# Start/Stop
SSHD_LISTEN         (?<listening_on_msg>Server listening on) %{IP:sshd_listen_ip} port %{NUMBER:sshd_listen_port}.
SSHD_TERMINATE      Received signal %{NUMBER:sshd_signal}; ${WORD:terminate_msg}.

# SSH Tunnel
SSHD_TUNN_ERR1      (?<connection_failed_msg>error: connect_to) %{IP:sshd_listen_ip} port %{NUMBER:sshd_listen_port}: failed.
SSHD_TUNN_ERR2      (?<fail_listen_port_msg>error: channel_setup_fwd_listener: cannot listen to port:) %{NUMBER:sshd_listen_port}
SSHD_TUNN_ERR3      (?<address_already_in_use_msg>error: bind: Address already in use)
SSHD_TUNN_ERR4      (?<cannot_listen_to_port_msg>error: channel_setup_fwd_listener_tcpip: cannot listen to port): %{NUMBER:sshd_listen_port}
SSHD_TUNN_TIMEOUT   (?<timeout_msg>Timeout), client not responding.

# Normal
SSHD_SUCCESS        (?<sshd_success_connection_msg>(?<sshd_result>Accepted)) %{WORD:sshd_auth_type} for %{USERNAME:sshd_user} from %{IP:sshd_client_ip} port %{NUMBER:sshd_port} %{WORD:sshd_protocol}
SSHD_DISCONNECT     (?<received_disconnect_from_msg>Received disconnect from) %{IP:sshd_client_ip}:(%{NUMBER:sshd_port})? %{NUMBER:sshd_disconnect_code}: (?<sshd_disconnect_status>(\w+\s*)+)
SSHD_CONN_CLOSE     (?<connection_closed_msg>Connection closed by) %{IP:sshd_client_ip} \[(?<stage>.*)\]
SSHD_SESSION_OPEN   pam_unix\(sshd:session\): (?<session_open_msg>session opened for user) %{USERNAME:sshd_user} by \(uid=\d+\)
SSHD_SESSION_CLOSE  pam_unix\(sshd:session\): (?<session_closed_msg>session closed for user) %{USERNAME:sshd_user}
SSHD_SESSION_FAIL   pam_systemd\(sshd:session\): (?<session_fail_msg>Failed to release session): (?<sshd_disconnect_status>Interrupted system call)
SSHD_AUTH_FAIL      pam_unix\(sshd:auth\): (?<sshd_status>.*); logname=(%{WORD:sshd_logname})? uid=.* euid=.* tty=(%{WORD:sshd_tty}) ruser=(%{USERNAME:sshd_ruser})? rhost=(%{IP:sshd_client_ip})? user=(%{USERNAME:sshd_user})?
SSHD_AUTH_FAIL_2    pam_unix(sshd:auth): (?<sshd_status>.*); user %{USERNAME:sshd_user}

# Probe
SSHD_REFUSE_CONN    (?<sshd_result_conn_msg>(?<sshd_result>refused) connect from) %{DATA:sshd_client_hostname} \(%{IPORHOST:sshd_client_ip}\)
SSHD_TCPWRAP_FAIL1  warning: %{DATA:sshd_tcpd_file}, line %{NUMBER}: (?<verify_hostname_msg>can't verify hostname): getaddrinfo\(%{DATA:sshd_paranoid_hostname}, %{DATA:sshd_sa_family}\) failed
SSHD_TCPWRAP_FAIL2  warning: %{DATA:sshd_tcpd_file}, line %{NUMBER}: (?<host_name_address_mismatch_msg>host name/address mismatch): %{IPORHOST:sshd_client_ip} != %{HOSTNAME:sshd_paranoid_hostname}
SSHD_TCPWRAP_FAIL3  warning: %{DATA:sshd_tcpd_file}, line %{NUMBER}: (?<host_name_name_mismatch_msg>host name/name mismatch): %{HOSTNAME:sshd_paranoid_hostname_1} != %{HOSTNAME:sshd_paranoid_hostname_2}
SSHD_TCPWRAP_FAIL4  warning: %{DATA:sshd_tcpd_file}, line %{NUMBER}: (?<host_name_name_mismatch_reverse_msg>host name/name mismatch): reverse lookup results in non-FQDN %{HOSTNAME:sshd_paranoid_hostname}
SSHD_TCPWRAP_FAIL5  warning: (?<connection_reset_by_peer_msg>can't get client address: Connection reset by peer)
SSHD_FAIL           (?<sshd_fail_msg>Failed) %{WORD:sshd_auth_type} for %{USERNAME:sshd_invalid_user} from %{IP:sshd_client_ip} port %{NUMBER:sshd_port} %{WORD:sshd_protocol}
SSHD_USER_FAIL      (?<sshd_user_fail_msg>Failed password for invalid user) %{USERNAME:sshd_invalid_user} from %{IP:sshd_client_ip} port %{NUMBER:sshd_port} %{WORD:sshd_protocol}
SSHD_INVAL_USER     (?<sshd_invalid_user_msg>Invalid user)\s*%{USERNAME:sshd_invalid_user}? from %{IP:sshd_client_ip}

