diff --git a/etc/decoder.xml b/etc/decoder.xml index 887473f90..5a96b08d3 100755 --- a/etc/decoder.xml +++ b/etc/decoder.xml @@ -559,11 +559,13 @@ Jan 8 19:32:41 tp.lan dropbear[15165]: Pubkey auth succeeded for 'root' with ke - Sun Jun 4 22:08:39 2006 [pid 21611] [dcid] OK LOGIN: Client "192.168.2.10" - Sun Jun 4 22:09:22 2006 [pid 21622] CONNECT: Client "192.168.2.10" - Sun Jun 4 22:09:24 2006 [pid 21621] [lalal] FAIL LOGIN: Client "192.168.2.10" - - Sat Jun 3 07:51:42 2006 [pid 25073] [Administrator] FAIL LOGIN: Client - "211.100.27.101" + - Sat Jun 3 07:51:42 2006 [pid 25073] [Administrator] FAIL LOGIN: Client "211.100.27.101" - Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec - Jul 13 12:31:20 www vsftpd: Sun Jul 13 10:31:20 2008 [pid 27528] [anonymous] FAIL LOGIN: Client "84.140.234.76" - --> + - Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php" + - Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777" + - Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php" + ^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] Client "(\S+)"$ @@ -576,7 +578,46 @@ Jan 8 19:32:41 tp.lan dropbear[15165]: Pubkey auth succeeded for 'root' with ke Client "(\S+)"$ srcip +--> + + + + ^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] + + + + ^vsftpd + ^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] + + + + vsftpd + LOGIN: + [(\S+)] (\S+ LOGIN): Client "(\d+.\d+.\d+.\d+)"$ + user,status,srcip + + + + vsftpd + ^CONNECT: + (CONNECT): Client "(\d+.\d+.\d+.\d+)"$ + action,srcip + + + + vsftpd + [(\S+)] (OK \S+): Client "(\d+.\d+.\d+.\d+)", "(\.+)"\.* + user,status,srcip,url + + + + vsftpd + Client "(\d+.\d+.\d+.\d+)"$ + srcip +
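Review bot: The new vsftpd child decoders capture the client address only as `(\d+.\d+.\d+.\d+)`, whereas the decoder being commented out used `Client "(\S+)"$`. Any line whose quoted client value is not a plain dotted quad (for example an IPv6 or IPv4-mapped form, if vsftpd listens on IPv6) would no longer yield srcip, and LOGIN lines would presumably lose user and status as well. Rules that correlate failed logins by source address would then miss those events. I would keep the last, catch-all child at `Client "(\S+)"$`, use `"(\S+)"` for the address group in the LOGIN and CONNECT patterns, and add a non-IPv4 sample to the log examples in the comment. The XML element names are not visible in this view, so the placement of these patterns is inferred from the regex and field-order text.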