diff --git a/filebeat/module/system/auth/ingest/pipeline.json b/filebeat/module/system/auth/ingest/pipeline.json
index 49142bc2d18..1c5ce8b46d4 100644
--- a/filebeat/module/system/auth/ingest/pipeline.json
+++ b/filebeat/module/system/auth/ingest/pipeline.json
@@ -22,22 +22,20 @@
                 "field": "message",
                 "ignore_missing": true,
                 "ignore_failure": true,
-                "tag": "ssh-login",
                 "patterns": [
-                    "^%{DATA:system.auth.ssh.action} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?"
+                    "^%{DATA:system.auth.ssh.action} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?",
+                    "^%{DATA:system.auth.ssh.action} user %{DATA:user.name} from %{IPORHOST:source.ip}",
+                    "^Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}"
                 ]
             }
         },
 
-
         {
             "grok": {
                 "field": "message",
                 "ignore_missing": true,
                 "ignore_failure": true,
                 "patterns": [
-                    "^%{DATA:system.auth.ssh.action} user %{DATA:user.name} from %{IPORHOST:source.ip}",
-                    "^Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}",
                     "^%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}",
                     "^new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id:long}",
                     "^new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id:long}, GID=%{NUMBER:group.id:long}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$"
@@ -70,7 +68,7 @@
             "set": {
                 "field": "event.outcome",
                 "value": "failure",
-                "if": "ctx.event.containsKey('action') && ctx.event.action == 'ssh_login' && ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('action') && ctx.system.auth.ssh.action == 'Failed'"
+                "if": "ctx.event.containsKey('action') && ctx.event.action == 'ssh_login' && ctx.system.auth.containsKey('ssh') && ((ctx.system.auth.ssh.containsKey('action') && ctx.system.auth.ssh.action == 'Failed') || (ctx.system.auth.ssh.containsKey('dropped_ip')))"
             }
         },
 
diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json
index 0c1a99cdce5..e24d684f3ce 100644
--- a/filebeat/module/system/auth/test/test.log-expected.json
+++ b/filebeat/module/system/auth/test/test.log-expected.json
@@ -117,6 +117,7 @@
         "event.dataset": "system.auth",
         "event.kind": "event",
         "event.module": "system",
+        "event.outcome": "failure",
         "fileset.name": "auth",
         "host.hostname": "slave22",
         "input.type": "log",