diff --git a/.tests/synology-dsm-logs/parser.assert b/.tests/synology-dsm-logs/parser.assert
index 44669755872..7c774eccec8 100644
--- a/.tests/synology-dsm-logs/parser.assert
+++ b/.tests/synology-dsm-logs/parser.assert
@@ -63,3 +63,68 @@ results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Meta["log_type"] results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Meta["machine"] == "synologynas" results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Meta["service"] == "synology-dsm" results["s01-parse"]["crowdsecurity/synology-dsm-logs"][4].Evt.Meta["source_ip"] == "10.4.2.113" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][5].Success == true +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][5].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_3_login" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][5].Evt.Parsed["src_ip"] == "88.166.17.26" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][5].Evt.Parsed["timestamp8601"] == "2025-11-05T12:39:17+01:00" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][5].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][5].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=88.166.17.26 user=admin" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][5].Evt.Parsed["pid"] == "29814" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][5].Evt.Meta["datasource_path"] == "synology-dsm-logs.log" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][5].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][5].Evt.Meta["log_type"] == "synology-dsm_failed_auth" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][5].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][5].Evt.Meta["service"] == "synology-dsm" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][5].Evt.Meta["source_ip"] == "88.166.17.26" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][6].Success == true +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][6].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_3_login" 
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][6].Evt.Parsed["src_ip"] == "88.166.17.26" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][6].Evt.Parsed["timestamp8601"] == "2025-11-05T13:16:30+01:00" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][6].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][6].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=88.166.17.26 user=admin" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][6].Evt.Parsed["pid"] == "11869" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][6].Evt.Meta["datasource_path"] == "synology-dsm-logs.log" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][6].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][6].Evt.Meta["log_type"] == "synology-dsm_failed_auth" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][6].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][6].Evt.Meta["service"] == "synology-dsm" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][6].Evt.Meta["source_ip"] == "88.166.17.26" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][7].Success == true +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][7].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_3_login" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][7].Evt.Parsed["src_ip"] == "88.166.17.26" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][7].Evt.Parsed["timestamp8601"] == "2025-11-05T14:15:53+01:00" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][7].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][7].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=88.166.17.26 user=admin" 
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][7].Evt.Parsed["pid"] == "1742" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][7].Evt.Meta["datasource_path"] == "synology-dsm-logs.log" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][7].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][7].Evt.Meta["log_type"] == "synology-dsm_failed_auth" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][7].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][7].Evt.Meta["service"] == "synology-dsm" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][7].Evt.Meta["source_ip"] == "88.166.17.26" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][8].Success == true +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][8].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_3_login" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][8].Evt.Parsed["src_ip"] == "88.166.17.26" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][8].Evt.Parsed["timestamp8601"] == "2025-11-05T16:00:16+01:00" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][8].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][8].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=88.166.17.26 user=admin" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][8].Evt.Parsed["pid"] == "10921" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][8].Evt.Meta["datasource_path"] == "synology-dsm-logs.log" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][8].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][8].Evt.Meta["log_type"] == "synology-dsm_failed_auth" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][8].Evt.Meta["machine"] == "synologynas" 
+results["s01-parse"]["crowdsecurity/synology-dsm-logs"][8].Evt.Meta["service"] == "synology-dsm" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][8].Evt.Meta["source_ip"] == "88.166.17.26" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][9].Success == true +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][9].Evt.Parsed["program"] == "synoscgi_SYNO.API.Auth_3_login" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][9].Evt.Parsed["src_ip"] == "88.166.17.26" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][9].Evt.Parsed["timestamp8601"] == "2025-11-05T18:02:16+01:00" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][9].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][9].Evt.Parsed["message"] == "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=88.166.17.26 user=admin" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][9].Evt.Parsed["pid"] == "26280" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][9].Evt.Meta["datasource_path"] == "synology-dsm-logs.log" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][9].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][9].Evt.Meta["log_type"] == "synology-dsm_failed_auth" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][9].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][9].Evt.Meta["service"] == "synology-dsm" +results["s01-parse"]["crowdsecurity/synology-dsm-logs"][9].Evt.Meta["source_ip"] == "88.166.17.26" \ No newline at end of file diff --git a/.tests/synology-dsm-logs/synology-dsm-logs.log b/.tests/synology-dsm-logs/synology-dsm-logs.log index f42897e6ef2..1c2f743a5aa 100644 --- a/.tests/synology-dsm-logs/synology-dsm-logs.log +++ b/.tests/synology-dsm-logs/synology-dsm-logs.log 
@@ -3,3 +3,8 @@
 2022-02-09T20:54:00+01:00 synologynas synoscgi_SYNO.API.Auth_7_login[2368]: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.116
 2022-02-09T20:55:08+01:00 synologynas synoscgi_SYNO.API.Auth_7_login[2706]: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.114
 2022-02-09T20:55:18+01:00 synologynas synoscgi_SYNO.API.Auth_7_login[2737]: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.113
+2025-11-05T12:39:17+01:00 synologynas synoscgi_SYNO.API.Auth_3_login[29814]: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=88.166.17.26 user=admin
+2025-11-05T13:16:30+01:00 synologynas synoscgi_SYNO.API.Auth_3_login[11869]: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=88.166.17.26 user=admin
+2025-11-05T14:15:53+01:00 synologynas synoscgi_SYNO.API.Auth_3_login[1742]: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=88.166.17.26 user=admin
+2025-11-05T16:00:16+01:00 synologynas synoscgi_SYNO.API.Auth_3_login[10921]: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=88.166.17.26 user=admin
+2025-11-05T18:02:16+01:00 synologynas synoscgi_SYNO.API.Auth_3_login[26280]: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=88.166.17.26 user=admin
diff --git a/.tests/synology-dsm-ssh-bf/config.yaml b/.tests/synology-dsm-ssh-bf/config.yaml
new file mode 100644
index 00000000000..fb9e1fbd6f9
--- /dev/null
+++ b/.tests/synology-dsm-ssh-bf/config.yaml
@@ -0,0 +1,11 @@
+parsers:
+ - crowdsecurity/sshd-logs
+ - crowdsecurity/syslog-logs
+ - crowdsecurity/dateparse-enrich
+scenarios:
+ - crowdsecurity/ssh-bf
+postoverflows:
+ - ""
+log_file: synology-dsm-ssh-bf.log
+log_type: syslog
+ignore_parsers: false
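Review bot: The five lines added to `synology-dsm-logs.log` carry a routable address (`rhost=88.166.17.26`) together with `user=admin`, which reads like a capture from a live NAS rather than constructed data. If that address belongs to the contributor or a third party, I would replace it with a documentation range, e.g. `rhost=203.0.113.26`, and regenerate `parser.assert` so the fixture does not publish a real endpoint. These lines also introduce the `user=` suffix, yet the regenerated asserts for entries 5–9 pin only `src_ip`/`source_ip` and no target user, so the targeted account is apparently not extracted; worth confirming that is intended.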
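Review bot: `config.yaml` enables `crowdsecurity/ssh-bf`, but the only assertion file for this test visible in the diff is `parser.assert`; a `scenario.assert` (possibly outside this view) is what would prove the sample log actually overflows the bucket. That matters here because the parser asserts show the `pam_syno_log_fail` events tagged `ssh_failed-auth` with a `target_user` but no `source_ip`, so if the scenario groups on source IP those events would not be attributed to the offending address. I would pin the overflow's source IP and event count in a scenario assertion, and add a comment above `log_file` such as `# DSM emits two lines per failed SSH login: pam_unix (has rhost) and pam_syno_log_fail (user only)`.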
diff --git a/.tests/synology-dsm-ssh-bf/parser.assert b/.tests/synology-dsm-ssh-bf/parser.assert
new file mode 100644
index 00000000000..878bc76dc7d
--- /dev/null
+++ b/.tests/synology-dsm-ssh-bf/parser.assert
@@ -0,0 +1,760 @@ +len(results) == 4 +len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 21 +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp8601"] == "2025-10-27T23:29:36+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172 user=root" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "12031" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "synologynas" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp8601"] == "2025-10-27T23:29:52+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172 user=postgres" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "12099" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "synologynas" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true 
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "12202" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:07+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "synologynas" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:07+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (zm)." 
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "12202" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "synologynas" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "12275" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:22+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "synologynas" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:22+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (alarm)." 
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["pid"] == "12275" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "synologynas" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:38+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172 user=root" +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["pid"] == "12387" +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["machine"] == "synologynas" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["pid"] == "12490" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:53+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["machine"] == "synologynas" 
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][8].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["pid"] == "12490" +results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:53+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (nx)." +results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][8].Evt.Meta["machine"] == "synologynas" +results["s00-raw"]["crowdsecurity/syslog-logs"][9].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:09+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Parsed["pid"] == "12556" +results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][9].Evt.Meta["machine"] == "synologynas" 
+results["s00-raw"]["crowdsecurity/syslog-logs"][10].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:09+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (k)." +results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["pid"] == "12556" +results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][10].Evt.Meta["machine"] == "synologynas" +results["s00-raw"]["crowdsecurity/syslog-logs"][11].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:23+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Parsed["pid"] == "12648" +results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][11].Evt.Meta["machine"] == "synologynas" +results["s00-raw"]["crowdsecurity/syslog-logs"][12].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (ftpuser)." 
+results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["pid"] == "12648" +results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:23+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Meta["machine"] == "synologynas" +results["s00-raw"]["crowdsecurity/syslog-logs"][12].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["pid"] == "12741" +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:38+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][13].Evt.Meta["machine"] == "synologynas" +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (cloudadmin)." 
+results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["pid"] == "12741" +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:38+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Meta["machine"] == "synologynas" +results["s00-raw"]["crowdsecurity/syslog-logs"][14].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][15].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["pid"] == "12823" +results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:53+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Meta["machine"] == "synologynas" +results["s00-raw"]["crowdsecurity/syslog-logs"][16].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Parsed["program"] == "sshd" +results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:55+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Parsed["message"] 
== "pam_syno_log_fail(sshd:auth): Can't get user uid (tc)." +results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Parsed["pid"] == "12823" +results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Meta["machine"] == "synologynas" +results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][17].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Parsed["message"] == "pushservice_update_ds_token.c:42 ERROR: setresuid(-1, 0, -1) [Operation not permitted]" +results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Parsed["pid"] == "24968" +results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Parsed["program"] == "ssnotifyd" +results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Parsed["timestamp8601"] == "2025-10-29T18:55:53+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Meta["machine"] == "synologynas" +results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][18].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Parsed["message"] == "pushservice_update_ds_token.c:42 ERROR: ENTERCriticalSection" +results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Parsed["pid"] == "24968" +results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Parsed["program"] == "ssnotifyd" +results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Parsed["timestamp8601"] == "2025-10-29T18:55:53+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Meta["datasource_path"] == 
"synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Meta["machine"] == "synologynas" +results["s00-raw"]["crowdsecurity/syslog-logs"][19].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Parsed["message"] == "pushservice_update_ds_token.c:42 ERROR: setresuid(-1, 0, -1) [Operation not permitted]" +results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Parsed["pid"] == "764" +results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Parsed["program"] == "synoscgi_SYNO.SurveillanceStation.Notification_1_GetRegisterToken" +results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Parsed["timestamp8601"] == "2025-11-05T18:19:42+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Meta["machine"] == "synologynas" +results["s00-raw"]["crowdsecurity/syslog-logs"][20].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Parsed["message"] == "pushservice_update_ds_token.c:42 ERROR: ENTERCriticalSection" +results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Parsed["pid"] == "764" +results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Parsed["program"] == "synoscgi_SYNO.SurveillanceStation.Notification_1_GetRegisterToken" +results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Parsed["timestamp8601"] == "2025-11-05T18:19:42+01:00" +results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Meta["datasource_type"] == "file" 
+results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Meta["machine"] == "synologynas" +len(results["s01-parse"]["crowdsecurity/sshd-logs"]) == 21 +results["s01-parse"]["crowdsecurity/sshd-logs"][0].Success == true +results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172 user=root" +results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["pid"] == "12031" +results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["program"] == "sshd" +results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["sshd_invalid_user"] == "root" +results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["timestamp8601"] == "2025-10-27T23:29:36+01:00" +results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["uid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["euid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["pam_type"] == "unix" +results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["service"] == "ssh" +results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["source_ip"] == "110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Meta["target_user"] == "root" +results["s01-parse"]["crowdsecurity/sshd-logs"][1].Success == true +results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["program"] == 
"sshd" +results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["sshd_invalid_user"] == "postgres" +results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172 user=postgres" +results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["pam_type"] == "unix" +results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["euid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["pid"] == "12099" +results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["timestamp8601"] == "2025-10-27T23:29:52+01:00" +results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Parsed["uid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["service"] == "ssh" +results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["source_ip"] == "110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["target_user"] == "postgres" +results["s01-parse"]["crowdsecurity/sshd-logs"][1].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s01-parse"]["crowdsecurity/sshd-logs"][2].Success == true +results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["pid"] == "12202" +results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:07+01:00" +results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["uid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["logsource"] == "syslog" 
+results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["program"] == "sshd" +results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["euid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Parsed["pam_type"] == "unix" +results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["service"] == "ssh" +results["s01-parse"]["crowdsecurity/sshd-logs"][2].Evt.Meta["source_ip"] == "110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][3].Success == true +results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["program"] == "sshd" +results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["sshd_invalid_user"] == "zm" +results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (zm)." 
+results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["pid"] == "12202" +results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:07+01:00" +results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Parsed["pam_type"] == "syno_log_fail" +results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["service"] == "ssh" +results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["target_user"] == "zm" +results["s01-parse"]["crowdsecurity/sshd-logs"][3].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s01-parse"]["crowdsecurity/sshd-logs"][4].Success == true +results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["pid"] == "12275" +results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["program"] == "sshd" +results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["euid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["pam_type"] == "unix" +results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:22+01:00" +results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["uid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["service"] == "ssh" +results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["source_ip"] == "110.235.67.172" 
+results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s01-parse"]["crowdsecurity/sshd-logs"][4].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/sshd-logs"][5].Success == true +results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["pam_type"] == "syno_log_fail" +results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (alarm)." +results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["pid"] == "12275" +results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["program"] == "sshd" +results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["sshd_invalid_user"] == "alarm" +results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:22+01:00" +results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["service"] == "ssh" +results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["target_user"] == "alarm" +results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/sshd-logs"][5].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s01-parse"]["crowdsecurity/sshd-logs"][6].Success == true +results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Parsed["pid"] == "12387" +results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:38+01:00" 
+results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Parsed["uid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Parsed["euid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172 user=root" +results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Parsed["pam_type"] == "unix" +results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Parsed["sshd_invalid_user"] == "root" +results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Parsed["program"] == "sshd" +results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["target_user"] == "root" +results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["service"] == "ssh" +results["s01-parse"]["crowdsecurity/sshd-logs"][6].Evt.Meta["source_ip"] == "110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][7].Success == true +results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Parsed["pid"] == "12490" +results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Parsed["euid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Parsed["pam_type"] == "unix" +results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Parsed["program"] == "sshd" 
+results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:53+01:00" +results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Parsed["uid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["service"] == "ssh" +results["s01-parse"]["crowdsecurity/sshd-logs"][7].Evt.Meta["source_ip"] == "110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][8].Success == true +results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Parsed["program"] == "sshd" +results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:53+01:00" +results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (nx)." 
+results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Parsed["pam_type"] == "syno_log_fail" +results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Parsed["pid"] == "12490" +results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Parsed["sshd_invalid_user"] == "nx" +results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Meta["service"] == "ssh" +results["s01-parse"]["crowdsecurity/sshd-logs"][8].Evt.Meta["target_user"] == "nx" +results["s01-parse"]["crowdsecurity/sshd-logs"][9].Success == true +results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:09+01:00" +results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Parsed["uid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Parsed["euid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Parsed["pid"] == "12556" +results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Parsed["program"] == "sshd" +results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Parsed["pam_type"] == "unix" +results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["datasource_type"] == "file" 
+results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["service"] == "ssh" +results["s01-parse"]["crowdsecurity/sshd-logs"][9].Evt.Meta["source_ip"] == "110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][10].Success == true +results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Parsed["program"] == "sshd" +results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Parsed["sshd_invalid_user"] == "k" +results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Parsed["pam_type"] == "syno_log_fail" +results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Parsed["pid"] == "12556" +results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:09+01:00" +results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (k)." 
+results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Meta["service"] == "ssh" +results["s01-parse"]["crowdsecurity/sshd-logs"][10].Evt.Meta["target_user"] == "k" +results["s01-parse"]["crowdsecurity/sshd-logs"][11].Success == true +results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Parsed["euid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:23+01:00" +results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Parsed["pam_type"] == "unix" +results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Parsed["pid"] == "12648" +results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Parsed["program"] == "sshd" +results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Parsed["uid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Meta["service"] == "ssh" +results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Meta["source_ip"] == "110.235.67.172" 
+results["s01-parse"]["crowdsecurity/sshd-logs"][11].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s01-parse"]["crowdsecurity/sshd-logs"][12].Success == true +results["s01-parse"]["crowdsecurity/sshd-logs"][12].Evt.Parsed["pid"] == "12648" +results["s01-parse"]["crowdsecurity/sshd-logs"][12].Evt.Parsed["sshd_invalid_user"] == "ftpuser" +results["s01-parse"]["crowdsecurity/sshd-logs"][12].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/sshd-logs"][12].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (ftpuser)." +results["s01-parse"]["crowdsecurity/sshd-logs"][12].Evt.Parsed["pam_type"] == "syno_log_fail" +results["s01-parse"]["crowdsecurity/sshd-logs"][12].Evt.Parsed["program"] == "sshd" +results["s01-parse"]["crowdsecurity/sshd-logs"][12].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:23+01:00" +results["s01-parse"]["crowdsecurity/sshd-logs"][12].Evt.Meta["target_user"] == "ftpuser" +results["s01-parse"]["crowdsecurity/sshd-logs"][12].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s01-parse"]["crowdsecurity/sshd-logs"][12].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/sshd-logs"][12].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s01-parse"]["crowdsecurity/sshd-logs"][12].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/sshd-logs"][12].Evt.Meta["service"] == "ssh" +results["s01-parse"]["crowdsecurity/sshd-logs"][13].Success == true +results["s01-parse"]["crowdsecurity/sshd-logs"][13].Evt.Parsed["euid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][13].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/sshd-logs"][13].Evt.Parsed["pid"] == "12741" +results["s01-parse"]["crowdsecurity/sshd-logs"][13].Evt.Parsed["program"] == "sshd" +results["s01-parse"]["crowdsecurity/sshd-logs"][13].Evt.Parsed["uid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][13].Evt.Parsed["message"] == 
"pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][13].Evt.Parsed["pam_type"] == "unix" +results["s01-parse"]["crowdsecurity/sshd-logs"][13].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][13].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:38+01:00" +results["s01-parse"]["crowdsecurity/sshd-logs"][13].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/sshd-logs"][13].Evt.Meta["service"] == "ssh" +results["s01-parse"]["crowdsecurity/sshd-logs"][13].Evt.Meta["source_ip"] == "110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][13].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s01-parse"]["crowdsecurity/sshd-logs"][13].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/sshd-logs"][13].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s01-parse"]["crowdsecurity/sshd-logs"][14].Success == true +results["s01-parse"]["crowdsecurity/sshd-logs"][14].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:38+01:00" +results["s01-parse"]["crowdsecurity/sshd-logs"][14].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/sshd-logs"][14].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (cloudadmin)." 
+results["s01-parse"]["crowdsecurity/sshd-logs"][14].Evt.Parsed["pid"] == "12741" +results["s01-parse"]["crowdsecurity/sshd-logs"][14].Evt.Parsed["program"] == "sshd" +results["s01-parse"]["crowdsecurity/sshd-logs"][14].Evt.Parsed["sshd_invalid_user"] == "cloudadmin" +results["s01-parse"]["crowdsecurity/sshd-logs"][14].Evt.Parsed["pam_type"] == "syno_log_fail" +results["s01-parse"]["crowdsecurity/sshd-logs"][14].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/sshd-logs"][14].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s01-parse"]["crowdsecurity/sshd-logs"][14].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/sshd-logs"][14].Evt.Meta["service"] == "ssh" +results["s01-parse"]["crowdsecurity/sshd-logs"][14].Evt.Meta["target_user"] == "cloudadmin" +results["s01-parse"]["crowdsecurity/sshd-logs"][14].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s01-parse"]["crowdsecurity/sshd-logs"][15].Success == true +results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Parsed["pam_type"] == "unix" +results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Parsed["pid"] == "12823" +results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Parsed["program"] == "sshd" +results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Parsed["uid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:53+01:00" +results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Parsed["euid"] == "0" +results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" 
+results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Meta["service"] == "ssh" +results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Meta["source_ip"] == "110.235.67.172" +results["s01-parse"]["crowdsecurity/sshd-logs"][16].Success == true +results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Parsed["sshd_invalid_user"] == "tc" +results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:55+01:00" +results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Parsed["pam_type"] == "syno_log_fail" +results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Parsed["pid"] == "12823" +results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Parsed["program"] == "sshd" +results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (tc)." 
+results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Meta["machine"] == "synologynas" +results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Meta["service"] == "ssh" +results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Meta["target_user"] == "tc" +results["s01-parse"]["crowdsecurity/sshd-logs"][17].Success == false +results["s01-parse"]["crowdsecurity/sshd-logs"][18].Success == false +results["s01-parse"]["crowdsecurity/sshd-logs"][19].Success == false +results["s01-parse"]["crowdsecurity/sshd-logs"][20].Success == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 17 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172 user=root" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pam_type"] == "unix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "12031" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp8601"] == "2025-10-27T23:29:36+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["euid"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["uid"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["sshd_invalid_user"] == "root" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "sshd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "ssh" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "root" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-10-27T23:29:36+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "synologynas" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-10-27T23:29:36+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "12099" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "sshd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["sshd_invalid_user"] == "postgres" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172 user=postgres" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pam_type"] == "unix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp8601"] == "2025-10-27T23:29:52+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["uid"] == "0" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["euid"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "synologynas" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "ssh" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["target_user"] == "postgres" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-10-27T23:29:52+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-10-27T23:29:52+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["uid"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "12202" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "sshd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:07+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["euid"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "pam_unix(sshd:auth): 
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pam_type"] == "unix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "ssh" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2025-10-27T23:30:07+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "synologynas" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2025-10-27T23:30:07+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (zm)." 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "sshd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:07+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["sshd_invalid_user"] == "zm" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pam_type"] == "syno_log_fail" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pid"] == "12202" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "synologynas" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "ssh" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["target_user"] == "zm" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2025-10-27T23:30:07+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2025-10-27T23:30:07+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "sshd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["uid"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["euid"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pam_type"] == "unix" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pid"] == "12275" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:22+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "synologynas" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "ssh" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2025-10-27T23:30:22+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2025-10-27T23:30:22+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pid"] == "12275" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:22+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (alarm)." 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pam_type"] == "syno_log_fail" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "sshd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["sshd_invalid_user"] == "alarm" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "ssh" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["target_user"] == "alarm" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2025-10-27T23:30:22+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["machine"] == "synologynas" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2025-10-27T23:30:22+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["euid"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172 user=root" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["pam_type"] == "unix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "sshd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["uid"] == "0" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["pid"] == "12387" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["sshd_invalid_user"] == "root" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:38+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2025-10-27T23:30:38+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["machine"] == "synologynas" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "ssh" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["target_user"] == "root" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2025-10-27T23:30:38+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:53+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["uid"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["pam_type"] == "unix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["pid"] == 
"12490" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "sshd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["euid"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["machine"] == "synologynas" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "ssh" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2025-10-27T23:30:53+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2025-10-27T23:30:53+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["sshd_invalid_user"] == "nx" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["timestamp8601"] == "2025-10-27T23:30:53+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["pid"] == "12490" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["program"] == "sshd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (nx)." 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Parsed["pam_type"] == "syno_log_fail" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["service"] == "ssh" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["target_user"] == "nx" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["timestamp"] == "2025-10-27T23:30:53+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Meta["machine"] == "synologynas" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][8].Evt.Enriched["MarshaledTime"] == "2025-10-27T23:30:53+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:09+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["uid"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["pam_type"] == "unix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["pid"] == "12556" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["program"] == "sshd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["euid"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["timestamp"] == "2025-10-27T23:31:09+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["machine"] == "synologynas" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["service"] == "ssh" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Meta["source_ip"] == "110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][9].Evt.Enriched["MarshaledTime"] == "2025-10-27T23:31:09+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["pam_type"] == "syno_log_fail" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (k)." 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["pid"] == "12556" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["program"] == "sshd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["sshd_invalid_user"] == "k" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:09+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["machine"] == "synologynas" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["service"] == "ssh" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["target_user"] == "k" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Meta["timestamp"] == "2025-10-27T23:31:09+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][10].Evt.Enriched["MarshaledTime"] == "2025-10-27T23:31:09+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["pid"] == "12648" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["uid"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:23+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["euid"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["message"] == 
"pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["pam_type"] == "unix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["program"] == "sshd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["timestamp"] == "2025-10-27T23:31:23+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["machine"] == "synologynas" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["service"] == "ssh" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Meta["source_ip"] == "110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][11].Evt.Enriched["MarshaledTime"] == "2025-10-27T23:31:23+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (ftpuser)." 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["pid"] == "12648" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["program"] == "sshd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:23+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["pam_type"] == "syno_log_fail" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Parsed["sshd_invalid_user"] == "ftpuser" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["machine"] == "synologynas" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["service"] == "ssh" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["target_user"] == "ftpuser" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["timestamp"] == "2025-10-27T23:31:23+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][12].Evt.Enriched["MarshaledTime"] == "2025-10-27T23:31:23+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["uid"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["pam_type"] == "unix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["pid"] == "12741" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["program"] == "sshd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["euid"] == "0" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:38+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["service"] == "ssh" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["source_ip"] == "110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["timestamp"] == "2025-10-27T23:31:38+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Meta["machine"] == "synologynas" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][13].Evt.Enriched["MarshaledTime"] == "2025-10-27T23:31:38+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (cloudadmin)." 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["pam_type"] == "syno_log_fail" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["pid"] == "12741" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["sshd_invalid_user"] == "cloudadmin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:38+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Parsed["program"] == "sshd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["machine"] == "synologynas" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["service"] == "ssh" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["target_user"] == "cloudadmin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["timestamp"] == "2025-10-27T23:31:38+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][14].Evt.Enriched["MarshaledTime"] == "2025-10-27T23:31:38+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["pam_type"] == "unix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["pid"] == "12823" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["program"] == "sshd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["sshd_client_ip"] == "110.235.67.172" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["euid"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["message"] == "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:53+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["uid"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["service"] == "ssh" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["source_ip"] == "110.235.67.172" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["timestamp"] == "2025-10-27T23:31:53+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Meta["machine"] == "synologynas" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][15].Evt.Enriched["MarshaledTime"] == "2025-10-27T23:31:53+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["pid"] == "12823" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["program"] == "sshd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["sshd_invalid_user"] == "tc" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["pam_type"] == "syno_log_fail" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["message"] == "pam_syno_log_fail(sshd:auth): Can't get user uid (tc)." +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Parsed["timestamp8601"] == "2025-10-27T23:31:55+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["datasource_path"] == "synology-dsm-ssh-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["log_type"] == "ssh_failed-auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["machine"] == "synologynas" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["service"] == "ssh" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["target_user"] == "tc" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Meta["timestamp"] == "2025-10-27T23:31:55+01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][16].Evt.Enriched["MarshaledTime"] == "2025-10-27T23:31:55+01:00" +len(results["success"][""]) == 0 diff --git a/.tests/synology-dsm-ssh-bf/scenario.assert b/.tests/synology-dsm-ssh-bf/scenario.assert new file mode 100644 index 00000000000..54d6a9db664 --- /dev/null +++ b/.tests/synology-dsm-ssh-bf/scenario.assert @@ -0,0 +1 @@ +len(results) == 0 \ No newline at end of file diff --git a/.tests/synology-dsm-ssh-bf/synology-dsm-ssh-bf.log b/.tests/synology-dsm-ssh-bf/synology-dsm-ssh-bf.log new file mode 100644 index 00000000000..52b3b6b46fb --- /dev/null +++ b/.tests/synology-dsm-ssh-bf/synology-dsm-ssh-bf.log 
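Review bot: `len(results) == 0` in `.tests/synology-dsm-ssh-bf/scenario.assert` asserts that the scenario stage raises nothing, so this test checks parsing only, despite its `-bf` name. It would still pass if brute-force detection on these Synology lines stopped working. The fixture added with it spaces the `pam_unix(sshd:auth)` failures roughly 15 seconds apart, which may be why no bucket overflows; that depends on the scenarios the test config loads, which are not shown in this diff. If detection is meant to be covered, use a fixture that makes the intended scenario overflow and assert on the alert's scenario name and source IP instead of `len(results) == 0`.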
@@ -0,0 +1,21 @@
+2025-10-27T23:29:36+01:00 synologynas sshd[12031]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172 user=root
+2025-10-27T23:29:52+01:00 synologynas sshd[12099]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172 user=postgres
+2025-10-27T23:30:07+01:00 synologynas sshd[12202]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172
+2025-10-27T23:30:07+01:00 synologynas sshd[12202]: pam_syno_log_fail(sshd:auth): Can't get user uid (zm).
+2025-10-27T23:30:22+01:00 synologynas sshd[12275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172
+2025-10-27T23:30:22+01:00 synologynas sshd[12275]: pam_syno_log_fail(sshd:auth): Can't get user uid (alarm).
+2025-10-27T23:30:38+01:00 synologynas sshd[12387]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172 user=root
+2025-10-27T23:30:53+01:00 synologynas sshd[12490]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172
+2025-10-27T23:30:53+01:00 synologynas sshd[12490]: pam_syno_log_fail(sshd:auth): Can't get user uid (nx).
+2025-10-27T23:31:09+01:00 synologynas sshd[12556]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172
+2025-10-27T23:31:09+01:00 synologynas sshd[12556]: pam_syno_log_fail(sshd:auth): Can't get user uid (k).
+2025-10-27T23:31:23+01:00 synologynas sshd[12648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172
+2025-10-27T23:31:23+01:00 synologynas sshd[12648]: pam_syno_log_fail(sshd:auth): Can't get user uid (ftpuser).
+2025-10-27T23:31:38+01:00 synologynas sshd[12741]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172
+2025-10-27T23:31:38+01:00 synologynas sshd[12741]: pam_syno_log_fail(sshd:auth): Can't get user uid (cloudadmin).
+2025-10-27T23:31:53+01:00 synologynas sshd[12823]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.235.67.172
+2025-10-27T23:31:55+01:00 synologynas sshd[12823]: pam_syno_log_fail(sshd:auth): Can't get user uid (tc).
+2025-10-29T18:55:53+01:00 synologynas ssnotifyd[24968]: pushservice_update_ds_token.c:42 ERROR: setresuid(-1, 0, -1) [Operation not permitted]
+2025-10-29T18:55:53+01:00 synologynas ssnotifyd[24968]: pushservice_update_ds_token.c:42 ERROR: ENTERCriticalSection
+2025-11-05T18:19:42+01:00 synologynas synoscgi_SYNO.SurveillanceStation.Notification_1_GetRegisterToken[764]: pushservice_update_ds_token.c:42 ERROR: setresuid(-1, 0, -1) [Operation not permitted]
+2025-11-05T18:19:42+01:00 synologynas synoscgi_SYNO.SurveillanceStation.Notification_1_GetRegisterToken[764]: pushservice_update_ds_token.c:42 ERROR: ENTERCriticalSection
diff --git a/parsers/s01-parse/crowdsecurity/sshd-logs.yaml b/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
index 986a7b58563..09e5878a344 100644
--- a/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
@@ -11,6 +11,7 @@ pattern_syntax: SSHD_AUTH_FAIL: 'pam_%{DATA:pam_type}\(sshd:auth\): authentication failure; logname= uid=%{NUMBER:uid}? euid=%{NUMBER:euid}? tty=ssh ruser= rhost=%{IP_WORKAROUND:sshd_client_ip}( %{SPACE}user=%{USERNAME:sshd_invalid_user})?' SSHD_MAGIC_VALUE_FAILED: 'Magic value check failed \(\d+\) on obfuscated handshake from %{IP_WORKAROUND:sshd_client_ip} port \d+' SSHD_INVALID_USER: 'Invalid user\s*%{USERNAME:sshd_invalid_user}? from %{IP_WORKAROUND:sshd_client_ip}( port \d+)?' + SSHD_INVALID_USER_SYNO: 'pam_%{DATA:pam_type}\(sshd:auth\): Can.t get user uid \(%{USERNAME:sshd_invalid_user}\)' SSHD_INVALID_USER_ALT: 'Failed keyboard-interactive/pam for invalid user %{USERNAME:sshd_invalid_user} from %{IP_WORKAROUND:sshd_client_ip}( port \d+)?' SSHD_INVALID_BANNER: 'banner exchange: Connection from %{IP_WORKAROUND:sshd_client_ip} port \d+: invalid format' SSHD_PREAUTH_AUTHENTICATING_USER: 'Connection (closed|reset) by( (authenticating|invalid) user %{USERNAME:sshd_invalid_user})? %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]' @@ -61,6 +62,14 @@ nodes: value: ssh_failed-auth - meta: target_user expression: "evt.Parsed.sshd_invalid_user" + - grok: + name: "SSHD_INVALID_USER_SYNO" + apply_on: message + statics: + - meta: log_type + value: ssh_failed-auth + - meta: target_user + expression: "evt.Parsed.sshd_invalid_user" - grok: name: "SSHD_INVALID_USER_ALT" apply_on: message diff --git a/parsers/s01-parse/crowdsecurity/synology-dsm-logs.yaml b/parsers/s01-parse/crowdsecurity/synology-dsm-logs.yaml index d46e3bb52dc..7641111ba52 100644 --- a/parsers/s01-parse/crowdsecurity/synology-dsm-logs.yaml +++ b/parsers/s01-parse/crowdsecurity/synology-dsm-logs.yaml 
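Review bot: `SSHD_INVALID_USER_SYNO` captures no `sshd_client_ip`, yet the node added in the second hunk tags the event `ssh_failed-auth`, so these events carry a `target_user` and no `source_ip`, as the new assertions for the `pam_syno_log_fail` lines show. The address and the user name of one failed login therefore sit on two separate events linked only by pid and timestamp, and a scenario that groups on `source_ip` and counts distinct `target_user` will presumably never see the name; the scenarios are not part of this diff, so this needs checking. At minimum add a comment above the pattern, `# Synology DSM: no rhost on this line; the peer address is on the pam_unix line with the same pid`, and consider whether a separate `log_type` is safer than reusing `ssh_failed-auth`. `Can.t` also accepts any character in place of the apostrophe; `Can''t` is the literal form inside a single-quoted YAML scalar. The enclosing `pattern_syntax:` map and `nodes:` list both start and end outside these hunks.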
@@ -11,7 +11,7 @@ pattern_syntax: # https://github.com/crowdsecurity/crowdsec/issues/938 IPv4_WORKAROUND: '(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' IP_WORKAROUND: '(?:%{IPV6}|%{IPv4_WORKAROUND})' - AUTH_LOG_FAIL: 'pam_unix\(webui:auth\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=%{IP_WORKAROUND:src_ip}' + AUTH_LOG_FAIL: 'pam_unix\(webui:auth\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=%{IP_WORKAROUND:src_ip}(\s+user=%{USERNAME:sshd_invalid_user})?' grok: pattern: "%{AUTH_LOG_FAIL}" apply_on: message
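Review bot: The optional group added to `AUTH_LOG_FAIL` stores the DSM web-UI account under `sshd_invalid_user`, which is misleading twice over: the line is `pam_unix(webui:auth)`, not sshd, and in the SSH fixture of this same diff `user=` appears only on attempts with no `Can't get user uid` follow-up, which suggests it marks accounts that exist. A neutral capture such as `(\s+user=%{USERNAME:target_user})?` would not mislead a later scenario author. The statics that would copy the capture into `evt.Meta` are outside the hunk, so whether the value reaches scenarios cannot be confirmed from here; if it does not, a one-line comment saying why the capture exists would help. Because the group is optional and the pattern is unanchored, a `user=` value with characters outside `USERNAME` (a domain-qualified account, for instance) is truncated or skipped silently rather than failing the match.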