Is it possible to substitute a value after a pattern match? For example, in the pattern below if I match the "23" then use value "telnet", but if it is a "22", then "ssh".

%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test] [Source: 131.212.1.1] [localport: 23] [Reason: Login Authentication Failed] at 10:38:41 CST Thu Jan 23 2014

I am trying to use one pattern to match both cases and we'd prefer to have service names rather than port numbers in our db.