# preauth
SSHD_DISC_PREAUTH   (?<disc_preauth_msg>Disconnected) from %{IP:sshd_client_ip} port %{NUMBER:sshd_port}
SSHD_RECE_PREAUTH   (?:error: |)(?<received_disconnect_msg>Received disconnect from) %{IP:sshd_client_ip} port %{NUMBER:sshd_port}:%{NUMBER:sshd_disconnect_code}: %{GREEDYDATA:sshd_disconnect_status}? \[%{GREEDYDATA:sshd_privsep}\]
SSHD_MAXE_PREAUTH   error: (?<max_auth_attempts_msg>maximum authentication attempts exceeded) for (?:invalid user |)%{USERNAME:sshd_invalid_user} from %{IP:sshd_client_ip} port %{NUMBER:sshd_port} %{WORD:sshd_protocol}\s*(?:\[%{GREEDYDATA:sshd_privsep}\]|)
SSHD_DISR_PREAUTH   (?<disr_preauth_msg>Disconnecting): %{GREEDYDATA:sshd_disconnect_status} \[%{GREEDYDATA:sshd_privsep}\]
SSHD_INVA_PREAUTH   input_userauth_request: (?<invalid_user_preauth_msg>invalid user) %{USERNAME:sshd_invalid_user}?\s*(?:\[%{GREEDYDATA:sshd_privsep}\]|)
SSHD_REST_PREAUTH   (?<connection_reset_preauth_msg>Connection reset) by %{IP:sshd_client_ip} port %{NUMBER:sshd_port}\s*(?:\[%{GREEDYDATA:sshd_privsep}\]|)
SSHD_CLOS_PREAUTH   (?<connection_closed_preauth_msg>Connection closed) by %{IP:sshd_client_ip} port %{NUMBER:sshd_port}\s*(?:\[%{GREEDYDATA:sshd_privsep}\]|)
SSHD_FAIL_PREAUTH   fatal: Unable to negotiate with %{IP:sshd_client_ip} port %{NUMBER:sshd_port}:\s*%{GREEDYDATA:sshd_disconnect_status}? \[%{GREEDYDATA:sshd_privsep}\]
SSHD_FAI2_PREAUTH   fatal: %{GREEDYDATA:sshd_fatal_status}: Connection from %{IP:sshd_client_ip} port %{NUMBER:sshd_port}:\s*%{GREEDYDATA:sshd_disconnect_status}? \[%{GREEDYDATA:sshd_privsep}\]
SSHD_BADL_PREAUTH   (?<bad_packet_length_msg>Bad packet length) %{NUMBER:sshd_packet_length}. \[%{GREEDYDATA:sshd_privsep}\]

# Corrupted
SSHD_IDENT_FAIL     (?<identification_fail_msg>Did not receive identification string) from %{IP:sshd_client_ip}
SSHD_MAPB_FAIL      (?<sshd_mapb_fail_msg>Address %{IP:sshd_client_ip} maps to) %{HOSTNAME:sshd_client_hostname}, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
SSHD_RMAP_FAIL      reverse mapping checking getaddrinfo for %{HOSTNAME:sshd_client_hostname} \[%{IP:sshd_client_ip}\] (?<sshd_rmap_fail_msg>failed - POSSIBLE BREAK-IN ATTEMPT!)
SSHD_TOOMANY_AUTH   Disconnecting: (?<too_many_auth_msg>Too many authentication failures) for %{USERNAME:sshd_invalid_user}
SSHD_CORRUPT_MAC    (?<corrupted_mac_msg>Corrupted MAC on input)
SSHD_PACKET_CORRUPT Disconnecting: (?<packet_corrupt_msg>Packet corrupt)
SSHD_BAD_VERSION    (?<bad_protocol_version_msg>Bad protocol version identification) '%{GREEDYDATA}' from %{IP:sshd_client_ip}

