BF: fix to filter.d/wuftp to support pam authentication - Debian bug #665925

ChangeLog

@@ -80,6 +80,8 @@ IMPORTANT incompatible changes:
    * filter.d/mysqld-auth.conf - mysql can use syslog
    * filter.d/sshd - regex enhancements to support openssh-6.3. Closes Debian
      bug #722970
+   * filter.d/wuftpd - regex enhancements to support pam and wuftpd. Closes
+     Debian bug #665925
   Rolf Fokkens
    * action.d/dshield.conf and complain.conf -- reorder mailx arguments.
      https://bugzilla.redhat.com/show_bug.cgi?id=998020

config/filter.d/wuftpd.conf

@@ -11,8 +11,11 @@ before = common.conf
 [Definition]
 
 _daemon = wu-ftpd
+__pam_re=\(?pam_unix(?:\(wu-ftpd:auth\))?\)?:?
 
 failregex = ^%(__prefix_line)sfailed login from \S+ \[<HOST>\]\s*$
+            ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+
 
 ignoreregex = 
 

testcases/files/logs/wuftpd

@@ -3,3 +3,5 @@
 Oct  6 09:59:26 myserver wu-ftpd[18760]: failed login from hj-145-173-a8.bta.net.cn [202.108.145.173]
 # failJSON: { "time": "2004-10-11T16:45:07", "match": true , "host": "198.51.100.71" }
 Oct 11 16:45:07 ubuntu wu-ftpd[2360]: failed login from example.com [198.51.100.71]
+# failJSON: { "time": "2005-03-22T09:35:02", "match": true , "host": "198.51.100.71" }
+Mar 22 09:35:02 SiD wu-ftpd[31278]: pam_unix(wu-ftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.71  user=root