Hello, Attached are the pure-ftpd login/logout/failure patterns and the sample file I used. Some notes: - logouts, where username is "?" are not tagged, as these just mark that a TCP/IP connection is teared down - PAM messages are not tagged, as that would create duplicate messages about the same event. The variable part of them is simply discarded with an @ANYSTRING@ - anonymous login/logout events are tagged, username is set to "anonymous" from "ftp" You can check the attached pure-ftpd.pdb with the following command: cat pure-ftpd.samples | grep -v CzP | pdbtool match -p pure-ftpd.pdb -f - CzP lines are comments... Please check it on your own pure-ftpd logs to see, if I missed anything! Thanks! Bye, -- Peter Czanik (CzP) <czanik@balabit.hu> BalaBit IT Security / syslog-ng upstream http://czanik.blogs.balabit.com/