__Startup messages__
.* is missing .* redirect, sshdfilter rendered useless.
.* is missing .* chain, sshdfilter rendered useless.
sshdfilter .* starting up, running sshd proper.
sshdfilter .* starting up.
Flushing .* chain

__Error startup messages__
couldn't run .*
cannot fork: .*
ran sshd and waited one second, it died and said: status=.* error=.*

__DEBUG messages__
# Notice they all start with DB:
DB:OPTIONS
DB: repurgetime=[0-9]+
DB: maxblocktime=[0-9]+
DB: maxchances=[0-9]+
DB: iptablesoptions=
DB: sshdpath=
DB: sshdname=
DB: logpid=
DB: ip6toip4=
DB: iptables command=
DB: iptables chain=
DB: debug=
DB: logsource=
DB: sshd args=
DB: sanitise=
DB: mail=
DB:USER POLICY entries=[0-9]+
DB: [0-9]+, [0-9]+, [0-9]+, .+
DB:IP POLICY entries=[0-9]+
DB: [0-9]+, action=[0-9]+, re=.+
DB:EMAIL POLICY entries=[0-9]+
DB: [0-9]+, action=[0-9]+, re=.+
DB: msg_pid_2_ip\[[0-9]+\]=.*
DB: map_pid_2_ip\[[0-9]+\]=.*
DB: msg_pid_exit\[[0-9]+\]=.*
DB: map_pid_exit\[[0-9]+\]=.*
DB: msg_invalid\[[0-9]+\]=.+
DB: map_invalid\[[0-9]+\]=.+
DB: msg_failed_valid\[[0-9]+\]=.+
DB: map_failed_valid\[[0-9]+\]=.+
DB: msg_accepted_user\[[0-9]+\]=.+
DB: map_accepted_user\[[0-9]+\]=.+
DB: msg_no_id_string\[[0-9]+\]=.+
DB: map_no_id_string\[[0-9]+\]=.+
DB: msg_quit\[[0-9]+\]=.+
DB: map_quit\[[0-9]+\]=.+


__General error messages__

system\(\".*\"\); failed: .*
Suggest trying the same command in a shell.
sshdfilter couldn't email block event

__DEBUG error messages__
DB:pre mail command is .*
DB:post mail command is .*

__DEBUG general runtime messages__
DB:u2m: un=.*, ev=.*, idx=[0-9]+, userre=.*
DB:Aline=.*
DB:INVALID: ip black listed, [0-9a-fA-F:\.]+
DB:INVALID: dirty=[0-9]+ user=.*, ip=[0-9a-fA-F:\.]+
DB:NOID: ip black listed, [0-9a-fA-F:\.]+
DB:NOID: ip=[0-9a-fA-F:\.]+
DB:FAILVAL: ip black listed user=.*, ip=[0-9a-fA-F:\.]+
DB:FAILVAL: user=.*, ip=[0-9a-fA-F:\.]+
DB:ACCEPT: user=.*, ip=[0-9a-fA-F:\.]+
DB:QUIT: signal=.*
DB:PID2IP: pid=[0-9]+, ip=[0-9a-fA-F:\.]+
DB:PIDEXIT: pid=[0-9]+, stored ip=[0-9a-fA-F:\.]+

__General event messages__ 
# The ones that are counted and summarised, you might want to categorise these
# to reduce the types. Not sure what categories to use.
Cancelled .* block from [0-9a-fA-F:\.]+ 
Illegal username from white listed ip [0-9a-fA-F:\.]+, user .*
Illegal user name from black listed ip, instant block of [0-9a-fA-F:\.]+
Illegal user name, blocking after [0-9]+ chances
No ssh id from black listed ip, instant block of [0-9a-fA-F:\.]+
No ssh id string from client, blocking after [0-9]+ chances
Failure from valid user on a black listed ip, instant block of [0-9a-fA-F:\.]+
Valid user failed, blocking after [0-9]+ chances
sshd received signal .*, closing sshdfilter
Illegal user name, blocking [0-9a-fA-F:\.]+ after [0-9]+ chances
Chanced illegal user name from [0-9a-fA-F:\.]+, [0-9]+ guesses out of [0-9]+
No ssh id from white listed ip [0-9a-fA-F:\.]+, user .*
No ssh id string from client, blocking [0-9a-fA-F:\.]+ after [0-9]+ chances
Chanced missing ssh id string from [0-9a-fA-F:\.]+, [0-9]+ guesses out of [0-9]+
Failure from valid user from white listed ip [0-9a-fA-F:\.]+, user .*
Valid user failed, blocking [0-9a-fA-F:\.]+ after [0-9]+ chances
Chanced valid user name from [0-9a-fA-F:\.]+, [0-9]+ guesses out of [0-9]+
Valid login, cancelled .* block from [0-9a-fA-F:\.]+

__Shutdown messages__
sshd quit, closing sshdfilter
closing sshdfilter

