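@load listen-clear
@load remote
@load notice

module SyslogSSH;

export {
	# Alert threshold per source: SSHLoginFail is raised when a single
	# originator reaches exactly this many failed logins within fail_window.
	const max_failures = 5 &redef;

	# Counting window per source. An entry in `sources` is dropped this long
	# after it is created, so a long-running instance does not accumulate one
	# counter per address forever, and a source that goes quiet can be
	# reported again in a later window.
	const fail_window = 1 hr &redef;
}

# Receive ssh_* events from a local syslog feeder. $connect=F means this
# instance listens for the peer rather than dialling out to it.
redef Remote::destinations += {
	["syslog"] = [$host = 127.0.0.1, $events = /ssh_.*/, $connect=F],
};

redef enum Notice += {
	SSHLoginFail,
};

# Failed-login count keyed by originating address. &default=0 lets the
# handler increment a key it has not seen; &create_expire bounds how long
# (and therefore how large) this table grows.
global sources: table[addr] of count &default=0 &create_expire=fail_window;

# Handles one failed SSH login reported by the feeder. Raises SSHLoginFail
# once per source per window, at the moment the count hits max_failures;
# the equality test means later failures by the same source do not re-alert
# until its entry has expired.
event ssh_fail_login(ts:double, orig_h:addr, resp_h:addr, account:string, auth_type:string)
	{
	if ( ++sources[orig_h] == max_failures )
		NOTICE([$note=SSHLoginFail, $src=orig_h,
		        $msg=fmt("%s exceeded %d failed SSH logins", orig_h, max_failures)]);
	}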