Better differentiation between web-access and pure-transfer logs

[bchavet]

Apache access logs are being decoded as PureFTP transfer logs because the first part of the log entries for each of these uses the same format. This change makes the prematch more specific.

[cgzones]

Can you provide some log examples?

[bchavet]

The log examples are already present in the decoder.xml file. For example:

pure-transfer:
example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220

web-accesslog:
123.4.5.6 aa.xx.com - [05/Nov/2006:00:46:56 -0500] "GET / HTTP/1.1" 302 -

As you can see, the first part of these entries use the same format, so web-accesslog was being matched as pure-transfer. The differentiator is that web-accesslog entries have HTTP* in the quoted string after the date. So, the change I am proposing just makes the prematch go farther down the string to make sure the right decoder is used.

[cgzones]

Based on your log examples:
Can't we distinguish both at the start?
pure-transfer:

^\S+ - \S+ [...

web-accesslog:

^\S+ \S+ - [...

[bchavet]

No, because those dashes are not necessarily always dashes, they are just placeholders for when there is no data to put there. For web-accesslog, this would be a username if HTTP authentication is used, for example.

[bchavet]

This is directly related to #158