ConfigServer Security & Firewall

Hello,

Does anyone have the correct Regex for ConfigServer Security & Firewall to monitor failed logins to NC?
Here’s what the logs look like:

{"reqId":"WG5Y@-IxYfIX1CXkM9N16gAAAAY","remoteAddr":"22.43.166.102","app":"core","message":"Login failed: 'dmom' (Remote IP: '22.43.166.102')","level":2,"time":"2017-01-05T14:32:28+00:00","method":"POST","url":"/index.php/login?user=dmom","user":"--","version":"11.0.0.10"}
{"reqId":"WG5Y-fIxYfIX1CXkM9N17QAAAAY","remoteAddr":"22.43.166.102","app":"core","message":"Login failed: 'dmom' (Remote IP: '22.43.166.102')","level":2,"time":"2017-01-05T14:32:30+00:00","method":"POST","url":"/index.php/login?user=dmom","user":"--","version":"11.0.0.10"}
{"reqId":"WG5ZAPIxYfIX1CXkM9N18AAAAAY","remoteAddr":"22.43.166.102","app":"core","message":"Login failed: 'dmom' (Remote IP: '22.43.166.102')","level":2,"time":"2017-01-05T14:32:33+00:00","method":"POST","url":"/index.php/login?user=dmom","user":"--","version":"11.0.0.10"}
{"reqId":"WG5ZAvIxYfIX1CXkM9N18wAAAAY","remoteAddr":"22.43.166.102","app":"core","message":"Login failed: 'dmom' (Remote IP: '22.43.166.102')","level":2,"time":"2017-01-05T14:32:36+00:00","method":"POST","url":"/index.php/login?user=dmom","user":"--","version":"11.0.0.10"}

I think there have been some examples for ownCloud + fail2ban; doesn’t this also use regular expressions?
edit: https://www.techandme.se/fail2ban-owncloud/

Hi, here is the regex for Owncloud/Nextcloud:

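[INCLUDES]
before = apache-common.conf

[Definition]
# <HOST> is fail2ban's placeholder for the address to ban
failregex = {"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
# ignoreregex belongs in [Definition], not [INCLUDES]
ignoreregex =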

regards

Ok, I’ll admit I am NOT a regex guy.
So, how do I convert that to what CSF understands?
I know where to set it up in CSF, but not the regex part.
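
As an added example (not part of the thread and not CSF's or Nextcloud's own code), this stand-alone Perl script shows how the failed-login lines above could be matched in the style of the `custom_line()` routine in CSF's `regex.custom.pm`. The log path, rule id `nextcloud`, trigger count and port list are assumptions, and `%globlogs` is stubbed here so the script runs outside lfd.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for lfd's table of watched logs so the script runs on its own.
# In CSF the path is whatever CUSTOM1_LOG is set to in csf.conf (placeholder here).
my $nc_log = '/path/to/nextcloud/data/nextcloud.log';
our %globlogs = (CUSTOM1_LOG => { $nc_log => 1 });

# Same shape as custom_line() in CSF's regex.custom.pm.
sub custom_line {
    my ($line, $lgfile) = @_;

    # Anchor on the leading JSON keys and take the address from "remoteAddr",
    # not from the free-text message, so user-supplied text in the login name
    # cannot influence which address is captured. IPv4 only.
    if ($globlogs{CUSTOM1_LOG}{$lgfile}
        and $line =~ /^\{"reqId":"[^"]*","remoteAddr":"(\d{1,3}(?:\.\d{1,3}){3})","app":"core","message":"Login failed: /) {
        # description, IP, rule id, failures before block, ports, 1 = permanent
        # (threshold and ports are example values)
        return ("Failed Nextcloud login from", $1, "nextcloud", "5", "80,443", "1");
    }
    return 0;
}

# Constructed sample lines modelled on the log format shown in the thread.
my @sample = (
    q|{"reqId":"sample-1","remoteAddr":"22.43.166.102","app":"core","message":"Login failed: 'dmom' (Remote IP: '22.43.166.102')","level":2,"time":"2017-01-05T14:32:28+00:00","method":"POST","url":"/index.php/login?user=dmom","user":"--","version":"11.0.0.10"}|,
    q|{"reqId":"sample-2","remoteAddr":"22.43.166.102","app":"files","message":"constructed non-login entry","level":2,"time":"2017-01-05T14:33:00+00:00","method":"GET","url":"/index.php/apps/files/","user":"dmom","version":"11.0.0.10"}|,
);

for my $line (@sample) {
    my @hit = custom_line($line, $nc_log);
    print(@hit > 1 ? "MATCH  ip=$hit[1] rule=$hit[2]\n" : "no match\n");
}
```

In CSF itself only the `if` block would go inside the existing `custom_line()` in `regex.custom.pm`, with `CUSTOM1_LOG` in `csf.conf` set to the Nextcloud log file.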