How do I make sec ignore a timestamp properly

Well, after almost a day of hair pulling, I finally understand a) how to do it and b) a misconception I had about sec.

In reading the sec man page, it describes desc= as essentially showing the match. So in my mind, that meant it should show whatever was matched in pattern. Well, yes, that is true; in this case the match in that pattern is the hostname, rhost, and user.

So when I'm doing desc=Login Failure: $0, I'm keying off the entire line. That's bad.

So instead I changed it to key off the username and hostname, which then causes it to adhere to the window=300 rule since the timestamp (entire line) wasn't changing; aka, the following rundown:

/etc/sec/rules.d/ssh.sec

type=SingleWithSuppress
ptype=regexp
pattern=(\S+) sshd\[\d+\]: PAM \d+ more authentication failures\; logname=.* uid=.* euid=.* tty=ssh ruser=.* rhost=(.*) user=(.*)
desc=Login Failure: $3@$1
action=pipe '%s $0' /bin/mail -s "Login Failure: $3@$1" [email protected]
window=300

Error Line

Nov 21 01:58:10 test.test.com sshd[26846]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=test.test.com user=kloggins

It will notice the user kloggins@test.test.com and will not report on it unless it happens again after 300 seconds, because it keyed off kloggins@test.test.com.

I've tested it several times now, it's a 'werkin.
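A small simulation of the SingleWithSuppress behaviour described above, added here as an example (it is not part of the original post and not SEC's own code). It replays constructed log lines, modelled on the error line above, through both desc= choices to show why keying on $0 defeats the 300 second window; the timestamp parsing assumes a single year and the pattern is the rule's regex in Python syntax.

```python
import re
from datetime import datetime

# The rule's pattern in Python regex syntax (SEC's "\;" is just ";").
PATTERN = re.compile(
    r"(\S+) sshd\[\d+\]: PAM \d+ more authentication failures; "
    r"logname=.* uid=.* euid=.* tty=ssh ruser=.* rhost=(.*) user=(.*)"
)
WINDOW = 300  # seconds, as in window=300


def event_time(line):
    """Seconds for the syslog timestamp at the start of the line
    (constructed helper; assumes all lines fall in the same year)."""
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return (ts - datetime(1900, 1, 1)).total_seconds()


def single_with_suppress(lines, desc_template):
    """Model SEC's SingleWithSuppress: the expanded desc= is the
    correlation key; act on the first event for a key, then ignore
    that key until its window expires. Returns the keys acted on."""
    expiry = {}   # key -> time its suppression window ends
    actions = []
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue
        groups = (line,) + m.groups()   # $0 is the whole line, $1.. the captures
        key = re.sub(r"\$(\d)", lambda g: groups[int(g.group(1))], desc_template)
        now = event_time(line)
        if key in expiry and now < expiry[key]:
            continue                    # inside the window: suppressed
        expiry[key] = now + WINDOW
        actions.append(key)
    return actions


def _line(ts, user, pid):
    return (f"{ts} test.test.com sshd[{pid}]: PAM 2 more authentication failures; "
            f"logname= uid=0 euid=0 tty=ssh ruser= rhost=test.test.com user={user}")


SAMPLE_LOG = [  # constructed sample input
    _line("Nov 21 01:58:10", "kloggins", 26846),
    _line("Nov 21 01:58:40", "bob", 26851),       # different key, alerts on its own
    _line("Nov 21 01:59:30", "kloggins", 26870),  # suppressed
    _line("Nov 21 02:02:45", "kloggins", 26902),  # still inside the first window
    _line("Nov 21 02:04:00", "kloggins", 26944),  # window expired: alerts again
]

if __name__ == "__main__":
    print(single_with_suppress(SAMPLE_LOG, "Login Failure: $3@$1"))  # 3 alerts
    print(len(single_with_suppress(SAMPLE_LOG, "Login Failure: $0")))  # 5 alerts
```

Keyed on $0, every line carries its own timestamp, so every line is a fresh key and nothing is ever suppressed; keyed on $3@$1, repeats inside the window collapse into one alert per user and host.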