Grok with conditional patterns and adding a tag

You could e.g. use multiple grok filters.

filter {
  # Only try the first pattern if no earlier grok has tagged the event yet
  if "grokked" not in [tags] {
    grok {
      match => ["message", "... Failed password ... "]
      # add_tag takes "=>" like every other filter option
      add_tag => ["ssh_failed_login", "grokked"]
    }
  }
  # Skipped when the first grok matched, so the first match wins
  if "grokked" not in [tags] {
    grok {
      match => ["message", "... Accepted password ... "]
      add_tag => ["ssh_successful_login", "grokked"]
    }
  }
}
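The same first-match-wins, tag-guarded logic run over sample log lines, as an added Python example that is not from the original post; the sshd regexes and the sample lines are my own assumptions standing in for the elided grok patterns.

```python
import re

# Constructed sample sshd log lines (assumed, not from the original post).
SAMPLE_LINES = [
    "Jan 10 12:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jan 10 12:00:07 host sshd[1234]: Accepted password for alice from 198.51.100.7 port 51240 ssh2",
    "Jan 10 12:00:09 host sshd[1235]: Connection closed by 203.0.113.5 port 51235 [preauth]",
]

# Assumed regex equivalents of the two grok patterns. Order matters: the first
# rule that matches wins, exactly like the "grokked" guard around each grok block.
RULES = [
    ("ssh_failed_login",
     re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+)")),
    ("ssh_successful_login",
     re.compile(r"sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<src_ip>\S+)")),
]


def apply_rules(event):
    """Tag one event the way the chained, guarded grok filters would."""
    tags = event.setdefault("tags", [])
    for tag, pattern in RULES:
        if "grokked" in tags:
            break  # guard: an earlier rule already matched, skip the rest
        m = pattern.search(event["message"])
        if m:
            event.update(m.groupdict())  # captured fields become event fields
            tags.extend([tag, "grokked"])
    # Grok adds _grokparsefailure on every non-matching filter unless
    # tag_on_failure is overridden; here it is only added when nothing matched.
    if "grokked" not in tags:
        tags.append("_grokparsefailure")
    return event


def process(lines):
    """Run every line through the rule chain and return the tagged events."""
    return [apply_rules({"message": line}) for line in lines]
```

In real Logstash the first grok still adds _grokparsefailure to events that only the second grok matches, so set tag_on_failure => [] on the earlier filters if that tag is used for alerting.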