This sounds very similar to the default Sentinel 7 rule 'Example:
Bad Logins One User', which looks like this:

filter(((e.XDASClass = 2) AND (e.XDASIdentifier = 0) AND (e.XDASOutcome
= 2)) OR ((e.XDASClass = 2) AND (e.XDASIdentifier = 4) AND
(e.XDASOutcome = 2)))flow trigger(2,60,discriminator(e.TargetUserName))

You could probably modify this, though, to have the discriminator be the
SourceIP and a requirement of three attempts with something like the
following (untested):

filter(((e.XDASClass = 2) AND (e.XDASIdentifier = 0) AND (e.XDASOutcome
= 2)) OR ((e.XDASClass = 2) AND (e.XDASIdentifier = 4) AND
(e.XDASOutcome = 2)))flow trigger(3,60,discriminator(e.SourceIP))

Keep in mind that this will vary a lot based on the way the event source
sends its data, and the way the collector handles it. Does your given
syslog relay change IP addresses of all events it intercepts to itself,
or does the collector receiving these events parse them as such for some
reason? What about a central proxy system that does authentications for
all kinds of users and so has a lot of "failed logins" coming from
itself compared to a single workstation?

Good luck.
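
Added example, not part of the post above and not Sentinel code: a small Python model of the two rules, showing how the discriminator choice changes what fires when a proxy or relay puts its own address on every event. The sliding-window semantics, the `ts` field and all sample events are assumptions made for illustration; the XDAS field names and values are the ones in the rules quoted in the post.

```python
from collections import defaultdict, deque

def is_failed_login(e):
    # Same condition as the rule's filter(): class 2, identifier 0 or 4, outcome 2.
    return (e["XDASClass"] == 2 and e["XDASIdentifier"] in (0, 4)
            and e["XDASOutcome"] == 2)

def trigger(events, count, seconds, discriminator):
    """Values of `discriminator` with `count` matching events inside `seconds`.

    Assumption: a plain sliding window per discriminator value.
    """
    windows = defaultdict(deque)
    fired = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if not is_failed_login(e):
            continue
        w = windows[e[discriminator]]
        w.append(e["ts"])
        while e["ts"] - w[0] > seconds:   # drop events older than the window
            w.popleft()
        if len(w) >= count:
            fired.add(e[discriminator])
    return fired

def ev(ts, user, ip, outcome=2, ident=0):
    # Helper for building constructed events; "ts" is seconds, a hypothetical field.
    return {"ts": ts, "XDASClass": 2, "XDASIdentifier": ident,
            "XDASOutcome": outcome, "TargetUserName": user, "SourceIP": ip}

# Constructed sample data, not real logs.
SAMPLE = [
    # One workstation failing three times against one account.
    ev(0, "alice", "10.0.0.5"), ev(20, "alice", "10.0.0.5"), ev(40, "alice", "10.0.0.5"),
    # Hypothetical proxy/relay: three different users, one failure each, same SourceIP.
    ev(5, "bob", "10.0.0.9"), ev(25, "carol", "10.0.0.9", ident=4), ev(50, "dave", "10.0.0.9"),
    # Two failures too far apart to share a 60-second window.
    ev(10, "erin", "10.0.0.7"), ev(200, "erin", "10.0.0.7"),
    # Outcome other than 2, so the filter does not match.
    ev(30, "frank", "10.0.0.8", outcome=0), ev(31, "frank", "10.0.0.8", outcome=0),
    ev(32, "frank", "10.0.0.8", outcome=0),
]

if __name__ == "__main__":
    print("per user, 2 in 60s:    ", sorted(trigger(SAMPLE, 2, 60, "TargetUserName")))
    print("per SourceIP, 3 in 60s:", sorted(trigger(SAMPLE, 3, 60, "SourceIP")))
```

Keyed on SourceIP, the constructed proxy address fires even though no single account saw more than one failure, which is the case the post's closing questions describe.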