With the release of phpMyAdmin 4.8.0, the AuthLog feature has been added: https://docs.phpmyadmin.net/en/latest/config.html#cfg_AuthLog However, the logging format has been changed from ours via patch: Apr 15 18:20:11:: pma auth user='adsf' status='mysql-denied' ip='192.168.1.2' to the AuthLog format: Apr 15 18:19:17 phpmyadmin: user denied: asdf (mysql-denied) from 192.168.1.2 The brute_filter.list does not support an option for ip_until= value of (end of string), so a NULL was added as an exception. The new phpMyAdmin entry in the: /usr/local/directadmin/data/templates/brute_filter.list is: phpmyadmin3=ip_after=%20from%20'&ip_until='&text=phpmyadmin:%20user%20denied:%20&user_after=user%20denied:%20'&user_until='%20(mysql-denied) phpmyadmin4=ip_after=%20from%20&ip_until=NULL&text=phpmyadmin:%20user%20denied:%20&user_after=user%20denied:%20&user_until=%20(mysql-denied) where ip_until=NULL lets DA use the IP until the end of the line, instead of needing to look for a character. The phpmyadmin3 is used as a workaround so we can push 4.8.0 via CB2, until DA 1.53.1 is released. CB2 will automatically add the phpmyadmin3 line to your brute_filter.list file, and will patch the file: /var/www/html/phpMyAdmin-4.8.0/libraries/classes/Logging.php so log entries look like this: Apr 15 18:19:17 phpmyadmin: user denied: 'asdf' (mysql-denied) from '192.168.1.2' simply adding single 'quotes' around the User and IP, so the ip_until option can look for ', since it's unable to look for the end of the line (until 1.53.1) using ip_until=NULL. As a result, if you want to use phpMyAdmin 4.8.0, you should upgrade to DirectAdmin 1.53.1, so that phpMyAdmin brute force attacks can be scanned by DA. The extra line in the brute_filter.list is not sufficient to allow brute force scanning.