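// Extracts user, source address, port and protocol from sshd password-authentication
// lines ("Failed password for ..." / "Accepted password for ...").
//
// Changes relative to the generated sample:
//   * "(?:invalid\s+user\s+)?" lets the pattern match "Failed password for invalid user NAME from ..."
//     lines, which the original skipped entirely. Missing them hides failed attempts against
//     accounts that do not exist.
//   * The user group is \S+ instead of \w+, so names containing '-' or '.' are captured.
//
// Known limits, left unchanged so group names and numbering stay the same:
//   * source_IP matches dotted-quad IPv4 only; IPv6 peers produce no match.
//   * The match starts at "password", so the Failed/Accepted outcome is NOT captured.
//     Read it from the full log line when counting failures against successes.
//   * The user value originates from the connecting client. Treat every captured field as
//     untrusted text and escape it before display or storage.
$re = '/password\s+for\s+(?:invalid\s+user\s+)?(?<user>\S+)\s+from\s+(?<source_IP>\d+\.\d+\.\d+\.\d+)\s+port\s+(?<port>\d+)\s+(?<protocol>\w+)/m';

// Sample events as shown on the page. The "·" lines are indexer field renderings, not sshd output.
$str = 'Jun 3 17:29:44 XXX sshd[9668]: Failed password for userXXX from 192.168.1.2 port 63568 ssh2
· host = 10.0.0.9
· source = /var/log/secure
· sourcetype = linux_secure
Jun 3 00:13:41 XXX sshd[18404]: Accepted password for userXXX from 192.168.3.4 port 60272 ssh2
· host = 10.0.0.9
· source = /var/log/secure
· sourcetype = linux_secure';

// PREG_SET_ORDER: one array per matched event, holding both named and numeric group keys.
$matchCount = preg_match_all($re, $str, $matches, PREG_SET_ORDER, 0);

// A PCRE failure returns false and leaves $matches empty, which would otherwise look
// exactly like "no login events found".
if ($matchCount === false) {
    throw new RuntimeException('preg_match_all failed, PCRE error code ' . preg_last_error());
}

// Print the entire match result
var_dump($matches);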