I would like to match both "AAA user authentication" and "user = somebody". Can someone help with the syslog plugin alert rule for this?

June 2 09:04:18 ASA-Primary %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = NETMANQPM-ACS : user = somebody

I tried creating 2 separate rules, each using "contains":

AAA user authentication Rejected : reason = AAA failure : server = NETMANQPM-ACS : user = somebody
AAA user authentication Successful : server = NETMANQPM-ACS : user = somebody

but the rule doesn't trigger. I think because of the : in the string.

Help is greatly appreciated.
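An added example, not part of the original post and not the syslog plugin's own rule syntax: one way to match both conditions on a single line with a regular expression, shown in Python over constructed sample lines in the format quoted above. It assumes the alert rule can take a regular expression (or that lines can be post-processed); the names `parse_aaa`, `alert_matches` and `single_rule` are hypothetical.

```python
import re

# Constructed sample lines modelled on the message quoted in the post.
SAMPLE_LINES = [
    "June 2 09:04:18 ASA-Primary %ASA-6-113005: AAA user authentication Rejected"
    " : reason = AAA failure : server = NETMANQPM-ACS : user = somebody",
    "June 2 09:05:02 ASA-Primary %ASA-6-113004: AAA user authentication Successful"
    " : server = NETMANQPM-ACS : user = somebody",
    # Different account whose name merely starts with "somebody".
    "June 2 09:06:40 ASA-Primary %ASA-6-113005: AAA user authentication Rejected"
    " : reason = AAA failure : server = NETMANQPM-ACS : user = somebody2",
    # Constructed non-AAA line that still contains "user = somebody".
    "June 2 09:07:11 ASA-Primary %ASA-6-000000: constructed other message : user = somebody",
]

# ':' is an ordinary literal in a regular expression, so it needs no escaping.
# The "reason" field is optional because it only appears on rejections.
AAA_RE = re.compile(
    r"AAA user authentication (?P<result>\w+) :"
    r"(?: reason = (?P<reason>.*?) :)?"
    r" server = (?P<server>\S+) :"
    r" user = (?P<user>\S+)\s*$"
)


def parse_aaa(line):
    """Return the AAA fields of a syslog line as a dict, or None if not an AAA event."""
    m = AAA_RE.search(line)
    return m.groupdict() if m else None


def alert_matches(line, user):
    """True only for an AAA authentication event whose user field equals `user` exactly."""
    event = parse_aaa(line)
    return event is not None and event["user"] == user


def single_rule(user):
    """One pattern covering both conditions, for tools that accept a single regex."""
    return re.compile(r"AAA user authentication .*: user = " + re.escape(user) + r"\s*$")


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(alert_matches(line, "somebody"), parse_aaa(line))
```

Anchoring the user name to the end of the line keeps `somebody2` from matching, which a plain substring test on "user = somebody" would not do.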