authorJonas Smedegaard <dr@jones.dk>2003-01-14 13:26:21 +0000
committerJonas Smedegaard <dr@jones.dk>2003-01-14 13:26:21 +0000
commit1dbe2953294e07e7f47f42362e56483175c5abb3 (patch)
tree8628f99d52ccee6fa0e11c16e3ac0c658b6ef7d0
parent1bcc79de8e0005561c4bdcf9c1327ba6e0a7300c (diff)
Various corecctions and improvements.
-rw-r--r--logcheck/ignore.d.server/dhcp3-common2
-rw-r--r--logcheck/ignore.d.server/local9
-rw-r--r--logcheck/ignore.d.server/postfix7
-rw-r--r--logcheck/ignore.d.workstation/local13
-rw-r--r--logcheck/ignore.d.workstation/misc4
-rw-r--r--logcheck/violations.ignore.d/local8
-rw-r--r--logcheck/violations.ignore.d/postfix8
7 files changed, 33 insertions, 18 deletions
diff --git a/logcheck/ignore.d.server/dhcp3-common b/logcheck/ignore.d.server/dhcp3-common
index cac905b..f4e016f 100644
--- a/logcheck/ignore.d.server/dhcp3-common
+++ b/logcheck/ignore.d.server/dhcp3-common
@@ -4,7 +4,7 @@ dhcpd: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+
dhcpd: DHCPACK to [\.0-9]+$
dhcpd: DHCPDISCOVER from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+$
dhcpd: DHCPINFORM from [\.0-9]+$
-dhcpd: DHCPRELEASE of [\.0-9]+$
+dhcpd: DHCPRELEASE of [\.0-9]+( of [\.0-9]+( \([\.0-9]+\))? from [0-9a-f:]+( \([^\)]+\)+ via eth[0-9]+( \(found\))?)?$
dhcpd: DHCPREQUEST for [\.0-9]+( \([\.0-9]+\))? from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+$
dhcpd: ICMP Echo reply while lease [\.0-9]+ valid.$
dhcpd: Wrote [0-9]+ (leases|deleted host decls|new dynamic host decls) to leases file\.$
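Review bot: The new DHCPRELEASE pattern has unbalanced parentheses: the group opened at `( of [\.0-9]+` is never closed, and `( \([^\)]+\)+` looks like a typo for `( \([^\)]+\))?`. egrep rejects a pattern with an unmatched `(`, and because the ignore file is used as one pattern list, a single invalid line may stop every rule in the file from being applied; confirm how the installed logcheck reacts to an egrep error. The repeated ` of [\.0-9]+` also looks unintended. Something like `dhcpd: DHCPRELEASE of [\.0-9]+( from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+( \(found\))?)?$` seems to be what was meant, to be checked against a real dhcpd log line. The same line is added in ignore.d.server/local and ignore.d.workstation/local.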
diff --git a/logcheck/ignore.d.server/local b/logcheck/ignore.d.server/local
index b5d411a..4979fc9 100644
--- a/logcheck/ignore.d.server/local
+++ b/logcheck/ignore.d.server/local
@@ -87,7 +87,7 @@ dhcpd: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+
dhcpd: DHCPACK to [\.0-9]+$
dhcpd: DHCPDISCOVER from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+$
dhcpd: DHCPINFORM from [\.0-9]+$
-dhcpd: DHCPRELEASE of [\.0-9]+$
+dhcpd: DHCPRELEASE of [\.0-9]+( of [\.0-9]+( \([\.0-9]+\))? from [0-9a-f:]+( \([^\)]+\)+ via eth[0-9]+( \(found\))?)?$
dhcpd: DHCPREQUEST for [\.0-9]+( \([\.0-9]+\))? from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+$
dhcpd: ICMP Echo reply while lease [\.0-9]+ valid.$
dhcpd: Wrote [0-9]+ (leases|deleted host decls|new dynamic host decls) to leases file\.$
@@ -220,11 +220,11 @@ postfix/smtp\[[0-9]+\]: setting up TLS connection to [^[:space:]]+$
postfix/smtp\[[0-9]+\]: warning: bad size limit "truncates" in EHLO reply from [^[:space:]]+$
postfix/smtp\[[0-9]+\]: warning: host [^[:space:]]+\[[\.0-9]+\] (greeted me|replied to HELO/EHLO) with my own hostname [^[:space:]]+$
postfix/smtp\[[0-9]+\]: warning: no MX host for [^[:space:]]+ has a valid A record$
-postfix/smtpd?\[[0-9]+\]: (Unv|V)erified: subject_CN=[^,]+, issuer=[^,]+$
+postfix/smtpd?\[[0-9]+\]: (Unv|V)erified: subject_CN=[^,]+, issuer=.*$
postfix/smtpd?\[[0-9]+\]: TLS connection established (from|to) [^[:space:]]+: (SSL|TLS)v[123] with cipher [^[:space:]]+ \([0-9/]+ bits\)$
postfix/smtpd?\[[0-9]+\]: fingerprint=[0-9A-F:]+$
postfix/smtpd?\[[0-9]+\]: setting up TLS connection (from|to) [^[:space:]]+\[[\.0-9]+\]$
-postfix/smtpd?\[[0-9]+\]: verify error:num=18:self signed certificate$
+postfix/smtpd?\[[0-9]+\]: verify error:num=(18:self signed certificate|20:unable to get local issuer certificate|21:unable to verify the first certificate|26:unsupported certificate purpose|27:certificate not trusted)$
postfix/smtpd?\[[0-9]+\]: warning: (numeric|malformed) domain name in resource data of MX record for [^[:space:]]+: [^[:space:]]*$
postfix/smtpd?\[[0-9]+\]: warning: valid_hostname: (empty hostname|invalid character [0-9]+\(decimal\): [^[:space:]]+)$
postfix/smtpd\[[0-9]+\]: ((dis)?connect|setting up TLS connection|lost connection after AUTH) from [^[:space:]]+\[[\.0-9]+\]$
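Review bot: The widened `verify error:num=(18:…|20:…|21:…|26:…|27:…)` rule keeps the `postfix/smtpd?` prefix, so it silences certificate verification failures for the outgoing smtp client as well as for smtpd. That is reasonable noise reduction under opportunistic TLS, but on a host that requires verified TLS towards particular relays these lines may be the only report-level evidence of an untrusted or substituted certificate. Consider limiting the new codes to the side where they are known to be noise, or add a comment above the rule such as `# opportunistic TLS only: drop this rule if peer certificates are enforced`. The `issuer=.*$` change on the `(Unv|V)erified` line now accepts any remote-supplied text up to end of line and deserves a mention in the same comment. The identical changes appear in ignore.d.server/postfix and ignore.d.workstation/local.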
@@ -232,8 +232,9 @@ postfix/smtpd\[[0-9]+\]: (lost connection|timeout) after [^ ]+ from [^[:space:]]
postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: [^[:space:]]+\[[\.0-9]+\], sasl_method=PLAIN, sasl_username=[[:alnum:]]+$
postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in (MAIL command: <[^>]+>|RCPT command: )$
postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: address not listed for hostname [^[:space:]]+$
+postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host name has no address$
postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\] sent ([^[:space:]]+ header|mail content) instead of SMTP command: .*
-postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\]: hostname [^[:space:]]+ verification failed: Host (name has no address|not found)$
+postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\]: hostname [^[:space:]]+ verification failed: Host not found$
# These are only for postfix >= 2.0:
postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server dropped connection without sending the initial greeting \(port 25\)$
### ignore.d.server/postgresql
diff --git a/logcheck/ignore.d.server/postfix b/logcheck/ignore.d.server/postfix
index af1916e..8973c62 100644
--- a/logcheck/ignore.d.server/postfix
+++ b/logcheck/ignore.d.server/postfix
@@ -13,11 +13,11 @@ postfix/smtp\[[0-9]+\]: setting up TLS connection to [^[:space:]]+$
postfix/smtp\[[0-9]+\]: warning: bad size limit "truncates" in EHLO reply from [^[:space:]]+$
postfix/smtp\[[0-9]+\]: warning: host [^[:space:]]+\[[\.0-9]+\] (greeted me|replied to HELO/EHLO) with my own hostname [^[:space:]]+$
postfix/smtp\[[0-9]+\]: warning: no MX host for [^[:space:]]+ has a valid A record$
-postfix/smtpd?\[[0-9]+\]: (Unv|V)erified: subject_CN=[^,]+, issuer=[^,]+$
+postfix/smtpd?\[[0-9]+\]: (Unv|V)erified: subject_CN=[^,]+, issuer=.*$
postfix/smtpd?\[[0-9]+\]: TLS connection established (from|to) [^[:space:]]+: (SSL|TLS)v[123] with cipher [^[:space:]]+ \([0-9/]+ bits\)$
postfix/smtpd?\[[0-9]+\]: fingerprint=[0-9A-F:]+$
postfix/smtpd?\[[0-9]+\]: setting up TLS connection (from|to) [^[:space:]]+\[[\.0-9]+\]$
-postfix/smtpd?\[[0-9]+\]: verify error:num=18:self signed certificate$
+postfix/smtpd?\[[0-9]+\]: verify error:num=(18:self signed certificate|20:unable to get local issuer certificate|21:unable to verify the first certificate|26:unsupported certificate purpose|27:certificate not trusted)$
postfix/smtpd?\[[0-9]+\]: warning: (numeric|malformed) domain name in resource data of MX record for [^[:space:]]+: [^[:space:]]*$
postfix/smtpd?\[[0-9]+\]: warning: valid_hostname: (empty hostname|invalid character [0-9]+\(decimal\): [^[:space:]]+)$
postfix/smtpd\[[0-9]+\]: ((dis)?connect|setting up TLS connection|lost connection after AUTH) from [^[:space:]]+\[[\.0-9]+\]$
@@ -25,7 +25,8 @@ postfix/smtpd\[[0-9]+\]: (lost connection|timeout) after [^ ]+ from [^[:space:]]
postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: [^[:space:]]+\[[\.0-9]+\], sasl_method=PLAIN, sasl_username=[[:alnum:]]+$
postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in (MAIL command: <[^>]+>|RCPT command: )$
postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: address not listed for hostname [^[:space:]]+$
+postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host name has no address$
postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\] sent ([^[:space:]]+ header|mail content) instead of SMTP command: .*
-postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\]: hostname [^[:space:]]+ verification failed: Host (name has no address|not found)$
+postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\]: hostname [^[:space:]]+ verification failed: Host not found$
# These are only for postfix >= 2.0:
postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server dropped connection without sending the initial greeting \(port 25\)$
diff --git a/logcheck/ignore.d.workstation/local b/logcheck/ignore.d.workstation/local
index 28d293b..0ffbcd5 100644
--- a/logcheck/ignore.d.workstation/local
+++ b/logcheck/ignore.d.workstation/local
@@ -87,7 +87,7 @@ dhcpd: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+
dhcpd: DHCPACK to [\.0-9]+$
dhcpd: DHCPDISCOVER from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+$
dhcpd: DHCPINFORM from [\.0-9]+$
-dhcpd: DHCPRELEASE of [\.0-9]+$
+dhcpd: DHCPRELEASE of [\.0-9]+( of [\.0-9]+( \([\.0-9]+\))? from [0-9a-f:]+( \([^\)]+\)+ via eth[0-9]+( \(found\))?)?$
dhcpd: DHCPREQUEST for [\.0-9]+( \([\.0-9]+\))? from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+$
dhcpd: ICMP Echo reply while lease [\.0-9]+ valid.$
dhcpd: Wrote [0-9]+ (leases|deleted host decls|new dynamic host decls) to leases file\.$
@@ -220,11 +220,11 @@ postfix/smtp\[[0-9]+\]: setting up TLS connection to [^[:space:]]+$
postfix/smtp\[[0-9]+\]: warning: bad size limit "truncates" in EHLO reply from [^[:space:]]+$
postfix/smtp\[[0-9]+\]: warning: host [^[:space:]]+\[[\.0-9]+\] (greeted me|replied to HELO/EHLO) with my own hostname [^[:space:]]+$
postfix/smtp\[[0-9]+\]: warning: no MX host for [^[:space:]]+ has a valid A record$
-postfix/smtpd?\[[0-9]+\]: (Unv|V)erified: subject_CN=[^,]+, issuer=[^,]+$
+postfix/smtpd?\[[0-9]+\]: (Unv|V)erified: subject_CN=[^,]+, issuer=.*$
postfix/smtpd?\[[0-9]+\]: TLS connection established (from|to) [^[:space:]]+: (SSL|TLS)v[123] with cipher [^[:space:]]+ \([0-9/]+ bits\)$
postfix/smtpd?\[[0-9]+\]: fingerprint=[0-9A-F:]+$
postfix/smtpd?\[[0-9]+\]: setting up TLS connection (from|to) [^[:space:]]+\[[\.0-9]+\]$
-postfix/smtpd?\[[0-9]+\]: verify error:num=18:self signed certificate$
+postfix/smtpd?\[[0-9]+\]: verify error:num=(18:self signed certificate|20:unable to get local issuer certificate|21:unable to verify the first certificate|26:unsupported certificate purpose|27:certificate not trusted)$
postfix/smtpd?\[[0-9]+\]: warning: (numeric|malformed) domain name in resource data of MX record for [^[:space:]]+: [^[:space:]]*$
postfix/smtpd?\[[0-9]+\]: warning: valid_hostname: (empty hostname|invalid character [0-9]+\(decimal\): [^[:space:]]+)$
postfix/smtpd\[[0-9]+\]: ((dis)?connect|setting up TLS connection|lost connection after AUTH) from [^[:space:]]+\[[\.0-9]+\]$
@@ -232,8 +232,9 @@ postfix/smtpd\[[0-9]+\]: (lost connection|timeout) after [^ ]+ from [^[:space:]]
postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: [^[:space:]]+\[[\.0-9]+\], sasl_method=PLAIN, sasl_username=[[:alnum:]]+$
postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in (MAIL command: <[^>]+>|RCPT command: )$
postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: address not listed for hostname [^[:space:]]+$
+postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host name has no address$
postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\] sent ([^[:space:]]+ header|mail content) instead of SMTP command: .*
-postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\]: hostname [^[:space:]]+ verification failed: Host (name has no address|not found)$
+postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\]: hostname [^[:space:]]+ verification failed: Host not found$
# These are only for postfix >= 2.0:
postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server dropped connection without sending the initial greeting \(port 25\)$
### ignore.d.server/postgresql
@@ -443,6 +444,10 @@ gnome-name-server\[[0-9]+\]: server_is_alive: .*
syslogd started: BusyBox v[\.0-9]+ \([^[:space:]]+\)$
init: Entering runlevel: 2
rpc.mountd: authenticated mount request from 192\.168\..* for /home/opt/ltsp/i386 \(/home/opt/ltsp/i386\)
+# Laptop sleep
+kernel: usb-ohci.c: USB suspend: usb-10:[0-9\.]+$
+kernel: eth[0-9]: suspending, WakeOnLan disabled$
+kernel: eth[0-9]: resuming$
### ignore.d.workstation/ntpdate
ntpdate\[[0-9]+\]: can't find host$
ntpdate\[[0-9]+\]: no servers can be used, exiting$
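Review bot: The three laptop-sleep patterns are written less carefully than their neighbours: the `.` in `usb-ohci.c` is unescaped, `usb-10:` hard-codes what looks like one machine's device address, and `eth[0-9]` accepts a single digit where the rest of the file uses `eth[0-9]+`. Suggested: `kernel: usb-ohci\.c: USB suspend: usb-[0-9:\.]+$` and `kernel: eth[0-9]+: (suspending, WakeOnLan disabled|resuming)$`, with the device-address form checked against real log lines from more than one machine. The same lines are added in ignore.d.workstation/misc.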
diff --git a/logcheck/ignore.d.workstation/misc b/logcheck/ignore.d.workstation/misc
index 6fe017a..ff5b6cb 100644
--- a/logcheck/ignore.d.workstation/misc
+++ b/logcheck/ignore.d.workstation/misc
@@ -2,3 +2,7 @@
syslogd started: BusyBox v[\.0-9]+ \([^[:space:]]+\)$
init: Entering runlevel: 2
rpc.mountd: authenticated mount request from 192\.168\..* for /home/opt/ltsp/i386 \(/home/opt/ltsp/i386\)
+# Laptop sleep
+kernel: usb-ohci.c: USB suspend: usb-10:[0-9\.]+$
+kernel: eth[0-9]: suspending, WakeOnLan disabled$
+kernel: eth[0-9]: resuming$
diff --git a/logcheck/violations.ignore.d/local b/logcheck/violations.ignore.d/local
index 7c07283..13974d5 100644
--- a/logcheck/violations.ignore.d/local
+++ b/logcheck/violations.ignore.d/local
@@ -43,14 +43,16 @@ postfix/local\[[0-9]+\]: warning: reject: ETRN [^[:space:]]+\.\.\. from [^[:spac
postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied$
postfix/nqmgr\[[0-9]+\]: [A-Z0-9]+: from=<[^[:space:]>]+>, size=[0-9]+, nrcpt=[0-9]+ \(queue active\)$
postfix/smtp\[[0-9]+\]: Peer verification: CommonName in certificate does not match: [^!]+ != [^[:space:]]+$
-postfix/smtp\[[0-9]+\]: [A-Z0-9]+: to=<[^>,]*>(, orig_to=<[^>,]>*)?, relay=[^[:space:]\[]+\[[\.0-9]+\], delay=[0-9]+, status=(bounced|deferred) \([^\(\)]+(\([^\(\)]*)?\)+( proto=E?SMTP helo=<[^[:space:]>]+>)?$
+postfix/smtp\[[0-9]+\]: Verified: subject_CN=[^[:space:]]+, issuer=.*$
+postfix/smtp\[[0-9]+\]: [A-Z0-9]+: to=<[^>,]*>(, orig_to=<[^>,]>*)?, relay=[^[:space:]\[,]+\[[\.0-9]+\], delay=[0-9]+, status=(bounced|deferred) \([^\(\)]+(\([^\(\)]*\))*[^\(\)]*\)( proto=E?SMTP helo=<[^[:space:]>]+>)?$
postfix/smtp\[[0-9]+\]: connect to [^[:space:]\[]+\[[\.0-9]+\]: (Connection refused|server refused mail service) \(port 25\)$
postfix/smtpd\[[0-9]+\]: reject: RCPT from [^[:space:]\[]+\[[\.0-9]+\]: 452 Insufficient system storage; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: warning: [^[:space:]\[]+\[[\.0-9]+\]: hostname [\.[:alnum:]-]+ verification failed: Host name has no address$
+postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\]: in RCPT command: .*
+postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host name has no address$
# These are only for postfix << 2.0:
postfix/smtpd\[[0-9]+\]: reject: RCPT from [^[:space:]\[]+\[[\.0-9]+\]: [45][0-9]{2} [^;]+; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
# These are only for postfix >= 2.0:
-postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: RCPT from [^[:space:]\[]+\[[\.0-9]+\]: [45][0-9]{2} [^;]+; from=<[^[:space:]>]+>( to=<[^[:space:]>]+>)? proto=E?SMTP helo=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: RCPT from [^[:space:]\[]+\[[\.0-9]+\]: [45][0-9]{2} [^;]+; from=<[^[:space:]>]*>( to=<[^[:space:]>]+>)? proto=E?SMTP helo=<[^[:space:]>]+>$
### violations.ignore.d/proftpd
proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - USER anonymous \(Login failed\): Can't find user\.$
### violations.ignore.d/samba
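Review bot: The added `Illegal address syntax from …\[[\.0-9]+\]: in RCPT command: .*` rule has a colon after the bracketed address that the matching ignore.d.server rule (`…\[[\.0-9]+\] in (MAIL command: <[^>]+>|RCPT command: )$`) does not have, so it probably never matches the line postfix writes. If the colon is a typo, use `postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in RCPT command: .*$`. Since this file removes lines from the violations report, a one-line comment saying why malformed RCPT addresses are treated as noise would help later reviewers judge the rule. The same line is added in violations.ignore.d/postfix.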
diff --git a/logcheck/violations.ignore.d/postfix b/logcheck/violations.ignore.d/postfix
index 8187ef7..58f1ea7 100644
--- a/logcheck/violations.ignore.d/postfix
+++ b/logcheck/violations.ignore.d/postfix
@@ -4,11 +4,13 @@ postfix/local\[[0-9]+\]: warning: reject: ETRN [^[:space:]]+\.\.\. from [^[:spac
postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied$
postfix/nqmgr\[[0-9]+\]: [A-Z0-9]+: from=<[^[:space:]>]+>, size=[0-9]+, nrcpt=[0-9]+ \(queue active\)$
postfix/smtp\[[0-9]+\]: Peer verification: CommonName in certificate does not match: [^!]+ != [^[:space:]]+$
-postfix/smtp\[[0-9]+\]: [A-Z0-9]+: to=<[^>,]*>(, orig_to=<[^>,]>*)?, relay=[^[:space:]\[]+\[[\.0-9]+\], delay=[0-9]+, status=(bounced|deferred) \([^\(\)]+(\([^\(\)]*)?\)+( proto=E?SMTP helo=<[^[:space:]>]+>)?$
+postfix/smtp\[[0-9]+\]: Verified: subject_CN=[^[:space:]]+, issuer=.*$
+postfix/smtp\[[0-9]+\]: [A-Z0-9]+: to=<[^>,]*>(, orig_to=<[^>,]>*)?, relay=[^[:space:]\[,]+\[[\.0-9]+\], delay=[0-9]+, status=(bounced|deferred) \([^\(\)]+(\([^\(\)]*\))*[^\(\)]*\)( proto=E?SMTP helo=<[^[:space:]>]+>)?$
postfix/smtp\[[0-9]+\]: connect to [^[:space:]\[]+\[[\.0-9]+\]: (Connection refused|server refused mail service) \(port 25\)$
postfix/smtpd\[[0-9]+\]: reject: RCPT from [^[:space:]\[]+\[[\.0-9]+\]: 452 Insufficient system storage; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: warning: [^[:space:]\[]+\[[\.0-9]+\]: hostname [\.[:alnum:]-]+ verification failed: Host name has no address$
+postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\]: in RCPT command: .*
+postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host name has no address$
# These are only for postfix << 2.0:
postfix/smtpd\[[0-9]+\]: reject: RCPT from [^[:space:]\[]+\[[\.0-9]+\]: [45][0-9]{2} [^;]+; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
# These are only for postfix >= 2.0:
-postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: RCPT from [^[:space:]\[]+\[[\.0-9]+\]: [45][0-9]{2} [^;]+; from=<[^[:space:]>]+>( to=<[^[:space:]>]+>)? proto=E?SMTP helo=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: RCPT from [^[:space:]\[]+\[[\.0-9]+\]: [45][0-9]{2} [^;]+; from=<[^[:space:]>]*>( to=<[^[:space:]>]+>)? proto=E?SMTP helo=<[^[:space:]>]+>$