Newer MySQL/MariaDB entries will log values like this to the .err log: 2017-12-29 20:03:09 140587380020992 [Warning] Access denied for user 'root'@'184.108.40.206' (using password: NO) In the logs: /var/lib/mysql/`hostname`.err or Debian/FreeBSD: /home/mysql/`hostname`.err A new directadmin.conf variable, internal default: brute_force_mysql_log=/var/lib/mysql/|HOSTNAME|.err or for Debian/FreeBSD: brute_force_mysql_log=/home/mysql/|HOSTNAME|.err where the value set is parsed for |HOSTNAME|, becoming for example: [root@server directadmin]# ./directadmin c |grep brute_force_mysql_log brute_force_mysql_log=/var/lib/mysql/server.hostanme.com.err at directadmin.conf read-time. Note that many older mysql versions don't add the failed log entries by default. Some require setting log_warnings=2 or log_error_verbosity=2 (or higher) See the documentation for your given mysqld server version for more info on the "warning" level of logging. ================ DISABLE to shut off the feature just set: brute_force_mysql_log=0 in the directadmin.conf, and it won't parse the err log at all. ================ CUSTOM VALUE If you've set some other log path in your /etc/my.cnf, you can tell DA about the new path, with (for example): brute_force_mysql_log=/var/log/mysql.log The |HOSTNAME| token can be tokenized in a custom value, in case you need some other path. Although, you could just set the value hardcoded as well to rule out any issues. ================ |HOSTNAME| token This value is taken from the directadmin.conf servername, so ensure that's correct and matches your actual hostname. DA already has a nightly check to let you know if `hostname` doesn't match server. ================ FILES brute_filter.list, new value: mysql1=text=[Warning] Access denied for user '&ip_after=@'&ip_until='&user_after=user '&user_until='