When running a Linux server that is accessible from the Internet, you will see a lot of failed SSH authentication attempts.
This article is not about securing your server (changing the SSH port, fail2ban, public-key authentication only, ...) but about visualizing these attacks.
A popular tool to visualize time series data is here. The code and documentation are on GitHub.
It just looks great and provides all the data we need to build a spy movie style attack dashboard:
Please note that this embedded image is hosted on GitHub; the copyright is with the author Alexis Couvreur.
The basic idea of his tool ssh-log-to-influx is to use a customized RSYSLOG configuration to send specific event notifications to a custom TCP port, in addition to the standard output into /var/log/messages.
So the data flow is like this:
SSHD -- RSYSLOG -- SSH-log-to-Influx -- InfluxDB -- Grafana
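To make the middle of this pipeline concrete, here is an added example (not code from ssh-log-to-influx itself) that does the core job the tool performs between RSYSLOG and InfluxDB: it parses the sshd "Failed password" lines as rsyslog forwards them and turns each into an InfluxDB line protocol point. The sample log lines, the measurement name `ssh_failed_login` and the tag/field layout are my own constructed choices.

```python
import re
from typing import Optional

# Matches the sshd failure message as forwarded by rsyslog, e.g.
# "Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2"
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

# Constructed sample input: two failed logins and one unrelated rsyslog line.
SAMPLE_LINES = [
    "Jan 26 16:20:01 server4711 sshd[1234]: Failed password for invalid user admin "
    "from 203.0.113.5 port 51234 ssh2",
    "Jan 26 16:20:07 server4711 sshd[1235]: Failed password for root "
    "from 198.51.100.7 port 40022 ssh2",
    "Jan 26 16:21:24 server4711 rsyslogd[148476]: cannot connect to 127.0.0.1:7070: "
    "Permission denied",
]


def parse_failed_login(line: str) -> Optional[dict]:
    """Extract user, source IP and port from a failed-login line; None if no match."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    return {
        "user": m.group("user"),
        "ip": m.group("ip"),
        "port": int(m.group("port")),
        "invalid_user": "invalid user" in line,  # account does not exist on the host
    }


def escape_tag(value: str) -> str:
    """Escape the characters InfluxDB line protocol reserves in tag keys/values."""
    return value.replace(",", "\\,").replace("=", "\\=").replace(" ", "\\ ")


def to_line_protocol(event: dict, measurement: str = "ssh_failed_login") -> str:
    """Build one line protocol point: measurement,tags fields (timestamp omitted)."""
    tags = f"ip={escape_tag(event['ip'])},user={escape_tag(event['user'])}"
    fields = f"port={event['port']}i,count=1i"  # 'i' suffix marks integer fields
    return f"{measurement},{tags} {fields}"


def convert(lines) -> list:
    """Convert forwarded log lines to line protocol, skipping non-matching lines."""
    return [to_line_protocol(e) for e in map(parse_failed_login, lines) if e]


if __name__ == "__main__":
    for point in convert(SAMPLE_LINES):
        print(point)
```

Attacker-controlled usernames are placed in a tag, so the escaping matters: a name containing a space or comma would otherwise corrupt the point.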
The documentation worked pretty well for me with one exception. RSYSLOG was not able to send events to the local TCP port 7070.
After restarting RSYSLOG I saw this in /var/log/messages:
Jan 26 16:21:24 server4711 rsyslogd[148476]: cannot connect to 127.0.0.1:7070: Permission denied [v8.2102.0-5$
After checking the port configuration in Docker I could identify the root cause: the Linux distribution on this particular server had SELinux enabled, which only allows rsyslogd to connect to ports labelled for syslog. So the fix was easy, adding port 7070 to that label:
semanage port -a -t syslogd_port_t -p tcp 7070