From b64bf3fa7b8b70c39e9fdff554f29d306543f7f4 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sat, 5 Oct 2013 19:18:44 +1000 Subject: [PATCH] ENH: filter.d/webmin anchor at start and use syslog --- ChangeLog | 1 + config/filter.d/webmin-auth.conf | 23 ++++++++++------------- testcases/files/logs/webmin-auth | 4 ++++ 3 files changed, 15 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index 46b12528..96fefa45 100644 --- a/ChangeLog +++ b/ChangeLog @@ -84,6 +84,7 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests regular expressions with the -D parameter. * filter.d/sshd - regex enhancements to support openssh-6.3. Closes Debian bug #722970 + * filter.d/webmin - anchored regex at start Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий * filter.d/exim.conf -- regex hardening and extra failure examples in sample logs diff --git a/config/filter.d/webmin-auth.conf b/config/filter.d/webmin-auth.conf index 67f6e73f..b98075b5 100644 --- a/config/filter.d/webmin-auth.conf +++ b/config/filter.d/webmin-auth.conf @@ -5,23 +5,20 @@ # # +[INCLUDES] + +before = common.conf + +[Definition] + +_daemon = webmin + [Definition] # patern : webmin[15673]: Non-existent login as toto from 86.0.6.217 # webmin[29544]: Invalid login as root from 86.0.6.217 # -# Option: failregex -# Notes.: regex to match the password failure messages in the logfile. The -# host must be matched by a group named "host". The tag "" can -# be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P[\w\-.^_]+) -# Values: TEXT -# -failregex = webmin.* Non-existent login as .+ from \s*$ - webmin.* Invalid login as .+ from \s*$ +failregex = ^%(__prefix_line)sNon-existent login as .+ from \s*$ + ^%(__prefix_line)sInvalid login as .+ from \s*$ -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# ignoreregex = 
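Review bot: The added `[Definition]` header in config/filter.d/webmin-auth.conf sits directly above the existing `[Definition]` context line, so the patched file appears to declare that section twice; the hunk counts of 10 added and 10 context lines support this reading. Python 2's ConfigParser merges repeated sections silently, but Python 3's configparser in its default strict mode raises DuplicateSectionError. If the filter is ever loaded that way it would fail to parse, and webmin login failures would go unbanned. Drop the old `[Definition]` line so `_daemon = webmin` and `failregex` share a single header. The hunk also removes the only comment explaining that the host must be captured by the host tag; a one-line comment above `failregex`, such as `# the host tag must capture the client address at end of line`, would keep that constraint visible.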
diff --git a/testcases/files/logs/webmin-auth b/testcases/files/logs/webmin-auth
index 424c114d..1ad9f2a6 100644
--- a/testcases/files/logs/webmin-auth
+++ b/testcases/files/logs/webmin-auth
@@ -7,3 +7,7 @@ Dec 13 08:15:18 sb1 webmin[25875]: Invalid login as root from 89.2.49.230
 #2 User does not exists
 # failJSON: { "time": "2004-12-12T23:14:19", "match": true , "host": "188.40.105.142" }
 Dec 12 23:14:19 sb1 webmin[22134]: Non-existent login as robert from 188.40.105.142
+
+# failJSON: { "time": "2004-09-25T10:38:11", "match": true , "host": "14.200.251.155" }
+Sep 25 10:38:11 platypus webmin[27249]: Non-existent login as admin@goodeyedeer.com.au from 14.200.251.155
+
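Review bot: The new sample covers a login name containing `@`, but nothing in this hunk pins the trailing `\s*$` anchor against a login name that itself contains ` from ` followed by an address. The login name is client-supplied and matched by `.+`, so a later regression in the end anchor could make the filter ban the address embedded in the name instead of the connecting one. A constructed regression line such as `webmin[PID]: Non-existent login as a from 192.0.2.1 from 198.51.100.7`, with a failJSON expecting host `198.51.100.7`, would lock that in. The earlier lines of the file are outside this hunk, so such a case may already exist there.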