
mosquitto bruteforce fail2ban failregex

4 votes
1 answer
2271 views
I am trying to write a fail2ban filter to block bruteforcing IP addresses which are trying to subscribe to a username/password protected mosquitto service by guessing username/password combinations. On an attempt to subscribe with incorrect details, mosquitto writes two lines to the log like:

    1544984465: New connection from 123.123.123.123 on port 1883.
    1544984465: Socket error on client , disconnecting.

I managed to write a regex matching this two-line pattern by using https://regex101.com/ set to "python flavor". The regex looks like this:

    \s(?P<date>\d+)\: New connection from (?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+\n(?P=date): Socket error on client \, disconnecting.

Unfortunately, fail2ban is unable to find matches in the log by using this regex:

    # fail2ban-regex '/var/log/testlog.log' '\s(?P<date>\d+)\: New connection from (?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+\n(?P=date): Socket error on client \, disconnecting.'

    Running tests
    =============

    Use   failregex line : \s(?P<date>\d+)\: New connection from (?P<host>[0-...
    Use         log file : /var/log/testlog.log
    Use         encoding : UTF-8

    Results
    =======

    Failregex: 0 total

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    |  Epoch
    `-

    Lines: 13 lines, 0 ignored, 0 matched, 13 missed [processed in 0.00 sec]
    |- Missed line(s):
    |  1544984465: New connection from 123.123.123.123 on port 1883.
    |  1544984465: Socket error on client , disconnecting.
    |  1544984466: New connection from 123.123.123.123 on port 1883.
    |  1544984466: Socket error on client , disconnecting.
    |  1544984468: New connection from 123.123.123.123 on port 1883.
    |  1544984468: Socket error on client , disconnecting.
    |  1544984469: New connection from 123.123.123.123 on port 1883.
    |  1544984469: Socket error on client , disconnecting.
    |  1544984470: New connection from 123.123.123.123 on port 1883.
    |  1544984470: Socket error on client , disconnecting.
    |  1544984471: New connection from 123.123.123.123 on port 1883.
    |  1544984471: Socket error on client , disconnecting.
    |  1544984473: New connection from 123.123.123.123 on port 1883.
    `-

Fail2ban version is 0.9.6-1.el6.1. Running on a CentOS 6 server.
Asked by Nerijus (66 rep)
Dec 16, 2018, 07:42 PM
Last activity: Nov 20, 2023, 11:07 PM
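
An added example, not part of the original question: a two-line pattern like the one above can only match when both log lines are in the same string, so the Python sketch below applies it once per line and once per pair of adjacent lines, then counts failed pairs per address. Assumptions: fail2ban's default of testing a failregex against one log line at a time (multi-line matching needs the filter's `maxlines` option), the question's pattern with its leading `\s` dropped, a constructed sample log, and hypothetical function names.

```python
import re
from collections import Counter

# Constructed sample: the question's two log lines, plus one pair from a
# second (documentation-range) address and one unpaired connection.
SAMPLE_LOG = """\
1544984465: New connection from 123.123.123.123 on port 1883.
1544984465: Socket error on client , disconnecting.
1544984466: New connection from 123.123.123.123 on port 1883.
1544984466: Socket error on client , disconnecting.
1544984468: New connection from 123.123.123.123 on port 1883.
1544984468: Socket error on client , disconnecting.
1544984470: New connection from 192.0.2.10 on port 1883.
1544984470: Socket error on client , disconnecting.
1544984473: New connection from 123.123.123.123 on port 1883.
"""

# The question's two-line pattern without its leading \s; the (?P=date)
# backreference requires both lines to carry the same timestamp.
TWO_LINE = re.compile(
    r"(?P<date>\d+): New connection from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) .+\n"
    r"(?P=date): Socket error on client , disconnecting\."
)

def per_line_hits(log):
    """Number of matches when every log line is tested on its own."""
    return sum(1 for line in log.splitlines() if TWO_LINE.search(line))

def paired_hosts(log):
    """Hosts matched when each line is joined with the line before it."""
    lines = log.splitlines()
    hits = []
    for prev, cur in zip(lines, lines[1:]):
        m = TWO_LINE.search(prev + "\n" + cur)
        if m:
            hits.append(m.group("host"))
    return hits

def offenders(log, maxretry=3):
    """Hosts with at least maxretry failed connection pairs."""
    counts = Counter(paired_hosts(log))
    return {host: n for host, n in counts.items() if n >= maxretry}

if __name__ == "__main__":
    print("per-line matches:", per_line_hits(SAMPLE_LOG))
    print("two-line matches:", paired_hosts(SAMPLE_LOG))
    print("over threshold:", offenders(SAMPLE_LOG))
```

The per-line count is zero because no single line contains the `\n` the pattern requires, which is consistent with the 13 missed lines reported above.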