(monitor "ssh_syslog"
    (udp "127.0.0.1:20000" "127.0.0.1:30000") ; file <path> |  syslog <src ip:port> <dst ip:port>
    (logformat "syslog") 
    (filter "sshd" 
	    (search-window 600) 
	    (retry 0u)   
	    (score 30u) 
	    (bantime 60) 
	    (ignore-hosts '("192.168.1.0/24" "10.8.0.0/24"))
	    (use "all") ; override use
	    (action "pf")
        (override-actions #t)
    )
)