diff --git a/ChangeLog b/ChangeLog index bbad4e89..e98bcaa6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -47,6 +47,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests * files/redhat-initd - rewritten to use stock init.d functions thus avoiding problems with getpid. Also $network and iptables moved to Should- rc init fields + Rick Mellor + * filter.d/vsftp - fix capture with tty=ftp - New Features: Edgar Hoch diff --git a/config/filter.d/vsftpd.conf b/config/filter.d/vsftpd.conf index 661fbb61..e72b89eb 100644 --- a/config/filter.d/vsftpd.conf +++ b/config/filter.d/vsftpd.conf @@ -20,7 +20,7 @@ _daemon = vsftpd # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # -failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty= ruser=\S* rhost=(?:\s+user=.*)?\s*$ +failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=(?:\s+user=.*)?\s*$ ^ \[pid \d+\] \[.+\] FAIL LOGIN: Client ""\s*$ # Option: ignoreregex diff --git a/testcases/files/logs/vsftpd b/testcases/files/logs/vsftpd index 4be6a8f8..bcd7f611 100644 --- a/testcases/files/logs/vsftpd +++ b/testcases/files/logs/vsftpd @@ -10,3 +10,5 @@ Feb 6 12:02:29 server vsftpd(pam_unix)[15522]: authentication failure; logname= # failJSON: { "time": "2007-01-19T12:20:33", "match": true , "host": "64.106.46.98" } Fri Jan 19 12:20:33 2007 [pid 27202] [anonymous] FAIL LOGIN: Client "64.106.46.98" +# failJSON: { "time": "2004-10-23T21:15:42", "match": true , "host": "58.254.172.161" } +Oct 23 21:15:42 vps vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=58.254.172.161
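Review bot: In the new `failregex` line of config/filter.d/vsftpd.conf, `tty=(ftp)?` adds an unnamed capturing group and pins the field to one literal, while the neighbouring PAM fields on the same line (`logname=\S*`, `uid=\S*`, `euid=\S*`, `ruser=\S*`) accept any non-space token. If only the empty and `ftp` values are meant to match, `tty=(?:ftp)?` keeps a stray group out of the match; if the aim is that no PAM failure line is skipped because of its tty value, `tty=\S*` follows the other fields. A line the filter misses is a failed login that never counts toward a ban, so the narrow form deserves a comment above the regex such as `# tty= is logged either empty or as "ftp"`. The added log sample covers `tty=ftp` without the optional trailing `user=` field. A second sample that includes that suffix would pin the tail of the pattern, which takes client-supplied text up to the end of the line.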