In this attack:
2018-06-26 13:22:02.108781500 Failed password for woold from 10.10.10.76 port 34718 ssh2
SYSLOG_BANNER eats up "2018-06-26 13:22:02.108781500 Failed " and prevents the rest of the message from being recognized as an attack.
Similar issue in
#89, where SYSLOG_BANNER eats up "2018-06-03 13:16:08 SMTP " instead of just the timestamp.
The SYSLOG_BANNER token in the lexer needs to be split up and some parts of the grammar moved to the parser.