Otherwise regexps are quite unreadable and hard to maintain.
I'm not sure that:

    Accepted publickey for (?<user>\S+) from (?<ipaddr>\S+) port (?<port>\d+) (?<version>.*)

is any less readable than:

    Accepted publickey for @ESTRING:user: @ from @IPv4:ipaddr:@ port @NUMBER:port:@ @ANYSTRING:version:@

In general, I don't think the patterndb syntax adds anything in terms of readability or maintainability. I assume that regular expressions were rejected primarily for performance reasons, which may be a bigger concern in some environments than others. The performance of modern hardware means that in our environment this isn't a particular concern (but we're not a large environment by any definition). I would argue that having to learn an entirely new syntax for this one application actually makes it less readable, since one can't apply lessons learned from working with other tools.
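The regular expression quoted in the message above, run over constructed sshd message bodies, as an added example that is not part of the original post. JavaScript is used because it accepts the `(?<name>...)` group syntax as written; the `^` anchor, the function names and the sample lines are assumptions of this example.

```javascript
// Regex from the post, unchanged except for the leading ^ anchor (an
// assumption of this example): anchoring stops the pattern from matching
// the same text when it appears embedded later in an unrelated message.
const ACCEPTED_PUBKEY =
  /^Accepted publickey for (?<user>\S+) from (?<ipaddr>\S+) port (?<port>\d+) (?<version>.*)/;

// Constructed sample message bodies (syslog header already stripped).
const SAMPLES = [
  "Accepted publickey for alice from 192.0.2.10 port 50522 ssh2: RSA SHA256:EXAMPLEFINGERPRINT",
  // \S+ for ipaddr also accepts an IPv6 peer address.
  "Accepted publickey for bob from 2001:db8::7 port 22022 ssh2",
  // A different sshd event: must not match.
  "Failed password for invalid user admin from 198.51.100.4 port 40100 ssh2",
  // Same text embedded in another message: rejected because of the anchor.
  "error: junk Accepted publickey for eve from 203.0.113.9 port 1 ssh2",
];

// Returns the named fields of one message, or null when it does not match.
function parseAcceptedPublickey(message) {
  const m = ACCEPTED_PUBKEY.exec(message);
  if (m === null) return null;
  const { user, ipaddr, port, version } = m.groups;
  // port is captured as digits only, so Number() cannot yield NaN here.
  return { user, ipaddr, port: Number(port), version };
}

// Parses a batch of messages and keeps only the successful logins.
function parseAll(messages) {
  return messages.map(parseAcceptedPublickey).filter((r) => r !== null);
}

for (const rec of parseAll(SAMPLES)) {
  console.log(`${rec.user} <- ${rec.ipaddr}:${rec.port} (${rec.version})`);
}
```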