
Sample Rule for sshd

<Traverse>
<message-handler>
 <!-- NOTE(review): type="file" with name="*" presumably applies this ruleset to every
      file-based message source rather than to one named log; confirm against the
      Traverse message-handler reference before copying it into production. -->
 <ruleset type="file" name="*">
  <rule>
   <!-- Capture groups, left to right:
        (1) the first token after the ":NN " timestamp fragment (mapped to device_name below),
        (2) the process name immediately before "[pid]:" (mapped to process_name),
        (3) everything between "root from" and the trailing "ssh2" (mapped to remote_host).
        Two properties of the expression worth knowing when tuning it:
        the ".*" in front of "root" is unconstrained, so any sshd line that contains
        " root from ... ssh2" matches, not only failed-login lines; and group (3) is a
        greedy "(.*)", so it runs up to the last " ssh2", meaning any tokens that sit
        between the host and "ssh2" (a port field, if the log format emits one; verify
        against real log samples) end up inside remote_host. The literal "root" also
        means attempts against any other account are not covered by this rule. -->
   <description>SSH: Break-In Attempt as ROOT</description> <pattern>:\d+\s+(\S+)\s+(\S+)\[\d+\]:\s+.*\s+root\s+from\s+(.*)\s+ssh2</pattern>
   <action>accept</action>
   <!-- match="N" binds the Nth capture group of <pattern> to the named field; the
        <transform> template below refers to those fields as ${field_name}. -->
   <mapping>
    <field name="device_name" match="1"/>
    <field name="process_name" match="2"/>
    <field name="remote_host" match="3"/>
   </mapping>
   <severity>critical</severity>
   <show-message>true</show-message>
   <!-- NOTE(review): auto-clear presumably sets how long the raised condition stays
        active before clearing on its own; the unit is not stated on this page
        (1800 reads as 30 minutes if it is seconds), so confirm before relying on it. -->
   <auto-clear>1800</auto-clear>
   <!-- Message shown for the matched event, built from the mapped fields. -->
   <transform>${process_name}: break-in attempt as "root" from ${remote_host}</transform>
  </rule>
 </ruleset>
</message-handler>
</Traverse>