From 5f2807b41f5af5fd9badc32c630117e19784227b Mon Sep 17 00:00:00 2001
From: Markus Oesterle <markusoesterle@gmx.de>
Date: Fri, 17 Apr 2015 10:04:35 +0200
Subject: [PATCH] replaced .* before rhost with regex matching all the previous
 fields

---
 config/filter.d/sshd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index f6274a30..e69c8622 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -33,7 +33,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
             ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
             ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
             ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
-             ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure.*rhost=<HOST>\s.*$
+             ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>.*$
 
 ignoreregex =