DOC/ENH: __md5hex regex defination to common.conf. Document debian bug #

ChangeLog

@@ -78,7 +78,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
      linux-pam before version 0.99.2.0 (2005)
    * filter.d/gssftpd - anchored regex at start
    * filter.d/mysqld-auth.conf - mysql can use syslog
-   * filter.d/sshd - regex enhancements to support openssh-6.3
+   * filter.d/sshd - regex enhancements to support openssh-6.3. Closes Debian
+     bug #722970
   Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий
    * filter.d/exim.conf -- regex hardening and extra failure examples in
      sample logs

config/filter.d/common.conf

@@ -41,6 +41,9 @@ __kernel_prefix = kernel: \[\d+\.\d+\]
 
 __hostname = \S+
 
+# A MD5 hex
+# EXAMPLES: 07:06:27:55:b0:e3:0c:3c:5a:28:2d:7c:7e:4c:77:5f
+__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}
 
 # bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or
 # <auth.info> appearing before the host as per testcases/files/logs/bsd/*.

config/filter.d/sshd.conf

@@ -23,11 +23,10 @@ _daemon = sshd
 # Values:  TEXT
 #
 #
-md5hex = ([\da-f]{2}:){15}[\da-f]{2}
 
 failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
             ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
-            ^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .{0,100}|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(md5hex)s(, client user ".{0,100}", client host ".{0,100}")?))?\s*$
+            ^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .{0,100}|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".{0,100}", client host ".{0,100}")?))?\s*$
             ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
             ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
             ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$