diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf
index 0ed7fe34..366e25ab 100644
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@@ -12,27 +12,37 @@ before = apache-common.conf
 
 [Definition]
 
-# Option:  failregex
-# Notes.:  regex to match the password failure messages in the logfile. The
-#          host must be matched by a group named "host". The tag "<HOST>" can
-#          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
-# Values:  TEXT
-
-# http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_auth_basic.c (1st 3)
-# http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_core.c (2nd 3)
-# http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_auth_digest.c (next 4)
+# This filter matches the authorization failures of Apache. It takes the log messages
+# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
+# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
+#
+# As an unauthorized response is the first step for a browser to instigate authentication
+# so don't set max retry too low.
+#
+# Source:
+#
+# By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/*
+# for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get
+# all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
+# to return the actual failure.
 
 failregex = ^%(_apache_error_client)s user .* authentication failure for "\S*": Password Mismatch$
             ^%(_apache_error_client)s user .* not found: \S*\s*$
             ^%(_apache_error_client)s client used wrong authentication scheme: \S*\s*$
             ^%(_apache_error_client)s authorization failure \(no authenticated user\): \S*\s*$
             ^%(_apache_error_client)s client denied by server configuration: (uri )?\S*\s*$
-            ^%(_apache_error_client)s user .* authorization failure for "\S*": \S*\s*$
+            ^%(_apache_error_client)s user .* authorization failure: \S*\s*$
+            ^%(_apache_error_client)s user .* authorization failure for "\S*": \s*$
             ^%(_apache_error_client)s invalid nonce .* received - (length|hash) is not \S+\s*$
             ^%(_apache_error_client)s invalid nonce .* received - user attempted time travel\s*$
             ^%(_apache_error_client)s user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
             ^%(_apache_error_client)s user .*: one-time-nonce mismatch - sending new nonce\s*$
+            ^%(_apache_error_client)s realm mismatch - got `.*' but expected `.+'\s*$
+            ^%(_apache_error_client)s unknown algorithm `\S+' received: \S*\s*"$
+            ^%(_apache_error_client)s user `.*' in realm `.+' (not found|denied by provider): \S*\s*"$
+            ^%(_apache_error_client)s user .* password mismatch: \S*\s*"$
+            ^%(_apache_error_client)s invalid qop `.*' received: \S*\s*"$
+
 
 
 # Option:  ignoreregex