Mark, I tried your example without success. Here is what the output from my program shows:

>>>  |  |  |
$VAR2 = 4980519 04/12/2004 21:07:37.440 SEV=4 AUTH/22 RPT=1151
 User [agra02] Group [cisco3015] connected, Session Type: IPSec
[download]

As you can see in the first line the ">>>" indicates where I should have printed the contents of the extracted values. The second line, shows $VAR2 contents. One problem might be the line break occuring before the word "User". Here is the actual text message:

1081800476 3  Mon Apr 12 15:07:56 2004 test-vpn.mydomain.com u Trap: g
+eneric 6 specific 0 args (3):  [1] mgmt.mib-2.system.sysUpTime.0 (Tic
+ks): 10825222
1081800476 3  Mon Apr 12 15:07:56 2004  test-vpn.mydomain.com u  [2] p
+rivate.enterprises.3076.2.1.4.4.15.22 (OctetString): 4980519 04/12/20
+04 21:07:37.440 SEV=4 AUTH/22 RPT=1151
1081800476 3  Mon Apr 12 15:07:56 2004  test-vpn.mydomain.com u  User 
+[agra02] Group [cisco3015] connected, Session Type: IPSec
1081800476 3  Mon Apr 12 15:07:56 2004  test-vpn.mydomain.com u  [3] p
+rivate.enterprises.3076.2.1.2.4.1.1 (OctetString): AUTH/22
[download]

Here is how I coded it from your example:

if ($ARGUMENTS==6)
{
   ($KEY, $DATE, $TIMESTAMP, $SEV, $LOG_NUM, $RPT, $H1, $H2, $USER, $H
+3, $GROUP, $H4, $H5, $H6, $TYPE) = split(/ /, $VAR2);
   $USER =~ s/\[//;
   $USER =~ s/\]//;
   $GROUP =~ s/\[//;
   $GROUP =~ s/\]//;
# Old code handling ends here. This is the new piece you suggested.

my ($user, $group, $connected, $type) = $VAR2 =~ /^User \[(\w+)\] Grou
+p \[(\w+)\] (\w+), Session Type: +(\w+)$/;
print TRAPDATA "\n>>> $user | $group | $connected | $type\n";
print TRAPDATA "\$VAR2 = $VAR2\n";
}
[download]