EEM should look like this example.  When the data is parsed out what do you want to do with it?

event manager applet AddHostnameToIPHost
 event syslog pattern "DHCPD: Updating 'PTR' RR (.*) -> '(.*).tobi.local.'"
 action 010 regexp "DHCPD: Updating 'PTR' RR ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) -> '([A-Z]+)" "$_syslog_msg" match IP HOST
 action 020 syslog msg "ip = $IP and host = $HOST"

 test

INTERNET#send log DHCPD: Updating 'PTR' RR 10.0.0.151 -> 'WINTOBIASTEST.tobi.local.'
INTERNET#
*May  6 19:36:46.405: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: dafrey): DHCPD: Updating 'PTR' RR 10.0.0.151 -> 'WINTOBIASTEST.tobi.local.'
INTERNET#
*May  6 19:36:46.425: %HA_EM-6-LOG: AddHostnameToIPHost: ip = 10.0.0.151 and host = WINTOBIASTEST
INTERNET#