This optional parameter specifies the format that is to be
used to log authentication failures in Filename when LogFormatHook is not
defined. You can use any of the special characters defined. For more
information about special characters, see
Section 3.3. Special formatters. Also %0 is replaced
by the message severity level, %1 by the reason string and %2 by the
tracing identifier. The default value is
%l:%U:%P:FAIL
.
This logs time stamp in long format, current User-Name, decoded password
and text FAIL.
CAUTION
The default FailureFormat logs the
plaintext password entered by the user. Some organisations prefer that
user passwords are not logged. In that case, FailureFormat that does not
include the %P (decoded password) special character is
preferable.