I noticed some unusual activity on my webserver recently, and tracked it down to brute-force attempts on WordPress installs. I did a little searching and found wp-fail2ban. Without too much tweaking of rsyslog, I got the auth messages to my firewall, where I set about getting fail2ban to monitor for login attempts. I was using the supplied wordpress.conf file that came with the plugin, but it was failing to match the regex due to the 32-character limitation of the syslog tag. Essentially a tag that should be of the form
wordpress(www.example.com)[12345]
would sometimes be truncated to
wordpress(www.longdomainname.com
This would cause a failure of the regex. So if you have long domain names, you may need to modify the wordpress.conf. In my case, I just removed
^%(__prefix_line)
from the beginning of the regex.
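
The following Python example is an added illustration, not code from this post or from the wp-fail2ban plugin. It models the 32-character tag cut and compares a strict prefix, a prefix that tolerates a cut tag, and no prefix at all. The prefix patterns are simplified stand-ins for fail2ban's __prefix_line, and the message wording, the host name fw, the way the tag is cut, and the sample sites and addresses are assumptions constructed for the example.

```python
import re

TAG_LIMIT = 32  # syslog tag length limit described in the post

def forwarded_line(site, pid, msg, host="fw"):
    """Build a log line as the filter sees it (timestamp already stripped).
    Assumed model: the forwarder keeps only the first 32 chars of "tag:"."""
    tag = f"wordpress({site})[{pid}]:"[:TAG_LIMIT]
    return f"{host} {tag} {msg}"

# Message part (assumed wording); the named group stands in for <HOST>.
MESSAGE = r"Authentication failure for .* from (?P<host>\d{1,3}(?:\.\d{1,3}){3})$"

# Simplified stand-in for a strict prefix: complete "(site)[pid]" required.
STRICT = r"^\S+ wordpress\([^)\s]+\)\[\d+\]:? " + MESSAGE

# Still anchored on the wordpress tag, but ")" and "[pid]" are optional,
# so a tag cut at 32 characters keeps matching.
TOLERANT = r"^\S+ wordpress\([^)\s]*(?:\)(?:\[\d*\]?)?)?:? " + MESSAGE

# Prefix removed entirely: matches the message wherever it appears,
# including lines written by a different program.
UNANCHORED = MESSAGE

def matched_host(pattern, line):
    """Return the address the pattern would hand to fail2ban, or None."""
    m = re.search(pattern, line)
    return m.group("host") if m else None

# Constructed sample lines (documentation address ranges).
MSG = "Authentication failure for admin from 203.0.113.7"
SHORT = forwarded_line("example.org", 12345, MSG)               # tag intact
LONG = forwarded_line("www.longdomainname.com", 12345, MSG)     # cut after site
CUT_PID = forwarded_line("shop.example.com", 12345, MSG)        # cut inside [pid]
OTHER = "fw otherd[999]: Authentication failure for root from 198.51.100.9"

if __name__ == "__main__":
    samples = [("short", SHORT), ("long", LONG),
               ("cut-pid", CUT_PID), ("other", OTHER)]
    for name, line in samples:
        print(name,
              "strict:", matched_host(STRICT, line),
              "tolerant:", matched_host(TOLERANT, line),
              "unanchored:", matched_host(UNANCHORED, line))
```

The tolerant pattern still ignores the line from the other program, while the pattern with no prefix matches it.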