Hi guys,
We get logs from Arbor with syslog, FortiSIEM does not have a parser by default. Has anyone written or have a parser for this before?
Hi @adem_netsys,
I had earlier written a parser for syslogs from Arbor Availability Protection, but couldn't find it now.
Currently I can help with how you can proceed on this:
- Simplify the pattern definitions:
<patternDefinitions>
<pattern name="gPatStrEndDigit"><![CDATA[[^\d+]*]]></pattern>
<pattern name="gPatStrRightParen"><![CDATA[[^\)]*]]></pattern>
<pattern name="gPatTimeHR"><![CDATA[\d{1,2}:\d{1,2}]]></pattern>
</patternDefinitions>
Now create a format recognizer:
<eventFormatRecognizer><![CDATA[\s+arbor-networks-aps\:]]></eventFormatRecognizer>
Collect fields from the structured string:
1) Define the format
<collectFieldsByRegex src="$_rawmsg">
<regex><![CDATA[^\s*<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+<reptDevName:gPatHostName>\s+arbor-networks-aps\:<eventAction:gPatStrEndColon><_body:gPatMesgBody>]]></regex>
</collectFieldsByRegex>
2) Collect the key value for event attributes:
<collectAndSetAttrByKeyValuePair sep="," src="$_msg">
<attrKeyMap attr="actionTime" key="EPOCH:"/>
<attrKeyMap attr="procId" key="PGID:"/>
--------
</collectAndSetAttrByKeyValuePair>
<setEventAttribute attr="_formatedPolicyName">replaceStringByRegex($policyName, "\s+", "-")</setEventAttribute>
Refer to a sample syslog parser; the document below can help you build a detailed parser:
https://help.fortinet.com/fsiem/7-0-3/Online-Help/HTML5_Help/Configuring_parsers.htm
You can open a support ticket or contact Professional Services, where you can provide a complete raw log and they would provide suggestions and clarify doubts.
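To see what the parser steps in the reply above actually do to a log line, here is an added Python reimplementation of the same pipeline (format recognizer, header regex with `gPat*` placeholders, comma-separated key/value collection, and the `replaceStringByRegex` step). It is not the reply author's parser and not FortiSIEM syntax; the `gPat*` regex equivalents, the `policyName:`/`srcIp:` keys and the sample log line are all assumptions constructed for the example.

```python
import re

# Constructed sample line in the shape the reply's regex expects (assumed
# layout, not a captured Arbor APS log).
SAMPLE_LOG = ("<134>Mar 12 10:15:32 aps-01 arbor-networks-aps: Blocked Host: "
              "EPOCH:1710238532, PGID:4711, policyName:Web Servers Policy, "
              "srcIp:203.0.113.7")

# Assumed regex equivalents of the gPat* names used in the reply's regex.
GPAT = {
    "gPatSyslogPRI": r"<\d{1,3}>",
    "gPatMon": r"[A-Z][a-z]{2}",
    "gPatDay": r"\d{1,2}",
    "gPatTime": r"\d{1,2}:\d{2}:\d{2}",
    "gPatHostName": r"[\w.-]+",
    "gPatStrEndColon": r"[^:]*:",   # assumed to consume the delimiting colon
    "gPatMesgBody": r".*",
}

# The reply's eventFormatRecognizer and collectFieldsByRegex, copied verbatim.
FORMAT_RECOGNIZER = re.compile(r"\s+arbor-networks-aps\:")
HEADER_TEMPLATE = (r"^\s*<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+"
                   r"<_time:gPatTime>\s+<reptDevName:gPatHostName>\s+"
                   r"arbor-networks-aps\:<eventAction:gPatStrEndColon>"
                   r"<_body:gPatMesgBody>")

# attrKeyMap entries from the reply plus two assumed ones for the sample line.
KEY_MAP = [
    ("actionTime", "EPOCH:"),
    ("procId", "PGID:"),
    ("policyName", "policyName:"),   # assumed key
    ("srcIpAddr", "srcIp:"),         # assumed key
]


def expand_template(template: str) -> re.Pattern:
    """Rewrite '<name:gPatX>' as a named group and '<:gPatX>' as an unnamed one."""
    def repl(m: re.Match) -> str:
        name, body = m.group(1), GPAT[m.group(2)]
        return f"(?P<{name}>{body})" if name else f"(?:{body})"
    return re.compile(re.sub(r"<(\w*):(gPat\w+)>", repl, template))


HEADER_RE = expand_template(HEADER_TEMPLATE)


def collect_by_key_value(body: str, sep: str, key_map) -> dict:
    """Mirror collectAndSetAttrByKeyValuePair: split on sep, match each chunk by key prefix."""
    attrs = {}
    for chunk in body.split(sep):
        chunk = chunk.strip()
        for attr, key in key_map:
            if chunk.startswith(key):
                attrs[attr] = chunk[len(key):].strip()
    return attrs


def parse_arbor_line(raw: str):
    """Return the event attributes for one syslog line, or None if the recognizer rejects it."""
    if not FORMAT_RECOGNIZER.search(raw):
        return None                      # not an Arbor APS line; another parser should take it
    m = HEADER_RE.match(raw)
    if not m:
        return None                      # recognized but header layout differs; needs a new regex
    fields = m.groupdict()
    event = {
        "reptDevName": fields["reptDevName"],
        "eventAction": fields["eventAction"].strip(" :"),
    }
    event.update(collect_by_key_value(fields["_body"], ",", KEY_MAP))
    if "policyName" in event:
        # replaceStringByRegex($policyName, "\s+", "-") from the reply
        event["_formatedPolicyName"] = re.sub(r"\s+", "-", event["policyName"])
    return event


if __name__ == "__main__":
    print(parse_arbor_line(SAMPLE_LOG))
```

Running it on the constructed line yields `actionTime` 1710238532, `procId` 4711, `eventAction` "Blocked Host" and `_formatedPolicyName` "Web-Servers-Policy"; a line that does not carry the `arbor-networks-aps:` tag is rejected by the recognizer before any field extraction, which is the behaviour you want so that unrelated syslog sources never land in this parser.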