Creating GROK rule to parse across multiline log

1. Describe your incident:
I am trying to write a pipeline rule that will extract a value based on a Grok pattern and set a field.

Sample log:

An account failed to log on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		asdf
	Account Domain:		-

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xC000006D
	Sub Status:		0xC000006A

I want to extract the Failure Reason into its own field, event_error_description.

2. Describe your environment:

  • OS Information: Rocky 9.5

  • Package Version: Graylog 6.1.5, MongoDB 6.0.19, OpenSearch 2.15

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?
I have read forum postings, including this GitHub issue page, Multiline support for Grok extractor · Issue #2465 · Graylog2/graylog2-server · GitHub, which mentions (%s) and (%m), but neither works, or I am not doing them right. I have tried editing the Grok pattern in Grok Debugger.

This is a pattern I have tried:
(Failure Reason:\s\t%{GREEDYDATA:event_error_description})

4. How can the community help?

Hopefully someone can point out where I have written the GROK pattern wrongly. Or, will I have to use regex?

Thank you. Happy 2025!
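
Added example, not part of the original post and not Graylog code: Python's `re` module stands in for the regex engine to show how the posted pattern behaves on the sample with and without the `(?s)` inline flag, next to a line-bounded alternative. It assumes `GREEDYDATA` expands to `.*` (its standard Grok definition); `expand`, `extract`, `WHOLE` and `LINE_BOUND` are hypothetical names, and the sample is constructed from the log above.

```python
import re

# Constructed sample: part of the event text from the post, tab-separated.
SAMPLE = (
    "An account failed to log on.\n\n"
    "Account For Which Logon Failed:\n"
    "\tAccount Name:\t\tasdf\n\n"
    "Failure Information:\n"
    "\tFailure Reason:\t\tUnknown user name or bad password.\n"
    "\tStatus:\t\t\t0xC000006D\n"
    "\tSub Status:\t\t0xC000006A\n"
)
FIELD = "event_error_description"
POSTED = r"(Failure Reason:\s\t%{GREEDYDATA:event_error_description})"
# Hypothetical variant for an engine that must match the whole message.
WHOLE = r"%{GREEDYDATA:prefix}" + POSTED
# Hypothetical alternative: stop at the line end instead of relying on '.'.
LINE_BOUND = r"Failure Reason:\s+(?P<event_error_description>[^\r\n]+)"


def expand(pattern, flags=""):
    """Turn %{GREEDYDATA:name} into (?P<name>.*) and prepend inline flags."""
    body = re.sub(r"%\{GREEDYDATA:(\w+)\}", r"(?P<\1>.*)", pattern)
    return re.compile(flags + body)


def extract(pattern, text, flags="", whole=False):
    """Return the captured field, or None when the pattern does not match."""
    rx = expand(pattern, flags)
    m = rx.fullmatch(text) if whole else rx.search(text)
    return m.group(FIELD) if m else None


if __name__ == "__main__":
    crlf = SAMPLE.replace("\n", "\r\n")  # Windows-style line endings
    cases = [
        ("posted, substring search", extract(POSTED, SAMPLE)),
        ("posted with (?s): over-captures", extract(POSTED, SAMPLE, "(?s)")),
        ("whole message, no flag", extract(WHOLE, SAMPLE, whole=True)),
        ("whole message with (?s)", extract(WHOLE, SAMPLE, "(?s)", whole=True)),
        ("line-bounded, CRLF input", extract(LINE_BOUND, crlf)),
    ]
    for label, value in cases:
        print(f"{label:32} -> {value!r}")
```

Without `(?s)` the `.` in `GREEDYDATA` stops at a newline, so a pattern that has to span the whole message cannot match; with `(?s)` it matches but the capture runs to the end of the message, which is why the line-bounded character class is the safer way to isolate one field.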