ var select74 = linear_select([
+ part335,
+ part336,
+ part337,
+ ]);
+
+ var part338 = match("MESSAGE#202:00009:14/1", "nwparser.p0", "%{disposition->} on %{p0}");
+
+ var select75 = linear_select([
+ dup122,
+ dup123,
+ ]);
+
+ var part339 = match("MESSAGE#202:00009:14/4_0", "nwparser.p0", "%{interface->} (%{fld2})");
+
+ var select76 = linear_select([
+ part339,
+ dup124,
+ ]);
+
+ var all63 = all_match({
+ processors: [
+ select74,
+ part338,
+ select75,
+ dup23,
+ select76,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg204 = msg("00009:14", all63);
+
+ var part340 = match("MESSAGE#203:00009:15/0", "nwparser.payload", "Route between secondary IP%{p0}");
+
+ var part341 = match("MESSAGE#203:00009:15/1_0", "nwparser.p0", " addresses %{p0}");
+
+ var select77 = linear_select([
+ part341,
+ dup125,
+ ]);
+
+ var all64 = all_match({
+ processors: [
+ part340,
+ select77,
+ dup126,
+ dup350,
+ dup128,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg205 = msg("00009:15", all64);
+
+ var part342 = match("MESSAGE#204:00009:16/0", "nwparser.payload", "Secondary IP address %{hostip}/%{mask->} %{p0}");
+
+ var part343 = match("MESSAGE#204:00009:16/3_2", "nwparser.p0", "deleted from %{p0}");
+
+ var select78 = linear_select([
+ dup129,
+ dup130,
+ part343,
+ ]);
+
+ var part344 = match("MESSAGE#204:00009:16/4", "nwparser.p0", "interface %{interface}.");
+
+ var all65 = all_match({
+ processors: [
+ part342,
+ dup350,
+ dup23,
+ select78,
+ part344,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg206 = msg("00009:16", all65);
+
+ var part345 = match("MESSAGE#205:00009:17/0", "nwparser.payload", "Secondary IP address %{p0}");
+
+ var part346 = match("MESSAGE#205:00009:17/1_0", "nwparser.p0", "%{hostip}/%{mask->} was added to interface %{p0}");
+
+ var part347 = match("MESSAGE#205:00009:17/1_1", "nwparser.p0", "%{hostip->} was added to interface %{p0}");
+
+ var select79 = linear_select([
+ part346,
+ part347,
+ ]);
+
+ var part348 = match("MESSAGE#205:00009:17/2", "nwparser.p0", "%{interface}.");
+
+ var all66 = all_match({
+ processors: [
+ part345,
+ select79,
+ part348,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg207 = msg("00009:17", all66);
+
+ var part349 = match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on the interface %{interface->} has been changed to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg208 = msg("00009:18", part349);
+
+ var part350 = match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg209 = msg("00009:19", part350);
+
+ var part351 = match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg210 = msg("00009:27", part351);
+
+ var part352 = match("MESSAGE#209:00009:20/0_0", "nwparser.payload", "%{fld2}: %{service->} has been %{p0}");
+
+ var part353 = match("MESSAGE#209:00009:20/0_1", "nwparser.payload", "%{service->} has been %{p0}");
+
+ var select80 = linear_select([
+ part352,
+ part353,
+ ]);
+
+ var part354 = match("MESSAGE#209:00009:20/1", "nwparser.p0", "%{disposition->} on interface %{interface->} %{p0}");
+
+ var part355 = match("MESSAGE#209:00009:20/2_0", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}");
+
+ var part356 = match("MESSAGE#209:00009:20/2_1", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}:%{sport}");
+
+ var part357 = match("MESSAGE#209:00009:20/2_2", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}");
+
+ var part358 = match("MESSAGE#209:00009:20/2_3", "nwparser.p0", "from host %{saddr->} (%{fld1})");
+
+ var select81 = linear_select([
+ part355,
+ part356,
+ part357,
+ part358,
+ ]);
+
+ var all67 = all_match({
+ processors: [
+ select80,
+ part354,
+ select81,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg211 = msg("00009:20", all67);
+
+ var part359 = match("MESSAGE#210:00009:21/0", "nwparser.payload", "Source Route IP option! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var all68 = all_match({
+ processors: [
+ part359,
+ dup343,
+ dup131,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ dup60,
+ ]),
+ });
+
+ var msg212 = msg("00009:21", all68);
+
+ var part360 = match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface->} has been changed to %{fld2->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg213 = msg("00009:22", part360);
+
+ var part361 = match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip->} has been added to interface %{interface->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg214 = msg("00009:23", part361);
+
+ var part362 = match("MESSAGE#213:00009:24/0", "nwparser.payload", "Web has been enabled on interface %{interface->} by admin %{administrator->} via %{p0}");
+
+ var part363 = match("MESSAGE#213:00009:24/1_0", "nwparser.p0", "%{logon_type->} %{space}(%{p0}");
+
+ var part364 = match("MESSAGE#213:00009:24/1_1", "nwparser.p0", "%{logon_type}. (%{p0}");
+
+ var select82 = linear_select([
+ part363,
+ part364,
+ ]);
+
+ var part365 = match("MESSAGE#213:00009:24/2", "nwparser.p0", ")%{fld1}");
+
+ var all69 = all_match({
+ processors: [
+ part362,
+ select82,
+ part365,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg215 = msg("00009:24", all69);
+
+ var part366 = match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on interface %{interface->} by %{username->} via %{logon_type}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg216 = msg("00009:25", part366);
+
+ var part367 = match("MESSAGE#215:00009:26/0", "nwparser.payload", "%{protocol->} has been %{disposition->} on interface %{interface->} by %{username->} via NSRP Peer . %{p0}");
+
+ var all70 = all_match({
+ processors: [
+ part367,
+ dup333,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg217 = msg("00009:26", all70);
+
+ var select83 = linear_select([
+ msg192,
+ msg193,
+ msg194,
+ msg195,
+ msg196,
+ msg197,
+ msg198,
+ msg199,
+ msg200,
+ msg201,
+ msg202,
+ msg203,
+ msg204,
+ msg205,
+ msg206,
+ msg207,
+ msg208,
+ msg209,
+ msg210,
+ msg211,
+ msg212,
+ msg213,
+ msg214,
+ msg215,
+ msg216,
+ msg217,
+ ]);
+
+ var part368 = match("MESSAGE#216:00010/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} %{p0}");
+
+ var part369 = match("MESSAGE#216:00010/1_0", "nwparser.p0", "using protocol %{p0}");
+
+ var part370 = match("MESSAGE#216:00010/1_1", "nwparser.p0", "proto %{p0}");
+
+ var select84 = linear_select([
+ part369,
+ part370,
+ ]);
+
+ var part371 = match("MESSAGE#216:00010/2", "nwparser.p0", "%{protocol->} %{p0}");
+
+ var part372 = match("MESSAGE#216:00010/3_0", "nwparser.p0", "( zone %{zone}, int %{interface}) %{p0}");
+
+ var part373 = match("MESSAGE#216:00010/3_1", "nwparser.p0", "zone %{zone->} int %{interface}) %{p0}");
+
+ var select85 = linear_select([
+ part372,
+ part373,
+ dup126,
+ ]);
+
+ var part374 = match("MESSAGE#216:00010/4", "nwparser.p0", ".%{space}The attack occurred %{dclass_counter1->} times%{p0}");
+
+ var all71 = all_match({
+ processors: [
+ part368,
+ select84,
+ part371,
+ select85,
+ part374,
+ dup351,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup59,
+ dup5,
+ dup9,
+ dup3,
+ dup61,
+ ]),
+ });
+
+ var msg218 = msg("00010", all71);
+
+ var part375 = match("MESSAGE#217:00010:01", "nwparser.payload", "MIP %{hostip}/%{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg219 = msg("00010:01", part375);
+
+ var part376 = match("MESSAGE#218:00010:02", "nwparser.payload", "Mapped IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg220 = msg("00010:02", part376);
+
+ var all72 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup4,
+ dup5,
+ dup9,
+ dup3,
+ dup60,
+ ]),
+ });
+
+ var msg221 = msg("00010:03", all72);
+
+ var select86 = linear_select([
+ msg218,
+ msg219,
+ msg220,
+ msg221,
+ ]);
+
+ var part377 = match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg222 = msg("00011", part377);
+
+ var part378 = match("MESSAGE#221:00011:01/0", "nwparser.payload", "Route to %{daddr}/%{fld2->} [ %{p0}");
+
+ var select87 = linear_select([
+ dup57,
+ dup56,
+ ]);
+
+ var part379 = match("MESSAGE#221:00011:01/2", "nwparser.p0", "%{} %{interface->} gateway %{fld3->} ] has been %{disposition}");
+
+ var all73 = all_match({
+ processors: [
+ part378,
+ select87,
+ part379,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg223 = msg("00011:01", all73);
+
+ var part380 = match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} to %{daddr->} protocol %{protocol->} (%{fld2})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg224 = msg("00011:02", part380);
+
+ var part381 = match("MESSAGE#223:00011:03/0", "nwparser.payload", "An %{p0}");
+
+ var part382 = match("MESSAGE#223:00011:03/1_0", "nwparser.p0", "import %{p0}");
+
+ var part383 = match("MESSAGE#223:00011:03/1_1", "nwparser.p0", "export %{p0}");
+
+ var select88 = linear_select([
+ part382,
+ part383,
+ ]);
+
+ var part384 = match("MESSAGE#223:00011:03/2", "nwparser.p0", "rule in virtual router %{node->} to virtual router %{fld4->} with %{p0}");
+
+ var part385 = match("MESSAGE#223:00011:03/3_0", "nwparser.p0", "route-map %{fld3->} and protocol %{protocol->} has been %{p0}");
+
+ var part386 = match("MESSAGE#223:00011:03/3_1", "nwparser.p0", "IP-prefix %{hostip}/%{interface->} has been %{p0}");
+
+ var select89 = linear_select([
+ part385,
+ part386,
+ ]);
+
+ var all74 = all_match({
+ processors: [
+ part381,
+ select88,
+ part384,
+ select89,
+ dup36,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg225 = msg("00011:03", all74);
+
+ var part387 = match("MESSAGE#224:00011:04/0", "nwparser.payload", "A route in virtual router %{node->} that has IP address %{hostip}/%{fld2->} through %{p0}");
+
+ var part388 = match("MESSAGE#224:00011:04/2", "nwparser.p0", "%{interface->} and gateway %{fld3->} with metric %{fld4->} has been %{disposition}");
+
+ var all75 = all_match({
+ processors: [
+ part387,
+ dup352,
+ part388,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg226 = msg("00011:04", all75);
+
+ var part389 = match("MESSAGE#225:00011:05/1_0", "nwparser.p0", "sharable virtual router using name%{p0}");
+
+ var part390 = match("MESSAGE#225:00011:05/1_1", "nwparser.p0", "virtual router with name%{p0}");
+
+ var select90 = linear_select([
+ part389,
+ part390,
+ ]);
+
+ var part391 = match("MESSAGE#225:00011:05/2", "nwparser.p0", "%{} %{node->} and id %{fld2->} has been %{disposition}");
+
+ var all76 = all_match({
+ processors: [
+ dup79,
+ select90,
+ part391,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg227 = msg("00011:05", all76);
+
+ var part392 = match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup5,
+ dup59,
+ dup3,
+ dup60,
+ ]));
+
+ var msg228 = msg("00011:07", part392);
+
+ var part393 = match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{node->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg229 = msg("00011:08", part393);
+
+ var part394 = match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature in virtual router %{node->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg230 = msg("00011:09", part394);
+
+ var part395 = match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes that can be created in virtual router %{node->} is %{fld2}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg231 = msg("00011:10", part395);
+
+ var part396 = match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in virtual router %{node->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg232 = msg("00011:11", part396);
+
+ var part397 = match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual router %{node->} used by OSPF BGP routing instances id has been uninitialized", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg233 = msg("00011:12", part397);
+
+ var part398 = match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be used by OSPF BGP routing instances in virtual router %{node->} has been set to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg234 = msg("00011:13", part398);
+
+ var part399 = match("MESSAGE#233:00011:14/0", "nwparser.payload", "The routing preference for protocol %{protocol->} in virtual router %{node->} has been %{p0}");
+
+ var part400 = match("MESSAGE#233:00011:14/1_1", "nwparser.p0", "reset%{}");
+
+ var select91 = linear_select([
+ dup134,
+ part400,
+ ]);
+
+ var all77 = all_match({
+ processors: [
+ part399,
+ select91,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg235 = msg("00011:14", all77);
+
+ var part401 = match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in virtual router %{node->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg236 = msg("00011:15", part401);
+
+ var part402 = match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route through virtual router %{node->} has been added in virtual router %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg237 = msg("00011:16", part402);
+
+ var part403 = match("MESSAGE#236:00011:17/0", "nwparser.payload", "The virtual router %{node->} has been made %{p0}");
+
+ var part404 = match("MESSAGE#236:00011:17/1_0", "nwparser.p0", "sharable%{}");
+
+ var part405 = match("MESSAGE#236:00011:17/1_1", "nwparser.p0", "unsharable%{}");
+
+ var part406 = match("MESSAGE#236:00011:17/1_2", "nwparser.p0", "default virtual router for virtual system %{fld2}");
+
+ var select92 = linear_select([
+ part404,
+ part405,
+ part406,
+ ]);
+
+ var all78 = all_match({
+ processors: [
+ part403,
+ select92,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg238 = msg("00011:17", all78);
+
+ var part407 = match("MESSAGE#237:00011:18/0_0", "nwparser.payload", "Source route(s) %{p0}");
+
+ var part408 = match("MESSAGE#237:00011:18/0_1", "nwparser.payload", "A source route %{p0}");
+
+ var select93 = linear_select([
+ part407,
+ part408,
+ ]);
+
+ var part409 = match("MESSAGE#237:00011:18/1", "nwparser.p0", "in virtual router %{node->} %{p0}");
+
+ var part410 = match("MESSAGE#237:00011:18/2_0", "nwparser.p0", "with route addresses of %{p0}");
+
+ var part411 = match("MESSAGE#237:00011:18/2_1", "nwparser.p0", "that has IP address %{p0}");
+
+ var select94 = linear_select([
+ part410,
+ part411,
+ ]);
+
+ var part412 = match("MESSAGE#237:00011:18/3", "nwparser.p0", "%{hostip}/%{fld2->} through interface %{interface->} and %{p0}");
+
+ var part413 = match("MESSAGE#237:00011:18/4_0", "nwparser.p0", "a default gateway address %{p0}");
+
+ var select95 = linear_select([
+ part413,
+ dup135,
+ ]);
+
+ var part414 = match("MESSAGE#237:00011:18/5", "nwparser.p0", "%{fld3->} with metric %{fld4->} %{p0}");
+
+ var all79 = all_match({
+ processors: [
+ select93,
+ part409,
+ select94,
+ part412,
+ select95,
+ part414,
+ dup350,
+ dup128,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg239 = msg("00011:18", all79);
+
+ var part415 = match("MESSAGE#238:00011:19/0", "nwparser.payload", "Source Route(s) in virtual router %{node->} with %{p0}");
+
+ var part416 = match("MESSAGE#238:00011:19/1_0", "nwparser.p0", "route addresses of %{p0}");
+
+ var part417 = match("MESSAGE#238:00011:19/1_1", "nwparser.p0", "an IP address %{p0}");
+
+ var select96 = linear_select([
+ part416,
+ part417,
+ ]);
+
+ var part418 = match("MESSAGE#238:00011:19/2", "nwparser.p0", "%{hostip}/%{fld3->} and %{p0}");
+
+ var part419 = match("MESSAGE#238:00011:19/3_0", "nwparser.p0", "a default gateway address of %{p0}");
+
+ var select97 = linear_select([
+ part419,
+ dup135,
+ ]);
+
+ var part420 = match("MESSAGE#238:00011:19/4", "nwparser.p0", "%{fld4->} %{p0}");
+
+ var part421 = match("MESSAGE#238:00011:19/5_1", "nwparser.p0", "has been%{p0}");
+
+ var select98 = linear_select([
+ dup107,
+ part421,
+ ]);
+
+ var all80 = all_match({
+ processors: [
+ part415,
+ select96,
+ part418,
+ select97,
+ part420,
+ select98,
+ dup136,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg240 = msg("00011:19", all80);
+
+ var part422 = match("MESSAGE#239:00011:20/0_0", "nwparser.payload", "%{fld2}: A %{p0}");
+
+ var select99 = linear_select([
+ part422,
+ dup79,
+ ]);
+
+ var part423 = match("MESSAGE#239:00011:20/1", "nwparser.p0", "route has been created in virtual router \"%{node}\"%{space}with an IP address %{hostip->} and next-hop as virtual router \"%{fld3}\"");
+
+ var all81 = all_match({
+ processors: [
+ select99,
+ part423,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg241 = msg("00011:20", all81);
+
+ var part424 = match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual router %{node->} for interface %{interface->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg242 = msg("00011:21", part424);
+
+ var part425 = match("MESSAGE#241:00011:22", "nwparser.payload", "SIBR route in virtual router %{node->} for interface %{interface->} that has IP address %{hostip->} through interface %{fld3->} and gateway %{fld4->} with metric %{fld5->} was %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg243 = msg("00011:22", part425);
+
+ var all82 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup131,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ call({
+ dest: "nwparser.inout",
+ fn: DIRCHK,
+ args: [
+ field("$IN"),
+ field("saddr"),
+ field("daddr"),
+ ],
+ }),
+ ]),
+ });
+
+ var msg244 = msg("00011:23", all82);
+
+ var part426 = match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{node}\" that has IP address %{hostip->} through interface %{interface->} and gateway %{fld2->} with metric %{fld3->} %{disposition}. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg245 = msg("00011:24", part426);
+
+ var part427 = match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \"%{node}\" with an IP address %{hostip}/%{fld2->} and gateway %{fld3->} %{disposition}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg246 = msg("00011:25", part427);
+
+ var part428 = match("MESSAGE#245:00011:26", "nwparser.payload", "Route in virtual router \"%{node}\" with IP address %{hostip}/%{fld2->} and next-hop as virtual router \"%{fld3}\" created. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg247 = msg("00011:26", part428);
+
+ var select100 = linear_select([
+ msg222,
+ msg223,
+ msg224,
+ msg225,
+ msg226,
+ msg227,
+ msg228,
+ msg229,
+ msg230,
+ msg231,
+ msg232,
+ msg233,
+ msg234,
+ msg235,
+ msg236,
+ msg237,
+ msg238,
+ msg239,
+ msg240,
+ msg241,
+ msg242,
+ msg243,
+ msg244,
+ msg245,
+ msg246,
+ msg247,
+ ]);
+
+ var part429 = match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comments have been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg248 = msg("00012:02", part429);
+
+ var part430 = match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} %{change_attribute->} has been changed to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg249 = msg("00012:03", part430);
+
+ var part431 = match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{group->} has %{disposition->} member %{username->} from host %{saddr}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg250 = msg("00012:04", part431);
+
+ var part432 = match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2}) (%{fld3})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg251 = msg("00012:05", part432);
+
+ var part433 = match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup59,
+ dup61,
+ ]));
+
+ var msg252 = msg("00012:06", part433);
+
+ var part434 = match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ dup59,
+ ]));
+
+ var msg253 = msg("00012:07", part434);
+
+ var part435 = match("MESSAGE#252:00012:08", "nwparser.payload", "%{fld2}: Service %{service->} has been %{disposition->} from host %{saddr->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg254 = msg("00012:08", part435);
+
+ var all83 = all_match({
+ processors: [
+ dup80,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg255 = msg("00012:09", all83);
+
+ var all84 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup9,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg256 = msg("00012:10", all84);
+
+ var part436 = match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup9,
+ dup61,
+ ]));
+
+ var msg257 = msg("00012:11", part436);
+
+ var part437 = match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{zone}) %{info->} (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg258 = msg("00012:12", part437);
+
+ var part438 = match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg259 = msg("00012", part438);
+
+ var part439 = match("MESSAGE#258:00012:01", "nwparser.payload", "Service %{service->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg260 = msg("00012:01", part439);
+
+ var select101 = linear_select([
+ msg248,
+ msg249,
+ msg250,
+ msg251,
+ msg252,
+ msg253,
+ msg254,
+ msg255,
+ msg256,
+ msg257,
+ msg258,
+ msg259,
+ msg260,
+ ]);
+
+ var part440 = match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding bytes has been detected%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg261 = msg("00013", part440);
+
+ var part441 = match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to connect to the NetScreen-Global Manager port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ setc("signame","An Attempt to connect to NetScreen-Global Manager Port."),
+ ]));
+
+ var msg262 = msg("00013:01", part441);
+
+ var part442 = match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has been changed to %{fld3}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg263 = msg("00013:02", part442);
+
+ var part443 = match("MESSAGE#262:00013:03", "nwparser.payload", "Web Filtering has been %{disposition->} (%{fld1})", processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg264 = msg("00013:03", part443);
+
+ var select102 = linear_select([
+ msg261,
+ msg262,
+ msg263,
+ msg264,
+ ]);
+
+ var part444 = match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes has changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg265 = msg("00014", part444);
+
+ var part445 = match("MESSAGE#264:00014:01/0", "nwparser.payload", "The group member %{username->} has been %{disposition->} %{p0}");
+
+ var part446 = match("MESSAGE#264:00014:01/1_0", "nwparser.p0", "to a group%{}");
+
+ var part447 = match("MESSAGE#264:00014:01/1_1", "nwparser.p0", "from a group%{}");
+
+ var select103 = linear_select([
+ part446,
+ part447,
+ ]);
+
+ var all85 = all_match({
+ processors: [
+ part445,
+ select103,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg266 = msg("00014:01", all85);
+
+ var part448 = match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has been %{disposition->} by %{username}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg267 = msg("00014:02", part448);
+
+ var part449 = match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has been %{disposition->} by %{administrator}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg268 = msg("00014:03", part449);
+
+ var part450 = match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{hostname->} server { %{hostip->} }: SrvErr (%{fld2}), SockErr (%{fld3}), Valid (%{fld4}),Connected (%{fld5})", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg269 = msg("00014:04", part450);
+
+ var part451 = match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations have been %{disposition->} by admin %{administrator}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg270 = msg("00014:05", part451);
+
+ var part452 = match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition->} manually.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg271 = msg("00014:06", part452);
+
+ var part453 = match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{disposition->} by %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg272 = msg("00014:07", part453);
+
+ var part454 = match("MESSAGE#271:00014:08", "nwparser.payload", "Communication error with %{hostname->} server[%{hostip}]: SrvErr(%{fld2}),SockErr(%{fld3}),Valid(%{fld4}),Connected(%{fld5}) (%{fld1})", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg273 = msg("00014:08", part454);
+
+ var select104 = linear_select([
+ msg265,
+ msg266,
+ msg267,
+ msg268,
+ msg269,
+ msg270,
+ msg271,
+ msg272,
+ msg273,
+ ]);
+
+ var part455 = match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been changed to %{authmethod}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg274 = msg("00015", part455);
+
+ var part456 = match("MESSAGE#273:00015:01", "nwparser.payload", "IP tracking to %{daddr->} has %{disposition}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg275 = msg("00015:01", part456);
+
+ var part457 = match("MESSAGE#274:00015:02/0", "nwparser.payload", "LDAP %{p0}");
+
+ var part458 = match("MESSAGE#274:00015:02/1_0", "nwparser.p0", "server name %{p0}");
+
+ var part459 = match("MESSAGE#274:00015:02/1_2", "nwparser.p0", "distinguished name %{p0}");
+
+ var part460 = match("MESSAGE#274:00015:02/1_3", "nwparser.p0", "common name %{p0}");
+
+ var select105 = linear_select([
+ part458,
+ dup137,
+ part459,
+ part460,
+ ]);
+
+ var all86 = all_match({
+ processors: [
+ part457,
+ select105,
+ dup138,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg276 = msg("00015:02", all86);
+
+ var part461 = match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg277 = msg("00015:03", part461);
+
+ var part462 = match("MESSAGE#276:00015:04/0", "nwparser.payload", "RADIUS server %{p0}");
+
+ var part463 = match("MESSAGE#276:00015:04/1_2", "nwparser.p0", "secret %{p0}");
+
+ var select106 = linear_select([
+ dup139,
+ dup140,
+ part463,
+ ]);
+
+ var all87 = all_match({
+ processors: [
+ part462,
+ select106,
+ dup138,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg278 = msg("00015:04", all87);
+
+ var part464 = match("MESSAGE#277:00015:05/0", "nwparser.payload", "SecurID %{p0}");
+
+ var part465 = match("MESSAGE#277:00015:05/1_0", "nwparser.p0", "authentication port %{p0}");
+
+ var part466 = match("MESSAGE#277:00015:05/1_1", "nwparser.p0", "duress mode %{p0}");
+
+ var part467 = match("MESSAGE#277:00015:05/1_3", "nwparser.p0", "number of retries value %{p0}");
+
+ var select107 = linear_select([
+ part465,
+ part466,
+ dup76,
+ part467,
+ ]);
+
+ var all88 = all_match({
+ processors: [
+ part464,
+ select107,
+ dup138,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg279 = msg("00015:05", all88);
+
+ var part468 = match("MESSAGE#278:00015:06/0_0", "nwparser.payload", "Master %{p0}");
+
+ var part469 = match("MESSAGE#278:00015:06/0_1", "nwparser.payload", "Backup %{p0}");
+
+ var select108 = linear_select([
+ part468,
+ part469,
+ ]);
+
+ var part470 = match("MESSAGE#278:00015:06/1", "nwparser.p0", "SecurID server IP address has been %{disposition}");
+
+ var all89 = all_match({
+ processors: [
+ select108,
+ part470,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg280 = msg("00015:06", all89);
+
+ var part471 = match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to master%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg281 = msg("00015:07", part471);
+
+ var part472 = match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration between master and slave%{}", processor_chain([
+ dup141,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg282 = msg("00015:08", part472);
+
+ var part473 = match("MESSAGE#281:00015:09/0_0", "nwparser.payload", "configuration %{p0}");
+
+ var part474 = match("MESSAGE#281:00015:09/0_1", "nwparser.payload", "Configuration %{p0}");
+
+ var select109 = linear_select([
+ part473,
+ part474,
+ ]);
+
+ var part475 = match("MESSAGE#281:00015:09/1", "nwparser.p0", "out of sync between local unit and remote unit%{}");
+
+ var all90 = all_match({
+ processors: [
+ select109,
+ part475,
+ ],
+ on_success: processor_chain([
+ dup141,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg283 = msg("00015:09", all90);
+
+ var part476 = match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg284 = msg("00015:10", part476);
+
+ var part477 = match("MESSAGE#283:00015:11", "nwparser.payload", "HA data channel change to %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg285 = msg("00015:11", part477);
+
+ var part478 = match("MESSAGE#284:00015:12/1_0", "nwparser.p0", "control %{p0}");
+
+ var part479 = match("MESSAGE#284:00015:12/1_1", "nwparser.p0", "data %{p0}");
+
+ var select110 = linear_select([
+ part478,
+ part479,
+ ]);
+
+ var part480 = match("MESSAGE#284:00015:12/2", "nwparser.p0", "channel moved from link %{p0}");
+
+ var part481 = match("MESSAGE#284:00015:12/6", "nwparser.p0", "(%{interface})");
+
+ var all91 = all_match({
+ processors: [
+ dup87,
+ select110,
+ part480,
+ dup353,
+ dup103,
+ dup353,
+ part481,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg286 = msg("00015:12", all91);
+
+ var part482 = match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", processor_chain([
+ dup144,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg287 = msg("00015:13", part482);
+
+ var part483 = match("MESSAGE#286:00015:14/0", "nwparser.payload", "NSRP link %{p0}");
+
+ var all92 = all_match({
+ processors: [
+ part483,
+ dup353,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg288 = msg("00015:14", all92);
+
+ var part484 = match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel available (%{fld3->} used by other channel)", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg289 = msg("00015:15", part484);
+
+ var part485 = match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out of synchronization between the local device and the peer device.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg290 = msg("00015:16", part485);
+
+ var part486 = match("MESSAGE#289:00015:17", "nwparser.payload", "NSRP %{change_attribute->} %{change_old->} changed to link channel %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg291 = msg("00015:17", part486);
+
+ var part487 = match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on peer device %{fld2->} changed from %{fld3->} to %{fld4->} state.", processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("change_attribute","RTO mirror group"),
+ ]));
+
+ var msg292 = msg("00015:18", part487);
+
+ var part488 = match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on local device %{fld2}, detected a duplicate direction on the peer device %{fld3}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg293 = msg("00015:19", part488);
+
+ var part489 = match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} changed on the local device from %{fld2->} to up state, it had peer device %{fld3}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg294 = msg("00015:20", part489);
+
+ var part490 = match("MESSAGE#293:00015:21/0", "nwparser.payload", "Peer device %{fld2->} %{p0}");
+
+ var part491 = match("MESSAGE#293:00015:21/1_0", "nwparser.p0", "disappeared %{p0}");
+
+ var part492 = match("MESSAGE#293:00015:21/1_1", "nwparser.p0", "was discovered %{p0}");
+
+ var select111 = linear_select([
+ part491,
+ part492,
+ ]);
+
+ var all93 = all_match({
+ processors: [
+ part490,
+ select111,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg295 = msg("00015:21", all93);
+
+ var part493 = match("MESSAGE#294:00015:22/0_0", "nwparser.payload", "The local %{p0}");
+
+ var part494 = match("MESSAGE#294:00015:22/0_1", "nwparser.payload", "The peer %{p0}");
+
+ var part495 = match("MESSAGE#294:00015:22/0_2", "nwparser.payload", "Peer %{p0}");
+
+ var select112 = linear_select([
+ part493,
+ part494,
+ part495,
+ ]);
+
+ var part496 = match("MESSAGE#294:00015:22/1", "nwparser.p0", "device %{fld2->} in the Virtual Security Device group %{group->} changed %{change_attribute->} from %{change_old->} to %{change_new->} %{p0}");
+
+ var all94 = all_match({
+ processors: [
+ select112,
+ part496,
+ dup354,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg296 = msg("00015:22", all94);
+
+ var part497 = match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg297 = msg("00015:23", part497);
+
+ var part498 = match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authentication server has been changed to %{hostname}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg298 = msg("00015:24", part498);
+
+ var part499 = match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification was successful", processor_chain([
+ setc("eventcategory","1613050100"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg299 = msg("00015:25", part499);
+
+ var part500 = match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification failed", processor_chain([
+ dup97,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg300 = msg("00015:29", part500);
+
+ var part501 = match("MESSAGE#299:00015:26/0", "nwparser.payload", "unit %{fld2->} just dis%{p0}");
+
+ var part502 = match("MESSAGE#299:00015:26/1_0", "nwparser.p0", "appeared%{}");
+
+ var part503 = match("MESSAGE#299:00015:26/1_1", "nwparser.p0", "covered%{}");
+
+ var select113 = linear_select([
+ part502,
+ part503,
+ ]);
+
+ var all95 = all_match({
+ processors: [
+ part501,
+ select113,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg301 = msg("00015:26", all95);
+
+ var part504 = match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change to %{interface}. (%{fld2})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup146,
+ ]));
+
+ var msg302 = msg("00015:33", part504);
+
+ var part505 = match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg303 = msg("00015:27", part505);
+
+ var part506 = match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RADIUS retry timeout has been set to default of %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg304 = msg("00015:28", part506);
+
+ var part507 = match("MESSAGE#303:00015:30/0", "nwparser.payload", "Number of RADIUS retries for auth server %{hostname->} %{p0}");
+
+ var part508 = match("MESSAGE#303:00015:30/2", "nwparser.p0", "set to %{fld2->} (%{fld1})");
+
+ var all96 = all_match({
+ processors: [
+ part507,
+ dup355,
+ part508,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg305 = msg("00015:30", all96);
+
+ var part509 = match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth server %{hostname->} is unset to its default value, %{info->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg306 = msg("00015:31", part509);
+
+ var part510 = match("MESSAGE#305:00015:32", "nwparser.payload", "Accounting port of server RADIUS is set to %{network_port}. (%{fld1})", processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg307 = msg("00015:32", part510);
+
+ var select114 = linear_select([
+ msg274,
+ msg275,
+ msg276,
+ msg277,
+ msg278,
+ msg279,
+ msg280,
+ msg281,
+ msg282,
+ msg283,
+ msg284,
+ msg285,
+ msg286,
+ msg287,
+ msg288,
+ msg289,
+ msg290,
+ msg291,
+ msg292,
+ msg293,
+ msg294,
+ msg295,
+ msg296,
+ msg297,
+ msg298,
+ msg299,
+ msg300,
+ msg301,
+ msg302,
+ msg303,
+ msg304,
+ msg305,
+ msg306,
+ msg307,
+ ]);
+
+ var part511 = match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup147,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg308 = msg("00016", part511);
+
+ var part512 = match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{fld3->} has been %{disposition}.", processor_chain([
+ dup1,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg309 = msg("00016:01", part512);
+
+ var part513 = match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disposition}", processor_chain([
+ dup1,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg310 = msg("00016:02", part513);
+
+ var part514 = match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2})", processor_chain([
+ dup147,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg311 = msg("00016:03", part514);
+
+ var part515 = match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg312 = msg("00016:05", part515);
+
+ var part516 = match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup147,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg313 = msg("00016:06", part516);
+
+ var part517 = match("MESSAGE#312:00016:07/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} ( zone %{p0}");
+
+ var all97 = all_match({
+ processors: [
+ part517,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup147,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup9,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg314 = msg("00016:07", all97);
+
+ var part518 = match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) Modify by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ setc("eventcategory","1001020305"),
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg315 = msg("00016:08", part518);
+
+ var part519 = match("MESSAGE#314:00016:09", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) New by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ setc("eventcategory","1001030305"),
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg316 = msg("00016:09", part519);
+
+ var select115 = linear_select([
+ msg308,
+ msg309,
+ msg310,
+ msg311,
+ msg312,
+ msg313,
+ msg314,
+ msg315,
+ msg316,
+ ]);
+
+ var part520 = match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup151,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ ]));
+
+ var msg317 = msg("00017", part520);
+
+ var part521 = match("MESSAGE#316:00017:23/0", "nwparser.payload", "Gateway %{fld2->} at %{fld3->} in %{fld5->} mode with ID %{p0}");
+
+ var part522 = match("MESSAGE#316:00017:23/1_0", "nwparser.p0", "[%{fld4}] %{p0}");
+
+ var part523 = match("MESSAGE#316:00017:23/1_1", "nwparser.p0", "%{fld4->} %{p0}");
+
+ var select116 = linear_select([
+ part522,
+ part523,
+ ]);
+
+ var part524 = match("MESSAGE#316:00017:23/2", "nwparser.p0", "has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} %{fld}");
+
+ var all98 = all_match({
+ processors: [
+ part521,
+ select116,
+ part524,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg318 = msg("00017:23", all98);
+
+ var part525 = match("MESSAGE#317:00017:01/0_0", "nwparser.payload", "%{fld1}: Gateway %{p0}");
+
+ var part526 = match("MESSAGE#317:00017:01/0_1", "nwparser.payload", "Gateway %{p0}");
+
+ var select117 = linear_select([
+ part525,
+ part526,
+ ]);
+
+ var part527 = match("MESSAGE#317:00017:01/1", "nwparser.p0", "%{fld2->} at %{fld3->} in %{fld5->} mode with ID%{p0}");
+
+ var part528 = match("MESSAGE#317:00017:01/3", "nwparser.p0", "%{fld4->} has been %{disposition}");
+
+ var all99 = all_match({
+ processors: [
+ select117,
+ part527,
+ dup356,
+ part528,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg319 = msg("00017:01", all99);
+
+ var part529 = match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settings have been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg320 = msg("00017:02", part529);
+
+ var part530 = match("MESSAGE#319:00017:03", "nwparser.payload", "IKE key %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg321 = msg("00017:03", part530);
+
+ var part531 = match("MESSAGE#320:00017:04/2", "nwparser.p0", "%{group_object->} with range %{fld2->} has been %{disposition}");
+
+ var all100 = all_match({
+ processors: [
+ dup153,
+ dup357,
+ part531,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg322 = msg("00017:04", all100);
+
+ var part532 = match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg323 = msg("00017:05", part532);
+
+ var part533 = match("MESSAGE#322:00017:06/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been set to %{p0}");
+
+ var part534 = match("MESSAGE#322:00017:06/1_0", "nwparser.p0", "clear %{p0}");
+
+ var part535 = match("MESSAGE#322:00017:06/1_2", "nwparser.p0", "copy %{p0}");
+
+ var select118 = linear_select([
+ part534,
+ dup101,
+ part535,
+ ]);
+
+ var all101 = all_match({
+ processors: [
+ part533,
+ select118,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg324 = msg("00017:06", all101);
+
+ var part536 = match("MESSAGE#323:00017:07/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been %{p0}");
+
+ var part537 = match("MESSAGE#323:00017:07/1_0", "nwparser.p0", "clear%{}");
+
+ var part538 = match("MESSAGE#323:00017:07/1_1", "nwparser.p0", "cleared%{}");
+
+ var part539 = match("MESSAGE#323:00017:07/1_3", "nwparser.p0", "copy%{}");
+
+ var part540 = match("MESSAGE#323:00017:07/1_4", "nwparser.p0", "copied%{}");
+
+ var select119 = linear_select([
+ part537,
+ part538,
+ dup98,
+ part539,
+ part540,
+ ]);
+
+ var all102 = all_match({
+ processors: [
+ part536,
+ select119,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg325 = msg("00017:07", all102);
+
+ var part541 = match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and SPI %{fld3}/%{fld4->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg326 = msg("00017:08", part541);
+
+ var part542 = match("MESSAGE#325:00017:09/0_0", "nwparser.payload", "%{fld1}: VPN %{p0}");
+
+ var part543 = match("MESSAGE#325:00017:09/0_1", "nwparser.payload", "VPN %{p0}");
+
+ var select120 = linear_select([
+ part542,
+ part543,
+ ]);
+
+ var part544 = match("MESSAGE#325:00017:09/1", "nwparser.p0", "%{group->} with gateway %{fld2->} %{p0}");
+
+ var part545 = match("MESSAGE#325:00017:09/2_0", "nwparser.p0", "no-rekey %{p0}");
+
+ var part546 = match("MESSAGE#325:00017:09/2_1", "nwparser.p0", "rekey, %{p0}");
+
+ var part547 = match("MESSAGE#325:00017:09/2_2", "nwparser.p0", "rekey %{p0}");
+
+ var select121 = linear_select([
+ part545,
+ part546,
+ part547,
+ ]);
+
+ var part548 = match("MESSAGE#325:00017:09/3", "nwparser.p0", "and p2-proposal %{fld3->} has been %{p0}");
+
+ var part549 = match("MESSAGE#325:00017:09/4_0", "nwparser.p0", "%{disposition->} from peer unit");
+
+ var part550 = match("MESSAGE#325:00017:09/4_1", "nwparser.p0", "%{disposition->} from host %{saddr}");
+
+ var select122 = linear_select([
+ part549,
+ part550,
+ dup36,
+ ]);
+
+ var all103 = all_match({
+ processors: [
+ select120,
+ part544,
+ select121,
+ part548,
+ select122,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg327 = msg("00017:09", all103);
+
+ var part551 = match("MESSAGE#326:00017:10/0", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}. Src IF %{sinterface->} dst IP %{daddr->} with rekeying %{p0}");
+
+ var all104 = all_match({
+ processors: [
+ part551,
+ dup358,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg328 = msg("00017:10", all104);
+
+ var part552 = match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg329 = msg("00017:11", part552);
+
+ var part553 = match("MESSAGE#328:00017:12/0", "nwparser.payload", "VPN monitoring %{p0}");
+
+ var part554 = match("MESSAGE#328:00017:12/1_2", "nwparser.p0", "frequency %{p0}");
+
+ var select123 = linear_select([
+ dup109,
+ dup110,
+ part554,
+ ]);
+
+ var all105 = all_match({
+ processors: [
+ part553,
+ select123,
+ dup127,
+ dup359,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg330 = msg("00017:12", all105);
+
+ var part555 = match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been added by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg331 = msg("00017:26", part555);
+
+ var part556 = match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. You cannot allocate an IP address.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg332 = msg("00017:13", part556);
+
+ var part557 = match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail}, DH group %{group}, ESP %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup9,
+ dup5,
+ ]));
+
+ var msg333 = msg("00017:14", part557);
+
+ var part558 = match("MESSAGE#332:00017:15/0", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group->} %{p0}");
+
+ var part559 = match("MESSAGE#332:00017:15/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime (%{fld3}) (%{fld4}) has been %{disposition}.");
+
+ var all106 = all_match({
+ processors: [
+ part558,
+ dup360,
+ part559,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg334 = msg("00017:15", all106);
+
+ var part560 = match("MESSAGE#333:00017:31/0", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail->} DH group %{group->} %{p0}");
+
+ var part561 = match("MESSAGE#333:00017:31/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime %{fld3->} has been %{disposition}.");
+
+ var all107 = all_match({
+ processors: [
+ part560,
+ dup360,
+ part561,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg335 = msg("00017:31", all107);
+
+ var part562 = match("MESSAGE#334:00017:16/0", "nwparser.payload", "vpnmonitor interval is %{p0}");
+
+ var all108 = all_match({
+ processors: [
+ part562,
+ dup359,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg336 = msg("00017:16", all108);
+
+ var part563 = match("MESSAGE#335:00017:17/0", "nwparser.payload", "vpnmonitor threshold is %{p0}");
+
+ var select124 = linear_select([
+ dup99,
+ dup93,
+ ]);
+
+ var all109 = all_match({
+ processors: [
+ part563,
+ select124,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg337 = msg("00017:17", all109);
+
+ var part564 = match("MESSAGE#336:00017:18/2", "nwparser.p0", "%{group_object->} with range %{fld2->} was %{disposition}");
+
+ var all110 = all_match({
+ processors: [
+ dup153,
+ dup357,
+ part564,
+ ],
+ on_success: processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg338 = msg("00017:18", all110);
+
+ var part565 = match("MESSAGE#337:00017:19/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at %{p0}");
+
+ var part566 = match("MESSAGE#337:00017:19/2", "nwparser.p0", "%{} %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times");
+
+ var all111 = all_match({
+ processors: [
+ part565,
+ dup337,
+ part566,
+ ],
+ on_success: processor_chain([
+ dup151,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg339 = msg("00017:19", all111);
+
+ var all112 = all_match({
+ processors: [
+ dup64,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup151,
+ dup2,
+ dup9,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg340 = msg("00017:20", all112);
+
+ var part567 = match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup151,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ ]));
+
+ var msg341 = msg("00017:21", part567);
+
+ var part568 = match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg342 = msg("00017:22", part568);
+
+ var part569 = match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bound to tunnel interface %{interface}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg343 = msg("00017:24", part569);
+
+ var part570 = match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal standard has been added by admin %{administrator->} via NSRP Peer (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg344 = msg("00017:25", part570);
+
+ var part571 = match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group}, ESP, enc %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg345 = msg("00017:28", part571);
+
+ var part572 = match("MESSAGE#344:00017:29", "nwparser.payload", "L2TP \"%{fld2}\", all-L2TP-users secret \"%{fld3}\" keepalive %{fld4->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg346 = msg("00017:29", part572);
+
+ var select125 = linear_select([
+ msg317,
+ msg318,
+ msg319,
+ msg320,
+ msg321,
+ msg322,
+ msg323,
+ msg324,
+ msg325,
+ msg326,
+ msg327,
+ msg328,
+ msg329,
+ msg330,
+ msg331,
+ msg332,
+ msg333,
+ msg334,
+ msg335,
+ msg336,
+ msg337,
+ msg338,
+ msg339,
+ msg340,
+ msg341,
+ msg342,
+ msg343,
+ msg344,
+ msg345,
+ msg346,
+ ]);
+
+ var part573 = match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} and %{fld3->} have been exchanged", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg347 = msg("00018", part573);
+
+ var part574 = match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", processor_chain([
+ setc("eventcategory","1502010000"),
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg348 = msg("00018:01", part574);
+
+ var part575 = match("MESSAGE#347:00018:02", "nwparser.payload", "Device%{quote}s %{change_attribute->} has been changed from %{change_old->} to %{change_new->} by admin %{administrator}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg349 = msg("00018:02", part575);
+
+ var part576 = match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg350 = msg("00018:04", part576);
+
+ var part577 = match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} by admin %{administrator->} via NSRP Peer", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg351 = msg("00018:16", part577);
+
+ var part578 = match("MESSAGE#350:00018:06/0", "nwparser.payload", "%{fld2->} Policy %{policy_id->} has been moved %{p0}");
+
+ var part579 = match("MESSAGE#350:00018:06/1_0", "nwparser.p0", "before %{p0}");
+
+ var part580 = match("MESSAGE#350:00018:06/1_1", "nwparser.p0", "after %{p0}");
+
+ var select126 = linear_select([
+ part579,
+ part580,
+ ]);
+
+ var part581 = match("MESSAGE#350:00018:06/2", "nwparser.p0", "%{fld3->} by admin %{administrator}");
+
+ var all113 = all_match({
+ processors: [
+ part578,
+ select126,
+ part581,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg352 = msg("00018:06", all113);
+
+ var part582 = match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} application was modified to %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg353 = msg("00018:08", part582);
+
+ var part583 = match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup17,
+ dup3,
+ dup2,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg354 = msg("00018:09", part583);
+
+ var part584 = match("MESSAGE#353:00018:10/0", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{p0}");
+
+ var part585 = match("MESSAGE#353:00018:10/1_0", "nwparser.p0", "%{disposition->} from peer unit by %{p0}");
+
+ var part586 = match("MESSAGE#353:00018:10/1_1", "nwparser.p0", "%{disposition->} by %{p0}");
+
+ var select127 = linear_select([
+ part585,
+ part586,
+ ]);
+
+ var part587 = match("MESSAGE#353:00018:10/2", "nwparser.p0", "%{username->} via %{interface->} from host %{saddr->} (%{fld1})");
+
+ var all114 = all_match({
+ processors: [
+ part584,
+ select127,
+ part587,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup3,
+ dup2,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg355 = msg("00018:10", all114);
+
+ var part588 = match("MESSAGE#354:00018:11/1_0", "nwparser.p0", "Service %{service->} was %{p0}");
+
+ var part589 = match("MESSAGE#354:00018:11/1_1", "nwparser.p0", "Attack group %{signame->} was %{p0}");
+
+ var select128 = linear_select([
+ part588,
+ part589,
+ ]);
+
+ var part590 = match("MESSAGE#354:00018:11/2", "nwparser.p0", "%{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} %{p0}");
+
+ var part591 = match("MESSAGE#354:00018:11/3_0", "nwparser.p0", "to %{daddr}:%{dport}. %{p0}");
+
+ var select129 = linear_select([
+ part591,
+ dup16,
+ ]);
+
+ var all115 = all_match({
+ processors: [
+ dup160,
+ select128,
+ part590,
+ select129,
+ dup10,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg356 = msg("00018:11", all115);
+
+ var part592 = match("MESSAGE#355:00018:12/0", "nwparser.payload", "In policy %{policy_id}, the %{p0}");
+
+ var part593 = match("MESSAGE#355:00018:12/1_0", "nwparser.p0", "application %{p0}");
+
+ var part594 = match("MESSAGE#355:00018:12/1_1", "nwparser.p0", "attack severity %{p0}");
+
+ var part595 = match("MESSAGE#355:00018:12/1_2", "nwparser.p0", "DI attack component %{p0}");
+
+ var select130 = linear_select([
+ part593,
+ part594,
+ part595,
+ ]);
+
+ var part596 = match("MESSAGE#355:00018:12/2", "nwparser.p0", "was modified by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})");
+
+ var all116 = all_match({
+ processors: [
+ part592,
+ select130,
+ part596,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg357 = msg("00018:12", all116);
+
+ var part597 = match("MESSAGE#356:00018:32/1", "nwparser.p0", "%{}address %{dhost}(%{daddr}) was %{disposition->} %{p0}");
+
+ var all117 = all_match({
+ processors: [
+ dup361,
+ part597,
+ dup362,
+ dup164,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg358 = msg("00018:32", all117);
+
+ var part598 = match("MESSAGE#357:00018:22/1", "nwparser.p0", "%{}address %{dhost->} was %{disposition->} %{p0}");
+
+ var all118 = all_match({
+ processors: [
+ dup361,
+ part598,
+ dup362,
+ dup164,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg359 = msg("00018:22", all118);
+
+ var part599 = match("MESSAGE#358:00018:15/0", "nwparser.payload", "%{agent->} was %{disposition->} from policy %{policy_id->} %{p0}");
+
+ var select131 = linear_select([
+ dup78,
+ dup77,
+ ]);
+
+ var part600 = match("MESSAGE#358:00018:15/2", "nwparser.p0", "address by admin %{administrator->} via NSRP Peer");
+
+ var all119 = all_match({
+ processors: [
+ part599,
+ select131,
+ part600,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg360 = msg("00018:15", all119);
+
+ var part601 = match("MESSAGE#359:00018:14/0", "nwparser.payload", "%{agent->} was %{disposition->} %{p0}");
+
+ var part602 = match("MESSAGE#359:00018:14/1_0", "nwparser.p0", "to%{p0}");
+
+ var part603 = match("MESSAGE#359:00018:14/1_1", "nwparser.p0", "from%{p0}");
+
+ var select132 = linear_select([
+ part602,
+ part603,
+ ]);
+
+ var part604 = match("MESSAGE#359:00018:14/2", "nwparser.p0", "%{}policy %{policy_id->} %{p0}");
+
+ var part605 = match("MESSAGE#359:00018:14/3_0", "nwparser.p0", "service %{p0}");
+
+ var part606 = match("MESSAGE#359:00018:14/3_1", "nwparser.p0", "source address %{p0}");
+
+ var part607 = match("MESSAGE#359:00018:14/3_2", "nwparser.p0", "destination address %{p0}");
+
+ var select133 = linear_select([
+ part605,
+ part606,
+ part607,
+ ]);
+
+ var part608 = match("MESSAGE#359:00018:14/4", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})");
+
+ var all120 = all_match({
+ processors: [
+ part601,
+ select132,
+ part604,
+ select133,
+ part608,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg361 = msg("00018:14", all120);
+
+ var part609 = match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg362 = msg("00018:29", part609);
+
+ var part610 = match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to policy %{policy_id->} %{rule_group->} by admin %{administrator->} via NSRP Peer %{space->} (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg363 = msg("00018:07", part610);
+
+ var part611 = match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg364 = msg("00018:18", part611);
+
+ var part612 = match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{disposition->} from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg365 = msg("00018:17", part612);
+
+ var part613 = match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg366 = msg("00018:19", part613);
+
+ var part614 = match("MESSAGE#365:00018:23/0_0", "nwparser.payload", "Destination %{p0}");
+
+ var part615 = match("MESSAGE#365:00018:23/0_1", "nwparser.payload", "Source %{p0}");
+
+ var select134 = linear_select([
+ part614,
+ part615,
+ ]);
+
+ var part616 = match("MESSAGE#365:00018:23/1", "nwparser.p0", "address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} %{p0}");
+
+ var part617 = match("MESSAGE#365:00018:23/2_0", "nwparser.p0", "from host %{p0}");
+
+ var select135 = linear_select([
+ part617,
+ dup103,
+ ]);
+
+ var part618 = match("MESSAGE#365:00018:23/4_0", "nwparser.p0", "%{saddr->} to %{daddr->} %{p0}");
+
+ var part619 = match("MESSAGE#365:00018:23/4_1", "nwparser.p0", "%{daddr->} %{p0}");
+
+ var select136 = linear_select([
+ part618,
+ part619,
+ ]);
+
+ var part620 = match("MESSAGE#365:00018:23/5", "nwparser.p0", "%{dport}:(%{fld1})");
+
+ var all121 = all_match({
+ processors: [
+ select134,
+ part616,
+ select135,
+ dup23,
+ select136,
+ part620,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg367 = msg("00018:23", all121);
+
+ var part621 = match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg368 = msg("00018:21", part621);
+
+ var part622 = match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{disposition->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg369 = msg("00018:24", part622);
+
+ var part623 = match("MESSAGE#368:00018:25/1", "nwparser.p0", "%{}address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})");
+
+ var all122 = all_match({
+ processors: [
+ dup363,
+ part623,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg370 = msg("00018:25", all122);
+
+ var part624 = match("MESSAGE#369:00018:30/1", "nwparser.p0", "%{}address %{info->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})");
+
+ var all123 = all_match({
+ processors: [
+ dup363,
+ part624,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg371 = msg("00018:30", all123);
+
+ var part625 = match("MESSAGE#370:00018:26/0", "nwparser.payload", "In policy %{policy_id}, the application was modified to %{disposition->} by %{p0}");
+
+ var part626 = match("MESSAGE#370:00018:26/2_1", "nwparser.p0", "%{logon_type->} from host %{saddr}. (%{p0}");
+
+ var select137 = linear_select([
+ dup48,
+ part626,
+ ]);
+
+ var all124 = all_match({
+ processors: [
+ part625,
+ dup364,
+ select137,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg372 = msg("00018:26", all124);
+
+ var part627 = match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the DI attack component was modified by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg373 = msg("00018:27", part627);
+
+ var part628 = match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the DI attack component was modified by admin %{administrator->} via %{logon_type}. (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ setc("info","the DI attack component was modified"),
+ ]));
+
+ var msg374 = msg("00018:28", part628);
+
+ var part629 = match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition}", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg375 = msg("00018:03", part629);
+
+ var part630 = match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the option %{fld2->} was %{disposition}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg376 = msg("00018:31", part630);
+
+ var select138 = linear_select([
+ msg347,
+ msg348,
+ msg349,
+ msg350,
+ msg351,
+ msg352,
+ msg353,
+ msg354,
+ msg355,
+ msg356,
+ msg357,
+ msg358,
+ msg359,
+ msg360,
+ msg361,
+ msg362,
+ msg363,
+ msg364,
+ msg365,
+ msg366,
+ msg367,
+ msg368,
+ msg369,
+ msg370,
+ msg371,
+ msg372,
+ msg373,
+ msg374,
+ msg375,
+ msg376,
+ ]);
+
+ var part631 = match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has %{disposition->} because WebTrends settings have not yet been configured", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg377 = msg("00019", part631);
+
+ var part632 = match("MESSAGE#375:00019:01/2", "nwparser.p0", "has %{disposition->} because syslog settings have not yet been configured");
+
+ var all125 = all_match({
+ processors: [
+ dup165,
+ dup365,
+ part632,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg378 = msg("00019:01", all125);
+
+ var part633 = match("MESSAGE#376:00019:02/0", "nwparser.payload", "Socket cannot be assigned for %{p0}");
+
+ var part634 = match("MESSAGE#376:00019:02/1_0", "nwparser.p0", "WebTrends%{}");
+
+ var part635 = match("MESSAGE#376:00019:02/1_1", "nwparser.p0", "syslog%{}");
+
+ var select139 = linear_select([
+ part634,
+ part635,
+ ]);
+
+ var all126 = all_match({
+ processors: [
+ part633,
+ select139,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg379 = msg("00019:02", all126);
+
+ var part636 = match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has been %{disposition}", processor_chain([
+ dup91,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg380 = msg("00019:03", part636);
+
+ var select140 = linear_select([
+ dup169,
+ dup78,
+ ]);
+
+ var select141 = linear_select([
+ dup139,
+ dup170,
+ dup137,
+ dup122,
+ ]);
+
+ var all127 = all_match({
+ processors: [
+ dup168,
+ select140,
+ dup23,
+ select141,
+ dup171,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg381 = msg("00019:04", all127);
+
+ var part637 = match("MESSAGE#379:00019:05/0", "nwparser.payload", "Syslog message level has been changed to %{p0}");
+
+ var part638 = match("MESSAGE#379:00019:05/1_0", "nwparser.p0", "debug%{}");
+
+ var part639 = match("MESSAGE#379:00019:05/1_1", "nwparser.p0", "information%{}");
+
+ var part640 = match("MESSAGE#379:00019:05/1_2", "nwparser.p0", "notification%{}");
+
+ var part641 = match("MESSAGE#379:00019:05/1_3", "nwparser.p0", "warning%{}");
+
+ var part642 = match("MESSAGE#379:00019:05/1_4", "nwparser.p0", "error%{}");
+
+ var part643 = match("MESSAGE#379:00019:05/1_5", "nwparser.p0", "critical%{}");
+
+ var part644 = match("MESSAGE#379:00019:05/1_6", "nwparser.p0", "alert%{}");
+
+ var part645 = match("MESSAGE#379:00019:05/1_7", "nwparser.p0", "emergency%{}");
+
+ var select142 = linear_select([
+ part638,
+ part639,
+ part640,
+ part641,
+ part642,
+ part643,
+ part644,
+ part645,
+ ]);
+
+ var all128 = all_match({
+ processors: [
+ part637,
+ select142,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg382 = msg("00019:05", all128);
+
+ var part646 = match("MESSAGE#380:00019:06/2", "nwparser.p0", "has been changed to %{p0}");
+
+ var all129 = all_match({
+ processors: [
+ dup168,
+ dup366,
+ part646,
+ dup367,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg383 = msg("00019:06", all129);
+
+ var part647 = match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has been %{disposition}", processor_chain([
+ dup91,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg384 = msg("00019:07", part647);
+
+ var part648 = match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg385 = msg("00019:08", part648);
+
+ var part649 = match("MESSAGE#383:00019:09/0", "nwparser.payload", "WebTrends host %{p0}");
+
+ var select143 = linear_select([
+ dup139,
+ dup170,
+ dup137,
+ ]);
+
+ var all130 = all_match({
+ processors: [
+ part649,
+ select143,
+ dup171,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg386 = msg("00019:09", all130);
+
+ var part650 = match("MESSAGE#384:00019:10/1_0", "nwparser.p0", "Traffic logging via syslog %{p0}");
+
+ var part651 = match("MESSAGE#384:00019:10/1_1", "nwparser.p0", "Syslog %{p0}");
+
+ var select144 = linear_select([
+ part650,
+ part651,
+ ]);
+
+ var all131 = all_match({
+ processors: [
+ dup183,
+ select144,
+ dup138,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg387 = msg("00019:10", all131);
+
+ var part652 = match("MESSAGE#385:00019:11/2", "nwparser.p0", "has %{disposition->} because there is no syslog server defined");
+
+ var all132 = all_match({
+ processors: [
+ dup165,
+ dup365,
+ part652,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg388 = msg("00019:11", all132);
+
+ var part653 = match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg389 = msg("00019:12", part653);
+
+ var part654 = match("MESSAGE#387:00019:13/0", "nwparser.payload", "Syslog server %{hostip->} %{p0}");
+
+ var select145 = linear_select([
+ dup107,
+ dup106,
+ ]);
+
+ var part655 = match("MESSAGE#387:00019:13/2", "nwparser.p0", "%{disposition}");
+
+ var all133 = all_match({
+ processors: [
+ part654,
+ select145,
+ part655,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg390 = msg("00019:13", all133);
+
+ var part656 = match("MESSAGE#388:00019:14/2", "nwparser.p0", "for %{hostip->} has been changed to %{p0}");
+
+ var all134 = all_match({
+ processors: [
+ dup168,
+ dup366,
+ part656,
+ dup367,
+ ],
+ on_success: processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg391 = msg("00019:14", all134);
+
+ var part657 = match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the TCP server %{hostip}; the connection is closed.", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg392 = msg("00019:15", part657);
+
+ var part658 = match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were removed.%{}", processor_chain([
+ setc("eventcategory","1701030000"),
+ setc("ec_activity","Delete"),
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg393 = msg("00019:16", part658);
+
+ var part659 = match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} host port number has been changed to %{network_port->} %{fld5}", processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg394 = msg("00019:17", part659);
+
+ var part660 = match("MESSAGE#392:00019:18/0", "nwparser.payload", "Traffic logging %{p0}");
+
+ var part661 = match("MESSAGE#392:00019:18/1_0", "nwparser.p0", "via syslog %{p0}");
+
+ var part662 = match("MESSAGE#392:00019:18/1_1", "nwparser.p0", "for syslog server %{hostip->} %{p0}");
+
+ var select146 = linear_select([
+ part661,
+ part662,
+ ]);
+
+ var all135 = all_match({
+ processors: [
+ part660,
+ select146,
+ dup138,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg395 = msg("00019:18", all135);
+
+ var part663 = match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog server %{hostip->} was changed to udp", processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg396 = msg("00019:19", part663);
+
+ var part664 = match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is enabled on backup device by netscreen via web from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg397 = msg("00019:20", part664);
+
+ var select147 = linear_select([
+ msg377,
+ msg378,
+ msg379,
+ msg380,
+ msg381,
+ msg382,
+ msg383,
+ msg384,
+ msg385,
+ msg386,
+ msg387,
+ msg388,
+ msg389,
+ msg390,
+ msg391,
+ msg392,
+ msg393,
+ msg394,
+ msg395,
+ msg396,
+ msg397,
+ ]);
+
+ var part665 = match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg398 = msg("00020", part665);
+
+ var part666 = match("MESSAGE#396:00020:01/0", "nwparser.payload", "System memory is low %{p0}");
+
+ var part667 = match("MESSAGE#396:00020:01/1_1", "nwparser.p0", "( %{p0}");
+
+ var select148 = linear_select([
+ dup152,
+ part667,
+ ]);
+
+ var part668 = match("MESSAGE#396:00020:01/2", "nwparser.p0", "%{fld2->} bytes allocated out of %{p0}");
+
+ var part669 = match("MESSAGE#396:00020:01/3_0", "nwparser.p0", "total %{fld3->} bytes");
+
+ var part670 = match("MESSAGE#396:00020:01/3_1", "nwparser.p0", "%{fld4->} bytes total");
+
+ var select149 = linear_select([
+ part669,
+ part670,
+ ]);
+
+ var all136 = all_match({
+ processors: [
+ part666,
+ select148,
+ part668,
+ select149,
+ ],
+ on_success: processor_chain([
+ dup184,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg399 = msg("00020:01", all136);
+
+ var part671 = match("MESSAGE#397:00020:02", "nwparser.payload", "System memory is low (%{fld2->} allocated out of %{fld3->} ) %{fld4->} times in %{fld5}", processor_chain([
+ dup184,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg400 = msg("00020:02", part671);
+
+ var select150 = linear_select([
+ msg398,
+ msg399,
+ msg400,
+ ]);
+
+ var part672 = match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg401 = msg("00021", part672);
+
+ var part673 = match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range %{info->} has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg402 = msg("00021:01", part673);
+
+ var part674 = match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg403 = msg("00021:02", part674);
+
+ var part675 = match("MESSAGE#401:00021:03", "nwparser.payload", "Connection refused by the DNS server%{}", processor_chain([
+ dup185,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg404 = msg("00021:03", part675);
+
+ var part676 = match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg405 = msg("00021:04", part676);
+
+ var part677 = match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg406 = msg("00021:05", part677);
+
+ var part678 = match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ setc("info","DIP port-translation stickiness was modified"),
+ ]));
+
+ var msg407 = msg("00021:06", part678);
+
+ var select151 = linear_select([
+ msg401,
+ msg402,
+ msg403,
+ msg404,
+ msg405,
+ msg406,
+ msg407,
+ ]);
+
+ var part679 = match("MESSAGE#405:00022/1_0", "nwparser.p0", "power supplies %{p0}");
+
+ var part680 = match("MESSAGE#405:00022/1_1", "nwparser.p0", "fans %{p0}");
+
+ var select152 = linear_select([
+ part679,
+ part680,
+ ]);
+
+ var part681 = match("MESSAGE#405:00022/2", "nwparser.p0", "are %{fld2->} functioning properly");
+
+ var all137 = all_match({
+ processors: [
+ dup186,
+ select152,
+ part681,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg408 = msg("00022", all137);
+
+ var part682 = match("MESSAGE#406:00022:01/0_0", "nwparser.payload", "At least one power supply %{p0}");
+
+ var part683 = match("MESSAGE#406:00022:01/0_1", "nwparser.payload", "The power supply %{fld2->} %{p0}");
+
+ var part684 = match("MESSAGE#406:00022:01/0_2", "nwparser.payload", "At least one fan %{p0}");
+
+ var select153 = linear_select([
+ part682,
+ part683,
+ part684,
+ ]);
+
+ var part685 = match("MESSAGE#406:00022:01/1", "nwparser.p0", "is not functioning properly%{p0}");
+
+ var all138 = all_match({
+ processors: [
+ select153,
+ part685,
+ dup368,
+ ],
+ on_success: processor_chain([
+ dup187,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg409 = msg("00022:01", all138);
+
+ var part686 = match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management tunnel has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg410 = msg("00022:02", part686);
+
+ var part687 = match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name has been defined as %{domain}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg411 = msg("00022:03", part687);
+
+ var part688 = match("MESSAGE#409:00022:04/0", "nwparser.payload", "Reporting of the %{p0}");
+
+ var part689 = match("MESSAGE#409:00022:04/1_0", "nwparser.p0", "network activities %{p0}");
+
+ var part690 = match("MESSAGE#409:00022:04/1_1", "nwparser.p0", "device resources %{p0}");
+
+ var part691 = match("MESSAGE#409:00022:04/1_2", "nwparser.p0", "event logs %{p0}");
+
+ var part692 = match("MESSAGE#409:00022:04/1_3", "nwparser.p0", "summary logs %{p0}");
+
+ var select154 = linear_select([
+ part689,
+ part690,
+ part691,
+ part692,
+ ]);
+
+ var part693 = match("MESSAGE#409:00022:04/2", "nwparser.p0", "to Global Manager has been %{disposition}");
+
+ var all139 = all_match({
+ processors: [
+ part688,
+ select154,
+ part693,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg412 = msg("00022:04", all139);
+
+ var part694 = match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg413 = msg("00022:05", part694);
+
+ var part695 = match("MESSAGE#411:00022:06/0", "nwparser.payload", "Global Manager %{p0}");
+
+ var part696 = match("MESSAGE#411:00022:06/1_0", "nwparser.p0", "report %{p0}");
+
+ var part697 = match("MESSAGE#411:00022:06/1_1", "nwparser.p0", "listen %{p0}");
+
+ var select155 = linear_select([
+ part696,
+ part697,
+ ]);
+
+ var part698 = match("MESSAGE#411:00022:06/2", "nwparser.p0", "port has been set to %{interface}");
+
+ var all140 = all_match({
+ processors: [
+ part695,
+ select155,
+ part698,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg414 = msg("00022:06", all140);
+
+ var part699 = match("MESSAGE#412:00022:07", "nwparser.payload", "The Global Manager keep-alive value has been changed to %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg415 = msg("00022:07", part699);
+
+ var part700 = match("MESSAGE#413:00022:08/0_0", "nwparser.payload", "System temperature %{p0}");
+
+ var part701 = match("MESSAGE#413:00022:08/0_1", "nwparser.payload", "System's temperature: %{p0}");
+
+ var part702 = match("MESSAGE#413:00022:08/0_2", "nwparser.payload", "The system temperature %{p0}");
+
+ var select156 = linear_select([
+ part700,
+ part701,
+ part702,
+ ]);
+
+ var part703 = match("MESSAGE#413:00022:08/1", "nwparser.p0", "(%{fld2->} C%{p0}");
+
+ var part704 = match("MESSAGE#413:00022:08/2_0", "nwparser.p0", "entigrade, %{p0}");
+
+ var select157 = linear_select([
+ part704,
+ dup96,
+ ]);
+
+ var part705 = match("MESSAGE#413:00022:08/3", "nwparser.p0", "%{fld3->} F%{p0}");
+
+ var part706 = match("MESSAGE#413:00022:08/4_0", "nwparser.p0", "ahrenheit %{p0}");
+
+ var select158 = linear_select([
+ part706,
+ dup96,
+ ]);
+
+ var part707 = match("MESSAGE#413:00022:08/5", "nwparser.p0", ") is too high%{}");
+
+ var all141 = all_match({
+ processors: [
+ select156,
+ part703,
+ select157,
+ part705,
+ select158,
+ part707,
+ ],
+ on_success: processor_chain([
+ dup188,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg416 = msg("00022:08", all141);
+
+ var part708 = match("MESSAGE#414:00022:09/2", "nwparser.p0", "power supply is no%{p0}");
+
+ var select159 = linear_select([
+ dup191,
+ dup192,
+ ]);
+
+ var part709 = match("MESSAGE#414:00022:09/4", "nwparser.p0", "functioning properly%{}");
+
+ var all142 = all_match({
+ processors: [
+ dup55,
+ dup369,
+ part708,
+ select159,
+ part709,
+ ],
+ on_success: processor_chain([
+ dup188,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg417 = msg("00022:09", all142);
+
+ var part710 = match("MESSAGE#415:00022:10/0", "nwparser.payload", "The NetScreen device was unable to upgrade the file system%{p0}");
+
+ var part711 = match("MESSAGE#415:00022:10/1_0", "nwparser.p0", " due to an internal conflict%{}");
+
+ var part712 = match("MESSAGE#415:00022:10/1_1", "nwparser.p0", ", but the old file system is intact%{}");
+
+ var select160 = linear_select([
+ part711,
+ part712,
+ ]);
+
+ var all143 = all_match({
+ processors: [
+ part710,
+ select160,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg418 = msg("00022:10", all143);
+
+ var part713 = match("MESSAGE#416:00022:11/0", "nwparser.payload", "The NetScreen device was unable to upgrade %{p0}");
+
+ var part714 = match("MESSAGE#416:00022:11/1_0", "nwparser.p0", "due to an internal conflict%{}");
+
+ var part715 = match("MESSAGE#416:00022:11/1_1", "nwparser.p0", "the loader, but the loader is intact%{}");
+
+ var select161 = linear_select([
+ part714,
+ part715,
+ ]);
+
+ var all144 = all_match({
+ processors: [
+ part713,
+ select161,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg419 = msg("00022:11", all144);
+
+ var part716 = match("MESSAGE#417:00022:12/0", "nwparser.payload", "Battery is no%{p0}");
+
+ var select162 = linear_select([
+ dup192,
+ dup191,
+ ]);
+
+ var part717 = match("MESSAGE#417:00022:12/2", "nwparser.p0", "functioning properly.%{}");
+
+ var all145 = all_match({
+ processors: [
+ part716,
+ select162,
+ part717,
+ ],
+ on_success: processor_chain([
+ dup188,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg420 = msg("00022:12", all145);
+
+ var part718 = match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2->} Centigrade, %{fld3->} Fahrenheit) is OK now.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg421 = msg("00022:13", part718);
+
+ var part719 = match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is functioning properly. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg422 = msg("00022:14", part719);
+
+ var select163 = linear_select([
+ msg408,
+ msg409,
+ msg410,
+ msg411,
+ msg412,
+ msg413,
+ msg414,
+ msg415,
+ msg416,
+ msg417,
+ msg418,
+ msg419,
+ msg420,
+ msg421,
+ msg422,
+ ]);
+
+ var part720 = match("MESSAGE#420:00023", "nwparser.payload", "VIP server %{hostip->} is not responding", processor_chain([
+ dup187,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg423 = msg("00023", part720);
+
+ var part721 = match("MESSAGE#421:00023:01", "nwparser.payload", "VIP/load balance server %{hostip->} cannot be contacted", processor_chain([
+ dup187,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg424 = msg("00023:01", part721);
+
+ var part722 = match("MESSAGE#422:00023:02", "nwparser.payload", "VIP server %{hostip->} cannot be contacted", processor_chain([
+ dup187,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg425 = msg("00023:02", part722);
+
+ var select164 = linear_select([
+ msg423,
+ msg424,
+ msg425,
+ ]);
+
+ var part723 = match("MESSAGE#423:00024/0_0", "nwparser.payload", "The DHCP %{p0}");
+
+ var part724 = match("MESSAGE#423:00024/0_1", "nwparser.payload", " DHCP %{p0}");
+
+ var select165 = linear_select([
+ part723,
+ part724,
+ ]);
+
+ var part725 = match("MESSAGE#423:00024/2_0", "nwparser.p0", "IP address pool has %{p0}");
+
+ var part726 = match("MESSAGE#423:00024/2_1", "nwparser.p0", "options have been %{p0}");
+
+ var select166 = linear_select([
+ part725,
+ part726,
+ ]);
+
+ var all146 = all_match({
+ processors: [
+ select165,
+ dup193,
+ select166,
+ dup52,
+ dup368,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg426 = msg("00024", all146);
+
+ var part727 = match("MESSAGE#424:00024:01/0_0", "nwparser.payload", "Traffic log %{p0}");
+
+ var part728 = match("MESSAGE#424:00024:01/0_1", "nwparser.payload", "Alarm log %{p0}");
+
+ var part729 = match("MESSAGE#424:00024:01/0_2", "nwparser.payload", "Event log %{p0}");
+
+ var part730 = match("MESSAGE#424:00024:01/0_3", "nwparser.payload", "Self log %{p0}");
+
+ var part731 = match("MESSAGE#424:00024:01/0_4", "nwparser.payload", "Asset Recovery log %{p0}");
+
+ var select167 = linear_select([
+ part727,
+ part728,
+ part729,
+ part730,
+ part731,
+ ]);
+
+ var part732 = match("MESSAGE#424:00024:01/1", "nwparser.p0", "has overflowed%{}");
+
+ var all147 = all_match({
+ processors: [
+ select167,
+ part732,
+ ],
+ on_success: processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg427 = msg("00024:01", all147);
+
+ var part733 = match("MESSAGE#425:00024:02/0", "nwparser.payload", "DHCP relay agent settings on %{fld2->} %{p0}");
+
+ var part734 = match("MESSAGE#425:00024:02/1_0", "nwparser.p0", "are %{p0}");
+
+ var part735 = match("MESSAGE#425:00024:02/1_1", "nwparser.p0", "have been %{p0}");
+
+ var select168 = linear_select([
+ part734,
+ part735,
+ ]);
+
+ var part736 = match("MESSAGE#425:00024:02/2", "nwparser.p0", "%{disposition->} (%{fld1})");
+
+ var all148 = all_match({
+ processors: [
+ part733,
+ select168,
+ part736,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg428 = msg("00024:02", all148);
+
+ var part737 = match("MESSAGE#426:00024:03/0", "nwparser.payload", "DHCP server IP address pool %{p0}");
+
+ var select169 = linear_select([
+ dup194,
+ dup106,
+ ]);
+
+ var part738 = match("MESSAGE#426:00024:03/2", "nwparser.p0", "changed. (%{fld1})");
+
+ var all149 = all_match({
+ processors: [
+ part737,
+ select169,
+ part738,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg429 = msg("00024:03", all149);
+
+ var select170 = linear_select([
+ msg426,
+ msg427,
+ msg428,
+ msg429,
+ ]);
+
+ var part739 = match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool has changed%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg430 = msg("00025", part739);
+
+ var part740 = match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{disposition->} to save the certificate authority configuration.", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg431 = msg("00025:01", part740);
+
+ var part741 = match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the X509 request file via e-mail", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg432 = msg("00025:02", part741);
+
+ var part742 = match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the CA configuration", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg433 = msg("00025:03", part742);
+
+ var part743 = match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certificates. The %{result}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg434 = msg("00025:04", part743);
+
+ var select171 = linear_select([
+ msg430,
+ msg431,
+ msg432,
+ msg433,
+ msg434,
+ ]);
+
+ var part744 = match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg435 = msg("00026", part744);
+
+ var part745 = match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on interface %{interface}", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg436 = msg("00026:13", part745);
+
+ var part746 = match("MESSAGE#434:00026:01/2", "nwparser.p0", "PKA key has been %{p0}");
+
+ var part747 = match("MESSAGE#434:00026:01/4", "nwparser.p0", "admin user %{administrator}. (Key ID = %{fld2})");
+
+ var all150 = all_match({
+ processors: [
+ dup195,
+ dup370,
+ part746,
+ dup371,
+ part747,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg437 = msg("00026:01", all150);
+
+ var part748 = match("MESSAGE#435:00026:02/1_0", "nwparser.p0", ": SCS %{p0}");
+
+ var select172 = linear_select([
+ part748,
+ dup96,
+ ]);
+
+ var part749 = match("MESSAGE#435:00026:02/2", "nwparser.p0", "has been %{disposition->} for %{p0}");
+
+ var part750 = match("MESSAGE#435:00026:02/3_0", "nwparser.p0", "root system %{p0}");
+
+ var part751 = match("MESSAGE#435:00026:02/3_1", "nwparser.p0", "%{interface->} %{p0}");
+
+ var select173 = linear_select([
+ part750,
+ part751,
+ ]);
+
+ var all151 = all_match({
+ processors: [
+ dup195,
+ select172,
+ part749,
+ select173,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg438 = msg("00026:02", all151);
+
+ var part752 = match("MESSAGE#436:00026:03/2", "nwparser.p0", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}");
+
+ var all152 = all_match({
+ processors: [
+ dup195,
+ dup370,
+ part752,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg439 = msg("00026:03", all152);
+
+ var part753 = match("MESSAGE#437:00026:04", "nwparser.payload", "SCS: Connection has been terminated for admin user %{administrator->} at %{hostip}:%{network_port}", processor_chain([
+ dup198,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg440 = msg("00026:04", part753);
+
+ var part754 = match("MESSAGE#438:00026:05", "nwparser.payload", "SCS: Host client has requested NO cipher from %{interface}", processor_chain([
+ dup198,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg441 = msg("00026:05", part754);
+
+ var part755 = match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using PKA RSA from %{saddr}:%{sport}. (key-ID=%{fld2}", processor_chain([
+ dup199,
+ dup29,
+ dup30,
+ dup31,
+ dup32,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg442 = msg("00026:06", part755);
+
+ var part756 = match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using password from %{saddr}:%{sport}.", processor_chain([
+ dup199,
+ dup29,
+ dup30,
+ dup31,
+ dup32,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg443 = msg("00026:07", part756);
+
+ var part757 = match("MESSAGE#441:00026:08/0", "nwparser.payload", "SSH user %{username->} has been authenticated using %{p0}");
+
+ var part758 = match("MESSAGE#441:00026:08/2", "nwparser.p0", "from %{saddr}:%{sport->} [ with key ID %{fld2->} ]");
+
+ var all153 = all_match({
+ processors: [
+ part757,
+ dup372,
+ part758,
+ ],
+ on_success: processor_chain([
+ dup199,
+ dup29,
+ dup30,
+ dup31,
+ dup32,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg444 = msg("00026:08", all153);
+
+ var part759 = match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interface->} with tunnel ID %{fld2->} received a packet with a bad SPI.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg445 = msg("00026:09", part759);
+
+ var part760 = match("MESSAGE#443:00026:10/0", "nwparser.payload", "SSH: %{p0}");
+
+ var part761 = match("MESSAGE#443:00026:10/1_0", "nwparser.p0", "Failed %{p0}");
+
+ var part762 = match("MESSAGE#443:00026:10/1_1", "nwparser.p0", "Attempt %{p0}");
+
+ var select174 = linear_select([
+ part761,
+ part762,
+ ]);
+
+ var part763 = match("MESSAGE#443:00026:10/3_0", "nwparser.p0", "bind duplicate %{p0}");
+
+ var select175 = linear_select([
+ part763,
+ dup201,
+ ]);
+
+ var part764 = match("MESSAGE#443:00026:10/6", "nwparser.p0", "admin user '%{administrator}' (Key ID %{fld2})");
+
+ var all154 = all_match({
+ processors: [
+ part760,
+ select174,
+ dup103,
+ select175,
+ dup202,
+ dup373,
+ part764,
+ ],
+ on_success: processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg446 = msg("00026:10", all154);
+
+ var part765 = match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA keys (%{fld2}) has been bound to user '%{username}' Key not bound. (Key ID %{fld3})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg447 = msg("00026:11", part765);
+
+ var part766 = match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg448 = msg("00026:12", part766);
+
+ var select176 = linear_select([
+ msg435,
+ msg436,
+ msg437,
+ msg438,
+ msg439,
+ msg440,
+ msg441,
+ msg442,
+ msg443,
+ msg444,
+ msg445,
+ msg446,
+ msg447,
+ msg448,
+ ]);
+
+ var part767 = match("MESSAGE#446:00027/2", "nwparser.p0", "user %{username->} from %{p0}");
+
+ var part768 = match("MESSAGE#446:00027/3_0", "nwparser.p0", "IP address %{saddr}:%{sport}");
+
+ var part769 = match("MESSAGE#446:00027/3_1", "nwparser.p0", "%{saddr}:%{sport}");
+
+ var part770 = match("MESSAGE#446:00027/3_2", "nwparser.p0", "console%{}");
+
+ var select177 = linear_select([
+ part768,
+ part769,
+ part770,
+ ]);
+
+ var all155 = all_match({
+ processors: [
+ dup204,
+ dup374,
+ part767,
+ select177,
+ ],
+ on_success: processor_chain([
+ dup206,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg449 = msg("00027", all155);
+
+ var part771 = match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}. %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg450 = msg("00027:01", part771);
+
+ var part772 = match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to %{change_new}. %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg451 = msg("00027:02", part772);
+
+ var part773 = match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}. %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg452 = msg("00027:03", part773);
+
+ var part774 = match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg453 = msg("00027:04", part774);
+
+ var part775 = match("MESSAGE#451:00027:05/0", "nwparser.payload", "ScreenOS %{version->} %{p0}");
+
+ var part776 = match("MESSAGE#451:00027:05/1_0", "nwparser.p0", "Serial %{p0}");
+
+ var part777 = match("MESSAGE#451:00027:05/1_1", "nwparser.p0", "serial %{p0}");
+
+ var select178 = linear_select([
+ part776,
+ part777,
+ ]);
+
+ var part778 = match("MESSAGE#451:00027:05/2", "nwparser.p0", "# %{fld2}: Asset recovery %{p0}");
+
+ var part779 = match("MESSAGE#451:00027:05/3_0", "nwparser.p0", "performed %{p0}");
+
+ var select179 = linear_select([
+ part779,
+ dup127,
+ ]);
+
+ var select180 = linear_select([
+ dup207,
+ dup208,
+ ]);
+
+ var all156 = all_match({
+ processors: [
+ part775,
+ select178,
+ part778,
+ select179,
+ dup23,
+ select180,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg454 = msg("00027:05", all156);
+
+ var part780 = match("MESSAGE#452:00027:06/0", "nwparser.payload", "Device Reset (Asset Recovery) has been %{p0}");
+
+ var select181 = linear_select([
+ dup208,
+ dup207,
+ ]);
+
+ var all157 = all_match({
+ processors: [
+ part780,
+ select181,
+ ],
+ on_success: processor_chain([
+ setc("eventcategory","1606000000"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg455 = msg("00027:06", all157);
+
+ var part781 = match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}. %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg456 = msg("00027:07", part781);
+
+ var part782 = match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been erased%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg457 = msg("00027:08", part782);
+
+ var part783 = match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due to expire in %{fld3}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg458 = msg("00027:09", part783);
+
+ var part784 = match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has expired.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg459 = msg("00027:10", part784);
+
+ var part785 = match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired after 30-day grace period.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg460 = msg("00027:11", part785);
+
+ var part786 = match("MESSAGE#458:00027:12/0", "nwparser.payload", "Request to retrieve license key failed to reach %{p0}");
+
+ var part787 = match("MESSAGE#458:00027:12/1_0", "nwparser.p0", "the server %{p0}");
+
+ var select182 = linear_select([
+ part787,
+ dup193,
+ ]);
+
+ var part788 = match("MESSAGE#458:00027:12/2", "nwparser.p0", "by %{fld2}. Server url: %{url}");
+
+ var all158 = all_match({
+ processors: [
+ part786,
+ select182,
+ part788,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg461 = msg("00027:12", all158);
+
+ var part789 = match("MESSAGE#459:00027:13/2", "nwparser.p0", "user %{username}");
+
+ var all159 = all_match({
+ processors: [
+ dup204,
+ dup374,
+ part789,
+ ],
+ on_success: processor_chain([
+ dup206,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg462 = msg("00027:13", all159);
+
+ var part790 = match("MESSAGE#460:00027:14/0", "nwparser.payload", "Configuration Erasure Process %{p0}");
+
+ var part791 = match("MESSAGE#460:00027:14/1_0", "nwparser.p0", "has been initiated %{p0}");
+
+ var part792 = match("MESSAGE#460:00027:14/1_1", "nwparser.p0", "aborted %{p0}");
+
+ var select183 = linear_select([
+ part791,
+ part792,
+ ]);
+
+ var part793 = match("MESSAGE#460:00027:14/2", "nwparser.p0", ".%{space}(%{fld1})");
+
+ var all160 = all_match({
+ processors: [
+ part790,
+ select183,
+ part793,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg463 = msg("00027:14", all160);
+
+ var part794 = match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg464 = msg("00027:15", part794);
+
+ var part795 = match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{policy_id->} name \"%{fld2->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg465 = msg("00027:16", part795);
+
+ var part796 = match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locked and will be unlocked after %{duration->} minutes (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg466 = msg("00027:17", part796);
+
+ var part797 = match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{username->} from %{saddr->} is refused as this account is locked (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg467 = msg("00027:18", part797);
+
+ var part798 = match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg468 = msg("00027:19", part798);
+
+ var select184 = linear_select([
+ msg449,
+ msg450,
+ msg451,
+ msg452,
+ msg453,
+ msg454,
+ msg455,
+ msg456,
+ msg457,
+ msg458,
+ msg459,
+ msg460,
+ msg461,
+ msg462,
+ msg463,
+ msg464,
+ msg465,
+ msg466,
+ msg467,
+ msg468,
+ ]);
+
+ var part799 = match("MESSAGE#462:00028/0_0", "nwparser.payload", "An Intruder%{p0}");
+
+ var part800 = match("MESSAGE#462:00028/0_1", "nwparser.payload", "Intruder%{p0}");
+
+ var part801 = match("MESSAGE#462:00028/0_2", "nwparser.payload", "An intruter%{p0}");
+
+ var select185 = linear_select([
+ part799,
+ part800,
+ part801,
+ ]);
+
+ var part802 = match("MESSAGE#462:00028/1", "nwparser.p0", "%{}has attempted to connect to the NetScreen-Global PRO port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times");
+
+ var all161 = all_match({
+ processors: [
+ select185,
+ part802,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ setc("signame","Attempt to Connect to the NetScreen-Global Port"),
+ ]),
+ });
+
+ var msg469 = msg("00028", all161);
+
+ var part803 = match("MESSAGE#463:00029", "nwparser.payload", "DNS has been refreshed%{}", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg470 = msg("00029", part803);
+
+ var part804 = match("MESSAGE#464:00029:01", "nwparser.payload", "DHCP file write: out of memory.%{}", processor_chain([
+ dup184,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg471 = msg("00029:01", part804);
+
+ var part805 = match("MESSAGE#465:00029:02/0", "nwparser.payload", "The DHCP process cannot open file %{fld2->} to %{p0}");
+
+ var part806 = match("MESSAGE#465:00029:02/1_0", "nwparser.p0", "read %{p0}");
+
+ var part807 = match("MESSAGE#465:00029:02/1_1", "nwparser.p0", "write %{p0}");
+
+ var select186 = linear_select([
+ part806,
+ part807,
+ ]);
+
+ var part808 = match("MESSAGE#465:00029:02/2", "nwparser.p0", "data.%{}");
+
+ var all162 = all_match({
+ processors: [
+ part805,
+ select186,
+ part808,
+ ],
+ on_success: processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg472 = msg("00029:02", all162);
+
+ var part809 = match("MESSAGE#466:00029:03/2", "nwparser.p0", "%{} %{interface->} is full. Unable to %{p0}");
+
+ var part810 = match("MESSAGE#466:00029:03/3_0", "nwparser.p0", "commit %{p0}");
+
+ var part811 = match("MESSAGE#466:00029:03/3_1", "nwparser.p0", "offer %{p0}");
+
+ var select187 = linear_select([
+ part810,
+ part811,
+ ]);
+
+ var part812 = match("MESSAGE#466:00029:03/4", "nwparser.p0", "IP address to client at %{fld2}");
+
+ var all163 = all_match({
+ processors: [
+ dup210,
+ dup337,
+ part809,
+ select187,
+ part812,
+ ],
+ on_success: processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg473 = msg("00029:03", all163);
+
+ var part813 = match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{interface->} (another server found on %{hostip}).", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg474 = msg("00029:04", part813);
+
+ var select188 = linear_select([
+ msg470,
+ msg471,
+ msg472,
+ msg473,
+ msg474,
+ ]);
+
+ var part814 = match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg475 = msg("00030", part814);
+
+ var part815 = match("MESSAGE#469:00030:01/0", "nwparser.payload", "DSS checking of CRLs has been changed from %{p0}");
+
+ var part816 = match("MESSAGE#469:00030:01/1_0", "nwparser.p0", "0 to 1%{}");
+
+ var part817 = match("MESSAGE#469:00030:01/1_1", "nwparser.p0", "1 to 0%{}");
+
+ var select189 = linear_select([
+ part816,
+ part817,
+ ]);
+
+ var all164 = all_match({
+ processors: [
+ part815,
+ select189,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg476 = msg("00030:01", all164);
+
+ var part818 = match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg477 = msg("00030:05", part818);
+
+ var part819 = match("MESSAGE#471:00030:06", "nwparser.payload", "In the X509 certificate request the %{fld2->} field has been changed from %{fld3}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg478 = msg("00030:06", part819);
+
+ var part820 = match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be loaded%{}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg479 = msg("00030:07", part820);
+
+ var part821 = match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate cannot be generated%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg480 = msg("00030:10", part821);
+
+ var part822 = match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS image has successfully been updated%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg481 = msg("00030:12", part822);
+
+ var part823 = match("MESSAGE#475:00030:13/0", "nwparser.payload", "The public key used for ScreenOS image authentication cannot be %{p0}");
+
+ var part824 = match("MESSAGE#475:00030:13/1_0", "nwparser.p0", "decoded%{}");
+
+ var part825 = match("MESSAGE#475:00030:13/1_1", "nwparser.p0", "loaded%{}");
+
+ var select190 = linear_select([
+ part824,
+ part825,
+ ]);
+
+ var all165 = all_match({
+ processors: [
+ part823,
+ select190,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg482 = msg("00030:13", all165);
+
+ var part826 = match("MESSAGE#476:00030:14/1_0", "nwparser.p0", "CA IDENT %{p0}");
+
+ var part827 = match("MESSAGE#476:00030:14/1_1", "nwparser.p0", "Challenge password %{p0}");
+
+ var part828 = match("MESSAGE#476:00030:14/1_2", "nwparser.p0", "CA CGI URL %{p0}");
+
+ var part829 = match("MESSAGE#476:00030:14/1_3", "nwparser.p0", "RA CGI URL %{p0}");
+
+ var select191 = linear_select([
+ part826,
+ part827,
+ part828,
+ part829,
+ ]);
+
+ var part830 = match("MESSAGE#476:00030:14/2", "nwparser.p0", "for SCEP %{p0}");
+
+ var part831 = match("MESSAGE#476:00030:14/3_0", "nwparser.p0", "requests %{p0}");
+
+ var select192 = linear_select([
+ part831,
+ dup16,
+ ]);
+
+ var part832 = match("MESSAGE#476:00030:14/4", "nwparser.p0", "has been changed from %{change_old->} to %{change_new}");
+
+ var all166 = all_match({
+ processors: [
+ dup55,
+ select191,
+ part830,
+ select192,
+ part832,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg483 = msg("00030:14", all166);
+
+ var msg484 = msg("00030:02", dup375);
+
+ var part833 = match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS image authentication is invalid%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg485 = msg("00030:15", part833);
+
+ var part834 = match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been deleted%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg486 = msg("00030:16", part834);
+
+ var part835 = match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accept per config DN %{interface}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg487 = msg("00030:18", part835);
+
+ var part836 = match("MESSAGE#481:00030:19/0", "nwparser.payload", "PKI: A configurable item %{change_attribute->} %{p0}");
+
+ var part837 = match("MESSAGE#481:00030:19/1_0", "nwparser.p0", "mode %{p0}");
+
+ var part838 = match("MESSAGE#481:00030:19/1_1", "nwparser.p0", "field%{p0}");
+
+ var select193 = linear_select([
+ part837,
+ part838,
+ ]);
+
+ var part839 = match("MESSAGE#481:00030:19/2", "nwparser.p0", "%{}has changed from %{change_old->} to %{change_new}");
+
+ var all167 = all_match({
+ processors: [
+ part836,
+ select193,
+ part839,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg488 = msg("00030:19", all167);
+
+ var part840 = match("MESSAGE#482:00030:30", "nwparser.payload", "PKI: NSRP cold sync start for total of %{fld2->} items.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg489 = msg("00030:30", part840);
+
+ var part841 = match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} out of order expect %{fld3->} of %{fld4}.", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg490 = msg("00030:31", part841);
+
+ var part842 = match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} without first item.", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg491 = msg("00030:32", part842);
+
+ var part843 = match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received normal item during cold sync.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg492 = msg("00030:33", part843);
+
+ var part844 = match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} is deleted.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg493 = msg("00030:34", part844);
+
+ var part845 = match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availability synchronization %{fld2->} failed.", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg494 = msg("00030:35", part845);
+
+ var part846 = match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute->} has changed from %{change_old->} to %{change_new}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg495 = msg("00030:36", part846);
+
+ var part847 = match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate for the ScreenOS image authentication is invalid.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg496 = msg("00030:37", part847);
+
+ var part848 = match("MESSAGE#490:00030:38", "nwparser.payload", "PKI: The X.509 local certificate cannot be sync to vsd member.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg497 = msg("00030:38", part848);
+
+ var part849 = match("MESSAGE#491:00030:39/0", "nwparser.payload", "PKI: The X.509 certificate %{p0}");
+
+ var part850 = match("MESSAGE#491:00030:39/1_0", "nwparser.p0", "revocation list %{p0}");
+
+ var select194 = linear_select([
+ part850,
+ dup16,
+ ]);
+
+ var part851 = match("MESSAGE#491:00030:39/2", "nwparser.p0", "cannot be loaded during NSRP synchronization.%{}");
+
+ var all168 = all_match({
+ processors: [
+ part849,
+ select194,
+ part851,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg498 = msg("00030:39", all168);
+
+ var part852 = match("MESSAGE#492:00030:17/0", "nwparser.payload", "X509 %{p0}");
+
+ var part853 = match("MESSAGE#492:00030:17/2", "nwparser.p0", "cannot be loaded%{}");
+
+ var all169 = all_match({
+ processors: [
+ part852,
+ dup376,
+ part853,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg499 = msg("00030:17", all169);
+
+ var part854 = match("MESSAGE#493:00030:40/0", "nwparser.payload", "PKI: The certificate %{fld2->} will expire %{p0}");
+
+ var part855 = match("MESSAGE#493:00030:40/1_1", "nwparser.p0", "please %{p0}");
+
+ var select195 = linear_select([
+ dup214,
+ part855,
+ ]);
+
+ var part856 = match("MESSAGE#493:00030:40/2", "nwparser.p0", "renew.%{}");
+
+ var all170 = all_match({
+ processors: [
+ part854,
+ select195,
+ part856,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg500 = msg("00030:40", all170);
+
+ var part857 = match("MESSAGE#494:00030:41", "nwparser.payload", "PKI: The certificate revocation list has expired issued by certificate authority %{fld2}.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg501 = msg("00030:41", part857);
+
+ var part858 = match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration content of certificate authority %{fld2->} is not valid.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg502 = msg("00030:42", part858);
+
+ var part859 = match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot allocate this object id number %{fld2}.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg503 = msg("00030:43", part859);
+
+ var part860 = match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg504 = msg("00030:44", part860);
+
+ var part861 = match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find the PKI object %{fld2->} during cold sync.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg505 = msg("00030:45", part861);
+
+ var part862 = match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X.509 certificate onto the device certificate %{fld2}.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg506 = msg("00030:46", part862);
+
+ var part863 = match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a certificate pending SCEP completion.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg507 = msg("00030:47", part863);
+
+ var part864 = match("MESSAGE#501:00030:48", "nwparser.payload", "PKI: The device cannot load an X.509 certificate revocation list (CRL).%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg508 = msg("00030:48", part864);
+
+ var part865 = match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load the CA certificate received through SCEP.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg509 = msg("00030:49", part865);
+
+ var part866 = match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg510 = msg("00030:50", part866);
+
+ var part867 = match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load the X.509 local certificate received through SCEP.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg511 = msg("00030:51", part867);
+
+ var part868 = match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load the X.509 %{product->} during boot.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg512 = msg("00030:52", part868);
+
+ var part869 = match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load the X.509 certificate file.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg513 = msg("00030:53", part869);
+
+ var part870 = match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the coldsync of the PKI object at %{fld2->} attempt.", processor_chain([
+ dup44,
+ dup211,
+ dup31,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg514 = msg("00030:54", part870);
+
+ var part871 = match("MESSAGE#508:00030:55/0", "nwparser.payload", "PKI: The device could not generate %{p0}");
+
+ var all171 = all_match({
+ processors: [
+ part871,
+ dup377,
+ dup217,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg515 = msg("00030:55", all171);
+
+ var part872 = match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an invalid RSA key.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg516 = msg("00030:56", part872);
+
+ var part873 = match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an invalid digital signature algorithm (DSA) key.%{}", processor_chain([
+ dup35,
+ dup218,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg517 = msg("00030:57", part873);
+
+ var part874 = match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to coldsync the PKI object at %{fld2->} attempt.", processor_chain([
+ dup86,
+ dup218,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg518 = msg("00030:58", part874);
+
+ var part875 = match("MESSAGE#512:00030:59", "nwparser.payload", "PKI: The device failed to decode the public key of the image%{quote}s signer certificate.", processor_chain([
+ dup35,
+ dup218,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg519 = msg("00030:59", part875);
+
+ var part876 = match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to install the RSA key.%{}", processor_chain([
+ dup35,
+ dup218,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg520 = msg("00030:60", part876);
+
+ var part877 = match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to retrieve the pending certificate %{fld2}.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg521 = msg("00030:61", part877);
+
+ var part878 = match("MESSAGE#515:00030:62", "nwparser.payload", "PKI: The device failed to save the certificate authority related configuration.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg522 = msg("00030:62", part878);
+
+ var part879 = match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to store the authority configuration.%{}", processor_chain([
+ dup18,
+ dup219,
+ dup51,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg523 = msg("00030:63", part879);
+
+ var part880 = match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.%{}", processor_chain([
+ dup18,
+ dup218,
+ dup51,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg524 = msg("00030:64", part880);
+
+ var part881 = match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.%{}", processor_chain([
+ dup18,
+ dup218,
+ dup51,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg525 = msg("00030:65", part881);
+
+ var part882 = match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected an invalid X.509 object attribute %{fld2}.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg526 = msg("00030:66", part882);
+
+ var part883 = match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected invalid X.509 object content.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg527 = msg("00030:67", part883);
+
+ var part884 = match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to load an invalid X.509 object.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg528 = msg("00030:68", part884);
+
+ var part885 = match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading the version 0 PKI data.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg529 = msg("00030:69", part885);
+
+ var part886 = match("MESSAGE#523:00030:70/0", "nwparser.payload", "PKI: The device successfully generated a new %{p0}");
+
+ var all172 = all_match({
+ processors: [
+ part886,
+ dup377,
+ dup217,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg530 = msg("00030:70", all172);
+
+ var part887 = match("MESSAGE#524:00030:71", "nwparser.payload", "PKI: The public key of image%{quote}s signer has been loaded successfully, for future image authentication.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg531 = msg("00030:71", part887);
+
+ var part888 = match("MESSAGE#525:00030:72", "nwparser.payload", "PKI: The signature of the image%{quote}s signer certificate cannot be verified.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg532 = msg("00030:72", part888);
+
+ var part889 = match("MESSAGE#526:00030:73/0", "nwparser.payload", "PKI: The %{p0}");
+
+ var part890 = match("MESSAGE#526:00030:73/1_0", "nwparser.p0", "file name %{p0}");
+
+ var part891 = match("MESSAGE#526:00030:73/1_1", "nwparser.p0", "friendly name of a certificate %{p0}");
+
+ var part892 = match("MESSAGE#526:00030:73/1_2", "nwparser.p0", "vsys name %{p0}");
+
+ var select196 = linear_select([
+ part890,
+ part891,
+ part892,
+ ]);
+
+ var part893 = match("MESSAGE#526:00030:73/2", "nwparser.p0", "is too long %{fld2->} to do NSRP synchronization allowed %{fld3}.");
+
+ var all173 = all_match({
+ processors: [
+ part889,
+ select196,
+ part893,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg533 = msg("00030:73", all173);
+
+ var part894 = match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier version save to file.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg534 = msg("00030:74", part894);
+
+ var part895 = match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has been deleted distinguished name %{username}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg535 = msg("00030:75", part895);
+
+ var part896 = match("MESSAGE#529:00030:76/0", "nwparser.payload", "PKI: X.509 %{p0}");
+
+ var part897 = match("MESSAGE#529:00030:76/2", "nwparser.p0", "file has been loaded successfully filename %{fld2}.");
+
+ var all174 = all_match({
+ processors: [
+ part896,
+ dup376,
+ part897,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg536 = msg("00030:76", all174);
+
+ var part898 = match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA key.%{}", processor_chain([
+ dup18,
+ dup218,
+ dup51,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg537 = msg("00030:77", part898);
+
+ var part899 = match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when requesting certificate.%{}", processor_chain([
+ dup35,
+ dup211,
+ dup220,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg538 = msg("00030:78", part899);
+
+ var part900 = match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check per config DN %{username}.", processor_chain([
+ dup35,
+ dup211,
+ dup220,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg539 = msg("00030:79", part900);
+
+ var part901 = match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 objects.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg540 = msg("00030:80", part901);
+
+ var part902 = match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject name %{fld2->} is deleted.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg541 = msg("00030:81", part902);
+
+ var part903 = match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{fld2}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg542 = msg("00030:82", part903);
+
+ var part904 = match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire authcfg for this CA cert %{fld2}.", processor_chain([
+ dup35,
+ dup211,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg543 = msg("00030:83", part904);
+
+ var part905 = match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg from global.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg544 = msg("00030:84", part905);
+
+ var part906 = match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is high (%{fld2->} alarm threshold: %{trigger_val}) %{info}", processor_chain([
+ setc("eventcategory","1603080000"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg545 = msg("00030:85", part906);
+
+ var part907 = match("MESSAGE#539:00030:86/2", "nwparser.p0", "Pair-wise invoked by started after key generation. (%{fld1})");
+
+ var all175 = all_match({
+ processors: [
+ dup221,
+ dup378,
+ part907,
+ ],
+ on_success: processor_chain([
+ dup223,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg546 = msg("00030:86", all175);
+
+ var part908 = match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is high (%{fld2->} > %{fld3->} ) %{fld4->} times in %{fld5->} minute (%{fld1})\u003c\u003c%{fld6}>", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg547 = msg("00030:87", part908);
+
+ var part909 = match("MESSAGE#1217:00030:88/2", "nwparser.p0", "Pair-wise invoked by passed. (%{fld1})\u003c\u003c%{fld6}>");
+
+ var all176 = all_match({
+ processors: [
+ dup221,
+ dup378,
+ part909,
+ ],
+ on_success: processor_chain([
+ dup223,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg548 = msg("00030:88", all176);
+
+ var select197 = linear_select([
+ msg475,
+ msg476,
+ msg477,
+ msg478,
+ msg479,
+ msg480,
+ msg481,
+ msg482,
+ msg483,
+ msg484,
+ msg485,
+ msg486,
+ msg487,
+ msg488,
+ msg489,
+ msg490,
+ msg491,
+ msg492,
+ msg493,
+ msg494,
+ msg495,
+ msg496,
+ msg497,
+ msg498,
+ msg499,
+ msg500,
+ msg501,
+ msg502,
+ msg503,
+ msg504,
+ msg505,
+ msg506,
+ msg507,
+ msg508,
+ msg509,
+ msg510,
+ msg511,
+ msg512,
+ msg513,
+ msg514,
+ msg515,
+ msg516,
+ msg517,
+ msg518,
+ msg519,
+ msg520,
+ msg521,
+ msg522,
+ msg523,
+ msg524,
+ msg525,
+ msg526,
+ msg527,
+ msg528,
+ msg529,
+ msg530,
+ msg531,
+ msg532,
+ msg533,
+ msg534,
+ msg535,
+ msg536,
+ msg537,
+ msg538,
+ msg539,
+ msg540,
+ msg541,
+ msg542,
+ msg543,
+ msg544,
+ msg545,
+ msg546,
+ msg547,
+ msg548,
+ ]);
+
+ var part910 = match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP address %{hostip->} changed from %{sinterface->} to interface %{dinterface->} (%{fld1})", processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg549 = msg("00031:13", part910);
+
+ var part911 = match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg550 = msg("00031", part911);
+
+ var part912 = match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg551 = msg("00031:01", part912);
+
+ var part913 = match("MESSAGE#543:00031:02/0", "nwparser.payload", "SNMP community %{fld2->} attributes-write access %{p0}");
+
+ var part914 = match("MESSAGE#543:00031:02/2", "nwparser.p0", "; receive traps %{p0}");
+
+ var part915 = match("MESSAGE#543:00031:02/4", "nwparser.p0", "; receive traffic alarms %{p0}");
+
+ var part916 = match("MESSAGE#543:00031:02/6", "nwparser.p0", "-have been modified%{}");
+
+ var all177 = all_match({
+ processors: [
+ part913,
+ dup379,
+ part914,
+ dup379,
+ part915,
+ dup379,
+ part916,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg552 = msg("00031:02", all177);
+
+ var part917 = match("MESSAGE#544:00031:03/0", "nwparser.payload", "%{fld2->} SNMP host %{hostip->} has been %{p0}");
+
+ var select198 = linear_select([
+ dup130,
+ dup129,
+ ]);
+
+ var part918 = match("MESSAGE#544:00031:03/2", "nwparser.p0", "SNMP community %{fld3}");
+
+ var all178 = all_match({
+ processors: [
+ part917,
+ select198,
+ part918,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg553 = msg("00031:03", all178);
+
+ var part919 = match("MESSAGE#545:00031:04/0", "nwparser.payload", "SNMP %{p0}");
+
+ var part920 = match("MESSAGE#545:00031:04/1_0", "nwparser.p0", "contact %{p0}");
+
+ var select199 = linear_select([
+ part920,
+ dup226,
+ ]);
+
+ var part921 = match("MESSAGE#545:00031:04/2", "nwparser.p0", "description has been modified%{}");
+
+ var all179 = all_match({
+ processors: [
+ part919,
+ select199,
+ part921,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg554 = msg("00031:04", all179);
+
+ var part922 = match("MESSAGE#546:00031:11/0", "nwparser.payload", "SNMP system %{p0}");
+
+ var select200 = linear_select([
+ dup226,
+ dup25,
+ ]);
+
+ var part923 = match("MESSAGE#546:00031:11/2", "nwparser.p0", "has been changed to %{fld2}. (%{fld1})");
+
+ var all180 = all_match({
+ processors: [
+ part922,
+ select200,
+ part923,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg555 = msg("00031:11", all180);
+
+ var part924 = match("MESSAGE#547:00031:08/0", "nwparser.payload", "%{fld2}: SNMP community name \"%{fld3}\" %{p0}");
+
+ var part925 = match("MESSAGE#547:00031:08/1_0", "nwparser.p0", "attributes -- %{p0}");
+
+ var part926 = match("MESSAGE#547:00031:08/1_1", "nwparser.p0", "-- %{p0}");
+
+ var select201 = linear_select([
+ part925,
+ part926,
+ ]);
+
+ var part927 = match("MESSAGE#547:00031:08/2", "nwparser.p0", "write access, %{p0}");
+
+ var part928 = match("MESSAGE#547:00031:08/4", "nwparser.p0", "; receive traps, %{p0}");
+
+ var part929 = match("MESSAGE#547:00031:08/6", "nwparser.p0", "; receive traffic alarms, %{p0}");
+
+ var part930 = match("MESSAGE#547:00031:08/8", "nwparser.p0", "-%{p0}");
+
+ var part931 = match("MESSAGE#547:00031:08/9_0", "nwparser.p0", "- %{p0}");
+
+ var select202 = linear_select([
+ part931,
+ dup96,
+ ]);
+
+ var part932 = match("MESSAGE#547:00031:08/10", "nwparser.p0", "have been modified%{}");
+
+ var all181 = all_match({
+ processors: [
+ part924,
+ select201,
+ part927,
+ dup379,
+ part928,
+ dup379,
+ part929,
+ dup379,
+ part930,
+ select202,
+ part932,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg556 = msg("00031:08", all181);
+
+ var part933 = match("MESSAGE#548:00031:05/0", "nwparser.payload", "Detect IP conflict (%{fld2}) on %{p0}");
+
+ var all182 = all_match({
+ processors: [
+ part933,
+ dup337,
+ dup227,
+ ],
+ on_success: processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg557 = msg("00031:05", all182);
+
+ var part934 = match("MESSAGE#549:00031:06/1_0", "nwparser.p0", "q, %{p0}");
+
+ var select203 = linear_select([
+ part934,
+ dup229,
+ dup230,
+ ]);
+
+ var part935 = match("MESSAGE#549:00031:06/2", "nwparser.p0", "detect IP conflict ( %{hostip->} )%{p0}");
+
+ var select204 = linear_select([
+ dup105,
+ dup96,
+ ]);
+
+ var part936 = match("MESSAGE#549:00031:06/4", "nwparser.p0", "mac%{p0}");
+
+ var part937 = match("MESSAGE#549:00031:06/6", "nwparser.p0", "%{macaddr->} on %{p0}");
+
+ var all183 = all_match({
+ processors: [
+ dup228,
+ select203,
+ part935,
+ select204,
+ part936,
+ dup356,
+ part937,
+ dup352,
+ dup23,
+ dup380,
+ ],
+ on_success: processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg558 = msg("00031:06", all183);
+
+ var part938 = match("MESSAGE#550:00031:07/2", "nwparser.p0", "detects a duplicate virtual security device group master IP address %{hostip}, MAC address %{macaddr->} on %{p0}");
+
+ var all184 = all_match({
+ processors: [
+ dup228,
+ dup381,
+ part938,
+ dup337,
+ dup227,
+ ],
+ on_success: processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg559 = msg("00031:07", all184);
+
+ var part939 = match("MESSAGE#551:00031:09/2", "nwparser.p0", "detected an IP conflict (IP %{hostip}, MAC %{macaddr}) on interface %{p0}");
+
+ var all185 = all_match({
+ processors: [
+ dup228,
+ dup381,
+ part939,
+ dup380,
+ ],
+ on_success: processor_chain([
+ dup121,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg560 = msg("00031:09", all185);
+
+ var part940 = match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{fld3}\" has been moved. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg561 = msg("00031:10", part940);
+
+ var part941 = match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has been changed to %{fld3}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg562 = msg("00031:12", part941);
+
+ var select205 = linear_select([
+ msg549,
+ msg550,
+ msg551,
+ msg552,
+ msg553,
+ msg554,
+ msg555,
+ msg556,
+ msg557,
+ msg558,
+ msg559,
+ msg560,
+ msg561,
+ msg562,
+ ]);
+
+ var part942 = match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg563 = msg("00032", part942);
+
+ var part943 = match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg564 = msg("00032:01", part943);
+
+ var part944 = match("MESSAGE#556:00032:03/0", "nwparser.payload", "Vsys %{fld2->} has been %{p0}");
+
+ var part945 = match("MESSAGE#556:00032:03/1_0", "nwparser.p0", "changed to %{fld3}");
+
+ var part946 = match("MESSAGE#556:00032:03/1_1", "nwparser.p0", "created%{}");
+
+ var part947 = match("MESSAGE#556:00032:03/1_2", "nwparser.p0", "deleted%{}");
+
+ var part948 = match("MESSAGE#556:00032:03/1_3", "nwparser.p0", "removed%{}");
+
+ var select206 = linear_select([
+ part945,
+ part946,
+ part947,
+ part948,
+ ]);
+
+ var all186 = all_match({
+ processors: [
+ part944,
+ select206,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg565 = msg("00032:03", all186);
+
+ var part949 = match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup61,
+ ]));
+
+ var msg566 = msg("00032:04", part949);
+
+ var part950 = match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsys %{fld2->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg567 = msg("00032:05", part950);
+
+ var msg568 = msg("00032:02", dup375);
+
+ var select207 = linear_select([
+ msg563,
+ msg564,
+ msg565,
+ msg566,
+ msg567,
+ msg568,
+ ]);
+
+ var part951 = match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ setc("agent","NSM"),
+ ]));
+
+ var msg569 = msg("00033:25", part951);
+
+ var part952 = match("MESSAGE#561:00033/1", "nwparser.p0", "timeout value has been %{p0}");
+
+ var part953 = match("MESSAGE#561:00033/2_1", "nwparser.p0", "returned%{p0}");
+
+ var select208 = linear_select([
+ dup52,
+ part953,
+ ]);
+
+ var part954 = match("MESSAGE#561:00033/3", "nwparser.p0", "%{}to %{fld2}");
+
+ var all187 = all_match({
+ processors: [
+ dup382,
+ part952,
+ select208,
+ part954,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg570 = msg("00033", all187);
+
+ var part955 = match("MESSAGE#562:00033:03/1_0", "nwparser.p0", "Global PRO %{p0}");
+
+ var part956 = match("MESSAGE#562:00033:03/1_1", "nwparser.p0", "%{fld3->} %{p0}");
+
+ var select209 = linear_select([
+ part955,
+ part956,
+ ]);
+
+ var part957 = match("MESSAGE#562:00033:03/4", "nwparser.p0", "host has been set to %{fld4}");
+
+ var all188 = all_match({
+ processors: [
+ dup160,
+ select209,
+ dup23,
+ dup369,
+ part957,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg571 = msg("00033:03", all188);
+
+ var part958 = match("MESSAGE#563:00033:02/3", "nwparser.p0", "host has been %{disposition}");
+
+ var all189 = all_match({
+ processors: [
+ dup382,
+ dup23,
+ dup369,
+ part958,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg572 = msg("00033:02", all189);
+
+ var part959 = match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{fld3->} has been %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg573 = msg("00033:04", part959);
+
+ var part960 = match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposition}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg574 = msg("00033:05", part960);
+
+ var part961 = match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg575 = msg("00033:06", part961);
+
+ var part962 = match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The threshold was exceeded %{dclass_counter1->} times", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ setc("dclass_counter1_string","Number of times the threshold was exceeded"),
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg576 = msg("00033:01", part962);
+
+ var part963 = match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{service->} has been %{disposition->} from %{fld2->} distribution", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg577 = msg("00033:07", part963);
+
+ var part964 = match("MESSAGE#569:00033:08/2", "nwparser.p0", "?s CA certificate field has not been specified.%{}");
+
+ var all190 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part964,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg578 = msg("00033:08", all190);
+
+ var part965 = match("MESSAGE#570:00033:09/2", "nwparser.p0", "?s Cert-Subject field has not been specified.%{}");
+
+ var all191 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part965,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg579 = msg("00033:09", all191);
+
+ var part966 = match("MESSAGE#571:00033:10/2", "nwparser.p0", "?s host field has been %{p0}");
+
+ var part967 = match("MESSAGE#571:00033:10/3_0", "nwparser.p0", "set to %{fld2->} %{p0}");
+
+ var select210 = linear_select([
+ part967,
+ dup238,
+ ]);
+
+ var all192 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part966,
+ select210,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg580 = msg("00033:10", all192);
+
+ var part968 = match("MESSAGE#572:00033:11/2", "nwparser.p0", "?s outgoing interface used to report NACN to Policy Manager %{p0}");
+
+ var part969 = match("MESSAGE#572:00033:11/4", "nwparser.p0", "has not been specified.%{}");
+
+ var all193 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part968,
+ dup383,
+ part969,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg581 = msg("00033:11", all193);
+
+ var part970 = match("MESSAGE#573:00033:12/2", "nwparser.p0", "?s password field has been %{p0}");
+
+ var select211 = linear_select([
+ dup101,
+ dup238,
+ ]);
+
+ var all194 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part970,
+ select211,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg582 = msg("00033:12", all194);
+
+ var part971 = match("MESSAGE#574:00033:13/2", "nwparser.p0", "?s policy-domain field has been %{p0}");
+
+ var part972 = match("MESSAGE#574:00033:13/3_0", "nwparser.p0", "unset .%{}");
+
+ var part973 = match("MESSAGE#574:00033:13/3_1", "nwparser.p0", "set to %{domain}.");
+
+ var select212 = linear_select([
+ part972,
+ part973,
+ ]);
+
+ var all195 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part971,
+ select212,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg583 = msg("00033:13", all195);
+
+ var part974 = match("MESSAGE#575:00033:14/2", "nwparser.p0", "?s CA certificate field has been set to %{fld2}.");
+
+ var all196 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part974,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg584 = msg("00033:14", all196);
+
+ var part975 = match("MESSAGE#576:00033:15/2", "nwparser.p0", "?s Cert-Subject field has been set to %{fld2}.");
+
+ var all197 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part975,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg585 = msg("00033:15", all197);
+
+ var part976 = match("MESSAGE#577:00033:16/2", "nwparser.p0", "?s outgoing-interface field has been set to %{interface}.");
+
+ var all198 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part976,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg586 = msg("00033:16", all198);
+
+ var part977 = match("MESSAGE#578:00033:17/2", "nwparser.p0", "?s port field has been %{p0}");
+
+ var part978 = match("MESSAGE#578:00033:17/3_0", "nwparser.p0", "set to %{network_port->} %{p0}");
+
+ var part979 = match("MESSAGE#578:00033:17/3_1", "nwparser.p0", "reset to the default value %{p0}");
+
+ var select213 = linear_select([
+ part978,
+ part979,
+ ]);
+
+ var all199 = all_match({
+ processors: [
+ dup235,
+ dup383,
+ part977,
+ select213,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg587 = msg("00033:17", all199);
+
+ var part980 = match("MESSAGE#579:00033:19/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{p0}");
+
+ var part981 = match("MESSAGE#579:00033:19/4", "nwparser.p0", "%{fld99}arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.");
+
+ var all200 = all_match({
+ processors: [
+ part980,
+ dup339,
+ dup70,
+ dup340,
+ part981,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup59,
+ dup61,
+ ]),
+ });
+
+ var msg588 = msg("00033:19", all200);
+
+ var part982 = match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.", processor_chain([
+ dup27,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup59,
+ dup60,
+ ]));
+
+ var msg589 = msg("00033:20", part982);
+
+ var all201 = all_match({
+ processors: [
+ dup239,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup9,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg590 = msg("00033:21", all201);
+
+ var part983 = match("MESSAGE#582:00033:22/0", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var all202 = all_match({
+ processors: [
+ part983,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup9,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg591 = msg("00033:22", all202);
+
+ var part984 = match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name %{hostname->} was set: addr %{hostip}, port %{network_port}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg592 = msg("00033:23", part984);
+
+ var part985 = match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{info}. (%{fld1})", processor_chain([
+ setc("eventcategory","1001030500"),
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg593 = msg("00033:24", part985);
+
+ var select214 = linear_select([
+ msg569,
+ msg570,
+ msg571,
+ msg572,
+ msg573,
+ msg574,
+ msg575,
+ msg576,
+ msg577,
+ msg578,
+ msg579,
+ msg580,
+ msg581,
+ msg582,
+ msg583,
+ msg584,
+ msg585,
+ msg586,
+ msg587,
+ msg588,
+ msg589,
+ msg590,
+ msg591,
+ msg592,
+ msg593,
+ ]);
+
+ var part986 = match("MESSAGE#585:00034/0_0", "nwparser.payload", "SCS: Failed %{p0}");
+
+ var part987 = match("MESSAGE#585:00034/0_1", "nwparser.payload", "Failed %{p0}");
+
+ var select215 = linear_select([
+ part986,
+ part987,
+ ]);
+
+ var part988 = match("MESSAGE#585:00034/2_0", "nwparser.p0", "bind %{p0}");
+
+ var part989 = match("MESSAGE#585:00034/2_2", "nwparser.p0", "retrieve %{p0}");
+
+ var select216 = linear_select([
+ part988,
+ dup201,
+ part989,
+ ]);
+
+ var select217 = linear_select([
+ dup196,
+ dup103,
+ dup163,
+ ]);
+
+ var part990 = match("MESSAGE#585:00034/5", "nwparser.p0", "SSH user %{username}. (Key ID=%{fld2})");
+
+ var all203 = all_match({
+ processors: [
+ select215,
+ dup103,
+ select216,
+ dup202,
+ select217,
+ part990,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg594 = msg("00034", all203);
+
+ var part991 = match("MESSAGE#586:00034:01/0_0", "nwparser.payload", "SCS: Incompatible %{p0}");
+
+ var part992 = match("MESSAGE#586:00034:01/0_1", "nwparser.payload", "Incompatible %{p0}");
+
+ var select218 = linear_select([
+ part991,
+ part992,
+ ]);
+
+ var part993 = match("MESSAGE#586:00034:01/1", "nwparser.p0", "SSH version %{version->} has been received from %{p0}");
+
+ var part994 = match("MESSAGE#586:00034:01/2_0", "nwparser.p0", "the SSH %{p0}");
+
+ var select219 = linear_select([
+ part994,
+ dup241,
+ ]);
+
+ var part995 = match("MESSAGE#586:00034:01/3", "nwparser.p0", "client at %{saddr}:%{sport}");
+
+ var all204 = all_match({
+ processors: [
+ select218,
+ part993,
+ select219,
+ part995,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg595 = msg("00034:01", all204);
+
+ var part996 = match("MESSAGE#587:00034:02", "nwparser.payload", "Maximum number of SCS sessions %{fld2->} has been reached. Connection request from SSH user %{username->} at %{saddr}:%{sport->} has been %{disposition}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg596 = msg("00034:02", part996);
+
+ var part997 = match("MESSAGE#588:00034:03/1", "nwparser.p0", "device failed to authenticate the SSH client at %{saddr}:%{sport}");
+
+ var all205 = all_match({
+ processors: [
+ dup384,
+ part997,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg597 = msg("00034:03", all205);
+
+ var part998 = match("MESSAGE#589:00034:04", "nwparser.payload", "SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user %{username->} at %{saddr}:%{sport}. (Key ID=%{fld2})", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg598 = msg("00034:04", part998);
+
+ var part999 = match("MESSAGE#590:00034:05", "nwparser.payload", "NetScreen device failed to generate a PKA RSA challenge for SSH user %{username}. (Key ID=%{fld2})", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg599 = msg("00034:05", part999);
+
+ var part1000 = match("MESSAGE#591:00034:06/1", "nwparser.p0", "device failed to %{p0}");
+
+ var part1001 = match("MESSAGE#591:00034:06/2_0", "nwparser.p0", "identify itself %{p0}");
+
+ var part1002 = match("MESSAGE#591:00034:06/2_1", "nwparser.p0", "send the identification string %{p0}");
+
+ var select220 = linear_select([
+ part1001,
+ part1002,
+ ]);
+
+ var part1003 = match("MESSAGE#591:00034:06/3", "nwparser.p0", "to the SSH client at %{saddr}:%{sport}");
+
+ var all206 = all_match({
+ processors: [
+ dup384,
+ part1000,
+ select220,
+ part1003,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg600 = msg("00034:06", all206);
+
+ var part1004 = match("MESSAGE#592:00034:07", "nwparser.payload", "SCS connection has been terminated for admin user %{username->} at %{saddr}:%{sport}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg601 = msg("00034:07", part1004);
+
+ var part1005 = match("MESSAGE#593:00034:08", "nwparser.payload", "SCS: SCS has been %{disposition->} for %{username->} with %{fld2->} existing PKA keys already bound to %{fld3->} SSH users.", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg602 = msg("00034:08", part1005);
+
+ var part1006 = match("MESSAGE#594:00034:09", "nwparser.payload", "SCS has been %{disposition->} for %{username->} with %{fld2->} PKA keys already bound to %{fld3->} SSH users", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg603 = msg("00034:09", part1006);
+
+ var part1007 = match("MESSAGE#595:00034:10/2", "nwparser.p0", "%{}client at %{saddr->} has attempted to make an SCS connection to %{p0}");
+
+ var part1008 = match("MESSAGE#595:00034:10/4", "nwparser.p0", "%{interface->} %{p0}");
+
+ var part1009 = match("MESSAGE#595:00034:10/5_0", "nwparser.p0", "with%{p0}");
+
+ var part1010 = match("MESSAGE#595:00034:10/5_1", "nwparser.p0", "at%{p0}");
+
+ var select221 = linear_select([
+ part1009,
+ part1010,
+ ]);
+
+ var part1011 = match("MESSAGE#595:00034:10/6", "nwparser.p0", "%{}IP %{hostip->} but %{disposition->} because %{result}");
+
+ var all207 = all_match({
+ processors: [
+ dup244,
+ dup385,
+ part1007,
+ dup352,
+ part1008,
+ select221,
+ part1011,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg604 = msg("00034:10", all207);
+
+ var part1012 = match("MESSAGE#596:00034:12/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has attempted to make an SCS connection to %{p0}");
+
+ var part1013 = match("MESSAGE#596:00034:12/4", "nwparser.p0", "but %{disposition->} because %{result}");
+
+ var all208 = all_match({
+ processors: [
+ dup244,
+ dup385,
+ part1012,
+ dup386,
+ part1013,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg605 = msg("00034:12", all208);
+
+ var part1014 = match("MESSAGE#597:00034:11/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to %{p0}");
+
+ var part1015 = match("MESSAGE#597:00034:11/4", "nwparser.p0", "because %{result}");
+
+ var all209 = all_match({
+ processors: [
+ dup244,
+ dup385,
+ part1014,
+ dup386,
+ part1015,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg606 = msg("00034:11", all209);
+
+ var part1016 = match("MESSAGE#598:00034:15", "nwparser.payload", "SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection because %{result}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg607 = msg("00034:15", part1016);
+
+ var part1017 = match("MESSAGE#599:00034:18/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} cannot log in via SCS to %{service->} using the shared %{interface->} interface because %{result}");
+
+ var all210 = all_match({
+ processors: [
+ dup244,
+ dup387,
+ part1017,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg608 = msg("00034:18", all210);
+
+ var part1018 = match("MESSAGE#600:00034:20/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has %{disposition->} the PKA RSA challenge");
+
+ var all211 = all_match({
+ processors: [
+ dup244,
+ dup387,
+ part1018,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg609 = msg("00034:20", all211);
+
+ var part1019 = match("MESSAGE#601:00034:21/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has requested %{p0}");
+
+ var part1020 = match("MESSAGE#601:00034:21/4", "nwparser.p0", "authentication which is not %{p0}");
+
+ var part1021 = match("MESSAGE#601:00034:21/5_0", "nwparser.p0", "supported %{p0}");
+
+ var select222 = linear_select([
+ part1021,
+ dup156,
+ ]);
+
+ var part1022 = match("MESSAGE#601:00034:21/6", "nwparser.p0", "for that %{p0}");
+
+ var part1023 = match("MESSAGE#601:00034:21/7_0", "nwparser.p0", "client%{}");
+
+ var part1024 = match("MESSAGE#601:00034:21/7_1", "nwparser.p0", "user%{}");
+
+ var select223 = linear_select([
+ part1023,
+ part1024,
+ ]);
+
+ var all212 = all_match({
+ processors: [
+ dup244,
+ dup387,
+ part1019,
+ dup372,
+ part1020,
+ select222,
+ part1022,
+ select223,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg610 = msg("00034:21", all212);
+
+ var part1025 = match("MESSAGE#602:00034:22", "nwparser.payload", "SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to vsys %{fld2->} using the shared untrusted interface", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg611 = msg("00034:22", part1025);
+
+ var part1026 = match("MESSAGE#603:00034:23/1_0", "nwparser.p0", "SCS: Unable %{p0}");
+
+ var part1027 = match("MESSAGE#603:00034:23/1_1", "nwparser.p0", "Unable %{p0}");
+
+ var select224 = linear_select([
+ part1026,
+ part1027,
+ ]);
+
+ var part1028 = match("MESSAGE#603:00034:23/2", "nwparser.p0", "to validate cookie from the SSH client at %{saddr}:%{sport}");
+
+ var all213 = all_match({
+ processors: [
+ dup160,
+ select224,
+ part1028,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg612 = msg("00034:23", all213);
+
+ var part1029 = match("MESSAGE#604:00034:24", "nwparser.payload", "AC %{username->} is advertising URL %{fld2}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg613 = msg("00034:24", part1029);
+
+ var part1030 = match("MESSAGE#605:00034:25", "nwparser.payload", "Message from AC %{username}: %{fld2}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg614 = msg("00034:25", part1030);
+
+ var part1031 = match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg615 = msg("00034:26", part1031);
+
+ var part1032 = match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on %{interface->} interface", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg616 = msg("00034:27", part1032);
+
+ var part1033 = match("MESSAGE#608:00034:28", "nwparser.payload", "PPPoE%{quote}s session closed by AC", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg617 = msg("00034:28", part1033);
+
+ var part1034 = match("MESSAGE#609:00034:29", "nwparser.payload", "SCS: Disabled for %{username}. Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg618 = msg("00034:29", part1034);
+
+ var part1035 = match("MESSAGE#610:00034:30", "nwparser.payload", "SCS: %{disposition->} to remove PKA key removed.", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg619 = msg("00034:30", part1035);
+
+ var part1036 = match("MESSAGE#611:00034:31", "nwparser.payload", "SCS: %{disposition->} to retrieve host key", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg620 = msg("00034:31", part1036);
+
+ var part1037 = match("MESSAGE#612:00034:32", "nwparser.payload", "SCS: %{disposition->} to send identification string to client host at %{saddr}:%{sport}.", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg621 = msg("00034:32", part1037);
+
+ var part1038 = match("MESSAGE#613:00034:33", "nwparser.payload", "SCS: Max %{fld2->} sessions reached unabel to accept connection : %{saddr}:%{sport}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg622 = msg("00034:33", part1038);
+
+ var part1039 = match("MESSAGE#614:00034:34", "nwparser.payload", "SCS: Maximum number for SCS sessions %{fld2->} has been reached. Connection request from SSH user at %{saddr}:%{sport->} has been %{disposition}.", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg623 = msg("00034:34", part1039);
+
+ var part1040 = match("MESSAGE#615:00034:35", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to %{service->} using the shared untrusted interface because SCS is disabled on that interface.", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg624 = msg("00034:35", part1040);
+
+ var part1041 = match("MESSAGE#616:00034:36", "nwparser.payload", "SCS: Unsupported cipher type %{fld2->} requested from: %{saddr}:%{sport}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg625 = msg("00034:36", part1041);
+
+ var part1042 = match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg626 = msg("00034:37", part1042);
+
+ var part1043 = match("MESSAGE#618:00034:38", "nwparser.payload", "SSH: %{disposition->} to retreive PKA key bound to SSH user %{username->} (Key ID %{fld2})", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg627 = msg("00034:38", part1043);
+
+ var part1044 = match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet from host %{saddr->} (Code %{fld2})", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg628 = msg("00034:39", part1044);
+
+ var part1045 = match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send initialization string to client at %{saddr}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg629 = msg("00034:40", part1045);
+
+ var part1046 = match("MESSAGE#621:00034:41/0", "nwparser.payload", "SCP: Admin user '%{administrator}' attempted to transfer file %{p0}");
+
+ var part1047 = match("MESSAGE#621:00034:41/2", "nwparser.p0", "the device with insufficient privilege.%{}");
+
+ var all214 = all_match({
+ processors: [
+ part1046,
+ dup373,
+ part1047,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg630 = msg("00034:41", all214);
+
+ var part1048 = match("MESSAGE#622:00034:42", "nwparser.payload", "SSH: Maximum number of SSH sessions (%{fld2}) exceeded. Connection request from SSH user %{username->} at %{saddr->} denied.", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg631 = msg("00034:42", part1048);
+
+ var part1049 = match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx bd (port %{network_port})", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg632 = msg("00034:43", part1049);
+
+ var part1050 = match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack detected on SSH connection initiated from %{saddr}:%{sport->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg633 = msg("00034:44", part1050);
+
+ var select225 = linear_select([
+ msg594,
+ msg595,
+ msg596,
+ msg597,
+ msg598,
+ msg599,
+ msg600,
+ msg601,
+ msg602,
+ msg603,
+ msg604,
+ msg605,
+ msg606,
+ msg607,
+ msg608,
+ msg609,
+ msg610,
+ msg611,
+ msg612,
+ msg613,
+ msg614,
+ msg615,
+ msg616,
+ msg617,
+ msg618,
+ msg619,
+ msg620,
+ msg621,
+ msg622,
+ msg623,
+ msg624,
+ msg625,
+ msg626,
+ msg627,
+ msg628,
+ msg629,
+ msg630,
+ msg631,
+ msg632,
+ msg633,
+ ]);
+
+ var part1051 = match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}:%{result}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg634 = msg("00035", part1051);
+
+ var part1052 = match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in incoming mail - %{fld2}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg635 = msg("00035:01", part1052);
+
+ var part1053 = match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} is not allowed in export or firewall only system", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg636 = msg("00035:02", part1053);
+
+ var part1054 = match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg637 = msg("00035:03", part1054);
+
+ var part1055 = match("MESSAGE#628:00035:04/0", "nwparser.payload", "SSL Error when retrieve local c%{p0}");
+
+ var part1056 = match("MESSAGE#628:00035:04/1_0", "nwparser.p0", "a(verify) %{p0}");
+
+ var part1057 = match("MESSAGE#628:00035:04/1_1", "nwparser.p0", "ert(verify) %{p0}");
+
+ var part1058 = match("MESSAGE#628:00035:04/1_2", "nwparser.p0", "ert(all) %{p0}");
+
+ var select226 = linear_select([
+ part1056,
+ part1057,
+ part1058,
+ ]);
+
+ var part1059 = match("MESSAGE#628:00035:04/2", "nwparser.p0", ": %{fld2}");
+
+ var all215 = all_match({
+ processors: [
+ part1055,
+ select226,
+ part1059,
+ ],
+ on_success: processor_chain([
+ dup117,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg638 = msg("00035:04", all215);
+
+ var part1060 = match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. Not ready for connections.%{}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg639 = msg("00035:05", part1060);
+
+ var part1061 = match("MESSAGE#630:00035:06/0", "nwparser.payload", "SSL c%{p0}");
+
+ var part1062 = match("MESSAGE#630:00035:06/2", "nwparser.p0", "changed to none%{}");
+
+ var all216 = all_match({
+ processors: [
+ part1061,
+ dup388,
+ part1062,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg640 = msg("00035:06", all216);
+
+ var part1063 = match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{fld2->} recieved %{fld3->} is expected", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg641 = msg("00035:07", part1063);
+
+ var part1064 = match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg642 = msg("00035:08", part1064);
+
+ var part1065 = match("MESSAGE#633:00035:09/1_0", "nwparser.p0", "enabled%{}");
+
+ var select227 = linear_select([
+ part1065,
+ dup92,
+ ]);
+
+ var all217 = all_match({
+ processors: [
+ dup253,
+ select227,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg643 = msg("00035:09", all217);
+
+ var part1066 = match("MESSAGE#634:00035:10/0", "nwparser.payload", "SSL memory allocation fails in process_c%{p0}");
+
+ var part1067 = match("MESSAGE#634:00035:10/1_0", "nwparser.p0", "a()%{}");
+
+ var part1068 = match("MESSAGE#634:00035:10/1_1", "nwparser.p0", "ert()%{}");
+
+ var select228 = linear_select([
+ part1067,
+ part1068,
+ ]);
+
+ var all218 = all_match({
+ processors: [
+ part1066,
+ select228,
+ ],
+ on_success: processor_chain([
+ dup184,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg644 = msg("00035:10", all218);
+
+ var part1069 = match("MESSAGE#635:00035:11/0", "nwparser.payload", "SSL no ssl c%{p0}");
+
+ var part1070 = match("MESSAGE#635:00035:11/1_0", "nwparser.p0", "a%{}");
+
+ var part1071 = match("MESSAGE#635:00035:11/1_1", "nwparser.p0", "ert%{}");
+
+ var select229 = linear_select([
+ part1070,
+ part1071,
+ ]);
+
+ var all219 = all_match({
+ processors: [
+ part1069,
+ select229,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg645 = msg("00035:11", all219);
+
+ var part1072 = match("MESSAGE#636:00035:12/0", "nwparser.payload", "SSL set c%{p0}");
+
+ var part1073 = match("MESSAGE#636:00035:12/2", "nwparser.p0", "id is invalid %{fld2}");
+
+ var all220 = all_match({
+ processors: [
+ part1072,
+ dup388,
+ part1073,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg646 = msg("00035:12", all220);
+
+ var part1074 = match("MESSAGE#637:00035:13/1_1", "nwparser.p0", "verify %{p0}");
+
+ var select230 = linear_select([
+ dup101,
+ part1074,
+ ]);
+
+ var part1075 = match("MESSAGE#637:00035:13/2", "nwparser.p0", "cert failed. Key type is not RSA%{}");
+
+ var all221 = all_match({
+ processors: [
+ dup253,
+ select230,
+ part1075,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg647 = msg("00035:13", all221);
+
+ var part1076 = match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg648 = msg("00035:14", part1076);
+
+ var part1077 = match("MESSAGE#639:00035:15/0", "nwparser.payload", "%{change_attribute->} has been changed %{p0}");
+
+ var part1078 = match("MESSAGE#639:00035:15/1_0", "nwparser.p0", "from %{change_old->} to %{change_new}");
+
+ var part1079 = match("MESSAGE#639:00035:15/1_1", "nwparser.p0", "to %{fld2}");
+
+ var select231 = linear_select([
+ part1078,
+ part1079,
+ ]);
+
+ var all222 = all_match({
+ processors: [
+ part1077,
+ select231,
+ ],
+ on_success: processor_chain([
+ dup184,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg649 = msg("00035:15", all222);
+
+ var part1080 = match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed to by %{username->} via web from host %{saddr->} to %{daddr}:%{dport->} %{fld5}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg650 = msg("00035:16", part1080);
+
+ var select232 = linear_select([
+ msg634,
+ msg635,
+ msg636,
+ msg637,
+ msg638,
+ msg639,
+ msg640,
+ msg641,
+ msg642,
+ msg643,
+ msg644,
+ msg645,
+ msg646,
+ msg647,
+ msg648,
+ msg649,
+ msg650,
+ ]);
+
+ var part1081 = match("MESSAGE#641:00036", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key%{}", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg651 = msg("00036", part1081);
+
+ var part1082 = match("MESSAGE#642:00036:01/0", "nwparser.payload", "%{fld2->} license keys were updated successfully by %{p0}");
+
+ var part1083 = match("MESSAGE#642:00036:01/1_1", "nwparser.p0", "manual %{p0}");
+
+ var select233 = linear_select([
+ dup214,
+ part1083,
+ ]);
+
+ var part1084 = match("MESSAGE#642:00036:01/2", "nwparser.p0", "retrieval%{}");
+
+ var all223 = all_match({
+ processors: [
+ part1082,
+ select233,
+ part1084,
+ ],
+ on_success: processor_chain([
+ dup254,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg652 = msg("00036:01", all223);
+
+ var select234 = linear_select([
+ msg651,
+ msg652,
+ ]);
+
+ var part1085 = match("MESSAGE#643:00037/0", "nwparser.payload", "Intra-zone block for zone %{zone->} was set to o%{p0}");
+
+ var part1086 = match("MESSAGE#643:00037/1_0", "nwparser.p0", "n%{}");
+
+ var part1087 = match("MESSAGE#643:00037/1_1", "nwparser.p0", "ff%{}");
+
+ var select235 = linear_select([
+ part1086,
+ part1087,
+ ]);
+
+ var all224 = all_match({
+ processors: [
+ part1085,
+ select235,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg653 = msg("00037", all224);
+
+ var part1088 = match("MESSAGE#644:00037:01/0", "nwparser.payload", "New zone %{zone->} ( %{p0}");
+
+ var select236 = linear_select([
+ dup255,
+ dup256,
+ ]);
+
+ var part1089 = match("MESSAGE#644:00037:01/2", "nwparser.p0", "%{fld2}) was created.%{p0}");
+
+ var all225 = all_match({
+ processors: [
+ part1088,
+ select236,
+ part1089,
+ dup351,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg654 = msg("00037:01", all225);
+
+ var part1090 = match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was bound to out zone %{dst_zone}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg655 = msg("00037:02", part1090);
+
+ var part1091 = match("MESSAGE#646:00037:03/1_0", "nwparser.p0", "was was %{p0}");
+
+ var part1092 = match("MESSAGE#646:00037:03/1_1", "nwparser.p0", "%{zone->} was %{p0}");
+
+ var select237 = linear_select([
+ part1091,
+ part1092,
+ ]);
+
+ var part1093 = match("MESSAGE#646:00037:03/3", "nwparser.p0", "virtual router %{p0}");
+
+ var part1094 = match("MESSAGE#646:00037:03/4_0", "nwparser.p0", "%{node->} (%{fld1})");
+
+ var part1095 = match("MESSAGE#646:00037:03/4_1", "nwparser.p0", "%{node}.");
+
+ var select238 = linear_select([
+ part1094,
+ part1095,
+ ]);
+
+ var all226 = all_match({
+ processors: [
+ dup113,
+ select237,
+ dup371,
+ part1093,
+ select238,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg656 = msg("00037:03", all226);
+
+ var part1096 = match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to non-shared.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg657 = msg("00037:04", part1096);
+
+ var part1097 = match("MESSAGE#648:00037:05/0", "nwparser.payload", "Zone %{zone->} ( %{p0}");
+
+ var select239 = linear_select([
+ dup256,
+ dup255,
+ ]);
+
+ var part1098 = match("MESSAGE#648:00037:05/2", "nwparser.p0", "%{fld2}) was deleted. %{p0}");
+
+ var part1099 = match_copy("MESSAGE#648:00037:05/3_1", "nwparser.p0", "space");
+
+ var select240 = linear_select([
+ dup10,
+ part1099,
+ ]);
+
+ var all227 = all_match({
+ processors: [
+ part1097,
+ select239,
+ part1098,
+ select240,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg658 = msg("00037:05", all227);
+
+ var part1100 = match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was %{disposition->} on zone %{zone}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg659 = msg("00037:06", part1100);
+
+ var select241 = linear_select([
+ msg653,
+ msg654,
+ msg655,
+ msg656,
+ msg657,
+ msg658,
+ msg659,
+ ]);
+
+ var part1101 = match("MESSAGE#650:00038/0", "nwparser.payload", "OSPF routing instance in vrouter %{p0}");
+
+ var part1102 = match("MESSAGE#650:00038/1_0", "nwparser.p0", "%{node->} is %{p0}");
+
+ var part1103 = match("MESSAGE#650:00038/1_1", "nwparser.p0", "%{node->} %{p0}");
+
+ var select242 = linear_select([
+ part1102,
+ part1103,
+ ]);
+
+ var all228 = all_match({
+ processors: [
+ part1101,
+ select242,
+ dup36,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg660 = msg("00038", all228);
+
+ var part1104 = match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr %{node}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg661 = msg("00039", part1104);
+
+ var part1105 = match("MESSAGE#652:00040/0_0", "nwparser.payload", "Low watermark%{p0}");
+
+ var part1106 = match("MESSAGE#652:00040/0_1", "nwparser.payload", "High watermark%{p0}");
+
+ var select243 = linear_select([
+ part1105,
+ part1106,
+ ]);
+
+ var part1107 = match("MESSAGE#652:00040/1", "nwparser.p0", "%{}for early aging has been changed to the default %{fld2}");
+
+ var all229 = all_match({
+ processors: [
+ select243,
+ part1107,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg662 = msg("00040", all229);
+
+ var part1108 = match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg663 = msg("00040:01", part1108);
+
+ var select244 = linear_select([
+ msg662,
+ msg663,
+ ]);
+
+ var part1109 = match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual router %{node->} has been removed", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg664 = msg("00041", part1109);
+
+ var part1110 = match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg665 = msg("00041:01", part1110);
+
+ var select245 = linear_select([
+ msg664,
+ msg665,
+ ]);
+
+ var part1111 = match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec tunnel on %{interface->} with tunnel ID %{fld2}! From %{saddr->} to %{daddr}/%{dport}, %{info->} (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg666 = msg("00042", part1111);
+
+ var part1112 = match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup9,
+ dup4,
+ dup5,
+ dup60,
+ ]));
+
+ var msg667 = msg("00042:01", part1112);
+
+ var select246 = linear_select([
+ msg666,
+ msg667,
+ ]);
+
+ var part1113 = match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp tunnel (%{fld2}-%{fld3}), Result code %{resultcode->} (%{result}). (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg668 = msg("00043", part1113);
+
+ var part1114 = match("MESSAGE#659:00044/0", "nwparser.payload", "access list %{listnum->} sequence number %{fld3->} %{p0}");
+
+ var part1115 = match("MESSAGE#659:00044/1_1", "nwparser.p0", "deny %{p0}");
+
+ var select247 = linear_select([
+ dup257,
+ part1115,
+ ]);
+
+ var part1116 = match("MESSAGE#659:00044/2", "nwparser.p0", "ip %{hostip}/%{mask->} %{disposition->} in vrouter %{node}");
+
+ var all230 = all_match({
+ processors: [
+ part1114,
+ select247,
+ part1116,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg669 = msg("00044", all230);
+
+ var part1117 = match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{disposition->} in vrouter %{node}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg670 = msg("00044:01", part1117);
+
+ var select248 = linear_select([
+ msg669,
+ msg670,
+ ]);
+
+ var part1118 = match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router %{node->} was %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg671 = msg("00045", part1118);
+
+ var part1119 = match("MESSAGE#662:00047/1_0", "nwparser.p0", "remove %{p0}");
+
+ var part1120 = match("MESSAGE#662:00047/1_1", "nwparser.p0", "add %{p0}");
+
+ var select249 = linear_select([
+ part1119,
+ part1120,
+ ]);
+
+ var part1121 = match("MESSAGE#662:00047/2", "nwparser.p0", "multicast policy from %{src_zone->} %{fld4->} to %{dst_zone->} %{fld3->} (%{fld1})");
+
+ var all231 = all_match({
+ processors: [
+ dup183,
+ select249,
+ part1121,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg672 = msg("00047", all231);
+
+ var part1122 = match("MESSAGE#663:00048/0", "nwparser.payload", "Access list entry %{listnum->} with %{p0}");
+
+ var part1123 = match("MESSAGE#663:00048/1_0", "nwparser.p0", "a sequence %{p0}");
+
+ var part1124 = match("MESSAGE#663:00048/1_1", "nwparser.p0", "sequence %{p0}");
+
+ var select250 = linear_select([
+ part1123,
+ part1124,
+ ]);
+
+ var part1125 = match("MESSAGE#663:00048/2", "nwparser.p0", "number %{fld2->} %{p0}");
+
+ var part1126 = match("MESSAGE#663:00048/3_0", "nwparser.p0", "with an action of %{p0}");
+
+ var select251 = linear_select([
+ part1126,
+ dup112,
+ ]);
+
+ var part1127 = match("MESSAGE#663:00048/5_0", "nwparser.p0", "with an IP %{p0}");
+
+ var select252 = linear_select([
+ part1127,
+ dup139,
+ ]);
+
+ var part1128 = match("MESSAGE#663:00048/6", "nwparser.p0", "address %{p0}");
+
+ var part1129 = match("MESSAGE#663:00048/7_0", "nwparser.p0", "and subnetwork mask of %{p0}");
+
+ var select253 = linear_select([
+ part1129,
+ dup16,
+ ]);
+
+ var part1130 = match("MESSAGE#663:00048/8", "nwparser.p0", "%{} %{fld3}was %{p0}");
+
+ var part1131 = match("MESSAGE#663:00048/9_0", "nwparser.p0", "created on %{p0}");
+
+ var select254 = linear_select([
+ part1131,
+ dup129,
+ ]);
+
+ var part1132 = match("MESSAGE#663:00048/10", "nwparser.p0", "virtual router %{node->} (%{fld1})");
+
+ var all232 = all_match({
+ processors: [
+ part1122,
+ select250,
+ part1125,
+ select251,
+ dup257,
+ select252,
+ part1128,
+ select253,
+ part1130,
+ select254,
+ part1132,
+ ],
+ on_success: processor_chain([
+ setc("eventcategory","1501000000"),
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg673 = msg("00048", all232);
+
+ var part1133 = match("MESSAGE#664:00048:01/0", "nwparser.payload", "Route %{p0}");
+
+ var part1134 = match("MESSAGE#664:00048:01/1_0", "nwparser.p0", "map entry %{p0}");
+
+ var part1135 = match("MESSAGE#664:00048:01/1_1", "nwparser.p0", "entry %{p0}");
+
+ var select255 = linear_select([
+ part1134,
+ part1135,
+ ]);
+
+ var part1136 = match("MESSAGE#664:00048:01/2", "nwparser.p0", "with sequence number %{fld2->} in route map binck-ospf%{p0}");
+
+ var part1137 = match("MESSAGE#664:00048:01/3_0", "nwparser.p0", " in %{p0}");
+
+ var select256 = linear_select([
+ part1137,
+ dup105,
+ ]);
+
+ var part1138 = match("MESSAGE#664:00048:01/4", "nwparser.p0", "virtual router %{node->} was %{disposition->} (%{fld1})");
+
+ var all233 = all_match({
+ processors: [
+ part1133,
+ select255,
+ part1136,
+ select256,
+ part1138,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg674 = msg("00048:01", all233);
+
+ var part1139 = match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface %{interface->} (%{fld1})", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg675 = msg("00048:02", part1139);
+
+ var select257 = linear_select([
+ msg673,
+ msg674,
+ msg675,
+ ]);
+
+ var part1140 = match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed to %{fld8->} (%{fld2}) => %{fld3->} (%{fld4}) => %{fld5->} (%{fld6}) in virtual router (%{node})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg676 = msg("00049", part1140);
+
+ var part1141 = match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} in virtual router %{node}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg677 = msg("00049:01", part1141);
+
+ var part1142 = match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{node->} and ID %{fld2->} has been removed", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg678 = msg("00049:02", part1142);
+
+ var part1143 = match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual router \"%{node}\" used by OSPF, BGP routing instances id has been uninitialized. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg679 = msg("00049:03", part1143);
+
+ var part1144 = match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route through virtual router \"%{node}\" has been added in virtual router \"%{fld4}\" (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg680 = msg("00049:04", part1144);
+
+ var part1145 = match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking for interfaces in virtual router (%{node}) has been enabled. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg681 = msg("00049:05", part1145);
+
+ var select258 = linear_select([
+ msg676,
+ msg677,
+ msg678,
+ msg679,
+ msg680,
+ msg681,
+ ]);
+
+ var part1146 = match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg682 = msg("00050", part1146);
+
+ var part1147 = match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached %{fld2}, which is %{fld3->} of the system capacity!", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg683 = msg("00051", part1147);
+
+ var part1148 = match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:%{sport}->%{daddr}:%{dport->} used %{fld2->} percent of AV resources, which exceeded the max of %{fld3->} percent.", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg684 = msg("00052", part1148);
+
+ var part1149 = match("MESSAGE#675:00055/1_1", "nwparser.p0", "router %{p0}");
+
+ var select259 = linear_select([
+ dup169,
+ part1149,
+ ]);
+
+ var part1150 = match("MESSAGE#675:00055/2", "nwparser.p0", "instance was %{disposition->} on interface %{interface}.");
+
+ var all234 = all_match({
+ processors: [
+ dup258,
+ select259,
+ part1150,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg685 = msg("00055", all234);
+
+ var part1151 = match("MESSAGE#676:00055:01/1_0", "nwparser.p0", "proxy %{p0}");
+
+ var part1152 = match("MESSAGE#676:00055:01/1_1", "nwparser.p0", "function %{p0}");
+
+ var select260 = linear_select([
+ part1151,
+ part1152,
+ ]);
+
+ var part1153 = match("MESSAGE#676:00055:01/2", "nwparser.p0", "was %{disposition->} on interface %{interface}.");
+
+ var all235 = all_match({
+ processors: [
+ dup258,
+ select260,
+ part1153,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg686 = msg("00055:01", all235);
+
+ var part1154 = match("MESSAGE#677:00055:02/2", "nwparser.p0", "same subnet check on interface %{interface}.");
+
+ var all236 = all_match({
+ processors: [
+ dup259,
+ dup389,
+ part1154,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg687 = msg("00055:02", all236);
+
+ var part1155 = match("MESSAGE#678:00055:03/2", "nwparser.p0", "router alert IP option check on interface %{interface}.");
+
+ var all237 = all_match({
+ processors: [
+ dup259,
+ dup389,
+ part1155,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg688 = msg("00055:03", all237);
+
+ var part1156 = match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to %{version->} on interface %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg689 = msg("00055:04", part1156);
+
+ var part1157 = match("MESSAGE#680:00055:05/0", "nwparser.payload", "IGMP query %{p0}");
+
+ var part1158 = match("MESSAGE#680:00055:05/1_1", "nwparser.p0", "max response time %{p0}");
+
+ var select261 = linear_select([
+ dup110,
+ part1158,
+ ]);
+
+ var part1159 = match("MESSAGE#680:00055:05/2", "nwparser.p0", "was changed to %{fld2->} on interface %{interface}");
+
+ var all238 = all_match({
+ processors: [
+ part1157,
+ select261,
+ part1159,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg690 = msg("00055:05", all238);
+
+ var part1160 = match("MESSAGE#681:00055:06/0", "nwparser.payload", "IGMP l%{p0}");
+
+ var part1161 = match("MESSAGE#681:00055:06/1_0", "nwparser.p0", "eave %{p0}");
+
+ var part1162 = match("MESSAGE#681:00055:06/1_1", "nwparser.p0", "ast member query %{p0}");
+
+ var select262 = linear_select([
+ part1161,
+ part1162,
+ ]);
+
+ var part1163 = match("MESSAGE#681:00055:06/2", "nwparser.p0", "interval was changed to %{fld2->} on interface %{interface}.");
+
+ var all239 = all_match({
+ processors: [
+ part1160,
+ select262,
+ part1163,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg691 = msg("00055:06", all239);
+
+ var part1164 = match("MESSAGE#682:00055:07/1_0", "nwparser.p0", "routers %{p0}");
+
+ var part1165 = match("MESSAGE#682:00055:07/1_1", "nwparser.p0", "hosts %{p0}");
+
+ var part1166 = match("MESSAGE#682:00055:07/1_2", "nwparser.p0", "groups %{p0}");
+
+ var select263 = linear_select([
+ part1164,
+ part1165,
+ part1166,
+ ]);
+
+ var part1167 = match("MESSAGE#682:00055:07/2", "nwparser.p0", "accept list ID was changed to %{fld2->} on interface %{interface}.");
+
+ var all240 = all_match({
+ processors: [
+ dup258,
+ select263,
+ part1167,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg692 = msg("00055:07", all240);
+
+ var part1168 = match("MESSAGE#683:00055:08/1_0", "nwparser.p0", "all groups %{p0}");
+
+ var part1169 = match("MESSAGE#683:00055:08/1_1", "nwparser.p0", "group %{p0}");
+
+ var select264 = linear_select([
+ part1168,
+ part1169,
+ ]);
+
+ var part1170 = match("MESSAGE#683:00055:08/2", "nwparser.p0", "%{group->} static flag was %{disposition->} on interface %{interface}.");
+
+ var all241 = all_match({
+ processors: [
+ dup258,
+ select264,
+ part1170,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg693 = msg("00055:08", all241);
+
+ var part1171 = match("MESSAGE#684:00055:09", "nwparser.payload", "IGMP static group %{group->} was added on interface %{interface}", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg694 = msg("00055:09", part1171);
+
+ var part1172 = match("MESSAGE#685:00055:10", "nwparser.payload", "IGMP proxy always is %{disposition->} on interface %{interface}.", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg695 = msg("00055:10", part1172);
+
+ var select265 = linear_select([
+ msg685,
+ msg686,
+ msg687,
+ msg688,
+ msg689,
+ msg690,
+ msg691,
+ msg692,
+ msg693,
+ msg694,
+ msg695,
+ ]);
+
+ var part1173 = match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{src_zone->} %{saddr->} to %{dst_zone->} %{daddr}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg696 = msg("00056", part1173);
+
+ var part1174 = match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route src=%{saddr}, grp=%{group->} input ifp = %{sinterface->} output ifp = %{dinterface->} added", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg697 = msg("00057", part1174);
+
+ var part1175 = match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on interface %{interface}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg698 = msg("00058", part1175);
+
+ var part1176 = match("MESSAGE#689:00059/0", "nwparser.payload", "DDNS module is %{p0}");
+
+ var part1177 = match("MESSAGE#689:00059/1_0", "nwparser.p0", "initialized %{p0}");
+
+ var select266 = linear_select([
+ part1177,
+ dup262,
+ dup157,
+ dup156,
+ ]);
+
+ var all242 = all_match({
+ processors: [
+ part1176,
+ select266,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg699 = msg("00059", all242);
+
+ var part1178 = match("MESSAGE#690:00059:02/0", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with server type \"%{fld3}\" name \"%{hostname}\" refresh-interval %{fld5->} hours minimum update interval %{fld6->} minutes with %{p0}");
+
+ var part1179 = match("MESSAGE#690:00059:02/1_0", "nwparser.p0", "secure %{p0}");
+
+ var part1180 = match("MESSAGE#690:00059:02/1_1", "nwparser.p0", "clear-text %{p0}");
+
+ var select267 = linear_select([
+ part1179,
+ part1180,
+ ]);
+
+ var part1181 = match("MESSAGE#690:00059:02/2", "nwparser.p0", "secure connection.%{}");
+
+ var all243 = all_match({
+ processors: [
+ part1178,
+ select267,
+ part1181,
+ ],
+ on_success: processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg700 = msg("00059:02", all243);
+
+ var part1182 = match("MESSAGE#691:00059:03", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with user name \"%{username}\" agent \"%{fld3}\"", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg701 = msg("00059:03", part1182);
+
+ var part1183 = match("MESSAGE#692:00059:04", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with interface \"%{interface}\" host-name \"%{hostname}\"", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg702 = msg("00059:04", part1183);
+
+ var part1184 = match("MESSAGE#693:00059:05/0_0", "nwparser.payload", "Hostname %{p0}");
+
+ var part1185 = match("MESSAGE#693:00059:05/0_1", "nwparser.payload", "Source interface %{p0}");
+
+ var part1186 = match("MESSAGE#693:00059:05/0_2", "nwparser.payload", "Username and password %{p0}");
+
+ var part1187 = match("MESSAGE#693:00059:05/0_3", "nwparser.payload", "Server %{p0}");
+
+ var select268 = linear_select([
+ part1184,
+ part1185,
+ part1186,
+ part1187,
+ ]);
+
+ var part1188 = match("MESSAGE#693:00059:05/1", "nwparser.p0", "of DDNS entry with id %{fld2->} is cleared.");
+
+ var all244 = all_match({
+ processors: [
+ select268,
+ part1188,
+ ],
+ on_success: processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg703 = msg("00059:05", all244);
+
+ var part1189 = match("MESSAGE#694:00059:06", "nwparser.payload", "Agent of DDNS entry with id %{fld2->} is reset to its default value.", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg704 = msg("00059:06", part1189);
+
+ var part1190 = match("MESSAGE#695:00059:07", "nwparser.payload", "Updates for DDNS entry with id %{fld2->} are set to be sent in secure (%{protocol}) mode.", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg705 = msg("00059:07", part1190);
+
+ var part1191 = match("MESSAGE#696:00059:08/0_0", "nwparser.payload", "Refresh %{p0}");
+
+ var part1192 = match("MESSAGE#696:00059:08/0_1", "nwparser.payload", "Minimum update %{p0}");
+
+ var select269 = linear_select([
+ part1191,
+ part1192,
+ ]);
+
+ var part1193 = match("MESSAGE#696:00059:08/1", "nwparser.p0", "interval of DDNS entry with id %{fld2->} is set to default value (%{fld3}).");
+
+ var all245 = all_match({
+ processors: [
+ select269,
+ part1193,
+ ],
+ on_success: processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg706 = msg("00059:08", all245);
+
+ var part1194 = match("MESSAGE#697:00059:09/1_0", "nwparser.p0", "No-Change %{p0}");
+
+ var part1195 = match("MESSAGE#697:00059:09/1_1", "nwparser.p0", "Error %{p0}");
+
+ var select270 = linear_select([
+ part1194,
+ part1195,
+ ]);
+
+ var part1196 = match("MESSAGE#697:00059:09/2", "nwparser.p0", "response received for DDNS entry update for id %{fld2->} user \"%{username}\" domain \"%{domain}\" server type \" d%{p0}");
+
+ var part1197 = match("MESSAGE#697:00059:09/3_1", "nwparser.p0", "yndns %{p0}");
+
+ var select271 = linear_select([
+ dup261,
+ part1197,
+ ]);
+
+ var part1198 = match("MESSAGE#697:00059:09/4", "nwparser.p0", "\", server name \"%{hostname}\"");
+
+ var all246 = all_match({
+ processors: [
+ dup160,
+ select270,
+ part1196,
+ select271,
+ part1198,
+ ],
+ on_success: processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg707 = msg("00059:09", all246);
+
+ var part1199 = match("MESSAGE#698:00059:01", "nwparser.payload", "DDNS entry with id %{fld2->} is %{disposition}.", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg708 = msg("00059:01", part1199);
+
+ var select272 = linear_select([
+ msg699,
+ msg700,
+ msg701,
+ msg702,
+ msg703,
+ msg704,
+ msg705,
+ msg706,
+ msg707,
+ msg708,
+ ]);
+
+ var part1200 = match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip->} failed. (%{event_time_string})", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("event_description","Track IP failed"),
+ ]));
+
+ var msg709 = msg("00062:01", part1200);
+
+ var part1201 = match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached threshold. (%{event_time_string})", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("event_description","Track IP failure reached threshold"),
+ ]));
+
+ var msg710 = msg("00062:02", part1201);
+
+ var part1202 = match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip->} succeeded. (%{event_time_string})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("event_description","Track IP succeeded"),
+ ]));
+
+ var msg711 = msg("00062:03", part1202);
+
+ var part1203 = match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg712 = msg("00062", part1203);
+
+ var select273 = linear_select([
+ msg709,
+ msg710,
+ msg711,
+ msg712,
+ ]);
+
+ var part1204 = match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{disposition}!", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg713 = msg("00063", part1204);
+
+ var part1205 = match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg714 = msg("00064", part1205);
+
+ var part1206 = match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches threshold system may fail over!%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg715 = msg("00064:01", part1206);
+
+ var part1207 = match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from policy ID %{policy_id}. (%{fld1})", processor_chain([
+ dup17,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg716 = msg("00064:02", part1207);
+
+ var select274 = linear_select([
+ msg714,
+ msg715,
+ msg716,
+ ]);
+
+ var msg717 = msg("00070", dup411);
+
+ var part1208 = match("MESSAGE#708:00070:01/2", "nwparser.p0", "%{}Device group %{group->} changed state from %{fld3->} to %{p0}");
+
+ var part1209 = match("MESSAGE#708:00070:01/3_0", "nwparser.p0", "Init%{}");
+
+ var part1210 = match("MESSAGE#708:00070:01/3_1", "nwparser.p0", "init. (%{fld1})");
+
+ var select275 = linear_select([
+ part1209,
+ part1210,
+ ]);
+
+ var all247 = all_match({
+ processors: [
+ dup267,
+ dup391,
+ part1208,
+ select275,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg718 = msg("00070:01", all247);
+
+ var part1211 = match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel change to %{interface}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg719 = msg("00070:02", part1211);
+
+ var select276 = linear_select([
+ msg717,
+ msg718,
+ msg719,
+ ]);
+
+ var msg720 = msg("00071", dup411);
+
+ var part1212 = match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in the Virtual Security Device group %{group->} changed state", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg721 = msg("00071:01", part1212);
+
+ var select277 = linear_select([
+ msg720,
+ msg721,
+ ]);
+
+ var msg722 = msg("00072", dup411);
+
+ var msg723 = msg("00072:01", dup412);
+
+ var select278 = linear_select([
+ msg722,
+ msg723,
+ ]);
+
+ var msg724 = msg("00073", dup411);
+
+ var msg725 = msg("00073:01", dup412);
+
+ var select279 = linear_select([
+ msg724,
+ msg725,
+ ]);
+
+ var msg726 = msg("00074", dup392);
+
+ var all248 = all_match({
+ processors: [
+ dup263,
+ dup390,
+ dup271,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg727 = msg("00075", all248);
+
+ var part1213 = match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} changed state from %{event_state->} to inoperable. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ setc("event_description","local device in the Virtual Security Device group changed state to inoperable"),
+ ]));
+
+ var msg728 = msg("00075:02", part1213);
+
+ var part1214 = match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg729 = msg("00075:01", part1214);
+
+ var select280 = linear_select([
+ msg727,
+ msg728,
+ msg729,
+ ]);
+
+ var msg730 = msg("00076", dup392);
+
+ var part1215 = match("MESSAGE#721:00076:01/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} send 2nd path request to unit=%{fld3}");
+
+ var all249 = all_match({
+ processors: [
+ dup263,
+ dup390,
+ part1215,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg731 = msg("00076:01", all249);
+
+ var select281 = linear_select([
+ msg730,
+ msg731,
+ ]);
+
+ var part1216 = match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. Begin to use second path of HA%{}", processor_chain([
+ dup144,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg732 = msg("00077", part1216);
+
+ var all250 = all_match({
+ processors: [
+ dup263,
+ dup390,
+ dup271,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg733 = msg("00077:01", all250);
+
+ var part1217 = match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group}", processor_chain([
+ setc("eventcategory","1607000000"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg734 = msg("00077:02", part1217);
+
+ var select282 = linear_select([
+ msg732,
+ msg733,
+ msg734,
+ ]);
+
+ var part1218 = match("MESSAGE#725:00084", "nwparser.payload", "RTSYNC: NSRP route synchronization is %{disposition}", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg735 = msg("00084", part1218);
+
+ var part1219 = match("MESSAGE#726:00090/0_0", "nwparser.payload", "Failover %{p0}");
+
+ var part1220 = match("MESSAGE#726:00090/0_1", "nwparser.payload", "Recovery %{p0}");
+
+ var select283 = linear_select([
+ part1219,
+ part1220,
+ ]);
+
+ var part1221 = match("MESSAGE#726:00090/3", "nwparser.p0", "untrust interface occurred.%{}");
+
+ var all251 = all_match({
+ processors: [
+ select283,
+ dup103,
+ dup369,
+ part1221,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg736 = msg("00090", all251);
+
+ var part1222 = match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to the device because the maximum number of system route entries %{fld2->} has been exceeded", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg737 = msg("00200", part1222);
+
+ var part1223 = match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cannot be added to the virtual router %{node->} because the number of route entries in the virtual router exceeds the maximum number of routes %{fld3->} allowed", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg738 = msg("00201", part1223);
+
+ var part1224 = match("MESSAGE#729:00202", "nwparser.payload", "%{fld2->} hello-packet flood from neighbor (ip = %{hostip->} router-id = %{fld3}) on interface %{interface->} packet is dropped", processor_chain([
+ dup272,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg739 = msg("00202", part1224);
+
+ var part1225 = match("MESSAGE#730:00203", "nwparser.payload", "%{fld2->} lsa flood on interface %{interface->} has dropped a packet.", processor_chain([
+ dup272,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg740 = msg("00203", part1225);
+
+ var part1226 = match("MESSAGE#731:00206/0", "nwparser.payload", "The total number of redistributed routes into %{p0}");
+
+ var part1227 = match("MESSAGE#731:00206/1_0", "nwparser.p0", "BGP %{p0}");
+
+ var part1228 = match("MESSAGE#731:00206/1_1", "nwparser.p0", "OSPF %{p0}");
+
+ var select284 = linear_select([
+ part1227,
+ part1228,
+ ]);
+
+ var part1229 = match("MESSAGE#731:00206/2", "nwparser.p0", "in vrouter %{node->} exceeded system limit (%{fld2})");
+
+ var all252 = all_match({
+ processors: [
+ part1226,
+ select284,
+ part1229,
+ ],
+ on_success: processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg741 = msg("00206", all252);
+
+ var part1230 = match("MESSAGE#732:00206:01/0", "nwparser.payload", "LSA flood in OSPF with router-id %{fld2->} on %{p0}");
+
+ var part1231 = match("MESSAGE#732:00206:01/2", "nwparser.p0", "%{interface->} forced the interface to drop a packet.");
+
+ var all253 = all_match({
+ processors: [
+ part1230,
+ dup352,
+ part1231,
+ ],
+ on_success: processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg742 = msg("00206:01", all253);
+
+ var part1232 = match("MESSAGE#733:00206:02/0", "nwparser.payload", "OSPF instance with router-id %{fld3->} received a Hello packet flood from neighbor (IP address %{hostip}, router ID %{fld2}) on %{p0}");
+
+ var part1233 = match("MESSAGE#733:00206:02/2", "nwparser.p0", "%{interface->} forcing the interface to drop the packet.");
+
+ var all254 = all_match({
+ processors: [
+ part1232,
+ dup352,
+ part1233,
+ ],
+ on_success: processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg743 = msg("00206:02", all254);
+
+ var part1234 = match("MESSAGE#734:00206:03", "nwparser.payload", "Link State Advertisement Id %{fld2}, router ID %{fld3}, type %{fld4->} cannot be deleted from the real-time database in area %{fld5}", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg744 = msg("00206:03", part1234);
+
+ var part1235 = match("MESSAGE#735:00206:04", "nwparser.payload", "Reject second OSPF neighbor (%{fld2}) on interface (%{interface}) since it_s configured as point-to-point interface", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg745 = msg("00206:04", part1235);
+
+ var select285 = linear_select([
+ msg741,
+ msg742,
+ msg743,
+ msg744,
+ msg745,
+ ]);
+
+ var part1236 = match("MESSAGE#736:00207", "nwparser.payload", "System wide RIP route limit exceeded, RIP route dropped.%{}", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg746 = msg("00207", part1236);
+
+ var part1237 = match("MESSAGE#737:00207:01", "nwparser.payload", "%{fld2->} RIP routes dropped from last system wide RIP route limit exceed.", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg747 = msg("00207:01", part1237);
+
+ var part1238 = match("MESSAGE#738:00207:02", "nwparser.payload", "RIP database size limit exceeded for %{fld2}, RIP route dropped.", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg748 = msg("00207:02", part1238);
+
+ var part1239 = match("MESSAGE#739:00207:03", "nwparser.payload", "%{fld2->} RIP routes dropped from the last database size exceed in vr %{fld3}.", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg749 = msg("00207:03", part1239);
+
+ var select286 = linear_select([
+ msg746,
+ msg747,
+ msg748,
+ msg749,
+ ]);
+
+ var part1240 = match("MESSAGE#740:00257", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup276,
+ dup277,
+ dup278,
+ ]));
+
+ var msg750 = msg("00257", part1240);
+
+ var part1241 = match("MESSAGE#741:00257:14", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup279,
+ dup276,
+ dup277,
+ dup280,
+ ]));
+
+ var msg751 = msg("00257:14", part1241);
+
+ var part1242 = match("MESSAGE#742:00257:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup282,
+ dup278,
+ ]));
+
+ var msg752 = msg("00257:01", part1242);
+
+ var part1243 = match("MESSAGE#743:00257:15", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup279,
+ dup282,
+ dup280,
+ ]));
+
+ var msg753 = msg("00257:15", part1243);
+
+ var part1244 = match("MESSAGE#744:00257:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup276,
+ dup277,
+ ]));
+
+ var msg754 = msg("00257:02", part1244);
+
+ var part1245 = match("MESSAGE#745:00257:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup282,
+ ]));
+
+ var msg755 = msg("00257:03", part1245);
+
+ var part1246 = match("MESSAGE#746:00257:04", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup276,
+ dup277,
+ ]));
+
+ var msg756 = msg("00257:04", part1246);
+
+ var part1247 = match("MESSAGE#747:00257:05", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid->} reason=%{result}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup282,
+ ]));
+
+ var msg757 = msg("00257:05", part1247);
+
+ var part1248 = match("MESSAGE#748:00257:19/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} icmp code=%{icmpcode->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid->} reason=%{result}");
+
+ var all255 = all_match({
+ processors: [
+ dup283,
+ dup393,
+ part1248,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup282,
+ ]),
+ });
+
+ var msg758 = msg("00257:19", all255);
+
+ var part1249 = match("MESSAGE#749:00257:16/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid}");
+
+ var all256 = all_match({
+ processors: [
+ dup283,
+ dup393,
+ part1249,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup282,
+ ]),
+ });
+
+ var msg759 = msg("00257:16", all256);
+
+ var part1250 = match("MESSAGE#750:00257:17/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid}");
+
+ var all257 = all_match({
+ processors: [
+ dup283,
+ dup393,
+ part1250,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup282,
+ ]),
+ });
+
+ var msg760 = msg("00257:17", all257);
+
+ var part1251 = match("MESSAGE#751:00257:18/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} session_id=%{sessionid}");
+
+ var all258 = all_match({
+ processors: [
+ dup283,
+ dup393,
+ part1251,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup282,
+ ]),
+ });
+
+ var msg761 = msg("00257:18", all258);
+
+ var part1252 = match("MESSAGE#752:00257:06/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{p0}");
+
+ var part1253 = match("MESSAGE#752:00257:06/1_0", "nwparser.p0", "%{dport->} session_id=%{sessionid}");
+
+ var part1254 = match_copy("MESSAGE#752:00257:06/1_1", "nwparser.p0", "dport");
+
+ var select287 = linear_select([
+ part1253,
+ part1254,
+ ]);
+
+ var all259 = all_match({
+ processors: [
+ part1252,
+ select287,
+ ],
+ on_success: processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup276,
+ dup277,
+ ]),
+ });
+
+ var msg762 = msg("00257:06", all259);
+
+ var part1255 = match("MESSAGE#753:00257:07", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup61,
+ dup282,
+ ]));
+
+ var msg763 = msg("00257:07", part1255);
+
+ var part1256 = match("MESSAGE#754:00257:08", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} tcp=%{icmptype}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup276,
+ dup277,
+ ]));
+
+ var msg764 = msg("00257:08", part1256);
+
+ var part1257 = match("MESSAGE#755:00257:09/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{p0}");
+
+ var part1258 = match("MESSAGE#755:00257:09/1_0", "nwparser.p0", "%{icmptype->} icmp code=%{icmpcode->} session_id=%{sessionid->} reason=%{result}");
+
+ var part1259 = match("MESSAGE#755:00257:09/1_1", "nwparser.p0", "%{icmptype->} session_id=%{sessionid}");
+
+ var part1260 = match_copy("MESSAGE#755:00257:09/1_2", "nwparser.p0", "icmptype");
+
+ var select288 = linear_select([
+ part1258,
+ part1259,
+ part1260,
+ ]);
+
+ var all260 = all_match({
+ processors: [
+ part1257,
+ select288,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup282,
+ ]),
+ });
+
+ var msg765 = msg("00257:09", all260);
+
+ var part1261 = match("MESSAGE#756:00257:10/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}");
+
+ var part1262 = match("MESSAGE#756:00257:10/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid}");
+
+ var select289 = linear_select([
+ part1262,
+ dup286,
+ ]);
+
+ var all261 = all_match({
+ processors: [
+ part1261,
+ select289,
+ ],
+ on_success: processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup276,
+ dup277,
+ ]),
+ });
+
+ var msg766 = msg("00257:10", all261);
+
+ var part1263 = match("MESSAGE#757:00257:11/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}");
+
+ var part1264 = match("MESSAGE#757:00257:11/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid->} reason=%{result}");
+
+ var select290 = linear_select([
+ part1264,
+ dup286,
+ ]);
+
+ var all262 = all_match({
+ processors: [
+ part1263,
+ select290,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup282,
+ ]),
+ });
+
+ var msg767 = msg("00257:11", all262);
+
+ var part1265 = match("MESSAGE#758:00257:12", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} type=%{fld3}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup274,
+ dup275,
+ dup60,
+ dup282,
+ ]));
+
+ var msg768 = msg("00257:12", part1265);
+
+ var part1266 = match("MESSAGE#759:00257:13", "nwparser.payload", "start_time=\"%{fld2}", processor_chain([
+ dup281,
+ dup2,
+ dup3,
+ dup274,
+ dup4,
+ dup5,
+ ]));
+
+ var msg769 = msg("00257:13", part1266);
+
+ var select291 = linear_select([
+ msg750,
+ msg751,
+ msg752,
+ msg753,
+ msg754,
+ msg755,
+ msg756,
+ msg757,
+ msg758,
+ msg759,
+ msg760,
+ msg761,
+ msg762,
+ msg763,
+ msg764,
+ msg765,
+ msg766,
+ msg767,
+ msg768,
+ msg769,
+ ]);
+
+ var part1267 = match("MESSAGE#760:00259/1", "nwparser.p0", "user %{username->} has logged on via %{p0}");
+
+ var part1268 = match("MESSAGE#760:00259/2_0", "nwparser.p0", "the console %{p0}");
+
+ var select292 = linear_select([
+ part1268,
+ dup289,
+ dup241,
+ ]);
+
+ var part1269 = match("MESSAGE#760:00259/3", "nwparser.p0", "from %{saddr}:%{sport}");
+
+ var all263 = all_match({
+ processors: [
+ dup394,
+ part1267,
+ select292,
+ part1269,
+ ],
+ on_success: processor_chain([
+ dup28,
+ dup29,
+ dup30,
+ dup31,
+ dup32,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg770 = msg("00259", all263);
+
+ var part1270 = match("MESSAGE#761:00259:07/1", "nwparser.p0", "user %{administrator->} has logged out via %{logon_type->} from %{saddr}:%{sport}");
+
+ var all264 = all_match({
+ processors: [
+ dup394,
+ part1270,
+ ],
+ on_success: processor_chain([
+ dup33,
+ dup29,
+ dup34,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg771 = msg("00259:07", all264);
+
+ var part1271 = match("MESSAGE#762:00259:01", "nwparser.payload", "Management session via %{logon_type->} from %{saddr}:%{sport->} for [vsys] admin %{administrator->} has timed out", processor_chain([
+ dup290,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg772 = msg("00259:01", part1271);
+
+ var part1272 = match("MESSAGE#763:00259:02", "nwparser.payload", "Management session via %{logon_type->} for [ vsys ] admin %{administrator->} has timed out", processor_chain([
+ dup290,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg773 = msg("00259:02", part1272);
+
+ var part1273 = match("MESSAGE#764:00259:03", "nwparser.payload", "Login attempt to system by admin %{administrator->} via the %{logon_type->} has failed", processor_chain([
+ dup206,
+ dup29,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg774 = msg("00259:03", part1273);
+
+ var part1274 = match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{logon_type->} from %{saddr}:%{sport->} has failed", processor_chain([
+ dup206,
+ dup29,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg775 = msg("00259:04", part1274);
+
+ var part1275 = match("MESSAGE#766:00259:05/0", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the %{p0}");
+
+ var part1276 = match("MESSAGE#766:00259:05/1_2", "nwparser.p0", "Web %{p0}");
+
+ var select293 = linear_select([
+ dup241,
+ dup289,
+ part1276,
+ ]);
+
+ var part1277 = match("MESSAGE#766:00259:05/2", "nwparser.p0", "session on host %{daddr}:%{dport}");
+
+ var all265 = all_match({
+ processors: [
+ part1275,
+ select293,
+ part1277,
+ ],
+ on_success: processor_chain([
+ dup290,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg776 = msg("00259:05", all265);
+
+ var part1278 = match("MESSAGE#767:00259:06", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the serial console session.", processor_chain([
+ dup290,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg777 = msg("00259:06", part1278);
+
+ var select294 = linear_select([
+ msg770,
+ msg771,
+ msg772,
+ msg773,
+ msg774,
+ msg775,
+ msg776,
+ msg777,
+ ]);
+
+ var part1279 = match("MESSAGE#768:00262", "nwparser.payload", "Admin user %{administrator->} has been rejected via the %{logon_type->} server at %{hostip}", processor_chain([
+ dup290,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg778 = msg("00262", part1279);
+
+ var part1280 = match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} has been accepted via the %{logon_type->} server at %{hostip}", processor_chain([
+ setc("eventcategory","1401050100"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg779 = msg("00263", part1280);
+
+ var part1281 = match("MESSAGE#770:00400/0_0", "nwparser.payload", "ActiveX control %{p0}");
+
+ var part1282 = match("MESSAGE#770:00400/0_1", "nwparser.payload", "JAVA applet %{p0}");
+
+ var part1283 = match("MESSAGE#770:00400/0_2", "nwparser.payload", "EXE file %{p0}");
+
+ var part1284 = match("MESSAGE#770:00400/0_3", "nwparser.payload", "ZIP file %{p0}");
+
+ var select295 = linear_select([
+ part1281,
+ part1282,
+ part1283,
+ part1284,
+ ]);
+
+ var part1285 = match("MESSAGE#770:00400/1", "nwparser.p0", "has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{dinterface->} in zone %{dst_zone}. %{info}");
+
+ var all266 = all_match({
+ processors: [
+ select295,
+ part1285,
+ ],
+ on_success: processor_chain([
+ setc("eventcategory","1003000000"),
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup61,
+ ]),
+ });
+
+ var msg780 = msg("00400", all266);
+
+ var part1286 = match("MESSAGE#771:00401", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([
+ dup85,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup291,
+ ]));
+
+ var msg781 = msg("00401", part1286);
+
+ var part1287 = match("MESSAGE#772:00402", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([
+ dup85,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup292,
+ ]));
+
+ var msg782 = msg("00402", part1287);
+
+ var part1288 = match("MESSAGE#773:00402:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at %{p0}");
+
+ var part1289 = match("MESSAGE#773:00402:01/2", "nwparser.p0", "%{} %{interface->} in zone %{zone}. %{info}");
+
+ var all267 = all_match({
+ processors: [
+ part1288,
+ dup337,
+ part1289,
+ ],
+ on_success: processor_chain([
+ dup85,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup292,
+ ]),
+ });
+
+ var msg783 = msg("00402:01", all267);
+
+ var select296 = linear_select([
+ msg782,
+ msg783,
+ ]);
+
+ var part1290 = match("MESSAGE#774:00403", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([
+ dup85,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup291,
+ ]));
+
+ var msg784 = msg("00403", part1290);
+
+ var part1291 = match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([
+ dup147,
+ dup148,
+ dup149,
+ dup150,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup292,
+ ]));
+
+ var msg785 = msg("00404", part1291);
+
+ var part1292 = match("MESSAGE#776:00405", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([
+ dup147,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup291,
+ ]));
+
+ var msg786 = msg("00405", part1292);
+
+ var msg787 = msg("00406", dup413);
+
+ var msg788 = msg("00407", dup413);
+
+ var msg789 = msg("00408", dup413);
+
+ var all268 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup293,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg790 = msg("00409", all268);
+
+ var msg791 = msg("00410", dup413);
+
+ var part1293 = match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup60,
+ ]));
+
+ var msg792 = msg("00410:01", part1293);
+
+ var select297 = linear_select([
+ msg791,
+ msg792,
+ ]);
+
+ var part1294 = match("MESSAGE#783:00411/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto TCP (zone %{zone->} %{p0}");
+
+ var all269 = all_match({
+ processors: [
+ part1294,
+ dup343,
+ dup293,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg793 = msg("00411", all269);
+
+ var part1295 = match("MESSAGE#784:00413/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at %{p0}");
+
+ var part1296 = match("MESSAGE#784:00413/2", "nwparser.p0", "%{} %{interface}.%{space}The attack occurred %{dclass_counter1->} times");
+
+ var all270 = all_match({
+ processors: [
+ part1295,
+ dup337,
+ part1296,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg794 = msg("00413", all270);
+
+ var part1297 = match("MESSAGE#785:00413:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}(zone %{group->} %{p0}");
+
+ var all271 = all_match({
+ processors: [
+ part1297,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ dup61,
+ ]),
+ });
+
+ var msg795 = msg("00413:01", all271);
+
+ var part1298 = match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup59,
+ dup5,
+ dup9,
+ ]));
+
+ var msg796 = msg("00413:02", part1298);
+
+ var select298 = linear_select([
+ msg794,
+ msg795,
+ msg796,
+ ]);
+
+ var part1299 = match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg797 = msg("00414", part1299);
+
+ var part1300 = match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup59,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg798 = msg("00414:01", part1300);
+
+ var select299 = linear_select([
+ msg797,
+ msg798,
+ ]);
+
+ var part1301 = match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg799 = msg("00415", part1301);
+
+ var all272 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup294,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg800 = msg("00423", all272);
+
+ var all273 = all_match({
+ processors: [
+ dup80,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup9,
+ dup59,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg801 = msg("00429", all273);
+
+ var all274 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup9,
+ dup59,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg802 = msg("00429:01", all274);
+
+ var select300 = linear_select([
+ msg801,
+ msg802,
+ ]);
+
+ var all275 = all_match({
+ processors: [
+ dup80,
+ dup343,
+ dup295,
+ dup351,
+ ],
+ on_success: processor_chain([
+ dup85,
+ dup2,
+ dup59,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var msg803 = msg("00430", all275);
+
+ var all276 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup295,
+ dup351,
+ ],
+ on_success: processor_chain([
+ dup85,
+ dup2,
+ dup59,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup60,
+ ]),
+ });
+
+ var msg804 = msg("00430:01", all276);
+
+ var select301 = linear_select([
+ msg803,
+ msg804,
+ ]);
+
+ var msg805 = msg("00431", dup414);
+
+ var msg806 = msg("00432", dup414);
+
+ var msg807 = msg("00433", dup415);
+
+ var msg808 = msg("00434", dup415);
+
+ var msg809 = msg("00435", dup395);
+
+ var all277 = all_match({
+ processors: [
+ dup132,
+ dup343,
+ dup294,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup59,
+ dup5,
+ dup3,
+ dup60,
+ ]),
+ });
+
+ var msg810 = msg("00435:01", all277);
+
+ var select302 = linear_select([
+ msg809,
+ msg810,
+ ]);
+
+ var msg811 = msg("00436", dup395);
+
+ var all278 = all_match({
+ processors: [
+ dup64,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup9,
+ dup4,
+ dup5,
+ dup3,
+ dup60,
+ ]),
+ });
+
+ var msg812 = msg("00436:01", all278);
+
+ var select303 = linear_select([
+ msg811,
+ msg812,
+ ]);
+
+ var part1302 = match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg813 = msg("00437", part1302);
+
+ var all279 = all_match({
+ processors: [
+ dup299,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ dup9,
+ ]),
+ });
+
+ var msg814 = msg("00437:01", all279);
+
+ var part1303 = match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ dup9,
+ ]));
+
+ var msg815 = msg("00437:02", part1303);
+
+ var select304 = linear_select([
+ msg813,
+ msg814,
+ msg815,
+ ]);
+
+ var part1304 = match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg816 = msg("00438", part1304);
+
+ var part1305 = match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg817 = msg("00438:01", part1305);
+
+ var all280 = all_match({
+ processors: [
+ dup299,
+ dup338,
+ dup67,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ dup61,
+ ]),
+ });
+
+ var msg818 = msg("00438:02", all280);
+
+ var select305 = linear_select([
+ msg816,
+ msg817,
+ msg818,
+ ]);
+
+ var part1306 = match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ dup60,
+ ]));
+
+ var msg819 = msg("00440", part1306);
+
+ var part1307 = match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup4,
+ dup5,
+ dup3,
+ dup61,
+ ]));
+
+ var msg820 = msg("00440:02", part1307);
+
+ var all281 = all_match({
+ processors: [
+ dup239,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup4,
+ dup5,
+ dup3,
+ dup9,
+ dup61,
+ ]),
+ });
+
+ var msg821 = msg("00440:01", all281);
+
+ var part1308 = match("MESSAGE#812:00440:03/0", "nwparser.payload", "Fragmented traffic! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{group->} %{p0}");
+
+ var all282 = all_match({
+ processors: [
+ part1308,
+ dup343,
+ dup83,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup4,
+ dup5,
+ dup3,
+ dup9,
+ dup60,
+ ]),
+ });
+
+ var msg822 = msg("00440:03", all282);
+
+ var select306 = linear_select([
+ msg819,
+ msg820,
+ msg821,
+ msg822,
+ ]);
+
+ var part1309 = match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup4,
+ dup59,
+ dup5,
+ dup9,
+ dup2,
+ dup3,
+ dup60,
+ ]));
+
+ var msg823 = msg("00441", part1309);
+
+ var msg824 = msg("00442", dup396);
+
+ var msg825 = msg("00443", dup396);
+
+ var part1310 = match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued command %{fld2->} to redirect output.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg826 = msg("00511", part1310);
+
+ var part1311 = match("MESSAGE#817:00511:01/0", "nwparser.payload", "All System Config saved by admin %{p0}");
+
+ var all283 = all_match({
+ processors: [
+ part1311,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg827 = msg("00511:01", all283);
+
+ var part1312 = match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms are cleared by admin %{administrator}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg828 = msg("00511:02", part1312);
+
+ var part1313 = match("MESSAGE#819:00511:03/0", "nwparser.payload", "Get new software from flash to slot (file: %{fld2}) by admin %{p0}");
+
+ var all284 = all_match({
+ processors: [
+ part1313,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg829 = msg("00511:03", all284);
+
+ var part1314 = match("MESSAGE#820:00511:04/0", "nwparser.payload", "Get new software from %{hostip->} (file: %{fld2}) to slot (file: %{fld3}) by admin %{p0}");
+
+ var all285 = all_match({
+ processors: [
+ part1314,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg830 = msg("00511:04", all285);
+
+ var part1315 = match("MESSAGE#821:00511:05/0", "nwparser.payload", "Get new software to %{hostip->} (file: %{fld2}) by admin %{p0}");
+
+ var all286 = all_match({
+ processors: [
+ part1315,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg831 = msg("00511:05", all286);
+
+ var part1316 = match("MESSAGE#822:00511:06/0", "nwparser.payload", "Log setting is modified by admin %{p0}");
+
+ var all287 = all_match({
+ processors: [
+ part1316,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg832 = msg("00511:06", all287);
+
+ var part1317 = match("MESSAGE#823:00511:07/0", "nwparser.payload", "Save configuration to %{hostip->} (file: %{fld2}) by admin %{p0}");
+
+ var all288 = all_match({
+ processors: [
+ part1317,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg833 = msg("00511:07", all288);
+
+ var part1318 = match("MESSAGE#824:00511:08/0", "nwparser.payload", "Save new software from slot (file: %{fld2}) to flash by admin %{p0}");
+
+ var all289 = all_match({
+ processors: [
+ part1318,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg834 = msg("00511:08", all289);
+
+ var part1319 = match("MESSAGE#825:00511:09/0", "nwparser.payload", "Save new software from %{hostip->} (file: %{result}) to flash by admin %{p0}");
+
+ var all290 = all_match({
+ processors: [
+ part1319,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg835 = msg("00511:09", all290);
+
+ var part1320 = match("MESSAGE#826:00511:10/0", "nwparser.payload", "System Config from flash to slot - %{fld2->} by admin %{p0}");
+
+ var all291 = all_match({
+ processors: [
+ part1320,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg836 = msg("00511:10", all291);
+
+ var part1321 = match("MESSAGE#827:00511:11/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) to slot - %{fld3->} by admin %{p0}");
+
+ var all292 = all_match({
+ processors: [
+ part1321,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg837 = msg("00511:11", all292);
+
+ var part1322 = match("MESSAGE#828:00511:12/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) by admin %{p0}");
+
+ var all293 = all_match({
+ processors: [
+ part1322,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg838 = msg("00511:12", all293);
+
+ var part1323 = match("MESSAGE#829:00511:13/0", "nwparser.payload", "The system configuration was loaded from the slot by admin %{p0}");
+
+ var all294 = all_match({
+ processors: [
+ part1323,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg839 = msg("00511:13", all294);
+
+ var part1324 = match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS shared secret with invalid length %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg840 = msg("00511:14", part1324);
+
+ var select307 = linear_select([
+ msg826,
+ msg827,
+ msg828,
+ msg829,
+ msg830,
+ msg831,
+ msg832,
+ msg833,
+ msg834,
+ msg835,
+ msg836,
+ msg837,
+ msg838,
+ msg839,
+ msg840,
+ ]);
+
+ var part1325 = match("MESSAGE#831:00513/0", "nwparser.payload", "The physical state of %{p0}");
+
+ var part1326 = match("MESSAGE#831:00513/1_1", "nwparser.p0", "the Interface %{p0}");
+
+ var select308 = linear_select([
+ dup123,
+ part1326,
+ dup122,
+ ]);
+
+ var part1327 = match("MESSAGE#831:00513/2", "nwparser.p0", "%{interface->} has changed to %{p0}");
+
+ var part1328 = match("MESSAGE#831:00513/3_0", "nwparser.p0", "%{result}. (%{fld1})");
+
+ var part1329 = match_copy("MESSAGE#831:00513/3_1", "nwparser.p0", "result");
+
+ var select309 = linear_select([
+ part1328,
+ part1329,
+ ]);
+
+ var all295 = all_match({
+ processors: [
+ part1325,
+ select308,
+ part1327,
+ select309,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg841 = msg("00513", all295);
+
+ var part1330 = match("MESSAGE#832:00515/0_0", "nwparser.payload", "Vsys Admin %{p0}");
+
+ var select310 = linear_select([
+ part1330,
+ dup287,
+ ]);
+
+ var part1331 = match("MESSAGE#832:00515/1", "nwparser.p0", "%{administrator->} has logged on via the %{logon_type->} ( HTTP%{p0}");
+
+ var part1332 = match("MESSAGE#832:00515/2_1", "nwparser.p0", "S%{p0}");
+
+ var select311 = linear_select([
+ dup96,
+ part1332,
+ ]);
+
+ var part1333 = match("MESSAGE#832:00515/3", "nwparser.p0", "%{}) to port %{interface->} from %{saddr}:%{sport}");
+
+ var all296 = all_match({
+ processors: [
+ select310,
+ part1331,
+ select311,
+ part1333,
+ ],
+ on_success: processor_chain([
+ dup301,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg842 = msg("00515", all296);
+
+ var part1334 = match("MESSAGE#833:00515:01/0", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{p0}");
+
+ var part1335 = match("MESSAGE#833:00515:01/1_0", "nwparser.p0", "the %{logon_type->} has failed %{p0}");
+
+ var part1336 = match("MESSAGE#833:00515:01/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} has failed %{p0}");
+
+ var select312 = linear_select([
+ part1335,
+ part1336,
+ ]);
+
+ var part1337 = match_copy("MESSAGE#833:00515:01/2", "nwparser.p0", "fld2");
+
+ var all297 = all_match({
+ processors: [
+ part1334,
+ select312,
+ part1337,
+ ],
+ on_success: processor_chain([
+ dup206,
+ dup29,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup4,
+ dup5,
+ dup302,
+ dup3,
+ ]),
+ });
+
+ var msg843 = msg("00515:01", all297);
+
+ var part1338 = match("MESSAGE#834:00515:02/0", "nwparser.payload", "Management session via %{p0}");
+
+ var part1339 = match("MESSAGE#834:00515:02/1_0", "nwparser.p0", "the %{logon_type->} for %{p0}");
+
+ var part1340 = match("MESSAGE#834:00515:02/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} for %{p0}");
+
+ var select313 = linear_select([
+ part1339,
+ part1340,
+ ]);
+
+ var part1341 = match("MESSAGE#834:00515:02/2_0", "nwparser.p0", "[vsys] admin %{p0}");
+
+ var part1342 = match("MESSAGE#834:00515:02/2_1", "nwparser.p0", "vsys admin %{p0}");
+
+ var select314 = linear_select([
+ part1341,
+ part1342,
+ dup15,
+ ]);
+
+ var part1343 = match("MESSAGE#834:00515:02/3", "nwparser.p0", "%{administrator->} has timed out");
+
+ var all298 = all_match({
+ processors: [
+ part1338,
+ select313,
+ select314,
+ part1343,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg844 = msg("00515:02", all298);
+
+ var part1344 = match("MESSAGE#835:00515:04/0_0", "nwparser.payload", "[Vsys] %{p0}");
+
+ var part1345 = match("MESSAGE#835:00515:04/0_1", "nwparser.payload", "Vsys %{p0}");
+
+ var select315 = linear_select([
+ part1344,
+ part1345,
+ ]);
+
+ var part1346 = match("MESSAGE#835:00515:04/1", "nwparser.p0", "Admin %{administrator->} has logged o%{p0}");
+
+ var part1347 = match_copy("MESSAGE#835:00515:04/4_1", "nwparser.p0", "logon_type");
+
+ var select316 = linear_select([
+ dup304,
+ part1347,
+ ]);
+
+ var all299 = all_match({
+ processors: [
+ select315,
+ part1346,
+ dup398,
+ dup40,
+ select316,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg845 = msg("00515:04", all299);
+
+ var part1348 = match("MESSAGE#836:00515:06", "nwparser.payload", "Admin User %{administrator->} has logged on via %{logon_type->} from %{saddr}:%{sport}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg846 = msg("00515:06", part1348);
+
+ var part1349 = match("MESSAGE#837:00515:05/0", "nwparser.payload", "%{}Admin %{p0}");
+
+ var select317 = linear_select([
+ dup305,
+ dup16,
+ ]);
+
+ var part1350 = match("MESSAGE#837:00515:05/2", "nwparser.p0", "%{administrator->} has logged o%{p0}");
+
+ var part1351 = match("MESSAGE#837:00515:05/5_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{fld2})");
+
+ var select318 = linear_select([
+ dup306,
+ part1351,
+ dup304,
+ ]);
+
+ var all300 = all_match({
+ processors: [
+ part1349,
+ select317,
+ part1350,
+ dup398,
+ dup40,
+ select318,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg847 = msg("00515:05", all300);
+
+ var part1352 = match("MESSAGE#838:00515:07", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(http) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg848 = msg("00515:07", part1352);
+
+ var part1353 = match("MESSAGE#839:00515:08/0", "nwparser.payload", "%{fld2->} Admin User \"%{administrator}\" logged in for %{logon_type}(http%{p0}");
+
+ var part1354 = match("MESSAGE#839:00515:08/1_0", "nwparser.p0", ") %{p0}");
+
+ var part1355 = match("MESSAGE#839:00515:08/1_1", "nwparser.p0", "s) %{p0}");
+
+ var select319 = linear_select([
+ part1354,
+ part1355,
+ ]);
+
+ var part1356 = match("MESSAGE#839:00515:08/2", "nwparser.p0", "management (port %{network_port}) from %{saddr}:%{sport}");
+
+ var all301 = all_match({
+ processors: [
+ part1353,
+ select319,
+ part1356,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg849 = msg("00515:08", all301);
+
+ var part1357 = match("MESSAGE#840:00515:09", "nwparser.payload", "User %{username->} telnet management session from (%{saddr}:%{sport}) timed out", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg850 = msg("00515:09", part1357);
+
+ var part1358 = match("MESSAGE#841:00515:10", "nwparser.payload", "User %{username->} logged out of telnet session from %{saddr}:%{sport}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg851 = msg("00515:10", part1358);
+
+ var part1359 = match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on zone %{zone}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg852 = msg("00515:11", part1359);
+
+ var part1360 = match("MESSAGE#843:00515:12/0", "nwparser.payload", "[ Vsys ] Admin User \"%{administrator}\" logged in for Web( http%{p0}");
+
+ var part1361 = match("MESSAGE#843:00515:12/2", "nwparser.p0", ") management (port %{network_port})");
+
+ var all302 = all_match({
+ processors: [
+ part1360,
+ dup399,
+ part1361,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg853 = msg("00515:12", all302);
+
+ var select320 = linear_select([
+ dup288,
+ dup287,
+ ]);
+
+ var part1362 = match("MESSAGE#844:00515:13/1", "nwparser.p0", "user %{administrator->} has logged o%{p0}");
+
+ var select321 = linear_select([
+ dup306,
+ dup304,
+ ]);
+
+ var all303 = all_match({
+ processors: [
+ select320,
+ part1362,
+ dup398,
+ dup40,
+ select321,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg854 = msg("00515:13", all303);
+
+ var part1363 = match("MESSAGE#845:00515:14/0_0", "nwparser.payload", "Admin user %{administrator->} has been forced to log o%{p0}");
+
+ var part1364 = match("MESSAGE#845:00515:14/0_1", "nwparser.payload", "%{username->} %{fld1->} has been forced to log o%{p0}");
+
+ var select322 = linear_select([
+ part1363,
+ part1364,
+ ]);
+
+ var part1365 = match("MESSAGE#845:00515:14/2", "nwparser.p0", "of the %{p0}");
+
+ var part1366 = match("MESSAGE#845:00515:14/3_0", "nwparser.p0", "serial %{logon_type->} session.");
+
+ var part1367 = match("MESSAGE#845:00515:14/3_1", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port->} (%{event_time})");
+
+ var part1368 = match("MESSAGE#845:00515:14/3_2", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port}");
+
+ var select323 = linear_select([
+ part1366,
+ part1367,
+ part1368,
+ ]);
+
+ var all304 = all_match({
+ processors: [
+ select322,
+ dup398,
+ part1365,
+ select323,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg855 = msg("00515:14", all304);
+
+ var part1369 = match("MESSAGE#846:00515:15/0", "nwparser.payload", "%{fld2}: Admin User %{administrator->} has logged o%{p0}");
+
+ var part1370 = match("MESSAGE#846:00515:15/3_0", "nwparser.p0", "the %{logon_type->} (%{p0}");
+
+ var part1371 = match("MESSAGE#846:00515:15/3_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{p0}");
+
+ var select324 = linear_select([
+ part1370,
+ part1371,
+ ]);
+
+ var all305 = all_match({
+ processors: [
+ part1369,
+ dup398,
+ dup40,
+ select324,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg856 = msg("00515:15", all305);
+
+ var part1372 = match("MESSAGE#847:00515:16/0_0", "nwparser.payload", "%{fld2}: Admin %{p0}");
+
+ var select325 = linear_select([
+ part1372,
+ dup287,
+ ]);
+
+ var part1373 = match("MESSAGE#847:00515:16/1", "nwparser.p0", "user %{administrator->} attempt access to %{url->} illegal from %{logon_type}( http%{p0}");
+
+ var part1374 = match("MESSAGE#847:00515:16/3", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}. (%{fld1})");
+
+ var all306 = all_match({
+ processors: [
+ select325,
+ part1373,
+ dup399,
+ part1374,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg857 = msg("00515:16", all306);
+
+ var part1375 = match("MESSAGE#848:00515:17/0", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{p0}");
+
+ var part1376 = match("MESSAGE#848:00515:17/1_0", "nwparser.p0", "https %{p0}");
+
+ var part1377 = match("MESSAGE#848:00515:17/1_1", "nwparser.p0", " http %{p0}");
+
+ var select326 = linear_select([
+ part1376,
+ part1377,
+ ]);
+
+ var part1378 = match("MESSAGE#848:00515:17/2", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}");
+
+ var all307 = all_match({
+ processors: [
+ part1375,
+ select326,
+ part1378,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg858 = msg("00515:17", all307);
+
+ var part1379 = match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(https) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg859 = msg("00515:18", part1379);
+
+ var part1380 = match("MESSAGE#850:00515:19/0", "nwparser.payload", "Vsys admin user %{administrator->} logged on via %{p0}");
+
+ var part1381 = match("MESSAGE#850:00515:19/1_0", "nwparser.p0", "%{logon_type->} from remote IP address %{saddr->} using port %{sport}. (%{p0}");
+
+ var part1382 = match("MESSAGE#850:00515:19/1_1", "nwparser.p0", "the console. (%{p0}");
+
+ var select327 = linear_select([
+ part1381,
+ part1382,
+ ]);
+
+ var all308 = all_match({
+ processors: [
+ part1380,
+ select327,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg860 = msg("00515:19", all308);
+
+ var part1383 = match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session via SCS from %{saddr}:%{sport->} for admin netscreen has timed out (%{fld1})", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg861 = msg("00515:20", part1383);
+
+ var select328 = linear_select([
+ msg842,
+ msg843,
+ msg844,
+ msg845,
+ msg846,
+ msg847,
+ msg848,
+ msg849,
+ msg850,
+ msg851,
+ msg852,
+ msg853,
+ msg854,
+ msg855,
+ msg856,
+ msg857,
+ msg858,
+ msg859,
+ msg860,
+ msg861,
+ ]);
+
+ var part1384 = match("MESSAGE#852:00518", "nwparser.payload", "Admin user %{administrator->} %{fld1}at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg862 = msg("00518", part1384);
+
+ var part1385 = match("MESSAGE#853:00518:17", "nwparser.payload", "Admin user %{administrator->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg863 = msg("00518:17", part1385);
+
+ var part1386 = match("MESSAGE#854:00518:01", "nwparser.payload", "Local authentication for WebAuth user %{username->} was %{disposition}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg864 = msg("00518:01", part1386);
+
+ var part1387 = match("MESSAGE#855:00518:02", "nwparser.payload", "Local authentication for user %{username->} was %{disposition}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg865 = msg("00518:02", part1387);
+
+ var part1388 = match("MESSAGE#856:00518:03", "nwparser.payload", "User %{username->} at %{saddr->} must enter \"Next Code\" for SecurID %{hostip}", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg866 = msg("00518:03", part1388);
+
+ var part1389 = match("MESSAGE#857:00518:04", "nwparser.payload", "WebAuth user %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([
+ dup203,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg867 = msg("00518:04", part1389);
+
+ var part1390 = match("MESSAGE#858:00518:05", "nwparser.payload", "User %{username->} at %{saddr->} has been challenged via the %{authmethod->} server at %{hostip->} (Rejected since challenge is not supported for %{logon_type})", processor_chain([
+ dup203,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg868 = msg("00518:05", part1390);
+
+ var part1391 = match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for WebAuth user %{username}", processor_chain([
+ dup35,
+ dup29,
+ dup31,
+ dup54,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg869 = msg("00518:06", part1391);
+
+ var part1392 = match("MESSAGE#860:00518:07/0", "nwparser.payload", "Authentication for user %{username->} was denied (long %{p0}");
+
+ var part1393 = match("MESSAGE#860:00518:07/1_1", "nwparser.p0", "username %{p0}");
+
+ var select329 = linear_select([
+ dup24,
+ part1393,
+ ]);
+
+ var part1394 = match("MESSAGE#860:00518:07/2", "nwparser.p0", ")%{}");
+
+ var all309 = all_match({
+ processors: [
+ part1392,
+ select329,
+ part1394,
+ ],
+ on_success: processor_chain([
+ dup53,
+ dup29,
+ dup31,
+ dup54,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg870 = msg("00518:07", all309);
+
+ var part1395 = match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr->} %{authmethod->} authentication attempt has timed out", processor_chain([
+ dup35,
+ dup29,
+ dup31,
+ dup39,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg871 = msg("00518:08", part1395);
+
+ var part1396 = match("MESSAGE#862:00518:09", "nwparser.payload", "User %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([
+ dup203,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg872 = msg("00518:09", part1396);
+
+ var part1397 = match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed due to %{result}. (%{fld1})", processor_chain([
+ dup206,
+ dup29,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup4,
+ dup9,
+ dup5,
+ dup3,
+ dup302,
+ ]));
+
+ var msg873 = msg("00518:10", part1397);
+
+ var part1398 = match("MESSAGE#864:00518:11/0", "nwparser.payload", "ADM: Local admin authentication failed for login name %{p0}");
+
+ var part1399 = match("MESSAGE#864:00518:11/1_0", "nwparser.p0", "'%{username}': %{p0}");
+
+ var part1400 = match("MESSAGE#864:00518:11/1_1", "nwparser.p0", "%{username}: %{p0}");
+
+ var select330 = linear_select([
+ part1399,
+ part1400,
+ ]);
+
+ var part1401 = match("MESSAGE#864:00518:11/2", "nwparser.p0", "%{result->} (%{fld1})");
+
+ var all310 = all_match({
+ processors: [
+ part1398,
+ select330,
+ part1401,
+ ],
+ on_success: processor_chain([
+ dup206,
+ dup29,
+ dup30,
+ dup31,
+ dup54,
+ dup2,
+ dup9,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg874 = msg("00518:11", all310);
+
+ var part1402 = match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([
+ dup240,
+ dup2,
+ dup4,
+ dup9,
+ dup5,
+ dup3,
+ ]));
+
+ var msg875 = msg("00518:12", part1402);
+
+ var part1403 = match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr->} is rejected by the Radius server at %{hostip}. (%{fld1})", processor_chain([
+ dup290,
+ dup2,
+ dup3,
+ dup4,
+ dup9,
+ dup5,
+ ]));
+
+ var msg876 = msg("00518:13", part1403);
+
+ var part1404 = match("MESSAGE#867:00518:14", "nwparser.payload", "%{fld2}: Admin user has been rejected via the Radius server at %{hostip->} (%{fld1})", processor_chain([
+ dup290,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg877 = msg("00518:14", part1404);
+
+ var select331 = linear_select([
+ msg862,
+ msg863,
+ msg864,
+ msg865,
+ msg866,
+ msg867,
+ msg868,
+ msg869,
+ msg870,
+ msg871,
+ msg872,
+ msg873,
+ msg874,
+ msg875,
+ msg876,
+ msg877,
+ ]);
+
+ var part1405 = match("MESSAGE#868:00519/0", "nwparser.payload", "Admin user %{administrator->} %{p0}");
+
+ var part1406 = match("MESSAGE#868:00519/1_1", "nwparser.p0", "of group %{group->} at %{saddr->} has %{p0}");
+
+ var part1407 = match("MESSAGE#868:00519/1_2", "nwparser.p0", "%{group->} at %{saddr->} has %{p0}");
+
+ var select332 = linear_select([
+ dup194,
+ part1406,
+ part1407,
+ ]);
+
+ var part1408 = match("MESSAGE#868:00519/2", "nwparser.p0", "been %{disposition->} via the %{logon_type->} server %{p0}");
+
+ var part1409 = match("MESSAGE#868:00519/3_0", "nwparser.p0", "at %{p0}");
+
+ var select333 = linear_select([
+ part1409,
+ dup16,
+ ]);
+
+ var part1410 = match("MESSAGE#868:00519/4", "nwparser.p0", "%{hostip}");
+
+ var all311 = all_match({
+ processors: [
+ part1405,
+ select332,
+ part1408,
+ select333,
+ part1410,
+ ],
+ on_success: processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg878 = msg("00519", all311);
+
+ var part1411 = match("MESSAGE#869:00519:01/0", "nwparser.payload", "Local authentication for %{p0}");
+
+ var select334 = linear_select([
+ dup307,
+ dup305,
+ ]);
+
+ var part1412 = match("MESSAGE#869:00519:01/2", "nwparser.p0", "%{username->} was %{disposition}");
+
+ var all312 = all_match({
+ processors: [
+ part1411,
+ select334,
+ part1412,
+ ],
+ on_success: processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg879 = msg("00519:01", all312);
+
+ var part1413 = match("MESSAGE#870:00519:02/1_1", "nwparser.p0", "User %{p0}");
+
+ var select335 = linear_select([
+ dup307,
+ part1413,
+ ]);
+
+ var part1414 = match("MESSAGE#870:00519:02/2", "nwparser.p0", "%{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}");
+
+ var all313 = all_match({
+ processors: [
+ dup160,
+ select335,
+ part1414,
+ ],
+ on_success: processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg880 = msg("00519:02", all313);
+
+ var part1415 = match("MESSAGE#871:00519:03", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{fld4}", processor_chain([
+ dup240,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg881 = msg("00519:03", part1415);
+
+ var part1416 = match("MESSAGE#872:00519:04", "nwparser.payload", "ADM: Local admin authentication successful for login name %{username->} (%{fld1})", processor_chain([
+ dup240,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg882 = msg("00519:04", part1416);
+
+ var part1417 = match("MESSAGE#873:00519:05", "nwparser.payload", "%{fld2}Admin user %{administrator->} has been accepted via the Radius server at %{hostip}(%{fld1})", processor_chain([
+ dup240,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg883 = msg("00519:05", part1417);
+
+ var select336 = linear_select([
+ msg878,
+ msg879,
+ msg880,
+ msg881,
+ msg882,
+ msg883,
+ ]);
+
+ var part1418 = match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authentication attempt has timed out", processor_chain([
+ dup35,
+ dup31,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg884 = msg("00520", part1418);
+
+ var part1419 = match("MESSAGE#875:00520:01/0", "nwparser.payload", "User %{username->} at %{hostip->} %{p0}");
+
+ var part1420 = match("MESSAGE#875:00520:01/1_0", "nwparser.p0", "RADIUS %{p0}");
+
+ var part1421 = match("MESSAGE#875:00520:01/1_1", "nwparser.p0", "SecurID %{p0}");
+
+ var part1422 = match("MESSAGE#875:00520:01/1_2", "nwparser.p0", "LDAP %{p0}");
+
+ var part1423 = match("MESSAGE#875:00520:01/1_3", "nwparser.p0", "Local %{p0}");
+
+ var select337 = linear_select([
+ part1420,
+ part1421,
+ part1422,
+ part1423,
+ ]);
+
+ var part1424 = match("MESSAGE#875:00520:01/2", "nwparser.p0", "authentication attempt has timed out%{}");
+
+ var all314 = all_match({
+ processors: [
+ part1419,
+ select337,
+ part1424,
+ ],
+ on_success: processor_chain([
+ dup35,
+ dup31,
+ dup39,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg885 = msg("00520:01", all314);
+
+ var part1425 = match("MESSAGE#876:00520:02/0", "nwparser.payload", "Trying %{p0}");
+
+ var part1426 = match("MESSAGE#876:00520:02/2", "nwparser.p0", "server %{fld2}");
+
+ var all315 = all_match({
+ processors: [
+ part1425,
+ dup400,
+ part1426,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg886 = msg("00520:02", all315);
+
+ var part1427 = match("MESSAGE#877:00520:03/1_0", "nwparser.p0", "Primary %{p0}");
+
+ var part1428 = match("MESSAGE#877:00520:03/1_1", "nwparser.p0", "Backup1 %{p0}");
+
+ var part1429 = match("MESSAGE#877:00520:03/1_2", "nwparser.p0", "Backup2 %{p0}");
+
+ var select338 = linear_select([
+ part1427,
+ part1428,
+ part1429,
+ ]);
+
+ var part1430 = match("MESSAGE#877:00520:03/2", "nwparser.p0", "%{fld2}, %{p0}");
+
+ var part1431 = match("MESSAGE#877:00520:03/4", "nwparser.p0", "%{fld3}, and %{p0}");
+
+ var part1432 = match("MESSAGE#877:00520:03/6", "nwparser.p0", "%{fld4->} servers failed");
+
+ var all316 = all_match({
+ processors: [
+ dup160,
+ select338,
+ part1430,
+ dup400,
+ part1431,
+ dup400,
+ part1432,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg887 = msg("00520:03", all316);
+
+ var part1433 = match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hostip->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg888 = msg("00520:04", part1433);
+
+ var part1434 = match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: New requests for %{fld31->} server will try %{fld32->} from now on. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg889 = msg("00520:05", part1434);
+
+ var select339 = linear_select([
+ msg884,
+ msg885,
+ msg886,
+ msg887,
+ msg888,
+ msg889,
+ ]);
+
+ var part1435 = match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server %{hostip}", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg890 = msg("00521", part1435);
+
+ var part1436 = match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg891 = msg("00522", part1436);
+
+ var part1437 = match("MESSAGE#881:00523", "nwparser.payload", "URL filtering received an error from %{fld2->} (error %{resultcode}).", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg892 = msg("00523", part1437);
+
+ var part1438 = match("MESSAGE#882:00524", "nwparser.payload", "NetScreen device at %{hostip}:%{network_port->} has responded successfully to SNMP request from %{saddr}:%{sport}", processor_chain([
+ dup209,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg893 = msg("00524", part1438);
+
+ var part1439 = match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown SNMP community public at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg894 = msg("00524:02", part1439);
+
+ var part1440 = match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has responded successfully to the SNMP request from %{saddr}:%{sport}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg895 = msg("00524:03", part1440);
+
+ var part1441 = match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown SNMP community admin at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg896 = msg("00524:04", part1441);
+
+ var part1442 = match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg897 = msg("00524:05", part1442);
+
+ var part1443 = match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been received from an unknown host in SNMP community %{fld2->} at %{hostip}:%{network_port}. (%{fld1})", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg898 = msg("00524:06", part1443);
+
+ var part1444 = match("MESSAGE#888:00524:12", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{saddr}:%{sport->} to %{daddr}:%{dport->} has been received", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]));
+
+ var msg899 = msg("00524:12", part1444);
+
+ var part1445 = match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{sport->} has been received, but the SNMP version type is incorrect. (%{fld1})", processor_chain([
+ dup19,
+ dup2,
+ dup4,
+ setc("result","the SNMP version type is incorrect"),
+ dup5,
+ dup9,
+ ]));
+
+ var msg900 = msg("00524:14", part1445);
+
+ var part1446 = match("MESSAGE#890:00524:13/0", "nwparser.payload", "SNMP request has been received%{p0}");
+
+ var part1447 = match("MESSAGE#890:00524:13/2", "nwparser.p0", "%{}but %{result}");
+
+ var all317 = all_match({
+ processors: [
+ part1446,
+ dup401,
+ part1447,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg901 = msg("00524:13", all317);
+
+ var part1448 = match("MESSAGE#891:00524:07", "nwparser.payload", "Response to SNMP request from %{saddr}:%{sport->} to %{daddr}:%{dport->} has %{disposition->} due to %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]));
+
+ var msg902 = msg("00524:07", part1448);
+
+ var part1449 = match("MESSAGE#892:00524:08", "nwparser.payload", "SNMP community %{fld2->} cannot be added because %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]));
+
+ var msg903 = msg("00524:08", part1449);
+
+ var part1450 = match("MESSAGE#893:00524:09", "nwparser.payload", "SNMP host %{hostip->} cannot be added to community %{fld2->} because of %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]));
+
+ var msg904 = msg("00524:09", part1450);
+
+ var part1451 = match("MESSAGE#894:00524:10", "nwparser.payload", "SNMP host %{hostip->} cannot be added because %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]));
+
+ var msg905 = msg("00524:10", part1451);
+
+ var part1452 = match("MESSAGE#895:00524:11", "nwparser.payload", "SNMP host %{hostip->} cannot be removed from community %{fld2->} because %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ ]));
+
+ var msg906 = msg("00524:11", part1452);
+
+ var part1453 = match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34->} doesn't exist. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg907 = msg("00524:16", part1453);
+
+ var select340 = linear_select([
+ msg893,
+ msg894,
+ msg895,
+ msg896,
+ msg897,
+ msg898,
+ msg899,
+ msg900,
+ msg901,
+ msg902,
+ msg903,
+ msg904,
+ msg905,
+ msg906,
+ msg907,
+ ]);
+
+ var part1454 = match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username->} at %{hostip->} has been %{disposition->} by SecurID %{fld2}", processor_chain([
+ dup203,
+ setc("ec_subject","Password"),
+ dup38,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg908 = msg("00525", part1454);
+
+ var part1455 = match("MESSAGE#897:00525:01", "nwparser.payload", "User %{username->} at %{hostip->} has selected a system-generated PIN for authentication with SecurID %{fld2}", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg909 = msg("00525:01", part1455);
+
+ var part1456 = match("MESSAGE#898:00525:02", "nwparser.payload", "User %{username->} at %{hostip->} must enter the \"new PIN\" for SecurID %{fld2}", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg910 = msg("00525:02", part1456);
+
+ var part1457 = match("MESSAGE#899:00525:03", "nwparser.payload", "User %{username->} at %{hostip->} must make a \"New PIN\" choice for SecurID %{fld2}", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg911 = msg("00525:03", part1457);
+
+ var select341 = linear_select([
+ msg908,
+ msg909,
+ msg910,
+ msg911,
+ ]);
+
+ var part1458 = match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded and %{hostip->} cannot be added", processor_chain([
+ dup37,
+ dup219,
+ dup38,
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg912 = msg("00526", part1458);
+
+ var part1459 = match("MESSAGE#901:00527/0", "nwparser.payload", "A DHCP-%{p0}");
+
+ var part1460 = match("MESSAGE#901:00527/1_1", "nwparser.p0", " assigned %{p0}");
+
+ var select342 = linear_select([
+ dup311,
+ part1460,
+ ]);
+
+ var part1461 = match("MESSAGE#901:00527/2", "nwparser.p0", "IP address %{hostip->} has been %{p0}");
+
+ var part1462 = match("MESSAGE#901:00527/3_1", "nwparser.p0", "freed from %{p0}");
+
+ var part1463 = match("MESSAGE#901:00527/3_2", "nwparser.p0", "freed %{p0}");
+
+ var select343 = linear_select([
+ dup312,
+ part1462,
+ part1463,
+ ]);
+
+ var all318 = all_match({
+ processors: [
+ part1459,
+ select342,
+ part1461,
+ select343,
+ dup108,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg913 = msg("00527", all318);
+
+ var part1464 = match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address has been manually released%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg914 = msg("00527:01", part1464);
+
+ var part1465 = match("MESSAGE#903:00527:02/0", "nwparser.payload", "DHCP server has %{p0}");
+
+ var part1466 = match("MESSAGE#903:00527:02/1_1", "nwparser.p0", "released %{p0}");
+
+ var part1467 = match("MESSAGE#903:00527:02/1_2", "nwparser.p0", "assigned or released %{p0}");
+
+ var select344 = linear_select([
+ dup311,
+ part1466,
+ part1467,
+ ]);
+
+ var part1468 = match("MESSAGE#903:00527:02/2", "nwparser.p0", "an IP address%{}");
+
+ var all319 = all_match({
+ processors: [
+ part1465,
+ select344,
+ part1468,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg915 = msg("00527:02", all319);
+
+ var part1469 = match("MESSAGE#904:00527:03", "nwparser.payload", "MAC address %{macaddr->} has detected an IP conflict and has declined address %{hostip}", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg916 = msg("00527:03", part1469);
+
+ var part1470 = match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP addresses have been manually released.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg917 = msg("00527:04", part1470);
+
+ var part1471 = match("MESSAGE#906:00527:05/2", "nwparser.p0", "%{} %{interface->} is more than %{fld2->} allocated.");
+
+ var all320 = all_match({
+ processors: [
+ dup210,
+ dup337,
+ part1471,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg918 = msg("00527:05", all320);
+
+ var part1472 = match("MESSAGE#907:00527:06/0", "nwparser.payload", "IP address %{hostip->} %{p0}");
+
+ var select345 = linear_select([
+ dup106,
+ dup127,
+ ]);
+
+ var part1473 = match("MESSAGE#907:00527:06/3_1", "nwparser.p0", "released from %{p0}");
+
+ var select346 = linear_select([
+ dup312,
+ part1473,
+ ]);
+
+ var part1474 = match("MESSAGE#907:00527:06/4", "nwparser.p0", "%{fld2->} (%{fld1})");
+
+ var all321 = all_match({
+ processors: [
+ part1472,
+ select345,
+ dup23,
+ select346,
+ part1474,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg919 = msg("00527:06", all321);
+
+ var part1475 = match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have expired. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg920 = msg("00527:07", part1475);
+
+ var part1476 = match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{interface->} received %{protocol_detail->} from %{smacaddr->} requesting out-of-scope IP address %{hostip}/%{mask->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg921 = msg("00527:08", part1476);
+
+ var part1477 = match("MESSAGE#910:00527:09/0", "nwparser.payload", "MAC address %{macaddr->} has %{disposition->} %{p0}");
+
+ var part1478 = match("MESSAGE#910:00527:09/1_0", "nwparser.p0", "address %{hostip->} (%{p0}");
+
+ var part1479 = match("MESSAGE#910:00527:09/1_1", "nwparser.p0", "%{hostip->} (%{p0}");
+
+ var select347 = linear_select([
+ part1478,
+ part1479,
+ ]);
+
+ var all322 = all_match({
+ processors: [
+ part1477,
+ select347,
+ dup41,
+ ],
+ on_success: processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg922 = msg("00527:09", all322);
+
+ var part1480 = match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are expired. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg923 = msg("00527:10", part1480);
+
+ var select348 = linear_select([
+ msg913,
+ msg914,
+ msg915,
+ msg916,
+ msg917,
+ msg918,
+ msg919,
+ msg920,
+ msg921,
+ msg922,
+ msg923,
+ ]);
+
+ var part1481 = match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenticated using password :", processor_chain([
+ setc("eventcategory","1302010000"),
+ dup29,
+ dup31,
+ dup32,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg924 = msg("00528", part1481);
+
+ var part1482 = match("MESSAGE#913:00528:01", "nwparser.payload", "SCS: Connection terminated for user %{username->} from", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg925 = msg("00528:01", part1482);
+
+ var part1483 = match("MESSAGE#914:00528:02", "nwparser.payload", "SCS: Disabled for all root/vsys on device. Client host attempting connection to interface '%{interface}' with address %{hostip->} from %{saddr}", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg926 = msg("00528:02", part1483);
+
+ var part1484 = match("MESSAGE#915:00528:03", "nwparser.payload", "SSH: NetScreen device %{disposition->} to identify itself to the SSH client at %{hostip}", processor_chain([
+ dup203,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg927 = msg("00528:03", part1484);
+
+ var part1485 = match("MESSAGE#916:00528:04", "nwparser.payload", "SSH: Incompatible SSH version string has been received from SSH client at %{hostip}", processor_chain([
+ dup203,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg928 = msg("00528:04", part1485);
+
+ var part1486 = match("MESSAGE#917:00528:05", "nwparser.payload", "SSH: %{disposition->} to send identification string to client host at %{hostip}", processor_chain([
+ dup203,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg929 = msg("00528:05", part1486);
+
+ var part1487 = match("MESSAGE#918:00528:06", "nwparser.payload", "SSH: Client at %{saddr->} attempted to connect with invalid version string.", processor_chain([
+ dup313,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("result","invalid version string"),
+ ]));
+
+ var msg930 = msg("00528:06", part1487);
+
+ var part1488 = match("MESSAGE#919:00528:07/0", "nwparser.payload", "SSH: %{disposition->} to negotiate %{p0}");
+
+ var part1489 = match("MESSAGE#919:00528:07/1_1", "nwparser.p0", "MAC %{p0}");
+
+ var part1490 = match("MESSAGE#919:00528:07/1_2", "nwparser.p0", "key exchange %{p0}");
+
+ var part1491 = match("MESSAGE#919:00528:07/1_3", "nwparser.p0", "host key %{p0}");
+
+ var select349 = linear_select([
+ dup88,
+ part1489,
+ part1490,
+ part1491,
+ ]);
+
+ var part1492 = match("MESSAGE#919:00528:07/2", "nwparser.p0", "algorithm with host %{hostip}");
+
+ var all323 = all_match({
+ processors: [
+ part1488,
+ select349,
+ part1492,
+ ],
+ on_success: processor_chain([
+ dup314,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg931 = msg("00528:07", all323);
+
+ var part1493 = match("MESSAGE#920:00528:08", "nwparser.payload", "SSH: Unsupported cipher type %{fld2->} requested from %{saddr}", processor_chain([
+ dup314,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg932 = msg("00528:08", part1493);
+
+ var part1494 = match("MESSAGE#921:00528:09", "nwparser.payload", "SSH: Host client has requested NO cipher from %{saddr}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg933 = msg("00528:09", part1494);
+
+ var part1495 = match("MESSAGE#922:00528:10", "nwparser.payload", "SSH: Disabled for '%{vsys}'. Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg934 = msg("00528:10", part1495);
+
+ var part1496 = match("MESSAGE#923:00528:11", "nwparser.payload", "SSH: Disabled for %{fld2->} Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg935 = msg("00528:11", part1496);
+
+ var part1497 = match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} at %{saddr->} tried unsuccessfully to log in to %{vsys->} using the shared untrusted interface. SSH disabled on that interface.", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ setc("disposition","disabled"),
+ ]));
+
+ var msg936 = msg("00528:12", part1497);
+
+ var part1498 = match("MESSAGE#925:00528:13/0", "nwparser.payload", "SSH: SSH client at %{saddr->} tried unsuccessfully to %{p0}");
+
+ var part1499 = match("MESSAGE#925:00528:13/1_0", "nwparser.p0", "make %{p0}");
+
+ var part1500 = match("MESSAGE#925:00528:13/1_1", "nwparser.p0", "establish %{p0}");
+
+ var select350 = linear_select([
+ part1499,
+ part1500,
+ ]);
+
+ var part1501 = match("MESSAGE#925:00528:13/2", "nwparser.p0", "an SSH connection to %{p0}");
+
+ var part1502 = match("MESSAGE#925:00528:13/4", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} SSH %{p0}");
+
+ var part1503 = match("MESSAGE#925:00528:13/5_0", "nwparser.p0", "not enabled %{p0}");
+
+ var select351 = linear_select([
+ part1503,
+ dup157,
+ ]);
+
+ var part1504 = match("MESSAGE#925:00528:13/6", "nwparser.p0", "on that interface.%{}");
+
+ var all324 = all_match({
+ processors: [
+ part1498,
+ select350,
+ part1501,
+ dup337,
+ part1502,
+ select351,
+ part1504,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg937 = msg("00528:13", all324);
+
+ var part1505 = match("MESSAGE#926:00528:14", "nwparser.payload", "SSH: SSH client %{saddr->} unsuccessfully attempted to make an SSH connection to %{vsys->} SSH was not completely initialized for that system.", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg938 = msg("00528:14", part1505);
+
+ var part1506 = match("MESSAGE#927:00528:15/0", "nwparser.payload", "SSH: Admin user %{p0}");
+
+ var part1507 = match("MESSAGE#927:00528:15/1_1", "nwparser.p0", "%{administrator->} %{p0}");
+
+ var select352 = linear_select([
+ dup315,
+ part1507,
+ ]);
+
+ var part1508 = match("MESSAGE#927:00528:15/2", "nwparser.p0", "at host %{saddr->} requested unsupported %{p0}");
+
+ var part1509 = match("MESSAGE#927:00528:15/3_0", "nwparser.p0", "PKA algorithm %{p0}");
+
+ var part1510 = match("MESSAGE#927:00528:15/3_1", "nwparser.p0", "authentication method %{p0}");
+
+ var select353 = linear_select([
+ part1509,
+ part1510,
+ ]);
+
+ var all325 = all_match({
+ processors: [
+ part1506,
+ select352,
+ part1508,
+ select353,
+ dup108,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg939 = msg("00528:15", all325);
+
+ var part1511 = match("MESSAGE#928:00528:16", "nwparser.payload", "SCP: Admin '%{administrator}' at host %{saddr->} executed invalid scp command: '%{fld2}'", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg940 = msg("00528:16", part1511);
+
+ var part1512 = match("MESSAGE#929:00528:17", "nwparser.payload", "SCP: Disabled for '%{username}'. Attempted file transfer failed from host %{saddr}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg941 = msg("00528:17", part1512);
+
+ var part1513 = match("MESSAGE#930:00528:18/2", "nwparser.p0", "authentication successful for admin user %{p0}");
+
+ var all326 = all_match({
+ processors: [
+ dup316,
+ dup402,
+ part1513,
+ dup403,
+ dup320,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ setc("disposition","successful"),
+ setc("event_description","authentication successful for admin user"),
+ ]),
+ });
+
+ var msg942 = msg("00528:18", all326);
+
+ var part1514 = match("MESSAGE#931:00528:26/2", "nwparser.p0", "authentication failed for admin user %{p0}");
+
+ var all327 = all_match({
+ processors: [
+ dup316,
+ dup402,
+ part1514,
+ dup403,
+ dup320,
+ ],
+ on_success: processor_chain([
+ dup206,
+ dup29,
+ dup31,
+ dup54,
+ dup2,
+ dup4,
+ dup5,
+ dup302,
+ dup3,
+ setc("event_description","authentication failed for admin user"),
+ ]),
+ });
+
+ var msg943 = msg("00528:26", all327);
+
+ var part1515 = match("MESSAGE#932:00528:19/2", "nwparser.p0", ": SSH user %{username->} has been %{disposition->} using password from %{saddr}:%{sport}");
+
+ var all328 = all_match({
+ processors: [
+ dup321,
+ dup404,
+ part1515,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg944 = msg("00528:19", all328);
+
+ var part1516 = match("MESSAGE#933:00528:20/2", "nwparser.p0", ": Connection has been %{disposition->} for admin user %{administrator->} at %{saddr}:%{sport}");
+
+ var all329 = all_match({
+ processors: [
+ dup321,
+ dup404,
+ part1516,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg945 = msg("00528:20", all329);
+
+ var part1517 = match("MESSAGE#934:00528:21", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has requested PKA RSA authentication, which is not supported for that client.", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg946 = msg("00528:21", part1517);
+
+ var part1518 = match("MESSAGE#935:00528:22/0", "nwparser.payload", "SCS: SSH client at %{saddr->} has attempted to make an SCS connection to %{p0}");
+
+ var part1519 = match("MESSAGE#935:00528:22/2", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} but %{disposition->} because SCS is not enabled for that interface.");
+
+ var all330 = all_match({
+ processors: [
+ part1518,
+ dup337,
+ part1519,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ setc("result","SCS is not enabled for that interface"),
+ ]),
+ });
+
+ var msg947 = msg("00528:22", all330);
+
+ var part1520 = match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to vsys %{vsys->} because SCS cannot generate the host and server keys before timing out.", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ setc("result","SCS cannot generate the host and server keys before timing out"),
+ ]));
+
+ var msg948 = msg("00528:23", part1520);
+
+ var part1521 = match("MESSAGE#937:00528:24", "nwparser.payload", "SSH: %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup281,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg949 = msg("00528:24", part1521);
+
+ var part1522 = match("MESSAGE#938:00528:25/0", "nwparser.payload", "SSH: Admin %{p0}");
+
+ var part1523 = match("MESSAGE#938:00528:25/2", "nwparser.p0", "at host %{saddr->} attempted to be authenticated with no authentication methods enabled.");
+
+ var all331 = all_match({
+ processors: [
+ part1522,
+ dup403,
+ part1523,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]),
+ });
+
+ var msg950 = msg("00528:25", all331);
+
+ var select354 = linear_select([
+ msg924,
+ msg925,
+ msg926,
+ msg927,
+ msg928,
+ msg929,
+ msg930,
+ msg931,
+ msg932,
+ msg933,
+ msg934,
+ msg935,
+ msg936,
+ msg937,
+ msg938,
+ msg939,
+ msg940,
+ msg941,
+ msg942,
+ msg943,
+ msg944,
+ msg945,
+ msg946,
+ msg947,
+ msg948,
+ msg949,
+ msg950,
+ ]);
+
+ var part1524 = match("MESSAGE#939:00529/1_0", "nwparser.p0", "manually %{p0}");
+
+ var part1525 = match("MESSAGE#939:00529/1_1", "nwparser.p0", "automatically %{p0}");
+
+ var select355 = linear_select([
+ part1524,
+ part1525,
+ ]);
+
+ var part1526 = match("MESSAGE#939:00529/2", "nwparser.p0", "refreshed%{}");
+
+ var all332 = all_match({
+ processors: [
+ dup63,
+ select355,
+ part1526,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg951 = msg("00529", all332);
+
+ var part1527 = match("MESSAGE#940:00529:01/0", "nwparser.payload", "DNS entries have been refreshed by %{p0}");
+
+ var part1528 = match("MESSAGE#940:00529:01/1_0", "nwparser.p0", "state change%{}");
+
+ var part1529 = match("MESSAGE#940:00529:01/1_1", "nwparser.p0", "HA%{}");
+
+ var select356 = linear_select([
+ part1528,
+ part1529,
+ ]);
+
+ var all333 = all_match({
+ processors: [
+ part1527,
+ select356,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg952 = msg("00529:01", all333);
+
+ var select357 = linear_select([
+ msg951,
+ msg952,
+ ]);
+
+ var part1530 = match("MESSAGE#941:00530", "nwparser.payload", "An IP conflict has been detected and the DHCP client has declined address %{hostip}", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg953 = msg("00530", part1530);
+
+ var part1531 = match("MESSAGE#942:00530:01/0", "nwparser.payload", "DHCP client IP %{hostip->} for the %{p0}");
+
+ var part1532 = match("MESSAGE#942:00530:01/2", "nwparser.p0", "%{} %{interface->} has been manually released");
+
+ var all334 = all_match({
+ processors: [
+ part1531,
+ dup337,
+ part1532,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg954 = msg("00530:01", all334);
+
+ var part1533 = match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get an IP address for the %{interface->} interface", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg955 = msg("00530:02", part1533);
+
+ var part1534 = match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hostip->} has expired", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg956 = msg("00530:03", part1534);
+
+ var part1535 = match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has assigned the untrust Interface %{interface->} with lease %{fld2}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg957 = msg("00530:04", part1535);
+
+ var part1536 = match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has assigned the %{interface->} interface %{fld2->} with lease %{fld3}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg958 = msg("00530:05", part1536);
+
+ var part1537 = match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get IP address for the untrust interface.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg959 = msg("00530:06", part1537);
+
+ var select358 = linear_select([
+ msg953,
+ msg954,
+ msg955,
+ msg956,
+ msg957,
+ msg958,
+ msg959,
+ ]);
+
+ var part1538 = match("MESSAGE#948:00531/0", "nwparser.payload", "System clock configurations have been changed by admin %{p0}");
+
+ var all335 = all_match({
+ processors: [
+ part1538,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg960 = msg("00531", all335);
+
+ var part1539 = match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg961 = msg("00531:01", part1539);
+
+ var part1540 = match("MESSAGE#950:00531:02", "nwparser.payload", "The system clock has been updated through NTP.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg962 = msg("00531:02", part1540);
+
+ var part1541 = match("MESSAGE#951:00531:03/0", "nwparser.payload", "The system clock was updated from %{type->} NTP server type %{hostname->} with a%{p0}");
+
+ var part1542 = match("MESSAGE#951:00531:03/1_0", "nwparser.p0", " ms %{p0}");
+
+ var select359 = linear_select([
+ part1542,
+ dup115,
+ ]);
+
+ var part1543 = match("MESSAGE#951:00531:03/2", "nwparser.p0", "adjustment of %{fld3}. Authentication was %{fld4}. Update mode was %{p0}");
+
+ var part1544 = match("MESSAGE#951:00531:03/3_0", "nwparser.p0", "%{fld5}(%{fld2})");
+
+ var part1545 = match_copy("MESSAGE#951:00531:03/3_1", "nwparser.p0", "fld5");
+
+ var select360 = linear_select([
+ part1544,
+ part1545,
+ ]);
+
+ var all336 = all_match({
+ processors: [
+ part1541,
+ select359,
+ part1543,
+ select360,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup146,
+ ]),
+ });
+
+ var msg963 = msg("00531:03", all336);
+
+ var part1546 = match("MESSAGE#952:00531:04/0", "nwparser.payload", "The NetScreen device is attempting to contact the %{p0}");
+
+ var part1547 = match("MESSAGE#952:00531:04/1_0", "nwparser.p0", "primary backup %{p0}");
+
+ var part1548 = match("MESSAGE#952:00531:04/1_1", "nwparser.p0", "secondary backup %{p0}");
+
+ var select361 = linear_select([
+ part1547,
+ part1548,
+ dup189,
+ ]);
+
+ var part1549 = match("MESSAGE#952:00531:04/2", "nwparser.p0", "NTP server %{hostname}");
+
+ var all337 = all_match({
+ processors: [
+ part1546,
+ select361,
+ part1549,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg964 = msg("00531:04", all337);
+
+ var part1550 = match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contacted. (%{fld1})", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg965 = msg("00531:05", part1550);
+
+ var part1551 = match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustment of %{fld2->} from NTP server %{hostname->} exceeds the allowed adjustment of %{fld3}. (%{fld1})", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg966 = msg("00531:06", part1551);
+
+ var part1552 = match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be obtained from any NTP server. (%{fld1})", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg967 = msg("00531:07", part1552);
+
+ var part1553 = match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator->} changed the %{change_attribute->} from %{change_old->} to %{change_new->} (by %{fld3->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}) (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg968 = msg("00531:08", part1553);
+
+ var part1554 = match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol settings changed. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg969 = msg("00531:09", part1554);
+
+ var part1555 = match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition->} on interface %{interface->} (%{fld1})", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg970 = msg("00531:10", part1555);
+
+ var part1556 = match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be changed from %{change_old->} to %{change_new->} received from primary NTP server %{hostip->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ setc("event_description","system clock changed based on receive from primary NTP server"),
+ ]));
+
+ var msg971 = msg("00531:11", part1556);
+
+ var part1557 = match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{saddr->} could not be contacted. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg972 = msg("00531:12", part1557);
+
+ var select362 = linear_select([
+ msg960,
+ msg961,
+ msg962,
+ msg963,
+ msg964,
+ msg965,
+ msg966,
+ msg967,
+ msg968,
+ msg969,
+ msg970,
+ msg971,
+ msg972,
+ ]);
+
+ var part1558 = match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now responding", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg973 = msg("00533", part1558);
+
+ var part1559 = match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg974 = msg("00534", part1559);
+
+ var part1560 = match("MESSAGE#962:00535", "nwparser.payload", "Cannot find the CA certificate with distinguished name %{fld2}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg975 = msg("00535", part1560);
+
+ var part1561 = match("MESSAGE#963:00535:01", "nwparser.payload", "Distinguished name %{dn->} in the X509 certificate request is %{disposition}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg976 = msg("00535:01", part1561);
+
+ var part1562 = match("MESSAGE#964:00535:02", "nwparser.payload", "Local certificate with distinguished name %{dn->} is %{disposition}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg977 = msg("00535:02", part1562);
+
+ var part1563 = match("MESSAGE#965:00535:03", "nwparser.payload", "PKCS #7 data cannot be decapsulated%{}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg978 = msg("00535:03", part1563);
+
+ var part1564 = match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been received from the CA%{}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("result","SCEP_FAILURE message"),
+ ]));
+
+ var msg979 = msg("00535:04", part1564);
+
+ var part1565 = match("MESSAGE#967:00535:05", "nwparser.payload", "PKI error message has been received: %{result}", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg980 = msg("00535:05", part1565);
+
+ var part1566 = match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration (CA cert subject name %{dn}). (%{event_time_string})", processor_chain([
+ dup314,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("event_description","Saved CA configuration - cert subject name"),
+ ]));
+
+ var msg981 = msg("00535:06", part1566);
+
+ var select363 = linear_select([
+ msg975,
+ msg976,
+ msg977,
+ msg978,
+ msg979,
+ msg980,
+ msg981,
+ ]);
+
+ var part1567 = match("MESSAGE#969:00536:49/0", "nwparser.payload", "IKE %{hostip->} %{p0}");
+
+ var part1568 = match("MESSAGE#969:00536:49/1_0", "nwparser.p0", "Phase 2 msg ID %{sessionid}: %{disposition}. %{p0}");
+
+ var part1569 = match("MESSAGE#969:00536:49/1_1", "nwparser.p0", "Phase 1: %{disposition->} %{p0}");
+
+ var part1570 = match("MESSAGE#969:00536:49/1_2", "nwparser.p0", "phase 2:%{disposition}. %{p0}");
+
+ var part1571 = match("MESSAGE#969:00536:49/1_3", "nwparser.p0", "phase 1:%{disposition}. %{p0}");
+
+ var select364 = linear_select([
+ part1568,
+ part1569,
+ part1570,
+ part1571,
+ ]);
+
+ var all338 = all_match({
+ processors: [
+ part1567,
+ select364,
+ dup10,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg982 = msg("00536:49", all338);
+
+ var part1572 = match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received from %{saddr}/%{sport->} at interface %{interface->} at %{daddr}/%{dport}", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup61,
+ ]));
+
+ var msg983 = msg("00536", part1572);
+
+ var part1573 = match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2}) without IP address at both end points! Check outgoing interface.", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg984 = msg("00536:01", part1573);
+
+ var part1574 = match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip->} in %{fld4->} mode with ID: %{fld3->} has been %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg985 = msg("00536:02", part1574);
+
+ var part1575 = match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has been %{disposition}. %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg986 = msg("00536:03", part1575);
+
+ var part1576 = match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{group->} has deactivated the SA with ID %{fld2}.", processor_chain([
+ setc("eventcategory","1801010100"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg987 = msg("00536:04", part1576);
+
+ var part1577 = match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assigned%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg988 = msg("00536:05", part1577);
+
+ var part1578 = match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has changed to %{fld2}. VPNs cannot terminate at an interface with IP %{hostip}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg989 = msg("00536:06", part1578);
+
+ var part1579 = match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has changed from %{change_old->} to another setting", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg990 = msg("00536:07", part1579);
+
+ var part1580 = match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification message", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg991 = msg("00536:08", part1580);
+
+ var part1581 = match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg992 = msg("00536:09", part1581);
+
+ var part1582 = match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a packet with a bad SPI after rebooting", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg993 = msg("00536:10", part1582);
+
+ var part1583 = match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase 2 SAs after receiving a notification message", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg994 = msg("00536:11", part1583);
+
+ var part1584 = match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first Phase 1 packet from an unrecognized source", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg995 = msg("00536:12", part1584);
+
+ var part1585 = match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an initial Phase 1 packet from an unrecognized peer gateway", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg996 = msg("00536:13", part1585);
+
+ var part1586 = match("MESSAGE#984:00536:14/0", "nwparser.payload", "IKE %{hostip}: Received initial contact notification and removed Phase %{p0}");
+
+ var part1587 = match("MESSAGE#984:00536:14/2", "nwparser.p0", "SAs%{}");
+
+ var all339 = all_match({
+ processors: [
+ part1586,
+ dup383,
+ part1587,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg997 = msg("00536:14", all339);
+
+ var part1588 = match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a notification message for %{disposition}. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup9,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg998 = msg("00536:50", part1588);
+
+ var part1589 = match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incorrect ID payload: IP address %{fld2->} instead of IP address %{fld3}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg999 = msg("00536:15", part1589);
+
+ var part1590 = match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negotiation request is already in the task list", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1000 = msg("00536:16", part1590);
+
+ var part1591 = match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats have been lost %{fld2->} times", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1001 = msg("00536:17", part1591);
+
+ var part1592 = match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer packet because no policy uses the peer configuration", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1002 = msg("00536:18", part1592);
+
+ var part1593 = match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1003 = msg("00536:19", part1593);
+
+ var part1594 = match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the initial contact task to the task list", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1004 = msg("00536:20", part1594);
+
+ var part1595 = match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 session tasks to the task list", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1005 = msg("00536:21", part1595);
+
+ var part1596 = match("MESSAGE#993:00536:22", "nwparser.payload", "IKE %{hostip->} Phase 1 : %{disposition->} proposals from peer. Negotiations failed", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("result","Negotiations failed"),
+ ]));
+
+ var msg1006 = msg("00536:22", part1596);
+
+ var part1597 = match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Aborted negotiations because the time limit has elapsed", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("result","The time limit has elapsed"),
+ setc("disposition","Aborted"),
+ ]));
+
+ var msg1007 = msg("00536:23", part1597);
+
+ var part1598 = match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1008 = msg("00536:24", part1598);
+
+ var part1599 = match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Received DH group %{fld2->} instead of expected group %{fld3->} for PFS", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1009 = msg("00536:25", part1599);
+
+ var part1600 = match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No policy exists for the proxy ID received: local ID %{fld2->} remote ID %{fld3}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1010 = msg("00536:26", part1600);
+
+ var part1601 = match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA private key is needed to sign packets", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1011 = msg("00536:27", part1601);
+
+ var part1602 = match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggressive mode negotiations have %{disposition}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1012 = msg("00536:28", part1602);
+
+ var part1603 = match("MESSAGE#1000:00536:29", "nwparser.payload", "IKE %{hostip->} Phase 1: Vendor ID payload indicates that the peer does not support NAT-T", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1013 = msg("00536:29", part1603);
+
+ var part1604 = match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Retransmission limit has been reached", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1014 = msg("00536:30", part1604);
+
+ var part1605 = match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an invalid RSA signature", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1015 = msg("00536:31", part1605);
+
+ var part1606 = match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an incorrect public key authentication method", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1016 = msg("00536:32", part1606);
+
+ var part1607 = match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No private key exists to sign packets", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1017 = msg("00536:33", part1607);
+
+ var part1608 = match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1018 = msg("00536:34", part1608);
+
+ var part1609 = match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE initiator has detected NAT in front of the local device", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1019 = msg("00536:35", part1609);
+
+ var part1610 = match("MESSAGE#1007:00536:36/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Discarded a second initial packet%{p0}");
+
+ var part1611 = match("MESSAGE#1007:00536:36/2", "nwparser.p0", "%{}which arrived within %{fld2->} after the first");
+
+ var all340 = all_match({
+ processors: [
+ part1610,
+ dup401,
+ part1611,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1020 = msg("00536:36", all340);
+
+ var part1612 = match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Completed Aggressive mode negotiations with a %{fld2->} lifetime", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1021 = msg("00536:37", part1612);
+
+ var part1613 = match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a subject name that does not match the ID payload", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1022 = msg("00536:38", part1613);
+
+ var part1614 = match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a different IP address %{fld2->} than expected", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1023 = msg("00536:39", part1614);
+
+ var part1615 = match("MESSAGE#1011:00536:40", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot use a preshared key because the peer%{quote}s gateway has a dynamic IP address and negotiations are in Main mode", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1024 = msg("00536:40", part1615);
+
+ var part1616 = match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated negotiations in Aggressive mode", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1025 = msg("00536:47", part1616);
+
+ var part1617 = match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot verify RSA signature", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1026 = msg("00536:41", part1617);
+
+ var part1618 = match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated Main mode negotiations", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1027 = msg("00536:42", part1618);
+
+ var part1619 = match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Initiated negotiations", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1028 = msg("00536:43", part1619);
+
+ var part1620 = match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heartbeat interval to %{fld2}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1029 = msg("00536:44", part1620);
+
+ var part1621 = match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats have been %{disposition->} because %{result}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1030 = msg("00536:45", part1621);
+
+ var part1622 = match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{interface->} from %{saddr}:%{sport->} to %{daddr}:%{dport}/%{fld1}. Cookies: %{ike_cookie1}, %{ike_cookie2}. (%{event_time_string})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("event_description","Received an IKE packet on interface"),
+ ]));
+
+ var msg1031 = msg("00536:48", part1622);
+
+ var part1623 = match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a bad SPI", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1032 = msg("00536:46", part1623);
+
+ var select365 = linear_select([
+ msg982,
+ msg983,
+ msg984,
+ msg985,
+ msg986,
+ msg987,
+ msg988,
+ msg989,
+ msg990,
+ msg991,
+ msg992,
+ msg993,
+ msg994,
+ msg995,
+ msg996,
+ msg997,
+ msg998,
+ msg999,
+ msg1000,
+ msg1001,
+ msg1002,
+ msg1003,
+ msg1004,
+ msg1005,
+ msg1006,
+ msg1007,
+ msg1008,
+ msg1009,
+ msg1010,
+ msg1011,
+ msg1012,
+ msg1013,
+ msg1014,
+ msg1015,
+ msg1016,
+ msg1017,
+ msg1018,
+ msg1019,
+ msg1020,
+ msg1021,
+ msg1022,
+ msg1023,
+ msg1024,
+ msg1025,
+ msg1026,
+ msg1027,
+ msg1028,
+ msg1029,
+ msg1030,
+ msg1031,
+ msg1032,
+ ]);
+
+ var part1624 = match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to establish a session: %{info}", processor_chain([
+ dup18,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg1033 = msg("00537", part1624);
+
+ var part1625 = match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1034 = msg("00537:01", part1625);
+
+ var part1626 = match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: %{result}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1035 = msg("00537:02", part1626);
+
+ var part1627 = match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successfully established%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1036 = msg("00537:03", part1627);
+
+ var select366 = linear_select([
+ msg1033,
+ msg1034,
+ msg1035,
+ msg1036,
+ ]);
+
+ var part1628 = match("MESSAGE#1024:00538/0", "nwparser.payload", "NACN failed to register to Policy Manager %{fld2->} because %{p0}");
+
+ var select367 = linear_select([
+ dup111,
+ dup119,
+ ]);
+
+ var part1629 = match("MESSAGE#1024:00538/2", "nwparser.p0", "%{result}");
+
+ var all341 = all_match({
+ processors: [
+ part1628,
+ select367,
+ part1629,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1037 = msg("00538", all341);
+
+ var part1630 = match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered to Policy Manager %{fld2}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1038 = msg("00538:01", part1630);
+
+ var part1631 = match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has started for Policy Manager %{fld2->} on hostname %{hostname->} IP address %{hostip->} port %{network_port}.", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1039 = msg("00538:02", part1631);
+
+ var part1632 = match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server at %{hostip->} (%{fld2->} connect attempt(s)) %{fld3}", processor_chain([
+ dup19,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ ]));
+
+ var msg1040 = msg("00538:03", part1632);
+
+ var part1633 = match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Global PRO data collector at %{hostip}", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1041 = msg("00538:04", part1633);
+
+ var part1634 = match("MESSAGE#1029:00538:05/0", "nwparser.payload", "Lost %{p0}");
+
+ var part1635 = match("MESSAGE#1029:00538:05/1_0", "nwparser.p0", "socket connection%{p0}");
+
+ var part1636 = match("MESSAGE#1029:00538:05/1_1", "nwparser.p0", "connection%{p0}");
+
+ var select368 = linear_select([
+ part1635,
+ part1636,
+ ]);
+
+ var part1637 = match("MESSAGE#1029:00538:05/2", "nwparser.p0", "%{}to Global PRO data collector at %{hostip}");
+
+ var all342 = all_match({
+ processors: [
+ part1634,
+ select368,
+ part1637,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1042 = msg("00538:05", all342);
+
+ var part1638 = match("MESSAGE#1030:00538:06/0", "nwparser.payload", "Device has connected to the Global PRO%{p0}");
+
+ var part1639 = match("MESSAGE#1030:00538:06/1_0", "nwparser.p0", " %{fld2->} primary data collector at %{p0}");
+
+ var part1640 = match("MESSAGE#1030:00538:06/1_1", "nwparser.p0", " primary data collector at %{p0}");
+
+ var select369 = linear_select([
+ part1639,
+ part1640,
+ ]);
+
+ var part1641 = match_copy("MESSAGE#1030:00538:06/2", "nwparser.p0", "hostip");
+
+ var all343 = all_match({
+ processors: [
+ part1638,
+ select369,
+ part1641,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1043 = msg("00538:06", all343);
+
+ var part1642 = match("MESSAGE#1031:00538:07/0", "nwparser.payload", "Connection to Global PRO data collector at %{hostip->} has%{p0}");
+
+ var part1643 = match("MESSAGE#1031:00538:07/1_0", "nwparser.p0", " been%{p0}");
+
+ var select370 = linear_select([
+ part1643,
+ dup16,
+ ]);
+
+ var all344 = all_match({
+ processors: [
+ part1642,
+ select370,
+ dup136,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1044 = msg("00538:07", all344);
+
+ var part1644 = match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO data collector at %{hostip}", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1045 = msg("00538:08", part1644);
+
+ var part1645 = match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server at %{hostip->} (%{info}) (%{fld1})", processor_chain([
+ dup301,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ setc("event_description","Connected to NSM server"),
+ ]));
+
+ var msg1046 = msg("00538:09", part1645);
+
+ var part1646 = match("MESSAGE#1034:00538:10/0", "nwparser.payload", "NSM: Connection to NSM server at %{hostip->} is down. Reason: %{resultcode}, %{result->} (%{p0}");
+
+ var part1647 = match("MESSAGE#1034:00538:10/1_0", "nwparser.p0", "%{info}) (%{fld1})");
+
+ var select371 = linear_select([
+ part1647,
+ dup41,
+ ]);
+
+ var all345 = all_match({
+ processors: [
+ part1646,
+ select371,
+ ],
+ on_success: processor_chain([
+ dup198,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ setc("event_description","Connection to NSM server is down"),
+ ]),
+ });
+
+ var msg1047 = msg("00538:10", all345);
+
+ var part1648 = match("MESSAGE#1035:00538:11", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld2->} connect attempt(s)) (%{fld1})", processor_chain([
+ dup198,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup323,
+ ]));
+
+ var msg1048 = msg("00538:11", part1648);
+
+ var part1649 = match("MESSAGE#1036:00538:12", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld1})", processor_chain([
+ dup198,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup323,
+ ]));
+
+ var msg1049 = msg("00538:12", part1649);
+
+ var part1650 = match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ setc("event_description","Sent 2B message"),
+ ]));
+
+ var msg1050 = msg("00538:13", part1650);
+
+ var select372 = linear_select([
+ msg1037,
+ msg1038,
+ msg1039,
+ msg1040,
+ msg1041,
+ msg1042,
+ msg1043,
+ msg1044,
+ msg1045,
+ msg1046,
+ msg1047,
+ msg1048,
+ msg1049,
+ msg1050,
+ ]);
+
+ var part1651 = match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool for user %{username}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1051 = msg("00539", part1651);
+
+ var part1652 = match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{username}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1052 = msg("00539:01", part1652);
+
+ var part1653 = match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from Pool %{group_object->} for user %{username}", processor_chain([
+ dup117,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1053 = msg("00539:02", part1653);
+
+ var part1654 = match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to establish a session: %{fld2}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1054 = msg("00539:03", part1654);
+
+ var part1655 = match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has successfully established.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1055 = msg("00539:04", part1655);
+
+ var part1656 = match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned. You cannot allocate an IP address%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1056 = msg("00539:05", part1656);
+
+ var part1657 = match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1057 = msg("00539:06", part1657);
+
+ var select373 = linear_select([
+ msg1051,
+ msg1052,
+ msg1053,
+ msg1054,
+ msg1055,
+ msg1056,
+ msg1057,
+ ]);
+
+ var part1658 = match("MESSAGE#1045:00541", "nwparser.payload", "ScreenOS %{fld2->} serial # %{serial_number}: Asset recovery has been %{disposition}", processor_chain([
+ dup324,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1058 = msg("00541", part1658);
+
+ var part1659 = match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2->} IP address - %{hostip->} changed its state to %{change_new}. (%{fld1})", processor_chain([
+ dup273,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1059 = msg("00541:01", part1659);
+
+ var part1660 = match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from %{change_old->} to %{change_new->} state, (neighbor router-id 1%{fld2}, ip-address %{hostip}). (%{fld1})", processor_chain([
+ dup273,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1060 = msg("00541:02", part1660);
+
+ var part1661 = match("MESSAGE#1219:00541:03/0", "nwparser.payload", "LSA in following area aged out: LSA area ID %{fld3}, LSA ID %{fld4}, router ID %{fld2}, type %{fld7->} in OSPF. (%{fld1})%{p0}");
+
+ var part1662 = match("MESSAGE#1219:00541:03/1_0", "nwparser.p0", "\u003c\u003c%{fld16}>");
+
+ var select374 = linear_select([
+ part1662,
+ dup21,
+ ]);
+
+ var all346 = all_match({
+ processors: [
+ part1661,
+ select374,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup9,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1061 = msg("00541:03", all346);
+
+ var select375 = linear_select([
+ msg1058,
+ msg1059,
+ msg1060,
+ msg1061,
+ ]);
+
+ var part1663 = match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix adding: %{fld2}, ribin overflow %{fld3->} times (max rib-in %{fld4})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1062 = msg("00542", part1663);
+
+ var part1664 = match("MESSAGE#1047:00543/0", "nwparser.payload", "Access for %{p0}");
+
+ var part1665 = match("MESSAGE#1047:00543/1_0", "nwparser.p0", "WebAuth firewall %{p0}");
+
+ var part1666 = match("MESSAGE#1047:00543/1_1", "nwparser.p0", "firewall %{p0}");
+
+ var select376 = linear_select([
+ part1665,
+ part1666,
+ ]);
+
+ var part1667 = match("MESSAGE#1047:00543/2", "nwparser.p0", "user %{username->} %{space}at %{hostip->} (accepted at %{fld2->} for duration %{duration->} via the %{logon_type}) %{p0}");
+
+ var part1668 = match("MESSAGE#1047:00543/3_0", "nwparser.p0", "by policy id %{policy_id->} is %{p0}");
+
+ var select377 = linear_select([
+ part1668,
+ dup106,
+ ]);
+
+ var part1669 = match("MESSAGE#1047:00543/4", "nwparser.p0", "now over (%{fld1})");
+
+ var all347 = all_match({
+ processors: [
+ part1664,
+ select376,
+ part1667,
+ select377,
+ part1669,
+ ],
+ on_success: processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ dup3,
+ ]),
+ });
+
+ var msg1063 = msg("00543", all347);
+
+ var part1670 = match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group %{group->} ] at %{hostip->} has been challenged by the RADIUS server at %{daddr}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup60,
+ setc("action","RADIUS server challenge"),
+ ]));
+
+ var msg1064 = msg("00544", part1670);
+
+ var part1671 = match("MESSAGE#1049:00546", "nwparser.payload", "delete-route-> trust-vr: %{fld2}", processor_chain([
+ dup281,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1065 = msg("00546", part1671);
+
+ var part1672 = match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned because max content size was exceeded.", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup61,
+ ]));
+
+ var msg1066 = msg("00547", part1672);
+
+ var part1673 = match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned due to a scan engine error or constraint.", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup3,
+ dup61,
+ ]));
+
+ var msg1067 = msg("00547:01", part1673);
+
+ var part1674 = match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has been %{disposition}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1068 = msg("00547:02", part1674);
+
+ var part1675 = match("MESSAGE#1053:00547:03/0", "nwparser.payload", "AV: Content from %{location_desc}, http url: %{url}, is passed %{p0}");
+
+ var part1676 = match("MESSAGE#1053:00547:03/1_0", "nwparser.p0", "due to %{p0}");
+
+ var part1677 = match("MESSAGE#1053:00547:03/1_1", "nwparser.p0", "because %{p0}");
+
+ var select378 = linear_select([
+ part1676,
+ part1677,
+ ]);
+
+ var part1678 = match("MESSAGE#1053:00547:03/2", "nwparser.p0", "%{result}. (%{event_time_string})");
+
+ var all348 = all_match({
+ processors: [
+ part1675,
+ select378,
+ part1678,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ setc("event_description","Content is bypassed for connection"),
+ ]),
+ });
+
+ var msg1069 = msg("00547:03", all348);
+
+ var select379 = linear_select([
+ msg1066,
+ msg1067,
+ msg1068,
+ msg1069,
+ ]);
+
+ var part1679 = match("MESSAGE#1054:00549", "nwparser.payload", "add-route-> untrust-vr: %{fld2}", processor_chain([
+ dup281,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1070 = msg("00549", part1679);
+
+ var part1680 = match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred during configlet file processing.", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1071 = msg("00551", part1680);
+
+ var part1681 = match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurred, causing failure to establish secure management with Management System.", processor_chain([
+ dup86,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1072 = msg("00551:01", part1681);
+
+ var part1682 = match("MESSAGE#1057:00551:02/0", "nwparser.payload", "Configlet file %{p0}");
+
+ var part1683 = match("MESSAGE#1057:00551:02/1_0", "nwparser.p0", "decryption %{p0}");
+
+ var select380 = linear_select([
+ part1683,
+ dup89,
+ ]);
+
+ var all349 = all_match({
+ processors: [
+ part1682,
+ select380,
+ dup128,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1073 = msg("00551:02", all349);
+
+ var part1684 = match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot start because gateway has undergone configuration changes. (%{fld1})", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1074 = msg("00551:03", part1684);
+
+ var part1685 = match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management established successfully with remote server. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1075 = msg("00551:04", part1685);
+
+ var select381 = linear_select([
+ msg1071,
+ msg1072,
+ msg1073,
+ msg1074,
+ msg1075,
+ ]);
+
+ var part1686 = match("MESSAGE#1060:00553/0", "nwparser.payload", "SCAN-MGR: Failed to get %{p0}");
+
+ var part1687 = match("MESSAGE#1060:00553/1_0", "nwparser.p0", "AltServer %{p0}");
+
+ var part1688 = match("MESSAGE#1060:00553/1_1", "nwparser.p0", "Version %{p0}");
+
+ var part1689 = match("MESSAGE#1060:00553/1_2", "nwparser.p0", "Path_GateLockCE %{p0}");
+
+ var select382 = linear_select([
+ part1687,
+ part1688,
+ part1689,
+ ]);
+
+ var all350 = all_match({
+ processors: [
+ part1686,
+ select382,
+ dup325,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1076 = msg("00553", all350);
+
+ var part1690 = match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size from server.ini.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1077 = msg("00553:01", part1690);
+
+ var part1691 = match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from server.ini is too large: %{bytes->} (bytes).", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1078 = msg("00553:02", part1691);
+
+ var part1692 = match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from server.ini is too long: %{fld2}; max is %{fld3}.", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1079 = msg("00553:03", part1692);
+
+ var part1693 = match("MESSAGE#1064:00553:04/0", "nwparser.payload", "SCAN-MGR: Failed to retrieve %{p0}");
+
+ var select383 = linear_select([
+ dup326,
+ dup327,
+ ]);
+
+ var part1694 = match("MESSAGE#1064:00553:04/2", "nwparser.p0", "file: %{fld2}; http status code: %{resultcode}.");
+
+ var all351 = all_match({
+ processors: [
+ part1693,
+ select383,
+ part1694,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1080 = msg("00553:04", all351);
+
+ var part1695 = match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pattern into a RAM file.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1081 = msg("00553:05", part1695);
+
+ var part1696 = match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File failed: code from VSAPI: %{resultcode}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1082 = msg("00553:06", part1696);
+
+ var part1697 = match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pattern into flash.%{}", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1083 = msg("00553:07", part1697);
+
+ var part1698 = match("MESSAGE#1068:00553:08/0", "nwparser.payload", "SCAN-MGR: Internal error while setting up for retrieving %{p0}");
+
+ var select384 = linear_select([
+ dup327,
+ dup326,
+ ]);
+
+ var all352 = all_match({
+ processors: [
+ part1698,
+ select384,
+ dup328,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1084 = msg("00553:08", all352);
+
+ var part1699 = match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{disposition}: Err: %{resultcode}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1085 = msg("00553:09", part1699);
+
+ var part1700 = match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{disposition->} due to %{result}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1086 = msg("00553:10", part1700);
+
+ var part1701 = match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern Creation Date(%{fld2}) is after AV Key Expiration date(%{fld3}).", processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1087 = msg("00553:11", part1701);
+
+ var part1702 = match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompressLayer %{disposition}: Layer: %{fld2}, Err: %{resultcode}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1088 = msg("00553:12", part1702);
+
+ var part1703 = match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFileSizeLimit %{disposition}: Limit: %{fld2}, Err: %{resultcode}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1089 = msg("00553:13", part1703);
+
+ var part1704 = match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{disposition}: ret: %{fld2}; cpapiErrCode: %{resultcode}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1090 = msg("00553:14", part1704);
+
+ var part1705 = match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usage error. Left usage: %{fld2}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1091 = msg("00553:15", part1705);
+
+ var part1706 = match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress layer to %{fld2}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1092 = msg("00553:16", part1706);
+
+ var part1707 = match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum content size to %{fld2}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1093 = msg("00553:17", part1707);
+
+ var part1708 = match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number of concurrent messages to %{fld2}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1094 = msg("00553:18", part1708);
+
+ var part1709 = match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to %{fld2}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1095 = msg("00553:19", part1709);
+
+ var part1710 = match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to %{fld2}; update interval is %{fld3}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1096 = msg("00553:20", part1710);
+
+ var part1711 = match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1097 = msg("00553:21", part1711);
+
+ var part1712 = match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern updated: version: %{version}, size: %{bytes->} (bytes).", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1098 = msg("00553:22", part1712);
+
+ var select385 = linear_select([
+ msg1076,
+ msg1077,
+ msg1078,
+ msg1079,
+ msg1080,
+ msg1081,
+ msg1082,
+ msg1083,
+ msg1084,
+ msg1085,
+ msg1086,
+ msg1087,
+ msg1088,
+ msg1089,
+ msg1090,
+ msg1091,
+ msg1092,
+ msg1093,
+ msg1094,
+ msg1095,
+ msg1096,
+ msg1097,
+ msg1098,
+ ]);
+
+ var part1713 = match("MESSAGE#1083:00554/0", "nwparser.payload", "SCAN-MGR: Cannot get %{p0}");
+
+ var part1714 = match("MESSAGE#1083:00554/1_0", "nwparser.p0", "AltServer info %{p0}");
+
+ var part1715 = match("MESSAGE#1083:00554/1_1", "nwparser.p0", "Version number %{p0}");
+
+ var part1716 = match("MESSAGE#1083:00554/1_2", "nwparser.p0", "Path_GateLockCE info %{p0}");
+
+ var select386 = linear_select([
+ part1714,
+ part1715,
+ part1716,
+ ]);
+
+ var all353 = all_match({
+ processors: [
+ part1713,
+ select386,
+ dup325,
+ ],
+ on_success: processor_chain([
+ dup144,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1099 = msg("00554", all353);
+
+ var part1717 = match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini file, the AV pattern file size is zero.%{}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1100 = msg("00554:01", part1717);
+
+ var part1718 = match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file size is too large (%{bytes->} bytes).", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1101 = msg("00554:02", part1718);
+
+ var part1719 = match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV pattern file server URL is too long: %{bytes->} bytes. Max: %{fld2->} bytes.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1102 = msg("00554:03", part1719);
+
+ var part1720 = match("MESSAGE#1087:00554:04/0", "nwparser.payload", "SCAN-MGR: Cannot retrieve %{p0}");
+
+ var part1721 = match("MESSAGE#1087:00554:04/2", "nwparser.p0", "file from %{hostip}:%{network_port}. HTTP status code: %{fld2}.");
+
+ var all354 = all_match({
+ processors: [
+ part1720,
+ dup405,
+ part1721,
+ ],
+ on_success: processor_chain([
+ dup144,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1103 = msg("00554:04", all354);
+
+ var part1722 = match("MESSAGE#1088:00554:05/0", "nwparser.payload", "SCAN-MGR: Cannot write AV pattern file to %{p0}");
+
+ var part1723 = match("MESSAGE#1088:00554:05/1_0", "nwparser.p0", "RAM %{p0}");
+
+ var part1724 = match("MESSAGE#1088:00554:05/1_1", "nwparser.p0", "flash %{p0}");
+
+ var select387 = linear_select([
+ part1723,
+ part1724,
+ ]);
+
+ var all355 = all_match({
+ processors: [
+ part1722,
+ select387,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup144,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1104 = msg("00554:05", all355);
+
+ var part1725 = match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pattern file. VSAPI code: %{fld2}", processor_chain([
+ dup144,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1105 = msg("00554:06", part1725);
+
+ var part1726 = match("MESSAGE#1090:00554:07/0", "nwparser.payload", "SCAN-MGR: Internal error occurred while retrieving %{p0}");
+
+ var all356 = all_match({
+ processors: [
+ part1726,
+ dup405,
+ dup328,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1106 = msg("00554:07", all356);
+
+ var part1727 = match("MESSAGE#1091:00554:08/0", "nwparser.payload", "SCAN-MGR: Internal error occurred when calling this function: %{fld2}. %{fld3->} %{p0}");
+
+ var part1728 = match("MESSAGE#1091:00554:08/1_0", "nwparser.p0", "Error: %{resultcode->} %{p0}");
+
+ var part1729 = match("MESSAGE#1091:00554:08/1_1", "nwparser.p0", "Returned a NULL VSC handler %{p0}");
+
+ var part1730 = match("MESSAGE#1091:00554:08/1_2", "nwparser.p0", "cpapiErrCode: %{resultcode->} %{p0}");
+
+ var select388 = linear_select([
+ part1728,
+ part1729,
+ part1730,
+ ]);
+
+ var all357 = all_match({
+ processors: [
+ part1727,
+ select388,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1107 = msg("00554:08", all357);
+
+ var part1731 = match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompression layers has been set to %{fld2}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1108 = msg("00554:09", part1731);
+
+ var part1732 = match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content size has been set to %{fld2->} KB.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1109 = msg("00554:10", part1732);
+
+ var part1733 = match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of concurrent messages has been set to %{fld2}.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1110 = msg("00554:11", part1733);
+
+ var part1734 = match("MESSAGE#1095:00554:12/0", "nwparser.payload", "SCAN-MGR: Fail mode has been set to %{p0}");
+
+ var part1735 = match("MESSAGE#1095:00554:12/1_0", "nwparser.p0", "drop %{p0}");
+
+ var part1736 = match("MESSAGE#1095:00554:12/1_1", "nwparser.p0", "pass %{p0}");
+
+ var select389 = linear_select([
+ part1735,
+ part1736,
+ ]);
+
+ var part1737 = match("MESSAGE#1095:00554:12/2", "nwparser.p0", "unexamined traffic if %{p0}");
+
+ var part1738 = match("MESSAGE#1095:00554:12/3_0", "nwparser.p0", "content size %{p0}");
+
+ var part1739 = match("MESSAGE#1095:00554:12/3_1", "nwparser.p0", "number of concurrent messages %{p0}");
+
+ var select390 = linear_select([
+ part1738,
+ part1739,
+ ]);
+
+ var part1740 = match("MESSAGE#1095:00554:12/4", "nwparser.p0", "exceeds max.%{}");
+
+ var all358 = all_match({
+ processors: [
+ part1734,
+ select389,
+ part1737,
+ select390,
+ part1740,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1111 = msg("00554:12", all358);
+
+ var part1741 = match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been set to %{fld2}, and the update interval to %{fld3->} minutes.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1112 = msg("00554:13", part1741);
+
+ var part1742 = match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1113 = msg("00554:14", part1742);
+
+ var part1743 = match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern file has been updated. Version: %{version}; size: %{bytes->} bytes.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1114 = msg("00554:15", part1743);
+
+ var part1744 = match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: %{fld2}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1115 = msg("00554:16", part1744);
+
+ var part1745 = match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load AV pattern file created %{fld2->} after the AV subscription expired. (Exp: %{fld3})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1116 = msg("00554:17", part1745);
+
+ var select391 = linear_select([
+ msg1099,
+ msg1100,
+ msg1101,
+ msg1102,
+ msg1103,
+ msg1104,
+ msg1105,
+ msg1106,
+ msg1107,
+ msg1108,
+ msg1109,
+ msg1110,
+ msg1111,
+ msg1112,
+ msg1113,
+ msg1114,
+ msg1115,
+ msg1116,
+ ]);
+
+ var part1746 = match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot process non-multicast address %{hostip}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1117 = msg("00555", part1746);
+
+ var part1747 = match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a request. Reason: %{result}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1118 = msg("00556", part1747);
+
+ var part1748 = match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a transaction. Reason: %{result}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1119 = msg("00556:01", part1748);
+
+ var part1749 = match("MESSAGE#1104:00556:02/0", "nwparser.payload", "UF-MGR: UF %{p0}");
+
+ var part1750 = match("MESSAGE#1104:00556:02/1_0", "nwparser.p0", "K%{p0}");
+
+ var part1751 = match("MESSAGE#1104:00556:02/1_1", "nwparser.p0", "k%{p0}");
+
+ var select392 = linear_select([
+ part1750,
+ part1751,
+ ]);
+
+ var part1752 = match("MESSAGE#1104:00556:02/2", "nwparser.p0", "ey %{p0}");
+
+ var part1753 = match("MESSAGE#1104:00556:02/3_0", "nwparser.p0", "Expired%{p0}");
+
+ var part1754 = match("MESSAGE#1104:00556:02/3_1", "nwparser.p0", "expired%{p0}");
+
+ var select393 = linear_select([
+ part1753,
+ part1754,
+ ]);
+
+ var part1755 = match("MESSAGE#1104:00556:02/4", "nwparser.p0", "%{}(expiration date: %{fld2}; current date: %{fld3}).");
+
+ var all359 = all_match({
+ processors: [
+ part1749,
+ select392,
+ part1752,
+ select393,
+ part1755,
+ ],
+ on_success: processor_chain([
+ dup254,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1120 = msg("00556:02", all359);
+
+ var part1756 = match("MESSAGE#1105:00556:03/0", "nwparser.payload", "UF-MGR: Failed to %{p0}");
+
+ var part1757 = match("MESSAGE#1105:00556:03/1_0", "nwparser.p0", "enable %{p0}");
+
+ var part1758 = match("MESSAGE#1105:00556:03/1_1", "nwparser.p0", "disable %{p0}");
+
+ var select394 = linear_select([
+ part1757,
+ part1758,
+ ]);
+
+ var part1759 = match("MESSAGE#1105:00556:03/2", "nwparser.p0", "cache.%{}");
+
+ var all360 = all_match({
+ processors: [
+ part1756,
+ select394,
+ part1759,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1121 = msg("00556:03", all360);
+
+ var part1760 = match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{resultcode}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1122 = msg("00556:04", part1760);
+
+ var part1761 = match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed to %{fld2}(K).", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1123 = msg("00556:05", part1761);
+
+ var part1762 = match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout changes to %{fld2->} (hours).", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1124 = msg("00556:06", part1762);
+
+ var part1763 = match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update interval changed to %{fld2->} (weeks).", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1125 = msg("00556:07", part1763);
+
+ var part1764 = match("MESSAGE#1110:00556:08/0", "nwparser.payload", "UF-MGR: Cache %{p0}");
+
+ var all361 = all_match({
+ processors: [
+ part1764,
+ dup358,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1126 = msg("00556:08", all361);
+
+ var part1765 = match("MESSAGE#1111:00556:09", "nwparser.payload", "UF-MGR: URL BLOCKED: ip_addr (%{fld2}) -> ip_addr (%{fld3}), %{fld4->} action: %{disposition}, category: %{fld5}, reason %{result}", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup282,
+ ]));
+
+ var msg1127 = msg("00556:09", part1765);
+
+ var part1766 = match("MESSAGE#1112:00556:10", "nwparser.payload", "UF-MGR: URL FILTER ERR: ip_addr (%{fld2}) -> ip_addr (%{fld3}), host: %{fld5->} page: %{fld4->} code: %{resultcode->} reason: %{result}.", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1128 = msg("00556:10", part1766);
+
+ var part1767 = match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server changed to %{fld2}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1129 = msg("00556:11", part1767);
+
+ var part1768 = match("MESSAGE#1114:00556:12/0", "nwparser.payload", "UF-MGR: %{fld2->} CPA server %{p0}");
+
+ var select395 = linear_select([
+ dup140,
+ dup169,
+ ]);
+
+ var part1769 = match("MESSAGE#1114:00556:12/2", "nwparser.p0", "changed to %{fld3}.");
+
+ var all362 = all_match({
+ processors: [
+ part1768,
+ select395,
+ part1769,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1130 = msg("00556:12", all362);
+
+ var part1770 = match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filtering %{disposition}.", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1131 = msg("00556:13", part1770);
+
+ var part1771 = match("MESSAGE#1116:00556:14/0", "nwparser.payload", "UF-MGR: The url %{url->} was %{p0}");
+
+ var part1772 = match("MESSAGE#1116:00556:14/2", "nwparser.p0", "category %{fld2}.");
+
+ var all363 = all_match({
+ processors: [
+ part1771,
+ dup406,
+ part1772,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1132 = msg("00556:14", all363);
+
+ var part1773 = match("MESSAGE#1117:00556:15/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was %{p0}");
+
+ var part1774 = match("MESSAGE#1117:00556:15/2", "nwparser.p0", "profile %{fld3->} with action %{disposition}.");
+
+ var all364 = all_match({
+ processors: [
+ part1773,
+ dup406,
+ part1774,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup282,
+ ]),
+ });
+
+ var msg1133 = msg("00556:15", all364);
+
+ var part1775 = match("MESSAGE#1118:00556:16/0", "nwparser.payload", "UF-MGR: The %{p0}");
+
+ var part1776 = match("MESSAGE#1118:00556:16/1_0", "nwparser.p0", "profile %{p0}");
+
+ var part1777 = match("MESSAGE#1118:00556:16/1_1", "nwparser.p0", "category %{p0}");
+
+ var select396 = linear_select([
+ part1776,
+ part1777,
+ ]);
+
+ var part1778 = match("MESSAGE#1118:00556:16/2", "nwparser.p0", "%{fld2->} was %{p0}");
+
+ var select397 = linear_select([
+ dup104,
+ dup120,
+ ]);
+
+ var all365 = all_match({
+ processors: [
+ part1775,
+ select396,
+ part1778,
+ select397,
+ dup116,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1134 = msg("00556:16", all365);
+
+ var part1779 = match("MESSAGE#1119:00556:17/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was set in profile %{profile->} as the %{p0}");
+
+ var part1780 = match("MESSAGE#1119:00556:17/1_0", "nwparser.p0", "black %{p0}");
+
+ var part1781 = match("MESSAGE#1119:00556:17/1_1", "nwparser.p0", "white %{p0}");
+
+ var select398 = linear_select([
+ part1780,
+ part1781,
+ ]);
+
+ var part1782 = match("MESSAGE#1119:00556:17/2", "nwparser.p0", "list.%{}");
+
+ var all366 = all_match({
+ processors: [
+ part1779,
+ select398,
+ part1782,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1135 = msg("00556:17", all366);
+
+ var part1783 = match("MESSAGE#1120:00556:18/0", "nwparser.payload", "UF-MGR: The action for %{fld2->} in profile %{profile->} was %{p0}");
+
+ var part1784 = match("MESSAGE#1120:00556:18/1_1", "nwparser.p0", "changed %{p0}");
+
+ var select399 = linear_select([
+ dup101,
+ part1784,
+ ]);
+
+ var part1785 = match("MESSAGE#1120:00556:18/2", "nwparser.p0", "to %{fld3}.");
+
+ var all367 = all_match({
+ processors: [
+ part1783,
+ select399,
+ part1785,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1136 = msg("00556:18", all367);
+
+ var part1786 = match("MESSAGE#1121:00556:20/0", "nwparser.payload", "UF-MGR: The category list from the CPA server %{p0}");
+
+ var part1787 = match("MESSAGE#1121:00556:20/2", "nwparser.p0", "updated on%{p0}");
+
+ var select400 = linear_select([
+ dup103,
+ dup96,
+ ]);
+
+ var part1788 = match("MESSAGE#1121:00556:20/4", "nwparser.p0", "the device.%{}");
+
+ var all368 = all_match({
+ processors: [
+ part1786,
+ dup355,
+ part1787,
+ select400,
+ part1788,
+ ],
+ on_success: processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1137 = msg("00556:20", all368);
+
+ var part1789 = match("MESSAGE#1122:00556:21", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} action: %{disposition}, category: %{category}, reason: %{result->} (%{fld1})", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup282,
+ ]));
+
+ var msg1138 = msg("00556:21", part1789);
+
+ var part1790 = match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} (%{fld1})", processor_chain([
+ dup232,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1139 = msg("00556:22", part1790);
+
+ var select401 = linear_select([
+ msg1118,
+ msg1119,
+ msg1120,
+ msg1121,
+ msg1122,
+ msg1123,
+ msg1124,
+ msg1125,
+ msg1126,
+ msg1127,
+ msg1128,
+ msg1129,
+ msg1130,
+ msg1131,
+ msg1132,
+ msg1133,
+ msg1134,
+ msg1135,
+ msg1136,
+ msg1137,
+ msg1138,
+ msg1139,
+ ]);
+
+ var part1791 = match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interface->} is %{fld2}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1140 = msg("00572", part1791);
+
+ var part1792 = match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on interface %{interface}: %{result}. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1141 = msg("00572:01", part1792);
+
+ var part1793 = match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface->} is %{disposition->} by receiving Terminate-Request. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1142 = msg("00572:03", part1793);
+
+ var select402 = linear_select([
+ msg1140,
+ msg1141,
+ msg1142,
+ ]);
+
+ var part1794 = match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" rebuilding lookup tree for virtual router \"%{node}\". (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg1143 = msg("00615", part1794);
+
+ var part1795 = match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" lookup tree rebuilt successfully in virtual router \"%{node}\". (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg1144 = msg("00615:01", part1795);
+
+ var select403 = linear_select([
+ msg1143,
+ msg1144,
+ ]);
+
+ var part1796 = match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}, through policy %{policyname}. Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg1145 = msg("00601", part1796);
+
+ var part1797 = match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detected from %{saddr}/%{sport->} to %{daddr}/%{dport->} through policy %{policyname->} %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var msg1146 = msg("00601:01", part1797);
+
+ var part1798 = match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multicast.%{}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1147 = msg("00601:18", part1798);
+
+ var select404 = linear_select([
+ msg1145,
+ msg1146,
+ msg1147,
+ ]);
+
+ var part1799 = match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing interface state change%{}", processor_chain([
+ dup19,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1148 = msg("00602", part1799);
+
+ var part1800 = match("MESSAGE#1133:00612/0", "nwparser.payload", "Switch event: the status of ethernet port %{fld2->} changed to link %{p0}");
+
+ var part1801 = match("MESSAGE#1133:00612/2", "nwparser.p0", ", duplex %{p0}");
+
+ var part1802 = match("MESSAGE#1133:00612/3_0", "nwparser.p0", "full %{p0}");
+
+ var part1803 = match("MESSAGE#1133:00612/3_1", "nwparser.p0", "half %{p0}");
+
+ var select405 = linear_select([
+ part1802,
+ part1803,
+ ]);
+
+ var part1804 = match("MESSAGE#1133:00612/4", "nwparser.p0", ", speed 10%{p0}");
+
+ var part1805 = match("MESSAGE#1133:00612/5_0", "nwparser.p0", "0 %{p0}");
+
+ var select406 = linear_select([
+ part1805,
+ dup96,
+ ]);
+
+ var part1806 = match("MESSAGE#1133:00612/6", "nwparser.p0", "M. (%{fld1})");
+
+ var all369 = all_match({
+ processors: [
+ part1800,
+ dup353,
+ part1801,
+ select405,
+ part1804,
+ select406,
+ part1806,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1149 = msg("00612", all369);
+
+ var part1807 = match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send all the DRP routes to backup device. (%{fld1})", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1150 = msg("00620", part1807);
+
+ var part1808 = match("MESSAGE#1135:00620:01/0", "nwparser.payload", "RTSYNC: %{p0}");
+
+ var part1809 = match("MESSAGE#1135:00620:01/1_0", "nwparser.p0", "Serviced%{p0}");
+
+ var part1810 = match("MESSAGE#1135:00620:01/1_1", "nwparser.p0", "Recieved%{p0}");
+
+ var select407 = linear_select([
+ part1809,
+ part1810,
+ ]);
+
+ var part1811 = match("MESSAGE#1135:00620:01/2", "nwparser.p0", "%{}coldstart request for route synchronization from NSRP peer. (%{fld1})");
+
+ var all370 = all_match({
+ processors: [
+ part1808,
+ select407,
+ part1811,
+ ],
+ on_success: processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1151 = msg("00620:01", all370);
+
+ var part1812 = match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to purge all the DRP backup routes - %{fld2->} (%{fld1})", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1152 = msg("00620:02", part1812);
+
+ var part1813 = match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purge backup routes in all vrouters. (%{fld1})", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1153 = msg("00620:03", part1813);
+
+ var part1814 = match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the DRP backup routes is stopped. (%{fld1})", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1154 = msg("00620:04", part1814);
+
+ var select408 = linear_select([
+ msg1150,
+ msg1151,
+ msg1152,
+ msg1153,
+ msg1154,
+ ]);
+
+ var part1815 = match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual router %{node->} is created. (%{fld1})", processor_chain([
+ dup273,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1155 = msg("00622", part1815);
+
+ var part1816 = match("MESSAGE#1140:00625/0", "nwparser.payload", "Session (id %{sessionid->} src-ip %{saddr->} dst-ip %{daddr->} dst port %{dport}) route is %{p0}");
+
+ var part1817 = match("MESSAGE#1140:00625/1_0", "nwparser.p0", "invalid%{p0}");
+
+ var part1818 = match("MESSAGE#1140:00625/1_1", "nwparser.p0", "valid%{p0}");
+
+ var select409 = linear_select([
+ part1817,
+ part1818,
+ ]);
+
+ var all371 = all_match({
+ processors: [
+ part1816,
+ select409,
+ dup49,
+ ],
+ on_success: processor_chain([
+ dup273,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg1156 = msg("00625", all371);
+
+ var part1819 = match("MESSAGE#1141:00628/0", "nwparser.payload", "audit log queue %{p0}");
+
+ var part1820 = match("MESSAGE#1141:00628/1_0", "nwparser.p0", "Traffic Log %{p0}");
+
+ var part1821 = match("MESSAGE#1141:00628/1_1", "nwparser.p0", "Event Alarm Log %{p0}");
+
+ var part1822 = match("MESSAGE#1141:00628/1_2", "nwparser.p0", "Event Log %{p0}");
+
+ var select410 = linear_select([
+ part1820,
+ part1821,
+ part1822,
+ ]);
+
+ var part1823 = match("MESSAGE#1141:00628/2", "nwparser.p0", "is overwritten (%{fld1})");
+
+ var all372 = all_match({
+ processors: [
+ part1819,
+ select410,
+ part1823,
+ ],
+ on_success: processor_chain([
+ dup223,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg1157 = msg("00628", all372);
+
+ var part1824 = match("MESSAGE#1142:00767:50", "nwparser.payload", "Log setting was modified to %{disposition->} %{fld2->} level by admin %{administrator->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ dup282,
+ ]));
+
+ var msg1158 = msg("00767:50", part1824);
+
+ var part1825 = match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg1159 = msg("00767:51", part1825);
+
+ var part1826 = match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg1160 = msg("00767:52", part1826);
+
+ var part1827 = match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is added to attack group %{group->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([
+ dup58,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg1161 = msg("00767:53", part1827);
+
+ var part1828 = match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID server%{}", processor_chain([
+ dup27,
+ setc("ec_theme","Communication"),
+ dup39,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1162 = msg("00767", part1828);
+
+ var part1829 = match("MESSAGE#1147:00767:01/0", "nwparser.payload", "System auto-config of file %{fld2->} from TFTP server %{hostip->} has %{p0}");
+
+ var part1830 = match("MESSAGE#1147:00767:01/1_0", "nwparser.p0", "been loaded successfully%{}");
+
+ var part1831 = match("MESSAGE#1147:00767:01/1_1", "nwparser.p0", "failed%{}");
+
+ var select411 = linear_select([
+ part1830,
+ part1831,
+ ]);
+
+ var all373 = all_match({
+ processors: [
+ part1829,
+ select411,
+ ],
+ on_success: processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1163 = msg("00767:01", all373);
+
+ var part1832 = match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config saved from host %{saddr}", processor_chain([
+ setc("eventcategory","1702000000"),
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1164 = msg("00767:02", part1832);
+
+ var part1833 = match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filename %(unknown)", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1165 = msg("00767:03", part1833);
+
+ var part1834 = match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1166 = msg("00767:04", part1834);
+
+ var part1835 = match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact the SecurID server%{}", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1167 = msg("00767:05", part1835);
+
+ var part1836 = match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data to the SecurID server%{}", processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1168 = msg("00767:06", part1836);
+
+ var part1837 = match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was saved from peer unit by admin%{}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1169 = msg("00767:07", part1837);
+
+ var part1838 = match("MESSAGE#1154:00767:08/0", "nwparser.payload", "The system configuration was saved by admin %{p0}");
+
+ var all374 = all_match({
+ processors: [
+ part1838,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1170 = msg("00767:08", all374);
+
+ var part1839 = match("MESSAGE#1155:00767:09/0", "nwparser.payload", "traffic shaping is turned O%{p0}");
+
+ var part1840 = match("MESSAGE#1155:00767:09/1_0", "nwparser.p0", "N%{}");
+
+ var part1841 = match("MESSAGE#1155:00767:09/1_1", "nwparser.p0", "FF%{}");
+
+ var select412 = linear_select([
+ part1840,
+ part1841,
+ ]);
+
+ var all375 = all_match({
+ processors: [
+ part1839,
+ select412,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1171 = msg("00767:09", all375);
+
+ var part1842 = match("MESSAGE#1156:00767:10/0", "nwparser.payload", "The system configuration was saved from host %{saddr->} by admin %{p0}");
+
+ var all376 = all_match({
+ processors: [
+ part1842,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1172 = msg("00767:10", all376);
+
+ var part1843 = match("MESSAGE#1157:00767:11/0", "nwparser.payload", "Fatal error. The NetScreen device was unable to upgrade the %{p0}");
+
+ var part1844 = match("MESSAGE#1157:00767:11/1_1", "nwparser.p0", "file system %{p0}");
+
+ var select413 = linear_select([
+ dup331,
+ part1844,
+ ]);
+
+ var part1845 = match("MESSAGE#1157:00767:11/2", "nwparser.p0", ", and the %{p0}");
+
+ var part1846 = match("MESSAGE#1157:00767:11/3_1", "nwparser.p0", "old file system %{p0}");
+
+ var select414 = linear_select([
+ dup331,
+ part1846,
+ ]);
+
+ var part1847 = match("MESSAGE#1157:00767:11/4", "nwparser.p0", "is damaged.%{}");
+
+ var all377 = all_match({
+ processors: [
+ part1843,
+ select413,
+ part1845,
+ select414,
+ part1847,
+ ],
+ on_success: processor_chain([
+ dup18,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1173 = msg("00767:11", all377);
+
+ var part1848 = match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1174 = msg("00767:12", part1848);
+
+ var part1849 = match("MESSAGE#1159:00767:13/0", "nwparser.payload", "%{fld2}Environment variable %{fld3->} is changed to %{fld4->} by admin %{p0}");
+
+ var all378 = all_match({
+ processors: [
+ part1849,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1175 = msg("00767:13", all378);
+
+ var part1850 = match("MESSAGE#1160:00767:14/0", "nwparser.payload", "System was %{p0}");
+
+ var part1851 = match("MESSAGE#1160:00767:14/1_0", "nwparser.p0", "reset %{p0}");
+
+ var select415 = linear_select([
+ part1851,
+ dup262,
+ ]);
+
+ var part1852 = match("MESSAGE#1160:00767:14/2", "nwparser.p0", "at %{fld2->} by %{p0}");
+
+ var part1853 = match("MESSAGE#1160:00767:14/3_0", "nwparser.p0", "admin %{administrator}");
+
+ var part1854 = match_copy("MESSAGE#1160:00767:14/3_1", "nwparser.p0", "username");
+
+ var select416 = linear_select([
+ part1853,
+ part1854,
+ ]);
+
+ var all379 = all_match({
+ processors: [
+ part1850,
+ select415,
+ part1852,
+ select416,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1176 = msg("00767:14", all379);
+
+ var part1855 = match("MESSAGE#1161:00767:15/1_0", "nwparser.p0", "System %{p0}");
+
+ var part1856 = match("MESSAGE#1161:00767:15/1_1", "nwparser.p0", "Event %{p0}");
+
+ var part1857 = match("MESSAGE#1161:00767:15/1_2", "nwparser.p0", "Traffic %{p0}");
+
+ var select417 = linear_select([
+ part1855,
+ part1856,
+ part1857,
+ ]);
+
+ var part1858 = match("MESSAGE#1161:00767:15/2", "nwparser.p0", "log was reviewed by %{p0}");
+
+ var part1859 = match("MESSAGE#1161:00767:15/4", "nwparser.p0", "%{} %{username}.");
+
+ var all380 = all_match({
+ processors: [
+ dup183,
+ select417,
+ part1858,
+ dup336,
+ part1859,
+ ],
+ on_success: processor_chain([
+ dup223,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1177 = msg("00767:15", all380);
+
+ var part1860 = match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administrator->} issued command %{info->} to redirect output.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1178 = msg("00767:16", part1860);
+
+ var part1861 = match("MESSAGE#1163:00767:17/0", "nwparser.payload", "%{fld2->} Save new software from %{fld3->} to flash by admin %{p0}");
+
+ var all381 = all_match({
+ processors: [
+ part1861,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1179 = msg("00767:17", all381);
+
+ var part1862 = match("MESSAGE#1164:00767:18", "nwparser.payload", "Attack database version %{version->} has been %{fld2->} saved to flash.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1180 = msg("00767:18", part1862);
+
+ var part1863 = match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{version->} was rejected because the authentication check failed.", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1181 = msg("00767:19", part1863);
+
+ var part1864 = match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version of the RADIUS server %{hostname->} does not match %{fld2}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1182 = msg("00767:20", part1864);
+
+ var part1865 = match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, %{fld4}) cleared %{fld5}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1183 = msg("00767:21", part1865);
+
+ var part1866 = match("MESSAGE#1168:00767:22/0", "nwparser.payload", "The system configuration was not saved %{p0}");
+
+ var part1867 = match("MESSAGE#1168:00767:22/1_0", "nwparser.p0", "%{fld2->} by admin %{administrator->} via NSRP Peer %{p0}");
+
+ var part1868 = match("MESSAGE#1168:00767:22/1_1", "nwparser.p0", "%{fld2->} %{p0}");
+
+ var select418 = linear_select([
+ part1867,
+ part1868,
+ ]);
+
+ var part1869 = match("MESSAGE#1168:00767:22/2", "nwparser.p0", "by administrator %{fld3}. %{p0}");
+
+ var part1870 = match("MESSAGE#1168:00767:22/3_0", "nwparser.p0", "It was locked %{p0}");
+
+ var part1871 = match("MESSAGE#1168:00767:22/3_1", "nwparser.p0", "Locked %{p0}");
+
+ var select419 = linear_select([
+ part1870,
+ part1871,
+ ]);
+
+ var part1872 = match("MESSAGE#1168:00767:22/4", "nwparser.p0", "by administrator %{fld4->} %{p0}");
+
+ var all382 = all_match({
+ processors: [
+ part1866,
+ select418,
+ part1869,
+ select419,
+ part1872,
+ dup354,
+ ],
+ on_success: processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1184 = msg("00767:22", all382);
+
+ var part1873 = match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot filename %{filename->} to flash memory by administrator %{administrator}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1185 = msg("00767:23", part1873);
+
+ var part1874 = match("MESSAGE#1170:00767:25/0", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from %{p0}");
+
+ var select420 = linear_select([
+ dup169,
+ dup16,
+ ]);
+
+ var part1875 = match("MESSAGE#1170:00767:25/3_0", "nwparser.p0", "%{saddr}:%{sport->} by %{p0}");
+
+ var part1876 = match("MESSAGE#1170:00767:25/3_1", "nwparser.p0", "%{saddr->} by %{p0}");
+
+ var select421 = linear_select([
+ part1875,
+ part1876,
+ ]);
+
+ var all383 = all_match({
+ processors: [
+ part1874,
+ select420,
+ dup23,
+ select421,
+ dup108,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1186 = msg("00767:25", all383);
+
+ var part1877 = match("MESSAGE#1171:00767:26/0", "nwparser.payload", "Lock configuration %{p0}");
+
+ var part1878 = match("MESSAGE#1171:00767:26/1_0", "nwparser.p0", "started%{p0}");
+
+ var part1879 = match("MESSAGE#1171:00767:26/1_1", "nwparser.p0", "ended%{p0}");
+
+ var select422 = linear_select([
+ part1878,
+ part1879,
+ ]);
+
+ var part1880 = match("MESSAGE#1171:00767:26/2", "nwparser.p0", "%{}by task %{p0}");
+
+ var part1881 = match("MESSAGE#1171:00767:26/3_0", "nwparser.p0", "%{fld3}, with a timeout value of %{fld2}");
+
+ var part1882 = match("MESSAGE#1171:00767:26/3_1", "nwparser.p0", "%{fld2->} (%{fld1})");
+
+ var select423 = linear_select([
+ part1881,
+ part1882,
+ ]);
+
+ var all384 = all_match({
+ processors: [
+ part1877,
+ select422,
+ part1880,
+ select423,
+ ],
+ on_success: processor_chain([
+ dup50,
+ dup43,
+ dup51,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1187 = msg("00767:26", all384);
+
+ var part1883 = match("MESSAGE#1172:00767:27/0", "nwparser.payload", "Environment variable %{fld2->} changed to %{p0}");
+
+ var part1884 = match("MESSAGE#1172:00767:27/1_0", "nwparser.p0", "%{fld3->} by %{username->} (%{fld1})");
+
+ var part1885 = match_copy("MESSAGE#1172:00767:27/1_1", "nwparser.p0", "fld3");
+
+ var select424 = linear_select([
+ part1884,
+ part1885,
+ ]);
+
+ var all385 = all_match({
+ processors: [
+ part1883,
+ select424,
+ ],
+ on_success: processor_chain([
+ dup223,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1188 = msg("00767:27", all385);
+
+ var part1886 = match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was loaded from IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1189 = msg("00767:28", part1886);
+
+ var part1887 = match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1190 = msg("00767:29", part1887);
+
+ var part1888 = match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configuration was saved from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1191 = msg("00767:30", part1888);
+
+ var part1889 = match("MESSAGE#1176:00767:31/1_0", "nwparser.p0", "logged events or alarms %{p0}");
+
+ var part1890 = match("MESSAGE#1176:00767:31/1_1", "nwparser.p0", "traffic logs %{p0}");
+
+ var select425 = linear_select([
+ part1889,
+ part1890,
+ ]);
+
+ var part1891 = match("MESSAGE#1176:00767:31/2", "nwparser.p0", "were cleared by admin %{p0}");
+
+ var all386 = all_match({
+ processors: [
+ dup186,
+ select425,
+ part1891,
+ dup397,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1192 = msg("00767:31", all386);
+
+ var part1892 = match("MESSAGE#1177:00767:32/0", "nwparser.payload", "SIP parser error %{p0}");
+
+ var part1893 = match("MESSAGE#1177:00767:32/1_0", "nwparser.p0", "SIP-field%{p0}");
+
+ var part1894 = match("MESSAGE#1177:00767:32/1_1", "nwparser.p0", "Message%{p0}");
+
+ var select426 = linear_select([
+ part1893,
+ part1894,
+ ]);
+
+ var part1895 = match("MESSAGE#1177:00767:32/2", "nwparser.p0", ": %{result}(%{fld1})");
+
+ var all387 = all_match({
+ processors: [
+ part1892,
+ select426,
+ part1895,
+ ],
+ on_success: processor_chain([
+ dup27,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1193 = msg("00767:32", all387);
+
+ var part1896 = match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has started. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1194 = msg("00767:33", part1896);
+
+ var part1897 = match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not support multiple IP addresses %{hostip->} or ports %{network_port->} in SIP headers RESPONSE (%{fld1})", processor_chain([
+ dup313,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1195 = msg("00767:34", part1897);
+
+ var part1898 = match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2->} set to %{fld3->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1196 = msg("00767:35", part1898);
+
+ var part1899 = match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved from %{fld2->} by %{username->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1197 = msg("00767:36", part1899);
+
+ var part1900 = match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to download to enable advanced features. %{space->} To find out, please visit %{url->} (%{fld1})", processor_chain([
+ dup254,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1198 = msg("00767:37", part1900);
+
+ var part1901 = match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and remaining messages were sent to external destination. %{fld2->} packets were dropped. (%{fld1})", processor_chain([
+ setc("eventcategory","1602000000"),
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1199 = msg("00767:38", part1901);
+
+ var part1902 = match("MESSAGE#1184:00767:39/0", "nwparser.payload", "Cannot %{p0}");
+
+ var part1903 = match("MESSAGE#1184:00767:39/1_0", "nwparser.p0", "download %{p0}");
+
+ var part1904 = match("MESSAGE#1184:00767:39/1_1", "nwparser.p0", "parse %{p0}");
+
+ var select427 = linear_select([
+ part1903,
+ part1904,
+ ]);
+
+ var part1905 = match("MESSAGE#1184:00767:39/2", "nwparser.p0", "attack database %{p0}");
+
+ var part1906 = match("MESSAGE#1184:00767:39/3_0", "nwparser.p0", "from %{url->} (%{result}). %{p0}");
+
+ var part1907 = match("MESSAGE#1184:00767:39/3_1", "nwparser.p0", "%{fld2->} %{p0}");
+
+ var select428 = linear_select([
+ part1906,
+ part1907,
+ ]);
+
+ var all388 = all_match({
+ processors: [
+ part1902,
+ select427,
+ part1905,
+ select428,
+ dup10,
+ ],
+ on_success: processor_chain([
+ dup324,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1200 = msg("00767:39", all388);
+
+ var part1908 = match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key is %{disposition}. (%{fld1})", processor_chain([
+ dup62,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1201 = msg("00767:40", part1908);
+
+ var part1909 = match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1202 = msg("00767:42", part1909);
+
+ var part1910 = match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1203 = msg("00767:43", part1910);
+
+ var part1911 = match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind by %{fld2->} (%{fld1})", processor_chain([
+ dup44,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1204 = msg("00767:44", part1911);
+
+ var part1912 = match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{version->} is saved to flash. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1205 = msg("00767:45", part1912);
+
+ var part1913 = match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved by netscreen via %{logon_type->} by netscreen. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1206 = msg("00767:46", part1913);
+
+ var part1914 = match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs to a different group in the RADIUS server than that allowed in the device. (%{fld1})", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup9,
+ ]));
+
+ var msg1207 = msg("00767:47", part1914);
+
+ var part1915 = match("MESSAGE#1192:00767:24/0", "nwparser.payload", "System configuration saved by %{p0}");
+
+ var part1916 = match("MESSAGE#1192:00767:24/2", "nwparser.p0", "%{logon_type->} by %{fld2->} (%{fld1})");
+
+ var all389 = all_match({
+ processors: [
+ part1915,
+ dup364,
+ part1916,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var msg1208 = msg("00767:24", all389);
+
+ var part1917 = match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. (%{fld1})", processor_chain([
+ dup272,
+ dup2,
+ dup3,
+ dup9,
+ dup4,
+ dup5,
+ ]));
+
+ var msg1209 = msg("00767:48", part1917);
+
+ var part1918 = match("MESSAGE#1194:00767:49/0", "nwparser.payload", "%{fld2->} turn o%{p0}");
+
+ var part1919 = match("MESSAGE#1194:00767:49/1_0", "nwparser.p0", "n%{p0}");
+
+ var part1920 = match("MESSAGE#1194:00767:49/1_1", "nwparser.p0", "ff%{p0}");
+
+ var select429 = linear_select([
+ part1919,
+ part1920,
+ ]);
+
+ var part1921 = match("MESSAGE#1194:00767:49/2", "nwparser.p0", "%{}debug switch for %{fld3->} (%{fld1})");
+
+ var all390 = all_match({
+ processors: [
+ part1918,
+ select429,
+ part1921,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup4,
+ dup5,
+ dup9,
+ ]),
+ });
+
+ var msg1210 = msg("00767:49", all390);
+
+ var select430 = linear_select([
+ msg1158,
+ msg1159,
+ msg1160,
+ msg1161,
+ msg1162,
+ msg1163,
+ msg1164,
+ msg1165,
+ msg1166,
+ msg1167,
+ msg1168,
+ msg1169,
+ msg1170,
+ msg1171,
+ msg1172,
+ msg1173,
+ msg1174,
+ msg1175,
+ msg1176,
+ msg1177,
+ msg1178,
+ msg1179,
+ msg1180,
+ msg1181,
+ msg1182,
+ msg1183,
+ msg1184,
+ msg1185,
+ msg1186,
+ msg1187,
+ msg1188,
+ msg1189,
+ msg1190,
+ msg1191,
+ msg1192,
+ msg1193,
+ msg1194,
+ msg1195,
+ msg1196,
+ msg1197,
+ msg1198,
+ msg1199,
+ msg1200,
+ msg1201,
+ msg1202,
+ msg1203,
+ msg1204,
+ msg1205,
+ msg1206,
+ msg1207,
+ msg1208,
+ msg1209,
+ msg1210,
+ ]);
+
+ var part1922 = match("MESSAGE#1195:01269", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup277,
+ dup3,
+ dup275,
+ dup60,
+ ]));
+
+ var msg1211 = msg("01269", part1922);
+
+ var msg1212 = msg("01269:01", dup407);
+
+ var msg1213 = msg("01269:02", dup408);
+
+ var msg1214 = msg("01269:03", dup409);
+
+ var select431 = linear_select([
+ msg1211,
+ msg1212,
+ msg1213,
+ msg1214,
+ ]);
+
+ var part1923 = match("MESSAGE#1199:17852", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup276,
+ dup277,
+ dup275,
+ dup332,
+ ]));
+
+ var msg1215 = msg("17852", part1923);
+
+ var part1924 = match("MESSAGE#1200:17852:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup332,
+ dup282,
+ ]));
+
+ var msg1216 = msg("17852:01", part1924);
+
+ var part1925 = match("MESSAGE#1201:17852:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup276,
+ dup277,
+ dup61,
+ ]));
+
+ var msg1217 = msg("17852:02", part1925);
+
+ var part1926 = match("MESSAGE#1202:17852:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup332,
+ dup282,
+ ]));
+
+ var msg1218 = msg("17852:03", part1926);
+
+ var select432 = linear_select([
+ msg1215,
+ msg1216,
+ msg1217,
+ msg1218,
+ ]);
+
+ var msg1219 = msg("23184", dup410);
+
+ var part1927 = match("MESSAGE#1204:23184:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup61,
+ dup282,
+ ]));
+
+ var msg1220 = msg("23184:01", part1927);
+
+ var part1928 = match("MESSAGE#1205:23184:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup276,
+ dup277,
+ dup275,
+ dup61,
+ ]));
+
+ var msg1221 = msg("23184:02", part1928);
+
+ var part1929 = match("MESSAGE#1206:23184:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup332,
+ dup282,
+ ]));
+
+ var msg1222 = msg("23184:03", part1929);
+
+ var select433 = linear_select([
+ msg1219,
+ msg1220,
+ msg1221,
+ msg1222,
+ ]);
+
+ var msg1223 = msg("27052", dup410);
+
+ var part1930 = match("MESSAGE#1208:27052:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol}direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup61,
+ dup282,
+ ]));
+
+ var msg1224 = msg("27052:01", part1930);
+
+ var select434 = linear_select([
+ msg1223,
+ msg1224,
+ ]);
+
+ var part1931 = match("MESSAGE#1209:39568", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup277,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup276,
+ dup60,
+ ]));
+
+ var msg1225 = msg("39568", part1931);
+
+ var msg1226 = msg("39568:01", dup407);
+
+ var msg1227 = msg("39568:02", dup408);
+
+ var msg1228 = msg("39568:03", dup409);
+
+ var select435 = linear_select([
+ msg1225,
+ msg1226,
+ msg1227,
+ msg1228,
+ ]);
+
+ var chain1 = processor_chain([
+ select2,
+ msgid_select({
+ "00001": select6,
+ "00002": select29,
+ "00003": select31,
+ "00004": select33,
+ "00005": select39,
+ "00006": select40,
+ "00007": select63,
+ "00008": select66,
+ "00009": select83,
+ "00010": select86,
+ "00011": select100,
+ "00012": select101,
+ "00013": select102,
+ "00014": select104,
+ "00015": select114,
+ "00016": select115,
+ "00017": select125,
+ "00018": select138,
+ "00019": select147,
+ "00020": select150,
+ "00021": select151,
+ "00022": select163,
+ "00023": select164,
+ "00024": select170,
+ "00025": select171,
+ "00026": select176,
+ "00027": select184,
+ "00028": msg469,
+ "00029": select188,
+ "00030": select197,
+ "00031": select205,
+ "00032": select207,
+ "00033": select214,
+ "00034": select225,
+ "00035": select232,
+ "00036": select234,
+ "00037": select241,
+ "00038": msg660,
+ "00039": msg661,
+ "00040": select244,
+ "00041": select245,
+ "00042": select246,
+ "00043": msg668,
+ "00044": select248,
+ "00045": msg671,
+ "00047": msg672,
+ "00048": select257,
+ "00049": select258,
+ "00050": msg682,
+ "00051": msg683,
+ "00052": msg684,
+ "00055": select265,
+ "00056": msg696,
+ "00057": msg697,
+ "00058": msg698,
+ "00059": select272,
+ "00062": select273,
+ "00063": msg713,
+ "00064": select274,
+ "00070": select276,
+ "00071": select277,
+ "00072": select278,
+ "00073": select279,
+ "00074": msg726,
+ "00075": select280,
+ "00076": select281,
+ "00077": select282,
+ "00084": msg735,
+ "00090": msg736,
+ "00200": msg737,
+ "00201": msg738,
+ "00202": msg739,
+ "00203": msg740,
+ "00206": select285,
+ "00207": select286,
+ "00257": select291,
+ "00259": select294,
+ "00262": msg778,
+ "00263": msg779,
+ "00400": msg780,
+ "00401": msg781,
+ "00402": select296,
+ "00403": msg784,
+ "00404": msg785,
+ "00405": msg786,
+ "00406": msg787,
+ "00407": msg788,
+ "00408": msg789,
+ "00409": msg790,
+ "00410": select297,
+ "00411": msg793,
+ "00413": select298,
+ "00414": select299,
+ "00415": msg799,
+ "00423": msg800,
+ "00429": select300,
+ "00430": select301,
+ "00431": msg805,
+ "00432": msg806,
+ "00433": msg807,
+ "00434": msg808,
+ "00435": select302,
+ "00436": select303,
+ "00437": select304,
+ "00438": select305,
+ "00440": select306,
+ "00441": msg823,
+ "00442": msg824,
+ "00443": msg825,
+ "00511": select307,
+ "00513": msg841,
+ "00515": select328,
+ "00518": select331,
+ "00519": select336,
+ "00520": select339,
+ "00521": msg890,
+ "00522": msg891,
+ "00523": msg892,
+ "00524": select340,
+ "00525": select341,
+ "00526": msg912,
+ "00527": select348,
+ "00528": select354,
+ "00529": select357,
+ "00530": select358,
+ "00531": select362,
+ "00533": msg973,
+ "00534": msg974,
+ "00535": select363,
+ "00536": select365,
+ "00537": select366,
+ "00538": select372,
+ "00539": select373,
+ "00541": select375,
+ "00542": msg1062,
+ "00543": msg1063,
+ "00544": msg1064,
+ "00546": msg1065,
+ "00547": select379,
+ "00549": msg1070,
+ "00551": select381,
+ "00553": select385,
+ "00554": select391,
+ "00555": msg1117,
+ "00556": select401,
+ "00572": select402,
+ "00601": select404,
+ "00602": msg1148,
+ "00612": msg1149,
+ "00615": select403,
+ "00620": select408,
+ "00622": msg1155,
+ "00625": msg1156,
+ "00628": msg1157,
+ "00767": select430,
+ "01269": select431,
+ "17852": select432,
+ "23184": select433,
+ "27052": select434,
+ "39568": select435,
+ }),
+ ]);
+
+ var part1932 = match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}");
+
+ var part1933 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}");
+
+ var part1934 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})");
+
+ var part1935 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})");
+
+ var part1936 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1");
+
+ var part1937 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}");
+
+ var part1938 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}");
+
+ var part1939 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}");
+
+ var part1940 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}");
+
+ var part1941 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0");
+
+ var part1942 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} ");
+
+ var part1943 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", "");
+
+ var part1944 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}");
+
+ var part1945 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}");
+
+ var part1946 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}");
+
+ var part1947 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator");
+
+ var part1948 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition");
+
+ var part1949 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}");
+
+ var part1950 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})");
+
+ var part1951 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}");
+
+ var part1952 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}");
+
+ var part1953 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}");
+
+ var part1954 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}");
+
+ var part1955 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})");
+
+ var part1956 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}");
+
+ var part1957 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}");
+
+ var part1958 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}");
+
+ var part1959 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}");
+
+ var part1960 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}");
+
+ var part1961 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}");
+
+ var part1962 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}");
+
+ var part1963 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}");
+
+ var part1964 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})");
+
+ var part1965 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}");
+
+ var part1966 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}");
+
+ var part1967 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}");
+
+ var part1968 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}");
+
+ var part1969 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}");
+
+ var part1970 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}");
+
+ var part1971 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}");
+
+ var part1972 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}");
+
+ var part1973 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}");
+
+ var part1974 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}");
+
+ var part1975 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}");
+
+ var part1976 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}");
+
+ var part1977 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var part1978 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}");
+
+ var part1979 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}");
+
+ var part1980 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})");
+
+ var part1981 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}");
+
+ var part1982 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}");
+
+ var part1983 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}");
+
+ var part1984 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}");
+
+ var part1985 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}");
+
+ var part1986 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}");
+
+ var part1987 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}");
+
+ var part1988 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}");
+
+ var part1989 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}");
+
+ var part1990 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}");
+
+ var part1991 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}");
+
+ var part1992 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}");
+
+ var part1993 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}");
+
+ var part1994 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}");
+
+ var part1995 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}");
+
+ var part1996 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}");
+
+ var part1997 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}");
+
+ var part1998 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}");
+
+ var part1999 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}");
+
+ var part2000 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}");
+
+ var part2001 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}");
+
+ var part2002 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}");
+
+ var part2003 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}");
+
+ var part2004 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}");
+
+ var part2005 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}");
+
+ var part2006 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}");
+
+ var part2007 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}");
+
+ var part2008 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}");
+
+ var part2009 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}");
+
+ var part2010 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}");
+
+ var part2011 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}");
+
+ var part2012 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}");
+
+ var part2013 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}");
+
+ var part2014 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface");
+
+ var part2015 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}");
+
+ var part2016 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}");
+
+ var part2017 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}");
+
+ var part2018 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}.");
+
+ var part2019 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}");
+
+ var part2020 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}");
+
+ var part2021 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. (%{fld1})");
+
+ var part2022 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var part2023 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}");
+
+ var part2024 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}");
+
+ var part2025 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}");
+
+ var part2026 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}");
+
+ var part2027 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}");
+
+ var part2028 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}");
+
+ var part2029 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}");
+
+ var part2030 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}");
+
+ var part2031 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}");
+
+ var part2032 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}");
+
+ var part2033 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) ");
+
+ var part2034 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}");
+
+ var part2035 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}");
+
+ var part2036 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}");
+
+ var part2037 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}");
+
+ var part2038 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}");
+
+ var part2039 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}");
+
+ var part2040 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}");
+
+ var part2041 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}");
+
+ var part2042 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}");
+
+ var part2043 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}");
+
+ var part2044 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}");
+
+ var part2045 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}");
+
+ var part2046 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})");
+
+ var part2047 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}");
+
+ var part2048 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}");
+
+ var part2049 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}");
+
+ var part2050 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}");
+
+ var part2051 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}");
+
+ var part2052 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}");
+
+ var part2053 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}");
+
+ var part2054 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}");
+
+ var part2055 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}");
+
+ var part2056 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}");
+
+ var part2057 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}");
+
+ var part2058 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}");
+
+ var part2059 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}");
+
+ var part2060 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}");
+
+ var part2061 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}");
+
+ var part2062 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}");
+
+ var part2063 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}");
+
+ var part2064 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}");
+
+ var part2065 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}");
+
+ var part2066 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}");
+
+ var part2067 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}");
+
+ var part2068 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}");
+
+ var part2069 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}");
+
+ var part2070 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}");
+
+ var part2071 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}");
+
+ var part2072 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}");
+
+ var part2073 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}");
+
+ var part2074 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}");
+
+ var part2075 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}");
+
+ var part2076 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}");
+
+ var part2077 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}");
+
+ var part2078 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}");
+
+ var part2079 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}");
+
+ var part2080 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}");
+
+ var part2081 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}");
+
+ var part2082 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}");
+
+ var part2083 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}");
+
+ var part2084 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}");
+
+ var part2085 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}");
+
+ var part2086 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}");
+
+ var part2087 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}");
+
+ var part2088 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}");
+
+ var part2089 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}");
+
+ var part2090 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}");
+
+ var part2091 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}");
+
+ var part2092 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}");
+
+ var part2093 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}");
+
+ var part2094 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}");
+
+ var part2095 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}");
+
+ var part2096 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}");
+
+ var part2097 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}");
+
+ var part2098 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}");
+
+ var part2099 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})");
+
+ var part2100 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}");
+
+ var part2101 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}");
+
+ var part2102 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}");
+
+ var part2103 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}");
+
+ var part2104 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}");
+
+ var part2105 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}");
+
+ var part2106 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var part2107 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}");
+
+ var part2108 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}");
+
+ var part2109 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}");
+
+ var part2110 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}");
+
+ var part2111 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}");
+
+ var part2112 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}");
+
+ var part2113 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}");
+
+ var part2114 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}");
+
+ var part2115 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}");
+
+ var part2116 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}");
+
+ var part2117 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}");
+
+ var part2118 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}");
+
+ var part2119 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}");
+
+ var part2120 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}");
+
+ var part2121 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}");
+
+ var part2122 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}");
+
+ var part2123 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}");
+
+ var part2124 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}");
+
+ var part2125 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}");
+
+ var part2126 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}");
+
+ var part2127 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}");
+
+ var part2128 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}");
+
+ var part2129 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}");
+
+ var part2130 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}");
+
+ var part2131 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}");
+
+ var part2132 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}");
+
+ var part2133 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}");
+
+ var part2134 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}");
+
+ var part2135 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state");
+
+ var part2136 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}");
+
+ var part2137 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}");
+
+ var part2138 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}");
+
+ var part2139 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}");
+
+ var part2140 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr");
+
+ var part2141 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}");
+
+ var part2142 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}");
+
+ var part2143 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}");
+
+ var part2144 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times.");
+
+ var part2145 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.");
+
+ var part2146 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}");
+
+ var part2147 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var part2148 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}");
+
+ var part2149 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}");
+
+ var part2150 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})");
+
+ var part2151 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}");
+
+ var part2152 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}");
+
+ var part2153 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}");
+
+ var part2154 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}");
+
+ var part2155 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}");
+
+ var part2156 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}");
+
+ var part2157 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}");
+
+ var part2158 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}");
+
+ var part2159 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}");
+
+ var part2160 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}");
+
+ var part2161 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}");
+
+ var part2162 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}");
+
+ var part2163 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}");
+
+ var part2164 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}");
+
+ var part2165 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}");
+
+ var part2166 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}");
+
+ var part2167 = match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}");
+
+ var part2168 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}");
+
+ var part2169 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}");
+
+ var part2170 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}");
+
+ var part2171 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}");
+
+ var part2172 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}");
+
+ var part2173 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}");
+
+ var part2174 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}");
+
+ var part2175 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}");
+
+ var select436 = linear_select([
+ dup10,
+ dup11,
+ ]);
+
+ var part2176 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var select437 = linear_select([
+ dup13,
+ dup14,
+ ]);
+
+ var select438 = linear_select([
+ dup15,
+ dup16,
+ ]);
+
+ var select439 = linear_select([
+ dup56,
+ dup57,
+ ]);
+
+ var select440 = linear_select([
+ dup65,
+ dup66,
+ ]);
+
+ var select441 = linear_select([
+ dup68,
+ dup69,
+ ]);
+
+ var select442 = linear_select([
+ dup71,
+ dup72,
+ ]);
+
+ var part2177 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([
+ dup58,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]));
+
+ var select443 = linear_select([
+ dup74,
+ dup75,
+ ]);
+
+ var select444 = linear_select([
+ dup81,
+ dup82,
+ ]);
+
+ var select445 = linear_select([
+ dup24,
+ dup90,
+ ]);
+
+ var select446 = linear_select([
+ dup94,
+ dup95,
+ ]);
+
+ var select447 = linear_select([
+ dup98,
+ dup99,
+ ]);
+
+ var select448 = linear_select([
+ dup100,
+ dup101,
+ dup102,
+ ]);
+
+ var select449 = linear_select([
+ dup113,
+ dup114,
+ ]);
+
+ var select450 = linear_select([
+ dup111,
+ dup16,
+ ]);
+
+ var select451 = linear_select([
+ dup127,
+ dup107,
+ ]);
+
+ var select452 = linear_select([
+ dup8,
+ dup21,
+ ]);
+
+ var select453 = linear_select([
+ dup122,
+ dup133,
+ ]);
+
+ var select454 = linear_select([
+ dup142,
+ dup143,
+ ]);
+
+ var select455 = linear_select([
+ dup145,
+ dup21,
+ ]);
+
+ var select456 = linear_select([
+ dup127,
+ dup106,
+ ]);
+
+ var select457 = linear_select([
+ dup152,
+ dup96,
+ ]);
+
+ var select458 = linear_select([
+ dup154,
+ dup155,
+ ]);
+
+ var select459 = linear_select([
+ dup156,
+ dup157,
+ ]);
+
+ var select460 = linear_select([
+ dup99,
+ dup134,
+ ]);
+
+ var select461 = linear_select([
+ dup158,
+ dup159,
+ ]);
+
+ var select462 = linear_select([
+ dup161,
+ dup162,
+ ]);
+
+ var select463 = linear_select([
+ dup163,
+ dup103,
+ ]);
+
+ var select464 = linear_select([
+ dup162,
+ dup161,
+ ]);
+
+ var select465 = linear_select([
+ dup46,
+ dup47,
+ ]);
+
+ var select466 = linear_select([
+ dup166,
+ dup167,
+ ]);
+
+ var select467 = linear_select([
+ dup172,
+ dup173,
+ ]);
+
+ var select468 = linear_select([
+ dup174,
+ dup175,
+ dup176,
+ dup177,
+ dup178,
+ dup179,
+ dup180,
+ dup181,
+ dup182,
+ ]);
+
+ var select469 = linear_select([
+ dup49,
+ dup21,
+ ]);
+
+ var select470 = linear_select([
+ dup189,
+ dup190,
+ ]);
+
+ var select471 = linear_select([
+ dup96,
+ dup152,
+ ]);
+
+ var select472 = linear_select([
+ dup196,
+ dup197,
+ ]);
+
+ var select473 = linear_select([
+ dup24,
+ dup200,
+ ]);
+
+ var select474 = linear_select([
+ dup103,
+ dup163,
+ ]);
+
+ var select475 = linear_select([
+ dup205,
+ dup118,
+ ]);
+
+ var part2178 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var select476 = linear_select([
+ dup212,
+ dup213,
+ ]);
+
+ var select477 = linear_select([
+ dup215,
+ dup216,
+ ]);
+
+ var select478 = linear_select([
+ dup222,
+ dup215,
+ ]);
+
+ var select479 = linear_select([
+ dup224,
+ dup225,
+ ]);
+
+ var select480 = linear_select([
+ dup231,
+ dup124,
+ ]);
+
+ var select481 = linear_select([
+ dup229,
+ dup230,
+ ]);
+
+ var select482 = linear_select([
+ dup233,
+ dup234,
+ ]);
+
+ var select483 = linear_select([
+ dup236,
+ dup237,
+ ]);
+
+ var select484 = linear_select([
+ dup242,
+ dup243,
+ ]);
+
+ var select485 = linear_select([
+ dup245,
+ dup246,
+ ]);
+
+ var select486 = linear_select([
+ dup247,
+ dup248,
+ ]);
+
+ var select487 = linear_select([
+ dup249,
+ dup250,
+ ]);
+
+ var select488 = linear_select([
+ dup251,
+ dup252,
+ ]);
+
+ var select489 = linear_select([
+ dup260,
+ dup261,
+ ]);
+
+ var select490 = linear_select([
+ dup264,
+ dup265,
+ ]);
+
+ var select491 = linear_select([
+ dup268,
+ dup269,
+ ]);
+
+ var part2179 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]));
+
+ var select492 = linear_select([
+ dup284,
+ dup285,
+ ]);
+
+ var select493 = linear_select([
+ dup287,
+ dup288,
+ ]);
+
+ var part2180 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup4,
+ dup5,
+ dup3,
+ dup60,
+ ]));
+
+ var part2181 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
+ dup58,
+ dup4,
+ dup59,
+ dup5,
+ dup9,
+ dup2,
+ dup3,
+ dup60,
+ ]));
+
+ var select494 = linear_select([
+ dup300,
+ dup26,
+ ]);
+
+ var select495 = linear_select([
+ dup115,
+ dup303,
+ ]);
+
+ var select496 = linear_select([
+ dup125,
+ dup96,
+ ]);
+
+ var select497 = linear_select([
+ dup189,
+ dup308,
+ dup309,
+ ]);
+
+ var select498 = linear_select([
+ dup310,
+ dup16,
+ ]);
+
+ var select499 = linear_select([
+ dup317,
+ dup318,
+ ]);
+
+ var select500 = linear_select([
+ dup319,
+ dup315,
+ ]);
+
+ var select501 = linear_select([
+ dup322,
+ dup250,
+ ]);
+
+ var select502 = linear_select([
+ dup327,
+ dup329,
+ ]);
+
+ var select503 = linear_select([
+ dup330,
+ dup129,
+ ]);
+
+ var part2182 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup60,
+ dup282,
+ ]));
+
+ var part2183 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup276,
+ dup277,
+ dup60,
+ ]));
+
+ var part2184 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([
+ dup281,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup60,
+ dup282,
+ ]));
+
+ var part2185 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([
+ dup185,
+ dup2,
+ dup4,
+ dup5,
+ dup274,
+ dup3,
+ dup275,
+ dup276,
+ dup277,
+ dup61,
+ ]));
+
+ var all391 = all_match({
+ processors: [
+ dup263,
+ dup390,
+ dup266,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var all392 = all_match({
+ processors: [
+ dup267,
+ dup391,
+ dup270,
+ ],
+ on_success: processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ dup5,
+ ]),
+ });
+
+ var all393 = all_match({
+ processors: [
+ dup80,
+ dup343,
+ dup293,
+ ],
+ on_success: processor_chain([
+ dup58,
+ dup2,
+ dup59,
+ dup3,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var all394 = all_match({
+ processors: [
+ dup296,
+ dup343,
+ dup131,
+ ],
+ on_success: processor_chain([
+ dup297,
+ dup2,
+ dup3,
+ dup9,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+ var all395 = all_match({
+ processors: [
+ dup298,
+ dup343,
+ dup131,
+ ],
+ on_success: processor_chain([
+ dup297,
+ dup2,
+ dup3,
+ dup9,
+ dup59,
+ dup4,
+ dup5,
+ dup61,
+ ]),
+ });
+
+- community_id:
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: dns.question.name
+ target_field: dns.question.registered_domain
+ target_subdomain_field: dns.question.subdomain
+ target_etld_field: dns.question.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: client.domain
+ target_field: client.registered_domain
+ target_subdomain_field: client.subdomain
+ target_etld_field: client.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: server.domain
+ target_field: server.registered_domain
+ target_subdomain_field: server.subdomain
+ target_etld_field: server.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/juniper_netscreen/0.3.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/juniper_netscreen/0.3.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..f14a2cebc8
--- /dev/null
+++ b/packages/juniper_netscreen/0.3.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,68 @@
+---
+description: Pipeline for Netscreen
+
+processors:
+ - set:
+ field: ecs.version
+ value: '8.3.0'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx.host?.name != null && ctx.host?.name != ''
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
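Review bot: The `on_failure` handler at the end of this hunk only appends the failure message to `error.message`, so a document whose processors aborted is indexed looking like a normally parsed event and is only discoverable by searching that field. Setting the ECS event classification in the same handler makes failed documents easy to isolate and to exclude from detection logic, e.g. prepend `- set:` / `field: event.kind` / `value: pipeline_error` before the existing `append` step. Separately, the two `geoip` lookups on `source.ip` and `destination.ip` carry `ignore_missing` but not `ignore_failure`; if an upstream parser ever places a non-IP value in those fields, the lookup failure would presumably route the whole event into this `on_failure` path rather than just skipping enrichment, which is worth confirming against the parser's output.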
diff --git a/packages/juniper_netscreen/0.3.1/data_stream/log/fields/agent.yml b/packages/juniper_netscreen/0.3.1/data_stream/log/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/juniper_netscreen/0.3.1/data_stream/log/fields/agent.yml
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
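Review bot: `example: 666777888999` under `cloud.account.id` is an unquoted all-digit scalar on a keyword field, so YAML tooling reads it as an integer rather than the string the field actually holds; quote it as `example: "666777888999"`, as the later `example: "18D109"` already does. The `description: >` blocks for `containerized`, `os.build` and `os.codename` keep a trailing newline in the value (folded clip mode), unlike the plain one-line descriptions used for every other field in this file; `>-` or a plain scalar would make them consistent. Neither affects the mapping, so this is style only.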
diff --git a/packages/juniper_netscreen/0.3.1/data_stream/log/fields/base-fields.yml b/packages/juniper_netscreen/0.3.1/data_stream/log/fields/base-fields.yml
new file mode 100755
index 0000000000..82882053b6
--- /dev/null
+++ b/packages/juniper_netscreen/0.3.1/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,46 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: juniper_netscreen
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: juniper_netscreen.log
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: container.id
+ description: Unique container id.
+ ignore_above: 1024
+ type: keyword
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: log.file.path
+ description: Full path to the log file this event came from.
+ example: /var/log/fun-times.log
+ ignore_above: 1024
+ type: keyword
+- name: log.source.address
+ description: Source address from which the log event was read / sent from.
+ type: keyword
+- name: log.flags
+ description: Flags for the log file.
+ type: keyword
+- name: log.offset
+ description: Offset of the entry in the log file.
+ type: long
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
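Review bot: `container.id` and `tags` are declared here and again in the same data stream's other fields files (`container.id` under the `container` group in agent.yml, `tags` in ecs.yml), so each mapping comes from two places that must be kept in agreement. The copies agree on type but not on every attribute — the ecs.yml `tags` entry carries no `ignore_above` — so whichever definition the package tooling applies last silently wins. If the validator tolerates the duplication, a comment such as `# also declared in agent.yml / ecs.yml; keep attributes in sync` would at least flag the coupling; dropping one copy of each would be cleaner.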
diff --git a/packages/juniper_netscreen/0.3.1/data_stream/log/fields/ecs.yml b/packages/juniper_netscreen/0.3.1/data_stream/log/fields/ecs.yml
new file mode 100755
index 0000000000..1ed22e435e
--- /dev/null
+++ b/packages/juniper_netscreen/0.3.1/data_stream/log/fields/ecs.yml
@@ -0,0 +1,544 @@
+- description: |-
+ Date/time when the event originated.
+ This is the date/time extracted from the event, typically representing when the event was generated by the source.
+ If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
+ Required field for all events.
+ name: '@timestamp'
+ type: date
+- description: |-
+ The domain name of the client system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: client.domain
+ type: keyword
+- description: |-
+ The highest registered client domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: client.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: client.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: client.top_level_domain
+ type: keyword
+- description: |-
+ Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: destination.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: destination.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.as.organization.name
+ type: keyword
+- description: Bytes sent from the destination to the source.
+ name: destination.bytes
+ type: long
+- description: |-
+ The domain name of the destination system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: destination.domain
+ type: keyword
+- description: City name.
+ name: destination.geo.city_name
+ type: keyword
+- description: Country name.
+ name: destination.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: destination.geo.location
+ type: geo_point
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: |-
+ MAC address of the destination.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: destination.mac
+ pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
+ type: keyword
+- description: |-
+ Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.ip
+ type: ip
+- description: |-
+ Port the source session is translated to by NAT Device.
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.port
+ type: long
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: |-
+ The highest registered destination domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: destination.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: destination.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: destination.top_level_domain
+ type: keyword
+- description: |-
+ The domain name to which this resource record pertains.
+ If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
+ name: dns.answers.name
+ type: keyword
+- description: The type of data contained in this resource record.
+ name: dns.answers.type
+ type: keyword
+- description: |-
+ The highest registered domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: dns.question.registered_domain
+ type: keyword
+- description: |-
+ The subdomain is all of the labels under the registered_domain.
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: dns.question.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: dns.question.top_level_domain
+ type: keyword
+- description: The type of record being queried.
+ name: dns.question.type
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ Identification code for this event, if one exists.
+ Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+ name: event.code
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
+ Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+ name: event.timezone
+ type: keyword
+- description: |-
+ Array of file attributes.
+ Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+ name: file.attributes
+ type: keyword
+- description: Directory where the file is located. It should include the drive letter, when appropriate.
+ name: file.directory
+ type: keyword
+- description: |-
+ File extension, excluding the leading dot.
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: file.extension
+ type: keyword
+- description: Name of the file including the extension, without the directory.
+ name: file.name
+ type: keyword
+- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.path
+ type: keyword
+- description: |-
+ File size in bytes.
+ Only relevant when `file.type` is "file".
+ name: file.size
+ type: long
+- description: File type (file, dir, or symlink).
+ name: file.type
+ type: keyword
+- description: City name.
+ name: geo.city_name
+ type: keyword
+- description: Country name.
+ name: geo.country_name
+ type: keyword
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: geo.name
+ type: keyword
+- description: Region name.
+ name: geo.region_name
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: group.id
+ type: keyword
+- description: Name of the group.
+ name: group.name
+ type: keyword
+- description: |-
+ Hostname of the host.
+ It normally contains what the `hostname` command returns on the host machine.
+ name: host.hostname
+ type: keyword
+- description: Host ip addresses.
+ name: host.ip
+ type: ip
+- description: |-
+ Host MAC addresses.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: host.mac
+ pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
+ type: keyword
+- description: |-
+ Name of the host.
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+ name: host.name
+ type: keyword
+- description: |-
+ HTTP request method.
+ The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
+ name: http.request.method
+ type: keyword
+- description: Referrer for this HTTP request.
+ name: http.request.referrer
+ type: keyword
+- description: |-
+ Original log level of the log event.
+ If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
+ Some examples are `warn`, `err`, `i`, `informational`.
+ name: log.level
+ type: keyword
+- description: |-
+ The Syslog numeric facility of the log event, if available.
+ According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
+ name: log.syslog.facility.code
+ type: long
+- description: |-
+ Syslog numeric priority of the event, if available.
+ According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
+ name: log.syslog.priority
+ type: long
+- description: |-
+ The Syslog numeric severity of the log event, if available.
+ If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
+ name: log.syslog.severity.code
+ type: long
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
+ For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
+ The field value must be normalized to lowercase for querying.
+ name: network.application
+ type: keyword
+- description: |-
+ Total bytes transferred in both directions.
+ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+ name: network.bytes
+ type: long
+- description: |-
+ Direction of the network traffic.
+ Recommended values are:
+ * ingress
+ * egress
+ * inbound
+ * outbound
+ * internal
+ * external
+ * unknown
+
+ When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+ name: network.direction
+ type: keyword
+- description: Host IP address when the source IP address is the proxy.
+ name: network.forwarded_ip
+ type: ip
+- description: |-
+ Total packets transferred in both directions.
+ If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+ name: network.packets
+ type: long
+- description: |-
+ In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
+ The field value must be normalized to lowercase for querying.
+ name: network.protocol
+ type: keyword
+- description: Interface name as reported by the system.
+ name: observer.egress.interface.name
+ type: keyword
+- description: Interface name as reported by the system.
+ name: observer.ingress.interface.name
+ type: keyword
+- description: The product name of the observer.
+ name: observer.product
+ type: keyword
+- description: |-
+ The type of the observer the data is coming from.
+ There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+ name: observer.type
+ type: keyword
+- description: Vendor name of the observer.
+ name: observer.vendor
+ type: keyword
+- description: Observer version.
+ name: observer.version
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.name
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.name
+ type: keyword
+- description: |-
+ Process title.
+ The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.title
+ type: keyword
+- description: Process id.
+ name: process.pid
+ type: long
+- description: Process id.
+ name: process.parent.pid
+ type: long
+- description: |-
+ Process title.
+ The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.title
+ type: keyword
+- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+ name: related.hosts
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: The name of the rule or signature generating the event.
+ name: rule.name
+ type: keyword
+- description: |-
+ The domain name of the server system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: server.domain
+ type: keyword
+- description: |-
+ The highest registered server domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: server.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: server.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: server.top_level_domain
+ type: keyword
+- description: |-
+ Name of the service data is collected from.
+ The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
+ In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+ name: service.name
+ type: keyword
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: |-
+ The domain name of the source system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: source.domain
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: |-
+ MAC address of the source.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: source.mac
+ pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
+ type: keyword
+- description: |-
+ Translated ip of source based NAT sessions (e.g. internal client to internet)
+ Typically connections traversing load balancers, firewalls, or routers.
+ name: source.nat.ip
+ type: ip
+- description: |-
+ Translated port of source based NAT sessions. (e.g. internal client to internet)
+ Typically used with load balancers, firewalls, or routers.
+ name: source.nat.port
+ type: long
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: |-
+ The highest registered source domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: source.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: source.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: source.top_level_domain
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Domain of the url, such as "www.elastic.co".
+ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+ name: url.domain
+ type: keyword
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: Path of the request, such as "/search".
+ name: url.path
+ type: wildcard
+- description: |-
+ The query field describes the query string of the request, such as "q=elasticsearch".
+ The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+ name: url.query
+ type: keyword
+- description: |-
+ The highest registered url domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: url.registered_domain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: url.top_level_domain
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.domain
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.full_name
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
diff --git a/packages/juniper_netscreen/0.3.1/data_stream/log/fields/fields.yml b/packages/juniper_netscreen/0.3.1/data_stream/log/fields/fields.yml
new file mode 100755
index 0000000000..ea69cd79e3
--- /dev/null
+++ b/packages/juniper_netscreen/0.3.1/data_stream/log/fields/fields.yml
@@ -0,0 +1,1754 @@
+- name: rsa
+ type: group
+ fields:
+ - name: internal
+ type: group
+ fields:
+ - name: msg
+ type: keyword
+ description: This key is used to capture the raw message that comes into the Log Decoder
+ - name: messageid
+ type: keyword
+ - name: event_desc
+ type: keyword
+ - name: message
+ type: keyword
+ description: This key captures the contents of instant messages
+ - name: time
+ type: date
+ description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
+ - name: level
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: msg_id
+ type: keyword
+ description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: msg_vid
+ type: keyword
+ description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: data
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_server
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_val
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: resource
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_id
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: statement
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: audit_class
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: entry
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: hcode
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: inode
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: resource_class
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: dead
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: feed_desc
+ type: keyword
+ description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: feed_name
+ type: keyword
+ description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: cid
+ type: keyword
+ description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_class
+ type: keyword
+ description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_group
+ type: keyword
+ description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_host
+ type: keyword
+ description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_ip
+ type: ip
+ description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_ipv6
+ type: ip
+ description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_type
+ type: keyword
+ description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_type_id
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: did
+ type: keyword
+ description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: entropy_req
+ type: long
+ description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
+ - name: entropy_res
+ type: long
+ description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
+ - name: event_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: feed_category
+ type: keyword
+ description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: forward_ip
+ type: ip
+ description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
+ - name: forward_ipv6
+ type: ip
+ description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: header_id
+ type: keyword
+ description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: lc_cid
+ type: keyword
+ description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: lc_ctime
+ type: date
+ description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: mcb_req
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
+ - name: mcb_res
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
+ - name: mcbc_req
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
+ - name: mcbc_res
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
+ - name: medium
+ type: long
+ description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session"
+ - name: node_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: nwe_callback_id
+ type: keyword
+ description: This key denotes that event is endpoint related
+ - name: parse_error
+ type: keyword
+ description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: payload_req
+ type: long
+ description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
+ - name: payload_res
+ type: long
+ description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
+ - name: process_vid_dst
+ type: keyword
+ description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.
+ - name: process_vid_src
+ type: keyword
+ description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.
+ - name: rid
+ type: long
+ description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: session_split
+ type: keyword
+ description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: site
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: size
+ type: long
+ description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: sourcefile
+ type: keyword
+ description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: ubc_req
+ type: long
+ description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
+ - name: ubc_res
+ type: long
+ description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
+ - name: word
+ type: keyword
+ description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log
+ - name: time
+ type: group
+ fields:
+ - name: event_time
+ type: date
+ description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form
+ - name: duration_time
+ type: double
+ description: This key is used to capture the normalized duration/lifetime in seconds.
+ - name: event_time_str
+ type: keyword
+ description: This key is used to capture the incomplete time mentioned in a session as a string
+ - name: starttime
+ type: date
+ description: This key is used to capture the Start time mentioned in a session in a standard form
+ - name: month
+ type: keyword
+ - name: day
+ type: keyword
+ - name: endtime
+ type: date
+ description: This key is used to capture the End time mentioned in a session in a standard form
+ - name: timezone
+ type: keyword
+ description: This key is used to capture the timezone of the Event Time
+ - name: duration_str
+ type: keyword
+ description: A text string version of the duration
+ - name: date
+ type: keyword
+ - name: year
+ type: keyword
+ - name: recorded_time
+ type: date
+ description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format.
+ - name: datetime
+ type: keyword
+ - name: effective_time
+ type: date
+ description: This key is the effective time referenced by an individual event in a Standard Timestamp format
+ - name: expire_time
+ type: date
+ description: This key is the timestamp that explicitly refers to an expiration.
+ - name: process_time
+ type: keyword
+ description: Deprecated, use duration.time
+ - name: hour
+ type: keyword
+ - name: min
+ type: keyword
+ - name: timestamp
+ type: keyword
+ - name: event_queue_time
+ type: date
+ description: This key is the Time that the event was queued.
+ - name: p_time1
+ type: keyword
+ - name: tzone
+ type: keyword
+ - name: eventtime
+ type: keyword
+ - name: gmtdate
+ type: keyword
+ - name: gmttime
+ type: keyword
+ - name: p_date
+ type: keyword
+ - name: p_month
+ type: keyword
+ - name: p_time
+ type: keyword
+ - name: p_time2
+ type: keyword
+ - name: p_year
+ type: keyword
+ - name: expire_time_str
+ type: keyword
+ description: This key is used to capture incomplete timestamp that explicitly refers to an expiration.
+ - name: stamp
+ type: date
+ description: Deprecated key defined only in table map.
+ - name: misc
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ - name: result
+ type: keyword
+ description: This key is used to capture the outcome/result string value of an action in a session.
+ - name: severity
+ type: keyword
+ description: This key is used to capture the severity given the session
+ - name: event_type
+ type: keyword
+ description: This key captures the event category type as specified by the event source.
+ - name: reference_id
+ type: keyword
+ description: This key is used to capture an event id from the session directly
+ - name: version
+ type: keyword
+ description: This key captures Version of the application or OS which is generating the event.
+ - name: disposition
+ type: keyword
+ description: This key captures the The end state of an action.
+ - name: result_code
+ type: keyword
+ description: This key is used to capture the outcome/result numeric value of an action in a session
+ - name: category
+ type: keyword
+ description: This key is used to capture the category of an event given by the vendor in the session
+ - name: obj_name
+ type: keyword
+ description: This is used to capture name of object
+ - name: obj_type
+ type: keyword
+ description: This is used to capture type of object
+ - name: event_source
+ type: keyword
+ description: "This key captures Source of the event that’s not a hostname"
+ - name: log_session_id
+ type: keyword
+ description: This key is used to capture a sessionid from the session directly
+ - name: group
+ type: keyword
+ description: This key captures the Group Name value
+ - name: policy_name
+ type: keyword
+ description: This key is used to capture the Policy Name only.
+ - name: rule_name
+ type: keyword
+ description: This key captures the Rule Name
+ - name: context
+ type: keyword
+ description: This key captures Information which adds additional context to the event.
+ - name: change_new
+ type: keyword
+ description: "This key is used to capture the new values of the attribute that’s changing in a session"
+ - name: space
+ type: keyword
+ - name: client
+ type: keyword
+ description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
+ - name: msgIdPart1
+ type: keyword
+ - name: msgIdPart2
+ type: keyword
+ - name: change_old
+ type: keyword
+ description: "This key is used to capture the old value of the attribute that’s changing in a session"
+ - name: operation_id
+ type: keyword
+ description: An alert number or operation number. The values should be unique and non-repeating.
+ - name: event_state
+ type: keyword
+ description: This key captures the current state of the object/item referenced within the event. Describing an on-going event.
+ - name: group_object
+ type: keyword
+ description: This key captures a collection/grouping of entities. Specific usage
+ - name: node
+ type: keyword
+ description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
+ - name: rule
+ type: keyword
+ description: This key captures the Rule number
+ - name: device_name
+ type: keyword
+ description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc'
+ - name: param
+ type: keyword
+ description: This key is the parameters passed as part of a command or application, etc.
+ - name: change_attrib
+ type: keyword
+ description: "This key is used to capture the name of the attribute that’s changing in a session"
+ - name: event_computer
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
+ - name: reference_id1
+ type: keyword
+ description: This key is for Linked ID to be used as an addition to "reference.id"
+ - name: event_log
+ type: keyword
+ description: This key captures the Name of the event log
+ - name: OS
+ type: keyword
+ description: This key captures the Name of the Operating System
+ - name: terminal
+ type: keyword
+ description: This key captures the Terminal Names only
+ - name: msgIdPart3
+ type: keyword
+ - name: filter
+ type: keyword
+ description: This key captures Filter used to reduce result set
+ - name: serial_number
+ type: keyword
+ description: This key is the Serial number associated with a physical asset.
+ - name: checksum
+ type: keyword
+ description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
+ - name: event_user
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
+ - name: virusname
+ type: keyword
+ description: This key captures the name of the virus
+ - name: content_type
+ type: keyword
+ description: This key is used to capture Content Type only.
+ - name: group_id
+ type: keyword
+ description: This key captures Group ID Number (related to the group name)
+ - name: policy_id
+ type: keyword
+ description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
+ - name: vsys
+ type: keyword
+ description: This key captures Virtual System Name
+ - name: connection_id
+ type: keyword
+ description: This key captures the Connection ID
+ - name: reference_id2
+ type: keyword
+ description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
+ - name: sensor
+ type: keyword
+ description: This key captures Name of the sensor. Typically used in IDS/IPS based devices
+ - name: sig_id
+ type: long
+ description: This key captures IDS/IPS Int Signature ID
+ - name: port_name
+ type: keyword
+ description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).'
+ - name: rule_group
+ type: keyword
+ description: This key captures the Rule group name
+ - name: risk_num
+ type: double
+ description: This key captures a Numeric Risk value
+ - name: trigger_val
+ type: keyword
+ description: This key captures the Value of the trigger or threshold condition.
+ - name: log_session_id1
+ type: keyword
+ description: This key is used to capture a Linked (Related) Session ID from the session directly
+ - name: comp_version
+ type: keyword
+ description: This key captures the Version level of a sub-component of a product.
+ - name: content_version
+ type: keyword
+ description: This key captures Version level of a signature or database content.
+ - name: hardware_id
+ type: keyword
+ description: This key is used to capture unique identifier for a device or system (NOT a Mac address)
+ - name: risk
+ type: keyword
+ description: This key captures the non-numeric risk value
+ - name: event_id
+ type: keyword
+ - name: reason
+ type: keyword
+ - name: status
+ type: keyword
+ - name: mail_id
+ type: keyword
+ description: This key is used to capture the mailbox id/name
+ - name: rule_uid
+ type: keyword
+ description: This key is the Unique Identifier for a rule.
+ - name: trigger_desc
+ type: keyword
+ description: This key captures the Description of the trigger or threshold condition.
+ - name: inout
+ type: keyword
+ - name: p_msgid
+ type: keyword
+ - name: data_type
+ type: keyword
+ - name: msgIdPart4
+ type: keyword
+ - name: error
+ type: keyword
+ description: This key captures All non successful Error codes or responses
+ - name: index
+ type: keyword
+ - name: listnum
+ type: keyword
+ description: This key is used to capture listname or listnumber, primarily for collecting access-list
+ - name: ntype
+ type: keyword
+ - name: observed_val
+ type: keyword
+ description: This key captures the Value observed (from the perspective of the device generating the log).
+ - name: policy_value
+ type: keyword
+ description: This key captures the contents of the policy. This contains details about the policy
+ - name: pool_name
+ type: keyword
+ description: This key captures the name of a resource pool
+ - name: rule_template
+ type: keyword
+ description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template
+ - name: count
+ type: keyword
+ - name: number
+ type: keyword
+ - name: sigcat
+ type: keyword
+ - name: type
+ type: keyword
+ - name: comments
+ type: keyword
+ description: Comment information provided in the log message
+ - name: doc_number
+ type: long
+ description: This key captures File Identification number
+ - name: expected_val
+ type: keyword
+ description: This key captures the Value expected (from the perspective of the device generating the log).
+ - name: job_num
+ type: keyword
+ description: This key captures the Job Number
+ - name: spi_dst
+ type: keyword
+ description: Destination SPI Index
+ - name: spi_src
+ type: keyword
+ description: Source SPI Index
+ - name: code
+ type: keyword
+ - name: agent_id
+ type: keyword
+ description: This key is used to capture agent id
+ - name: message_body
+ type: keyword
+ description: This key captures the The contents of the message body.
+ - name: phone
+ type: keyword
+ - name: sig_id_str
+ type: keyword
+ description: This key captures a string object of the sigid variable.
+ - name: cmd
+ type: keyword
+ - name: misc
+ type: keyword
+ - name: name
+ type: keyword
+ - name: cpu
+ type: long
+ description: This key is the CPU time used in the execution of the event being recorded.
+ - name: event_desc
+ type: keyword
+ description: This key is used to capture a description of an event available directly or inferred
+ - name: sig_id1
+ type: long
+ description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id
+ - name: im_buddyid
+ type: keyword
+ - name: im_client
+ type: keyword
+ - name: im_userid
+ type: keyword
+ - name: pid
+ type: keyword
+ - name: priority
+ type: keyword
+ - name: context_subject
+ type: keyword
+ description: This key is to be used in an audit context where the subject is the object being identified
+ - name: context_target
+ type: keyword
+ - name: cve
+ type: keyword
+ description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
+ - name: fcatnum
+ type: keyword
+ description: This key captures Filter Category Number. Legacy Usage
+ - name: library
+ type: keyword
+ description: This key is used to capture library information in mainframe devices
+ - name: parent_node
+ type: keyword
+ description: This key captures the Parent Node Name. Must be related to node variable.
+ - name: risk_info
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: tcp_flags
+ type: long
+ description: This key is captures the TCP flags set in any packet of session
+ - name: tos
+ type: long
+ description: This key describes the type of service
+ - name: vm_target
+ type: keyword
+ description: VMWare Target **VMWARE** only varaible.
+ - name: workspace
+ type: keyword
+ description: This key captures Workspace Description
+ - name: command
+ type: keyword
+ - name: event_category
+ type: keyword
+ - name: facilityname
+ type: keyword
+ - name: forensic_info
+ type: keyword
+ - name: jobname
+ type: keyword
+ - name: mode
+ type: keyword
+ - name: policy
+ type: keyword
+ - name: policy_waiver
+ type: keyword
+ - name: second
+ type: keyword
+ - name: space1
+ type: keyword
+ - name: subcategory
+ type: keyword
+ - name: tbdstr2
+ type: keyword
+ - name: alert_id
+ type: keyword
+ description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: checksum_dst
+ type: keyword
+ description: This key is used to capture the checksum or hash of the the target entity such as a process or file.
+ - name: checksum_src
+ type: keyword
+ description: This key is used to capture the checksum or hash of the source entity such as a file or process.
+ - name: fresult
+ type: long
+ description: This key captures the Filter Result
+ - name: payload_dst
+ type: keyword
+ description: This key is used to capture destination payload
+ - name: payload_src
+ type: keyword
+ description: This key is used to capture source payload
+ - name: pool_id
+ type: keyword
+ description: This key captures the identifier (typically numeric field) of a resource pool
+ - name: process_id_val
+ type: keyword
+ description: This key is a failure key for Process ID when it is not an integer value
+ - name: risk_num_comm
+ type: double
+ description: This key captures Risk Number Community
+ - name: risk_num_next
+ type: double
+ description: This key captures Risk Number NextGen
+ - name: risk_num_sand
+ type: double
+ description: This key captures Risk Number SandBox
+ - name: risk_num_static
+ type: double
+ description: This key captures Risk Number Static
+ - name: risk_suspicious
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: risk_warning
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: snmp_oid
+ type: keyword
+ description: SNMP Object Identifier
+ - name: sql
+ type: keyword
+ description: This key captures the SQL query
+ - name: vuln_ref
+ type: keyword
+ description: This key captures the Vulnerability Reference details
+ - name: acl_id
+ type: keyword
+ - name: acl_op
+ type: keyword
+ - name: acl_pos
+ type: keyword
+ - name: acl_table
+ type: keyword
+ - name: admin
+ type: keyword
+ - name: alarm_id
+ type: keyword
+ - name: alarmname
+ type: keyword
+ - name: app_id
+ type: keyword
+ - name: audit
+ type: keyword
+ - name: audit_object
+ type: keyword
+ - name: auditdata
+ type: keyword
+ - name: benchmark
+ type: keyword
+ - name: bypass
+ type: keyword
+ - name: cache
+ type: keyword
+ - name: cache_hit
+ type: keyword
+ - name: cefversion
+ type: keyword
+ - name: cfg_attr
+ type: keyword
+ - name: cfg_obj
+ type: keyword
+ - name: cfg_path
+ type: keyword
+ - name: changes
+ type: keyword
+ - name: client_ip
+ type: keyword
+ - name: clustermembers
+ type: keyword
+ - name: cn_acttimeout
+ type: keyword
+ - name: cn_asn_src
+ type: keyword
+ - name: cn_bgpv4nxthop
+ type: keyword
+ - name: cn_ctr_dst_code
+ type: keyword
+ - name: cn_dst_tos
+ type: keyword
+ - name: cn_dst_vlan
+ type: keyword
+ - name: cn_engine_id
+ type: keyword
+ - name: cn_engine_type
+ type: keyword
+ - name: cn_f_switch
+ type: keyword
+ - name: cn_flowsampid
+ type: keyword
+ - name: cn_flowsampintv
+ type: keyword
+ - name: cn_flowsampmode
+ type: keyword
+ - name: cn_inacttimeout
+ type: keyword
+ - name: cn_inpermbyts
+ type: keyword
+ - name: cn_inpermpckts
+ type: keyword
+ - name: cn_invalid
+ type: keyword
+ - name: cn_ip_proto_ver
+ type: keyword
+ - name: cn_ipv4_ident
+ type: keyword
+ - name: cn_l_switch
+ type: keyword
+ - name: cn_log_did
+ type: keyword
+ - name: cn_log_rid
+ type: keyword
+ - name: cn_max_ttl
+ type: keyword
+ - name: cn_maxpcktlen
+ type: keyword
+ - name: cn_min_ttl
+ type: keyword
+ - name: cn_minpcktlen
+ type: keyword
+ - name: cn_mpls_lbl_1
+ type: keyword
+ - name: cn_mpls_lbl_10
+ type: keyword
+ - name: cn_mpls_lbl_2
+ type: keyword
+ - name: cn_mpls_lbl_3
+ type: keyword
+ - name: cn_mpls_lbl_4
+ type: keyword
+ - name: cn_mpls_lbl_5
+ type: keyword
+ - name: cn_mpls_lbl_6
+ type: keyword
+ - name: cn_mpls_lbl_7
+ type: keyword
+ - name: cn_mpls_lbl_8
+ type: keyword
+ - name: cn_mpls_lbl_9
+ type: keyword
+ - name: cn_mplstoplabel
+ type: keyword
+ - name: cn_mplstoplabip
+ type: keyword
+ - name: cn_mul_dst_byt
+ type: keyword
+ - name: cn_mul_dst_pks
+ type: keyword
+ - name: cn_muligmptype
+ type: keyword
+ - name: cn_sampalgo
+ type: keyword
+ - name: cn_sampint
+ type: keyword
+ - name: cn_seqctr
+ type: keyword
+ - name: cn_spackets
+ type: keyword
+ - name: cn_src_tos
+ type: keyword
+ - name: cn_src_vlan
+ type: keyword
+ - name: cn_sysuptime
+ type: keyword
+ - name: cn_template_id
+ type: keyword
+ - name: cn_totbytsexp
+ type: keyword
+ - name: cn_totflowexp
+ type: keyword
+ - name: cn_totpcktsexp
+ type: keyword
+ - name: cn_unixnanosecs
+ type: keyword
+ - name: cn_v6flowlabel
+ type: keyword
+ - name: cn_v6optheaders
+ type: keyword
+ - name: comp_class
+ type: keyword
+ - name: comp_name
+ type: keyword
+ - name: comp_rbytes
+ type: keyword
+ - name: comp_sbytes
+ type: keyword
+ - name: cpu_data
+ type: keyword
+ - name: criticality
+ type: keyword
+ - name: cs_agency_dst
+ type: keyword
+ - name: cs_analyzedby
+ type: keyword
+ - name: cs_av_other
+ type: keyword
+ - name: cs_av_primary
+ type: keyword
+ - name: cs_av_secondary
+ type: keyword
+ - name: cs_bgpv6nxthop
+ type: keyword
+ - name: cs_bit9status
+ type: keyword
+ - name: cs_context
+ type: keyword
+ - name: cs_control
+ type: keyword
+ - name: cs_data
+ type: keyword
+ - name: cs_datecret
+ type: keyword
+ - name: cs_dst_tld
+ type: keyword
+ - name: cs_eth_dst_ven
+ type: keyword
+ - name: cs_eth_src_ven
+ type: keyword
+ - name: cs_event_uuid
+ type: keyword
+ - name: cs_filetype
+ type: keyword
+ - name: cs_fld
+ type: keyword
+ - name: cs_if_desc
+ type: keyword
+ - name: cs_if_name
+ type: keyword
+ - name: cs_ip_next_hop
+ type: keyword
+ - name: cs_ipv4dstpre
+ type: keyword
+ - name: cs_ipv4srcpre
+ type: keyword
+ - name: cs_lifetime
+ type: keyword
+ - name: cs_log_medium
+ type: keyword
+ - name: cs_loginname
+ type: keyword
+ - name: cs_modulescore
+ type: keyword
+ - name: cs_modulesign
+ type: keyword
+ - name: cs_opswatresult
+ type: keyword
+ - name: cs_payload
+ type: keyword
+ - name: cs_registrant
+ type: keyword
+ - name: cs_registrar
+ type: keyword
+ - name: cs_represult
+ type: keyword
+ - name: cs_rpayload
+ type: keyword
+ - name: cs_sampler_name
+ type: keyword
+ - name: cs_sourcemodule
+ type: keyword
+ - name: cs_streams
+ type: keyword
+ - name: cs_targetmodule
+ type: keyword
+ - name: cs_v6nxthop
+ type: keyword
+ - name: cs_whois_server
+ type: keyword
+ - name: cs_yararesult
+ type: keyword
+ - name: description
+ type: keyword
+ - name: devvendor
+ type: keyword
+ - name: distance
+ type: keyword
+ - name: dstburb
+ type: keyword
+ - name: edomain
+ type: keyword
+ - name: edomaub
+ type: keyword
+ - name: euid
+ type: keyword
+ - name: facility
+ type: keyword
+ - name: finterface
+ type: keyword
+ - name: flags
+ type: keyword
+ - name: gaddr
+ type: keyword
+ - name: id3
+ type: keyword
+ - name: im_buddyname
+ type: keyword
+ - name: im_croomid
+ type: keyword
+ - name: im_croomtype
+ type: keyword
+ - name: im_members
+ type: keyword
+ - name: im_username
+ type: keyword
+ - name: ipkt
+ type: keyword
+ - name: ipscat
+ type: keyword
+ - name: ipspri
+ type: keyword
+ - name: latitude
+ type: keyword
+ - name: linenum
+ type: keyword
+ - name: list_name
+ type: keyword
+ - name: load_data
+ type: keyword
+ - name: location_floor
+ type: keyword
+ - name: location_mark
+ type: keyword
+ - name: log_id
+ type: keyword
+ - name: log_type
+ type: keyword
+ - name: logid
+ type: keyword
+ - name: logip
+ type: keyword
+ - name: logname
+ type: keyword
+ - name: longitude
+ type: keyword
+ - name: lport
+ type: keyword
+ - name: mbug_data
+ type: keyword
+ - name: misc_name
+ type: keyword
+ - name: msg_type
+ type: keyword
+ - name: msgid
+ type: keyword
+ - name: netsessid
+ type: keyword
+ - name: num
+ type: keyword
+ - name: number1
+ type: keyword
+ - name: number2
+ type: keyword
+ - name: nwwn
+ type: keyword
+ - name: object
+ type: keyword
+ - name: operation
+ type: keyword
+ - name: opkt
+ type: keyword
+ - name: orig_from
+ type: keyword
+ - name: owner_id
+ type: keyword
+ - name: p_action
+ type: keyword
+ - name: p_filter
+ type: keyword
+ - name: p_group_object
+ type: keyword
+ - name: p_id
+ type: keyword
+ - name: p_msgid1
+ type: keyword
+ - name: p_msgid2
+ type: keyword
+ - name: p_result1
+ type: keyword
+ - name: password_chg
+ type: keyword
+ - name: password_expire
+ type: keyword
+ - name: permgranted
+ type: keyword
+ - name: permwanted
+ type: keyword
+ - name: pgid
+ type: keyword
+ - name: policyUUID
+ type: keyword
+ - name: prog_asp_num
+ type: keyword
+ - name: program
+ type: keyword
+ - name: real_data
+ type: keyword
+ - name: rec_asp_device
+ type: keyword
+ - name: rec_asp_num
+ type: keyword
+ - name: rec_library
+ type: keyword
+ - name: recordnum
+ type: keyword
+ - name: ruid
+ type: keyword
+ - name: sburb
+ type: keyword
+ - name: sdomain_fld
+ type: keyword
+ - name: sec
+ type: keyword
+ - name: sensorname
+ type: keyword
+ - name: seqnum
+ type: keyword
+ - name: session
+ type: keyword
+ - name: sessiontype
+ type: keyword
+ - name: sigUUID
+ type: keyword
+ - name: spi
+ type: keyword
+ - name: srcburb
+ type: keyword
+ - name: srcdom
+ type: keyword
+ - name: srcservice
+ type: keyword
+ - name: state
+ type: keyword
+ - name: status1
+ type: keyword
+ - name: svcno
+ type: keyword
+ - name: system
+ type: keyword
+ - name: tbdstr1
+ type: keyword
+ - name: tgtdom
+ type: keyword
+ - name: tgtdomain
+ type: keyword
+ - name: threshold
+ type: keyword
+ - name: type1
+ type: keyword
+ - name: udb_class
+ type: keyword
+ - name: url_fld
+ type: keyword
+ - name: user_div
+ type: keyword
+ - name: userid
+ type: keyword
+ - name: username_fld
+ type: keyword
+ - name: utcstamp
+ type: keyword
+ - name: v_instafname
+ type: keyword
+ - name: virt_data
+ type: keyword
+ - name: vpnid
+ type: keyword
+ - name: autorun_type
+ type: keyword
+ description: This is used to capture Auto Run type
+ - name: cc_number
+ type: long
+ description: Valid Credit Card Numbers only
+ - name: content
+ type: keyword
+ description: This key captures the content type from protocol headers
+ - name: ein_number
+ type: long
+ description: Employee Identification Numbers only
+ - name: found
+ type: keyword
+ description: This is used to capture the results of regex match
+ - name: language
+ type: keyword
+ description: This is used to capture list of languages the client support and what it prefers
+ - name: lifetime
+ type: long
+ description: This key is used to capture the session lifetime in seconds.
+ - name: link
+ type: keyword
+ description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: match
+ type: keyword
+ description: This key is for regex match name from search.ini
+ - name: param_dst
+ type: keyword
+ description: This key captures the command line/launch argument of the target process or file
+ - name: param_src
+ type: keyword
+ description: This key captures source parameter
+ - name: search_text
+ type: keyword
+ description: This key captures the Search Text used
+ - name: sig_name
+ type: keyword
+ description: This key is used to capture the Signature Name only.
+ - name: snmp_value
+ type: keyword
+ description: SNMP set request value
+ - name: streams
+ type: long
+ description: This key captures number of streams in session
+ - name: db
+ type: group
+ fields:
+ - name: index
+ type: keyword
+ description: This key captures IndexID of the index.
+ - name: instance
+ type: keyword
+ description: This key is used to capture the database server instance name
+ - name: database
+ type: keyword
+ description: This key is used to capture the name of a database or an instance as seen in a session
+ - name: transact_id
+ type: keyword
+ description: This key captures the SQL transantion ID of the current session
+ - name: permissions
+ type: keyword
+ description: This key captures permission or privilege level assigned to a resource.
+ - name: table_name
+ type: keyword
+ description: This key is used to capture the table name
+ - name: db_id
+ type: keyword
+ description: This key is used to capture the unique identifier for a database
+ - name: db_pid
+ type: long
+ description: This key captures the process id of a connection with database server
+ - name: lread
+ type: long
+ description: This key is used for the number of logical reads
+ - name: lwrite
+ type: long
+ description: This key is used for the number of logical writes
+ - name: pread
+ type: long
+ description: This key is used for the number of physical writes
+ - name: network
+ type: group
+ fields:
+ - name: alias_host
+ type: keyword
+ description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.
+ - name: domain
+ type: keyword
+ - name: host_dst
+ type: keyword
+ description: "This key should only be used when it’s a Destination Hostname"
+ - name: network_service
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ type: keyword
+ description: This key should be used when the source or destination context of an interface is not clear
+ - name: network_port
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ type: keyword
+ description: "This key should only be used when it’s a Source Interface"
+ - name: dinterface
+ type: keyword
+ description: "This key should only be used when it’s a Destination Interface"
+ - name: vlan
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ type: keyword
+ description: "This key should only be used when it’s a Source Zone."
+ - name: zone
+ type: keyword
+ description: This key should be used when the source or destination context of a Zone is not clear
+ - name: zone_dst
+ type: keyword
+ description: "This key should only be used when it’s a Destination Zone."
+ - name: gateway
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ type: long
+ description: This key should only be used to capture a Network Port when the directionality is not clear
+ - name: smask
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ type: keyword
+ description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
+ - name: paddr
+ type: ip
+ description: Deprecated
+ - name: faddr
+ type: keyword
+ - name: lhost
+ type: keyword
+ - name: origin
+ type: keyword
+ - name: remote_domain_id
+ type: keyword
+ - name: addr
+ type: keyword
+ - name: dns_a_record
+ type: keyword
+ - name: dns_ptr_record
+ type: keyword
+ - name: fhost
+ type: keyword
+ - name: fport
+ type: keyword
+ - name: laddr
+ type: keyword
+ - name: linterface
+ type: keyword
+ - name: phost
+ type: keyword
+ - name: ad_computer_dst
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
+ - name: ip_proto
+ type: long
+ description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ type: keyword
+ - name: dns_id
+ type: keyword
+ - name: dns_opcode
+ type: keyword
+ - name: dns_resp
+ type: keyword
+ - name: dns_type
+ type: keyword
+ - name: domain1
+ type: keyword
+ - name: host_type
+ type: keyword
+ - name: packet_length
+ type: keyword
+ - name: host_orig
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
+ - name: rpayload
+ type: keyword
+ description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
+ - name: vlan_name
+ type: keyword
+ description: This key should only be used to capture the name of the Virtual LAN
+ - name: investigations
+ type: group
+ fields:
+ - name: ec_activity
+ type: keyword
+ description: This key captures the particular event activity(Ex:Logoff)
+ - name: ec_theme
+ type: keyword
+ description: This key captures the Theme of a particular Event(Ex:Authentication)
+ - name: ec_subject
+ type: keyword
+ description: This key captures the Subject of a particular Event(Ex:User)
+ - name: ec_outcome
+ type: keyword
+ description: This key captures the outcome of a particular Event(Ex:Success)
+ - name: event_cat
+ type: long
+ description: This key captures the Event category number
+ - name: event_cat_name
+ type: keyword
+ description: This key captures the event category name corresponding to the event cat code
+ - name: event_vcat
+ type: keyword
+ description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
+ - name: analysis_file
+ type: keyword
+ description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
+ - name: analysis_service
+ type: keyword
+ description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
+ - name: analysis_session
+ type: keyword
+ description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
+ - name: boc
+ type: keyword
+ description: This is used to capture behaviour of compromise
+ - name: eoc
+ type: keyword
+ description: This is used to capture Enablers of Compromise
+ - name: inv_category
+ type: keyword
+ description: This used to capture investigation category
+ - name: inv_context
+ type: keyword
+ description: This used to capture investigation context
+ - name: ioc
+ type: keyword
+ description: This is key capture indicator of compromise
+ - name: counters
+ type: group
+ fields:
+ - name: dclass_c1
+ type: long
+ description: This is a generic counter key that should be used with the label dclass.c1.str only
+ - name: dclass_c2
+ type: long
+ description: This is a generic counter key that should be used with the label dclass.c2.str only
+ - name: event_counter
+ type: long
+ description: This is used to capture the number of times an event repeated
+ - name: dclass_r1
+ type: keyword
+ description: This is a generic ratio key that should be used with the label dclass.r1.str only
+ - name: dclass_c3
+ type: long
+ description: This is a generic counter key that should be used with the label dclass.c3.str only
+ - name: dclass_c1_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the label dclass.c1 only
+ - name: dclass_c2_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the label dclass.c2 only
+ - name: dclass_r1_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the label dclass.r1 only
+ - name: dclass_r2
+ type: keyword
+ description: This is a generic ratio key that should be used with the label dclass.r2.str only
+ - name: dclass_c3_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the label dclass.c3 only
+ - name: dclass_r3
+ type: keyword
+ description: This is a generic ratio key that should be used with the label dclass.r3.str only
+ - name: dclass_r2_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the label dclass.r2 only
+ - name: dclass_r3_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the label dclass.r3 only
+ - name: identity
+ type: group
+ fields:
+ - name: auth_method
+ type: keyword
+ description: This key is used to capture authentication methods used only
+ - name: user_role
+ type: keyword
+ description: This key is used to capture the Role of a user only
+ - name: dn
+ type: keyword
+ description: X.500 (LDAP) Distinguished Name
+ - name: logon_type
+ type: keyword
+ description: This key is used to capture the type of logon method used.
+ - name: profile
+ type: keyword
+ description: This key is used to capture the user profile
+ - name: accesses
+ type: keyword
+ description: This key is used to capture actual privileges used in accessing an object
+ - name: realm
+ type: keyword
+ description: Radius realm or similar grouping of accounts
+ - name: user_sid_dst
+ type: keyword
+ description: This key captures Destination User Session ID
+ - name: dn_src
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
+ - name: org
+ type: keyword
+ description: This key captures the User organization
+ - name: dn_dst
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn
+ - name: firstname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: lastname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: user_dept
+ type: keyword
+ description: User's Department Names only
+ - name: user_sid_src
+ type: keyword
+ description: This key captures Source User Session ID
+ - name: federated_sp
+ type: keyword
+ description: This key is the Federated Service Provider. This is the application requesting authentication.
+ - name: federated_idp
+ type: keyword
+ description: This key is the federated Identity Provider. This is the server providing the authentication.
+ - name: logon_type_desc
+ type: keyword
+ description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
+ - name: middlename
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: password
+ type: keyword
+ description: This key is for Passwords seen in any session, plain text or encrypted
+ - name: host_role
+ type: keyword
+ description: This key should only be used to capture the role of a Host Machine
+ - name: ldap
+ type: keyword
+ description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context"
+ - name: ldap_query
+ type: keyword
+ description: This key is the Search criteria from an LDAP search
+ - name: ldap_response
+ type: keyword
+ description: This key is to capture Results from an LDAP search
+ - name: owner
+ type: keyword
+ description: This is used to capture username the process or service is running as, the author of the task
+ - name: service_account
+ type: keyword
+ description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage
+ - name: email
+ type: group
+ fields:
+ - name: email_dst
+ type: keyword
+ description: This key is used to capture the Destination email address only, when the destination context is not clear use email
+ - name: email_src
+ type: keyword
+ description: This key is used to capture the source email address only, when the source context is not clear use email
+ - name: subject
+ type: keyword
+ description: This key is used to capture the subject string from an Email only.
+ - name: email
+ type: keyword
+ description: This key is used to capture a generic email address where the source or destination context is not clear
+ - name: trans_from
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ type: group
+ fields:
+ - name: privilege
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ type: keyword
+ - name: binary
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst
+ type: keyword
+ description: This is used to capture name of the file targeted by the action
+ - name: filename_src
+ type: keyword
+ description: This is used to capture name of the parent filename, the file which performed the action
+ - name: filename_tmp
+ type: keyword
+ - name: directory_dst
+ type: keyword
+ description: This key is used to capture the directory of the target process or file
+ - name: directory_src
+ type: keyword
+ description: This key is used to capture the directory of the source process or file
+ - name: file_entropy
+ type: double
+ description: This is used to capture entropy vale of a file
+ - name: file_vendor
+ type: keyword
+ description: This is used to capture Company name of file located in version_info
+ - name: task_name
+ type: keyword
+ description: This is used to capture name of the task
+ - name: web
+ type: group
+ fields:
+ - name: fqdn
+ type: keyword
+ description: Fully Qualified Domain Names
+ - name: web_cookie
+ type: keyword
+ description: This key is used to capture the Web cookies specifically.
+ - name: alias_host
+ type: keyword
+ - name: reputation_num
+ type: double
+ description: Reputation Number of an entity. Typically used for Web Domains
+ - name: web_ref_domain
+ type: keyword
+ description: Web referer's domain
+ - name: web_ref_query
+ type: keyword
+ description: This key captures Web referer's query portion of the URL
+ - name: remote_domain
+ type: keyword
+ - name: web_ref_page
+ type: keyword
+ description: This key captures Web referer's page information
+ - name: web_ref_root
+ type: keyword
+ description: Web referer's root URL path
+ - name: cn_asn_dst
+ type: keyword
+ - name: cn_rpackets
+ type: keyword
+ - name: urlpage
+ type: keyword
+ - name: urlroot
+ type: keyword
+ - name: p_url
+ type: keyword
+ - name: p_user_agent
+ type: keyword
+ - name: p_web_cookie
+ type: keyword
+ - name: p_web_method
+ type: keyword
+ - name: p_web_referer
+ type: keyword
+ - name: web_extension_tmp
+ type: keyword
+ - name: web_page
+ type: keyword
+ - name: threat
+ type: group
+ fields:
+ - name: threat_category
+ type: keyword
+ description: This key captures Threat Name/Threat Category/Categorization of alert
+ - name: threat_desc
+ type: keyword
+ description: This key is used to capture the threat description from the session directly or inferred
+ - name: alert
+ type: keyword
+ description: This key is used to capture name of the alert
+ - name: threat_source
+ type: keyword
+ description: This key is used to capture source of the threat
+ - name: crypto
+ type: group
+ fields:
+ - name: crypto
+ type: keyword
+ description: This key is used to capture the Encryption Type or Encryption Key only
+ - name: cipher_src
+ type: keyword
+ description: This key is for Source (Client) Cipher
+ - name: cert_subject
+ type: keyword
+ description: This key is used to capture the Certificate organization only
+ - name: peer
+ type: keyword
+ description: This key is for Encryption peer's IP Address
+ - name: cipher_size_src
+ type: long
+ description: This key captures Source (Client) Cipher Size
+ - name: ike
+ type: keyword
+ description: IKE negotiation phase.
+ - name: scheme
+ type: keyword
+ description: This key captures the Encryption scheme used
+ - name: peer_id
+ type: keyword
+ description: "This key is for Encryption peer’s identity"
+ - name: sig_type
+ type: keyword
+ description: This key captures the Signature Type
+ - name: cert_issuer
+ type: keyword
+ - name: cert_host_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: cert_error
+ type: keyword
+ description: This key captures the Certificate Error String
+ - name: cipher_dst
+ type: keyword
+ description: This key is for Destination (Server) Cipher
+ - name: cipher_size_dst
+ type: long
+ description: This key captures Destination (Server) Cipher Size
+ - name: ssl_ver_src
+ type: keyword
+ description: Deprecated, use version
+ - name: d_certauth
+ type: keyword
+ - name: s_certauth
+ type: keyword
+ - name: ike_cookie1
+ type: keyword
+ description: "ID of the negotiation — sent for ISAKMP Phase One"
+ - name: ike_cookie2
+ type: keyword
+ description: "ID of the negotiation — sent for ISAKMP Phase Two"
+ - name: cert_checksum
+ type: keyword
+ - name: cert_host_cat
+ type: keyword
+ description: This key is used for the hostname category value of a certificate
+ - name: cert_serial
+ type: keyword
+ description: This key is used to capture the Certificate serial number only
+ - name: cert_status
+ type: keyword
+ description: This key captures Certificate validation status
+ - name: ssl_ver_dst
+ type: keyword
+ description: Deprecated, use version
+ - name: cert_keysize
+ type: keyword
+ - name: cert_username
+ type: keyword
+ - name: https_insact
+ type: keyword
+ - name: https_valid
+ type: keyword
+ - name: cert_ca
+ type: keyword
+ description: This key is used to capture the Certificate signing authority only
+ - name: cert_common
+ type: keyword
+ description: This key is used to capture the Certificate common name only
+ - name: wireless
+ type: group
+ fields:
+ - name: wlan_ssid
+ type: keyword
+ description: This key is used to capture the ssid of a Wireless Session
+ - name: access_point
+ type: keyword
+ description: This key is used to capture the access point name.
+ - name: wlan_channel
+ type: long
+ description: This is used to capture the channel names
+ - name: wlan_name
+ type: keyword
+ description: This key captures either WLAN number/name
+ - name: storage
+ type: group
+ fields:
+ - name: disk_volume
+ type: keyword
+ description: A unique name assigned to logical units (volumes) within a physical disk
+ - name: lun
+ type: keyword
+ description: Logical Unit Number.This key is a very useful concept in Storage.
+ - name: pwwn
+ type: keyword
+ description: This uniquely identifies a port on a HBA.
+ - name: physical
+ type: group
+ fields:
+ - name: org_dst
+ type: keyword
+ description: This is used to capture the destination organization based on the GEOPIP Maxmind database.
+ - name: org_src
+ type: keyword
+ description: This is used to capture the source organization based on the GEOPIP Maxmind database.
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
+- name: dns.question.domain
+ type: keyword
+ ignore_above: 1024
+ description: Server domain.
+- name: network.interface.name
+ type: keyword
diff --git a/packages/juniper_netscreen/0.3.1/data_stream/log/manifest.yml b/packages/juniper_netscreen/0.3.1/data_stream/log/manifest.yml
new file mode 100755
index 0000000000..7b194a9784
--- /dev/null
+++ b/packages/juniper_netscreen/0.3.1/data_stream/log/manifest.yml
@@ -0,0 +1,205 @@
+title: Netscreen logs
+release: experimental
+type: logs
+streams:
+ - input: udp
+ title: Netscreen logs
+ description: Collect Netscreen logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - juniper-netscreen
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9523
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ title: Netscreen logs
+ description: Collect Netscreen logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - juniper-netscreen
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9523
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: filestream
+ enabled: false
+ title: Netscreen logs
+ description: Collect Netscreen logs from file
+ template_path: logfile.yml.hbs
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/juniper-netscreen.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - juniper-netscreen
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
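Review bot: The `processors` description uses a clipped folded scalar (`>`) in the udp and tcp streams but a stripped one (`>-`) in the filestream stream, so the same help text ends with a trailing newline in two of the three streams; change the two `description: >` lines to `description: >-` so all three render identically. The three streams also repeat the same `tags`, `tz_offset`, `rsa_fields`, `keep_raw_fields`, `debug`, `preserve_original_event` and `processors` definitions verbatim, which is easy to let drift — if the package tooling does not expand anchors, a comment such as `# keep the shared vars in sync across udp/tcp/filestream` above each `vars:` would at least flag it. The tcp stream exposes no TLS-related variable, so syslog delivered over TCP is plaintext on the wire; the `localhost` default for `tcp_host` and `udp_host` keeps the listener local, which is the right default, and it is worth noting in the `title` or a description that changing it to a non-loopback address accepts unauthenticated log input from the network.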
diff --git a/packages/juniper_netscreen/0.3.1/data_stream/log/sample_event.json b/packages/juniper_netscreen/0.3.1/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..4794339b14
--- /dev/null
+++ b/packages/juniper_netscreen/0.3.1/data_stream/log/sample_event.json
@@ -0,0 +1,60 @@
+{
+ "@timestamp": "2016-01-29T06:09:59.000Z",
+ "agent": {
+ "ephemeral_id": "1d0b19ed-8fb1-4e91-873a-19f2949ff20e",
+ "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "juniper_netscreen.log",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "elastic_agent": {
+ "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
+ "snapshot": true,
+ "version": "8.0.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "code": "00628",
+ "dataset": "juniper_netscreen.log",
+ "ingested": "2022-01-25T12:47:59Z",
+ "timezone": "+00:00"
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "level": "low",
+ "source": {
+ "address": "172.30.0.4:59406"
+ }
+ },
+ "observer": {
+ "product": "Netscreen",
+ "type": "Firewall",
+ "vendor": "Juniper"
+ },
+ "rsa": {
+ "internal": {
+ "messageid": "00628"
+ },
+ "misc": {
+ "hardware_id": "olab",
+ "severity": "low"
+ },
+ "time": {
+ "event_time": "2016-01-29T06:09:59.000Z"
+ }
+ },
+ "tags": [
+ "juniper-netscreen",
+ "forwarded"
+ ]
+}
\ No newline at end of file
diff --git a/packages/juniper_netscreen/0.3.1/docs/README.md b/packages/juniper_netscreen/0.3.1/docs/README.md
new file mode 100755
index 0000000000..1dd31a6505
--- /dev/null
+++ b/packages/juniper_netscreen/0.3.1/docs/README.md
@@ -0,0 +1,913 @@
+# Juniper integration
+
+This is an integration for ingesting logs from [Juniper NetScreen](https://www.juniper.net/documentation/en_US/release-independent/screenos/information-products/pathway-pages/netscreen-series/product/).
+
+### Log
+
+The `log` dataset collects Netscreen logs.
+
+An example event for `log` looks as following:
+
+```json
+{
+ "@timestamp": "2016-01-29T06:09:59.000Z",
+ "agent": {
+ "ephemeral_id": "1d0b19ed-8fb1-4e91-873a-19f2949ff20e",
+ "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "juniper_netscreen.log",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "elastic_agent": {
+ "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
+ "snapshot": true,
+ "version": "8.0.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "code": "00628",
+ "dataset": "juniper_netscreen.log",
+ "ingested": "2022-01-25T12:47:59Z",
+ "timezone": "+00:00"
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "level": "low",
+ "source": {
+ "address": "172.30.0.4:59406"
+ }
+ },
+ "observer": {
+ "product": "Netscreen",
+ "type": "Firewall",
+ "vendor": "Juniper"
+ },
+ "rsa": {
+ "internal": {
+ "messageid": "00628"
+ },
+ "misc": {
+ "hardware_id": "olab",
+ "severity": "low"
+ },
+ "time": {
+ "event_time": "2016-01-29T06:09:59.000Z"
+ }
+ },
+ "tags": [
+ "juniper-netscreen",
+ "forwarded"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
+| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
+| destination.port | Port of the destination. | long |
+| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
+| dns.question.domain | Server domain. | keyword |
+| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| dns.question.type | The type of record being queried. | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.dataset | Event dataset | constant_keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
+| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword |
+| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
+| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
+| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
+| file.type | File type (file, dir, or symlink). | keyword |
+| geo.city_name | City name. | keyword |
+| geo.country_name | Country name. | keyword |
+| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| geo.region_name | Region name. | keyword |
+| group.id | Unique identifier for the group on the system/platform. | keyword |
+| group.name | Name of the group. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
+| http.request.referrer | Referrer for this HTTP request. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Full path to the log file this event came from. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
+| log.source.address | Source address from which the log event was read / sent from. | keyword |
+| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
+| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
+| network.interface.name | | keyword |
+| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| observer.egress.interface.name | Interface name as reported by the system. | keyword |
+| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
+| observer.product | The product name of the observer. | keyword |
+| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| observer.version | Observer version. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
+| process.parent.pid | Process id. | long |
+| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text |
+| process.pid | Process id. | long |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. | match_only_text |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long |
+| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword |
+| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long |
+| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword |
+| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long |
+| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword |
+| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword |
+| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword |
+| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword |
+| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword |
+| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword |
+| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword |
+| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long |
+| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword |
+| rsa.crypto.cert_checksum | | keyword |
+| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword |
+| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword |
+| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword |
+| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword |
+| rsa.crypto.cert_issuer | | keyword |
+| rsa.crypto.cert_keysize | | keyword |
+| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword |
+| rsa.crypto.cert_status | This key captures Certificate validation status | keyword |
+| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword |
+| rsa.crypto.cert_username | | keyword |
+| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword |
+| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long |
+| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long |
+| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword |
+| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword |
+| rsa.crypto.d_certauth | | keyword |
+| rsa.crypto.https_insact | | keyword |
+| rsa.crypto.https_valid | | keyword |
+| rsa.crypto.ike | IKE negotiation phase. | keyword |
+| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword |
+| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword |
+| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword |
+| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword |
+| rsa.crypto.s_certauth | | keyword |
+| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword |
+| rsa.crypto.sig_type | This key captures the Signature Type | keyword |
+| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword |
+| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword |
+| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword |
+| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword |
+| rsa.db.db_pid | This key captures the process id of a connection with database server | long |
+| rsa.db.index | This key captures IndexID of the index. | keyword |
+| rsa.db.instance | This key is used to capture the database server instance name | keyword |
+| rsa.db.lread | This key is used for the number of logical reads | long |
+| rsa.db.lwrite | This key is used for the number of logical writes | long |
+| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. | keyword |
+| rsa.db.pread | This key is used for the number of physical writes | long |
+| rsa.db.table_name | This key is used to capture the table name | keyword |
+| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword |
+| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword |
+| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword |
+| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword |
+| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword |
+| rsa.email.trans_from | Deprecated key defined only in table map. | keyword |
+| rsa.email.trans_to | Deprecated key defined only in table map. | keyword |
+| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword |
+| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword |
+| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword |
+| rsa.file.attachment | This key captures the attachment file name | keyword |
+| rsa.file.binary | Deprecated key defined only in table map. | keyword |
+| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword |
+| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword |
+| rsa.file.file_entropy | This is used to capture entropy vale of a file | double |
+| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword |
+| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword |
+| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword |
+| rsa.file.filename_tmp | | keyword |
+| rsa.file.filesystem | | keyword |
+| rsa.file.privilege | Deprecated, use permissions | keyword |
+| rsa.file.task_name | This is used to capture name of the task | keyword |
+| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword |
+| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword |
+| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword |
+| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword |
+| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword |
+| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword |
+| rsa.identity.federated_idp | This key is the federated Identity Provider. This is the server providing the authentication. | keyword |
+| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword |
+| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword |
+| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword |
+| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword |
+| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword |
+| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword |
+| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. | keyword |
+| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.org | This key captures the User organization | keyword |
+| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword |
+| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword |
+| rsa.identity.profile | This key is used to capture the user profile | keyword |
+| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword |
+| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword |
+| rsa.identity.user_dept | User's Department Names only | keyword |
+| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword |
+| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword |
+| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword |
+| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword |
+| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.data | Deprecated key defined only in table map. | keyword |
+| rsa.internal.dead | Deprecated key defined only in table map. | long |
+| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_type_id | Deprecated key defined only in table map. | long |
+| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entry | Deprecated key defined only in table map. | keyword |
+| rsa.internal.event_desc | | keyword |
+| rsa.internal.event_name | Deprecated key defined only in table map. | keyword |
+| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip |
+| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.hcode | Deprecated key defined only in table map. | keyword |
+| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.inode | Deprecated key defined only in table map. | long |
+| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date |
+| rsa.internal.level | Deprecated key defined only in table map. | long |
+| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long |
+| rsa.internal.message | This key captures the contents of instant messages | keyword |
+| rsa.internal.messageid | | keyword |
+| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword |
+| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.node_name | Deprecated key defined only in table map. | keyword |
+| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword |
+| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword |
+| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword |
+| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword |
+| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
+| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
+| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword |
+| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword |
+| rsa.internal.resource | Deprecated key defined only in table map. | keyword |
+| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword |
+| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.site | Deprecated key defined only in table map. | keyword |
+| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.statement | Deprecated key defined only in table map. | keyword |
+| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date |
+| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword |
+| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword |
+| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword |
+| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword |
+| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword |
+| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword |
+| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword |
+| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword |
+| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword |
+| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword |
+| rsa.investigations.event_cat | This key captures the Event category number | long |
+| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword |
+| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. | keyword |
+| rsa.investigations.inv_category | This used to capture investigation category | keyword |
+| rsa.investigations.inv_context | This used to capture investigation context | keyword |
+| rsa.investigations.ioc | This is key capture indicator of compromise | keyword |
+| rsa.misc.OS | This key captures the Name of the Operating System | keyword |
+| rsa.misc.acl_id | | keyword |
+| rsa.misc.acl_op | | keyword |
+| rsa.misc.acl_pos | | keyword |
+| rsa.misc.acl_table | | keyword |
+| rsa.misc.action | | keyword |
+| rsa.misc.admin | | keyword |
+| rsa.misc.agent_id | This key is used to capture agent id | keyword |
+| rsa.misc.alarm_id | | keyword |
+| rsa.misc.alarmname | | keyword |
+| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
+| rsa.misc.app_id | | keyword |
+| rsa.misc.audit | | keyword |
+| rsa.misc.audit_object | | keyword |
+| rsa.misc.auditdata | | keyword |
+| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword |
+| rsa.misc.benchmark | | keyword |
+| rsa.misc.bypass | | keyword |
+| rsa.misc.cache | | keyword |
+| rsa.misc.cache_hit | | keyword |
+| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword |
+| rsa.misc.cc_number | Valid Credit Card Numbers only | long |
+| rsa.misc.cefversion | | keyword |
+| rsa.misc.cfg_attr | | keyword |
+| rsa.misc.cfg_obj | | keyword |
+| rsa.misc.cfg_path | | keyword |
+| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword |
+| rsa.misc.changes | | keyword |
+| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword |
+| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword |
+| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword |
+| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword |
+| rsa.misc.client_ip | | keyword |
+| rsa.misc.clustermembers | | keyword |
+| rsa.misc.cmd | | keyword |
+| rsa.misc.cn_acttimeout | | keyword |
+| rsa.misc.cn_asn_src | | keyword |
+| rsa.misc.cn_bgpv4nxthop | | keyword |
+| rsa.misc.cn_ctr_dst_code | | keyword |
+| rsa.misc.cn_dst_tos | | keyword |
+| rsa.misc.cn_dst_vlan | | keyword |
+| rsa.misc.cn_engine_id | | keyword |
+| rsa.misc.cn_engine_type | | keyword |
+| rsa.misc.cn_f_switch | | keyword |
+| rsa.misc.cn_flowsampid | | keyword |
+| rsa.misc.cn_flowsampintv | | keyword |
+| rsa.misc.cn_flowsampmode | | keyword |
+| rsa.misc.cn_inacttimeout | | keyword |
+| rsa.misc.cn_inpermbyts | | keyword |
+| rsa.misc.cn_inpermpckts | | keyword |
+| rsa.misc.cn_invalid | | keyword |
+| rsa.misc.cn_ip_proto_ver | | keyword |
+| rsa.misc.cn_ipv4_ident | | keyword |
+| rsa.misc.cn_l_switch | | keyword |
+| rsa.misc.cn_log_did | | keyword |
+| rsa.misc.cn_log_rid | | keyword |
+| rsa.misc.cn_max_ttl | | keyword |
+| rsa.misc.cn_maxpcktlen | | keyword |
+| rsa.misc.cn_min_ttl | | keyword |
+| rsa.misc.cn_minpcktlen | | keyword |
+| rsa.misc.cn_mpls_lbl_1 | | keyword |
+| rsa.misc.cn_mpls_lbl_10 | | keyword |
+| rsa.misc.cn_mpls_lbl_2 | | keyword |
+| rsa.misc.cn_mpls_lbl_3 | | keyword |
+| rsa.misc.cn_mpls_lbl_4 | | keyword |
+| rsa.misc.cn_mpls_lbl_5 | | keyword |
+| rsa.misc.cn_mpls_lbl_6 | | keyword |
+| rsa.misc.cn_mpls_lbl_7 | | keyword |
+| rsa.misc.cn_mpls_lbl_8 | | keyword |
+| rsa.misc.cn_mpls_lbl_9 | | keyword |
+| rsa.misc.cn_mplstoplabel | | keyword |
+| rsa.misc.cn_mplstoplabip | | keyword |
+| rsa.misc.cn_mul_dst_byt | | keyword |
+| rsa.misc.cn_mul_dst_pks | | keyword |
+| rsa.misc.cn_muligmptype | | keyword |
+| rsa.misc.cn_sampalgo | | keyword |
+| rsa.misc.cn_sampint | | keyword |
+| rsa.misc.cn_seqctr | | keyword |
+| rsa.misc.cn_spackets | | keyword |
+| rsa.misc.cn_src_tos | | keyword |
+| rsa.misc.cn_src_vlan | | keyword |
+| rsa.misc.cn_sysuptime | | keyword |
+| rsa.misc.cn_template_id | | keyword |
+| rsa.misc.cn_totbytsexp | | keyword |
+| rsa.misc.cn_totflowexp | | keyword |
+| rsa.misc.cn_totpcktsexp | | keyword |
+| rsa.misc.cn_unixnanosecs | | keyword |
+| rsa.misc.cn_v6flowlabel | | keyword |
+| rsa.misc.cn_v6optheaders | | keyword |
+| rsa.misc.code | | keyword |
+| rsa.misc.command | | keyword |
+| rsa.misc.comments | Comment information provided in the log message | keyword |
+| rsa.misc.comp_class | | keyword |
+| rsa.misc.comp_name | | keyword |
+| rsa.misc.comp_rbytes | | keyword |
+| rsa.misc.comp_sbytes | | keyword |
+| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword |
+| rsa.misc.connection_id | This key captures the Connection ID | keyword |
+| rsa.misc.content | This key captures the content type from protocol headers | keyword |
+| rsa.misc.content_type | This key is used to capture Content Type only. | keyword |
+| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword |
+| rsa.misc.context | This key captures Information which adds additional context to the event. | keyword |
+| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword |
+| rsa.misc.context_target | | keyword |
+| rsa.misc.count | | keyword |
+| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long |
+| rsa.misc.cpu_data | | keyword |
+| rsa.misc.criticality | | keyword |
+| rsa.misc.cs_agency_dst | | keyword |
+| rsa.misc.cs_analyzedby | | keyword |
+| rsa.misc.cs_av_other | | keyword |
+| rsa.misc.cs_av_primary | | keyword |
+| rsa.misc.cs_av_secondary | | keyword |
+| rsa.misc.cs_bgpv6nxthop | | keyword |
+| rsa.misc.cs_bit9status | | keyword |
+| rsa.misc.cs_context | | keyword |
+| rsa.misc.cs_control | | keyword |
+| rsa.misc.cs_data | | keyword |
+| rsa.misc.cs_datecret | | keyword |
+| rsa.misc.cs_dst_tld | | keyword |
+| rsa.misc.cs_eth_dst_ven | | keyword |
+| rsa.misc.cs_eth_src_ven | | keyword |
+| rsa.misc.cs_event_uuid | | keyword |
+| rsa.misc.cs_filetype | | keyword |
+| rsa.misc.cs_fld | | keyword |
+| rsa.misc.cs_if_desc | | keyword |
+| rsa.misc.cs_if_name | | keyword |
+| rsa.misc.cs_ip_next_hop | | keyword |
+| rsa.misc.cs_ipv4dstpre | | keyword |
+| rsa.misc.cs_ipv4srcpre | | keyword |
+| rsa.misc.cs_lifetime | | keyword |
+| rsa.misc.cs_log_medium | | keyword |
+| rsa.misc.cs_loginname | | keyword |
+| rsa.misc.cs_modulescore | | keyword |
+| rsa.misc.cs_modulesign | | keyword |
+| rsa.misc.cs_opswatresult | | keyword |
+| rsa.misc.cs_payload | | keyword |
+| rsa.misc.cs_registrant | | keyword |
+| rsa.misc.cs_registrar | | keyword |
+| rsa.misc.cs_represult | | keyword |
+| rsa.misc.cs_rpayload | | keyword |
+| rsa.misc.cs_sampler_name | | keyword |
+| rsa.misc.cs_sourcemodule | | keyword |
+| rsa.misc.cs_streams | | keyword |
+| rsa.misc.cs_targetmodule | | keyword |
+| rsa.misc.cs_v6nxthop | | keyword |
+| rsa.misc.cs_whois_server | | keyword |
+| rsa.misc.cs_yararesult | | keyword |
+| rsa.misc.cve | This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword |
+| rsa.misc.data_type | | keyword |
+| rsa.misc.description | | keyword |
+| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword |
+| rsa.misc.devvendor | | keyword |
+| rsa.misc.disposition | This key captures the The end state of an action. | keyword |
+| rsa.misc.distance | | keyword |
+| rsa.misc.doc_number | This key captures File Identification number | long |
+| rsa.misc.dstburb | | keyword |
+| rsa.misc.edomain | | keyword |
+| rsa.misc.edomaub | | keyword |
+| rsa.misc.ein_number | Employee Identification Numbers only | long |
+| rsa.misc.error | This key captures All non successful Error codes or responses | keyword |
+| rsa.misc.euid | | keyword |
+| rsa.misc.event_category | | keyword |
+| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword |
+| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword |
+| rsa.misc.event_id | | keyword |
+| rsa.misc.event_log | This key captures the Name of the event log | keyword |
+| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword |
+| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword |
+| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword |
+| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword |
+| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). | keyword |
+| rsa.misc.facility | | keyword |
+| rsa.misc.facilityname | | keyword |
+| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword |
+| rsa.misc.filter | This key captures Filter used to reduce result set | keyword |
+| rsa.misc.finterface | | keyword |
+| rsa.misc.flags | | keyword |
+| rsa.misc.forensic_info | | keyword |
+| rsa.misc.found | This is used to capture the results of regex match | keyword |
+| rsa.misc.fresult | This key captures the Filter Result | long |
+| rsa.misc.gaddr | | keyword |
+| rsa.misc.group | This key captures the Group Name value | keyword |
+| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword |
+| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword |
+| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword |
+| rsa.misc.id3 | | keyword |
+| rsa.misc.im_buddyid | | keyword |
+| rsa.misc.im_buddyname | | keyword |
+| rsa.misc.im_client | | keyword |
+| rsa.misc.im_croomid | | keyword |
+| rsa.misc.im_croomtype | | keyword |
+| rsa.misc.im_members | | keyword |
+| rsa.misc.im_userid | | keyword |
+| rsa.misc.im_username | | keyword |
+| rsa.misc.index | | keyword |
+| rsa.misc.inout | | keyword |
+| rsa.misc.ipkt | | keyword |
+| rsa.misc.ipscat | | keyword |
+| rsa.misc.ipspri | | keyword |
+| rsa.misc.job_num | This key captures the Job Number | keyword |
+| rsa.misc.jobname | | keyword |
+| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword |
+| rsa.misc.latitude | | keyword |
+| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword |
+| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long |
+| rsa.misc.linenum | | keyword |
+| rsa.misc.link | This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.misc.list_name | | keyword |
+| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword |
+| rsa.misc.load_data | | keyword |
+| rsa.misc.location_floor | | keyword |
+| rsa.misc.location_mark | | keyword |
+| rsa.misc.log_id | | keyword |
+| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword |
+| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword |
+| rsa.misc.log_type | | keyword |
+| rsa.misc.logid | | keyword |
+| rsa.misc.logip | | keyword |
+| rsa.misc.logname | | keyword |
+| rsa.misc.longitude | | keyword |
+| rsa.misc.lport | | keyword |
+| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword |
+| rsa.misc.match | This key is for regex match name from search.ini | keyword |
+| rsa.misc.mbug_data | | keyword |
+| rsa.misc.message_body | This key captures the The contents of the message body. | keyword |
+| rsa.misc.misc | | keyword |
+| rsa.misc.misc_name | | keyword |
+| rsa.misc.mode | | keyword |
+| rsa.misc.msgIdPart1 | | keyword |
+| rsa.misc.msgIdPart2 | | keyword |
+| rsa.misc.msgIdPart3 | | keyword |
+| rsa.misc.msgIdPart4 | | keyword |
+| rsa.misc.msg_type | | keyword |
+| rsa.misc.msgid | | keyword |
+| rsa.misc.name | | keyword |
+| rsa.misc.netsessid | | keyword |
+| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. | keyword |
+| rsa.misc.ntype | | keyword |
+| rsa.misc.num | | keyword |
+| rsa.misc.number | | keyword |
+| rsa.misc.number1 | | keyword |
+| rsa.misc.number2 | | keyword |
+| rsa.misc.nwwn | | keyword |
+| rsa.misc.obj_name | This is used to capture name of object | keyword |
+| rsa.misc.obj_type | This is used to capture type of object | keyword |
+| rsa.misc.object | | keyword |
+| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword |
+| rsa.misc.operation | | keyword |
+| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword |
+| rsa.misc.opkt | | keyword |
+| rsa.misc.orig_from | | keyword |
+| rsa.misc.owner_id | | keyword |
+| rsa.misc.p_action | | keyword |
+| rsa.misc.p_filter | | keyword |
+| rsa.misc.p_group_object | | keyword |
+| rsa.misc.p_id | | keyword |
+| rsa.misc.p_msgid | | keyword |
+| rsa.misc.p_msgid1 | | keyword |
+| rsa.misc.p_msgid2 | | keyword |
+| rsa.misc.p_result1 | | keyword |
+| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword |
+| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword |
+| rsa.misc.param_src | This key captures source parameter | keyword |
+| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. | keyword |
+| rsa.misc.password_chg | | keyword |
+| rsa.misc.password_expire | | keyword |
+| rsa.misc.payload_dst | This key is used to capture destination payload | keyword |
+| rsa.misc.payload_src | This key is used to capture source payload | keyword |
+| rsa.misc.permgranted | | keyword |
+| rsa.misc.permwanted | | keyword |
+| rsa.misc.pgid | | keyword |
+| rsa.misc.phone | | keyword |
+| rsa.misc.pid | | keyword |
+| rsa.misc.policy | | keyword |
+| rsa.misc.policyUUID | | keyword |
+| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword |
+| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword |
+| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword |
+| rsa.misc.policy_waiver | | keyword |
+| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword |
+| rsa.misc.pool_name | This key captures the name of a resource pool | keyword |
+| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword |
+| rsa.misc.priority | | keyword |
+| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword |
+| rsa.misc.prog_asp_num | | keyword |
+| rsa.misc.program | | keyword |
+| rsa.misc.real_data | | keyword |
+| rsa.misc.reason | | keyword |
+| rsa.misc.rec_asp_device | | keyword |
+| rsa.misc.rec_asp_num | | keyword |
+| rsa.misc.rec_library | | keyword |
+| rsa.misc.recordnum | | keyword |
+| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword |
+| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword |
+| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword |
+| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword |
+| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword |
+| rsa.misc.risk | This key captures the non-numeric risk value | keyword |
+| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
+| rsa.misc.risk_num | This key captures a Numeric Risk value | double |
+| rsa.misc.risk_num_comm | This key captures Risk Number Community | double |
+| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double |
+| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double |
+| rsa.misc.risk_num_static | This key captures Risk Number Static | double |
+| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
+| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
+| rsa.misc.ruid | | keyword |
+| rsa.misc.rule | This key captures the Rule number | keyword |
+| rsa.misc.rule_group | This key captures the Rule group name | keyword |
+| rsa.misc.rule_name | This key captures the Rule Name | keyword |
+| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword |
+| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword |
+| rsa.misc.sburb | | keyword |
+| rsa.misc.sdomain_fld | | keyword |
+| rsa.misc.search_text | This key captures the Search Text used | keyword |
+| rsa.misc.sec | | keyword |
+| rsa.misc.second | | keyword |
+| rsa.misc.sensor | This key captures Name of the sensor. Typically used in IDS/IPS based devices | keyword |
+| rsa.misc.sensorname | | keyword |
+| rsa.misc.seqnum | | keyword |
+| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword |
+| rsa.misc.session | | keyword |
+| rsa.misc.sessiontype | | keyword |
+| rsa.misc.severity | This key is used to capture the severity given the session | keyword |
+| rsa.misc.sigUUID | | keyword |
+| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long |
+| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long |
+| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword |
+| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword |
+| rsa.misc.sigcat | | keyword |
+| rsa.misc.snmp_oid | SNMP Object Identifier | keyword |
+| rsa.misc.snmp_value | SNMP set request value | keyword |
+| rsa.misc.space | | keyword |
+| rsa.misc.space1 | | keyword |
+| rsa.misc.spi | | keyword |
+| rsa.misc.spi_dst | Destination SPI Index | keyword |
+| rsa.misc.spi_src | Source SPI Index | keyword |
+| rsa.misc.sql | This key captures the SQL query | keyword |
+| rsa.misc.srcburb | | keyword |
+| rsa.misc.srcdom | | keyword |
+| rsa.misc.srcservice | | keyword |
+| rsa.misc.state | | keyword |
+| rsa.misc.status | | keyword |
+| rsa.misc.status1 | | keyword |
+| rsa.misc.streams | This key captures number of streams in session | long |
+| rsa.misc.subcategory | | keyword |
+| rsa.misc.svcno | | keyword |
+| rsa.misc.system | | keyword |
+| rsa.misc.tbdstr1 | | keyword |
+| rsa.misc.tbdstr2 | | keyword |
+| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long |
+| rsa.misc.terminal | This key captures the Terminal Names only | keyword |
+| rsa.misc.tgtdom | | keyword |
+| rsa.misc.tgtdomain | | keyword |
+| rsa.misc.threshold | | keyword |
+| rsa.misc.tos | This key describes the type of service | long |
+| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword |
+| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword |
+| rsa.misc.type | | keyword |
+| rsa.misc.type1 | | keyword |
+| rsa.misc.udb_class | | keyword |
+| rsa.misc.url_fld | | keyword |
+| rsa.misc.user_div | | keyword |
+| rsa.misc.userid | | keyword |
+| rsa.misc.username_fld | | keyword |
+| rsa.misc.utcstamp | | keyword |
+| rsa.misc.v_instafname | | keyword |
+| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword |
+| rsa.misc.virt_data | | keyword |
+| rsa.misc.virusname | This key captures the name of the virus | keyword |
+| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword |
+| rsa.misc.vpnid | | keyword |
+| rsa.misc.vsys | This key captures Virtual System Name | keyword |
+| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword |
+| rsa.misc.workspace | This key captures Workspace Description | keyword |
+| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword |
+| rsa.network.addr | | keyword |
+| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. | keyword |
+| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword |
+| rsa.network.dmask | This key is used for Destionation Device network mask | keyword |
+| rsa.network.dns_a_record | | keyword |
+| rsa.network.dns_cname_record | | keyword |
+| rsa.network.dns_id | | keyword |
+| rsa.network.dns_opcode | | keyword |
+| rsa.network.dns_ptr_record | | keyword |
+| rsa.network.dns_resp | | keyword |
+| rsa.network.dns_type | | keyword |
+| rsa.network.domain | | keyword |
+| rsa.network.domain1 | | keyword |
+| rsa.network.eth_host | Deprecated, use alias.mac | keyword |
+| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long |
+| rsa.network.faddr | | keyword |
+| rsa.network.fhost | | keyword |
+| rsa.network.fport | | keyword |
+| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword |
+| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword |
+| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword |
+| rsa.network.host_type | | keyword |
+| rsa.network.icmp_code | This key is used to capture the ICMP code only | long |
+| rsa.network.icmp_type | This key is used to capture the ICMP type only | long |
+| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword |
+| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long |
+| rsa.network.laddr | | keyword |
+| rsa.network.lhost | | keyword |
+| rsa.network.linterface | | keyword |
+| rsa.network.mask | This key is used to capture the device network IPmask. | keyword |
+| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. | keyword |
+| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long |
+| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword |
+| rsa.network.origin | | keyword |
+| rsa.network.packet_length | | keyword |
+| rsa.network.paddr | Deprecated | ip |
+| rsa.network.phost | | keyword |
+| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long |
+| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword |
+| rsa.network.remote_domain_id | | keyword |
+| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword |
+| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword |
+| rsa.network.smask | This key is used for capturing source Network Mask | keyword |
+| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long |
+| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword |
+| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword |
+| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword |
+| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword |
+| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword |
+| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. | keyword |
+| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword |
+| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword |
+| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword |
+| rsa.threat.alert | This key is used to capture name of the alert | keyword |
+| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword |
+| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword |
+| rsa.threat.threat_source | This key is used to capture source of the threat | keyword |
+| rsa.time.date | | keyword |
+| rsa.time.datetime | | keyword |
+| rsa.time.day | | keyword |
+| rsa.time.duration_str | A text string version of the duration | keyword |
+| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double |
+| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date |
+| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date |
+| rsa.time.event_queue_time | This key is the Time that the event was queued. | date |
+| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date |
+| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword |
+| rsa.time.eventtime | | keyword |
+| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date |
+| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. | keyword |
+| rsa.time.gmtdate | | keyword |
+| rsa.time.gmttime | | keyword |
+| rsa.time.hour | | keyword |
+| rsa.time.min | | keyword |
+| rsa.time.month | | keyword |
+| rsa.time.p_date | | keyword |
+| rsa.time.p_month | | keyword |
+| rsa.time.p_time | | keyword |
+| rsa.time.p_time1 | | keyword |
+| rsa.time.p_time2 | | keyword |
+| rsa.time.p_year | | keyword |
+| rsa.time.process_time | Deprecated, use duration.time | keyword |
+| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date |
+| rsa.time.stamp | Deprecated key defined only in table map. | date |
+| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date |
+| rsa.time.timestamp | | keyword |
+| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword |
+| rsa.time.tzone | | keyword |
+| rsa.time.year | | keyword |
+| rsa.web.alias_host | | keyword |
+| rsa.web.cn_asn_dst | | keyword |
+| rsa.web.cn_rpackets | | keyword |
+| rsa.web.fqdn | Fully Qualified Domain Names | keyword |
+| rsa.web.p_url | | keyword |
+| rsa.web.p_user_agent | | keyword |
+| rsa.web.p_web_cookie | | keyword |
+| rsa.web.p_web_method | | keyword |
+| rsa.web.p_web_referer | | keyword |
+| rsa.web.remote_domain | | keyword |
+| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double |
+| rsa.web.urlpage | | keyword |
+| rsa.web.urlroot | | keyword |
+| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. | keyword |
+| rsa.web.web_extension_tmp | | keyword |
+| rsa.web.web_page | | keyword |
+| rsa.web.web_ref_domain | Web referer's domain | keyword |
+| rsa.web.web_ref_page | This key captures Web referer's page information | keyword |
+| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword |
+| rsa.web.web_ref_root | Web referer's root URL path | keyword |
+| rsa.wireless.access_point | This key is used to capture the access point name. | keyword |
+| rsa.wireless.wlan_channel | This is used to capture the channel names | long |
+| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword |
+| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
+| source.port | Port of the source. | long |
+| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
+| url.path | Path of the request, such as "/search". | wildcard |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+
diff --git a/packages/juniper_netscreen/0.3.1/img/logo.svg b/packages/juniper_netscreen/0.3.1/img/logo.svg
new file mode 100755
index 0000000000..8802414a5a
--- /dev/null
+++ b/packages/juniper_netscreen/0.3.1/img/logo.svg
@@ -0,0 +1,72 @@
+
+
\ No newline at end of file
diff --git a/packages/juniper_netscreen/0.3.1/manifest.yml b/packages/juniper_netscreen/0.3.1/manifest.yml
new file mode 100755
index 0000000000..92bde889f0
--- /dev/null
+++ b/packages/juniper_netscreen/0.3.1/manifest.yml
@@ -0,0 +1,32 @@
+format_version: 1.0.0
+name: juniper_netscreen
+title: Juniper NetScreen
+version: "0.3.1"
+description: Collect logs from Juniper NetScreen with Elastic Agent.
+categories: ["network", "security"]
+release: experimental
+license: basic
+type: integration
+conditions:
+ kibana.version: "^8.0.0"
+policy_templates:
+ - name: juniper
+ title: Juniper NetScreen logs
+ description: Collect Juniper NetScreen logs from syslog or a file.
+ inputs:
+ - type: udp
+ title: Collect logs from Juniper NetScreen via UDP
+ description: Collecting syslog from Juniper NetScreen via UDP.
+ - type: tcp
+ title: Collect logs from Juniper NetScreen via TCP
+ description: Collecting syslog from Juniper NetScreen via TCP.
+ - type: filestream
+ title: Collect logs from Juniper NetScreen via file
+ description: Collecting syslog from Juniper NetScreen via file.
+icons:
+ - src: /img/logo.svg
+ title: Juniper logo
+ size: 32x32
+ type: image/svg+xml
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/panw_cortex_xdr/1.3.1/changelog.yml b/packages/panw_cortex_xdr/1.3.1/changelog.yml
new file mode 100755
index 0000000000..d409fd3e82
--- /dev/null
+++ b/packages/panw_cortex_xdr/1.3.1/changelog.yml
@@ -0,0 +1,81 @@
+# newer versions go on top
+- version: "1.3.1"
+ changes:
+ - description: Fix rate limit.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3635
+- version: "1.3.0"
+ changes:
+ - description: Update package to ECS 8.3.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3353
+- version: "1.2.1"
+ changes:
+ - description: Updated the links in the file to Palo Alto Cortex XDR documentation
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3144
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 8.2 to use new email field set.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2799
+- version: "1.1.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2431
+- version: "1.0.0"
+ changes:
+ - description: GA integration
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2360
+- version: "0.3.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2275
+- version: "0.2.6"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "0.2.5"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "0.2.4"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2092
+- version: "0.2.3"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1980
+- version: "0.2.2"
+ changes:
+ - description: Fix duplicate events
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1921
+- version: "0.2.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1841
+- version: "0.2.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1673
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1327
diff --git a/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/agent/stream/httpjson.yml.hbs b/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..4410a95a5b
--- /dev/null
+++ b/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,82 @@
+config_version: "2"
+interval: {{interval}}
+request.method: POST
+
+{{#if url}}
+request.url: {{url}}/public_api/v1/alerts/get_alerts_multi_events
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if request_timeout}}
+request.timeout: {{request_timeout}}
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+request.rate_limit:
+ limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]'
+ remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]'
+ reset: '[[(parseDate (.last_response.header.Get "X-Rate-Limit-Reset")).Unix]]'
+request.transforms:
+- set:
+ target: header.Authorization
+ value: {{api_token}}
+- set:
+ target: header.x-xdr-auth-id
+ value: {{token_id}}
+- set:
+ target: body.request_data.sort.field
+ value: creation_time
+- set:
+ target: body.request_data.sort.keyword
+ value: asc
+- append:
+ target: body.request_data.filters
+ value: |-
+ {
+ "field": "creation_time",
+ "operator": "gte",
+ "value": [[ .cursor.next_ts ]]
+ }
+ default: |-
+ {
+ "field": "creation_time",
+ "operator": "gte",
+ "value": [[ mul (add (now (parseDuration "-{{initial_interval}}")).Unix) 1000 ]]
+ }
+ value_type: json
+response.split:
+ target: body.reply.alerts
+ split:
+ target: body.events
+ keep_parent: true
+response.pagination:
+ - set:
+ target: body.request_data.search_from
+ value: "[[mul .last_response.page 100]]"
+ value_type: int
+ fail_on_template_error: true
+ - set:
+ target: body.request_data.search_to
+ value: "[[add (mul .last_response.page 100) 100]]"
+ value_type: int
+ fail_on_template_error: true
+cursor:
+ next_ts:
+ value: "[[.last_event.detection_timestamp]]"
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
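Review bot: The Authorization header value at `value: {{api_token}}` is rendered as an unquoted plain scalar, so a token that starts with a YAML indicator (`*`, `&`, `[`, `{`, `#`, `!`) or contains `: ` or ` #` either fails to parse or silently changes the generated input config; `value: {{token_id}}` and `request.url: {{url}}/public_api/v1/alerts/get_alerts_multi_events` have the same exposure. Quoting the templated scalars, e.g. `value: "{{api_token}}"`, `value: "{{token_id}}"` and `request.url: "{{url}}/public_api/v1/alerts/get_alerts_multi_events"`, keeps the rendered YAML well-formed regardless of credential or URL content. Separately, the cursor is advanced from `.last_event.detection_timestamp` while the request filter compares `creation_time`; if those two API fields can differ for an alert, the next poll may re-fetch or skip alerts at the boundary, so either confirm they are equivalent or add a comment above `cursor:` stating why `detection_timestamp` is the right watermark for a `creation_time` filter.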
diff --git a/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..099284420f
--- /dev/null
+++ b/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,458 @@
+---
+description: Pipeline for Palo Alto XDR API.
+processors:
+ - set:
+ field: ecs.version
+ value: "8.3.0"
+ - set:
+ field: event.kind
+ value: alert
+ - append:
+ field: event.category
+ value: malware
+ - append:
+ field: event.type
+ value: info
+ - rename:
+ field: message
+ target_field: event.original
+ - json:
+ field: event.original
+ target_field: panw_cortex.xdr
+ - fingerprint:
+ fields:
+ - panw_cortex.xdr.events.event_timestamp
+ - panw_cortex.xdr.events.event_id
+ - panw_cortex.xdr.events.event_type
+ - panw_cortex.xdr.alert_id
+ target_field: "_id"
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean drop(Object o) {
+ if (o == null || o == "") {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+ - date:
+ field: panw_cortex.xdr.events.event_timestamp
+ formats:
+ - UNIX_MS
+ if: ctx.panw_cortex?.xdr?.events?.event_timestamp != null
+ - date:
+ field: panw_cortex.xdr.detection_timestamp
+ target_field: event.created
+ formats:
+ - UNIX_MS
+ if: ctx.panw_cortex?.xdr?.detection_timestamp != null
+ - date:
+ field: panw_cortex.xdr.end_match_attempt_ts
+ target_field: panw_cortex.xdr.end_match_attempt_ts
+ formats:
+ - UNIX_MS
+ if: ctx.panw_cortex?.xdr?.end_match_attempt_ts != null
+ - date:
+ field: panw_cortex.xdr.local_insert_ts
+ target_field: panw_cortex.xdr.local_insert_ts
+ formats:
+ - UNIX_MS
+ if: ctx.panw_cortex?.xdr?.local_insert_ts != null
+ - rename:
+ field: panw_cortex.xdr.name
+ target_field: message
+ ignore_missing: true
+ - set:
+ field: event.severity
+ value: 0
+ if: ctx.panw_cortex?.xdr?.severity == "unknown"
+ - set:
+ field: event.severity
+ value: 1
+ if: ctx.panw_cortex?.xdr?.severity == "informational"
+ - set:
+ field: event.severity
+ value: 2
+ if: ctx.panw_cortex?.xdr?.severity == "low"
+ - set:
+ field: event.severity
+ value: 3
+ if: ctx.panw_cortex?.xdr?.severity == "medium"
+ - set:
+ field: event.severity
+ value: 4
+ if: ctx.panw_cortex?.xdr?.severity == "high"
+ - rename:
+ field: panw_cortex.xdr.external_id
+ target_field: event.id
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.action
+ target_field: event.action
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.description
+ target_field: event.reason
+ ignore_missing: true
+ if: "ctx.panw_cortex?.xdr?.description != null && ctx.panw_cortex.xdr.description instanceof String"
+ - rename:
+ field: panw_cortex.xdr.description
+ target_field: panw_cortex.xdr.bioc_description
+ ignore_missing: true
+ if: "ctx.event?.reason == null && ctx.panw_cortex?.xdr?.description != null && ctx.panw_cortex?.xdr?.description instanceof List"
+ - set:
+ field: event.reason
+ value: Bioc Event
+ if: "ctx.event?.reason == null && ctx.panw_cortex?.xdr?.bioc_description != null"
+ - rename:
+ field: panw_cortex.xdr.agent_device_domain
+ target_field: host.domain
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.agent_fqdn
+ target_field: host.hostname
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.host_name
+ target_field: host.hostname
+ ignore_missing: true
+ if: ctx.host?.hostname == null
+ - set:
+ field: host.name
+ copy_from: host.hostname
+ if: ctx.host?.hostname != null
+ - rename:
+ field: panw_cortex.xdr.agent_os_type
+ target_field: host.os.name
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.agent_os_sub_type
+ target_field: host.os.version
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.mac_addresses
+ target_field: host.mac
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.host_ip
+ target_field: host.ip
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.endpoint_id
+ target_field: host.id
+ ignore_missing: true
+ - split:
+ field: panw_cortex.xdr.mac
+ target_field: host.mac
+ separator: ","
+ ignore_missing: true
+ if: ctx.host?.mac == null
+ - remove:
+ field:
+ - panw_cortex.xdr.mac
+ ignore_missing: true
+ if: ctx.host?.mac != null
+ - rename:
+ field: panw_cortex.xdr.events.dns_query_name
+ target_field: dns.question.name
+ ignore_missing: true
+ #The Action actor is an an activity that took place and was recorded by the agent.
+ - convert:
+ field: panw_cortex.xdr.events.action_remote_ip
+ target_field: destination.ip
+ type: ip
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: panw_cortex.xdr.events.action_remote_port
+ target_field: destination.port
+ type: long
+ ignore_missing: true
+ - convert:
+ field: panw_cortex.xdr.events.action_local_ip
+ target_field: source.ip
+ type: ip
+ ignore_missing: true
+ - convert:
+ field: panw_cortex.xdr.events.action_local_port
+ target_field: source.port
+ type: long
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.action_process_image_sha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.action_process_image_command_line
+ target_field: process.command_line
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.action_process_image_name
+ target_field: process.name
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.action_process_signature_vendor
+ target_field: process.code_signature.subject_name
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.action_process_signature_status
+ target_field: process.code_signature.status
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.action_process_instance_id
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.actor_process_command_line
+ target_field: process.command_line
+ ignore_missing: true
+ if: ctx.process?.command_line == null
+ - rename:
+ field: panw_cortex.xdr.events.action_file_path
+ target_field: file.path
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.action_file_name
+ target_field: file.name
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.action_file_md5
+ target_field: file.hash.md5
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.action_file_sha256
+ target_field: file.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.action_registry_key_name
+ target_field: registry.key
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.action_registry_value_name
+ target_field: registry.value
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.action_registry_full_key
+ target_field: registry.path
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.action_registry_data
+ target_field: registry.data.strings
+ ignore_missing: true
+ #The Actor actor is the process that performed the action.
+ - rename:
+ field: panw_cortex.xdr.events.actor_process_os_pid
+ target_field: process.pid
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.actor_process_instance_id
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.actor_process_image_path
+ target_field: process.executable
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.actor_process_command_line
+ target_field: process.command_line
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.actor_process_image_name
+ target_field: process.name
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.actor_process_signature_vendor
+ target_field: process.code_signature.subject_name
+ ignore_missing: true
+ if: ctx.process?.code_signature?.subject_name == null
+ - rename:
+ field: panw_cortex.xdr.events.actor_process_image_sha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.actor_process_image_md5
+ target_field: process.hash.md5
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.actor_thread_thread_id
+ target_field: process.thread.id
+ ignore_missing: true
+ #The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR agent identified as being responsible for initiating the process tree.
+ - rename:
+ field: panw_cortex.xdr.events.causality_actor_process_image_name
+ target_field: process.parent.name
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.causality_actor_process_image_path
+ target_field: process.parent.executable
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.causality_actor_process_image_md5
+ target_field: process.parent.hash.md5
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.causality_actor_process_image_sha256
+ target_field: process.parent.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.causality_actor_causality_id
+ target_field: process.parent.entity_id
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.causality_actor_process_signature_vendor
+ target_field: process.parent.code_signature.subject_name
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.causality_actor_process_signature_status
+ target_field: process.parent.code_signature.status
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.causality_actor_process_command_line
+ target_field: process.parent.command_line
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.causality_actor_process_execution_time
+ target_field: process.parent.uptime
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.user_name
+ target_field: user.name
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.fw_rule
+ target_field: rule.name
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.fw_rule_id
+ target_field: rule.id
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.fw_interface_from
+ target_field: observer.ingress.interface.name
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.fw_interface_to
+ target_field: observer.egress.interface.name
+ ignore_missing: true
+ - rename:
+ field: panw_cortex.xdr.events.fw_serial_number
+ target_field: observer.serial_number
+ ignore_missing: true
+ - set:
+ field: email.subject
+ copy_from: panw_cortex.xdr.events.fw_email_subject
+ if: "ctx?.panw_cortex.xdr?.events?.fw_email_subject != null"
+ - append:
+ field: email.from.address
+ value: "{{{panw_cortex.xdr.events.fw_email_sender}}}"
+ if: "ctx?.panw_cortex.xdr?.events?.fw_email_sender != null"
+ - append:
+ field: email.to.address
+ value: "{{{panw_cortex.xdr.events.fw_email_recipient}}}"
+ if: "ctx?.panw_cortex.xdr?.events?.fw_email_recipient != null"
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: "{{{process.parent.hash.md5}}}"
+ allow_duplicates: false
+ if: ctx.process?.parent?.hash?.md5 != null
+ - append:
+ field: related.hash
+ value: "{{{process.parent.hash.sha256}}}"
+ allow_duplicates: false
+ if: ctx.process?.parent?.hash?.sha256 != null
+ - append:
+ field: related.hash
+ value: "{{{process.hash.md5}}}"
+ allow_duplicates: false
+ if: ctx.process?.hash?.md5 != null
+ - append:
+ field: related.hash
+ value: "{{{process.hash.sha256}}}"
+ allow_duplicates: false
+ if: ctx.process?.hash?.sha256 != null
+ - append:
+ field: related.hash
+ value: "{{{file.hash.sha256}}}"
+ allow_duplicates: false
+ if: ctx.file?.hash?.sha256 != null
+ - append:
+ field: related.hash
+ value: "{{{file.hash.md5}}}"
+ allow_duplicates: false
+ if: ctx.file?.hash?.md5 != null
+ - append:
+ field: related.user
+ value: "{{{user.name}}}"
+ allow_duplicates: false
+ if: ctx.user?.name != null
+ - remove:
+ field:
+ - panw_cortex.xdr.host_name
+ - panw_cortex.xdr.detection_timestamp
+ - panw_cortex.xdr.events.event_timestamp
+ - panw_cortex.xdr.severity
+ - panw_cortex.xdr.events.action_remote_ip
+ - panw_cortex.xdr.events.action_remote_port
+ - panw_cortex.xdr.events.action_local_ip
+ - panw_cortex.xdr.events.action_local_port
+ - panw_cortex.xdr.events.action_country
+ - panw_cortex.xdr.bioc_indicator
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
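Review bot: The unguarded `actor_*` renames into `process.entity_id`, `process.command_line`, `process.name` and `process.hash.sha256` (from `actor_process_instance_id`, `actor_process_command_line`, `actor_process_image_name`, `actor_process_image_sha256`) target fields that the earlier `action_*` renames may already have populated, and the rename processor fails when its target exists, so an alert carrying both an action and an actor process would land in `on_failure` with its ECS mapping lost. The guard this pipeline already uses for `actor_process_signature_vendor` should be applied to each of them, e.g. `if: ctx.process?.name == null` on the `actor_process_image_name` rename, and the second `actor_process_command_line` rename duplicates the guarded one above it and can simply be dropped. Separately, the three email conditions put the null-safe operator on `ctx` instead of on `panw_cortex` (`ctx?.panw_cortex.xdr?.events?...`); if the drop script has removed an emptied `panw_cortex` map this dereferences null, whereas the form used everywhere else, `ctx.panw_cortex?.xdr?.events?.fw_email_subject != null`, does not. The three `#The ... actor` comments would also read better with a space after `#` and the "an an" typo fixed.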
diff --git a/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/fields/agent.yml b/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/fields/agent.yml
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/fields/base-fields.yml b/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/fields/base-fields.yml
new file mode 100755
index 0000000000..26897c3d3e
--- /dev/null
+++ b/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: panw_cortex
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: panw_cortex_xdr.alerts
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/fields/beats.yml b/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/fields/ecs.yml b/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/fields/ecs.yml
new file mode 100755
index 0000000000..6591f46f0a
--- /dev/null
+++ b/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/fields/ecs.yml
@@ -0,0 +1,327 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: The email address of the sender, typically from the RFC 5322 `From:` header field.
+ name: email.from.address
+ type: keyword
+- description: The email address of recipient
+ name: email.to.address
+ type: keyword
+- description: A brief summary of the topic of the message.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: email.subject
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ The numeric severity of the event according to your event source.
+ What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
+ The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
+ name: event.severity
+ type: long
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ Reason why this event happened, according to the source.
+ This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
+ name: event.reason
+ type: keyword
+- description: |-
+ Name of the domain of which the host is a member.
+ For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
+ name: host.domain
+ type: keyword
+- description: |-
+ Hostname of the host.
+ It normally contains what the `hostname` command returns on the host machine.
+ name: host.hostname
+ type: keyword
+- description: Operating system version as a raw string.
+ name: host.os.version
+ type: keyword
+- description: |-
+ Host MAC addresses.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: host.mac
+ pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
+ type: keyword
+- description: Host ip addresses.
+ name: host.ip
+ type: ip
+- description: |-
+ Unique host id.
+ As hostname is not always unique, use values that are meaningful in your environment.
+ Example: The current usage of `beat.name`.
+ name: host.id
+ type: keyword
+- description: |-
+ The name being queried.
+ If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
+ name: dns.question.name
+ type: keyword
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: destination.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.as.organization.name
+ type: keyword
+- description: Name of the continent.
+ name: destination.geo.continent_name
+ type: keyword
+- description: City name.
+ name: destination.geo.city_name
+ type: keyword
+- description: Country ISO code.
+ name: destination.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: destination.geo.country_name
+ type: keyword
+- description: Region ISO code.
+ name: destination.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: destination.geo.region_name
+ type: keyword
+- description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ name: destination.geo.location
+ type: geo_point
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ name: source.geo.location
+ type: geo_point
+- description: SHA256 hash.
+ name: process.hash.sha256
+ type: keyword
+- description: |-
+ Full command line that started the process, including the absolute path to the executable, and all arguments.
+ Some arguments may be filtered to protect sensitive information.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.command_line
+ type: wildcard
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.name
+ type: keyword
+- description: Subject name of the code signer
+ name: process.code_signature.subject_name
+ type: keyword
+- description: |-
+ Additional information about the certificate status.
+ This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+ name: process.code_signature.status
+ type: keyword
+- description: |-
+ Unique identifier for the process.
+ The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
+ Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+ name: process.entity_id
+ type: keyword
+- description: Process id.
+ name: process.pid
+ type: long
+- description: Absolute path to the process executable.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.executable
+ type: keyword
+- description: MD5 hash.
+ name: process.hash.md5
+ type: keyword
+- description: Thread ID.
+ name: process.thread.id
+ type: long
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.name
+ type: keyword
+- description: Absolute path to the process executable.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.executable
+ type: keyword
+- description: MD5 hash.
+ name: process.parent.hash.md5
+ type: keyword
+- description: SHA256 hash.
+ name: process.parent.hash.sha256
+ type: keyword
+- description: |-
+ Unique identifier for the process.
+ The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
+ Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+ name: process.parent.entity_id
+ type: keyword
+- description: Subject name of the code signer
+ name: process.parent.code_signature.subject_name
+ type: keyword
+- description: |-
+ Additional information about the certificate status.
+ This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
+ name: process.parent.code_signature.status
+ type: keyword
+- description: |-
+ Full command line that started the process, including the absolute path to the executable, and all arguments.
+ Some arguments may be filtered to protect sensitive information.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.command_line
+ type: wildcard
+- description: Seconds the process has been up.
+ name: process.parent.uptime
+ type: long
+- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.path
+ type: keyword
+- description: Name of the file including the extension, without the directory.
+ name: file.name
+ type: keyword
+- description: MD5 hash.
+ name: file.hash.md5
+ type: keyword
+- description: SHA256 hash.
+ name: file.hash.sha256
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: The name of the rule or signature generating the event.
+ name: rule.name
+ type: keyword
+- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
+ name: rule.id
+ type: keyword
+- description: Interface name as reported by the system.
+ name: observer.ingress.interface.name
+ type: keyword
+- description: Interface name as reported by the system.
+ name: observer.egress.interface.name
+ type: keyword
+- description: Observer serial number.
+ name: observer.serial_number
+ type: keyword
+- description: Hive-relative path of keys.
+ name: registry.key
+ type: keyword
+- description: Name of the value written.
+ name: registry.value
+ type: keyword
+- description: Full path, including hive, key and value
+ name: registry.path
+ type: keyword
+- description: |-
+ Content when writing string types.
+ Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+ name: registry.data.strings
+ type: wildcard
+- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
+ name: related.hash
+ type: keyword
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
diff --git a/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/fields/fields.yml b/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/fields/fields.yml
new file mode 100755
index 0000000000..2d77754219
--- /dev/null
+++ b/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/fields/fields.yml
@@ -0,0 +1,276 @@
+- name: panw_cortex.xdr
+ type: group
+ fields:
+ - name: external_id
+ type: keyword
+ description: |
+ External ID related to the Alert itself.
+ - name: matching_status
+ type: keyword
+ description: |
+ Matching status of the endpoint group.
+ - name: end_match_attempt_ts
+ type: date
+ - name: local_insert_ts
+ type: date
+ - name: bioc_indicator
+ type: keyword
+ description: |
+ The Behavioral Indicator type matching to the event.
+ - name: description
+ type: keyword
+ description: |
+ A description of the related event.
+ - name: bioc_description
+ type: object
+ description: |
+ A description of the related bioc event.
+ - name: matching_service_rule_id
+ type: keyword
+ - name: attempt_counter
+ type: long
+ description: |
+ Attempts to block or stop the malicious process.
+ - name: bioc_category_enum_key
+ type: keyword
+ description: |
+ Behavior Indicator type key.
+ - name: is_whitelisted
+ type: boolean
+ description: |
+ If process is whitelisted.
+ - name: starred
+ type: boolean
+ description: |
+ If alert type is prioritized (starred).
+ - name: deduplicate_tokens
+ type: keyword
+ - name: filter_rule_id
+ type: keyword
+ description: |
+ ID of the filter rule.
+ - name: mitre_technique_id_and_name
+ type: keyword
+ - name: mitre_tactic_id_and_name
+ type: keyword
+ - name: agent_version
+ type: keyword
+ description: |
+ Version of the XDR Endpoint agent.
+ - name: agent_data_collection_status
+ type: boolean
+ description: |
+ Collection status of the agent.
+ - name: mac
+ type: keyword
+ description: |
+ Main MAC address of the agent.
+ - name: mac_address
+ type: keyword
+ description: |
+ Array of all the MAC addresses related to the agent.
+ - name: agent_is_vdi
+ type: keyword
+ description: |
+ If agent is running inside a Virtual Desktop.
+ - name: alert_id
+ type: keyword
+ description: |
+ The ID of the alert.
+ - name: category
+ type: keyword
+ description: |
+ The Alert category.
+ - name: endpoint_id
+ type: keyword
+ description: |
+ The unique ID of the endpoint.
+ - name: source
+ type: keyword
+ - name: action_pretty
+ type: keyword
+ description: |
+ Pretty description of the action type.
+ - name: events
+ type: group
+ fields:
+ - name: contains_featured_host
+ type: keyword
+ - name: contains_featured_user
+ type: keyword
+ - name: contains_featured_ip
+ type: keyword
+ - name: agent_install_type
+ type: keyword
+ description: |
+ Display name of the actor.
+ - name: agent_host_boot_time
+ type: keyword
+ description: |
+ Uptime of the host.
+ - name: event_sub_type
+ type: keyword
+ description: |
+ Sub type of the event related to the alert.
+ - name: module_id
+ type: keyword
+ description: |
+ The ID of the module that caught the event.
+ - name: association_strength
+ type: long
+ - name: dst_association_strength
+ type: long
+ - name: story_id
+ type: keyword
+ - name: event_id
+ type: keyword
+ description: |
+ The ID unique to the underlying event related to the alert.
+ - name: event_type
+ type: keyword
+ description: |
+ Event type
+ - name: actor_process_causality_id
+ type: keyword
+ description: |
+ The parent processor ID related to the actor.
+ - name: action_file_macro_sha256
+ type: keyword
+ - name: action_external_hostname
+ type: keyword
+ description: |
+ Any external hostname related to the specific event action.
+ - name: action_country
+ type: keyword
+ - name: action_process_causality_id
+ type: keyword
+ description: |
+ The parent processor ID related to the action.
+ - name: os_actor_effective_username
+ type: keyword
+ description: |
+ Username related to the OS actor.
+ - name: os_actor_process_instance_id
+ type: keyword
+ description: |
+ The process ID related to the OS actor.
+ - name: os_actor_process_image_path
+ type: keyword
+ description: |
+ OS actor binary path.
+ - name: os_actor_process_image_name
+ type: keyword
+ description: |
+ OS actor binary name.
+ - name: os_actor_process_command_line
+ type: keyword
+ description: |
+ OS actor full command line example.
+ - name: os_actor_process_signature_status
+ type: keyword
+ description: |
+ Signature of the OS actor process.
+ - name: os_actor_process_signature_vendor
+ type: keyword
+ description: |
+ Signature vendor of the OS actor process.
+ - name: os_actor_process_image_sha256
+ type: keyword
+ description: |
+ SHA256 hash indentifier of the OS actor process.
+ - name: os_actor_process_causality_id
+ type: keyword
+ description: |
+ The ID of the parent process related to the OS actor.
+ - name: os_actor_causality_id
+ type: keyword
+ description: |
+ The ID of the OS actor process
+ - name: os_actor_process_os_pid
+ type: keyword
+ description: |
+ The OS PID related to the related process.
+ - name: os_actor_thread_thread_id
+ type: keyword
+ description: |
+ The thread ID related to the related OS actor process.
+ - name: fw_app_id
+ type: keyword
+ description: |
+ The layer 7 application ID from the firewall event.
+ - name: fw_device_name
+ type: keyword
+ description: |
+ Related firewall device.
+ - name: fw_url_domain
+ type: keyword
+ description: |
+ Related domain to the firewall event.
+ - name: fw_email_subject
+ type: keyword
+ - name: fw_email_sender
+ type: keyword
+ - name: fw_email_recipient
+ type: keyword
+ - name: fw_app_subcategory
+ type: keyword
+ description: |
+ Layer 7 application subcategory related to the firewall event.
+ - name: fw_app_category
+ type: keyword
+ description: |
+ Layer 7 application category related to the firewall event.
+ - name: fw_app_technology
+ type: keyword
+ description: |
+ Layer 7 application type related to the firewall event.
+ - name: fw_vsys
+ type: keyword
+ description: |
+ The related VSYS name if applicable.
+ - name: fw_xff
+ type: keyword
+ - name: fw_misc
+ type: keyword
+ description: |
+ Additional information related to the firewall event.
+ - name: fw_is_phishing
+ type: keyword
+ description: |
+ If event is related to a phishing campaign.
+ - name: dst_agent_id
+ type: keyword
+ description: |
+ The endpoint ID of a destination agent.
+ - name: dst_causality_actor_process_execution_time
+ type: keyword
+ description: |
+ The process execution time of the destination process.
+ - name: dns_query_name
+ type: keyword
+ description: |
+ The related DNS query for the event.
+ - name: dst_action_external_hostname
+ type: keyword
+ description: |
+ The external hostname of the destination.
+ - name: dst_action_country
+ type: keyword
+ description: |
+ The country related to the destination.
+ - name: dst_action_external_port
+ type: keyword
+ description: |
+ The external (NAT) port of the destination.
+ - name: actor_causality_id
+ type: keyword
+ description: |
+ The parent process ID of the actor process.
+ - name: actor_process_signature_status
+ type: keyword
+ description: |
+ The signature of the actor process.
+ - name: actor_process_signature_vendor
+ type: keyword
+ description: |
+ The signature vendor of the actor process.
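Review bot: The description of `agent_install_type` in the `events` group reads `Display name of the actor.`, which does not match the field name and looks copied from a neighbouring entry; it should describe the install type itself, or be dropped like the other undocumented fields in the group (`story_id`, `fw_xff`, `fw_email_*`). The description of `os_actor_process_image_sha256` also carries the typo `indentifier` → `identifier`. `agent_host_boot_time` is typed `keyword` but described as `Uptime of the host.` — if the API returns a timestamp here, `date` would be the more useful mapping, though that cannot be confirmed from the diff alone since the sample event has it as `null`.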
diff --git a/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/manifest.yml b/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/manifest.yml
new file mode 100755
index 0000000000..b49e4ad0ef
--- /dev/null
+++ b/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/manifest.yml
@@ -0,0 +1,92 @@
+type: logs
+title: Palo Alto Cortex XDR API
+streams:
+ - input: httpjson
+ vars:
+ - name: url
+ type: text
+ title: Palo Alto Cortex XDR API Domain
+ multi: false
+ required: true
+ show_user: true
+ description: The URL hosting the API endpoint.
+ default: https://test.xdr.eu.paloaltonetworks.com
+ - name: api_token
+ type: text
+ title: Palo Alto Cortex XDR API Token
+ multi: false
+ required: true
+ show_user: true
+ description: API token from the XDR UI.
+ - name: token_id
+ type: text
+ title: Palo Alto Cortex XDR API Token ID
+ multi: false
+ required: true
+ show_user: true
+ default: 1
+ description: The token ID related to the above API token
+ - name: request_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: true
+ default: 30s
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 5m
+ description: How often the API is polled for new alerts.
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 24h
+ description: How far back in time to look for alerts the first time running.
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: true
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - panw_cortex_xdr
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: Palo Alto Cortex XDR
+ description: Palo Alto Cortex XDR API
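Review bot: The `api_token` var is declared `type: text`, so the API secret is shown in clear text in the Fleet policy editor; package-spec supports `type: password` for variables, and changing the declaration to `type: password` masks the value in the UI without affecting how the template consumes it. The `token_id` var is `type: text` but its default `1` is an unquoted YAML integer, so the rendered default does not have the declared type — write `default: "1"`. The `url` default `https://test.xdr.eu.paloaltonetworks.com` looks like a placeholder tenant rather than a real endpoint; if so, the description should say the tenant-specific API domain must be substituted, and `request_timeout` has no description at all, e.g. `description: Duration before declaring that the HTTP client connection has timed out.`.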
diff --git a/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/sample_event.json b/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/sample_event.json
new file mode 100755
index 0000000000..0545a93862
--- /dev/null
+++ b/packages/panw_cortex_xdr/1.3.1/data_stream/alerts/sample_event.json
@@ -0,0 +1,112 @@
+{
+ "@timestamp": "2020-10-21T11:31:28.980Z",
+ "agent": {
+ "ephemeral_id": "a7da9a06-658a-4f11-a037-4f3c5009996a",
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "data_stream": {
+ "dataset": "panw_cortex_xdr.alerts",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "elastic_agent": {
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "action": "BLOCKED",
+ "agent_id_status": "verified",
+ "category": [
+ "malware"
+ ],
+ "created": "2020-10-21T11:31:28.980Z",
+ "dataset": "panw_cortex_xdr.alerts",
+ "id": "800800",
+ "ingested": "2022-01-02T08:57:33Z",
+ "kind": "alert",
+ "original": "{\"action\":\"BLOCKED\",\"action_pretty\":\"Prevented (Blocked)\",\"agent_data_collection_status\":true,\"agent_device_domain\":null,\"agent_fqdn\":\"test\",\"agent_is_vdi\":null,\"agent_os_sub_type\":\"XP\",\"agent_os_type\":\"Windows\",\"agent_version\":\"1.2.3.4\",\"alert_id\":\"1001\",\"attempt_counter\":55,\"bioc_category_enum_key\":null,\"bioc_indicator\":null,\"category\":\"Exploit\",\"deduplicate_tokens\":null,\"description\":\"Local privilege escalation prevented\",\"detection_timestamp\":1603279888980,\"end_match_attempt_ts\":1603552062824,\"endpoint_id\":\"12345678\",\"events\":{\"action_country\":\"UNKNOWN\",\"action_external_hostname\":null,\"action_file_macro_sha256\":null,\"action_file_md5\":null,\"action_file_name\":null,\"action_file_path\":null,\"action_file_sha256\":null,\"action_local_ip\":null,\"action_local_port\":null,\"action_process_causality_id\":null,\"action_process_image_command_line\":null,\"action_process_image_name\":null,\"action_process_image_sha256\":null,\"action_process_instance_id\":null,\"action_process_signature_status\":\"N/A\",\"action_process_signature_vendor\":null,\"action_registry_data\":null,\"action_registry_full_key\":null,\"action_registry_key_name\":null,\"action_registry_value_name\":null,\"action_remote_ip\":null,\"action_remote_port\":null,\"actor_causality_id\":null,\"actor_process_causality_id\":null,\"actor_process_command_line\":\"c:\\\\tmp\\\\virus.exe\",\"actor_process_image_md5\":null,\"actor_process_image_name\":\"virus.exe\",\"actor_process_image_path\":\"c:\\\\tmp\\\\virus.exe\",\"actor_process_image_sha256\":\"133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44\",\"actor_process_instance_id\":\"1234\",\"actor_process_os_pid\":1234,\"actor_process_signature_status\":\"N/A\",\"actor_process_signature_vendor\":null,\"actor_thread_thread_id\":null,\"agent_host_boot_time\":null,\"agent_install_type\":\"NA\",\"association_strength\":null,\"causality_actor_causality_id\":null,\"cau
sality_actor_process_command_line\":null,\"causality_actor_process_execution_time\":null,\"causality_actor_process_image_md5\":null,\"causality_actor_process_image_name\":null,\"causality_actor_process_image_path\":null,\"causality_actor_process_image_sha256\":null,\"causality_actor_process_signature_status\":\"N/A\",\"causality_actor_process_signature_vendor\":null,\"dns_query_name\":null,\"dst_action_country\":null,\"dst_action_external_hostname\":null,\"dst_action_external_port\":null,\"dst_agent_id\":null,\"dst_association_strength\":null,\"dst_causality_actor_process_execution_time\":null,\"event_id\":null,\"event_sub_type\":null,\"event_timestamp\":1603279888980,\"event_type\":\"Process Execution\",\"fw_app_category\":null,\"fw_app_id\":null,\"fw_app_subcategory\":null,\"fw_app_technology\":null,\"fw_device_name\":null,\"fw_email_recipient\":null,\"fw_email_sender\":null,\"fw_email_subject\":null,\"fw_interface_from\":null,\"fw_interface_to\":null,\"fw_is_phishing\":\"N/A\",\"fw_misc\":null,\"fw_rule\":null,\"fw_rule_id\":null,\"fw_serial_number\":null,\"fw_url_domain\":null,\"fw_vsys\":null,\"fw_xff\":null,\"module_id\":\"Privilege Escalation 
Protection\",\"os_actor_causality_id\":null,\"os_actor_effective_username\":null,\"os_actor_process_causality_id\":null,\"os_actor_process_command_line\":null,\"os_actor_process_image_name\":null,\"os_actor_process_image_path\":null,\"os_actor_process_image_sha256\":null,\"os_actor_process_instance_id\":null,\"os_actor_process_os_pid\":null,\"os_actor_process_signature_status\":\"N/A\",\"os_actor_process_signature_vendor\":null,\"os_actor_thread_thread_id\":null,\"story_id\":null,\"user_name\":null},\"external_id\":\"800800\",\"filter_rule_id\":null,\"host_ip\":[\"10.0.255.20\"],\"host_name\":\"Test\",\"is_whitelisted\":false,\"local_insert_ts\":1603279967500,\"mac\":null,\"mac_address\":[\"00:11:22:33:44:55\"],\"matching_service_rule_id\":null,\"matching_status\":\"FAILED\",\"mitre_tactic_id_and_name\":[\"\"],\"mitre_technique_id_and_name\":[\"\"],\"name\":\"Kernel Privilege Escalation\",\"severity\":\"high\",\"source\":\"XDR Agent\",\"starred\":false}",
+ "reason": "Local privilege escalation prevented",
+ "severity": 4,
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "hostname": "test",
+ "id": "12345678",
+ "ip": [
+ "10.0.255.20"
+ ],
+ "name": "test",
+ "os": {
+ "name": "Windows",
+ "version": "XP"
+ }
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "message": "Kernel Privilege Escalation",
+ "panw_cortex": {
+ "xdr": {
+ "action_pretty": "Prevented (Blocked)",
+ "agent_data_collection_status": true,
+ "agent_version": "1.2.3.4",
+ "alert_id": "1001",
+ "attempt_counter": 55,
+ "category": "Exploit",
+ "end_match_attempt_ts": "2020-10-24T15:07:42.824Z",
+ "events": {
+ "actor_process_signature_status": "N/A",
+ "agent_install_type": "NA",
+ "event_type": "Process Execution",
+ "fw_is_phishing": "N/A",
+ "module_id": "Privilege Escalation Protection",
+ "os_actor_process_signature_status": "N/A"
+ },
+ "is_whitelisted": false,
+ "local_insert_ts": "2020-10-21T11:32:47.500Z",
+ "mac_address": [
+ "00:11:22:33:44:55"
+ ],
+ "matching_status": "FAILED",
+ "source": "XDR Agent",
+ "starred": false
+ }
+ },
+ "process": {
+ "code_signature": {
+ "status": "N/A"
+ },
+ "command_line": "c:\\tmp\\virus.exe",
+ "entity_id": "1234",
+ "executable": "c:\\tmp\\virus.exe",
+ "hash": {
+ "sha256": "133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44"
+ },
+ "name": "virus.exe",
+ "parent": {
+ "code_signature": {
+ "status": "N/A"
+ }
+ },
+ "pid": 1234
+ },
+ "related": {
+ "hash": [
+ "133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "panw_cortex_xdr"
+ ]
+}
\ No newline at end of file
diff --git a/packages/panw_cortex_xdr/1.3.1/docs/README.md b/packages/panw_cortex_xdr/1.3.1/docs/README.md
new file mode 100755
index 0000000000..1bf6e3efcd
--- /dev/null
+++ b/packages/panw_cortex_xdr/1.3.1/docs/README.md
@@ -0,0 +1,333 @@
+# Palo Alto Cortex XDR Integration
+
+The PANW XDR integration collects alerts with multiple events from the [Cortex XDR API,](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-apis/incident-management/get-alerts).
+
+## Logs
+
+### Alerts
+
+The Cortex XDR Alerts API is used to retrieve alerts generated by Cortex XDR based on raw endpoint data. A single alert might include one or more local endpoint events, each event generating its own document on Elasticsearch.
+
+The Palo Alto XDR integration requires both an API key and API key ID, both which can be retrieved from the Cortex XDR UI. See: [Get Started with Cortex XDR API](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-api-overview/get-started-with-cortex-xdr-apis.html)
+
+An example event for `alerts` looks as following:
+
+```json
+{
+ "@timestamp": "2020-10-21T11:31:28.980Z",
+ "agent": {
+ "ephemeral_id": "a7da9a06-658a-4f11-a037-4f3c5009996a",
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "data_stream": {
+ "dataset": "panw_cortex_xdr.alerts",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "elastic_agent": {
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "action": "BLOCKED",
+ "agent_id_status": "verified",
+ "category": [
+ "malware"
+ ],
+ "created": "2020-10-21T11:31:28.980Z",
+ "dataset": "panw_cortex_xdr.alerts",
+ "id": "800800",
+ "ingested": "2022-01-02T08:57:33Z",
+ "kind": "alert",
+ "original": "{\"action\":\"BLOCKED\",\"action_pretty\":\"Prevented (Blocked)\",\"agent_data_collection_status\":true,\"agent_device_domain\":null,\"agent_fqdn\":\"test\",\"agent_is_vdi\":null,\"agent_os_sub_type\":\"XP\",\"agent_os_type\":\"Windows\",\"agent_version\":\"1.2.3.4\",\"alert_id\":\"1001\",\"attempt_counter\":55,\"bioc_category_enum_key\":null,\"bioc_indicator\":null,\"category\":\"Exploit\",\"deduplicate_tokens\":null,\"description\":\"Local privilege escalation prevented\",\"detection_timestamp\":1603279888980,\"end_match_attempt_ts\":1603552062824,\"endpoint_id\":\"12345678\",\"events\":{\"action_country\":\"UNKNOWN\",\"action_external_hostname\":null,\"action_file_macro_sha256\":null,\"action_file_md5\":null,\"action_file_name\":null,\"action_file_path\":null,\"action_file_sha256\":null,\"action_local_ip\":null,\"action_local_port\":null,\"action_process_causality_id\":null,\"action_process_image_command_line\":null,\"action_process_image_name\":null,\"action_process_image_sha256\":null,\"action_process_instance_id\":null,\"action_process_signature_status\":\"N/A\",\"action_process_signature_vendor\":null,\"action_registry_data\":null,\"action_registry_full_key\":null,\"action_registry_key_name\":null,\"action_registry_value_name\":null,\"action_remote_ip\":null,\"action_remote_port\":null,\"actor_causality_id\":null,\"actor_process_causality_id\":null,\"actor_process_command_line\":\"c:\\\\tmp\\\\virus.exe\",\"actor_process_image_md5\":null,\"actor_process_image_name\":\"virus.exe\",\"actor_process_image_path\":\"c:\\\\tmp\\\\virus.exe\",\"actor_process_image_sha256\":\"133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44\",\"actor_process_instance_id\":\"1234\",\"actor_process_os_pid\":1234,\"actor_process_signature_status\":\"N/A\",\"actor_process_signature_vendor\":null,\"actor_thread_thread_id\":null,\"agent_host_boot_time\":null,\"agent_install_type\":\"NA\",\"association_strength\":null,\"causality_actor_causality_id\":null,\"cau
sality_actor_process_command_line\":null,\"causality_actor_process_execution_time\":null,\"causality_actor_process_image_md5\":null,\"causality_actor_process_image_name\":null,\"causality_actor_process_image_path\":null,\"causality_actor_process_image_sha256\":null,\"causality_actor_process_signature_status\":\"N/A\",\"causality_actor_process_signature_vendor\":null,\"dns_query_name\":null,\"dst_action_country\":null,\"dst_action_external_hostname\":null,\"dst_action_external_port\":null,\"dst_agent_id\":null,\"dst_association_strength\":null,\"dst_causality_actor_process_execution_time\":null,\"event_id\":null,\"event_sub_type\":null,\"event_timestamp\":1603279888980,\"event_type\":\"Process Execution\",\"fw_app_category\":null,\"fw_app_id\":null,\"fw_app_subcategory\":null,\"fw_app_technology\":null,\"fw_device_name\":null,\"fw_email_recipient\":null,\"fw_email_sender\":null,\"fw_email_subject\":null,\"fw_interface_from\":null,\"fw_interface_to\":null,\"fw_is_phishing\":\"N/A\",\"fw_misc\":null,\"fw_rule\":null,\"fw_rule_id\":null,\"fw_serial_number\":null,\"fw_url_domain\":null,\"fw_vsys\":null,\"fw_xff\":null,\"module_id\":\"Privilege Escalation 
Protection\",\"os_actor_causality_id\":null,\"os_actor_effective_username\":null,\"os_actor_process_causality_id\":null,\"os_actor_process_command_line\":null,\"os_actor_process_image_name\":null,\"os_actor_process_image_path\":null,\"os_actor_process_image_sha256\":null,\"os_actor_process_instance_id\":null,\"os_actor_process_os_pid\":null,\"os_actor_process_signature_status\":\"N/A\",\"os_actor_process_signature_vendor\":null,\"os_actor_thread_thread_id\":null,\"story_id\":null,\"user_name\":null},\"external_id\":\"800800\",\"filter_rule_id\":null,\"host_ip\":[\"10.0.255.20\"],\"host_name\":\"Test\",\"is_whitelisted\":false,\"local_insert_ts\":1603279967500,\"mac\":null,\"mac_address\":[\"00:11:22:33:44:55\"],\"matching_service_rule_id\":null,\"matching_status\":\"FAILED\",\"mitre_tactic_id_and_name\":[\"\"],\"mitre_technique_id_and_name\":[\"\"],\"name\":\"Kernel Privilege Escalation\",\"severity\":\"high\",\"source\":\"XDR Agent\",\"starred\":false}",
+ "reason": "Local privilege escalation prevented",
+ "severity": 4,
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "hostname": "test",
+ "id": "12345678",
+ "ip": [
+ "10.0.255.20"
+ ],
+ "name": "test",
+ "os": {
+ "name": "Windows",
+ "version": "XP"
+ }
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "message": "Kernel Privilege Escalation",
+ "panw_cortex": {
+ "xdr": {
+ "action_pretty": "Prevented (Blocked)",
+ "agent_data_collection_status": true,
+ "agent_version": "1.2.3.4",
+ "alert_id": "1001",
+ "attempt_counter": 55,
+ "category": "Exploit",
+ "end_match_attempt_ts": "2020-10-24T15:07:42.824Z",
+ "events": {
+ "actor_process_signature_status": "N/A",
+ "agent_install_type": "NA",
+ "event_type": "Process Execution",
+ "fw_is_phishing": "N/A",
+ "module_id": "Privilege Escalation Protection",
+ "os_actor_process_signature_status": "N/A"
+ },
+ "is_whitelisted": false,
+ "local_insert_ts": "2020-10-21T11:32:47.500Z",
+ "mac_address": [
+ "00:11:22:33:44:55"
+ ],
+ "matching_status": "FAILED",
+ "source": "XDR Agent",
+ "starred": false
+ }
+ },
+ "process": {
+ "code_signature": {
+ "status": "N/A"
+ },
+ "command_line": "c:\\tmp\\virus.exe",
+ "entity_id": "1234",
+ "executable": "c:\\tmp\\virus.exe",
+ "hash": {
+ "sha256": "133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44"
+ },
+ "name": "virus.exe",
+ "parent": {
+ "code_signature": {
+ "status": "N/A"
+ }
+ },
+ "pid": 1234
+ },
+ "related": {
+ "hash": [
+ "133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "panw_cortex_xdr"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset name. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.port | Port of the destination. | long |
+| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword |
+| email.subject | A brief summary of the topic of the message. | keyword |
+| email.subject.text | Multi-field of `email.subject`. | match_only_text |
+| email.to.address | The email address of recipient | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
+| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| file.hash.md5 | MD5 hash. | keyword |
+| file.hash.sha256 | SHA256 hash. | keyword |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Path to the log file. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| observer.egress.interface.name | Interface name as reported by the system. | keyword |
+| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
+| observer.serial_number | Observer serial number. | keyword |
+| panw_cortex.xdr.action_pretty | Pretty description of the action type. | keyword |
+| panw_cortex.xdr.agent_data_collection_status | Collection status of the agent. | boolean |
+| panw_cortex.xdr.agent_is_vdi | If agent is running inside a Virtual Desktop. | keyword |
+| panw_cortex.xdr.agent_version | Version of the XDR Endpoint agent. | keyword |
+| panw_cortex.xdr.alert_id | The ID of the alert. | keyword |
+| panw_cortex.xdr.attempt_counter | Attempts to block or stop the malicious process. | long |
+| panw_cortex.xdr.bioc_category_enum_key | Behavior Indicator type key. | keyword |
+| panw_cortex.xdr.bioc_description | A description of the related bioc event. | object |
+| panw_cortex.xdr.bioc_indicator | The Behavioral Indicator type matching to the event. | keyword |
+| panw_cortex.xdr.category | The Alert category. | keyword |
+| panw_cortex.xdr.deduplicate_tokens | | keyword |
+| panw_cortex.xdr.description | A description of the related event. | keyword |
+| panw_cortex.xdr.end_match_attempt_ts | | date |
+| panw_cortex.xdr.endpoint_id | The unique ID of the endpoint. | keyword |
+| panw_cortex.xdr.events.action_country | | keyword |
+| panw_cortex.xdr.events.action_external_hostname | Any external hostname related to the specific event action. | keyword |
+| panw_cortex.xdr.events.action_file_macro_sha256 | | keyword |
+| panw_cortex.xdr.events.action_process_causality_id | The parent processor ID related to the action. | keyword |
+| panw_cortex.xdr.events.actor_causality_id | The parent process ID of the actor process. | keyword |
+| panw_cortex.xdr.events.actor_process_causality_id | The parent processor ID related to the actor. | keyword |
+| panw_cortex.xdr.events.actor_process_signature_status | The signature of the actor process. | keyword |
+| panw_cortex.xdr.events.actor_process_signature_vendor | The signature vendor of the actor process. | keyword |
+| panw_cortex.xdr.events.agent_host_boot_time | Uptime of the host. | keyword |
+| panw_cortex.xdr.events.agent_install_type | Display name of the actor. | keyword |
+| panw_cortex.xdr.events.association_strength | | long |
+| panw_cortex.xdr.events.contains_featured_host | | keyword |
+| panw_cortex.xdr.events.contains_featured_ip | | keyword |
+| panw_cortex.xdr.events.contains_featured_user | | keyword |
+| panw_cortex.xdr.events.dns_query_name | The related DNS query for the event. | keyword |
+| panw_cortex.xdr.events.dst_action_country | The country related to the destination. | keyword |
+| panw_cortex.xdr.events.dst_action_external_hostname | The external hostname of the destination. | keyword |
+| panw_cortex.xdr.events.dst_action_external_port | The external (NAT) port of the destination. | keyword |
+| panw_cortex.xdr.events.dst_agent_id | The endpoint ID of a destination agent. | keyword |
+| panw_cortex.xdr.events.dst_association_strength | | long |
+| panw_cortex.xdr.events.dst_causality_actor_process_execution_time | The process execution time of the destination process. | keyword |
+| panw_cortex.xdr.events.event_id | The ID unique to the underlying event related to the alert. | keyword |
+| panw_cortex.xdr.events.event_sub_type | Sub type of the event related to the alert. | keyword |
+| panw_cortex.xdr.events.event_type | Event type | keyword |
+| panw_cortex.xdr.events.fw_app_category | Layer 7 application category related to the firewall event. | keyword |
+| panw_cortex.xdr.events.fw_app_id | The layer 7 application ID from the firewall event. | keyword |
+| panw_cortex.xdr.events.fw_app_subcategory | Layer 7 application subcategory related to the firewall event. | keyword |
+| panw_cortex.xdr.events.fw_app_technology | Layer 7 application type related to the firewall event. | keyword |
+| panw_cortex.xdr.events.fw_device_name | Related firewall device. | keyword |
+| panw_cortex.xdr.events.fw_email_recipient | | keyword |
+| panw_cortex.xdr.events.fw_email_sender | | keyword |
+| panw_cortex.xdr.events.fw_email_subject | | keyword |
+| panw_cortex.xdr.events.fw_is_phishing | If event is related to a phishing campaign. | keyword |
+| panw_cortex.xdr.events.fw_misc | Additional information related to the firewall event. | keyword |
+| panw_cortex.xdr.events.fw_url_domain | Related domain to the firewall event. | keyword |
+| panw_cortex.xdr.events.fw_vsys | The related VSYS name if applicable. | keyword |
+| panw_cortex.xdr.events.fw_xff | | keyword |
+| panw_cortex.xdr.events.module_id | The ID of the module that caught the event. | keyword |
+| panw_cortex.xdr.events.os_actor_causality_id | The ID of the OS actor process | keyword |
+| panw_cortex.xdr.events.os_actor_effective_username | Username related to the OS actor. | keyword |
+| panw_cortex.xdr.events.os_actor_process_causality_id | The ID of the parent process related to the OS actor. | keyword |
+| panw_cortex.xdr.events.os_actor_process_command_line | OS actor full command line example. | keyword |
+| panw_cortex.xdr.events.os_actor_process_image_name | OS actor binary name. | keyword |
+| panw_cortex.xdr.events.os_actor_process_image_path | OS actor binary path. | keyword |
+| panw_cortex.xdr.events.os_actor_process_image_sha256 | SHA256 hash indentifier of the OS actor process. | keyword |
+| panw_cortex.xdr.events.os_actor_process_instance_id | The process ID related to the OS actor. | keyword |
+| panw_cortex.xdr.events.os_actor_process_os_pid | The OS PID related to the related process. | keyword |
+| panw_cortex.xdr.events.os_actor_process_signature_status | Signature of the OS actor process. | keyword |
+| panw_cortex.xdr.events.os_actor_process_signature_vendor | Signature vendor of the OS actor process. | keyword |
+| panw_cortex.xdr.events.os_actor_thread_thread_id | The thread ID related to the related OS actor process. | keyword |
+| panw_cortex.xdr.events.story_id | | keyword |
+| panw_cortex.xdr.external_id | External ID related to the Alert itself. | keyword |
+| panw_cortex.xdr.filter_rule_id | ID of the filter rule. | keyword |
+| panw_cortex.xdr.is_whitelisted | If process is whitelisted. | boolean |
+| panw_cortex.xdr.local_insert_ts | | date |
+| panw_cortex.xdr.mac | Main MAC address of the agent. | keyword |
+| panw_cortex.xdr.mac_address | Array of all the MAC addresses related to the agent. | keyword |
+| panw_cortex.xdr.matching_service_rule_id | | keyword |
+| panw_cortex.xdr.matching_status | Matching status of the endpoint group. | keyword |
+| panw_cortex.xdr.mitre_tactic_id_and_name | | keyword |
+| panw_cortex.xdr.mitre_technique_id_and_name | | keyword |
+| panw_cortex.xdr.source | | keyword |
+| panw_cortex.xdr.starred | If alert type is prioritized (starred). | boolean |
+| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| process.code_signature.subject_name | Subject name of the code signer | keyword |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.hash.md5 | MD5 hash. | keyword |
+| process.hash.sha256 | SHA256 hash. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| process.parent.code_signature.subject_name | Subject name of the code signer | keyword |
+| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
+| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.parent.executable | Absolute path to the process executable. | keyword |
+| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
+| process.parent.hash.md5 | MD5 hash. | keyword |
+| process.parent.hash.sha256 | SHA256 hash. | keyword |
+| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
+| process.parent.uptime | Seconds the process has been up. | long |
+| process.pid | Process id. | long |
+| process.thread.id | Thread ID. | long |
+| registry.data.strings | Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). | wildcard |
+| registry.key | Hive-relative path of keys. | keyword |
+| registry.path | Full path, including hive, key and value | keyword |
+| registry.value | Name of the value written. | keyword |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+
+
diff --git a/packages/panw_cortex_xdr/1.3.1/img/icon-cortex.svg b/packages/panw_cortex_xdr/1.3.1/img/icon-cortex.svg
new file mode 100755
index 0000000000..ff8819d77f
--- /dev/null
+++ b/packages/panw_cortex_xdr/1.3.1/img/icon-cortex.svg
@@ -0,0 +1,5 @@
+
diff --git a/packages/panw_cortex_xdr/1.3.1/manifest.yml b/packages/panw_cortex_xdr/1.3.1/manifest.yml
new file mode 100755
index 0000000000..f2f0c8d629
--- /dev/null
+++ b/packages/panw_cortex_xdr/1.3.1/manifest.yml
@@ -0,0 +1,26 @@
+name: panw_cortex_xdr
+title: Palo Alto Cortex XDR Logs
+version: "1.3.1"
+release: ga
+description: Collect and parse logs from Palo Alto Cortex XDR API with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+conditions:
+ kibana.version: ^7.15.0 || ^8.0.0
+icons:
+ - src: /img/icon-cortex.svg
+ title: Palo Alto
+ size: 216x216
+ type: image/svg+xml
+policy_templates:
+ - name: alerts
+ title: Palo Alto Cortex XDR API
+ description: Collect logs from Palo Alto Cortex XDR API
+ inputs:
+ - type: httpjson
+ title: "Collect data from Palo Alto Cortex XDR"
+ description: "Collect data from Palo Alto Cortex XDR (input: httpjson)"
+owner:
+ github: elastic/security-external-integrations
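Review bot: The `kibana.version` constraint is the only version-like value in this manifest left as a plain scalar while `version: "1.3.1"` is quoted; `^7.15.0 || ^8.0.0` does parse as a string today (`|` is only a block-scalar indicator at the start of a value), but quoting it as `kibana.version: "^7.15.0 || ^8.0.0"` makes the intent explicit and keeps the file consistent with its own `version` line. The rest of the manifest reads cleanly; `format_version: 1.0.0` is safe unquoted since a two-dot value cannot be taken for a float.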
diff --git a/packages/pfsense/1.1.1/changelog.yml b/packages/pfsense/1.1.1/changelog.yml
new file mode 100755
index 0000000000..e91f87dbc5
--- /dev/null
+++ b/packages/pfsense/1.1.1/changelog.yml
@@ -0,0 +1,81 @@
+# newer versions go on top
+- version: "1.1.1"
+ changes:
+ - description: Fix grok to support new opensense log format
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3612
+- version: "1.1.0"
+ changes:
+ - description: Update package to ECS 8.3.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3353
+- version: "1.0.3"
+ changes:
+ - description: updated links in the documentation to the vendor documentation
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3145
+- version: "1.0.2"
+ changes:
+ - description: Update HAProxy log parsing to handle non HTTPS and TCP logs
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3504
+- version: "1.0.1"
+ changes:
+ - description: Format client.mac as per ECS.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3303
+- version: "1.0.0"
+ changes:
+ - description: Add OPNsense support. Add PHP-FPM log parsing.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2413
+- version: "0.4.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2780
+- version: "0.3.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "0.3.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2432
+- version: "0.2.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "0.2.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "0.2.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2257
+- version: "0.1.3"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2091
+- version: "0.1.2"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1981
+- version: "0.1.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1842
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/1286
diff --git a/packages/pfsense/1.1.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/pfsense/1.1.1/data_stream/log/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..9241b23255
--- /dev/null
+++ b/packages/pfsense/1.1.1/data_stream/log/agent/stream/tcp.yml.hbs
@@ -0,0 +1,23 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+processors:
+- add_locale: ~
+- add_fields:
+ target: _tmp
+ fields:
+ tz_offset: {{tz_offset}}
+{{#if processors}}
+{{processors}}
+{{/if}}
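Review bot: The TCP stream template never emits `_tmp.internal_networks`, while the sibling udp.yml.hbs does (its `{{#if internal_networks.length}}` block under `fields:`), so documents arriving over TCP reach the firewall pipeline's `network_direction` processor (`internal_networks_field: _tmp.internal_networks`) without that field and, assuming the processor's default `ignore_missing`, keep the raw `in`/`out` value from the pf log instead of the internal-network-based classification. Unless the omission is deliberate, the same block belongs after `tz_offset` here, provided the `internal_networks` variable is also declared for the tcp input in the data stream manifest (not in this diff). Matching the two templates keeps `network.direction` comparable across inputs, which is what most firewall detections key on.
```yaml
      tz_offset: {{tz_offset}}
{{#if internal_networks.length}}
      internal_networks:
      {{#each internal_networks as |ntwrk i|}}
        - {{ntwrk}}
      {{/each}}
{{/if}}
```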
diff --git a/packages/pfsense/1.1.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/pfsense/1.1.1/data_stream/log/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..ca515ab199
--- /dev/null
+++ b/packages/pfsense/1.1.1/data_stream/log/agent/stream/udp.yml.hbs
@@ -0,0 +1,26 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+- add_fields:
+ target: _tmp
+ fields:
+ tz_offset: {{tz_offset}}
+{{#if internal_networks.length}}
+ internal_networks:
+ {{#each internal_networks as |ntwrk i|}}
+ - {{ntwrk}}
+ {{/each}}
+{{/if}}
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
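Review bot: `- {{tag}}` and `tz_offset: {{tz_offset}}` are substituted as plain YAML scalars, so a user-supplied tag such as `no`, `on` or `1.10` is re-typed by the YAML parser before the agent sees it, and an empty `tz_offset` renders as `tz_offset:`, which is null rather than an empty string. Quoting the rendered values, `- "{{tag}}"` and `tz_offset: "{{tz_offset}}"`, keeps them strings; the default pipeline already reads `_tmp.tz_offset` through a string template, so the quoted form is compatible. The same two substitutions appear in tcp.yml.hbs. If the tag list is empty and `preserve_original_event` is off, `tags:` is rendered with no items and parses as null instead of an empty list; whether the agent tolerates that I cannot tell from here.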
diff --git a/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..294e3afcd0
--- /dev/null
+++ b/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,186 @@
+---
+description: Pipeline for PFsense
+processors:
+ - set:
+ field: ecs.version
+ value: '8.3.0'
+ - set:
+ field: observer.vendor
+ value: netgate
+ - set:
+ field: observer.type
+ value: firewall
+ - rename:
+ field: message
+ target_field: event.original
+ - set:
+ field: event.timezone
+ value: "{{_tmp.tz_offset}}"
+ if: ctx?._tmp?.tz_offset != null && ctx?._tmp?.tz_offset != 'local'
+ - grok:
+ description: Parse syslog header
+ field: event.original
+ patterns:
+ - '^(%{ECS_SYSLOG_PRI})?%{TIMESTAMP} %{GREEDYDATA:message}'
+ pattern_definitions:
+ ECS_SYSLOG_PRI: '<%{NONNEGINT:log.syslog.priority:long}>(\d )?'
+ BSD_TIMESTAMP_FORMAT: '%{SYSLOGTIMESTAMP:_tmp.timestamp}(%{SPACE}%{OBSERVER})?%{SPACE}%{PROCESS}(\[%{POSINT:process.pid:long}\])?:'
+ SYSLOG_TIMESTAMP_FORMAT: '%{TIMESTAMP_ISO8601:_tmp.timestamp8601}%{SPACE}%{OBSERVER}%{SPACE}%{PROCESS}%{SPACE}(%{POSINT:process.pid:long}|-) - (-|\[%{DATA}\])?'
+ TIMESTAMP_ISO8601: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?'
+ TIMESTAMP: '(?:%{BSD_TIMESTAMP_FORMAT}|%{SYSLOG_TIMESTAMP_FORMAT})'
+ OBSERVER: '(?:%{IP:observer.ip}|%{HOSTNAME:observer.name})'
+ PROCESS: '(\(%{DATA:process.name}\)|(%{UNIXPATH}/)?%{WORD:process.name})'
+ - date:
+ if: ctx?._tmp.timestamp8601 != null
+ field: _tmp.timestamp8601
+ target_field: '@timestamp'
+ formats:
+ - ISO8601
+ - date:
+ if: ctx?.event?.timezone != null && ctx?._tmp?.timestamp != null
+ field: _tmp.timestamp
+ target_field: '@timestamp'
+ formats:
+ - MMM d HH:mm:ss
+ - MMM d HH:mm:ss
+ - MMM dd HH:mm:ss
+ timezone: '{{ event.timezone }}'
+ - grok:
+ description: Set Event Provider
+ field: process.name
+ patterns:
+ - '^%{WORD:event.provider}'
+ - pipeline:
+ name: '{{ IngestPipeline "firewall" }}'
+ if: ctx.event.provider == 'filterlog'
+ - pipeline:
+ name: '{{ IngestPipeline "openvpn" }}'
+ if: ctx.event.provider == 'openvpn'
+ - pipeline:
+ name: '{{ IngestPipeline "ipsec" }}'
+ if: ctx.event.provider == 'charon'
+ - pipeline:
+ name: '{{ IngestPipeline "dhcp" }}'
+ if: ctx.event.provider == 'dhcpd'
+ - pipeline:
+ name: '{{ IngestPipeline "unbound" }}'
+ if: ctx.event.provider == 'unbound'
+ - pipeline:
+ name: '{{ IngestPipeline "haproxy" }}'
+ if: ctx.event.provider == 'haproxy'
+ - pipeline:
+ name: '{{ IngestPipeline "php-fpm" }}'
+ if: ctx.event.provider == 'php-fpm'
+ - pipeline:
+ name: '{{ IngestPipeline "squid" }}'
+ if: ctx.event.provider == 'squid'
+ - drop:
+ if: '!["filterlog", "openvpn", "charon", "dhcpd", "unbound", "haproxy", "php-fpm", "squid"].contains(ctx?.event?.provider)'
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ - geoip:
+ ignore_missing: true
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ allow_duplicates: false
+ if: ctx?.destination?.ip != null
+ - append:
+ field: related.ip
+ value: "{{source.ip}}"
+ allow_duplicates: false
+ if: ctx?.source?.ip != null
+ - append:
+ field: related.ip
+ value: "{{source.nat.ip}}"
+ allow_duplicates: false
+ if: ctx?.source?.nat?.ip != null
+ - append:
+ field: related.hosts
+ value: "{{destination.domain}}"
+ if: "ctx?.destination?.domain != null"
+ - append:
+ field: related.user
+ value: "{{user.name}}"
+ if: "ctx?.user?.name != null"
+ - set:
+ field: network.direction
+ value: "{{network.direction}}bound"
+ if: ctx?.network?.direction != null && ctx?.network?.direction =~ /^(in|out)$/
+ - remove:
+ field:
+ - _tmp
+ ignore_failure: true
+ - script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null || (v instanceof String && v == "-"));
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - remove:
+ field:
+ - _tmp
+ ignore_failure: true
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
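Review bot: The first `date` processor's condition `ctx?._tmp.timestamp8601 != null` is null-safe on `ctx` but not on `_tmp`, so a document that arrives without the `_tmp` object (the agent templates create it only through `add_fields`; any other input path would not) throws a NullPointerException and lands in `on_failure`, whereas the neighbouring conditions use `ctx?._tmp?.tz_offset` and `ctx?._tmp?.timestamp`. Change it to `if: ctx?._tmp?.timestamp8601 != null`. The `pipeline` routing conditions (`ctx.event.provider == ...`) are safe without null checks only because the preceding grok on `process.name` has no `ignore_missing` and fails the whole pipeline when no provider can be derived; a comment such as `# event.provider is guaranteed here: the grok above fails the pipeline otherwise` would make that dependency explicit.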
diff --git a/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml b/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml
new file mode 100755
index 0000000000..f366964fba
--- /dev/null
+++ b/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml
@@ -0,0 +1,100 @@
+---
+description: Pipeline for PFsense DHCP logs
+processors:
+ - grok:
+ field: message
+ patterns:
+ - '%{WORD:event.action} %{MIDDLE} via %{INTERFACE:observer.ingress.interface.name}'
+ - '%{GREEDYDATA}'
+ pattern_definitions:
+ INTERFACE: '[a-z0-9\.]+'
+ MAC_ADDRESS: '([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})'
+ FROM: 'from %{MAC_ADDRESS:client.mac}'
+ ON: 'on %{IP:client.address} to %{MAC_ADDRESS:client.mac} \(%{HOSTNAME:pfsense.dhcp.hostname}\)'
+ FOR: 'for %{IP:client.address} \(%{IP:server.address}\)? from %{MAC_ADDRESS:client.mac} \(%{HOSTNAME:pfsense.dhcp.hostname}\)'
+ MIDDLE: '(?:%{FROM}|%{ON}|%{FOR})'
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value: network
+ allow_duplicates: false
+ - append:
+ field: event.type
+ value: connection
+ allow_duplicates: false
+ - append:
+ field: event.type
+ value: protocol
+ allow_duplicates: false
+ - append:
+ field: event.type
+ value: info
+ allow_duplicates: false
+ - set:
+ field: network.protocol
+ value: dhcp
+ - set:
+ field: network.transport
+ value: udp
+ - set:
+ field: client.port
+ value: 68
+ if: ctx?.client?.port == null
+ - set:
+ field: server.port
+ value: 67
+ if: ctx?.server?.port == null
+ - set:
+ field: client.ip
+ value: "{{client.address}}"
+ ignore_empty_value: true
+ - set:
+ field: server.ip
+ value: "{{server.address}}"
+ ignore_empty_value: true
+ - uppercase:
+ field: client.mac
+ ignore_missing: true
+ - gsub:
+ field: client.mac
+ pattern: '[:]'
+ replacement: '-'
+ ignore_missing: true
+ - set:
+ field: source
+ copy_from: client
+ ignore_empty_value: true
+ - set:
+ field: destination
+ copy_from: server
+ ignore_empty_value: true
+ - community_id:
+ target_field: network.community_id
+ ignore_failure: true
+ - grok:
+ field: observer.ingress.interface.name
+ patterns:
+ - "%{DATA}.%{NONNEGINT:observer.ingress.vlan.id}"
+ ignore_missing: true
+ ignore_failure: true
+ - append:
+ field: related.ip
+ value: "{{source.ip}}"
+ allow_duplicates: false
+ if: "ctx?.source?.ip != null"
+ - append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ allow_duplicates: false
+ if: "ctx?.destination?.ip != null"
+ - append:
+ field: related.hosts
+ value: "{{pfsense.dhcp.hostname}}"
+ allow_duplicates: false
+ if: "ctx?.pfsense?.log?.dhcp?.hostname != null"
+on_failure:
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
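Review bot: The last `append` to `related.hosts` is guarded on `ctx?.pfsense?.log?.dhcp?.hostname`, but the `ON` and `FOR` pattern definitions capture the hostname into `pfsense.dhcp.hostname` and the `value` template reads `{{pfsense.dhcp.hostname}}`, so the condition is never true and `related.hosts` is never populated for DHCP events. Change the guard to `if: "ctx?.pfsense?.dhcp?.hostname != null"`. That value is presumably the name the DHCP client announced rather than anything the server verified, so a one-line comment on the append, e.g. `# hostname is client-supplied; useful for correlation, not for trust decisions`, would help anyone building detections on `related.hosts`.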
diff --git a/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/firewall.yml b/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/firewall.yml
new file mode 100755
index 0000000000..2e28538ca1
--- /dev/null
+++ b/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/firewall.yml
@@ -0,0 +1,111 @@
+---
+description: Pipeline for PFsense Firewall logs
+processors:
+ - grok:
+ field: message
+ patterns:
+ - "%{PF_LOG_ENTRY}%{GREEDYDATA}"
+ pattern_definitions:
+ PF_LOG_ENTRY: "%{PF_LOG_DATA}%{PF_IP_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}?"
+ PF_LOG_DATA: "%{INT},%{INT}?,,%{WORD:rule.id},%{DATA:observer.ingress.interface.name},%{PF_REASON:event.reason},%{WORD:event.action},%{WORD:network.direction},"
+ PF_REASON: '[a-zA-Z-]+'
+ PF_IP_DATA: "%{NONNEGINT:network.bytes:long},%{IP:source.address},%{IP:destination.address},"
+ PF_IP_SPECIFIC_DATA: "%{PF_IPv4_SPECIFIC_DATA}|%{PF_IPv6_SPECIFIC_DATA}"
+ PF_IPv4_SPECIFIC_DATA: "(?(4)),%{BASE16NUM:pfsense.ip.tos},%{WORD:pfsense.ip.ecn}?,%{NONNEGINT:pfsense.ip.ttl:long},%{NONNEGINT:pfsense.ip.id:long},%{NONNEGINT:pfsense.ip.offset:long},(?:%{WORD:pfsense.ip.flags}|%{PF_SPEC:pfsense.ip.flags}),%{INT:network.iana_number},%{WORD:network.transport},"
+ PF_IPv6_SPECIFIC_DATA: "(?(6)),%{BASE16NUM:pfsense.ip.tos},%{WORD:pfsense.ip.flow_label},%{WORD:pfsense.ip.flags},%{WORD:network.transport},%{INT:network.iana_number},"
+ PF_PROTOCOL_DATA: "%{PF_TCP_DATA}|%{PF_UDP_DATA}|%{PF_ICMP_DATA}|%{PF_IGMP_DATA}|%{PF_IPv6_VAR}|%{PF_IPv6_ICMP}"
+ PF_IPv6_VAR: "%{GREEDYDATA}"
+ PF_IPv6_ICMP: ''
+ PF_TCP_DATA: "%{INT:source.port:long},%{INT:destination.port:long},%{NONNEGINT:pfsense.tcp.length:long},%{WORD:pfsense.tcp.flags}?,%{NONNEGINT:pfsense.tcp.seq:long}?:?%{NONNEGINT},%{NONNEGINT:pfsense.tcp.ack:long}?,%{NONNEGINT:pfsense.tcp.window:long}?,%{WORD:pfsense.tcp.urg}?,%{GREEDYDATA:pfsense.tcp.options}"
+ PF_UDP_DATA: "%{INT:source.port:long},%{INT:destination.port:long},%{NONNEGINT:pfsense.udp.length:long}$"
+ PF_IGMP_DATA: "datalength=%{NONNEGINT:network.packets:long}"
+ PF_ICMP_DATA: "%{PF_ICMP_TYPE}%{PF_ICMP_RESPONSE}"
+ PF_ICMP_TYPE: "(?(request|reply|unreachproto|unreachport|unreach|timeexceed|paramprob|redirect|maskreply|needfrag|tstamp|tstampreply)),"
+ PF_ICMP_RESPONSE: "%{PF_ICMP_ECHO_REQ_REPLY}|%{PF_ICMP_UNREACHPORT}|%{PF_ICMP_UNREACHPROTO}|%{PF_ICMP_UNREACHABLE}|%{PF_ICMP_NEED_FLAG}|%{PF_ICMP_TSTAMP}|%{PF_ICMP_TSTAMP_REPLY}"
+ PF_ICMP_ECHO_REQ_REPLY: "%{NONNEGINT:pfsense.icmp.id:long},%{NONNEGINT:pfsense.icmp.seq:long}"
+ PF_ICMP_UNREACHPORT: "%{IP:[pfsense.icmp.destination.ip]},%{WORD:pfsense.icmp.unreachable.iana_number},%{NONNEGINT:pfsense.icmp.unreachable.port:long}"
+ PF_ICMP_UNREACHPROTO: "%{IP:[pfsense.icmp.destination.ip]},%{WORD:[pfsense.icmp.unreachable.iana_number]}"
+ PF_ICMP_UNREACHABLE: "%{GREEDYDATA:pfsense.icmp.unreachable.other}"
+ PF_ICMP_NEED_FLAG: "%{IP:pfsense.icmp.destination.ip},%{NONNEGINT:pfsense.icmp.mtu:long}"
+ PF_ICMP_TSTAMP: "%{INT:pfsense.icmp.id},%{INT:pfsense.icmp.seq}"
+ PF_ICMP_TSTAMP_REPLY: "%{INT:pfsense.icmp.id},%{INT:pfsense.icmp.seq},%{INT:pfsense.icmp.otime},%{INT:pfsense.icmp.rtime},%{INT:pfsense.icmp.ttime}"
+ PF_SPEC: "[+]"
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value: network
+ allow_duplicates: false
+ - set:
+ field: source.ip
+ value: "{{source.address}}"
+ ignore_empty_value: true
+ - set:
+ field: destination.ip
+ value: "{{destination.address}}"
+ ignore_empty_value: true
+ - append:
+ field: event.type
+ value: connection
+ allow_duplicates: false
+ if: ctx?.source?.ip != null && ctx?.destination?.ip != null
+ - append:
+ field: event.type
+ value: denied
+ allow_duplicates: false
+ if: ctx?.event.action == 'block'
+ - append:
+ field: event.type
+ value: allowed
+ allow_duplicates: false
+ if: ctx?.event.action == 'pass'
+ - set:
+ field: network.type
+ value: ipv{{network.type}}
+ if: ctx?.network?.type == '4' || ctx?.network?.type == '6'
+ - lowercase:
+ field: network.transport
+ ignore_missing: true
+ - remove:
+ field: ack_number
+ ignore_missing: true
+ if: ctx?.ack_number == null || ctx?.ack_number == ''
+ - network_direction:
+ internal_networks_field: _tmp.internal_networks
+ - community_id:
+ target_field: network.community_id
+ ignore_failure: true
+ - grok:
+ field: observer.ingress.interface.name
+ patterns:
+ - "%{DATA}.%{NONNEGINT:observer.ingress.vlan.id}"
+ ignore_missing: true
+ ignore_failure: true
+ - split:
+ field: pfsense.tcp.options
+ separator: ';'
+ ignore_missing: true
+ ignore_failure: true
+ - date:
+ field: pfsense.icmp.otime
+ ignore_failure: true
+ formats:
+ - UNIX
+ - UNIX_MS
+ - date:
+ field: pfsense.icmp.rtime
+ ignore_failure: true
+ formats:
+ - UNIX
+ - UNIX_MS
+ - date:
+ field: pfsense.icmp.ttime
+ ignore_failure: true
+ formats:
+ - UNIX
+ - UNIX_MS
+on_failure:
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
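Review bot: The three `date` processors on `pfsense.icmp.otime`, `pfsense.icmp.rtime` and `pfsense.icmp.ttime` have no `target_field`, and the date processor writes to `@timestamp` by default, so any ICMP timestamp-reply entry overwrites the event time parsed by the default pipeline with the last of those values (`ttime`); `ignore_failure` hides parse errors, not this. Each needs an explicit target, e.g. `target_field: pfsense.icmp.otime` (and likewise for rtime and ttime), and if these are ICMP timestamp values — milliseconds since midnight UTC per RFC 792 — parsing them as UNIX epoch does not produce a meaningful date either, so converting them to `long` and leaving them as counters may be the safer choice. Separately, the named capture groups appear in this rendering as `(?(4))`, `(?(6))` and `(?(request|reply|...))`; presumably the group names were stripped by the page rendering rather than absent from the file, but it is worth confirming since `network.type` is later compared against `'4'`/`'6'`.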
diff --git a/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/haproxy.yml b/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/haproxy.yml
new file mode 100755
index 0000000000..3ae2fb4c69
--- /dev/null
+++ b/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/haproxy.yml
@@ -0,0 +1,139 @@
+---
+description: Pipeline for parsing PFsense HAProxy http, tcp and default logs.
+processors:
+ - grok:
+ field: message
+ patterns:
+ - 'Connect from (%{IPORHOST:source.address}|-):%{POSINT:source.port:long} %{WORD} %{IPORHOST:destination.address}:%{POSINT:destination.port:long} \(%{NOTSPACE:haproxy.frontend_name}/%{WORD:haproxy.mode}\)'
+ # HTTP(S)
+ - '(%{IPORHOST:source.address}|-):%{POSINT:source.port:long} \[%{NOTSPACE:haproxy.request_date}\] %{NOTSPACE:haproxy.frontend_name} %{NOTSPACE:haproxy.backend_name}/%{NOTSPACE:haproxy.server_name}
+ %{NUMBER:haproxy.http.request.time_wait_ms:long}/%{NUMBER:haproxy.total_waiting_time_ms:long}/%{NUMBER:haproxy.connection_wait_time_ms:long}/%{NUMBER:haproxy.http.request.time_wait_without_data_ms:long}/%{NUMBER:_temp.duration:long}
+ %{NUMBER:http.response.status_code:long} %{NUMBER:haproxy.bytes_read:long} %{NOTSPACE:haproxy.http.request.captured_cookie} %{NOTSPACE:haproxy.http.response.captured_cookie} %{NOTSPACE:haproxy.termination_state}
+ %{NUMBER:haproxy.connections.active:long}/%{NUMBER:haproxy.connections.frontend:long}/%{NUMBER:haproxy.connections.backend:long}/%{NUMBER:haproxy.connections.server:long}/%{NUMBER:haproxy.connections.retries:long} %{NUMBER:haproxy.server_queue:long}/%{NUMBER:haproxy.backend_queue:long}
+ (\{%{DATA:haproxy.http.request.captured_headers}\} \{%{DATA:haproxy.http.response.captured_headers}\} |\{%{DATA}\} )?"%{GREEDYDATA:haproxy.http.request.raw_request_line}"'
+ # TCP
+ - '(%{IP:source.address}|-):%{POSINT:source.port:long} \[%{NOTSPACE:haproxy.request_date}\]
+ %{NOTSPACE:haproxy.frontend_name} %{NOTSPACE:haproxy.backend_name}/%{NOTSPACE:haproxy.server_name}
+ %{NUMBER:haproxy.total_waiting_time_ms:long}/%{NUMBER:haproxy.connection_wait_time_ms:long}/%{NUMBER:_temp.duration:long}
+ %{NUMBER:haproxy.bytes_read:long} %{NOTSPACE:haproxy.termination_state} %{NUMBER:haproxy.connections.active:long}/%{NUMBER:haproxy.connections.frontend:long}/%{NUMBER:haproxy.connections.backend:long}/%{NUMBER:haproxy.connections.server:long}/%{NUMBER:haproxy.connections.retries:long}
+ %{NUMBER:haproxy.server_queue:long}/%{NUMBER:haproxy.backend_queue:long}'
+ # Error
+ - '(%{IP:source.address}|-):%{POSINT:source.port:long} \[%{NOTSPACE:haproxy.request_date}\] %{NOTSPACE:haproxy.frontend_name}/%{BIND_NAME:haproxy.bind_name}:? %{GREEDYDATA:haproxy.error_message}'
+ ignore_missing: false
+ pattern_definitions:
+ HAPROXY_DATE: (%{MONTHDAY}[/-]%{MONTH}[/-]%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND})|%{SYSLOGTIMESTAMP}
+ BIND_NAME: ((%{IP:destination.address})?(:%{POSINT:destination.port:long})?|%{NOTSPACE})
+ on_failure:
+ - drop:
+ description: Drop if not a connection log
+ - date:
+ if: ctx?.haproxy?.request_date != null && ctx?.event?.timezone == null
+ field: haproxy.request_date
+ target_field: '@timestamp'
+ formats:
+ - dd/MMM/yyyy:HH:mm:ss.SSS
+ - MMM dd HH:mm:ss
+ - date:
+ if: ctx?.haproxy?.request_date != null && ctx?.event?.timezone != null
+ field: haproxy.request_date
+ target_field: '@timestamp'
+ formats:
+ - dd/MMM/yyyy:HH:mm:ss.SSS
+ - MMM dd HH:mm:ss
+ timezone: '{{ event.timezone }}'
+ - grok:
+ field: haproxy.http.request.raw_request_line
+ patterns:
+ - '%{WORD:http.request.method}%{SPACE}%{URIPATHPARAM:url.original}%{SPACE}HTTP/%{NUMBER:http.version}'
+ ignore_missing: true
+ if: 'ctx.haproxy?.http?.request?.raw_request_line != null && !ctx.haproxy?.http?.request?.raw_request_line.isEmpty() && ctx.haproxy?.http?.request?.raw_request_line != ""'
+ - uri_parts:
+ field: url.original
+ ignore_failure: true
+ if: ctx?.url?.original != null
+ - convert:
+ field: source.address
+ target_field: source.ip
+ type: ip
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: destination.address
+ target_field: destination.ip
+ type: ip
+ ignore_failure: true
+ ignore_missing: true
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - split:
+ field: haproxy.http.request.captured_headers
+ separator: \|
+ ignore_failure: true
+ ignore_missing: true
+ - split:
+ field: haproxy.http.response.captured_headers
+ separator: \|
+ ignore_failure: true
+ ignore_missing: true
+ - script:
+ lang: painless
+ source: ctx.event.duration = Math.round(ctx._temp.duration * params.scale)
+ params:
+ scale: 1000000
+ if: ctx._temp?.duration != null
+ - convert:
+ field: haproxy.bytes_read
+ target_field: http.response.bytes
+ type: long
+ ignore_missing: true
+ if: ctx.containsKey('http')
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value: web
+ if: "ctx?.haproxy?.mode == 'HTTP' || ctx?.haproxy?.http != null"
+ - append:
+ field: event.category
+ value: network
+ if: "ctx?.source.ip != null && ctx?.destination?.ip != null"
+ - append:
+ field: event.type
+ value: connection
+ if: "ctx?.source.ip != null && ctx?.destination?.ip != null"
+ - set:
+ field: event.outcome
+ value: success
+ if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400"
+ - set:
+ field: event.outcome
+ value: failure
+ if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400"
+ - remove:
+ field:
+ - _temp
+ - haproxy.request_date
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
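Review bot: The `event.category: network` and `event.type: connection` conditions use `ctx?.source.ip != null`, which is not null-safe on `source`; the grok alternatives accept `-` in place of the client address (`(%{IPORHOST:source.address}|-)`) and the `convert` to `source.ip` is `ignore_missing`, so a log line with no client address leaves `source` absent and the condition throws, sending an otherwise valid event to `on_failure`. Use `if: "ctx?.source?.ip != null && ctx?.destination?.ip != null"` on both. The `HAPROXY_DATE` pattern definition is not referenced by any pattern and can be dropped.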
diff --git a/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/ipsec.yml b/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/ipsec.yml
new file mode 100755
index 0000000000..0ee5fae5ce
--- /dev/null
+++ b/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/ipsec.yml
@@ -0,0 +1,44 @@
+---
+description: Pipeline for PFsense IPSEC logs
+processors:
+ - grok:
+ field: message
+ patterns:
+ - '%{PREFIX}%{GREEDYDATA}%{SOURCE} to %{DEST} \(%{NONNEGINT:network.bytes:long} bytes\)'
+ - '%{GREEDYDATA}'
+ pattern_definitions:
+ PREFIX: '\d+\[%{WORD}\]'
+ SOURCE: '%{IP:source.address}\[%{NONNEGINT:source.port:long}\]'
+ DEST: '%{IP:destination.address}\[%{NONNEGINT:destination.port:long}\]'
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value: network
+ allow_duplicates: false
+ - append:
+ field: event.type
+ value: connection
+ allow_duplicates: false
+ if: ctx?.source?.address != null
+ - append:
+ field: event.type
+ value: end
+ allow_duplicates: false
+ if: ctx?.message.toLowerCase().contains('disconnected')
+ - set:
+ field: source.ip
+ value: "{{source.address}}"
+ ignore_empty_value: true
+ - set:
+ field: destination.ip
+ value: "{{destination.address}}"
+ ignore_empty_value: true
+ - set:
+ field: network.protocol
+ value: ipsec
+on_failure:
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/openvpn.yml b/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/openvpn.yml
new file mode 100755
index 0000000000..9afef3ba5d
--- /dev/null
+++ b/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/openvpn.yml
@@ -0,0 +1,53 @@
+---
+description: Pipeline for PFsense OpenVPN logs
+processors:
+ - grok:
+ field: message
+ patterns:
+ - '%{SOURCE}%{SPACE}peer%{SPACE}info:%{SPACE}%{GREEDYDATA:pfsense.openvpn.peer_info}'
+ - '%{SOURCE}%{SPACE}\[%{USERNAME:user.name}\]%{SPACE}%{GREEDYDATA}'
+ - "user%{SPACE}'%{USERNAME:user.name}'%{GREEDYDATA}"
+ - '%{USERNAME:user.name}/%{SOURCE}%{DATA}IPv4=(%{IP:source.nat.ip}|%{GREEDYDATA}),%{SPACE}IPv6=(%{IP:source.nat.ip}|%{GREEDYDATA})'
+ - '%{GREEDYDATA}%{SOURCE}'
+ - '%{GREEDYDATA}'
+ pattern_definitions:
+ SOURCE: '%{IP:source.address}:%{NONNEGINT:source.port:long}'
+ USERNAME: '[a-zA-Z0-9._-]+'
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value: network
+ allow_duplicates: false
+ - append:
+ field: event.category
+ value: authentication
+ allow_duplicates: false
+ if: ctx?.message.contains('auth')
+ - append:
+ field: event.type
+ value: connection
+ allow_duplicates: false
+ if: ctx?.source?.address != null
+ - append:
+ field: event.type
+ value: error
+ allow_duplicates: false
+ if: ctx?.message.toLowerCase().contains('error') || ctx?.message.toLowerCase().contains('not auth')
+ - append:
+ field: event.type
+ value: start
+ allow_duplicates: false
+ if: ctx?.message.toLowerCase().contains('initiat')
+ - set:
+ field: source.ip
+ value: "{{source.address}}"
+ ignore_empty_value: true
+ - set:
+ field: network.protocol
+ value: openvpn
+on_failure:
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
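Review bot: `event.category: authentication` is appended whenever the message contains `auth`, but `event.outcome` is never set, so detection rules that filter on `event.category:authentication and event.outcome:failure` will not match the lines this pipeline already classifies as failures (`event.type: error` for `not auth`). Consider a `set` of `event.outcome: failure` under the same `not auth` condition, and `success` for the patterns that establish a user session, if the OpenVPN log text confirms those semantics. The `auth` check is also the only case-sensitive one here (`ctx?.message.contains('auth')` next to `toLowerCase()` on the neighbouring conditions), so a message beginning with a capitalised `Authentication` is not categorised; `ctx?.message.toLowerCase().contains('auth')` would be consistent.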
diff --git a/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/php-fpm.yml b/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/php-fpm.yml
new file mode 100755
index 0000000000..7570a1da68
--- /dev/null
+++ b/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/php-fpm.yml
@@ -0,0 +1,46 @@
+---
+description: Pipeline for PFsense PHP-FPM logs
+processors:
+ - grok:
+ field: message
+ patterns:
+ - '^%{DATA}: %{PF_APP_DATA}'
+ - '^%{GREEDYDATA}'
+ pattern_definitions:
+ PF_APP_DATA: '(%{PF_APP_LOGIN}|%{PF_APP_LOGOUT}|%{PF_APP_ERROR})'
+ PF_APP_LOGIN: "(%{DATA:_tmp.action}) for user '%{USER:user.name}' from: %{IP:source.address} \\(%{DATA}\\)"
+ PF_APP_LOGOUT: "User (%{DATA:_tmp.action}) for user '%{USER:user.name}' from: %{IP:source.address}"
+ PF_APP_ERROR: "webConfigurator %{DATA:_tmp.action} for user '%{DATA:user.name}' from: %{IP:source.address}"
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value: authentication
+ allow_duplicates: false
+ - set:
+ field: event.outcome
+ value: success
+ if: 'ctx._tmp?.action.toLowerCase().contains("success")'
+ - set:
+ field: event.outcome
+ value: failure
+ if: 'ctx._tmp?.action.toLowerCase().contains("authentication error")'
+ - convert:
+ field: source.address
+ target_field: source.ip
+ type: ip
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: observer.ip
+ target_field: host.ip
+ ignore_missing: true
+ - rename:
+ field: observer.name
+ target_field: host.name
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
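Review bot: Both `event.outcome` conditions call `ctx._tmp?.action.toLowerCase()`, but the `?.` only guards `_tmp`, which the agent templates always create via `add_fields`; when only the fallback pattern `^%{GREEDYDATA}` matches, `_tmp.action` is absent, `toLowerCase()` is invoked on null and the event is diverted to `on_failure` with an error message. Guard the field itself: `if: 'ctx._tmp?.action != null && ctx._tmp.action.toLowerCase().contains("success")'`, and the same for the failure branch. Because `event.category: authentication` is appended unconditionally, those fallback lines are also tagged as authentication events with neither user nor outcome; restricting that `append` with `if: ctx._tmp?.action != null` would keep the category meaningful for detections.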
diff --git a/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/squid.yml b/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/squid.yml
new file mode 100755
index 0000000000..29e8bbee97
--- /dev/null
+++ b/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/squid.yml
@@ -0,0 +1,90 @@
+---
+description: Pipeline for parsing PFsense Squid logs.
+processors:
+ - grok:
+ field: message
+ patterns:
+ - '%{IPORHOST:source.address} %{NOTSPACE:squid.request_status}/%{NUMBER:http.response.status_code:long} %{NUMBER:http.response.bytes:long} %{NOTSPACE:http.request.method} (%{URI:url.original})?%{SPACE}%{NOTSPACE:http.request.referrer}%{SPACE}%{NOTSPACE:squid.hierarchy_status}/%{IPORHOST:destination.address}%{SPACE}%{NOTSPACE:http.response.mime_type}'
+ ignore_missing: false
+ - uri_parts:
+ field: url.original
+ ignore_failure: true
+ if: ctx?.url?.original != null
+ - convert:
+ field: source.address
+ target_field: source.ip
+ type: ip
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: destination.address
+ target_field: destination.ip
+ type: ip
+ ignore_failure: true
+ ignore_missing: true
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+# - split:
+# field: haproxy.http.request.captured_headers
+# separator: \|
+# ignore_failure: true
+# ignore_missing: true
+# - split:
+# field: haproxy.http.response.captured_headers
+# separator: \|
+# ignore_failure: true
+# ignore_missing: true
+# - script:
+# lang: painless
+# source: ctx.event.duration = Math.round(ctx.temp.duration * params.scale)
+# params:
+# scale: 1000000
+# if: ctx.temp?.duration != null
+# - remove:
+# field: temp.duration
+# ignore_missing: true
+# - convert:
+# field: haproxy.bytes_read
+# target_field: http.response.bytes
+# type: long
+# ignore_missing: true
+# if: ctx.containsKey('http')
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value: web
+ - append:
+ field: event.category
+ value: network
+ - set:
+ field: event.outcome
+ value: success
+ if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400"
+ - set:
+ field: event.outcome
+ value: failure
+ if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400"
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
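Review bot: The commented-out block between the `rename` processors and `event.kind` is a copy of haproxy.yml's `split`/`script`/`convert` steps, referencing `haproxy.*` fields and a `temp.duration` path that nothing in this pipeline produces; it should be deleted rather than shipped, since dead configuration invites someone to uncomment it against the wrong fields. The two `event.category` appends here also lack `allow_duplicates: false`, unlike every other pipeline in this package, and no `event.type` is set; adding `allow_duplicates: false` to both and an `event.type: connection` append guarded by `ctx?.source?.ip != null && ctx?.destination?.ip != null` would match the sibling pipelines.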
diff --git a/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/unbound.yml b/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/unbound.yml
new file mode 100755
index 0000000000..5bdbdb6d2e
--- /dev/null
+++ b/packages/pfsense/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/unbound.yml
@@ -0,0 +1,70 @@
+---
+description: Pipeline for PFsense Unbound DNS logs
+processors:
+ - grok:
+ field: message
+ patterns:
+ - '%{LOGLEVEL:log.level}: %{IP:source.address} %{HOSTNAME:_tmp.question.name}(\.) %{WORD:_tmp.question.type} %{WORD:_tmp.question.class}'
+ on_failure:
+ - drop:
+ description: Drop if not a query log
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value: network
+ allow_duplicates: false
+ - append:
+ field: event.type
+ value: connection
+ allow_duplicates: false
+ if: ctx?.source?.address != null
+ - append:
+ field: event.type
+ value: end
+ allow_duplicates: false
+ if: ctx?.message.toLowerCase().contains('disconnected')
+ - set:
+ field: network.protocol
+ value: dns
+ - set:
+ field: dns.type
+ value: question
+ if: ctx?._tmp?.question?.name != null
+ - registered_domain:
+ field: _tmp.question.name
+ target_field: dns.question
+ ignore_missing: true
+ - rename:
+ field: dns.question.domain
+ target_field: dns.question.name
+ ignore_missing: true
+ - rename:
+ field: _tmp.question.type
+ target_field: dns.question.type
+ ignore_missing: true
+ - rename:
+ field: _tmp.question.class
+ target_field: dns.question.class
+ ignore_missing: true
+ - convert:
+ field: source.address
+ target_field: source.ip
+ type: ip
+ ignore_failure: true
+ ignore_missing: true
+ - set:
+ field: client
+ copy_from: source
+ ignore_empty_value: true
+ - convert:
+ field: destination.address
+ target_field: destination.ip
+ type: ip
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
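Review bot: The `_tmp.question.name` field is never cleaned up — `registered_domain` with `target_field: dns.question` copies from it rather than moving it, and only `_tmp.question.type` and `_tmp.question.class` are renamed away, so every indexed query event carries a stray, unmapped `_tmp` object. Add a cleanup step after the last rename: `- remove:` / `field: _tmp` / `ignore_missing: true`. The grok `on_failure: drop` also silently discards every line that does not match the query pattern, including malformed query lines; if that is intended, the `description` could say so, otherwise appending a marker to `tags` instead of dropping keeps the unparsed lines visible for triage. Separately, the top-level `on_failure` here uses `append` for `error.message` while the preceding pipeline hunk uses `set`; picking one form across the package keeps error output consistent.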
diff --git a/packages/pfsense/1.1.1/data_stream/log/fields/agent.yml b/packages/pfsense/1.1.1/data_stream/log/fields/agent.yml
new file mode 100755
index 0000000000..c961daeee1
--- /dev/null
+++ b/packages/pfsense/1.1.1/data_stream/log/fields/agent.yml
@@ -0,0 +1,207 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: hostname
+ type: keyword
+ description: Hostname from syslog header.
+- name: log.source.address
+ type: keyword
+ description: Source address of the syslog message.
+- name: process.program
+ type: keyword
+ description: Process from syslog header.
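Review bot: `example: 666777888999` under `cloud.account.id` is an unquoted plain scalar and parses as an integer, while the field is `type: keyword`; quote it as `example: "666777888999"` so tooling that renders or validates examples sees a string, matching the quoted `"18D109"` and `"stretch"` examples further down the file. The folded `description: >` values for `containerized`, `os.build` and `os.codename` keep a trailing newline because of the blank line that follows each one; `>-` would make them behave like the plain-scalar descriptions used everywhere else in this file.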
diff --git a/packages/pfsense/1.1.1/data_stream/log/fields/base-fields.yml b/packages/pfsense/1.1.1/data_stream/log/fields/base-fields.yml
new file mode 100755
index 0000000000..8007b1ad5b
--- /dev/null
+++ b/packages/pfsense/1.1.1/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,17 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: pfsense
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: pfsense.log
diff --git a/packages/pfsense/1.1.1/data_stream/log/fields/ecs.yml b/packages/pfsense/1.1.1/data_stream/log/fields/ecs.yml
new file mode 100755
index 0000000000..99d109782e
--- /dev/null
+++ b/packages/pfsense/1.1.1/data_stream/log/fields/ecs.yml
@@ -0,0 +1,566 @@
+- description: |-
+ Date/time when the event originated.
+ This is the date/time extracted from the event, typically representing when the event was generated by the source.
+ If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
+ Required field for all events.
+ name: '@timestamp'
+ type: date
+- description: |-
+ Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: client.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: client.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: client.as.organization.name
+ type: keyword
+- description: Bytes sent from the client to the server.
+ name: client.bytes
+ type: long
+- description: |-
+ The domain name of the client system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: client.domain
+ type: keyword
+- description: City name.
+ name: client.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ ignore_above: 1024
+ name: client.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: client.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: client.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ name: client.geo.location
+ type: geo_point
+- description: Region ISO code.
+ name: client.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: client.geo.region_name
+ type: keyword
+- description: IP address of the client (IPv4 or IPv6).
+ name: client.ip
+ type: ip
+- description: |-
+ MAC address of the client.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: client.mac
+ type: keyword
+- description: Port of the client.
+ name: client.port
+ type: long
+- description: |-
+ Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: destination.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: destination.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.as.organization.name
+ type: keyword
+- description: Bytes sent from the destination to the source.
+ name: destination.bytes
+ type: long
+- description: City name.
+ name: destination.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: destination.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: destination.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: destination.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ name: destination.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: destination.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: destination.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: destination.geo.region_name
+ type: keyword
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: The class of records being queried.
+ name: dns.question.class
+ type: keyword
+- description: |-
+ The name being queried.
+ If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
+ name: dns.question.name
+ type: keyword
+- description: |-
+ The highest registered domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: dns.question.registered_domain
+ type: keyword
+- description: |-
+ The subdomain is all of the labels under the registered_domain.
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: dns.question.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: dns.question.top_level_domain
+ type: keyword
+- description: The type of record being queried.
+ name: dns.question.type
+ type: keyword
+- description: |-
+ The type of DNS event captured, query or answer.
+ If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.
+ If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.
+ name: dns.type
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ Duration of the event in nanoseconds.
+ If event.start and event.end are known this value should be the difference between the end and start time.
+ name: event.duration
+ type: long
+- description: Unique ID to describe the event.
+ name: event.id
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ Source of the event.
+ Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
+ name: event.provider
+ type: keyword
+- description: |-
+ Reason why this event happened, according to the source.
+ This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
+ name: event.reason
+ type: keyword
+- description: |-
+ This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
+ Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+ name: event.timezone
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: Size in bytes of the request body.
+ name: http.request.body.bytes
+ type: long
+- description: |-
+ HTTP request method.
+ The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
+ name: http.request.method
+ type: keyword
+- description: Referrer for this HTTP request.
+ name: http.request.referrer
+ type: keyword
+- description: Size in bytes of the response body.
+ name: http.response.body.bytes
+ type: long
+- description: Total size in bytes of the response (body and headers).
+ name: http.response.bytes
+ type: long
+- description: |-
+ Mime type of the body of the response.
+ This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers.
+ name: http.response.mime_type
+ type: keyword
+- description: HTTP response status code.
+ name: http.response.status_code
+ type: long
+- description: HTTP version.
+ name: http.version
+ type: keyword
+- description: Type of Filebeat input.
+ name: input.type
+ type: keyword
+- description: |-
+ Original log level of the log event.
+ If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
+ Some examples are `warn`, `err`, `i`, `informational`.
+ name: log.level
+ type: keyword
+- description: |-
+ Syslog numeric priority of the event, if available.
+ According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
+ name: log.syslog.priority
+ type: long
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ Total bytes transferred in both directions.
+ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+ name: network.bytes
+ type: long
+- description: |-
+ A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
+ Learn more at https://github.com/corelight/community-id-spec.
+ name: network.community_id
+ type: keyword
+- description: |-
+ Direction of the network traffic.
+ Recommended values are:
+ * ingress
+ * egress
+ * inbound
+ * outbound
+ * internal
+ * external
+ * unknown
+
+ When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+ name: network.direction
+ type: keyword
+- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
+ name: network.iana_number
+ type: keyword
+- description: |-
+ Total packets transferred in both directions.
+ If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+ name: network.packets
+ type: long
+- description: |-
+ In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
+ The field value must be normalized to lowercase for querying.
+ name: network.protocol
+ type: keyword
+- description: |-
+ Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
+ The field value must be normalized to lowercase for querying.
+ name: network.transport
+ type: keyword
+- description: |-
+ In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
+ The field value must be normalized to lowercase for querying.
+ name: network.type
+ type: keyword
+- description: Interface name as reported by the system.
+ name: observer.ingress.interface.name
+ type: keyword
+- description: VLAN ID as reported by the observer.
+ name: observer.ingress.vlan.id
+ type: keyword
+- description: IP addresses of the observer.
+ name: observer.ip
+ type: ip
+- description: |-
+ Custom name of the observer.
+ This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
+ If no custom name is needed, the field can be left empty.
+ name: observer.name
+ type: keyword
+- description: |-
+ The type of the observer the data is coming from.
+ There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+ name: observer.type
+ type: keyword
+- description: Vendor name of the observer.
+ name: observer.vendor
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.name
+ type: keyword
+- description: Process id.
+ name: process.pid
+ type: long
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
+ name: rule.id
+ type: keyword
+- description: |-
+ Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: server.address
+ type: keyword
+- description: Bytes sent from the server to the client.
+ name: server.bytes
+ type: long
+- description: IP address of the server (IPv4 or IPv6).
+ name: server.ip
+ type: ip
+- description: Port of the server.
+ name: server.port
+ type: long
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: |-
+ The domain name of the source system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: source.domain
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ name: source.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: source.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: |-
+ MAC address of the source.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: source.mac
+ pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
+ type: keyword
+- description: |-
+ Translated ip of source based NAT sessions (e.g. internal client to internet)
+ Typically connections traversing load balancers, firewalls, or routers.
+ name: source.nat.ip
+ type: ip
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.user.full_name
+ type: keyword
+- description: Unique identifier of the user.
+ name: source.user.id
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: String indicating the cipher used during the current connection.
+ name: tls.cipher
+ type: keyword
+- description: Numeric part of the version parsed from the original string.
+ name: tls.version
+ type: keyword
+- description: Normalized lowercase protocol name parsed from original string.
+ name: tls.version_protocol
+ type: keyword
+- description: |-
+ Domain of the url, such as "www.elastic.co".
+ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+ name: url.domain
+ type: keyword
+- description: |-
+ The field contains the file extension from the original request url, excluding the leading dot.
+ The file extension is only set if it exists, as not every url has a file extension.
+ The leading period must not be included. For example, the value must be "png", not ".png".
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: url.extension
+ type: keyword
+- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.full
+ type: wildcard
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: Password of the request.
+ name: url.password
+ type: keyword
+- description: Path of the request, such as "/search".
+ name: url.path
+ type: wildcard
+- description: Port of the request, such as 443.
+ name: url.port
+ type: long
+- description: |-
+ The query field describes the query string of the request, such as "q=elasticsearch".
+ The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+ name: url.query
+ type: keyword
+- description: |-
+ Scheme of the request, such as "https".
+ Note: The `:` is not part of the scheme.
+ name: url.scheme
+ type: keyword
+- description: Username of the request.
+ name: url.username
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.domain
+ type: keyword
+- description: User email address.
+ name: user.email
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.full_name
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: Name of the device.
+ name: user_agent.device.name
+ type: keyword
+- description: Name of the user agent.
+ name: user_agent.name
+ type: keyword
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
+- description: Operating system name, including the version or code name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.os.full
+ type: keyword
+- description: Operating system name, without the version.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.os.name
+ type: keyword
+- description: Operating system version as a raw string.
+ name: user_agent.os.version
+ type: keyword
+- description: Version of the user agent.
+ name: user_agent.version
+ type: keyword
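Review bot: `ignore_above: 1024` appears only on `client.geo.continent_name`; every other `keyword` field in this file omits it, so either that one line is a leftover or the rest are missing it. Dropping it (or applying it uniformly) keeps the mapping predictable — as written, one keyword field will silently stop indexing over-long values while its siblings will not. The `source.mac` `pattern:` regex is a plain scalar beginning with `^`, which parses today, but quoting it as `pattern: '^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$'` guards against a future edit that introduces ` #` or `: ` into the expression.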
diff --git a/packages/pfsense/1.1.1/data_stream/log/fields/fields.yml b/packages/pfsense/1.1.1/data_stream/log/fields/fields.yml
new file mode 100755
index 0000000000..7a350eba17
--- /dev/null
+++ b/packages/pfsense/1.1.1/data_stream/log/fields/fields.yml
@@ -0,0 +1,256 @@
+- name: pfsense.ip
+ type: group
+ fields:
+ - name: tos
+ type: keyword
+ description: |
+ IP Type of Service identification.
+ - name: ecn
+ type: keyword
+ description: |
+ Explicit Congestion Notification.
+ - name: ttl
+ type: long
+ description: |
+ Time To Live (TTL) of the packet
+ - name: id
+ type: long
+ description: |
+ ID of the packet
+ - name: offset
+ type: long
+ description: |
+ Fragment offset
+ - name: flags
+ type: keyword
+ description: |
+ IP flags.
+ - name: flow_label
+ type: keyword
+ description: |
+ Flow label
+- name: pfsense.tcp
+ type: group
+ fields:
+ - name: flags
+ type: keyword
+ description: |
+ TCP flags.
+ - name: seq
+ type: long
+ description: |
+ TCP sequence number.
+ - name: ack
+ type: long
+ description: |
+ TCP Acknowledgment number.
+ - name: window
+ type: long
+ description: |
+ Advertised TCP window size.
+ - name: urg
+ type: keyword
+ description: |
+ Urgent pointer data.
+ - name: options
+ type: array
+ description: |
+ TCP Options.
+ - name: length
+ type: long
+ description: |
+ Length of the TCP header and payload.
+- name: pfsense.udp
+ type: group
+ fields:
+ - name: length
+ type: long
+ description: |
+ Length of the UDP header and payload.
+- name: pfsense.icmp
+ type: group
+ fields:
+ - name: type
+ type: keyword
+ description: |
+ ICMP type.
+ - name: id
+ type: long
+ description: |
+ ID of the echo request/reply
+ - name: destination.ip
+ type: ip
+ description: Original destination address of the connection that caused this notification
+ - name: mtu
+ type: long
+ description: MTU to use for subsequent data to this destination
+ - name: otime
+ type: date
+ description: Originate Timestamp
+ - name: rtime
+ type: date
+ description: Receive Timestamp
+ - name: ttime
+ type: date
+ description: Transmit Timestamp
+ - name: unreachable
+ type: group
+ fields:
+ - name: iana_number
+ type: long
+ description: |
+ Protocol ID number that was unreachable
+ - name: port
+ type: long
+ description: |
+ Port number that was unreachable
+ - name: other
+ type: keyword
+ description: |
+ Other unreachable information
+ - name: code
+ type: long
+ description: |
+ ICMP code.
+ - name: parameter
+ type: long
+ description: |
+ ICMP parameter.
+ - name: redirect
+ type: ip
+ description: |
+ ICMP redirect address.
+ - name: seq
+ type: long
+ description: |
+ ICMP sequence number.
+- name: pfsense.dhcp.hostname
+ type: keyword
+ description: |
+ Hostname of DHCP client
+- name: pfsense.openvpn.peer_info
+ type: keyword
+ description: |-
+ Information about the Open VPN client
+- name: haproxy
+ type: group
+ fields:
+ - name: frontend_name
+ type: keyword
+ description: Name of the frontend (or listener) which received and processed the connection.
+ - name: backend_name
+ type: keyword
+ description: Name of the backend (or listener) which was selected to manage the connection to the server.
+ - name: server_name
+ type: keyword
+ description: Name of the last server to which the connection was sent.
+ - name: total_waiting_time_ms
+ type: long
+ description: Total time in milliseconds spent waiting in the various queues
+ - name: connection_wait_time_ms
+ type: long
+ description: Total time in milliseconds spent waiting for the connection to establish to the final server
+ - name: bytes_read
+ type: long
+ description: Total number of bytes transmitted to the client when the log is emitted.
+ - name: time_queue
+ type: long
+ description: Total time in milliseconds spent waiting in the various queues.
+ - name: time_backend_connect
+ type: long
+ description: Total time in milliseconds spent waiting for the connection to establish to the final server, including retries.
+ - name: server_queue
+ type: long
+ description: Total number of requests which were processed before this one in the server queue.
+ - name: backend_queue
+ type: long
+ description: Total number of requests which were processed before this one in the backend's global queue.
+ - name: bind_name
+ type: keyword
+ description: Name of the listening address which received the connection.
+ - name: error_message
+ type: text
+ description: Error message logged by HAProxy in case of error.
+ - name: source
+ type: keyword
+ description: The HAProxy source of the log
+ - name: termination_state
+ type: keyword
+ description: Condition the session was in when the session ended.
+ - name: mode
+ type: keyword
+ description: mode that the frontend is operating (TCP or HTTP)
+ - name: connections
+ type: group
+ fields:
+ - name: active
+ type: long
+ description: Total number of concurrent connections on the process when the session was logged.
+ - name: frontend
+ type: long
+ description: Total number of concurrent connections on the frontend when the session was logged.
+ - name: backend
+ type: long
+ description: Total number of concurrent connections handled by the backend when the session was logged.
+ - name: server
+ type: long
+ description: Total number of concurrent connections still active on the server when the session was logged.
+ - name: retries
+ type: long
+ description: Number of connection retries experienced by this session when trying to connect to the server.
+ - name: client
+ type: group
+ - name: destination
+ type: group
+ - name: geoip
+ type: group
+- name: haproxy.http
+ type: group
+ fields:
+ - name: response
+ type: group
+ fields:
+ - name: captured_cookie
+ type: keyword
+ description: |
+ Optional "name=value" entry indicating that the client had this cookie in the response.
+ - name: captured_headers
+ type: keyword
+ description: |
+ List of headers captured in the response due to the presence of the "capture response header" statement in the frontend.
+ - name: request
+ type: group
+ fields:
+ - name: captured_cookie
+ type: keyword
+ description: |
+ Optional "name=value" entry indicating that the server has returned a cookie with its request.
+ - name: captured_headers
+ type: keyword
+ description: |
+ List of headers captured in the request due to the presence of the "capture request header" statement in the frontend.
+ - name: raw_request_line
+ type: keyword
+ description: Complete HTTP request line, including the method, request and HTTP version string.
+ - name: time_wait_without_data_ms
+ type: long
+ description: Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data.
+ - name: time_wait_ms
+ type: long
+ description: Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received.
+- name: haproxy.tcp
+ type: group
+ fields:
+ - name: connection_waiting_time_ms
+ type: long
+ description: Total time in milliseconds elapsed between the accept and the last close
+- name: squid
+ type: group
+ fields:
+ - name: request_status
+ type: keyword
+ description: |
+ The cache result code; how the cache responded to the request: HIT, MISS, and so on. Cache result codes are described [here](https://www.websense.com/content/support/library/web/v773/wcg_help/cachrslt.aspx#596301).
+ - name: hierarchy_status
+ type: keyword
+ description: The proxy hierarchy route; the route Content Gateway used to retrieve the object.
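Review bot: The two `captured_cookie` descriptions under `haproxy.http` look swapped: the `response` entry says the client had the cookie "in the response" and the `request` entry says the server "returned a cookie with its request", which is the opposite of what each field name implies. I would change them to `Optional "name=value" entry indicating that the client had this cookie in the request.` for `haproxy.http.request.captured_cookie` and `Optional "name=value" entry indicating that the server has returned a cookie with its response.` for `haproxy.http.response.captured_cookie`. Since both fields (and `captured_headers`) store raw header values, which may include session cookies or other credentials, a one-line caveat in the description such as `Captured values are indexed verbatim and may contain session identifiers; consider this when choosing what to capture in HAProxy.` would help operators decide what to capture. Separately, `haproxy.client`, `haproxy.destination` and `haproxy.geoip` are declared as groups with no `fields`; if that is intentional (populated by the HAProxy integration's own assets) a short comment saying so would avoid it being read as an omission.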
diff --git a/packages/pfsense/1.1.1/data_stream/log/manifest.yml b/packages/pfsense/1.1.1/data_stream/log/manifest.yml
new file mode 100755
index 0000000000..1b65cbac0b
--- /dev/null
+++ b/packages/pfsense/1.1.1/data_stream/log/manifest.yml
@@ -0,0 +1,140 @@
+type: logs
+title: pfSense log logs
+release: experimental
+streams:
+ - input: udp
+ template_path: udp.yml.hbs
+ title: pfSense syslog logs
+ description: Collect pfsense logs using udp input
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ description: The interface to listen to UDP based syslog traffic. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ description: The UDP port to listen for syslog traffic. Ports below 1024 require Filebeat to run as root.
+ multi: false
+ required: true
+ show_user: true
+ default: 9001
+ - name: internal_networks
+ type: text
+ title: Internal Networks
+ multi: true
+ required: false
+ show_user: true
+ default:
+ - private
+ description: The internal IP subnet(s) of the network.
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: true
+ show_user: true
+ default: local
+ description: >-
+ By default, datetimes (with no timezone) in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - pfsense
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: tcp
+ template_path: tcp.yml.hbs
+ title: pfSense syslog logs
+ description: Collect pfsense logs using tcp input
+ enabled: false
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ description: The interface to listen to TCP based syslog traffic. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ description: The TCP port to listen for syslog traffic. Ports below 1024 require Filebeat to run as root.
+ multi: false
+ required: true
+ show_user: true
+ default: 9001
+ - name: internal_networks
+ type: text
+ title: Internal Networks
+ multi: true
+ required: false
+ show_user: true
+ default:
+ - private
+ description: The internal IP subnet(s) of the network.
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: true
+ show_user: true
+ default: local
+ description: >-
+ By default, datetimes (with no timezone) in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - pfsense
+ - forwarded
+ - name: ssl
+ type: yaml
+ title: TLS configuration
+ multi: false
+ required: false
+ show_user: true
+ description: Options for enabling TLS mode. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
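Review bot: The `udp` stream has no `ssl` variable (only the `tcp` stream does) and plain syslog over UDP is unauthenticated, so any host able to send datagrams to `syslog_host:syslog_port` can inject records that are indexed as pfSense firewall events, with a trivially spoofable sender address; the `syslog_host` description only explains how to bind to all interfaces. I would extend that description with `Restrict reachability of this port (host firewall or network ACL) to the firewall's address: UDP syslog is unauthenticated and the sender address can be spoofed; prefer the TCP input with TLS where the firewall supports it.` The `syslog_port` description recommends running as root for ports below 1024; a note that keeping the default high port (or granting only a bind capability, where the deployment supports it) is preferable to running the agent as root would be a useful caveat. Both `tz_offset` descriptions end with "from UCT", which should read "from UTC".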
diff --git a/packages/pfsense/1.1.1/data_stream/log/sample_event.json b/packages/pfsense/1.1.1/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..e40849bf2d
--- /dev/null
+++ b/packages/pfsense/1.1.1/data_stream/log/sample_event.json
@@ -0,0 +1,135 @@
+{
+ "@timestamp": "2021-07-04T00:10:14.578Z",
+ "agent": {
+ "ephemeral_id": "54ce1a5f-64b9-4475-9d01-4d9fb46c22ba",
+ "id": "1db51880-bfd3-4297-9dd1-f3def809da25",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.2.0"
+ },
+ "data_stream": {
+ "dataset": "pfsense.log",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "address": "175.16.199.1",
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
+ "ip": "175.16.199.1",
+ "port": 853
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "elastic_agent": {
+ "id": "1db51880-bfd3-4297-9dd1-f3def809da25",
+ "snapshot": false,
+ "version": "8.2.0"
+ },
+ "event": {
+ "action": "block",
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "dataset": "pfsense.log",
+ "ingested": "2022-06-29T13:24:24Z",
+ "kind": "event",
+ "original": "\u003c134\u003e1 2021-07-03T19:10:14.578288-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale",
+ "provider": "filterlog",
+ "reason": "match",
+ "timezone": "-05:00",
+ "type": [
+ "connection",
+ "denied"
+ ]
+ },
+ "input": {
+ "type": "tcp"
+ },
+ "log": {
+ "source": {
+ "address": "192.168.128.4:52326"
+ },
+ "syslog": {
+ "priority": 134
+ }
+ },
+ "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale",
+ "network": {
+ "bytes": 60,
+ "community_id": "1:pOXVyPJTFJI5seusI/UD6SwvBjg=",
+ "direction": "in",
+ "iana_number": "6",
+ "transport": "tcp",
+ "type": "ipv4"
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "igb1.12"
+ },
+ "vlan": {
+ "id": "12"
+ }
+ },
+ "name": "pfSense.example.com",
+ "type": "firewall",
+ "vendor": "netgate"
+ },
+ "pfsense": {
+ "ip": {
+ "flags": "DF",
+ "id": 32989,
+ "offset": 0,
+ "tos": "0x0",
+ "ttl": 63
+ },
+ "tcp": {
+ "flags": "S",
+ "length": 0,
+ "options": [
+ "mss",
+ "sackOK",
+ "TS",
+ "nop",
+ "wscale"
+ ],
+ "window": 64240
+ }
+ },
+ "process": {
+ "name": "filterlog",
+ "pid": 72237
+ },
+ "related": {
+ "ip": [
+ "175.16.199.1",
+ "10.170.12.50"
+ ]
+ },
+ "rule": {
+ "id": "1535324496"
+ },
+ "source": {
+ "address": "10.170.12.50",
+ "ip": "10.170.12.50",
+ "port": 49652
+ },
+ "tags": [
+ "preserve_original_event",
+ "pfsense",
+ "forwarded"
+ ]
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/docs/README.md b/packages/pfsense/1.1.1/docs/README.md
new file mode 100755
index 0000000000..4eeec9597f
--- /dev/null
+++ b/packages/pfsense/1.1.1/docs/README.md
@@ -0,0 +1,431 @@
+# pfSense Integration
+
+This is an integration to parse certain logs from [pfSense and OPNsense firewalls](https://docs.netgate.com/pfsense/en/latest/). It parses logs received over the network via syslog (UDP/TCP/TLS). pfSense natively only supports UDP. OPNsense supports all 3 transports.
+
+Currently the integration supports parsing the Firewall, Unbound, DHCP Daemon, OpenVPN, IPsec, HAProxy, Squid, and PHP-FPM (Authentication) logs.
+All other events will be dropped.
+The HAProxy logs are setup to be compatible with the dashboards from the HAProxy integration. Install the HAPrxoy integration assets to use them.
+
+## pfSense Setup
+1. Navigate to _Status -> System Logs_, then click on _Settings_
+2. At the bottom check _Enable Remote Logging_
+3. (Optional) Select a specific interface to use for forwarding
+4. Input the agent IP address and port as set via the integration config into the field _Remote log servers_ (e.g. 192.168.100.50:5140)
+5. Under _Remote Syslog Contents_ select what logs to forward to the agent
+ * Select _Everything_ to forward all logs to the agent or select the individual services to forward. Any log entry not in the list above will be dropped. This will cause additional data to be sent to the agent and Elasticsearch. The firewall, VPN, DHCP, DNS, and Authentication (PHP-FPM) logs are able to be individually selected. In order to collect HAProxy and Squid or other "package" logs, the _Everything_ option must be selected.
+
+## OPNsense Setup
+1. Navigate to _System -> Settings -> Logging/Targets_
+2. Add a new _Logging/Target_ (Click the plus icon)
+ - Transport = UDP or TCP or TLS
+ - Applications = Select a list of applications to send to remote syslog. Leave empty for all.
+ - Levels = Nothing Selected
+ - Facilities = Nothing Selected
+ - Hostname = IP of Elastic agent as configured in the integration config
+ - Port = Port of Elastic agent as configured in the integration config
+ - Certificate = Client certificate to use (when selecting a tls transport type)
+ - Description = Syslog to Elasticsearch
+ - Click Save
+
+ The module is by default configured to run with the `udp` input on port `9001`.
+
+**Important**
+The pfSense integration supports both the BSD logging format (used by pfSense by default and OPNsense) and the Syslog format (optional for pfSense).
+However the syslog format is recommended. It will provide the firewall hostname and timestamps with timezone information.
+When using the BSD format, the `Timezone Offset` config must be set when deploying the agent or else the timezone will default to the timezone of the agent. See `https:///status_logs_settings.php` and https://docs.netgate.com/pfsense/en/latest/monitoring/logs/settings.html for more information.
+
+A huge thanks to [a3ilson](https://github.com/a3ilson) for the https://github.com/pfelk/pfelk repo, which is the foundation for the majority of the grok patterns and dashboards in this integration.
+
+## Logs
+
+### pfSense log
+
+This is the pfSense `log` dataset.
+
+An example event for `log` looks as following:
+
+```json
+{
+ "@timestamp": "2021-07-04T00:10:14.578Z",
+ "agent": {
+ "ephemeral_id": "54ce1a5f-64b9-4475-9d01-4d9fb46c22ba",
+ "id": "1db51880-bfd3-4297-9dd1-f3def809da25",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.2.0"
+ },
+ "data_stream": {
+ "dataset": "pfsense.log",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "address": "175.16.199.1",
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
+ "ip": "175.16.199.1",
+ "port": 853
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "elastic_agent": {
+ "id": "1db51880-bfd3-4297-9dd1-f3def809da25",
+ "snapshot": false,
+ "version": "8.2.0"
+ },
+ "event": {
+ "action": "block",
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "dataset": "pfsense.log",
+ "ingested": "2022-06-29T13:24:24Z",
+ "kind": "event",
+ "original": "\u003c134\u003e1 2021-07-03T19:10:14.578288-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale",
+ "provider": "filterlog",
+ "reason": "match",
+ "timezone": "-05:00",
+ "type": [
+ "connection",
+ "denied"
+ ]
+ },
+ "input": {
+ "type": "tcp"
+ },
+ "log": {
+ "source": {
+ "address": "192.168.128.4:52326"
+ },
+ "syslog": {
+ "priority": 134
+ }
+ },
+ "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale",
+ "network": {
+ "bytes": 60,
+ "community_id": "1:pOXVyPJTFJI5seusI/UD6SwvBjg=",
+ "direction": "in",
+ "iana_number": "6",
+ "transport": "tcp",
+ "type": "ipv4"
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "igb1.12"
+ },
+ "vlan": {
+ "id": "12"
+ }
+ },
+ "name": "pfSense.example.com",
+ "type": "firewall",
+ "vendor": "netgate"
+ },
+ "pfsense": {
+ "ip": {
+ "flags": "DF",
+ "id": 32989,
+ "offset": 0,
+ "tos": "0x0",
+ "ttl": 63
+ },
+ "tcp": {
+ "flags": "S",
+ "length": 0,
+ "options": [
+ "mss",
+ "sackOK",
+ "TS",
+ "nop",
+ "wscale"
+ ],
+ "window": 64240
+ }
+ },
+ "process": {
+ "name": "filterlog",
+ "pid": 72237
+ },
+ "related": {
+ "ip": [
+ "175.16.199.1",
+ "10.170.12.50"
+ ]
+ },
+ "rule": {
+ "id": "1535324496"
+ },
+ "source": {
+ "address": "10.170.12.50",
+ "ip": "10.170.12.50",
+ "port": 49652
+ },
+ "tags": [
+ "preserve_original_event",
+ "pfsense",
+ "forwarded"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| client.as.organization.name | Organization name. | keyword |
+| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text |
+| client.bytes | Bytes sent from the client to the server. | long |
+| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| client.geo.city_name | City name. | keyword |
+| client.geo.continent_name | Name of the continent. | keyword |
+| client.geo.country_iso_code | Country ISO code. | keyword |
+| client.geo.country_name | Country name. | keyword |
+| client.geo.location | Longitude and latitude. | geo_point |
+| client.geo.region_iso_code | Region ISO code. | keyword |
+| client.geo.region_name | Region name. | keyword |
+| client.ip | IP address of the client (IPv4 or IPv6). | ip |
+| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| client.port | Port of the client. | long |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.port | Port of the destination. | long |
+| dns.question.class | The class of records being queried. | keyword |
+| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
+| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| dns.question.type | The type of record being queried. | keyword |
+| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.dataset | Event dataset | constant_keyword |
+| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
+| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
+| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| haproxy.backend_name | Name of the backend (or listener) which was selected to manage the connection to the server. | keyword |
+| haproxy.backend_queue | Total number of requests which were processed before this one in the backend's global queue. | long |
+| haproxy.bind_name | Name of the listening address which received the connection. | keyword |
+| haproxy.bytes_read | Total number of bytes transmitted to the client when the log is emitted. | long |
+| haproxy.connection_wait_time_ms | Total time in milliseconds spent waiting for the connection to establish to the final server | long |
+| haproxy.connections.active | Total number of concurrent connections on the process when the session was logged. | long |
+| haproxy.connections.backend | Total number of concurrent connections handled by the backend when the session was logged. | long |
+| haproxy.connections.frontend | Total number of concurrent connections on the frontend when the session was logged. | long |
+| haproxy.connections.retries | Number of connection retries experienced by this session when trying to connect to the server. | long |
+| haproxy.connections.server | Total number of concurrent connections still active on the server when the session was logged. | long |
+| haproxy.error_message | Error message logged by HAProxy in case of error. | text |
+| haproxy.frontend_name | Name of the frontend (or listener) which received and processed the connection. | keyword |
+| haproxy.http.request.captured_cookie | Optional "name=value" entry indicating that the server has returned a cookie with its request. | keyword |
+| haproxy.http.request.captured_headers | List of headers captured in the request due to the presence of the "capture request header" statement in the frontend. | keyword |
+| haproxy.http.request.raw_request_line | Complete HTTP request line, including the method, request and HTTP version string. | keyword |
+| haproxy.http.request.time_wait_ms | Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received. | long |
+| haproxy.http.request.time_wait_without_data_ms | Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data. | long |
+| haproxy.http.response.captured_cookie | Optional "name=value" entry indicating that the client had this cookie in the response. | keyword |
+| haproxy.http.response.captured_headers | List of headers captured in the response due to the presence of the "capture response header" statement in the frontend. | keyword |
+| haproxy.mode | mode that the frontend is operating (TCP or HTTP) | keyword |
+| haproxy.server_name | Name of the last server to which the connection was sent. | keyword |
+| haproxy.server_queue | Total number of requests which were processed before this one in the server queue. | long |
+| haproxy.source | The HAProxy source of the log | keyword |
+| haproxy.tcp.connection_waiting_time_ms | Total time in milliseconds elapsed between the accept and the last close | long |
+| haproxy.termination_state | Condition the session was in when the session ended. | keyword |
+| haproxy.time_backend_connect | Total time in milliseconds spent waiting for the connection to establish to the final server, including retries. | long |
+| haproxy.time_queue | Total time in milliseconds spent waiting in the various queues. | long |
+| haproxy.total_waiting_time_ms | Total time in milliseconds spent waiting in the various queues | long |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| hostname | Hostname from syslog header. | keyword |
+| http.request.body.bytes | Size in bytes of the request body. | long |
+| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
+| http.request.referrer | Referrer for this HTTP request. | keyword |
+| http.response.body.bytes | Size in bytes of the response body. | long |
+| http.response.bytes | Total size in bytes of the response (body and headers). | long |
+| http.response.mime_type | Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. | keyword |
+| http.response.status_code | HTTP response status code. | long |
+| http.version | HTTP version. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| log.source.address | Source address of the syslog message. | keyword |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
+| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
+| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword |
+| observer.ip | IP addresses of the observer. | ip |
+| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
+| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| pfsense.dhcp.hostname | Hostname of DHCP client | keyword |
+| pfsense.icmp.code | ICMP code. | long |
+| pfsense.icmp.destination.ip | Original destination address of the connection that caused this notification | ip |
+| pfsense.icmp.id | ID of the echo request/reply | long |
+| pfsense.icmp.mtu | MTU to use for subsequent data to this destination | long |
+| pfsense.icmp.otime | Originate Timestamp | date |
+| pfsense.icmp.parameter | ICMP parameter. | long |
+| pfsense.icmp.redirect | ICMP redirect address. | ip |
+| pfsense.icmp.rtime | Receive Timestamp | date |
+| pfsense.icmp.seq | ICMP sequence number. | long |
+| pfsense.icmp.ttime | Transmit Timestamp | date |
+| pfsense.icmp.type | ICMP type. | keyword |
+| pfsense.icmp.unreachable.iana_number | Protocol ID number that was unreachable | long |
+| pfsense.icmp.unreachable.other | Other unreachable information | keyword |
+| pfsense.icmp.unreachable.port | Port number that was unreachable | long |
+| pfsense.ip.ecn | Explicit Congestion Notification. | keyword |
+| pfsense.ip.flags | IP flags. | keyword |
+| pfsense.ip.flow_label | Flow label | keyword |
+| pfsense.ip.id | ID of the packet | long |
+| pfsense.ip.offset | Fragment offset | long |
+| pfsense.ip.tos | IP Type of Service identification. | keyword |
+| pfsense.ip.ttl | Time To Live (TTL) of the packet | long |
+| pfsense.openvpn.peer_info | Information about the Open VPN client | keyword |
+| pfsense.tcp.ack | TCP Acknowledgment number. | long |
+| pfsense.tcp.flags | TCP flags. | keyword |
+| pfsense.tcp.length | Length of the TCP header and payload. | long |
+| pfsense.tcp.options | TCP Options. | array |
+| pfsense.tcp.seq | TCP sequence number. | long |
+| pfsense.tcp.urg | Urgent pointer data. | keyword |
+| pfsense.tcp.window | Advertised TCP window size. | long |
+| pfsense.udp.length | Length of the UDP header and payload. | long |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.pid | Process id. | long |
+| process.program | Process from syslog header. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
+| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| server.bytes | Bytes sent from the server to the client. | long |
+| server.ip | IP address of the server (IPv4 or IPv6). | ip |
+| server.port | Port of the server. | long |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.port | Port of the source. | long |
+| source.user.full_name | User's full name, if available. | keyword |
+| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text |
+| source.user.id | Unique identifier of the user. | keyword |
+| squid.hierarchy_status | The proxy hierarchy route; the route Content Gateway used to retrieve the object. | keyword |
+| squid.request_status | The cache result code; how the cache responded to the request: HIT, MISS, and so on. Cache result codes are described [here](https://www.websense.com/content/support/library/web/v773/wcg_help/cachrslt.aspx#596301). | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| tls.cipher | String indicating the cipher used during the current connection. | keyword |
+| tls.version | Numeric part of the version parsed from the original string. | keyword |
+| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| url.full.text | Multi-field of `url.full`. | match_only_text |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
+| url.password | Password of the request. | keyword |
+| url.path | Path of the request, such as "/search". | wildcard |
+| url.port | Port of the request, such as 443. | long |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| url.username | Username of the request. | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.email | User email address. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user_agent.device.name | Name of the device. | keyword |
+| user_agent.name | Name of the user agent. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+| user_agent.os.full | Operating system name, including the version or code name. | keyword |
+| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
+| user_agent.os.name | Operating system name, without the version. | keyword |
+| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
+| user_agent.os.version | Operating system version as a raw string. | keyword |
+| user_agent.version | Version of the user agent. | keyword |
+
diff --git a/packages/pfsense/1.1.1/img/dhcp.png b/packages/pfsense/1.1.1/img/dhcp.png
new file mode 100755
index 0000000000..3f73f8f3f4
Binary files /dev/null and b/packages/pfsense/1.1.1/img/dhcp.png differ
diff --git a/packages/pfsense/1.1.1/img/firewall.png b/packages/pfsense/1.1.1/img/firewall.png
new file mode 100755
index 0000000000..c98b30b09d
Binary files /dev/null and b/packages/pfsense/1.1.1/img/firewall.png differ
diff --git a/packages/pfsense/1.1.1/img/pfsense.svg b/packages/pfsense/1.1.1/img/pfsense.svg
new file mode 100755
index 0000000000..f63b99ab31
--- /dev/null
+++ b/packages/pfsense/1.1.1/img/pfsense.svg
@@ -0,0 +1,22 @@
+
+
diff --git a/packages/pfsense/1.1.1/img/unbound-1.png b/packages/pfsense/1.1.1/img/unbound-1.png
new file mode 100755
index 0000000000..cc53e8aa49
Binary files /dev/null and b/packages/pfsense/1.1.1/img/unbound-1.png differ
diff --git a/packages/pfsense/1.1.1/img/unbound-2.png b/packages/pfsense/1.1.1/img/unbound-2.png
new file mode 100755
index 0000000000..eaa51ee3df
Binary files /dev/null and b/packages/pfsense/1.1.1/img/unbound-2.png differ
diff --git a/packages/pfsense/1.1.1/img/unbound-3.png b/packages/pfsense/1.1.1/img/unbound-3.png
new file mode 100755
index 0000000000..838bfdc6bf
Binary files /dev/null and b/packages/pfsense/1.1.1/img/unbound-3.png differ
diff --git a/packages/pfsense/1.1.1/kibana/dashboard/pfsense-986061c0-3a9a-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/dashboard/pfsense-986061c0-3a9a-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..47067b4828
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/dashboard/pfsense-986061c0-3a9a-11eb-96b2-e765737b7534.json
@@ -0,0 +1,62 @@
+{
+ "attributes": {
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
+ "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"73294aad-e475-4a63-97d1-fc214a83bb0a\",\"w\":34,\"x\":0,\"y\":0},\"panelIndex\":\"73294aad-e475-4a63-97d1-fc214a83bb0a\",\"panelRefName\":\"panel_73294aad-e475-4a63-97d1-fc214a83bb0a\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"46725bb5-e239-4fa2-8dfd-4de947863354\",\"w\":14,\"x\":34,\"y\":0},\"panelIndex\":\"46725bb5-e239-4fa2-8dfd-4de947863354\",\"panelRefName\":\"panel_46725bb5-e239-4fa2-8dfd-4de947863354\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"f39b1b4c-b444-4d25-a8c5-a78b6285025f\",\"w\":14,\"x\":34,\"y\":6},\"panelIndex\":\"f39b1b4c-b444-4d25-a8c5-a78b6285025f\",\"panelRefName\":\"panel_f39b1b4c-b444-4d25-a8c5-a78b6285025f\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"a7662c6e-94d5-4062-85f4-0132897f3578\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"a7662c6e-94d5-4062-85f4-0132897f3578\",\"panelRefName\":\"panel_a7662c6e-94d5-4062-85f4-0132897f3578\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"763610d2-c8aa-4ab9-9a63-112e2471dcfc\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"763610d2-c8aa-4ab9-9a63-112e2471dcfc\",\"panelRefName\":\"panel_763610d2-c8aa-4ab9-9a63-112e2471dcfc\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"27569da9-7531-40cf-be93-8778738b68be\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"27569da9-7531-40cf-be93-8778738b68be\",\"panelRefName\":\"panel_27569da9-7531-40cf-be93-8778738b68be\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"columns\":[\"log.level\",\"clien
t.ip\",\"dns.question.name\",\"dns.question.type\",\"dns.question.class\"],\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"7ea4ebda-9d0c-4885-9c37-71cd0665497f\",\"w\":30,\"x\":0,\"y\":46},\"panelIndex\":\"7ea4ebda-9d0c-4885-9c37-71cd0665497f\",\"panelRefName\":\"panel_7ea4ebda-9d0c-4885-9c37-71cd0665497f\",\"type\":\"search\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"6a32114d-577c-488b-b1e9-b7b4fc8941ae\",\"w\":18,\"x\":30,\"y\":46},\"panelIndex\":\"6a32114d-577c-488b-b1e9-b7b4fc8941ae\",\"panelRefName\":\"panel_6a32114d-577c-488b-b1e9-b7b4fc8941ae\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"}]",
+ "timeRestore": false,
+ "title": "Unbound - Dashboard [pfSense]",
+ "version": 1
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-986061c0-3a9a-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "dashboard": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534",
+ "name": "73294aad-e475-4a63-97d1-fc214a83bb0a:panel_73294aad-e475-4a63-97d1-fc214a83bb0a",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56",
+ "name": "46725bb5-e239-4fa2-8dfd-4de947863354:panel_46725bb5-e239-4fa2-8dfd-4de947863354",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534",
+ "name": "f39b1b4c-b444-4d25-a8c5-a78b6285025f:panel_f39b1b4c-b444-4d25-a8c5-a78b6285025f",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-77eaf920-3a98-11eb-96b2-e765737b7534",
+ "name": "a7662c6e-94d5-4062-85f4-0132897f3578:panel_a7662c6e-94d5-4062-85f4-0132897f3578",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-98775710-3a98-11eb-96b2-e765737b7534",
+ "name": "763610d2-c8aa-4ab9-9a63-112e2471dcfc:panel_763610d2-c8aa-4ab9-9a63-112e2471dcfc",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-5b553450-3a99-11eb-96b2-e765737b7534",
+ "name": "27569da9-7531-40cf-be93-8778738b68be:panel_27569da9-7531-40cf-be93-8778738b68be",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4",
+ "name": "7ea4ebda-9d0c-4885-9c37-71cd0665497f:panel_7ea4ebda-9d0c-4885-9c37-71cd0665497f",
+ "type": "search"
+ },
+ {
+ "id": "pfsense-f554afa0-3a98-11eb-96b2-e765737b7534",
+ "name": "6a32114d-577c-488b-b1e9-b7b4fc8941ae:panel_6a32114d-577c-488b-b1e9-b7b4fc8941ae",
+ "type": "visualization"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/dashboard/pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/dashboard/pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..7bb13ddc75
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/dashboard/pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534.json
@@ -0,0 +1,82 @@
+{
+ "attributes": {
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
+ "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"e0fb8e49-4af8-4958-9d55-8db1ed6cad2b\",\"w\":16,\"x\":0,\"y\":7},\"panelIndex\":\"e0fb8e49-4af8-4958-9d55-8db1ed6cad2b\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"82ed451e-8ee1-41a5-9aea-ffbd723c86cc\",\"w\":17,\"x\":16,\"y\":0},\"panelIndex\":\"82ed451e-8ee1-41a5-9aea-ffbd723c86cc\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"d2c26a96-ad50-4155-a67e-b6559246c302\",\"w\":15,\"x\":33,\"y\":0},\"panelIndex\":\"d2c26a96-ad50-4155-a67e-b6559246c302\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"9db410fe-e1b3-46d1-9e9b-828f3cec05dd\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"9db410fe-e1b3-46d1-9e9b-828f3cec05dd\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"20a6aca9-2a7c-4b4a-8bd4-f2e9ae5d6249\",\"w\":15,\"x\":33,\"y\":7},\"panelIndex\":\"20a6aca9-2a7c-4b4a-8bd4-f2e9ae5d6249\",\"panelRefName\":\"panel_4\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"c2fbea99-8684-446a-a570-48bcbb9f1c39\",\"w\":33,\"x\":0,\"y\":14},\"panelIndex\":\"c2fbea99-8684-446a-a570-48bcbb9f1c39\",\"panelRefName\":\"panel_5\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"f4ceeef3-255f-4a1d-85f3-0635aa6a0772\",\"w\":15,\"x\":33,\"y\":14},\"panelIndex\":\"f4ceeef3-255f-4a1d-85f3-0635aa6a0772\",\"panelRefName\":\"panel_6\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a49d8775-3fc1-4b7b-8e8b-26c9e8705b6a\",\"w\":33,\"x\":0,\"y\":28},\"panelIndex\":\"a49d8775-3fc1-4b7b-8e8b-26c9e8705b6a\",\"panelRefName\":\"panel_7\",\"version\"
:\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"60b4467b-8227-41de-b5ec-00c860793819\",\"w\":15,\"x\":33,\"y\":28},\"panelIndex\":\"60b4467b-8227-41de-b5ec-00c860793819\",\"panelRefName\":\"panel_8\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"columns\":[\"observer.name\",\"observer.ingress.vlan.id\",\"source.ip\",\"source.port\",\"destination.ip\",\"destination.port\",\"rule.id\",\"event.action\"],\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"290350f0-e295-4441-8228-2f7c74fc8a0c\",\"w\":48,\"x\":0,\"y\":43},\"panelIndex\":\"290350f0-e295-4441-8228-2f7c74fc8a0c\",\"panelRefName\":\"panel_9\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"b5d79638-384f-411b-a5c9-0d5aea67c08f\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"b5d79638-384f-411b-a5c9-0d5aea67c08f\",\"panelRefName\":\"panel_10\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"20537b1f-8d42-4522-8f9e-8e6fbccca58a\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"20537b1f-8d42-4522-8f9e-8e6fbccca58a\",\"panelRefName\":\"panel_11\",\"version\":\"7.11.0\"}]",
+ "timeRestore": false,
+ "title": "Firewall - Dashboard [pfSense]",
+ "version": 1
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "dashboard": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534",
+ "name": "panel_0",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-274304d0-3a8f-11eb-96b2-e765737b7534",
+ "name": "panel_1",
+ "type": "lens"
+ },
+ {
+ "id": "pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534",
+ "name": "panel_2",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56",
+ "name": "panel_3",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534",
+ "name": "panel_4",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534",
+ "name": "panel_5",
+ "type": "lens"
+ },
+ {
+ "id": "pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534",
+ "name": "panel_6",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534",
+ "name": "panel_7",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534",
+ "name": "panel_8",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534",
+ "name": "panel_9",
+ "type": "search"
+ },
+ {
+ "id": "pfsense-b1545340-3a8f-11eb-96b2-e765737b7534",
+ "name": "panel_10",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534",
+ "name": "panel_11",
+ "type": "visualization"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
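Review bot: The dashboard-level `searchSourceJSON` at the top of this hunk has `"filter":[]` and an empty query, so the two `lens` panels it references (`panel_1` and `panel_5`) are scoped only by their own saved state, which in this same change is the bare `logs-*` index pattern with no `data_stream.dataset` constraint. The saved search referenced as `panel_9` does carry the `data_stream.dataset: pfsense.log` phrase filter, so on a cluster with other `logs-*` datasets the Lens charts and the Discover panel will disagree about what "firewall events" means. Consider either pinning a `data_stream.dataset: pfsense.log` phrase filter in the dashboard's `searchSourceJSON` (with the matching `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index` reference), or adding the filter to each Lens object. Whether the remaining `visualization` panels are filtered depends on their saved-search references, which are not all visible here.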
diff --git a/packages/pfsense/1.1.1/kibana/dashboard/pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/dashboard/pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..133ffa4a16
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/dashboard/pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534.json
@@ -0,0 +1,67 @@
+{
+ "attributes": {
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
+ "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":22,\"i\":\"2b46d706-0288-4541-8880-ccb2efeeee92\",\"w\":35,\"x\":0,\"y\":0},\"panelIndex\":\"2b46d706-0288-4541-8880-ccb2efeeee92\",\"panelRefName\":\"panel_2b46d706-0288-4541-8880-ccb2efeeee92\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"6018121a-9303-4c73-9c96-d23362cdc74d\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"6018121a-9303-4c73-9c96-d23362cdc74d\",\"panelRefName\":\"panel_6018121a-9303-4c73-9c96-d23362cdc74d\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082\",\"panelRefName\":\"panel_b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"d9f98967-4e91-4eef-9a43-9caaeeebe6f8\",\"w\":13,\"x\":35,\"y\":14},\"panelIndex\":\"d9f98967-4e91-4eef-9a43-9caaeeebe6f8\",\"panelRefName\":\"panel_d9f98967-4e91-4eef-9a43-9caaeeebe6f8\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"20e8c75c-3e93-42ab-b5c5-6ad814b64151\",\"w\":32,\"x\":0,\"y\":22},\"panelIndex\":\"20e8c75c-3e93-42ab-b5c5-6ad814b64151\",\"panelRefName\":\"panel_20e8c75c-3e93-42ab-b5c5-6ad814b64151\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"5b500115-4722-432b-8d67-38b1a948c1d5\",\"w\":16,\"x\":32,\"y\":22},\"panelIndex\":\"5b500115-4722-432b-8d67-38b1a948c1d5\",\"panelRefName\":\"panel_5b500115-4722-432b-8d67-38b1a948c1d5\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"aa85065f-1b07-468c-b264-1231b59be97b\
",\"w\":16,\"x\":0,\"y\":36},\"panelIndex\":\"aa85065f-1b07-468c-b264-1231b59be97b\",\"panelRefName\":\"panel_aa85065f-1b07-468c-b264-1231b59be97b\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5\",\"w\":32,\"x\":16,\"y\":36},\"panelIndex\":\"22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5\",\"panelRefName\":\"panel_22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"columns\":[\"observer.name\",\"observer.ingress.interface.name\",\"event.action\",\"client.ip\",\"client.mac\",\"pfsense.dhcp.hostname\"],\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"73ea92c6-7373-4121-a255-1ed2e43010c1\",\"w\":48,\"x\":0,\"y\":50},\"panelIndex\":\"73ea92c6-7373-4121-a255-1ed2e43010c1\",\"panelRefName\":\"panel_73ea92c6-7373-4121-a255-1ed2e43010c1\",\"type\":\"search\",\"version\":\"7.10.0\"}]",
+ "timeRestore": false,
+ "title": "DHCP - Dashboard [pfSense]",
+ "version": 1
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "dashboard": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534",
+ "name": "2b46d706-0288-4541-8880-ccb2efeeee92:panel_2b46d706-0288-4541-8880-ccb2efeeee92",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534",
+ "name": "6018121a-9303-4c73-9c96-d23362cdc74d:panel_6018121a-9303-4c73-9c96-d23362cdc74d",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56",
+ "name": "b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082:panel_b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534",
+ "name": "d9f98967-4e91-4eef-9a43-9caaeeebe6f8:panel_d9f98967-4e91-4eef-9a43-9caaeeebe6f8",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-457371f0-3afe-11eb-96b2-e765737b7534",
+ "name": "20e8c75c-3e93-42ab-b5c5-6ad814b64151:panel_20e8c75c-3e93-42ab-b5c5-6ad814b64151",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534",
+ "name": "5b500115-4722-432b-8d67-38b1a948c1d5:panel_5b500115-4722-432b-8d67-38b1a948c1d5",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-9990cd00-3afe-11eb-96b2-e765737b7534",
+ "name": "aa85065f-1b07-468c-b264-1231b59be97b:panel_aa85065f-1b07-468c-b264-1231b59be97b",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-072449e0-3a9c-11eb-96b2-e765737b7534",
+ "name": "22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5:panel_22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5",
+ "type": "visualization"
+ },
+ {
+ "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534",
+ "name": "73ea92c6-7373-4121-a255-1ed2e43010c1:panel_73ea92c6-7373-4121-a255-1ed2e43010c1",
+ "type": "search"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/lens/pfsense-274304d0-3a8f-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/lens/pfsense-274304d0-3a8f-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..0e6f2067c4
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/lens/pfsense-274304d0-3a8f-11eb-96b2-e765737b7534.json
@@ -0,0 +1,87 @@
+{
+ "attributes": {
+ "description": "Treemap depicting the top 10 countries by destination ",
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "d77ab0e4-c2c2-4fb4-bd98-63c13ade7778": {
+ "columnOrder": [
+ "9d13ff42-0a6d-4cb4-bff4-bbd64836de35",
+ "57fc4315-85f4-4449-a8bd-308ec2e81e68"
+ ],
+ "columns": {
+ "57fc4315-85f4-4449-a8bd-308ec2e81e68": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "scale": "ratio",
+ "sourceField": "Records"
+ },
+ "9d13ff42-0a6d-4cb4-bff4-bbd64836de35": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top values of destination.geo.country_name",
+ "operationType": "terms",
+ "params": {
+ "orderBy": {
+ "columnId": "57fc4315-85f4-4449-a8bd-308ec2e81e68",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "destination.geo.country_name"
+ }
+ }
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "groups": [
+ "9d13ff42-0a6d-4cb4-bff4-bbd64836de35"
+ ],
+ "layerId": "d77ab0e4-c2c2-4fb4-bd98-63c13ade7778",
+ "legendDisplay": "default",
+ "metric": "57fc4315-85f4-4449-a8bd-308ec2e81e68",
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "percentDecimals": 0
+ }
+ ],
+ "shape": "treemap"
+ }
+ },
+ "title": "Firewall - Top Destination Countries/Treemap (Lens) [pfSense]",
+ "visualizationType": "lnsPie"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-274304d0-3a8f-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "lens": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-d77ab0e4-c2c2-4fb4-bd98-63c13ade7778",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "lens"
+}
\ No newline at end of file
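Review bot: The terms aggregation on `destination.geo.country_name` runs against the `logs-*` index pattern with `"filters": []` and an empty `query`, so this treemap has no `data_stream.dataset: pfsense.log` constraint and will count documents from any other dataset on the cluster that populates ECS geo fields, unlike the saved searches in this package which all carry that phrase filter. Adding the same filter object to `state.filters` (plus its index-pattern reference) would keep the chart honest when pfSense is not the only firewall feeding `logs-*`. The description also says "top 10 countries" while the terms column is configured with `"size": 5`, and it has a trailing space; `"description": "Treemap depicting the top 5 destination countries by event count"` would match the configuration.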
diff --git a/packages/pfsense/1.1.1/kibana/lens/pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/lens/pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..02f2a08f36
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/lens/pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534.json
@@ -0,0 +1,118 @@
+{
+ "attributes": {
+ "description": "Events over time line chart utilizing the LENS virtualization",
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "25e5682a-0461-46dc-aa0a-7ad4cec0eade": {
+ "columnOrder": [
+ "f718697e-acee-4bfd-99f4-3406e224ed7f",
+ "440112fe-405a-4b46-840e-2b9772961acc",
+ "31549313-ebc1-427a-9913-3f6f78594221"
+ ],
+ "columns": {
+ "31549313-ebc1-427a-9913-3f6f78594221": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "scale": "ratio",
+ "sourceField": "Records"
+ },
+ "440112fe-405a-4b46-840e-2b9772961acc": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "f718697e-acee-4bfd-99f4-3406e224ed7f": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top values of event.action",
+ "operationType": "terms",
+ "params": {
+ "orderBy": {
+ "columnId": "31549313-ebc1-427a-9913-3f6f78594221",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "event.action"
+ }
+ }
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "layers": [
+ {
+ "accessors": [
+ "31549313-ebc1-427a-9913-3f6f78594221"
+ ],
+ "layerId": "25e5682a-0461-46dc-aa0a-7ad4cec0eade",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "splitAccessor": "f718697e-acee-4bfd-99f4-3406e224ed7f",
+ "xAccessor": "440112fe-405a-4b46-840e-2b9772961acc"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "line",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ }
+ }
+ },
+ "title": "Firewall - Events/Time (Lens) [pfSense]",
+ "visualizationType": "lnsXY"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "lens": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-25e5682a-0461-46dc-aa0a-7ad4cec0eade",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "lens"
+}
\ No newline at end of file
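Review bot: This Lens chart splits a date histogram by `event.action` over the `logs-*` index pattern with `"filters": []` and an empty `query`, and `event.action` is a generic ECS field, so the series will silently mix in actions from every other dataset on the cluster rather than only pfSense filterlog events. Adding the `data_stream.dataset: pfsense.log` phrase filter used by the package's saved searches to `state.filters` (with its index-pattern reference) would scope it correctly. Separately, the description reads "LENS virtualization"; `"description": "Events over time line chart built with Lens"` fixes the typo.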
diff --git a/packages/pfsense/1.1.1/kibana/search/pfsense-22edf800-3a8e-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/search/pfsense-22edf800-3a8e-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..a455496aa4
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/search/pfsense-22edf800-3a8e-11eb-96b2-e765737b7534.json
@@ -0,0 +1,36 @@
+{
+ "attributes": {
+ "columns": [],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.provider\",\"negate\":false,\"params\":{\"query\":\"filterlog\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.provider\":\"filterlog\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
+ },
+ "sort": [],
+ "title": "Firewall - Discover [pfSense]",
+ "version": 1
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/search/pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/search/pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..2476202065
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/search/pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534.json
@@ -0,0 +1,36 @@
+{
+ "attributes": {
+ "columns": [],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.provider\",\"negate\":false,\"params\":{\"query\":\"dhcpd\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.provider\":\"dhcpd\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
+ },
+ "sort": [],
+ "title": "DHCP - Discover [pfSense]",
+ "version": 1
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/search/pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4.json b/packages/pfsense/1.1.1/kibana/search/pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4.json
new file mode 100755
index 0000000000..133d3caa85
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/search/pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4.json
@@ -0,0 +1,36 @@
+{
+ "attributes": {
+ "columns": [],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.provider\",\"negate\":false,\"params\":{\"query\":\"unbound\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.provider\":\"unbound\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
+ },
+ "sort": [],
+ "title": "Unbound - Discover [pfSense]",
+ "version": 1
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-072449e0-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-072449e0-3a9c-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..e672a59a66
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-072449e0-3a9c-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "DHCP - Client IP/Time [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"DHCP - Client IP/Time\",\"type\":\"histogram\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-072449e0-3a9c-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..75f6a89eae
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534.json
@@ -0,0 +1,30 @@
+{
+ "attributes": {
+ "description": "Select by interface alias",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Interface Selector [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"observer.ingress.interface.name\",\"id\":\"1607565832669\",\"indexPatternRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"label\":\"Interface Selector\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Interface Selector\",\"type\":\"input_control_vis\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..a3ebaa5ea7
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "Unbound dns question types",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Unbound - Question Types [pfSense]",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"top\",\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Unbound - Question Types [pfSense]\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56.json
new file mode 100755
index 0000000000..7f73b1e962
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56.json
@@ -0,0 +1,30 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Firewall Selector [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"observer.name\",\"id\":\"1613404486264\",\"indexPatternRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"label\":\"Firewall Selector\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Firewall Selector\",\"type\":\"input_control_vis\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-457371f0-3afe-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-457371f0-3afe-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..bfc06cc851
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-457371f0-3afe-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "DHCP - Operation/Time [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-12h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"DHCP - Operation/Time\",\"type\":\"histogram\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-457371f0-3afe-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
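Review bot: The file is added with `new file mode 100755`, which gives a JSON saved object the executable bit; every other new visualization file in this series carries the same mode. These files are data read by Kibana, not scripts, so they should be committed as 100644 (`chmod -x` before committing). Each of them also ends with `\ No newline at end of file`, which is worth fixing in the same pass so later diffs stay clean.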
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..985d72a2e0
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534.json
@@ -0,0 +1,30 @@
+{
+ "attributes": {
+ "description": "Select by network transport type",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "title": "Network Transport Type [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"network.transport\",\"id\":\"1607565832669\",\"indexPatternRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"label\":\"Network Transport Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Network Transport Type\",\"type\":\"input_control_vis\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-5b553450-3a99-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-5b553450-3a99-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..cee6c25e13
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-5b553450-3a99-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "Unbound client IP over time",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Unbound - Client IP/Time [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Unbound - Client IP/Time\",\"type\":\"histogram\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-5b553450-3a99-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..44a1d15c5a
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "DHCP - Interface [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"observer.ingress.interface.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"DHCP - Interface\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-77eaf920-3a98-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-77eaf920-3a98-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..e4a8a861bc
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-77eaf920-3a98-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "Top 10 client IP unbound events",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Unbound - Top Client IPs [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Unbound - Top Client IPs\",\"type\":\"tagcloud\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-77eaf920-3a98-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..b3c6b75a69
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "Displays quantity of events based on action type",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Firewall - Event Action [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Event Action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Firewall - Event Action\",\"type\":\"metric\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-98775710-3a98-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-98775710-3a98-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..0e0841e17f
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-98775710-3a98-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "Top 10 domain name question/queries",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Unbound - Top Queries [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.registered_domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Unbound - Top Queried Domains \",\"type\":\"tagcloud\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-98775710-3a98-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
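Review bot: The visState title on L96955, `Unbound - Top Queried Domains `, carries a trailing space and does not match the saved object title `Unbound - Top Queries [pfSense]` on L96952; elsewhere in this series the two titles agree (compare L96886 with L96889). The trailing whitespace in particular is invisible in review and would survive every export/import round trip. Change the inner value to `\"title\":\"Unbound - Top Queries\"`.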
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-9990cd00-3afe-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-9990cd00-3afe-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..ed42e0ac5c
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-9990cd00-3afe-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "DHCP - Client IP [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"DHCP - Client IP\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-9990cd00-3afe-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-b1545340-3a8f-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-b1545340-3a8f-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..e5404d633a
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-b1545340-3a8f-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "Heatmap of destination countries",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Firewall - Country Destination/Heatmap [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Destination Heatmap\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Firewall - Country Destination/Heatmap\",\"type\":\"heatmap\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-b1545340-3a8f-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..0489e7a517
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "DHCP - IP/MAC Flow [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"spec\":\"{\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\n data: [\\n {\\n // query ES based on the currently selected time range and filter string\\n name: rawData\\n url: {\\n %context%: true\\n %timefield%: @timestamp\\n index: logs-*\\n body: {\\n size: 0\\n aggs: {\\n table: {\\n composite: {\\n size: 10000\\n sources: [\\n {\\n stk1: {\\n terms: {field: \\\"client.ip\\\"}\\n }\\n }\\n {\\n stk2: {\\n terms: {field: \\\"client.mac\\\"}\\n }\\n }\\n ]\\n }\\n }\\n }\\n }\\n }\\n // From the result, take just the data we are interested in\\n format: {property: \\\"aggregations.table.buckets\\\"}\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\n transform: [\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n ]\\n }\\n {\\n name: nodes\\n source: rawData\\n transform: [\\n // when a country is selected, filter out unrelated data\\n {\\n type: filter\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n }\\n // Set new key for later lookups - identifies each node\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n // instead of each table row, create two new rows,\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\n {\\n type: fold\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\n }\\n // Create a sortkey, different for stk1 and stk2 stacks.\\n // Space separator ensures proper sort order in some corner cases.\\n {\\n type: formula\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n as: sortField\\n }\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n // independently for each stack, and ensuring they are in the proper order,\\n // alphabetical from the top (reversed on the y axis)\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n field: size\\n }\\n // calculate vertical center point for each node, used to draw edges\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n ]\\n }\\n {\\n name: groups\\n source: nodes\\n transform: [\\n // combine all nodes into country groups, summing up the doc counts\\n {\\n type: aggregate\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n fields: [\\\"size\\\"]\\n ops: [\\\"sum\\\"]\\n as: [\\\"total\\\"]\\n }\\n // re-calculate the stacking y0,y1 values\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n field: total\\n }\\n // project y0 and y1 values to screen coordinates\\n // doing it once here instead of doing it several times in marks\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n // boolean flag if the label should be on the right of the stack\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\n // domain upper bound, which represents the total traffic\\n {\\n type: formula\\n expr: datum.total/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n {\\n // This is a temp lookup table with all the 'stk2' stack nodes\\n name: destinationNodes\\n source: nodes\\n transform: [\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n ]\\n }\\n {\\n name: edges\\n source: nodes\\n transform: [\\n // we only want nodes from the left 
stack\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\n {\\n type: lookup\\n from: destinationNodes\\n key: key\\n fields: [\\\"key\\\"]\\n as: [\\\"target\\\"]\\n }\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n {\\n type: linkpath\\n orient: horizontal\\n shape: diagonal\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n }\\n // A little trick to calculate the thickness of the line.\\n // The value needs to be the same as the hight of the node, but scaling\\n // size to screen's height gives inversed value because screen's Y\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n // is at the bottom. So subtracting scaled doc count from screen height\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n {\\n type: formula\\n expr: range('y')[0]-scale('y', datum.size)\\n as: strokeWidth\\n }\\n // Tooltip needs individual link's percentage of all traffic\\n {\\n type: formula\\n expr: datum.size/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n ]\\n scales: [\\n {\\n // calculates horizontal stack positioning\\n name: x\\n type: band\\n range: width\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n paddingOuter: 0.05\\n paddingInner: 0.95\\n }\\n {\\n // this scale goes up as high as the highest y1 value of all nodes\\n name: y\\n type: linear\\n range: height\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n }\\n {\\n // use rawData to ensure the colors stay the same when clicking.\\n name: color\\n type: ordinal\\n range: category\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n }\\n {\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\n name: stackNames\\n type: 
ordinal\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n }\\n ]\\n axes: [\\n {\\n // x axis should use custom label formatting to print proper stack names\\n orient: bottom\\n scale: x\\n encode: {\\n labels: {\\n update: {\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n }\\n }\\n }\\n }\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\n ]\\n marks: [\\n {\\n // draw the connecting line between stacks\\n type: path\\n name: edgeMark\\n from: {data: \\\"edges\\\"}\\n // this prevents some autosizing issues with large strokeWidth for paths\\n clip: true\\n encode: {\\n update: {\\n // By default use color of the left node, except when showing traffic\\n // from just one country, in which case use destination color.\\n stroke: [\\n {\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\n scale: color\\n field: stk2\\n }\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\n ]\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\n path: {field: \\\"path\\\"}\\n // when showing all traffic, and hovering over a country,\\n // highlight the traffic from that country.\\n strokeOpacity: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n }\\n // Ensure that the hover-selected edges show on top\\n zindex: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 
1 : 0\\n }\\n // format tooltip string\\n tooltip: {\\n signal: datum.stk1 + ' → ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n // Simple mouseover highlighting of a single line\\n hover: {\\n strokeOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw stack groups (countries)\\n type: rect\\n name: groupMark\\n from: {data: \\\"groups\\\"}\\n encode: {\\n enter: {\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n width: {scale: \\\"x\\\", band: 1}\\n }\\n update: {\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n y: {field: \\\"scaledY0\\\"}\\n y2: {field: \\\"scaledY1\\\"}\\n fillOpacity: {value: 0.6}\\n tooltip: {\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n hover: {\\n fillOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw country code labels on the inner side of the stack\\n type: text\\n from: {data: \\\"groups\\\"}\\n // don't process events for the labels - otherwise line mouseover is unclean\\n interactive: false\\n encode: {\\n update: {\\n // depending on which stack it is, position x with some padding\\n x: {\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n }\\n // middle of the group\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n // only show text label if the group's height is large enough\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\n }\\n }\\n }\\n {\\n // Create a \\\"show all\\\" button. 
Shown only when a country is selected.\\n type: group\\n data: [\\n // We need to make the button show only when groupSelector signal is true.\\n // Each mark is drawn as many times as there are elements in the backing data.\\n // Which means that if values list is empty, it will not be drawn.\\n // Here I create a data source with one empty object, and filter that list\\n // based on the signal value. This can only be done in a group.\\n {\\n name: dataForShowAll\\n values: [{}]\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n }\\n ]\\n // Set button size and positioning\\n encode: {\\n enter: {\\n xc: {signal: \\\"width/2\\\"}\\n y: {value: 30}\\n width: {value: 80}\\n height: {value: 30}\\n }\\n }\\n marks: [\\n {\\n // This group is shown as a button with rounded corners.\\n type: group\\n // mark name allows signal capturing\\n name: groupReset\\n // Only shows button if dataForShowAll has values.\\n from: {data: \\\"dataForShowAll\\\"}\\n encode: {\\n enter: {\\n cornerRadius: {value: 6}\\n fill: {value: \\\"#f5f5f5\\\"}\\n stroke: {value: \\\"#c1c1c1\\\"}\\n strokeWidth: {value: 2}\\n // use parent group's size\\n height: {\\n field: {group: \\\"height\\\"}\\n }\\n width: {\\n field: {group: \\\"width\\\"}\\n }\\n }\\n update: {\\n // groups are transparent by default\\n opacity: {value: 1}\\n }\\n hover: {\\n opacity: {value: 0.7}\\n }\\n }\\n marks: [\\n {\\n type: text\\n // if true, it will prevent clicking on the button when over text.\\n interactive: false\\n encode: {\\n enter: {\\n // center text in the paren group\\n xc: {\\n field: {group: \\\"width\\\"}\\n mult: 0.5\\n }\\n yc: {\\n field: {group: \\\"height\\\"}\\n mult: 0.5\\n offset: 2\\n }\\n align: {value: \\\"center\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n text: {value: \\\"Show All\\\"}\\n }\\n }\\n }\\n ]\\n }\\n ]\\n }\\n ]\\n signals: [\\n {\\n // used to highlight traffic to/from the same country\\n name: groupHover\\n 
value: {}\\n on: [\\n {\\n events: @groupMark:mouseover\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n ]\\n }\\n // used to filter only the data related to the selected country\\n {\\n name: groupSelector\\n value: false\\n on: [\\n {\\n // Clicking groupMark sets this signal to the filter values\\n events: @groupMark:click!\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n events: [\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n {type: \\\"dblclick\\\"}\\n ]\\n update: \\\"false\\\"\\n }\\n ]\\n }\\n ]\\n}\"},\"title\":\"DHCP - IP/MAC Flow\",\"type\":\"vega\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
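Review bot: The Vega spec's `stackNames` scale labels the two stacks `Source` and `Destination` (L97057) although the composite aggregation builds them from `client.ip` and `client.mac` (L97054), so the x axis presents an IP-to-MAC mapping as a source/destination flow. The comments in the spec ("when a country is selected", "draw country code labels", "combine all nodes into country groups") also refer to countries, which reads as leftover text from the example this spec was adapted from. Change the range to `range: [\"Client IP\", \"Client MAC\"]` and reword those comments to speak of IP and MAC nodes. The spec additionally queries `index: logs-*` with a composite bucket size of 10000 and relies on `%context%: true` to carry the dashboard's dataset filter; used on a dashboard without a `pfsense.log` filter, the request spans every `logs-*` data stream, so a `data_stream.dataset` term in the request body would make the panel self-contained and bound the data it pulls.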
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..384f395db3
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "Events over type based on network transport type",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Firewall - Network Transport/Time [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Network Transport/Time\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":true,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Firewall - Network 
Transport/Time\",\"type\":\"histogram\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..09a7a4ce7a
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "Heatmap of source countries",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Firewall - Country Source/Heatmap [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Source Heatmap\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Firewall - Country Source/Heatmap\",\"type\":\"heatmap\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..4ce6eca893
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "DHCP - Operation [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"DHCP - Operation\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..bd1ab0a445
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "Client IP \u003c-flow-\u003e dns question name",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Unbound - DNS Flow [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"spec\":\"{\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\n data: [\\n {\\n // query ES based on the currently selected time range and filter string\\n name: rawData\\n url: {\\n %context%: true\\n %timefield%: @timestamp\\n index: logs-*\\n body: {\\n size: 0\\n aggs: {\\n table: {\\n composite: {\\n size: 10000\\n sources: [\\n {\\n stk1: {\\n terms: {field: \\\"client.ip\\\"}\\n }\\n }\\n {\\n stk2: {\\n terms: {field: \\\"dns.question.name\\\"}\\n }\\n }\\n ]\\n }\\n }\\n }\\n }\\n }\\n // From the result, take just the data we are interested in\\n format: {property: \\\"aggregations.table.buckets\\\"}\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\n transform: [\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n ]\\n }\\n {\\n name: nodes\\n source: rawData\\n transform: [\\n // when a country is selected, filter out unrelated data\\n {\\n type: filter\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n }\\n // Set new key for later lookups - identifies each node\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n // instead of each table row, create two new rows,\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\n {\\n type: fold\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\n }\\n // Create a sortkey, different for stk1 and stk2 stacks.\\n // Space separator ensures proper sort order in some corner cases.\\n {\\n type: formula\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n as: sortField\\n }\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n // independently for each stack, and ensuring they are in the proper order,\\n // alphabetical from the top (reversed on the y axis)\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n field: size\\n }\\n // calculate vertical center point for each node, used to draw edges\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n ]\\n }\\n {\\n name: groups\\n source: nodes\\n transform: [\\n // combine all nodes into country groups, summing up the doc counts\\n {\\n type: aggregate\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n fields: [\\\"size\\\"]\\n ops: [\\\"sum\\\"]\\n as: [\\\"total\\\"]\\n }\\n // re-calculate the stacking y0,y1 values\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n field: total\\n }\\n // project y0 and y1 values to screen coordinates\\n // doing it once here instead of doing it several times in marks\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n // boolean flag if the label should be on the right of the stack\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\n // domain upper bound, which represents the total traffic\\n {\\n type: formula\\n expr: datum.total/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n {\\n // This is a temp lookup table with all the 'stk2' stack nodes\\n name: destinationNodes\\n source: nodes\\n transform: [\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n ]\\n }\\n {\\n name: edges\\n source: nodes\\n transform: [\\n // we only want nodes from the left 
stack\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\n {\\n type: lookup\\n from: destinationNodes\\n key: key\\n fields: [\\\"key\\\"]\\n as: [\\\"target\\\"]\\n }\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n {\\n type: linkpath\\n orient: horizontal\\n shape: diagonal\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n }\\n // A little trick to calculate the thickness of the line.\\n // The value needs to be the same as the hight of the node, but scaling\\n // size to screen's height gives inversed value because screen's Y\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n // is at the bottom. So subtracting scaled doc count from screen height\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n {\\n type: formula\\n expr: range('y')[0]-scale('y', datum.size)\\n as: strokeWidth\\n }\\n // Tooltip needs individual link's percentage of all traffic\\n {\\n type: formula\\n expr: datum.size/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n ]\\n scales: [\\n {\\n // calculates horizontal stack positioning\\n name: x\\n type: band\\n range: width\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n paddingOuter: 0.05\\n paddingInner: 0.95\\n }\\n {\\n // this scale goes up as high as the highest y1 value of all nodes\\n name: y\\n type: linear\\n range: height\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n }\\n {\\n // use rawData to ensure the colors stay the same when clicking.\\n name: color\\n type: ordinal\\n range: category\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n }\\n {\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\n name: stackNames\\n type: 
ordinal\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n }\\n ]\\n axes: [\\n {\\n // x axis should use custom label formatting to print proper stack names\\n orient: bottom\\n scale: x\\n encode: {\\n labels: {\\n update: {\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n }\\n }\\n }\\n }\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\n ]\\n marks: [\\n {\\n // draw the connecting line between stacks\\n type: path\\n name: edgeMark\\n from: {data: \\\"edges\\\"}\\n // this prevents some autosizing issues with large strokeWidth for paths\\n clip: true\\n encode: {\\n update: {\\n // By default use color of the left node, except when showing traffic\\n // from just one country, in which case use destination color.\\n stroke: [\\n {\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\n scale: color\\n field: stk2\\n }\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\n ]\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\n path: {field: \\\"path\\\"}\\n // when showing all traffic, and hovering over a country,\\n // highlight the traffic from that country.\\n strokeOpacity: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n }\\n // Ensure that the hover-selected edges show on top\\n zindex: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 
1 : 0\\n }\\n // format tooltip string\\n tooltip: {\\n signal: datum.stk1 + ' → ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n // Simple mouseover highlighting of a single line\\n hover: {\\n strokeOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw stack groups (countries)\\n type: rect\\n name: groupMark\\n from: {data: \\\"groups\\\"}\\n encode: {\\n enter: {\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n width: {scale: \\\"x\\\", band: 1}\\n }\\n update: {\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n y: {field: \\\"scaledY0\\\"}\\n y2: {field: \\\"scaledY1\\\"}\\n fillOpacity: {value: 0.6}\\n tooltip: {\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n hover: {\\n fillOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw country code labels on the inner side of the stack\\n type: text\\n from: {data: \\\"groups\\\"}\\n // don't process events for the labels - otherwise line mouseover is unclean\\n interactive: false\\n encode: {\\n update: {\\n // depending on which stack it is, position x with some padding\\n x: {\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n }\\n // middle of the group\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n // only show text label if the group's height is large enough\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\n }\\n }\\n }\\n {\\n // Create a \\\"show all\\\" button. 
Shown only when a country is selected.\\n type: group\\n data: [\\n // We need to make the button show only when groupSelector signal is true.\\n // Each mark is drawn as many times as there are elements in the backing data.\\n // Which means that if values list is empty, it will not be drawn.\\n // Here I create a data source with one empty object, and filter that list\\n // based on the signal value. This can only be done in a group.\\n {\\n name: dataForShowAll\\n values: [{}]\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n }\\n ]\\n // Set button size and positioning\\n encode: {\\n enter: {\\n xc: {signal: \\\"width/2\\\"}\\n y: {value: 30}\\n width: {value: 80}\\n height: {value: 30}\\n }\\n }\\n marks: [\\n {\\n // This group is shown as a button with rounded corners.\\n type: group\\n // mark name allows signal capturing\\n name: groupReset\\n // Only shows button if dataForShowAll has values.\\n from: {data: \\\"dataForShowAll\\\"}\\n encode: {\\n enter: {\\n cornerRadius: {value: 6}\\n fill: {value: \\\"#f5f5f5\\\"}\\n stroke: {value: \\\"#c1c1c1\\\"}\\n strokeWidth: {value: 2}\\n // use parent group's size\\n height: {\\n field: {group: \\\"height\\\"}\\n }\\n width: {\\n field: {group: \\\"width\\\"}\\n }\\n }\\n update: {\\n // groups are transparent by default\\n opacity: {value: 1}\\n }\\n hover: {\\n opacity: {value: 0.7}\\n }\\n }\\n marks: [\\n {\\n type: text\\n // if true, it will prevent clicking on the button when over text.\\n interactive: false\\n encode: {\\n enter: {\\n // center text in the paren group\\n xc: {\\n field: {group: \\\"width\\\"}\\n mult: 0.5\\n }\\n yc: {\\n field: {group: \\\"height\\\"}\\n mult: 0.5\\n offset: 2\\n }\\n align: {value: \\\"center\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n text: {value: \\\"Show All\\\"}\\n }\\n }\\n }\\n ]\\n }\\n ]\\n }\\n ]\\n signals: [\\n {\\n // used to highlight traffic to/from the same country\\n name: groupHover\\n 
value: {}\\n on: [\\n {\\n events: @groupMark:mouseover\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n ]\\n }\\n // used to filter only the data related to the selected country\\n {\\n name: groupSelector\\n value: false\\n on: [\\n {\\n // Clicking groupMark sets this signal to the filter values\\n events: @groupMark:click!\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n events: [\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n {type: \\\"dblclick\\\"}\\n ]\\n update: \\\"false\\\"\\n }\\n ]\\n }\\n ]\\n}\"},\"title\":\"Unbound - DNS Flow\",\"type\":\"vega\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..b773f61c44
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "Pie chart depicting events by interface alias",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Firewall - Events by Interface [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Firewall - Events by Interface\",\"field\":\"observer.ingress.interface.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Firewall - Events by Interface\",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-f554afa0-3a98-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-f554afa0-3a98-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..137b895052
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-f554afa0-3a98-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "Unbound request heat map by IP address",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Unbound - Request Rate [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"top\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Unbound - Request Rate\",\"type\":\"heatmap\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-f554afa0-3a98-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/kibana/visualization/pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.1.1/kibana/visualization/pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534.json
new file mode 100755
index 0000000000..95dfc88834
--- /dev/null
+++ b/packages/pfsense/1.1.1/kibana/visualization/pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "Network transport pie chart",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Firewall - Network Transport [pfSense]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Network Transport\",\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":true,\"type\":\"pie\"},\"title\":\"Firewall - Network Transport \",\"type\":\"pie\"}"
+ },
+ "coreMigrationVersion": "7.15.0",
+ "id": "pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/pfsense/1.1.1/manifest.yml b/packages/pfsense/1.1.1/manifest.yml
new file mode 100755
index 0000000000..96382ee4b0
--- /dev/null
+++ b/packages/pfsense/1.1.1/manifest.yml
@@ -0,0 +1,52 @@
+name: pfsense
+title: pfSense Logs
+version: "1.1.1"
+release: ga
+description: Collect and parse logs from pfSense and OPNsense devices with Elastic Agent.
+type: integration
+icons:
+ - src: /img/pfsense.svg
+ title: pfsense
+ size: 512x143
+ type: image/svg+xml
+format_version: 1.0.0
+license: basic
+categories:
+ - network
+ - security
+conditions:
+ kibana.version: ^7.15.0 || ^8.0.0
+screenshots:
+ - src: /img/firewall.png
+ title: pfSense Firewall Dashboard
+ size: 2993x1646
+ type: image/png
+ - src: /img/dhcp.png
+ title: pfSense DHCP Dashboard
+ size: 2999x1640
+ type: image/png
+ - src: /img/unbound-1.png
+ title: pfSense Unbound Dashboard
+ size: 1680x763
+ type: image/png
+ - src: /img/unbound-2.png
+ title: pfSense Unbound Dashboard
+ size: 1679x833
+ type: image/png
+ - src: /img/unbound-3.png
+ title: pfSense Unbound Dashboard
+ size: 1679x904
+ type: image/png
+policy_templates:
+ - name: pfsense
+ title: pfSense logs
+ description: Collect logs from pfSense systems
+ inputs:
+ - type: udp
+ title: "Collect pfSense logs (input: udp)"
+ description: "Collecting logs from pfSense systems (input: udp)"
+ - type: tcp
+ title: "Collect pfSense logs (input: tcp)"
+ description: "Collecting logs from pfSense systems (input: tcp)"
+owner:
+ github: elastic/security-external-integrations
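Review bot: The package `description` states that logs are collected from "pfSense and OPNsense devices", but the policy template's `title`/`description` lines and both input descriptions mention only pfSense systems, so a user adding the policy in Fleet gets no hint that OPNsense is supported; align them, e.g. `description: Collect logs from pfSense and OPNsense systems`. Separately, the three Unbound screenshot entries (`/img/unbound-1.png` through `/img/unbound-3.png`) all carry the identical title `pfSense Unbound Dashboard`, which renders as three indistinguishable captions in the integration UI; give each a distinct title such as `title: pfSense Unbound Dashboard (1 of 3)`.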
diff --git a/packages/snyk/1.3.1/changelog.yml b/packages/snyk/1.3.1/changelog.yml
new file mode 100755
index 0000000000..e4f67ce422
--- /dev/null
+++ b/packages/snyk/1.3.1/changelog.yml
@@ -0,0 +1,41 @@
+# newer versions go on top
+- version: "1.3.1"
+ changes:
+ - description: Fixes possible indefinite pagination
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3651
+- version: "1.3.0"
+ changes:
+ - description: Update package to ECS 8.3.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3353
+- version: "1.2.1"
+ changes:
+ - description: Add correct field mapping for event.created
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3579
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2780
+- version: "1.1.2"
+ changes:
+ - description: Fix typo in config template for ignoring host enrichment
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3092
+- version: "1.1.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2439
+- version: "1.0.0"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2162
diff --git a/packages/snyk/1.3.1/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/snyk/1.3.1/data_stream/audit/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..39b5ae4f7d
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/audit/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,63 @@
+config_version: 2
+interval: {{interval}}
+request.url: {{url}}/{{audit_type}}/{{audit_id}}/audit?page=1&sortOrder=ASC
+request.method: POST
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+- set:
+ target: header.Authorization
+ value: token {{ api_token }}
+- set:
+ target: url.params.to
+ value: '[[ formatDate (now) "2006-01-02" ]]'
+- set:
+ target: url.params.from
+ value: '[[ formatDate (now (parseDuration .cursor.interval)) "2006-01-02" ]]'
+ default: '[[ formatDate (now (parseDuration "-{{ first_interval }}")) "2006-01-02" ]]'
+cursor:
+ interval:
+ value: "-24h"
+
+request.body:
+ filters:
+{{#if userId }}
+ userId: {{ userId }}
+{{/if}}
+{{#if email_address }}
+ email: {{ email_address }}
+{{/if}}
+{{#if event }}
+ event: {{ event }}
+{{/if}}
+{{#if project_id }}
+ project_id: {{ project_id }}
+{{/if}}
+
+response.request_body_on_pagination: true
+response.pagination:
+- set:
+ target: url.params.page
+ value: '[[if (ne (len .last_response.body.response) 0)]][[add .last_response.page 1]][[end]]'
+ fail_on_template_error: true
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
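Review bot: The templated filter values under `request.body` (`userId: {{ userId }}`, `email: {{ email_address }}`, `event: {{ event }}`, `project_id: {{ project_id }}`) are rendered as unquoted plain scalars, so the YAML parser applies implicit typing to whatever the user configured: an all-digit id becomes an integer and a value that happens to look like a boolean or null changes type before it is serialized into the POST body. Quoting the expansion keeps each filter a string as the API presumably expects, e.g. `userId: "{{ userId }}"`, and likewise for the other three. The same consideration applies to the Authorization transform `value: token {{ api_token }}`, where a token containing ` #` would have its tail read as a YAML comment; `value: "token {{ api_token }}"` avoids that.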
diff --git a/packages/snyk/1.3.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/snyk/1.3.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..4cf5c95275
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,87 @@
+---
+description: Pipeline for Snyk Audit logs
+processors:
+- set:
+ field: ecs.version
+ value: 8.3.0
+- rename:
+ field: message
+ target_field: event.original
+- json:
+ field: event.original
+ target_field: json
+- fingerprint:
+ fields:
+ - json.orgId
+ - json.created
+ - json.event
+ target_field: _id
+- rename:
+ field: json
+ target_field: snyk.audit
+ ignore_missing: true
+- rename:
+ field: snyk.audit.groupId
+ target_field: user.group.id
+ ignore_missing: true
+- rename:
+ field: snyk.audit.orgId
+ target_field: snyk.audit.org_id
+ ignore_missing: true
+- rename:
+ field: snyk.audit.projectId
+ target_field: snyk.audit.project_id
+ ignore_missing: true
+- rename:
+ field: snyk.audit.userId
+ target_field: user.id
+ ignore_missing: true
+- rename:
+ field: snyk.audit.event
+ target_field: event.action
+ ignore_missing: true
+- date:
+ field: snyk.audit.created
+ target_field: "@timestamp"
+ formats:
+ - "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"
+- script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ handleMap(ctx);
+- remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+- remove:
+ field:
+ - snyk.audit.created
+ - message
+ - json
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
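Review bot: The `date` processor on `snyk.audit.created` has no `if` guard and no `ignore_failure`, so an event whose `created` is missing or not in the single literal-`Z` format listed aborts the pipeline and is indexed with only `error.message` set and `event.original` still attached; adding `if: ctx.snyk?.audit?.created != null` keeps a missing field from being a hard failure (an unparseable format is still worth surfacing). The `fingerprint` processor likewise runs without `ignore_missing`, so an audit record lacking `orgId` (whether group-level audit records always carry one is not verifiable from here) fails before any rename; `ignore_missing: true` there would let it hash the fields that are present instead. The `script` processor strips empty strings and empty lists from the whole document, which also removes an empty `tags` list — harmless for the `remove` condition below, since it already handles `ctx?.tags == null`, but worth a one-line comment on the processor so the next maintainer does not add a processor that relies on `tags` being present.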
diff --git a/packages/snyk/1.3.1/data_stream/audit/fields/agent.yml b/packages/snyk/1.3.1/data_stream/audit/fields/agent.yml
new file mode 100755
index 0000000000..4d9a6f7b36
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/audit/fields/agent.yml
@@ -0,0 +1,114 @@
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/packages/snyk/1.3.1/data_stream/audit/fields/base-fields.yml b/packages/snyk/1.3.1/data_stream/audit/fields/base-fields.yml
new file mode 100755
index 0000000000..66c5548b5d
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/audit/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: snyk
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: snyk.audit
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/snyk/1.3.1/data_stream/audit/fields/beats.yml b/packages/snyk/1.3.1/data_stream/audit/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/audit/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/snyk/1.3.1/data_stream/audit/fields/ecs.yml b/packages/snyk/1.3.1/data_stream/audit/fields/ecs.yml
new file mode 100755
index 0000000000..295d0e1ad2
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/audit/fields/ecs.yml
@@ -0,0 +1,34 @@
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: user.group.id
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
diff --git a/packages/snyk/1.3.1/data_stream/audit/fields/fields.yml b/packages/snyk/1.3.1/data_stream/audit/fields/fields.yml
new file mode 100755
index 0000000000..8af2e4fe1e
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/audit/fields/fields.yml
@@ -0,0 +1,21 @@
+- name: snyk.audit
+ type: group
+ description: >
+ Snyk audit logs.
+
+ fields:
+ - name: org_id
+ type: keyword
+ description: >
+ ID of the related Organization related to the event.
+
+ - name: project_id
+ type: keyword
+ description: >
+ ID of the project related to the event.
+
+ - name: content
+ type: flattened
+ description: >
+ Overview of the content that was changed, both old and new values.
+
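Review bot: The description of `org_id` reads `ID of the related Organization related to the event.`, which repeats "related"; `ID of the organization related to the event.` says the same thing. The group description `Snyk audit logs.` and the field descriptions use `>` followed by a blank line, which keeps a trailing newline in the rendered text; `>-` would drop it, though the other fields files in this commit follow the same pattern, so this is a consistency choice rather than a defect.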
diff --git a/packages/snyk/1.3.1/data_stream/audit/fields/package-fields.yml b/packages/snyk/1.3.1/data_stream/audit/fields/package-fields.yml
new file mode 100755
index 0000000000..a6f1fda959
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/audit/fields/package-fields.yml
@@ -0,0 +1,17 @@
+- name: snyk
+ type: group
+ release: beta
+ description: >
+ Module for parsing Snyk project vulnerabilities.
+
+ fields:
+ - name: projects
+ type: flattened
+ description: >
+ Array with all related projects objects.
+
+ - name: related.projects
+ type: keyword
+ description: >
+ Array of all the related project ID's.
+
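Review bot: The group description `Module for parsing Snyk project vulnerabilities.` sits in the audit data stream's `package-fields.yml`, and the two fields it declares, `snyk.projects` and `snyk.related.projects`, are only written by the vulnerabilities pipeline in this commit (its `foreach` over `snyk.projects` appends to `snyk.related.projects`); nothing in the audit pipeline populates either. Either the description should say what the audit stream's `snyk` group actually holds, e.g. `Fields shared by the Snyk data streams.`, or the two vulnerability-only fields belong solely in the vulnerabilities stream's fields file. This reads like a copy of the vulnerabilities stream's package-fields file, but that file is not visible in this part of the diff.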
diff --git a/packages/snyk/1.3.1/data_stream/audit/manifest.yml b/packages/snyk/1.3.1/data_stream/audit/manifest.yml
new file mode 100755
index 0000000000..c6a1c5241a
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/audit/manifest.yml
@@ -0,0 +1,97 @@
+title: "Collect Snyk Audit Logs"
+type: logs
+streams:
+ - input: httpjson
+ title: "Collect Snyk Audit Logs"
+ description: "Collect Snyk Audit Logs via the Snyk API"
+ enabled: true
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: audit_type
+ type: text
+ title: Audit Log Type
+ description: Type of Audit logs; "org" or "group"
+ multi: false
+ show_user: true
+ required: true
+ default: org
+ - name: audit_id
+ type: text
+ title: Group/Org ID
+ description: The ID of the Snyk group or organization
+ multi: false
+ show_user: true
+ required: true
+ default: ""
+ - name: userId
+ type: text
+ title: User ID Filter
+ description: User ID on which to filter events
+ multi: false
+ show_user: true
+ required: false
+ default: ""
+ - name: email_address
+ type: text
+ title: Email Address Filter
+ description: Email Address on which to filter events
+ multi: false
+ show_user: true
+ required: false
+ default: ""
+ - name: event
+ type: text
+ title: Event ID Filter
+ description: Event ID on which to filter events
+ multi: false
+ show_user: true
+ required: false
+ default: ""
+ - name: project_id
+ type: text
+ title: Project ID Filter
+ description: Project ID on which to filter events
+ multi: false
+ show_user: true
+ required: false
+ default: ""
+ - name: interval
+ type: text
+ title: Interval to query Snyk Events API
+ description: Go Duration syntax (eg. 10s)
+ multi: false
+ show_user: false
+ required: true
+ default: 10s
+ - name: first_interval
+ type: text
+ title: Initial interval to query Snyk Events API
+ description: Go Duration syntax (eg. 10s)
+ multi: false
+ show_user: false
+ required: true
+ default: 720h
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - snyk-audit
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
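Review bot: The variable `userId` breaks the snake_case convention the rest of the stream uses (`email_address`, `project_id`, `audit_type`, `first_interval`); renaming it to `user_id` in both the manifest and the template's `{{#if userId }}` / `userId: {{ userId }}` lines would keep the policy form consistent. `audit_type` is declared as free `text` although its description admits only `"org"` or `"group"`, and its value is spliced directly into the request path (`{{url}}/{{audit_type}}/{{audit_id}}/audit`), so any other string silently produces a request against an unintended path; if the package-spec version in use supports `type: select`, an `options` list of the two values would enforce this at configuration time, otherwise the description should at least state that other values are rejected by the API. The `interval` default of `10s` polls the audit endpoint every ten seconds with `show_user: false`, which is far more aggressive than the `720h` `first_interval` catch-up suggests the data warrants; whether this runs into Snyk rate limiting cannot be judged from here.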
diff --git a/packages/snyk/1.3.1/data_stream/audit/sample_event.json b/packages/snyk/1.3.1/data_stream/audit/sample_event.json
new file mode 100755
index 0000000000..754b460e37
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/audit/sample_event.json
@@ -0,0 +1,57 @@
+{
+ "@timestamp": "2020-11-11T21:00:00.000Z",
+ "agent": {
+ "ephemeral_id": "d625d71f-f6c0-4b21-a59c-8e6c6ca1cfa1",
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "data_stream": {
+ "dataset": "snyk.audit",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "elastic_agent": {
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "action": "org.user.invite",
+ "agent_id_status": "verified",
+ "created": "2022-01-02T10:21:09.808Z",
+ "dataset": "snyk.audit",
+ "ingested": "2022-01-02T10:21:10Z",
+ "original": "{\"content\":{\"email\":\"someone@snyk.io\",\"isAdmin\":false},\"created\":\"2020-11-11T21:00:00.000Z\",\"event\":\"org.user.invite\",\"groupId\":\"groupid123test-543123-54312sadf-123ad\",\"orgId\":\"orgid123test-5643asd234-asdfasdf\",\"projectId\":null,\"userId\":\"userid123test-234sdfa2-423sdfa-2134\"}"
+ },
+ "host": {
+ "name": "docker-fleet-agent"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "snyk": {
+ "audit": {
+ "content": {
+ "email": "someone@snyk.io",
+ "isAdmin": false
+ },
+ "org_id": "orgid123test-5643asd234-asdfasdf"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "snyk-audit"
+ ],
+ "user": {
+ "group": {
+ "id": "groupid123test-543123-54312sadf-123ad"
+ },
+ "id": "userid123test-234sdfa2-423sdfa-2134"
+ }
+}
\ No newline at end of file
diff --git a/packages/snyk/1.3.1/data_stream/vulnerabilities/agent/stream/httpjson.yml.hbs b/packages/snyk/1.3.1/data_stream/vulnerabilities/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..a3e05a53f0
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/vulnerabilities/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,92 @@
+config_version: 2
+interval: {{ interval }}
+request.url: {{ url }}/reporting/issues/?page=1&perPage=10&sortBy=issueTitle&order=asc&groupBy=issue
+request.method: POST
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+- set:
+ target: header.Authorization
+ value: token {{ api_token }}
+- set:
+ target: url.params.to
+ value: '[[ formatDate (now) "2006-01-02" ]]'
+- set:
+ target: url.params.from
+ value: '[[ formatDate (now (parseDuration .cursor.interval)) "2006-01-02" ]]'
+ default: '[[ formatDate (now (parseDuration "-{{ first_interval }}")) "2006-01-02" ]]'
+cursor:
+ interval:
+ value: "-24h"
+request.timeout: 120s
+
+request.body:
+ filters:
+ orgs:
+{{#each orgs as |org i|}}
+ - {{org}}
+{{/each}}
+ severity:
+{{#each severity as |sev i|}}
+ - {{sev}}
+{{/each}}
+ exploitMaturity:
+{{#each exploit_maturity as |mat i|}}
+ - {{mat}}
+{{/each}}
+ types:
+{{#each types as |type i|}}
+ - {{type}}
+{{/each}}
+ languages:
+{{#each languages as |lang i|}}
+ - {{lang}}
+{{/each}}
+ projects:
+{{#each projects as |proj i|}}
+ - {{proj}}
+{{/each}}
+ identifier: {{ identifier }}
+ ignored: {{ ignored }}
+ patched: {{ patched }}
+ fixable: {{ fixable }}
+ isFixed: {{ is_fixed }}
+ isUpgradable: {{ is_upgradeable }}
+ isPatchable: {{ is_patchable }}
+ isPinnable: {{ is_pinnable }}
+ priorityScore:
+ min: {{ min_priority_score }}
+ max: {{ max_priority_score }}
+
+response.request_body_on_pagination: true
+response.pagination:
+- set:
+ target: url.params.page
+ value: '[[if (ne (len .last_response.body.response) 0)]][[add .last_response.page 1]][[end]]'
+ fail_on_template_error: true
+
+response.split:
+ target: body.results
+
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
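Review bot: `request.timeout: 120s` is emitted unconditionally after the `{{#if http_client_timeout}}request.timeout: {{http_client_timeout}}{{/if}}` block, so when a user sets `http_client_timeout` the rendered YAML contains the `request.timeout` key twice; a last-wins parser silently discards the user's value and a strict one rejects the configuration as a duplicate key. Folding the fixed value into the conditional as `{{else}}` / `request.timeout: 120s` / `{{/if}}` keeps the 120s default while honouring the override. The audit template in this commit does not have this problem, since it emits no fixed timeout.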
diff --git a/packages/snyk/1.3.1/data_stream/vulnerabilities/elasticsearch/ingest_pipeline/default.yml b/packages/snyk/1.3.1/data_stream/vulnerabilities/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..c4ee018fb0
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/vulnerabilities/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,200 @@
+---
+description: Pipeline for Snyk vulnerability logs
+processors:
+- set:
+ field: ecs.version
+ value: 8.3.0
+- rename:
+ field: message
+ target_field: event.original
+- json:
+ field: event.original
+ target_field: json
+- fingerprint:
+ fields:
+ - json.issue.id
+ target_field: _id
+- set:
+ field: vulnerability.classification
+ value: CVSS
+- set:
+ field: vulnerability.category
+ value: Github
+- set:
+ field: vulnerability.scanner.vendor
+ value: Snyk
+- rename:
+ field: json
+ target_field: snyk
+ ignore_missing: true
+- rename:
+ field: snyk.issue
+ target_field: snyk.vulnerabilities
+ ignore_missing: true
+- set:
+ field: vulnerability.score.version
+ value: "3.0"
+- set:
+ field: vulnerability.enumeration
+ value: CVE
+ if: ctx?.snyk?.vulnerabilities?.identifiers?.CVE != null
+- set:
+ field: vulnerability.enumeration
+ value: SNYK
+ if: ctx?.snyk?.vulnerabilities?.identifiers?.CVE == null && ctx?.snyk?.vulnerabilities?.identifiers?.ALTERNATIVE != null
+- rename:
+ field: snyk.vulnerabilities.description
+ target_field: vulnerability.description
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.identifiers.CVE
+ target_field: vulnerability.id
+ ignore_missing: true
+ if: ctx?.snyk?.vulnerabilities?.identifiers?.CVE != null
+- rename:
+ field: snyk.vulnerabilities.identifiers.ALTERNATIVE
+ target_field: vulnerability.id
+ ignore_missing: true
+ if: ctx?.vulnerability?.id == null && ctx?.snyk?.vulnerabilities?.identifiers?.ALTERNATIVE != null
+- convert:
+ field: snyk.vulnerabilities.cvssScore
+ target_field: vulnerability.score.base
+ type: float
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.severity
+ target_field: vulnerability.severity
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.CVSSv3
+ target_field: snyk.vulnerabilities.cvss3
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.disclosureTime
+ target_field: snyk.vulnerabilities.disclosure_time
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.exploitMaturity
+ target_field: snyk.vulnerabilities.exploit_maturity
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.identifiers.ALTERNATIVE
+ target_field: snyk.vulnerabilities.identifiers.alternative
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.identifiers.CWE
+ target_field: snyk.vulnerabilities.identifiers.cwe
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.isIgnored
+ target_field: snyk.vulnerabilities.is_ignored
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.isPatchable
+ target_field: snyk.vulnerabilities.is_patchable
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.isPatched
+ target_field: snyk.vulnerabilities.is_patched
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.isPinnable
+ target_field: snyk.vulnerabilities.is_pinnable
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.isUpgradable
+ target_field: snyk.vulnerabilities.is_upgradable
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.priorityScore
+ target_field: snyk.vulnerabilities.priority_score
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.publicationTime
+ target_field: snyk.vulnerabilities.publication_time
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.uniqueSeveritiesList
+ target_field: snyk.vulnerabilities.unique_severities_list
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.packageManager
+ target_field: snyk.vulnerabilities.package_manager
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.jiraIssueUrl
+ target_field: snyk.vulnerabilities.jira_issue_url
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.originalSeverity
+ target_field: snyk.vulnerabilities.original_severity
+ ignore_missing: true
+- rename:
+ field: snyk.isFixed
+ target_field: snyk.vulnerabilities.is_fixed
+ ignore_missing: true
+- rename:
+ field: snyk.introducedDate
+ target_field: snyk.vulnerabilities.introduced_date
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.url
+ target_field: vulnerability.reference
+ ignore_missing: true
+- foreach:
+ field: snyk.vulnerabilities.patches
+ processor:
+ rename:
+ field: "{{ _ingest._value.modificationTime }}"
+ target_field: "{{ _ingest._value.modification_time }}"
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.snyk?.vulnerabilities?.patches != null
+- foreach:
+ field: snyk.projects
+ processor:
+ append:
+ field: snyk.related.projects
+ value: "{{_ingest._value.name }}"
+ ignore_failure: true
+ ignore_failure: true
+ if: ctx?.snyk?.projects != null
+- script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ handleMap(ctx);
+- remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+- remove:
+ field:
+ - message
+ - snyk.vulnerabilities.cvssScore
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
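Review bot: In the `foreach` over `snyk.vulnerabilities.patches`, the nested `rename` uses `field: "{{ _ingest._value.modificationTime }}"` and `target_field: "{{ _ingest._value.modification_time }}"`, which substitute the values of those keys (a timestamp, and nothing for the not-yet-existing snake_case key) as the field paths; the intended camelCase-to-snake_case rename therefore never happens, and `ignore_missing` / `ignore_failure` hide it. The paths should be given literally: `field: _ingest._value.modificationTime` and `target_field: _ingest._value.modification_time`. Separately, `vulnerability.category` is set to the scalar `Github` while the stream's own `ecs.yml` entry for that field states `This field must be an array.`; a single-element list (`value: [Github]`) would match the documented shape. The hard-coded `Github` and `vulnerability.score.version: "3.0"` are assumptions about the Snyk payload that the pipeline does not check — whether the reported `cvssScore` is always CVSS 3.0 cannot be confirmed from here, and a comment on those two `set` processors stating the assumption would help.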
diff --git a/packages/snyk/1.3.1/data_stream/vulnerabilities/fields/agent.yml b/packages/snyk/1.3.1/data_stream/vulnerabilities/fields/agent.yml
new file mode 100755
index 0000000000..4d9a6f7b36
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/vulnerabilities/fields/agent.yml
@@ -0,0 +1,114 @@
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/packages/snyk/1.3.1/data_stream/vulnerabilities/fields/base-fields.yml b/packages/snyk/1.3.1/data_stream/vulnerabilities/fields/base-fields.yml
new file mode 100755
index 0000000000..d3c9c6490e
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/vulnerabilities/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: snyk
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: snyk.vulnerabilities
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/snyk/1.3.1/data_stream/vulnerabilities/fields/beats.yml b/packages/snyk/1.3.1/data_stream/vulnerabilities/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/vulnerabilities/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/snyk/1.3.1/data_stream/vulnerabilities/fields/ecs.yml b/packages/snyk/1.3.1/data_stream/vulnerabilities/fields/ecs.yml
new file mode 100755
index 0000000000..a7c206338e
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/vulnerabilities/fields/ecs.yml
@@ -0,0 +1,67 @@
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: user.group.id
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: |-
+ The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories])
+ This field must be an array.
+ name: vulnerability.category
+ type: keyword
+- description: The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/)
+ name: vulnerability.classification
+ type: keyword
+- description: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/)
+ name: vulnerability.enumeration
+ type: keyword
+- description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID]
+ name: vulnerability.id
+ type: keyword
+- description: A resource that provides additional information, context, and mitigations for the identified vulnerability.
+ name: vulnerability.reference
+ type: keyword
+- description: The name of the vulnerability scanner vendor.
+ name: vulnerability.scanner.vendor
+ type: keyword
+- description: |-
+ Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
+ Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)
+ name: vulnerability.score.base
+ type: float
+- description: |-
+ The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification.
+ CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)
+ name: vulnerability.score.version
+ type: keyword
+- description: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)
+ name: vulnerability.severity
+ type: keyword
diff --git a/packages/snyk/1.3.1/data_stream/vulnerabilities/fields/fields.yml b/packages/snyk/1.3.1/data_stream/vulnerabilities/fields/fields.yml
new file mode 100755
index 0000000000..98b7a315e2
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/vulnerabilities/fields/fields.yml
@@ -0,0 +1,146 @@
+- name: snyk.vulnerabilities
+ type: group
+ description: >
+ Module for parsing Snyk project vulnerabilities.
+
+ fields:
+ - name: cvss3
+ type: keyword
+ description: >
+ CSSv3 scores.
+
+ - name: disclosure_time
+ type: date
+ description: >
+ The time this vulnerability was originally disclosed to the package maintainers.
+
+ - name: exploit_maturity
+ type: keyword
+ description: >
+ The Snyk exploit maturity level.
+
+ - name: id
+ type: keyword
+ description: >
+ The vulnerability reference ID.
+
+ - name: is_ignored
+ type: boolean
+ description: >
+ If the vulnerability report has been ignored.
+
+ - name: is_patchable
+ type: boolean
+ description: >
+ If vulnerability is fixable by using a Snyk supplied patch.
+
+ - name: is_patched
+ type: boolean
+ description: >
+ If the vulnerability has been patched.
+
+ - name: is_pinnable
+ type: boolean
+ description: >
+ If the vulnerability is fixable by pinning a transitive dependency.
+
+ - name: is_upgradable
+ type: boolean
+ description: >
+ If the vulnerability fixable by upgrading a dependency.
+
+ - name: language
+ type: keyword
+ description: >
+ The package's programming language.
+
+ - name: package
+ type: keyword
+ description: >
+ The package identifier according to its package manager.
+
+ - name: package_manager
+ type: keyword
+ description: >
+ The package manager.
+
+ - name: patches
+ type: flattened
+ description: >
+ Patches required to resolve the issue created by Snyk.
+
+ - name: priority_score
+ type: long
+ description: >
+ The CVS priority score.
+
+ - name: publication_time
+ type: date
+ description: >
+ The vulnerability publication time.
+
+ - name: jira_issue_url
+ type: keyword
+ description: >
+ Link to the related Jira issue.
+
+ - name: original_severity
+ type: long
+ description: >
+ The original severity of the vulnerability.
+
+ - name: reachability
+ type: keyword
+ description: >
+ If the vulnerable function from the library is used in the code scanned. Can either be No Info, Potentially reachable and Reachable.
+
+ - name: title
+ type: keyword
+ description: >
+ The issue title.
+
+ - name: type
+ type: keyword
+ description: >
+ The issue type. Can be either "license" or "vulnerability".
+
+ - name: unique_severities_list
+ type: keyword
+ description: >
+ A list of related unique severities.
+
+ - name: version
+ type: keyword
+ description: >
+ The package version this issue is applicable to.
+
+ - name: introduced_date
+ type: date
+ description: >
+ The date the vulnerability was initially found.
+
+ - name: is_fixed
+ type: boolean
+ description: >
+ If the related vulnerability has been resolved.
+
+ - name: credit
+ type: keyword
+ description: >
+ Reference to the person that original found the vulnerability.
+
+ - name: semver
+ type: flattened
+ description: >
+ One or more semver ranges this issue is applicable to. The format varies according to package manager.
+
+ - name: identifiers.alternative
+ type: keyword
+ description: >
+ Additional vulnerability identifiers.
+
+ - name: identifiers.cwe
+ type: keyword
+ description: >
+ CWE vulnerability identifiers.
+
diff --git a/packages/snyk/1.3.1/data_stream/vulnerabilities/fields/package-fields.yml b/packages/snyk/1.3.1/data_stream/vulnerabilities/fields/package-fields.yml
new file mode 100755
index 0000000000..a6f1fda959
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/vulnerabilities/fields/package-fields.yml
@@ -0,0 +1,17 @@
+- name: snyk
+ type: group
+ release: beta
+ description: >
+ Module for parsing Snyk project vulnerabilities.
+
+ fields:
+ - name: projects
+ type: flattened
+ description: >
+ Array with all related projects objects.
+
+ - name: related.projects
+ type: keyword
+ description: >
+ Array of all the related project ID's.
+
diff --git a/packages/snyk/1.3.1/data_stream/vulnerabilities/manifest.yml b/packages/snyk/1.3.1/data_stream/vulnerabilities/manifest.yml
new file mode 100755
index 0000000000..f64689d6d2
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/vulnerabilities/manifest.yml
@@ -0,0 +1,200 @@
+title: "Collect Snyk Vulnerability Data"
+type: logs
+streams:
+ - input: httpjson
+ title: "Collect Snyk Vulnerability Data"
+ description: "Collect Snyk Vulnerability data via the Snyk API"
+ enabled: true
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: orgs
+ type: text
+ title: Orgs
+ multi: true
+ show_user: true
+ required: true
+ description: The list of org IDs to filter the results by
+ - name: severity
+ type: text
+ title: Severity
+ multi: true
+ show_user: true
+ required: false
+ description: The severity levels of issues to filter the results by
+ default:
+ - critical
+ - high
+ - medium
+ - low
+ - name: exploit_maturity
+ type: text
+ title: Exploit Maturity
+ multi: true
+ show_user: true
+ required: false
+ description: The exploit maturity levels of issues to filter the results by
+ default:
+ - mature
+ - proof-of-concept
+ - no-known-exploit
+ - no-data
+ - name: types
+ type: text
+ title: Types
+ multi: true
+ show_user: true
+ required: false
+ description: The type of issues to filter the results by
+ default:
+ - vuln
+ - license
+ - configuration
+ - name: languages
+ type: text
+ title: Languages
+ multi: true
+ show_user: true
+ required: false
+ description: The type of languages to filter the results by
+ default:
+ - javascript
+ - ruby
+ - java
+ - scala
+ - python
+ - golang
+ - php
+ - dotnet
+ - swift-objective-c
+ - elixir
+ - docker
+ - terraform
+ - kubernetes
+ - helm
+ - cloudformation
+ - name: projects
+ type: text
+ title: Projects
+ multi: true
+ show_user: true
+ required: false
+ description: The list of project IDs to filter issues by, max projects allowed is 1000
+ - name: identifier
+ type: text
+ title: Identifier
+ multi: false
+ show_user: true
+ required: false
+ description: Search term to filter issue name by, or an exact CVE or CWE
+ - name: ignored
+ type: bool
+ title: Ignored
+ multi: false
+ show_user: true
+ required: false
+ default: false
+ description: If set to true, only include issues which are ignored, if set to false, only include issues which are not ignored
+ - name: patched
+ type: bool
+ title: Patched
+ multi: false
+ show_user: true
+ required: false
+ default: false
+ description: If set to true, only include issues which are patched, if set to false, only include issues which are not patched
+ - name: fixable
+ type: bool
+ title: Fixable
+ multi: false
+ show_user: true
+ required: false
+ default: false
+ description: If set to true, only include issues which are fixable, if set to false, only include issues which are not fixable. An issue is fixable if it is either upgradable, patchable or pinnable. Also see isUpgradable, isPatchable and isPinnable filters.
+ - name: is_fixed
+ type: bool
+ title: Is Fixed
+ multi: false
+ show_user: true
+ required: false
+ default: false
+ description: If set to true, only include issues which are fixed, if set to false, only include issues which are not fixed
+ - name: is_upgradeable
+ type: bool
+ title: Is Upgradeable
+ multi: false
+ show_user: true
+ required: false
+ default: false
+ description: If set to true, only include issues which are upgradable, if set to false, only include issues which are not upgradable
+ - name: is_patchable
+ type: bool
+ title: Is Patchable
+ multi: false
+ show_user: true
+ required: false
+ default: false
+ description: If set to true, only include issues which are patchable, if set to false, only include issues which are not patchable
+ - name: is_pinnable
+ type: bool
+ title: Is Pinnable
+ multi: false
+ show_user: true
+ required: false
+ default: false
+ description: If set to true, only include issues which are pinnable, if set to false, only include issues which are not pinnable
+ - name: min_priority_score
+ type: text
+ title: Min Priority Score
+ multi: false
+ show_user: true
+ required: false
+ description: The priority score ranging between 0-1000
+ default: 0
+ - name: max_priority_score
+ type: text
+ title: Max Priority Score
+ multi: false
+ show_user: true
+ required: false
+ description: The priority score ranging between 0-1000
+ default: 1000
+ - name: interval
+ type: text
+ title: Interval to query Snyk Events API
+ description: Go Duration syntax (eg. 10s)
+ multi: false
+ show_user: false
+ required: true
+ default: 24h
+ - name: first_interval
+ type: text
+ title: Initial interval to query Snyk Events API
+ description: Go Duration syntax (eg. 10s)
+ multi: false
+ show_user: false
+ required: true
+ default: 24h
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - snyk-vulnerabilities
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/snyk/1.3.1/data_stream/vulnerabilities/sample_event.json b/packages/snyk/1.3.1/data_stream/vulnerabilities/sample_event.json
new file mode 100755
index 0000000000..311a3bcaca
--- /dev/null
+++ b/packages/snyk/1.3.1/data_stream/vulnerabilities/sample_event.json
@@ -0,0 +1,141 @@
+{
+ "@timestamp": "2022-01-02T10:21:46.407Z",
+ "agent": {
+ "ephemeral_id": "b6ade099-0307-4079-b700-1b29dfb838ff",
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "data_stream": {
+ "dataset": "snyk.vulnerabilities",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "elastic_agent": {
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "created": "2022-01-02T10:21:46.407Z",
+ "dataset": "snyk.vulnerabilities",
+ "ingested": "2022-01-02T10:21:47Z",
+ "original": "{\"introducedDate\":\"2020-04-07\",\"isFixed\":false,\"issue\":{\"CVSSv3\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"credit\":[\"Snyk Security Research Team\"],\"cvssScore\":\"8.1\",\"disclosureTime\":\"2016-11-27T22:00:00.000Z\",\"exploitMaturity\":\"no-known-exploit\",\"id\":\"npm:ejs:20161128\",\"identifiers\":{\"ALTERNATIVE\":[\"SNYK-JS-EJS-10218\"],\"CVE\":[],\"CWE\":[\"CWE-94\"]},\"isIgnored\":false,\"isPatchable\":false,\"isPatched\":false,\"isPinnable\":false,\"isUpgradable\":false,\"jiraIssueUrl\":null,\"language\":\"js\",\"originalSeverity\":null,\"package\":\"ejs\",\"packageManager\":\"npm\",\"patches\":[{\"comments\":[],\"id\":\"patch:npm:ejs:20161128:0\",\"modificationTime\":\"2019-12-03T11:40:45.851976Z\",\"urls\":[\"https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch\"],\"version\":\"\\u003c2.5.3 \\u003e=2.2.4\"}],\"priorityScore\":4.05,\"publicationTime\":\"2016-11-28T18:44:12.000Z\",\"reachability\":\"No Info\",\"semver\":{\"vulnerable\":[\"\\u003c2.5.3\"]},\"severity\":\"high\",\"title\":\"Arbitrary Code Execution\",\"type\":\"vuln\",\"uniqueSeveritiesList\":[\"high\"],\"url\":\"https://snyk.io/vuln/npm:ejs:20161128\",\"version\":\"0.8.8\"},\"projects\":[{\"id\":\"projectid\",\"name\":\"username/reponame\",\"packageManager\":\"npm\",\"source\":\"github\",\"targetFile\":\"package.json\",\"url\":\"https://snyk.io/org/orgname/project/projectid\"},{\"id\":\"projectid\",\"name\":\"someotheruser/someotherreponame\",\"packageManager\":\"npm\",\"source\":\"github\",\"targetFile\":\"folder1/package.json\",\"url\":\"https://snyk.io/org/orgname/project/projectid\"},{\"id\":\"projectid\",\"name\":\"projectname\",\"packageManager\":\"npm\",\"source\":\"cli\",\"targetFile\":\"package.json\",\"url\":\"https://snyk.io/org/orgname/project/projectid\"}]}"
+ },
+ "host": {
+ "name": "docker-fleet-agent"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "snyk": {
+ "projects": [
+ {
+ "id": "projectid",
+ "name": "username/reponame",
+ "packageManager": "npm",
+ "source": "github",
+ "targetFile": "package.json",
+ "url": "https://snyk.io/org/orgname/project/projectid"
+ },
+ {
+ "id": "projectid",
+ "name": "someotheruser/someotherreponame",
+ "packageManager": "npm",
+ "source": "github",
+ "targetFile": "folder1/package.json",
+ "url": "https://snyk.io/org/orgname/project/projectid"
+ },
+ {
+ "id": "projectid",
+ "name": "projectname",
+ "packageManager": "npm",
+ "source": "cli",
+ "targetFile": "package.json",
+ "url": "https://snyk.io/org/orgname/project/projectid"
+ }
+ ],
+ "related": {
+ "projects": [
+ "username/reponame",
+ "someotheruser/someotherreponame",
+ "projectname"
+ ]
+ },
+ "vulnerabilities": {
+ "credit": [
+ "Snyk Security Research Team"
+ ],
+ "cvss3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "disclosure_time": "2016-11-27T22:00:00.000Z",
+ "exploit_maturity": "no-known-exploit",
+ "id": "npm:ejs:20161128",
+ "identifiers": {
+ "alternative": [
+ "SNYK-JS-EJS-10218"
+ ],
+ "cwe": [
+ "CWE-94"
+ ]
+ },
+ "introduced_date": "2020-04-07",
+ "is_fixed": false,
+ "is_ignored": false,
+ "is_patchable": false,
+ "is_patched": false,
+ "is_pinnable": false,
+ "is_upgradable": false,
+ "language": "js",
+ "package": "ejs",
+ "package_manager": "npm",
+ "patches": [
+ {
+ "id": "patch:npm:ejs:20161128:0",
+ "modificationTime": "2019-12-03T11:40:45.851976Z",
+ "urls": [
+ "https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch"
+ ],
+ "version": "\u003c2.5.3 \u003e=2.2.4"
+ }
+ ],
+ "priority_score": 4.05,
+ "publication_time": "2016-11-28T18:44:12.000Z",
+ "reachability": "No Info",
+ "semver": {
+ "vulnerable": [
+ "\u003c2.5.3"
+ ]
+ },
+ "title": "Arbitrary Code Execution",
+ "type": "vuln",
+ "unique_severities_list": [
+ "high"
+ ],
+ "version": "0.8.8"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "snyk-vulnerabilities"
+ ],
+ "vulnerability": {
+ "category": "Github",
+ "classification": "CVSS",
+ "enumeration": "CVE",
+ "reference": "https://snyk.io/vuln/npm:ejs:20161128",
+ "scanner": {
+ "vendor": "Snyk"
+ },
+ "score": {
+ "base": 8.1,
+ "version": "3.0"
+ },
+ "severity": "high"
+ }
+}
\ No newline at end of file
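Review bot: `vulnerability.enumeration` is `"CVE"` and `vulnerability.classification` is `"CVSS"`, yet the embedded `event.original` shows `"CVE":[]` and no `vulnerability.id` is emitted — the only identifiers present are `SNYK-JS-EJS-10218` and `CWE-94`. This suggests the ingest pipeline (not in this view) hardcodes `enumeration` rather than deriving it from the identifiers that exist; setting `vulnerability.id` from `snyk.vulnerabilities.id` and only emitting `enumeration: CVE` when `identifiers.CVE` is non-empty would keep the ECS fields truthful. Consumers filtering on `vulnerability.enumeration: CVE` to find CVE-tracked issues would otherwise match every Snyk record.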
diff --git a/packages/snyk/1.3.1/docs/README.md b/packages/snyk/1.3.1/docs/README.md
new file mode 100755
index 0000000000..cfe34e1d71
--- /dev/null
+++ b/packages/snyk/1.3.1/docs/README.md
@@ -0,0 +1,346 @@
+# Snyk Integration
+
+This integration is for ingesting data from the [Snyk](https://snyk.io/) API.
+
+- `vulnerabilities`: Collects all found vulnerabilities for the related organizations and projects
+- `audit`: Collects audit logging from Snyk, this can be actions like users, permissions, groups, api access and more.
+
+To configure access to the Snyk Audit Log API you will have to generate an API access token as described in the [Snyk Documentation](https://snyk.docs.apiary.io/#introduction/authorization)
+
+
+## Audit
+
+An example event for `audit` looks as following:
+
+```json
+{
+ "@timestamp": "2020-11-11T21:00:00.000Z",
+ "agent": {
+ "ephemeral_id": "d625d71f-f6c0-4b21-a59c-8e6c6ca1cfa1",
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "data_stream": {
+ "dataset": "snyk.audit",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "elastic_agent": {
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "action": "org.user.invite",
+ "agent_id_status": "verified",
+ "created": "2022-01-02T10:21:09.808Z",
+ "dataset": "snyk.audit",
+ "ingested": "2022-01-02T10:21:10Z",
+ "original": "{\"content\":{\"email\":\"someone@snyk.io\",\"isAdmin\":false},\"created\":\"2020-11-11T21:00:00.000Z\",\"event\":\"org.user.invite\",\"groupId\":\"groupid123test-543123-54312sadf-123ad\",\"orgId\":\"orgid123test-5643asd234-asdfasdf\",\"projectId\":null,\"userId\":\"userid123test-234sdfa2-423sdfa-2134\"}"
+ },
+ "host": {
+ "name": "docker-fleet-agent"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "snyk": {
+ "audit": {
+ "content": {
+ "email": "someone@snyk.io",
+ "isAdmin": false
+ },
+ "org_id": "orgid123test-5643asd234-asdfasdf"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "snyk-audit"
+ ],
+ "user": {
+ "group": {
+ "id": "groupid123test-543123-54312sadf-123ad"
+ },
+ "id": "userid123test-234sdfa2-423sdfa-2134"
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| data_stream.dataset | Data stream dataset name. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Path to the log file. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| snyk.audit.content | Overview of the content that was changed, both old and new values. | flattened |
+| snyk.audit.org_id | ID of the related Organization related to the event. | keyword |
+| snyk.audit.project_id | ID of the project related to the event. | keyword |
+| snyk.projects | Array with all related projects objects. | flattened |
+| snyk.related.projects | Array of all the related project ID's. | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.id | Unique identifier of the user. | keyword |
+
+
+## Vulnerabilities
+
+An example event for `vulnerabilities` looks as following:
+
+```json
+{
+ "@timestamp": "2022-01-02T10:21:46.407Z",
+ "agent": {
+ "ephemeral_id": "b6ade099-0307-4079-b700-1b29dfb838ff",
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "data_stream": {
+ "dataset": "snyk.vulnerabilities",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "elastic_agent": {
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "created": "2022-01-02T10:21:46.407Z",
+ "dataset": "snyk.vulnerabilities",
+ "ingested": "2022-01-02T10:21:47Z",
+ "original": "{\"introducedDate\":\"2020-04-07\",\"isFixed\":false,\"issue\":{\"CVSSv3\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"credit\":[\"Snyk Security Research Team\"],\"cvssScore\":\"8.1\",\"disclosureTime\":\"2016-11-27T22:00:00.000Z\",\"exploitMaturity\":\"no-known-exploit\",\"id\":\"npm:ejs:20161128\",\"identifiers\":{\"ALTERNATIVE\":[\"SNYK-JS-EJS-10218\"],\"CVE\":[],\"CWE\":[\"CWE-94\"]},\"isIgnored\":false,\"isPatchable\":false,\"isPatched\":false,\"isPinnable\":false,\"isUpgradable\":false,\"jiraIssueUrl\":null,\"language\":\"js\",\"originalSeverity\":null,\"package\":\"ejs\",\"packageManager\":\"npm\",\"patches\":[{\"comments\":[],\"id\":\"patch:npm:ejs:20161128:0\",\"modificationTime\":\"2019-12-03T11:40:45.851976Z\",\"urls\":[\"https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch\"],\"version\":\"\\u003c2.5.3 \\u003e=2.2.4\"}],\"priorityScore\":4.05,\"publicationTime\":\"2016-11-28T18:44:12.000Z\",\"reachability\":\"No Info\",\"semver\":{\"vulnerable\":[\"\\u003c2.5.3\"]},\"severity\":\"high\",\"title\":\"Arbitrary Code Execution\",\"type\":\"vuln\",\"uniqueSeveritiesList\":[\"high\"],\"url\":\"https://snyk.io/vuln/npm:ejs:20161128\",\"version\":\"0.8.8\"},\"projects\":[{\"id\":\"projectid\",\"name\":\"username/reponame\",\"packageManager\":\"npm\",\"source\":\"github\",\"targetFile\":\"package.json\",\"url\":\"https://snyk.io/org/orgname/project/projectid\"},{\"id\":\"projectid\",\"name\":\"someotheruser/someotherreponame\",\"packageManager\":\"npm\",\"source\":\"github\",\"targetFile\":\"folder1/package.json\",\"url\":\"https://snyk.io/org/orgname/project/projectid\"},{\"id\":\"projectid\",\"name\":\"projectname\",\"packageManager\":\"npm\",\"source\":\"cli\",\"targetFile\":\"package.json\",\"url\":\"https://snyk.io/org/orgname/project/projectid\"}]}"
+ },
+ "host": {
+ "name": "docker-fleet-agent"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "snyk": {
+ "projects": [
+ {
+ "id": "projectid",
+ "name": "username/reponame",
+ "packageManager": "npm",
+ "source": "github",
+ "targetFile": "package.json",
+ "url": "https://snyk.io/org/orgname/project/projectid"
+ },
+ {
+ "id": "projectid",
+ "name": "someotheruser/someotherreponame",
+ "packageManager": "npm",
+ "source": "github",
+ "targetFile": "folder1/package.json",
+ "url": "https://snyk.io/org/orgname/project/projectid"
+ },
+ {
+ "id": "projectid",
+ "name": "projectname",
+ "packageManager": "npm",
+ "source": "cli",
+ "targetFile": "package.json",
+ "url": "https://snyk.io/org/orgname/project/projectid"
+ }
+ ],
+ "related": {
+ "projects": [
+ "username/reponame",
+ "someotheruser/someotherreponame",
+ "projectname"
+ ]
+ },
+ "vulnerabilities": {
+ "credit": [
+ "Snyk Security Research Team"
+ ],
+ "cvss3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "disclosure_time": "2016-11-27T22:00:00.000Z",
+ "exploit_maturity": "no-known-exploit",
+ "id": "npm:ejs:20161128",
+ "identifiers": {
+ "alternative": [
+ "SNYK-JS-EJS-10218"
+ ],
+ "cwe": [
+ "CWE-94"
+ ]
+ },
+ "introduced_date": "2020-04-07",
+ "is_fixed": false,
+ "is_ignored": false,
+ "is_patchable": false,
+ "is_patched": false,
+ "is_pinnable": false,
+ "is_upgradable": false,
+ "language": "js",
+ "package": "ejs",
+ "package_manager": "npm",
+ "patches": [
+ {
+ "id": "patch:npm:ejs:20161128:0",
+ "modificationTime": "2019-12-03T11:40:45.851976Z",
+ "urls": [
+ "https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch"
+ ],
+ "version": "\u003c2.5.3 \u003e=2.2.4"
+ }
+ ],
+ "priority_score": 4.05,
+ "publication_time": "2016-11-28T18:44:12.000Z",
+ "reachability": "No Info",
+ "semver": {
+ "vulnerable": [
+ "\u003c2.5.3"
+ ]
+ },
+ "title": "Arbitrary Code Execution",
+ "type": "vuln",
+ "unique_severities_list": [
+ "high"
+ ],
+ "version": "0.8.8"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "snyk-vulnerabilities"
+ ],
+ "vulnerability": {
+ "category": "Github",
+ "classification": "CVSS",
+ "enumeration": "CVE",
+ "reference": "https://snyk.io/vuln/npm:ejs:20161128",
+ "scanner": {
+ "vendor": "Snyk"
+ },
+ "score": {
+ "base": 8.1,
+ "version": "3.0"
+ },
+ "severity": "high"
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| data_stream.dataset | Data stream dataset name. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Path to the log file. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| snyk.projects | Array with all related projects objects. | flattened |
+| snyk.related.projects | Array of all the related project ID's. | keyword |
+| snyk.vulnerabilities.credit | Reference to the person that original found the vulnerability. | keyword |
+| snyk.vulnerabilities.cvss3 | CSSv3 scores. | keyword |
+| snyk.vulnerabilities.disclosure_time | The time this vulnerability was originally disclosed to the package maintainers. | date |
+| snyk.vulnerabilities.exploit_maturity | The Snyk exploit maturity level. | keyword |
+| snyk.vulnerabilities.id | The vulnerability reference ID. | keyword |
+| snyk.vulnerabilities.identifiers.alternative | Additional vulnerability identifiers. | keyword |
+| snyk.vulnerabilities.identifiers.cwe | CWE vulnerability identifiers. | keyword |
+| snyk.vulnerabilities.introduced_date | The date the vulnerability was initially found. | date |
+| snyk.vulnerabilities.is_fixed | If the related vulnerability has been resolved. | boolean |
+| snyk.vulnerabilities.is_ignored | If the vulnerability report has been ignored. | boolean |
+| snyk.vulnerabilities.is_patchable | If vulnerability is fixable by using a Snyk supplied patch. | boolean |
+| snyk.vulnerabilities.is_patched | If the vulnerability has been patched. | boolean |
+| snyk.vulnerabilities.is_pinnable | If the vulnerability is fixable by pinning a transitive dependency. | boolean |
+| snyk.vulnerabilities.is_upgradable | If the vulnerability fixable by upgrading a dependency. | boolean |
+| snyk.vulnerabilities.jira_issue_url | Link to the related Jira issue. | keyword |
+| snyk.vulnerabilities.language | The package's programming language. | keyword |
+| snyk.vulnerabilities.original_severity | The original severity of the vulnerability. | long |
+| snyk.vulnerabilities.package | The package identifier according to its package manager. | keyword |
+| snyk.vulnerabilities.package_manager | The package manager. | keyword |
+| snyk.vulnerabilities.patches | Patches required to resolve the issue created by Snyk. | flattened |
+| snyk.vulnerabilities.priority_score | The CVS priority score. | long |
+| snyk.vulnerabilities.publication_time | The vulnerability publication time. | date |
+| snyk.vulnerabilities.reachability | If the vulnerable function from the library is used in the code scanned. Can either be No Info, Potentially reachable and Reachable. | keyword |
+| snyk.vulnerabilities.semver | One or more semver ranges this issue is applicable to. The format varies according to package manager. | flattened |
+| snyk.vulnerabilities.title | The issue title. | keyword |
+| snyk.vulnerabilities.type | The issue type. Can be either "license" or "vulnerability". | keyword |
+| snyk.vulnerabilities.unique_severities_list | A list of related unique severities. | keyword |
+| snyk.vulnerabilities.version | The package version this issue is applicable to. | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.id | Unique identifier of the user. | keyword |
+| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword |
+| vulnerability.classification | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) | keyword |
+| vulnerability.enumeration | The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) | keyword |
+| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword |
+| vulnerability.reference | A resource that provides additional information, context, and mitigations for the identified vulnerability. | keyword |
+| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | keyword |
+| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float |
+| vulnerability.score.version | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword |
+| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword |
+
+
diff --git a/packages/snyk/1.3.1/img/snyk-logo.svg b/packages/snyk/1.3.1/img/snyk-logo.svg
new file mode 100755
index 0000000000..039ceba032
--- /dev/null
+++ b/packages/snyk/1.3.1/img/snyk-logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/snyk/1.3.1/manifest.yml b/packages/snyk/1.3.1/manifest.yml
new file mode 100755
index 0000000000..28d2a8cd7f
--- /dev/null
+++ b/packages/snyk/1.3.1/manifest.yml
@@ -0,0 +1,62 @@
+format_version: 1.0.0
+name: snyk
+title: "Snyk"
+version: "1.3.1"
+license: basic
+description: "Collect logs from Snyk API with Elastic Agent."
+type: integration
+categories:
+ - security
+release: ga
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+ - src: /img/snyk-logo.svg
+ title: Snyk logo
+ size: 382x625
+ type: image/svg+xml
+policy_templates:
+ - name: snyk
+ title: Snyk Events
+ description: Collect data from Snyk API
+ inputs:
+ - type: httpjson
+ title: Collect data from Snyk API
+ description: Collect Audit and Vulnerabilty data from the Snyk API
+ vars:
+ - name: url
+ type: text
+ title: Base URL of Snyk API Server
+ multi: false
+ show_user: false
+ required: true
+ default: https://snyk.io/api/v1
+ description: The base URL as found [here](https://snyk.docs.apiary.io/#introduction/api-url). No trailing /.
+ - name: api_token
+ type: password
+ title: Snyk API Token
+ multi: false
+ show_user: true
+ required: true
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: true
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ description: URL to proxy connections in the form of http[s]://:@:
+ multi: false
+ required: false
+ show_user: false
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+owner:
+ github: elastic/security-external-integrations
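Review bot: `proxy_url` is declared `type: text` although its own description says the URL carries credentials (`http[s]://user:password@host:port` — the placeholders look stripped to `http[s]://:@:` in this rendering), so a proxy password would be stored and shown like any ordinary text setting, whereas `api_token` on the lines above correctly uses `type: password`. Suggest `type: password` for `proxy_url`, or a sentence in its description warning not to embed credentials in it. `api_token` and `http_client_timeout` also lack a `description`; for the token I would add something like `description: Snyk API token used to read audit logs and issues. Use a token with the minimum (read-only) access needed.` since the base `url` is user-editable and the token is sent to whatever host it points at.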
diff --git a/packages/tcp/1.3.0/changelog.yml b/packages/tcp/1.3.0/changelog.yml
new file mode 100755
index 0000000000..0721ab68f7
--- /dev/null
+++ b/packages/tcp/1.3.0/changelog.yml
@@ -0,0 +1,20 @@
+- version: "1.3.0"
+ changes:
+ - description: Add syslog parsing option
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3587
+- version: "1.2.0"
+ changes:
+ - description: Update package to ECS 8.3.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3353
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2781
+- version: "1.0.0"
+ changes:
+ - description: Initial Release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2172
diff --git a/packages/tcp/1.3.0/data_stream/generic/agent/stream/tcp.yml.hbs b/packages/tcp/1.3.0/data_stream/generic/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..ee6e25ee3e
--- /dev/null
+++ b/packages/tcp/1.3.0/data_stream/generic/agent/stream/tcp.yml.hbs
@@ -0,0 +1,49 @@
+data_stream:
+ dataset: {{data_stream.dataset}}
+host: {{listen_address}}:{{listen_port}}
+{{#if pipeline}}
+pipeline: {{pipeline}}
+{{/if}}
+{{#if max_message_size}}
+max_message_size: {{max_message_size}}
+{{/if}}
+{{#if framing}}
+framing: {{framing}}
+{{/if}}
+{{#if line_delimiter}}
+line_delimiter: {{line_delimiter}}
+{{/if}}
+{{#if max_connections}}
+max_connections: {{max_connections}}
+{{/if}}
+{{#if ssl}}
+ssl:
+ {{ssl}}
+{{/if}}
+{{#if timeout}}
+timeout: {{timeout}}
+{{/if}}
+{{#if keep_null}}
+keep_null: {{keep_null}}
+{{/if}}
+{{#if tags}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{#if syslog}}
+ - syslog:
+ {{syslog_options}}
+{{/if}}
+{{processors}}
+{{else if syslog}}
+processors:
+ - syslog:
+ {{syslog_options}}
+{{/if}}
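Review bot: When both `processors` and `syslog` are set, the first branch renders the syslog entry as a list item at column 2 (`  - syslog:`) and then splices `{{processors}}` at column 0 under the same `processors:` key, so the sequence is indented inconsistently; whether that parses depends on how Fleet substitutes yaml-typed vars, and I cannot tell from here, so this combination deserves a system test with both options populated. Emitting the syslog item at column 0 in both branches (`- syslog:` / `    {{syslog_options}}`) would at least keep the indentation consistent with the spliced `{{processors}}` block. The same two stanzas are also duplicated verbatim across the `if`/`else if` branches; a single `{{#if syslog}}` block that appends `{{processors}}` when present would avoid the copy.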
diff --git a/packages/tcp/1.3.0/data_stream/generic/fields/base-fields.yml b/packages/tcp/1.3.0/data_stream/generic/fields/base-fields.yml
new file mode 100755
index 0000000000..ee4f5b7611
--- /dev/null
+++ b/packages/tcp/1.3.0/data_stream/generic/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: tcp
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: tcp.generic
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/tcp/1.3.0/data_stream/generic/fields/beats.yml b/packages/tcp/1.3.0/data_stream/generic/fields/beats.yml
new file mode 100755
index 0000000000..ede6958855
--- /dev/null
+++ b/packages/tcp/1.3.0/data_stream/generic/fields/beats.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: tags
+ type: keyword
+ description: User defined tags
diff --git a/packages/tcp/1.3.0/data_stream/generic/fields/ecs.yml b/packages/tcp/1.3.0/data_stream/generic/fields/ecs.yml
new file mode 100755
index 0000000000..4835acacee
--- /dev/null
+++ b/packages/tcp/1.3.0/data_stream/generic/fields/ecs.yml
@@ -0,0 +1,55 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ Original log level of the log event.
+ If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
+ Some examples are `warn`, `err`, `i`, `informational`.
+ name: log.level
+ type: keyword
+- description: The IP or DNS name of the source sending the UDP packet.
+ name: log.source.address
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: The device or application that originated the Syslog message, if available.
+ name: log.syslog.appname
+ type: keyword
+- description: |-
+ The Syslog numeric facility of the log event, if available.
+ According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
+ name: log.syslog.facility.code
+ type: long
+- description: The Syslog text-based facility of the log event, if available.
+ name: log.syslog.facility.name
+ type: keyword
+- description: The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector.
+ name: log.syslog.hostname
+ type: keyword
+- description: |-
+ Syslog numeric priority of the event, if available.
+ According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
+ name: log.syslog.priority
+ type: long
+- description: The process name or ID that originated the Syslog message, if available.
+ name: log.syslog.procid
+ type: keyword
+- description: |-
+ The Syslog numeric severity of the log event, if available.
+ If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
+ name: log.syslog.severity.code
+ type: long
+- description: |-
+ The Syslog numeric severity of the log event, if available.
+ If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
+ name: log.syslog.severity.name
+ type: keyword
+- description: The version of the Syslog protocol specification. Only applicable for RFC 5424 messages.
+ name: log.syslog.version
+ type: keyword
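Review bot: The `log.source.address` description says "the source sending the UDP packet", but this is the TCP package's field definition, so the text looks copied from the UDP package; suggest `description: The IP or DNS name of the source sending the TCP data.` The sample event for this data stream shows the value as `192.168.176.4:44214`, i.e. address plus source port, so the description could also mention that a port suffix is present (worth confirming against the input before documenting it as guaranteed).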
diff --git a/packages/tcp/1.3.0/data_stream/generic/manifest.yml b/packages/tcp/1.3.0/data_stream/generic/manifest.yml
new file mode 100755
index 0000000000..9ecf45eb88
--- /dev/null
+++ b/packages/tcp/1.3.0/data_stream/generic/manifest.yml
@@ -0,0 +1,123 @@
+title: Custom TCP Logs
+type: logs
+streams:
+ - input: tcp
+ description: Collect raw TCP data from listening TCP port with Elastic Agent.
+ title: Custom TCP Logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: |
+ Bind address for the listener. Use 0.0.0.0 to listen on all interfaces.
+ required: true
+ show_user: true
+ default: localhost
+ - name: listen_port
+ type: text
+ title: Listen port
+ description: |
+ Bind port for the listener.
+ required: true
+ show_user: true
+ default: 8080
+ - name: data_stream.dataset
+ type: text
+ title: Dataset name
+ description: |
+ Dataset to write data to. Changing the dataset will send the data to a different index. You can't use `-` in the name of a dataset and only valid characters for [Elasticsearch index names](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html).
+ default: tcp.generic
+ required: true
+ show_user: true
+ - name: pipeline
+ type: text
+ title: Ingest Pipeline
+ description: |
+ The Ingest Node pipeline ID to be used by the integration.
+ required: false
+ show_user: true
+ - name: max_message_size
+ type: text
+ title: Max Message Size
+ description: The maximum size of the message received over TCP. The default is 20MiB
+ required: false
+ show_user: false
+ - name: framing
+ type: text
+ title: Framing
+ description: Specify the framing used to split incoming events. Can be one of delimiter or rfc6587. The default is delimiter
+ required: false
+ show_user: false
+ - name: line_delimiter
+ type: text
+ title: Line Delimiter
+ description: Specify the characters used to split the incoming events. The default is \n.
+ required: false
+ show_user: false
+ - name: max_connections
+ type: text
+ title: Max Connections
+ description: The at most number of connections to accept at any given point in time.
+ required: false
+ show_user: false
+ - name: timeout
+ type: text
+ title: Timeout
+ description: The number of seconds of inactivity before a remote connection is closed. The default is 300s
+ required: false
+ show_user: false
+ - name: keep_null
+ type: bool
+ title: Timeout
+ description: If this option is set to true, fields with null values will be published in the output document. By default, keep_null is set to false.
+ required: false
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: |
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - name: tags
+ type: text
+ title: Tags
+ description: Tags to include in the published event
+ required: false
+ multi: true
+ show_user: true
+ - name: syslog
+ type: bool
+ title: Syslog Parsing
+ description: Enable the syslog parser to automatically parse syslog data. The syslog parser can be configured under Advanced Options.
+ required: false
+ show_user: true
+ - name: syslog_options
+ type: yaml
+ title: Syslog Configuration
+ description: i.e. field, format, time zone, etc. See [Syslog](https://www.elastic.co/guide/en/beats/filebeat/current/syslog.html) for details.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ field: message
+ #format: auto
+ #timezone: Local
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate, keys, supported_protocols, verification_mode etc. See [SSL](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config) for details.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate: |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ #key: |
+ # -----BEGIN PRIVATE KEY-----
+ # ...
+ # -----END PRIVATE KEY-----
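Review bot: The `ssl` default scaffold only shows `certificate` and `key`, so a user who follows it gets an encrypted listener that still accepts any client, and neither the scaffold nor the description mentions the server-side options that gate who may connect (`certificate_authorities` and `client_authentication`; if I recall the linked server-config docs correctly, client verification is only required once CAs are configured). Suggest adding `#certificate_authorities: ["/path/to/ca.pem"]` and `#client_authentication: required` to the scaffold and naming them in the description, since this input is a network listener that may be bound to `0.0.0.0` per the `listen_address` help text. Separately, the `keep_null` var carries `title: Timeout`, evidently copied from the previous var; `title: Keep Null Values` would match its description.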
diff --git a/packages/tcp/1.3.0/data_stream/generic/sample_event.json b/packages/tcp/1.3.0/data_stream/generic/sample_event.json
new file mode 100755
index 0000000000..1513078626
--- /dev/null
+++ b/packages/tcp/1.3.0/data_stream/generic/sample_event.json
@@ -0,0 +1,60 @@
+{
+ "@timestamp": "2021-11-17T12:57:58.037Z",
+ "agent": {
+ "ephemeral_id": "4a9f8d87-dcfb-447b-bbad-edbfbb7ea1f6",
+ "hostname": "docker-fleet-agent",
+ "id": "b401b753-f7aa-4f45-8204-fb83d47df6cd",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.16.0"
+ },
+ "data_stream": {
+ "dataset": "tcp.generic",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "b401b753-f7aa-4f45-8204-fb83d47df6cd",
+ "snapshot": true,
+ "version": "7.16.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "dataset": "tcp.generic",
+ "ingested": "2021-11-17T12:57:59Z"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "docker-fleet-agent",
+ "id": "b7d928c66a441dff2fa2fb14971411df",
+ "ip": [
+ "192.168.176.7"
+ ],
+ "mac": [
+ "02:42:c0:a8:b0:07"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "Core",
+ "family": "redhat",
+ "kernel": "5.10.60.1-microsoft-standard-WSL2",
+ "name": "CentOS Linux",
+ "platform": "centos",
+ "type": "linux",
+ "version": "7 (Core)"
+ }
+ },
+ "input": {
+ "type": "tcp"
+ },
+ "log": {
+ "source": {
+ "address": "192.168.176.4:44214"
+ }
+ },
+ "message": "\u003c134\u003e1 2020-03-29T13:19:20Z testhostname testproductname 1930 - some longer testmessage. - a {2:2}."
+}
\ No newline at end of file
diff --git a/packages/tcp/1.3.0/docs/README.md b/packages/tcp/1.3.0/docs/README.md
new file mode 100755
index 0000000000..45c7fdeaf4
--- /dev/null
+++ b/packages/tcp/1.3.0/docs/README.md
@@ -0,0 +1,4 @@
+# Custom TCP Log integration
+
+The custom TCP Log package intializes a listening TCP socket that collects any TCP traffic received and sends each line as a document to Elasticsearch.
+Custom ingest pipelines may be added by adding the name to the pipeline configuration option, creating custom ingest pipelines can be done either through the API or the [Ingest Node Pipeline UI](/app/management/ingest/ingest_pipelines/).
diff --git a/packages/tcp/1.3.0/img/icon.svg b/packages/tcp/1.3.0/img/icon.svg
new file mode 100755
index 0000000000..173fdec507
--- /dev/null
+++ b/packages/tcp/1.3.0/img/icon.svg
@@ -0,0 +1,4 @@
+
\ No newline at end of file
diff --git a/packages/tcp/1.3.0/manifest.yml b/packages/tcp/1.3.0/manifest.yml
new file mode 100755
index 0000000000..c47749477a
--- /dev/null
+++ b/packages/tcp/1.3.0/manifest.yml
@@ -0,0 +1,25 @@
+format_version: 1.0.0
+name: tcp
+title: Custom TCP Logs
+description: Collect raw TCP data from listening TCP port with Elastic Agent.
+type: integration
+version: "1.3.0"
+release: ga
+conditions:
+ kibana.version: "^8.2.1"
+license: basic
+categories:
+ - custom
+policy_templates:
+ - name: tcp
+ title: Custom TCP Logs
+ description: Collect raw TCP data from listening TCP port with Elastic Agent.
+ inputs:
+ - type: tcp
+ title: Custom TCP Logs
+ description: Collect raw TCP data from listening TCP port with Elastic Agent.
+icons:
+ - src: "/img/icon.svg"
+ type: "image/svg+xml"
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/udp/1.3.0/changelog.yml b/packages/udp/1.3.0/changelog.yml
new file mode 100755
index 0000000000..ba4413a1f0
--- /dev/null
+++ b/packages/udp/1.3.0/changelog.yml
@@ -0,0 +1,30 @@
+- version: "1.3.0"
+ changes:
+ - description: Add syslog parsing option, expose SSL config
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3587
+- version: "1.2.0"
+ changes:
+ - description: Update package to ECS 8.3.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3353
+- version: "1.1.1"
+ changes:
+ - description: Fixing typo in readme
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3175
+- version: "1.1.0"
+ changes:
+ - description: Update ECS to 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2781
+- version: "1.0.1"
+ changes:
+ - description: Fixing typo in manifest for listen address
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2671
+- version: "1.0.0"
+ changes:
+ - description: Initial Release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2170
diff --git a/packages/udp/1.3.0/data_stream/generic/agent/stream/udp.yml.hbs b/packages/udp/1.3.0/data_stream/generic/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..da92f268b7
--- /dev/null
+++ b/packages/udp/1.3.0/data_stream/generic/agent/stream/udp.yml.hbs
@@ -0,0 +1,39 @@
+data_stream:
+ dataset: {{data_stream.dataset}}
+host: {{listen_address}}:{{listen_port}}
+{{#if pipeline}}
+pipeline: {{pipeline}}
+{{/if}}
+{{#if max_message_size}}
+max_message_size: {{max_message_size}}
+{{/if}}
+{{#if read_buffer_size}}
+read_buffer: {{read_buffer_size}}
+{{/if}}
+{{#if timeout}}
+timeout: {{timeout}}
+{{/if}}
+{{#if keep_null}}
+keep_null: {{keep_null}}
+{{/if}}
+{{#if tags}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{#if syslog}}
+ - syslog:
+ {{syslog_options}}
+{{/if}}
+{{processors}}
+{{else if syslog}}
+processors:
+ - syslog:
+ {{syslog_options}}
+{{/if}}
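Review bot: With both `processors` and `syslog` set, the first branch emits the syslog item at column 2 and then splices `{{processors}}` at column 0 under the same `processors:` key, so the list is indented inconsistently; whether the result parses depends on how yaml-typed vars are substituted, which I cannot verify from the template alone, so this combination should be covered by a system test. Rendering the syslog item at column 0 (`- syslog:` / `    {{syslog_options}}`) in both branches would keep it aligned with the spliced `{{processors}}` block and remove the duplicated stanza.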
diff --git a/packages/udp/1.3.0/data_stream/generic/fields/base-fields.yml b/packages/udp/1.3.0/data_stream/generic/fields/base-fields.yml
new file mode 100755
index 0000000000..12293deacd
--- /dev/null
+++ b/packages/udp/1.3.0/data_stream/generic/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: udp
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: udp.generic
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/udp/1.3.0/data_stream/generic/fields/beats.yml b/packages/udp/1.3.0/data_stream/generic/fields/beats.yml
new file mode 100755
index 0000000000..ede6958855
--- /dev/null
+++ b/packages/udp/1.3.0/data_stream/generic/fields/beats.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: tags
+ type: keyword
+ description: User defined tags
diff --git a/packages/udp/1.3.0/data_stream/generic/fields/ecs.yml b/packages/udp/1.3.0/data_stream/generic/fields/ecs.yml
new file mode 100755
index 0000000000..4835acacee
--- /dev/null
+++ b/packages/udp/1.3.0/data_stream/generic/fields/ecs.yml
@@ -0,0 +1,55 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ Original log level of the log event.
+ If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
+ Some examples are `warn`, `err`, `i`, `informational`.
+ name: log.level
+ type: keyword
+- description: The IP or DNS name of the source sending the UDP packet.
+ name: log.source.address
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: The device or application that originated the Syslog message, if available.
+ name: log.syslog.appname
+ type: keyword
+- description: |-
+ The Syslog numeric facility of the log event, if available.
+ According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
+ name: log.syslog.facility.code
+ type: long
+- description: The Syslog text-based facility of the log event, if available.
+ name: log.syslog.facility.name
+ type: keyword
+- description: The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector.
+ name: log.syslog.hostname
+ type: keyword
+- description: |-
+ Syslog numeric priority of the event, if available.
+ According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
+ name: log.syslog.priority
+ type: long
+- description: The process name or ID that originated the Syslog message, if available.
+ name: log.syslog.procid
+ type: keyword
+- description: |-
+ The Syslog numeric severity of the log event, if available.
+ If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
+ name: log.syslog.severity.code
+ type: long
+- description: |-
+ The Syslog numeric severity of the log event, if available.
+ If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
+ name: log.syslog.severity.name
+ type: keyword
+- description: The version of the Syslog protocol specification. Only applicable for RFC 5424 messages.
+ name: log.syslog.version
+ type: keyword
diff --git a/packages/udp/1.3.0/data_stream/generic/manifest.yml b/packages/udp/1.3.0/data_stream/generic/manifest.yml
new file mode 100755
index 0000000000..65c1f3999f
--- /dev/null
+++ b/packages/udp/1.3.0/data_stream/generic/manifest.yml
@@ -0,0 +1,98 @@
+title: Custom UDP Logs
+type: logs
+streams:
+ - input: udp
+ description: Collect raw UDP data from listening UDP port with Elastic Agent.
+ title: Custom UDP Logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: |
+ Bind address for the listener. Use 0.0.0.0 to listen on all interfaces.
+ required: true
+ show_user: true
+ default: localhost
+ - name: listen_port
+ type: text
+ title: Listen Port
+ description: |
+ Bind port for the listener.
+ required: true
+ show_user: true
+ default: 8080
+ - name: data_stream.dataset
+ type: text
+ title: Dataset name
+ description: |
+ Dataset to write data to. Changing the dataset will send the data to a different index. You can't use `-` in the name of a dataset and only valid characters for [Elasticsearch index names](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html).
+ default: udp.generic
+ required: true
+ show_user: true
+ - name: pipeline
+ type: text
+ title: Ingest Pipeline
+ description: |
+ The Ingest Node pipeline ID to be used by the integration.
+ required: false
+ show_user: true
+ - name: max_message_size
+ type: text
+ title: Max Message Size
+ description: The maximum size of the message received over UDP. The default is 10KiB
+ required: false
+ show_user: false
+ default: 10KiB
+ - name: read_buffer_size
+ type: text
+ title: Read Buffer Size
+ description: |
+ The size of the read buffer on the UDP socket in the format KiB/MiB, an example would be: 10KiB
+ required: false
+ show_user: false
+ - name: timeout
+ type: text
+ title: Timeout
+ description: The read and write timeout for socket operations.
+ required: false
+ show_user: false
+ - name: keep_null
+ type: bool
+ title: Timeout
+ description: If this option is set to true, fields with null values will be published in the output document. By default, keep_null is set to false.
+ required: false
+ show_user: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: |
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - name: tags
+ type: text
+ title: Tags
+ description: Tags to include in the published event
+ required: false
+ multi: true
+ show_user: true
+ - name: syslog
+ type: bool
+ title: Syslog Parsing
+ description: Enable the syslog parser to automatically parse syslog data. The syslog parser can be configured under Advanced Options.
+ required: false
+ show_user: true
+ - name: syslog_options
+ type: yaml
+ title: Syslog Options
+ description: i.e. format, time zone, etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ field: message
+ #format: auto
+ #timezone: Local
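Review bot: The 1.3.0 changelog entry for this package says "Add syslog parsing option, expose SSL config", but this manifest defines no `ssl` var and `udp.yml.hbs` emits no `ssl` block, so either the changelog text is wrong (TLS does not apply to a plain UDP listener anyway) or the variable was dropped from the manifest; the entry should be corrected to `Add syslog parsing option` if the former. The `keep_null` var also has `title: Timeout`, copied from the preceding var; `title: Keep Null Values` matches its description. The `syslog_options` description here (`i.e. format, time zone, etc.`) could link the same syslog processor docs the TCP manifest links, since the accepted keys are otherwise undocumented.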
diff --git a/packages/udp/1.3.0/data_stream/generic/sample_event.json b/packages/udp/1.3.0/data_stream/generic/sample_event.json
new file mode 100755
index 0000000000..a3ea74519e
--- /dev/null
+++ b/packages/udp/1.3.0/data_stream/generic/sample_event.json
@@ -0,0 +1,60 @@
+{
+ "@timestamp": "2021-11-17T11:47:14.951Z",
+ "agent": {
+ "ephemeral_id": "cc044f45-f102-43fa-95fd-78f7e03c71a2",
+ "hostname": "docker-fleet-agent",
+ "id": "c979ad84-c568-4e38-81eb-76da479696a1",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.16.0"
+ },
+ "data_stream": {
+ "dataset": "udp.generic",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "c979ad84-c568-4e38-81eb-76da479696a1",
+ "snapshot": true,
+ "version": "7.16.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "dataset": "udp.generic",
+ "ingested": "2021-11-17T11:47:15Z"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "docker-fleet-agent",
+ "id": "b7d928c66a441dff2fa2fb14971411df",
+ "ip": [
+ "192.168.48.7"
+ ],
+ "mac": [
+ "02:42:c0:a8:30:07"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "Core",
+ "family": "redhat",
+ "kernel": "5.10.60.1-microsoft-standard-WSL2",
+ "name": "CentOS Linux",
+ "platform": "centos",
+ "type": "linux",
+ "version": "7 (Core)"
+ }
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "source": {
+ "address": "192.168.48.4:51973"
+ }
+ },
+ "message": "\u003c134\u003e1 2020-03-29T13:19:20Z testhostname testproductname 1930 - some longer testmessage. - a {2:2}.\n"
+}
\ No newline at end of file
diff --git a/packages/udp/1.3.0/docs/README.md b/packages/udp/1.3.0/docs/README.md
new file mode 100755
index 0000000000..b88047c2d3
--- /dev/null
+++ b/packages/udp/1.3.0/docs/README.md
@@ -0,0 +1,4 @@
+# Custom UDP Log integration
+
+The custom UDP Log package intializes a listening UDP socket that collects any UDP traffic received and sends each line as a document to Elasticsearch.
+Custom ingest pipelines may be added by adding the name to the pipeline configuration option, creating custom ingest pipelines can be done either through the API or the [Ingest Node Pipeline UI](/app/management/ingest/ingest_pipelines/).
diff --git a/packages/udp/1.3.0/img/icon.svg b/packages/udp/1.3.0/img/icon.svg
new file mode 100755
index 0000000000..173fdec507
--- /dev/null
+++ b/packages/udp/1.3.0/img/icon.svg
@@ -0,0 +1,4 @@
+
\ No newline at end of file
diff --git a/packages/udp/1.3.0/manifest.yml b/packages/udp/1.3.0/manifest.yml
new file mode 100755
index 0000000000..a5a7c52f14
--- /dev/null
+++ b/packages/udp/1.3.0/manifest.yml
@@ -0,0 +1,26 @@
+format_version: 1.0.0
+name: udp
+title: Custom UDP Logs
+description: Collect raw UDP data from listening UDP port with Elastic Agent.
+type: integration
+version: "1.3.0"
+release: ga
+conditions:
+ kibana.version: "^8.2.1"
+license: basic
+categories:
+ - custom
+policy_templates:
+ - name: udp
+ title: Custom UDP Logs
+ description: Collect raw UDP data from listening UDP port with Elastic Agent.
+ inputs:
+ - type: udp
+ title: Custom UDP Logs
+ description: Collect raw UDP data from listening UDP port with Elastic Agent.
+ multi: true
+icons:
+ - src: "/img/icon.svg"
+ type: "image/svg+xml"
+owner:
+ github: elastic/security-external-integrations