Date: 2024-03-06

The grouping-by() parser of syslog-ng arrived in version 3.8, which means that all currently available syslog-ng versions should support it, except for the official SLES 12 and EPEL 7 packages.

You also need patterns (XML files describing the content of log messages) to parse sshd log messages. These are available in the syslog-ng example patterns project from 2010: https://github.com/balabit/syslog-ng-patterndb/tree/master/access

The project is over a decade old, but it still works as expected.