That is a difficult problem. See this thread. I would guess that the first few fields are positional, so you could use either dissect or grok. But once you get into event-specific data the format is also event-specific. There are multiple fields that contain whitespace which are also separated by whitespace. It's hard to parse that.