####
SSHD_INIT       %{SSHD_LISTEN}|%{SSHD_TERMINATE}
SSHD_TUNN       %{SSHD_TUNN_ERR1}|%{SSHD_TUNN_ERR2}|%{SSHD_TUNN_ERR3}|%{SSHD_TUNN_ERR4}|%{SSHD_TUNN_TIMEOUT}
SSHD_NORMAL_LOG %{SSHD_SUCCESS}|%{SSHD_DISCONNECT}|%{SSHD_CONN_CLOSE}|%{SSHD_SESSION_OPEN}|%{SSHD_SESSION_CLOSE}|%{SSHD_SESSION_FAIL}
SSHD_PROBE_LOG  %{SSHD_REFUSE_CONN}|%{SSHD_TCPWRAP_FAIL1}|%{SSHD_TCPWRAP_FAIL2}|%{SSHD_TCPWRAP_FAIL3}|%{SSHD_TCPWRAP_FAIL4}|%{SSHD_TCPWRAP_FAIL5}|%{SSHD_FAIL}|%{SSHD_USER_FAIL}|%{SSHD_INVAL_USER}
SSHD_PREAUTH    %{SSHD_DISC_PREAUTH}|%{SSHD_RECE_PREAUTH}|%{SSHD_MAXE_PREAUTH}|%{SSHD_DISR_PREAUTH}|%{SSHD_INVA_PREAUTH}|%{SSHD_REST_PREAUTH}|%{SSHD_FAIL_PREAUTH}|%{SSHD_CLOS_PREAUTH}|%{SSHD_FAI2_PREAUTH}|%{SSHD_BADL_PREAUTH}
SSHD_CORRUPTED  %{SSHD_IDENT_FAIL}|%{SSHD_MAPB_FAIL}|%{SSHD_RMAP_FAIL}|%{SSHD_TOOMANY_AUTH}|%{SSHD_CORRUPT_MAC}|%{SSHD_PACKET_CORRUPT}|%{SSHD_BAD_VERSION}
SSHD_LOG        %{SSHD_INIT}|%{SSHD_NORMAL_LOG}|%{SSHD_PROBE_LOG}|%{SSHD_CORRUPTED}|%{SSHD_TUNN}|%{SSHD_PREAUTH}

SSHD_MESSAGE %{SSHD_LISTEN}|%{SSHD_TERMINATE}|%{SSHD_TUNN_ERR1}|%{SSHD_TUNN_ERR2}|%{SSHD_TUNN_ERR3}|%{SSHD_TUNN_ERR4}|%{SSHD_TUNN_TIMEOUT}|%{SSHD_SUCCESS}|%{SSHD_DISCONNECT}|%{SSHD_CONN_CLOSE}|%{SSHD_SESSION_OPEN}|%{SSHD_SESSION_CLOSE}|%{SSHD_SESSION_FAIL}|%{SSHD_REFUSE_CONN}|%{SSHD_TCPWRAP_FAIL1}|%{SSHD_TCPWRAP_FAIL2}|%{SSHD_TCPWRAP_FAIL3}|%{SSHD_TCPWRAP_FAIL4}|%{SSHD_TCPWRAP_FAIL5}|%{SSHD_FAIL}|%{SSHD_USER_FAIL}|%{SSHD_INVAL_USER}|%{SSHD_DISC_PREAUTH}|%{SSHD_RECE_PREAUTH}|%{SSHD_MAXE_PREAUTH}|%{SSHD_DISR_PREAUTH}|%{SSHD_INVA_PREAUTH}|%{SSHD_REST_PREAUTH}|%{SSHD_CLOS_PREAUTH}|%{SSHD_FAIL_PREAUTH}|%{SSHD_FAI2_PREAUTH}|%{SSHD_BADL_PREAUTH}|%{SSHD_IDENT_FAIL}|%{SSHD_MAPB_FAIL}|%{SSHD_RMAP_FAIL}|%{SSHD_TOOMANY_AUTH}|%{SSHD_CORRUPT_MAC}|%{SSHD_PACKET_CORRUPT}|%{SSHD_BAD_VERSION}|%{SSHD_INIT}|%{SSHD_TUNN}|%{SSHD_NORMAL_LOG}|%{SSHD_PROBE_LOG}|%{SSHD_PREAUTH}|%{SSHD_CORRUPTED}|%{SSHD_LOG}|%{SSHD_AUTH_FAIL_2}
