I am trying to create an "action" field extraction to grab "permitted/denied" from my Cisco device logs. I can get this "(?i)-INGRESS (?P[^ ]+)" to match the majority of the fields but still not 100%. Any help is greatly appreciated!

EXAMPLE LOGS

Apr 4 13:37:55 XXX-gw 28127310: Apr 4 13:39:26.000:%FMANFP-6-IPACCESSLOGP: F0: fman_fp_image: list GLOBAL-INGRESS denied tcp XXX.XX.9.XXX(53165) -> 132.X.X.X(25), 1 packet

Apr 4 13:37:55 XXX-usr-250.grace.ad.XX.XXX 192461: Apr 4 13:39:26:%SEC-6-IPACCESSLOGS: list 15 permitted XX.16.XX.X 1 packet

Apr 4 13:37:55 XXX-sdp 23211: Apr 4 13:39:25.975:%SEC-6-IPACCESSLOGNP: list NTPPEER denied 0 XXX.XX.2.X -> XXX.XXX.X.XX,1 packet