I updated my Grafana to 10.1.2 and confirmed that the log messages for failed logins have changed.
After spending a little more time on this, I think the regex I provided above could result in false positives if some other event triggers a log with msg="Bad request". With that in mind, I’ve updated to what I believe will be a more reliable regex that focuses on the errror= section of the log entry. I also tweaked the datepattern to hopefully be more robust if the log format changes again.
[Init]
datepattern = ^(?:[^=]+=(?:[^ ]*|"[^"]*") )+t=%%Y-%%m-%%dT%%H:%%M:%%S.%%f(?:\d{0,6})%%z
[Definition]
failregex = error="\[password-auth\.failed\][^"]*" (?:[^=]+=(?:[^ ]*|"[^"]*") )*remote_addr=<ADDR>