diff --git a/napalm_logs/config/infinera/USER_LOGIN.yml b/napalm_logs/config/infinera/USER_LOGIN.yml
new file mode 100644
index 00000000..64835ca6
--- /dev/null
+++ b/napalm_logs/config/infinera/USER_LOGIN.yml
@@ -0,0 +1,15 @@
+# Infinera SECURITY messages for user login events
+messages:
+ - error: USER_LOGIN
+ tag: SECURITY
+ values:
+ timestamp: (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z?)
+ sessionId: ([^;]+)
+ sessionType: (\w+)
+ user: ([^;]+)
+ line: '"time-stamp":{timestamp};"session-id":{sessionId};"session-type":{sessionType};"user-name":{user};"event/action":logged in'
+ model: openconfig-system
+ mapping:
+ variables:
+ system//aaa//authentication//users//user//{user}//state//username: user
+ static: {}
diff --git a/napalm_logs/config/infinera/init.yml b/napalm_logs/config/infinera/init.yml
new file mode 100644
index 00000000..2288f430
--- /dev/null
+++ b/napalm_logs/config/infinera/init.yml
@@ -0,0 +1,21 @@
+# Infinera syslog format (RFC5424 style via netsyslog relay)
+# Supported message types per vendor documentation:
+# - ALARM: alarm notifications with severity, duration, service-affect
+# - EVENT: system events with entity and attributes
+# - CONFIGURATION: config changes with user, result, attributes
+# - SECURITY: authentication events (login/logout)
+#
+# Example log:
+# Jan 20 05:01:59.657539 73dm8 netsyslog: <85>1 2026-01-20T05:02:17+00:00 dci01.abc01@:: SECURITY 401 [meta sequenceId="735"] "time-stamp":...
+#
+prefixes:
+ - time_format: "%Y-%m-%dT%H:%M:%S"
+ values:
+ date: (\d{4}-\d{2}-\d{2})
+ time: (\d{2}:\d{2}:\d{2})
+ timezone: ([\+\-]\d{2}:\d{2})
+ host: '([\w\.\-]+)@::'
+ tag: (ALARM|EVENT|CONFIGURATION|SECURITY)
+ messageId: (\d+)
+ structuredData: (\[.*?\])
+ line: '1 {date}T{time}{timezone} {host} {tag} {messageId} {structuredData} '
\ No newline at end of file
diff --git a/tests/config/infinera/USER_LOGIN/default/syslog.msg b/tests/config/infinera/USER_LOGIN/default/syslog.msg
new file mode 100644
index 00000000..8d6a6a07
--- /dev/null
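Review bot: The `user: ([^;]+)` capture in USER_LOGIN.yml accepts every character except `;`, and the captured value is interpolated as a path segment in `system//aaa//authentication//users//user//{user}//state//username`. Because `//` separates segments in that mapping, a user-name field containing slashes, whitespace or quotes would presumably reshape the published key tree, and syslog input is typically unauthenticated. Consider restricting the class to what the platform allows in account names, e.g. `user: ([\w.\-@]+)` (confirm the permitted characters against the Infinera documentation), and adding a fixture with an unusual name. `sessionId` and `sessionType` are captured but not mapped, so they survive only in the raw `message` field.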
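Review bot: In init.yml, `structuredData: (\[.*?\])` only matches records that carry a bracketed SD element. RFC 5424 also permits the nil value `-` in that position, and a SECURITY record in that form would presumably not match this prefix, so an authentication event would be missed silently rather than reported as an error. If the device can emit it, `structuredData: (\[.*?\]|-)` would cover both forms. The example in the header comment shows the relay's own `Jan 20 … netsyslog:` wrapper in front of `<85>1`, while the test fixture starts at `<85>1`; a comment such as `# The relay header is stripped before napalm-logs receives the message` (if that is the case) would remove the ambiguity. The file also ends without a trailing newline.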
+++ b/tests/config/infinera/USER_LOGIN/default/syslog.msg
@@ -0,0 +1 @@
+<85>1 2026-01-20T05:02:17+00:00 dci01.waw02@:: SECURITY 401 [meta sequenceId="735"] "time-stamp":2026-01-20T05:02:17Z;"session-id":sess-12345;"session-type":CLI;"user-name":admin;"event/action":logged in
diff --git a/tests/config/infinera/USER_LOGIN/default/yang.json b/tests/config/infinera/USER_LOGIN/default/yang.json
new file mode 100644
index 00000000..63798a92
--- /dev/null
+++ b/tests/config/infinera/USER_LOGIN/default/yang.json
@@ -0,0 +1,40 @@
+{
+ "yang_message": {
+ "system": {
+ "aaa": {
+ "authentication": {
+ "users": {
+ "user": {
+ "admin": {
+ "state": {
+ "username": "admin"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "message_details": {
+ "severity": 5,
+ "facility": 10,
+ "pri": "85",
+ "host": "dci01.waw02",
+ "tag": "SECURITY",
+ "date": "2026-01-20",
+ "time": "05:02:17",
+ "timezone": "+00:00",
+ "messageId": "401",
+ "structuredData": "[meta sequenceId=\"735\"]",
+ "message": "\"time-stamp\":2026-01-20T05:02:17Z;\"session-id\":sess-12345;\"session-type\":CLI;\"user-name\":admin;\"event/action\":logged in"
+ },
+ "timestamp": 1768978937,
+ "facility": 10,
+ "ip": "127.0.0.1",
+ "host": "dci01.waw02",
+ "yang_model": "openconfig-system",
+ "error": "USER_LOGIN",
+ "os": "infinera",
+ "severity": 5
+}
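Review bot: The expected `"timestamp": 1768978937` in yang.json does not correspond to the time in the fixture message. 2026-01-20T05:02:17+00:00 is 1768885337, whereas 1768978937 is 2026-01-21T07:02:17Z, 26 hours later. The value may have been recorded from a run in which `time_format: "%Y-%m-%dT%H:%M:%S"` and the captured `timezone` from init.yml did not yield the device time, or it may have been entered by hand. It is worth checking which, because login events published with a shifted timestamp are hard to correlate during an investigation. If the device time is what should be published, the expected line would be `"timestamp": 1768885337,`.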