Merge pull request #406 from grooverdan/vsftp

ENH: vsftp improvements
pull/409/head
Daniel Black 11 years ago
commit 7faba5d7a4

@ -47,6 +47,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
* files/redhat-initd - rewritten to use stock init.d functions thus
avoiding problems with getpid. Also $network and iptables moved
to Should- rc init fields
Rick Mellor
* filter.d/vsftp - fix capture with tty=ftp
- New Features:
Edgar Hoch
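Review bot: The new ChangeLog entry names the filter as `filter.d/vsftp`, while the filter touched by this commit declares `_daemon = vsftpd`. If the file is named after the daemon, spell the path out in full so the entry can be found with grep. The entry would also be clearer if it said which line is affected, for example "match PAM authentication failure lines logged with tty=ftp", since "fix capture" does not tell a reader that these failures were previously not matched at all.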

@ -20,7 +20,7 @@ _daemon = vsftpd
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty= ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
# Option: ignoreregex
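Review bot: `tty=(ftp)?` in the new failregex introduces an unnamed capturing group and accepts only an empty tty or the literal `ftp`, so a PAM line with any other tty value will still go unmatched. Use a non-capturing group, `tty=(?:ftp)?`, to stay consistent with `(?:\s+user=.*)?` later on the same line. If other tty values should also count as failures, `tty=\S*` would mirror the neighbouring `logname=\S*`, `uid=\S*` and `ruser=\S*` fields.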

@ -10,3 +10,5 @@ Feb 6 12:02:29 server vsftpd(pam_unix)[15522]: authentication failure; logname=
# failJSON: { "time": "2007-01-19T12:20:33", "match": true , "host": "64.106.46.98" }
Fri Jan 19 12:20:33 2007 [pid 27202] [anonymous] FAIL LOGIN: Client "64.106.46.98"
# failJSON: { "time": "2004-10-23T21:15:42", "match": true , "host": "58.254.172.161" }
Oct 23 21:15:42 vps vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=58.254.172.161
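Review bot: The added sample covers `tty=ftp` only for a line that ends at `rhost=58.254.172.161`, so the optional `(?:\s+user=.*)?` tail of the failregex is never exercised together with the new tty branch. Add a second sample with `tty=ftp` and a trailing `user=` field, with its own failJSON line, so that a later change to either part of the expression is caught by the tests.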
