I have the following ruleset...
version=2
rule=ssh,fail,invalid_user: Failed password for invalid user %user:word% from %clientip:ipv4% port %clientport:number%%-:rest%
rule=ssh,fail,incorrect_password: Failed password for %user:word% from %clientip:ipv4% port %clientport:number%%-:rest%
rule=ssh,fail,disconnect: Disconnected from authenticating user %user:word% %clientip:ipv4% port %clientport:number%%-:rest%
rule=ssh,fail,disconnect,invalid_user: Disconnected from invalid user %user:word% %clientip:ipv4% port %clientport:number%%-:rest%
rule=ssh,fail,disconnect: Received disconnect from %clientip:ipv4% port %clientport:number%%-:rest%
rule=ssh,fail,disconnect: Connection closed by %clientip:ipv4% port %clientport:number%%-:rest%
...which I wanted to simplify with...
version=2
prefix=%-:whitespace%
rule=ssh,fail,invalid_user:Failed password for invalid user %user:word% from %clientip:ipv4% port %clientport:number%%-:rest%
rule=ssh,fail,incorrect_password:Failed password for %user:word% from %clientip:ipv4% port %clientport:number%%-:rest%
# and others...
...however, this doesn't seem to work. Am I doing anything wrong, or is this a bug?
Also, even if I get this to work, it's probably going to be very brittle, because of what's written in the docs:
    The current parsing position MUST be on a whitespace, else the parser does not match.
What is the best way to ignore optional prefixed whitespace?