Solaris

I had trouble initially compiling logsurfer, but wrote the developer and he said there was a change made that affected Solaris, so I got that fixed. I then looked for examples and found a config file I could use for ssh. I sent things up and was email on a failed ssh attempt. The trouble is, I don't understand the makeup of the config file. Does anyone know of an explained example or something that explains the config file in greater detail? Here is what I have minus the actual IP addresses:

pr 24 15:24:05 appoc4 sshd[25301]: [ID 800047 auth.info] Did not receive identification string from 199.123.122.70 Apr 24 15:24:05 appoc4 rsh[25303]: [ID 521673 daemon.notice] connection from noscdb.ism.army.mil (X.X.X.X) - bad port Apr 24 15:24:05 appoc4 rlogind[25304]: [ID 846982 daemon.notice] connection from [removed machine name](X.X.X.X) - bad port

From this I was able to turn off the "r" commands, but I thought I was only looking for ssh:
###
### ssh daemons
### $Id: ssh.txt,v 1.1 2002/03/09 18:26:23 emf Exp $
###

###
### SSH
###
'.* sshd\[.* Generating new .* key.*' - - - 0 ignore
'.* sshd\[.* key generation complete.*' - - - 0 ignore
'.* sshd\[.* error: accept: Connection reset by peer' - - - 0 ignore
'.* sshd\[.* Warning:.* keysize mismatch: actual 1023 vs. announced 1024.' - - - 0 ignore
'^.{16,}(.*) sshd\[.* (Accepted|Postponed) (.*) for (.*) from (.*) port (.*).*' - - - 0 ignore
'^.{16,}(.*) sshd\[.* log: Connection from (.*) port (.*)' - - - 0 ignore
'^.{16,}(.*) sshd\[.* log: RSA authentication for (.*) accepted.*' - - - 0 ignore
'^.{16,}(.*) sshd\[.* Setting tty modes failed: Invalid argument.*' - - - 0 ignore
'^.{15,} (.*) sshd\[.* log: Could not reverse map address (.*)' - - - 0 ignore
'^.{15,} (.*) sshd\[.* log: (Closing connection to|Connection closed by) (.*)' - - - 0 ignore
'^.{15,} (.*) sshd\[.* Did not receive (ident|identification) string from (.*)' - - - 0
open "$4" - 5000 1800 90
report "/usr/local/bin/surfmailer -r sa-team -S \"security incident from $4\"" "$4"
'^.{15,} (.*) sshd\[.* Bad protocol version identification .* from (.*)' - - - 0
open "$3" - 5000 1800 90
report "/usr/local/bin/surfmailer -r sa-team -S \"security incident from $3\"" "$3"
'^.{15,} (.*) sshd\[.* scanned from (.*) with SSH-1.0-SSH_Version_Mapper' - - - 0
open "$3" - 5000 1800 90
report "/usr/local/bin/surfmailer -r sa-team -S \"security incident from $3\" (scanssh)" "$3"
'^.{15,} (.*) sshd\[.* Disconnecting: Corrupted check bytes on input.' - - - 0
open "$2" - 100 1800 90
report "/usr/local/bin/surfmailer -r sa-team -S \"Possible SSH Attack in progress against $2\"" "$2"
'^.{15,} (.*) sshd\[(.*)\]: Failed password for (.*) from (.*) port .*' - - - 0
open "$2 sshd:\\[$3\\]:" - 5000 10800 300
report "/usr/local/bin/surfmailer -r sa-team -S \"SSH LOGIN FAILED for $4@$2 from $5\"" "$2 sshd:\\[$3\\]:"