If you want to associate a task to rules  , a log  analyser is not what you need.

logs are stored once an action is already done and its only purpose if to keep a history of system  behaviour. what you need is a rule engine. you might want to have a look at OCL and see how the ruls can be associated to objects. now to stay with your example, if an object is monitoring the state of login  attempts to the system, an OCL rule can trigger an action IF the number of attempts reaches to 3. the rule then is on your monitoring object.

I don't think looking at logs is a correct way to do it. one good reason for that is, information are logged in different levels, i.e. INFO, WARNING, DEBUG, TRACE, etc and these levels are customizable, now if the application user  sets the logging level to a certain value which doesnot include system log attempt, the analyser will be useless.

for example if log attempts are going to be logged when log level is WARNING and user set the log level to INFO, analyser will never notice the number of log attempts.

look into rules / rule engines and monitoring the tasks instead of log analyser. you are mixing two different things

Thank you for your useful comment.
You are right we have to manage it in another way.

this book may help:
Security Log
Management
Identifying Patterns in the Chaos
ISBN: 1-59749-042-3

I have downloaded electronic version from internet, if you can't found it, ask me to send you a copy.