I see some examples in scripting:
http://wiki.mikrotik.com/wiki/Manual:Scripting-examples#Detect_new_log_entry
I also see alot of this in Mikrotik Log files:
15:15:53 system,error,critical login failure for user temp from x.x.201.102 via ssh
Is there a way to add an IP that is not in a whiteless but has had say 5 failed login’s in a row to a blacklist? Any examples of this?