From 8b54523316022d2f4e017f353ad1892f06b6bd8e Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Wed, 6 Nov 2013 12:13:37 +1100 Subject: [PATCH] BF: fix to filter.d/wuftp to support pam authentication - Debian bug #665925 --- ChangeLog | 2 ++ config/filter.d/wuftpd.conf | 3 +++ testcases/files/logs/wuftpd | 2 ++ 3 files changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index 6497a731..4fcc7cd0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -80,6 +80,8 @@ IMPORTANT incompatible changes: * filter.d/mysqld-auth.conf - mysql can use syslog * filter.d/sshd - regex enhancements to support openssh-6.3. Closes Debian bug #722970 + * filter.d/wuftpd - regex enhancements to support pam and wuftpd. Closes + Debian bug #665925 Rolf Fokkens * action.d/dshield.conf and complain.conf -- reorder mailx arguments. https://bugzilla.redhat.com/show_bug.cgi?id=998020 diff --git a/config/filter.d/wuftpd.conf b/config/filter.d/wuftpd.conf index 942de82a..45149f60 100644 --- a/config/filter.d/wuftpd.conf +++ b/config/filter.d/wuftpd.conf @@ -11,8 +11,11 @@ before = common.conf [Definition] _daemon = wu-ftpd +__pam_re=\(?pam_unix(?:\(wu-ftpd:auth\))?\)?:? failregex = ^%(__prefix_line)sfailed login from \S+ \[\]\s*$ + ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=(?:\s+user=.*)?\s*$ + ignoreregex = diff --git a/testcases/files/logs/wuftpd b/testcases/files/logs/wuftpd index bbb816cc..948e848f 100644 --- a/testcases/files/logs/wuftpd +++ b/testcases/files/logs/wuftpd 
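Review bot: The added failregex line ends in `(?:\s+user=.*)?\s*$`, and `user=` presumably carries the login name the client attempted, so this free-form tail deserves a comment above `__pam_re`. It is tolerable only because the pattern stays anchored at `^%(__prefix_line)s` and the host field is matched before it, e.g. `# user= is client-supplied; keep it after rhost= and keep the ^ anchor`. As rendered here nothing follows `rhost=` before that group, and the unchanged line shows an empty `\[\]`, which looks like the `<HOST>` tag being lost in display. Confirm the committed pattern reads `rhost=<HOST>`, since the test entry expects a host to be extracted. `tty=(ftp)?` also adds a capturing group where the rest of the line uses `(?:...)`; `tty=(?:ftp)?` would be consistent.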
@@ -3,3 +3,5 @@ Oct 6 09:59:26 myserver wu-ftpd[18760]: failed login from hj-145-173-a8.bta.net.cn [202.108.145.173] # failJSON: { "time": "2004-10-11T16:45:07", "match": true , "host": "198.51.100.71" } Oct 11 16:45:07 ubuntu wu-ftpd[2360]: failed login from example.com [198.51.100.71] +# failJSON: { "time": "2005-03-22T09:35:02", "match": true , "host": "198.51.100.71" } +Mar 22 09:35:02 SiD wu-ftpd[31278]: pam_unix(wu-ftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.71 user=root
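Review bot: Only one PAM sample is added, the `pam_unix(wu-ftpd:auth):` form with an empty `tty=` and a trailing `user=root`, so the other branches the new regex permits are never exercised. Those are the bare or parenthesised `pam_unix` prefix, `tty=ftp`, and a line with no `user=` field. One sample per branch would pin the intended log formats. A line that must not match, such as a non-failure PAM message from the same daemon, would catch a later loosening of `__pam_re` before it causes bans on benign entries.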