I finally got my hands on the subject, but I am not in a position to play with regular expressions.
REGEX:
#failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$

This captures only these kinds of logs on auth.log:
#Aug 6 22:25:59 fileserver proftpd[18234]: fileserver.mzalendo.net (202.102.135.54[202.102.135.54]) - USER !...@#$%^&*: no such user found from 202.102.135.54 [202.102.135.54] to 192.168.1.34:21

It misses this:
#Aug 7 20:47:18 fileserver proftpd[23323]: fileserver.mzalendo.net (gendesktop.mzalendo.net[192.168.1.33]) - USER mysql (Login failed): Incorrect password.

Anyone with a smarter regex and interested to share it with me?
I will see if I can learn regex and try to manipulate these expressions.

Thanks
GR
mrfroasty

--
Extra details:
OSS:Gentoo Linux
profile:x86
Hardware:msi geforce 8600GT asus p5k-se
location:/home/muhsin
language(s):C/C++,VB,VHDL,bash,PHP,SQL,HTML,CSS
Typo:40WPM
url:http://www.mzalendo.net
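Added example (not part of the original post and not fail2ban's shipped filter): a Python check that runs the quoted failregex and one candidate pattern for the missed "(Login failed)" line over the two log lines above plus a constructed successful login. The `HOST` expansion is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, and `LOGIN_FAILED`, `compile_failregex` and `offending_host` are names assumed here.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Regex quoted in the post.
NO_SUCH_USER = r"USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$"
# Added candidate (assumption, not from the post): keys on the "(name[ip])"
# client field that precedes " - USER ..." in both sample lines.
LOGIN_FAILED = r"\(\S+\[<HOST>\]\)[: -]+USER \S+ \(Login failed\): .*$"

# The two log lines from the post, verbatim.
CAUGHT = ("Aug 6 22:25:59 fileserver proftpd[18234]: fileserver.mzalendo.net "
          "(202.102.135.54[202.102.135.54]) - USER !...@#$%^&*: no such user "
          "found from 202.102.135.54 [202.102.135.54] to 192.168.1.34:21")
MISSED = ("Aug 7 20:47:18 fileserver proftpd[23323]: fileserver.mzalendo.net "
          "(gendesktop.mzalendo.net[192.168.1.33]) - USER mysql "
          "(Login failed): Incorrect password.")
# Constructed line: a successful login that must not count as a failure.
BENIGN = ("Aug 7 20:50:01 fileserver proftpd[23400]: fileserver.mzalendo.net "
          "(gendesktop.mzalendo.net[192.168.1.33]) - USER muhsin: "
          "Login successful.")


def compile_failregex(pattern):
    """Substitute the <HOST> tag with the stand-in group and compile."""
    return re.compile(pattern.replace("<HOST>", HOST))


def offending_host(line, patterns=(NO_SUCH_USER, LOGIN_FAILED)):
    """Return the client address captured by the first matching pattern."""
    for pattern in patterns:
        match = compile_failregex(pattern).search(line)
        if match:
            return match.group("host")
    return None


if __name__ == "__main__":
    for line in (CAUGHT, MISSED, BENIGN):
        print(offending_host(line), "<-", line[:50] + "...")
```

Before enabling a new failregex, the fail2ban-regex tool can run it against the real auth.log to confirm what it matches.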