ENH: filter.d/vsftpd - pam regex as syslog and anchored at start

ChangeLog

@@ -76,6 +76,7 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
    * filter.d/apache-auth - added expressions for mod_authz, mod_auth and
      mod_auth_digest failures.
    * filter.d/recidive -- support f2b syslog target and anchor regex at start
+   * filter.d/vsftpd - anchored regex at start. disable old pam format regex
    * filter.d/pam-generic - added syslog prefix. Disabled support for
      linux-pam before version 0.99.2.0 (2005)
    * filter.d/gssftpd - anchored regex at start

config/filter.d/vsftpd.conf

@@ -4,8 +4,15 @@
 #
 #
 
+[INCLUDES]
+
+before = common.conf
+
 [Definition]
 
+__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
+_daemon =  vsftpd
+
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
@@ -13,7 +20,7 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values: TEXT
 #
-failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
+failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty= ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
             ^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
 
 # Option:  ignoreregex