diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf
index 51c28af4..dd0e7678 100644
--- a/config/filter.d/dovecot.conf
+++ b/config/filter.d/dovecot.conf
@@ -9,7 +9,7 @@ before = common.conf
 [Definition]
-_daemon = (dovecot(-auth)?|auth-worker)
+_daemon = (auth|dovecot(-auth)?|auth-worker)
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile.
 # first regex is essentially a copy of pam-generic.conf
diff --git a/testcases/files/logs/dovecot b/testcases/files/logs/dovecot
index 733552df..80313b75 100644
--- a/testcases/files/logs/dovecot
+++ b/testcases/files/logs/dovecot
@@ -35,3 +35,7 @@ Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSER
 # failJSON: { "time": "2013-08-11T03:56:40", "match": true , "host": "1.2.3.4" }
 2013-08-11 03:56:40 auth-worker(default): Info: pam(username,1.2.3.4): pam_authenticate() failed: Authentication failure (password mismatch?)
+
+# failJSON: { "time": "2005-05-19T05:22:20", "match": true , "host": "80.255.3.104" }
+Apr 19 05:22:20 vm5 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=informix rhost=80.255.3.104
+
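Review bot: In config/filter.d/dovecot.conf the new `auth` alternative in `_daemon` is a generic syslog tag, so every failregex in this filter now also accepts lines that any PAM-using service logs under `auth:`. The failregex definitions lie outside this hunk, so it is not visible whether each pattern stays pinned to a dovecot token such as `pam_unix(dovecot:auth)` or `tty=dovecot`. If one does not, failures from unrelated services would count toward bans in the dovecot jail. I would confirm that and document the reason on the line above, e.g. `# "auth" is the tag some syslog setups use for dovecot's PAM failures (see testcases/files/logs/dovecot)`.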
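Review bot: The added sample in testcases/files/logs/dovecot is dated `Apr 19`, but its failJSON expects `2005-05-19T05:22:20`, which is May. If the test harness compares the parsed timestamp (not visible here), the case fails or asserts the wrong date, so the expectation should read `"time": "2005-04-19T05:22:20"`. Since the filter change in this commit admits the bare `auth` tag, a second sample tagged `auth:` from a non-dovecot PAM service with `"match": false` would pin that the wider `_daemon` does not pull in other services' failures.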