diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index d97fd675..a36b050c 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -26,4 +26,11 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
 
 ignoreregex = 
 
+# DEV Notes:
+#
+#   "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
+#   it is coming before use of <HOST> which is not hard-anchored at the end as well,
+#   and later catch-all's could contain user-provided input, which need to be greedily
+#   matched away first.
+#
 # Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black