diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf
index 8a63858d..c59a817c 100644
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@@ -9,20 +9,24 @@ before = apache-common.conf
[Definition]
+prefregex = ^%(_apache_error_client)s (?:AH\d+: )?.+$
-failregex = ^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
- ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
- ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$
- ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
- ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
- ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$
- ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$
- ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$
- ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$
- ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$
- ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$
- ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$
- ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$
+# auth_type = ((?:Digest|Basic): )?
+auth_type = ([A-Z]\w+: )?
+
+failregex = ^client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
+ ^user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
+ ^user .*? not found(: )?\S*(, referer: \S+)?\s*$
+ ^client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
+ ^Authorization of user \S+ to access \S* failed, reason: .*$
+ ^%(auth_type)suser .*?: password mismatch: \S*(, referer: \S+)?\s*$
+ ^%(auth_type)suser `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$
+ ^user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$
+ ^%(auth_type)sinvalid nonce .* received - length is not \S+(, referer: \S+)?\s*$
+ ^%(auth_type)srealm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$
+ ^%(auth_type)sunknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$
+ ^invalid qop `.*?' received: \S*(, referer: \S+)?\s*$
+ ^%(auth_type)sinvalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$
ignoreregex =
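Review bot: `auth_type = ([A-Z]\w+: )?` on L22 is a capturing group that accepts any capitalised word followed by a colon as the module tag, far looser than the `Digest`/`Basic` form left commented out on L21; unless other auth modules are expected, prefer `auth_type = (?:(?:Digest|Basic): )?`, or at least make it non-capturing to match the `(?:AH\d+: )?` style of the new prefregex. The prefregex also drops the per-message AH codes the old failregexes pinned (AH01617 for password mismatch, AH01618 for user not found, ...), so a comment such as `# AH codes are not checked: the message text alone identifies the failure` would record that this is deliberate. As rendered, the prefregex has no `<F-CONTENT>...</F-CONTENT>` group and the host placeholder inside `_apache_error_client` is not visible, which looks like tags lost in rendering; if the file really lacked the content group, the `^`-anchored failregexes would be run against the full line and never fire.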
@@ -53,4 +57,4 @@ ignoreregex =
# referer is always in error log messages if it exists added as per the log_error_core function in server/log.c
#
# Author: Cyril Jaquier
-# Major edits by Daniel Black
+# Major edits by Daniel Black and Sergey Brester (sebres)
diff --git a/config/filter.d/apache-botsearch.conf b/config/filter.d/apache-botsearch.conf
index 5687d405..7def09ac 100644
--- a/config/filter.d/apache-botsearch.conf
+++ b/config/filter.d/apache-botsearch.conf
@@ -23,14 +23,13 @@ before = apache-common.conf
[Definition]
-failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): (, referer: \S+)?\s*$
- ^%(_apache_error_client)s script '' not found or unable to stat(, referer: \S+)?\s*$
+prefregex = ^%(_apache_error_client)s (?:AH\d+: )?.+$
+
+failregex = ^(?:File does not exist|script not found or unable to stat): (, referer: \S+)?\s*$
+ ^script '' not found or unable to stat(, referer: \S+)?\s*$
ignoreregex =
-
-[Init]
-
# Webroot represents the webroot on which all other files are based
webroot = /var/www/
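Review bot: `webroot` moves out of the deleted `[Init]` section into `[Definition]` (L58-L61), which changes where a jail override has to land; whether `filter = apache-botsearch[webroot=...]` still reaches a Definition-level value depends on the fail2ban version, so this should be confirmed against the test suite and documented above the key, e.g. `# Can be overridden from the jail as filter = apache-botsearch[webroot=/srv/www/]`. The new prefregex accepts any `AH\d+` code where the old pattern pinned AH00128/AH00130/AH01264, so matching now rests on the message text alone and a one-line comment saying so would help. The host placeholder and the `<F-CONTENT>` wrapper are not visible in this rendering, presumably a display artefact rather than a defect in the file.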
diff --git a/config/filter.d/apache-shellshock.conf b/config/filter.d/apache-shellshock.conf
index 39df1704..e2707dc0 100644
--- a/config/filter.d/apache-shellshock.conf
+++ b/config/filter.d/apache-shellshock.conf
@@ -9,8 +9,10 @@ before = apache-common.conf
[Definition]
-failregex = ^%(_apache_error_client)s (AH01215: )?/bin/(ba)?sh: warning: HTTP_.*?: ignoring function definition attempt(, referer: \S+)?\s*$
- ^%(_apache_error_client)s (AH01215: )?/bin/(ba)?sh: error importing function definition for `HTTP_.*?'(, referer: \S+)?\s*$
+prefregex = ^%(_apache_error_client)s (AH01215: )?/bin/([bd]a)?sh: .+$
+
+failregex = ^warning: HTTP_[^:]+: ignoring function definition attempt(, referer: \S+)?\s*$
+ ^error importing function definition for `HTTP_[^']+'(, referer: \S+)?\s*$
ignoreregex =
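Review bot: the new prefregex on L70 uses capturing groups `(AH01215: )?` and `([bd]a)?` where the other filters rewritten in this change use `(?:AH\d+: )?`; `prefregex = ^%(_apache_error_client)s (?:AH01215: )?/bin/(?:[bd]a)?sh: .+$` keeps the style uniform and stops allocating groups nothing reads. Widening `(ba)?sh` to `([bd]a)?sh` is a genuine improvement and deserves a line, e.g. `# covers sh, bash and dash as the CGI shell`. `HTTP_[^:]+` in the failregexes is also tighter than the old `HTTP_.*?`, since a header name cannot contain a colon, and that could be noted too.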
diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf
index df55d288..b9871b6c 100644
--- a/config/filter.d/asterisk.conf
+++ b/config/filter.d/asterisk.conf
@@ -18,16 +18,18 @@ iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?
-failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
- ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(:\d+\) to extension '[^']*' rejected because extension not found in context
- ^%(__prefix_line)s%(log_prefix)s Host failed to authenticate as '[^']*'$
- ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from \)$
- ^%(__prefix_line)s%(log_prefix)s Host failed MD5 authentication for '[^']*' \([^)]+\)$
- ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@\S*$
- ^%(__prefix_line)s%(log_prefix)s hacking attempt detected ''$
- ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)//\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
- ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from "$
- ^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
+prefregex = ^%(__prefix_line)s%(log_prefix)s .+$
+
+failregex = ^Registration from '[^']*' failed for '(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
+ ^Call from '[^']*' \(:\d+\) to extension '[^']*' rejected because extension not found in context
+ ^Host failed to authenticate as '[^']*'$
+ ^No registration for peer '[^']*' \(from \)$
+ ^Host failed MD5 authentication for '[^']*' \([^)]+\)$
+ ^Failed to authenticate (user|device) [^@]+@\S*$
+ ^hacking attempt detected ''$
+ ^SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)//\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
+ ^"Rejecting unknown SIP connection from "$
+ ^Request (?:'[^']*' )?from '[^']*' failed for '(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
ignoreregex =
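Review bot: the alternation on L94 lists `Not a local domain` twice (fourth and last alternative), a pre-existing redundancy carried over verbatim that this rewrite is the natural place to drop. The `'(:\d+)?'` and `\(:\d+\)` fragments presumably wrap a `<HOST>` tag in the real file, lost in rendering, as is the `<F-CONTENT>` group of the prefregex. A comment above `prefregex`, e.g. `# prefregex strips timestamp/severity/source; failregex sees only the message text`, would explain to readers why every pattern below it now starts at the message.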
diff --git a/config/filter.d/courier-smtp.conf b/config/filter.d/courier-smtp.conf
index fc0afc26..888753c4 100644
--- a/config/filter.d/courier-smtp.conf
+++ b/config/filter.d/courier-smtp.conf
@@ -12,8 +12,10 @@ before = common.conf
_daemon = courieresmtpd
-failregex = ^%(__prefix_line)serror,relay=,.*: 550 User (<.*> )?unknown\.?$
- ^%(__prefix_line)serror,relay=,msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?(?: \S+)$
+prefregex = ^%(__prefix_line)serror,relay=,.+$
+
+failregex = ^[^:]*: 550 User (<.*> )?unknown\.?$
+ ^msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?(?: \S+)$
ignoreregex =
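Review bot: `^[^:]*: 550 User` on L115 replaces the old `.*: 550 User` and so now requires that nothing between the relay host and the SMTP code contains a colon; the `from=<...>,to=<...>` fields carry attacker-supplied addresses, and as far as I recall a quoted local part may legally contain `:`, in which case such a reject line goes unmatched. If that trade-off is acceptable it deserves a comment, e.g. `# address fields are assumed colon-free; [^:]* avoids backtracking`, otherwise `.*?: 550 User` keeps the old reach at little cost. `relay=,` in the prefregex presumably wraps a `<HOST>` tag lost in rendering.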
diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf
index 3c45a332..966a7e86 100644
--- a/config/filter.d/dovecot.conf
+++ b/config/filter.d/dovecot.conf
@@ -7,13 +7,16 @@ before = common.conf
[Definition]
-_daemon = (auth|dovecot(-auth)?|auth-worker)
+_auth_worker = (?:dovecot: )?auth(?:-worker)?
+_daemon = (dovecot(-auth)?|auth)
-failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$
- ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
- ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
- ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,\): unknown user\s*$
- ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,,\S*\): invalid credentials\s*$
+prefregex = ^%(__prefix_line)s(%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap)-login: )?(?:Info: )?.+$
+
+failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$
+ ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
+ ^pam\(\S+,\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
+ ^(?:pam|passwd-file)\(\S+,\): unknown user\s*$
+ ^ldap\(\S*,,\S*\): invalid credentials\s*$
ignoreregex =
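Review bot: `auth-worker` is removed from `_daemon` on L126 and only reappears inside `_auth_worker`, which the prefregex places after `__prefix_line`; a line whose syslog identifier is literally `auth-worker[123]:` (the case the old `_daemon` alternation covered) would no longer pass the prefix unless `__prefix_line` in common.conf handles it some other way, so this is worth checking against the sample logs in the test suite. If dropping it is intended, a comment above `_daemon`, e.g. `# auth-worker is matched as a sub-prefix via _auth_worker, not as the syslog tag`, would stop the next reader from re-adding it. The `<F-CONTENT>` group and host placeholders are not visible in this rendering, presumably a display artefact.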
diff --git a/config/filter.d/dropbear.conf b/config/filter.d/dropbear.conf
index 288b0882..930bb128 100644
--- a/config/filter.d/dropbear.conf
+++ b/config/filter.d/dropbear.conf
@@ -23,9 +23,11 @@ before = common.conf
_daemon = dropbear
-failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from :\d+$
- ^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from (:\d+)?$
- ^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from :\d+\s*$
+prefregex = ^%(__prefix_line)s(?:[Ll]ogin|[Bb]ad|[Ee]xit).+$
+
+failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from :\d+$
+ ^[Bb]ad (PAM )?password attempt for .+ from (:\d+)?$
+ ^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from :\d+\s*$
ignoreregex =
diff --git a/config/filter.d/exim-common.conf b/config/filter.d/exim-common.conf
index 0e1b74fa..b3b25750 100644
--- a/config/filter.d/exim-common.conf
+++ b/config/filter.d/exim-common.conf
@@ -9,7 +9,9 @@ after = exim-common.local
[Definition]
-host_info = (?:H=([\w.-]+ )?(?:\(\S+\) )?)?\[\](?::\d+)? (?:I=\[\S+\](:\d+)? )?(?:U=\S+ )?(?:P=e?smtp )?
+host_info_pre = (?:H=([\w.-]+ )?(?:\(\S+\) )?)?
+host_info_suf = (?::\d+)?(?: I=\[\S+\](:\d+)?)?(?: U=\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\S+))?\s
+host_info = %(host_info_pre)s\[\]%(host_info_suf)s
pid = (?: \[\d+\])?
# DEV Notes:
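Review bot: in `host_info_suf` (L163) the sender field `F=(?:<>|[^@]+@\S+)` lets `[^@]+` run across whitespace, so on a line whose sender contains no `@` the engine scans forward to the next `@` anywhere in the message before backtracking; `[^@\s]+@\S+` keeps the field to a single token and avoids that. The trailing `\s` now always consumes one whitespace character after the host block where the old pattern used a literal space per element, which is fine but is now a contract every `%(host_info)s` user in exim.conf depends on and could be stated, e.g. `# host_info always ends with exactly one whitespace character`. `\[\]` on L164 presumably wraps a `<HOST>` tag lost in rendering.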
diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf
index a1d699c0..5d293429 100644
--- a/config/filter.d/exim.conf
+++ b/config/filter.d/exim.conf
@@ -13,14 +13,17 @@ before = exim-common.conf
[Definition]
+# Fre-filter via "prefregex" is currently inactive because of too different failure syntax in exim-log (testing needed):
+#prefregex = ^%(pid)s \b(?:\w+ authenticator failed|([\w\-]+ )?SMTP (?:(?:call|connection) from|protocol(?: synchronization)? error)|no MAIL in|(?:%(host_info_pre)s\[[^\]]+\]%(host_info_suf)s(?:sender verify fail|rejected RCPT|dropped|AUTH command))).+$
+
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
- ^%(pid)s %(host_info)sF=(?:<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user)\s*$
+ ^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user)\s*$
^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$
^%(pid)s SMTP protocol error in "AUTH \S*(?: \S*)?" %(host_info)sAUTH command used when not advertised\s*$
^%(pid)s no MAIL in SMTP connection from (?:\S* )?(?:\(\S*\) )?%(host_info)sD=\d+s(?: C=\S*)?\s*$
- ^%(pid)s \S+ SMTP connection from (?:\S* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
+ ^%(pid)s ([\w\-]+ )?SMTP connection from (?:\S* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
ignoreregex =
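Review bot: the comment on L173 reads `Fre-filter` and should be `Pre-filter`, and `([\w\-]+ )?` on L185 is a capturing group where the rest of the line uses `(?:...)`, so `(?:[\w\-]+ )?` keeps the style consistent. The disabled prefregex is reasonable to keep as a draft, but "testing needed" should say what would unblock it, e.g. `# TODO: enable once every exim sample log in the test suite still matches with it`. L177 still carries its own inline host pattern instead of `%(host_info)s`, presumably because the authenticator line has no `H=` prefix; a short comment would make that intentional rather than an oversight.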
diff --git a/config/filter.d/froxlor-auth.conf b/config/filter.d/froxlor-auth.conf
index 04003263..d8f3785c 100644
--- a/config/filter.d/froxlor-auth.conf
+++ b/config/filter.d/froxlor-auth.conf
@@ -25,8 +25,11 @@ _daemon = Froxlor
# (?:::f{4,6}:)?(?P[\w\-.^_]+)
# Values: TEXT
#
-failregex = ^%(__prefix_line)s\[Login Action \] Unknown user \S* tried to login.$
- ^%(__prefix_line)s\[Login Action \] User \S* tried to login with wrong password.$
+
+prefregex = ^%(__prefix_line)s\[Login Action \] .+$
+
+failregex = ^Unknown user \S* tried to login.$
+ ^User \S* tried to login with wrong password.$
# Option: ignoreregex
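Review bot: the `.` before `$` in `tried to login.$` (L200) and `wrong password.$` (L201) is unescaped and matches any character; `login\.$` and `password\.$` pin the literal full stop the log text contains. This was already so in the removed lines, so it is not a regression, but the rewrite is the natural place to fix it. `\[Login Action \]` presumably reads `\[Login Action <HOST>\]` in the file, the tag having been lost in rendering.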
diff --git a/config/filter.d/murmur.conf b/config/filter.d/murmur.conf
index 507bbd2f..f5f100a6 100644
--- a/config/filter.d/murmur.conf
+++ b/config/filter.d/murmur.conf
@@ -17,8 +17,10 @@ _usernameregex = [^>]+
_prefix = \s+\d+ => <\d+:%(_usernameregex)s\(-1\)> Rejected connection from :\d+:
-failregex = ^%(_prefix)s Invalid server password$
- ^%(_prefix)s Wrong certificate or password for existing user$
+prefregex = ^%(_prefix)s .+$
+
+failregex = ^Invalid server password$
+ ^Wrong certificate or password for existing user$
ignoreregex =
diff --git a/config/filter.d/named-refused.conf b/config/filter.d/named-refused.conf
index eec3d667..2e14d442 100644
--- a/config/filter.d/named-refused.conf
+++ b/config/filter.d/named-refused.conf
@@ -34,9 +34,11 @@ __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
-failregex = ^%(__line_prefix)s( error:)?\s*client #\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
- ^%(__line_prefix)s( error:)?\s*client #\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
- ^%(__line_prefix)s( error:)?\s*client #\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
+prefregex = ^%(__line_prefix)s( error:)?\s*client #\S+( \([\S.]+\))?: .+$
+
+failregex = ^(view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
+ ^zone transfer '\S+/AXFR/\w+' denied\s*$
+ ^bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
ignoreregex =
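Review bot: `(view (internal|external): )?` on L228 recognises only two view names, but BIND view names are chosen by the operator, so a denial logged under any other view (say `view dmz:`) falls through even though the new prefregex passes it; `(?:view [\w-]+: )?` would cover them, and the hard-coded pair is pre-existing rather than introduced here. Both groups on that line could be non-capturing for consistency with `(?: \(cache\))?`. `client #\S+` in the prefregex presumably reads `client <HOST>#\S+` in the real file, with the tag lost in rendering.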
diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf
index 3051409b..005ed585 100644
--- a/config/filter.d/postfix.conf
+++ b/config/filter.d/postfix.conf
@@ -12,13 +12,15 @@ before = common.conf
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
-failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 554 5\.7\.1 .*$
- ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
- ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
- ^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname;
- ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[\]: 550 5\.1\.1 .*$
- ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
- ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[\]:?$
+prefregex = ^%(__prefix_line)s(?:NOQUEUE: reject:|improper command pipelining) .+$
+
+failregex = ^RCPT from \S+\[\]: 554 5\.7\.1
+ ^RCPT from \S+\[\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
+ ^RCPT from \S+\[\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
+ ^EHLO from \S+\[\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname;
+ ^VRFY from \S+\[\]: 550 5\.1\.1
+ ^RCPT from \S+\[\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
+ ^after \S+ from [^[]*\[\]:?$
ignoreregex =
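Review bot: `^after \S+ from [^[]*\[\]:?$` on L253 ends with `$` immediately after the optional colon, but at least some Postfix versions append the pipelined input after that colon (e.g. `...[1.2.3.4]: QUIT`), in which case the pattern never matches; dropping the `$` or appending `(?: .*)?$` should be checked against a real sample line. L247 and L251 dropped their `.*$` tails while the other entries keep `$`, which is harmless for a search-style match but worth a comment such as `# unanchored: anything after the enhanced status code is accepted`. `\S+\[\]` and the empty `<\S*>` slots on L249 presumably wrap placeholders lost in rendering.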
diff --git a/config/filter.d/proftpd.conf b/config/filter.d/proftpd.conf
index 4bc0ba01..455bbdfc 100644
--- a/config/filter.d/proftpd.conf
+++ b/config/filter.d/proftpd.conf
@@ -16,10 +16,14 @@ _daemon = proftpd
__suffix_failed_login = (User not authorized for login|No such user found|Incorrect password|Password expired|Account disabled|Invalid shell: '\S+'|User in \S+|Limit (access|configuration) denies login|Not a UserAlias|maximum login length exceeded).?
-failregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$
- ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ USER .* \(Login failed\): %(__suffix_failed_login)s\s*$
- ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ SECURITY VIOLATION: .* login attempted\. *$
- ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
+
+prefregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ (?:USER|SECURITY|Maximum).+$
+
+
+failregex = ^USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$
+ ^USER .* \(Login failed\): %(__suffix_failed_login)s\s*$
+ ^SECURITY VIOLATION: .* login attempted\. *$
+ ^Maximum login attempts \(\d+\) exceeded *$
ignoreregex =
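Review bot: the rewritten section leaves two consecutive blank lines before `failregex` (L267-L268) and an extra one before `prefregex` (L265), unlike the single blank line used in the other filters touched by this change; one blank line between keys keeps the file consistent. The `(?:USER|SECURITY|Maximum)` discriminator in the prefregex is a good idea and a one-line comment, e.g. `# first word of the message selects candidate lines; each failregex repeats it`, would explain why every failregex still begins with that word. `\(\S+\[\]\)` presumably wraps a `<HOST>` tag lost in rendering.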
diff --git a/config/filter.d/xinetd-fail.conf b/config/filter.d/xinetd-fail.conf
index d75e3d66..b4093d98 100644
--- a/config/filter.d/xinetd-fail.conf
+++ b/config/filter.d/xinetd-fail.conf
@@ -14,8 +14,10 @@ before = common.conf
_daemon = xinetd
-failregex = ^%(__prefix_line)sFAIL: \S+ address from=$
- ^%(__prefix_line)sFAIL: \S+ libwrap from=$
+prefregex = ^%(__prefix_line)sFAIL: .+$
+
+failregex = ^\S+ address from=$
+ ^\S+ libwrap from=$
ignoreregex =
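Review bot: the two failregexes on L284-L285 differ only in the word `address` versus `libwrap`, so a single `^\S+ (?:address|libwrap) from=<HOST>$` is simpler and is evaluated once per candidate line instead of twice, in the same `(?:...)` style the new prefregexes use. A short comment above `prefregex`, e.g. `# xinetd logs access failures as "FAIL: <service> <reason> from=<ip>"`, would document the message shape both patterns rely on. `from=` presumably wraps a `<HOST>` tag in the file, lost in rendering.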