diff --git a/config/filter.d/dropbear.conf b/config/filter.d/dropbear.conf
index 930bb128..3523be42 100644
--- a/config/filter.d/dropbear.conf
+++ b/config/filter.d/dropbear.conf
@@ -23,7 +23,7 @@ before = common.conf
 
 _daemon = dropbear
 
-prefregex = ^%(__prefix_line)s<F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$
+prefregex = ^%(__prefix_line)s(\[\d+\] [A-Z][a-z]+ \d\d \d\d:\d\d:\d\d )?<F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$
 
 failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
             ^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
@@ -31,6 +31,8 @@ failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
 
 ignoreregex = 
 
+journalmatch = _SYSTEMD_UNIT=dropbear.service + _COMM=dropbear
+
 # DEV Notes:
 #
 # The first two regexs here match the unmodified dropbear messages. It isn't
diff --git a/fail2ban/tests/files/logs/dropbear b/fail2ban/tests/files/logs/dropbear
index d8a4d4d3..e165e602 100644
--- a/fail2ban/tests/files/logs/dropbear
+++ b/fail2ban/tests/files/logs/dropbear
@@ -13,3 +13,6 @@ Jul 27 01:04:12 fail2ban-test dropbear[1335]: Bad password attempt for 'root' fr
 Jul 27 01:04:22 fail2ban-test dropbear[1335]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 1.2.3.4:60588
 # failJSON: { "time": "2005-07-27T01:18:59", "match": true , "host": "1.2.3.4" }
 Jul 27 01:18:59 fail2ban-test dropbear[1477]: Login attempt for nonexistent user from 1.2.3.4:60794
+
+# failJSON: { "time": "2005-07-10T23:53:52", "match": true , "host": "1.2.3.4" }
+Jul 10 23:53:52 fail2ban-test dropbear[825]: [825] Jul 10 23:53:52 Bad password attempt for 'root' from 1.2.3.4:52289