@Sam of Simple Samples - Sorry, it's not letting me reply directly to you, even after dropping the character count below 1000.
This is being written for a UDSM/Log Source Xtension in QRadar - there is no way to implement a library. However, the base language to pull the data in is Perl. The regex flavour used in QRadar is Java. The Perl side of this is done, just for the record. The data can already be imported in; it's just a matter of taking the data imported in and doing something useful with it.
In a given event, they have certain guaranteed fields. For example, every Security log will have a channel, event ID, etc. However, each "Event ID" will have a different set of more unique fields under the <Data> tags. Those fields are unique to the event id.
Example:
Event ID 4624:
<EventData>
<Data Name='SubjectUserSid'>SID</Data>
<Data Name='SubjectUserName'>USERNAME</Data>
<Data Name='SubjectDomainName'>DOMAIN</Data>
...
</EventData>
EventID 4728:
<EventData>
<Previous tags from logon Event>
<Data Name='TargetUserInformation'>TUINFO</Data>
<Data Name='GroupName'>GROUPNAME</Data>
<Data Name='....'></Data>
</EventData>
Note the additional new fields of the Target information (U/N, SID, Domain), group name. These are the varying fields I'm hoping are documented somewhere.
Cheers
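An added example (not from the original thread or from QRadar) of the two-step approach the question describes: pull every <Data Name='...'> under <EventData> into a name/value map regardless of Event ID, then compare it against a per-Event-ID field set. The sample events, the EXPECTED table and the field names for 4624/4728 are constructed assumptions for the example, to be checked against the live events.

```python
import xml.etree.ElementTree as ET

# Constructed sample events (not real log data). The xmlns on <Event> is what the
# real Windows Event Log XML carries, so the parser uses the {*} namespace wildcard.
SAMPLE_4624 = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Channel>Security</Channel><EventID>4624</EventID></System>
<EventData>
<Data Name='SubjectUserSid'>S-1-5-18</Data>
<Data Name='SubjectUserName'>SYSTEM</Data>
<Data Name='SubjectDomainName'>NT AUTHORITY</Data>
</EventData></Event>"""

SAMPLE_4728 = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Channel>Security</Channel><EventID>4728</EventID></System>
<EventData>
<Data Name='MemberName'>CN=alice,OU=Users,DC=example,DC=local</Data>
<Data Name='TargetUserName'>Domain Admins</Data>
<Data Name='TargetDomainName'>EXAMPLE</Data>
<Data Name='SubjectUserSid'>S-1-5-21-1-2-3-1001</Data>
<Data Name='SubjectUserName'>admin</Data>
<Data Name='SubjectDomainName'>EXAMPLE</Data>
<Data Name='PrivilegeList'>-</Data>
</EventData></Event>"""

# Per-Event-ID field sets expected under <EventData>. Assumed for this example;
# confirm against the live event or vendor documentation before relying on them.
EXPECTED = {
    4624: {"SubjectUserSid", "SubjectUserName", "SubjectDomainName", "LogonType"},
    4728: {"SubjectUserSid", "SubjectUserName", "SubjectDomainName",
           "MemberName", "TargetUserName", "TargetDomainName"},
}

def parse_event(xml_text):
    # Return (event_id, {Data Name: value}) for one Windows Event Log XML record.
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("./{*}System/{*}EventID"))
    fields = {}
    for data in root.iterfind("./{*}EventData/{*}Data"):
        name = data.get("Name")
        if name:  # unnamed <Data> elements carry no key, so skip them
            fields[name] = (data.text or "").strip()
    return event_id, fields

def check_schema(event_id, fields):
    # Compare the fields actually present with the set expected for this Event ID.
    expected = EXPECTED.get(event_id)
    if expected is None:
        return {"known": False, "missing": set(), "extra": set(fields)}
    present = set(fields)
    return {"known": True, "missing": expected - present, "extra": present - expected}
```

The "missing" and "extra" sets are what tell you where a per-Event-ID field table diverges from what the source actually emits, which is the part worth checking before hard-coding a regex for each ID.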