Hello, Attached are the vsftpd login/login failure events I found. There was no trace of logout in the logs. Question: what is the correct way dealing with the last rule? It has "vsftpd" twice in it. I checked, and obviously only the last appearance counts. Is it worth to define it twice? linux-6y8u:/local/czanik/tmp/syslog-ng-patterndb/file-service # pdbtool match -D -p vsftpd.pdb -P vsftpd -M "pam_listfile(bla1:auth): Refused user root for service bla2" Pattern matching part: pam_listfile(@STRING:usracct.service=bla1@:auth): Refused user @ESTRING:usracct.username=root@for service @ANYSTRING:usracct.service=bla2@ Matching part: pam_listfile(bla1:auth): Refused user root for service bla2 Values: MESSAGE=pam_listfile(bla1:auth): Refused user root for service bla2 PROGRAM=vsftpd .classifier.class=system .classifier.rule_id=7256a6d6-c720-11df-8a1d-000c298c9ba2 usracct.username=root usracct.service=bla2 usracct.type=login usracct.sessionid= usracct.application=vsftpd secevt.verdict=REJECT Bye, -- Peter Czanik (CzP) <czanik@balabit.hu> BalaBit IT Security / syslog-ng upstream http://czanik.blogs.balabit.com/