authorJonas Smedegaard <dr@jones.dk>2004-02-22 10:23:41 +0000
committerJonas Smedegaard <dr@jones.dk>2004-02-22 10:23:41 +0000
commit2bb63b0b81fb7aec533eaf645591426662e17124 (patch)
tree0b972a4acc300ac0c324c8af136582e047d1ae2c
parentae37e39e2ccfac4f25624a62e5f82e963a4f18a4 (diff)
Tighten all rules to strict left side, based on su rules.
-rw-r--r--logcheck/ignore.d.server/amanda2
-rw-r--r--logcheck/ignore.d.server/amavis14
-rw-r--r--logcheck/ignore.d.server/anacron16
-rw-r--r--logcheck/ignore.d.server/bind.changes46
-rw-r--r--logcheck/ignore.d.server/bind.tmp4
-rw-r--r--logcheck/ignore.d.server/courier34
-rw-r--r--logcheck/ignore.d.server/dancer-ircd6
-rw-r--r--logcheck/ignore.d.server/dhcp-client8
-rw-r--r--logcheck/ignore.d.server/dhcp.changes14
-rw-r--r--logcheck/ignore.d.server/dhcp3-common24
-rw-r--r--logcheck/ignore.d.server/gdm2
-rw-r--r--logcheck/ignore.d.server/gdm.da_DK8
-rw-r--r--logcheck/ignore.d.server/hotplug8
-rw-r--r--logcheck/ignore.d.server/hylafax-server20
-rw-r--r--logcheck/ignore.d.server/imp2
-rw-r--r--logcheck/ignore.d.server/libgpmg12
-rw-r--r--logcheck/ignore.d.server/libgpmg1.da_DK2
-rw-r--r--logcheck/ignore.d.server/libpam-modules2
-rw-r--r--logcheck/ignore.d.server/local710
-rw-r--r--logcheck/ignore.d.server/mailutils-imap4d10
-rw-r--r--logcheck/ignore.d.server/misc16
-rw-r--r--logcheck/ignore.d.server/murasaki14
-rw-r--r--logcheck/ignore.d.server/nagios4
-rw-r--r--logcheck/ignore.d.server/netatalk.changes60
-rw-r--r--logcheck/ignore.d.server/netsaint10
-rw-r--r--logcheck/ignore.d.server/nfs-kernel-server6
-rw-r--r--logcheck/ignore.d.server/non-debian12
-rw-r--r--logcheck/ignore.d.server/ntp-simple.changes12
-rw-r--r--logcheck/ignore.d.server/pop-before-smtp2
-rw-r--r--logcheck/ignore.d.server/postfix82
-rw-r--r--logcheck/ignore.d.server/postgresql4
-rw-r--r--logcheck/ignore.d.server/ppp18
-rw-r--r--logcheck/ignore.d.server/proftpd14
-rw-r--r--logcheck/ignore.d.server/rpld2
-rw-r--r--logcheck/ignore.d.server/samba4
-rw-r--r--logcheck/ignore.d.server/sfs-client4
-rw-r--r--logcheck/ignore.d.server/sfs-server4
-rw-r--r--logcheck/ignore.d.server/spamassassin10
-rw-r--r--logcheck/ignore.d.server/squid20
-rw-r--r--logcheck/ignore.d.server/ssh22
-rw-r--r--logcheck/ignore.d.server/ssmtp2
-rw-r--r--logcheck/ignore.d.server/sysklogd2
-rw-r--r--logcheck/ignore.d.server/tftpd4
-rw-r--r--logcheck/ignore.d.server/tmp154
-rw-r--r--logcheck/ignore.d.server/ucd-snmp2
-rw-r--r--logcheck/ignore.d.server/uptimed2
-rw-r--r--logcheck/ignore.d.workstation/bind10
-rw-r--r--logcheck/ignore.d.workstation/devfsd4
-rw-r--r--logcheck/ignore.d.workstation/dhcp-client8
-rw-r--r--logcheck/ignore.d.workstation/gconf.changes12
-rw-r--r--logcheck/ignore.d.workstation/gconf.da_DK14
-rw-r--r--logcheck/ignore.d.workstation/laptop-net4
-rw-r--r--logcheck/ignore.d.workstation/libgnorba6
-rw-r--r--logcheck/ignore.d.workstation/local116
-rw-r--r--logcheck/ignore.d.workstation/misc28
-rw-r--r--logcheck/ignore.d.workstation/ntp-simple4
-rw-r--r--logcheck/ignore.d.workstation/ntpdate6
-rw-r--r--logcheck/ignore.d.workstation/oaf2
-rw-r--r--logcheck/ignore.d.workstation/pmud10
-rw-r--r--logcheck/ignore.d.workstation/sfs-client4
-rw-r--r--logcheck/ignore.d.workstation/usbutils4
-rw-r--r--logcheck/violations.ignore.d/amavis16
-rw-r--r--logcheck/violations.ignore.d/amavisd-new4
-rw-r--r--logcheck/violations.ignore.d/bind2
-rw-r--r--logcheck/violations.ignore.d/bind.tmp2
-rw-r--r--logcheck/violations.ignore.d/dhcp-client4
-rw-r--r--logcheck/violations.ignore.d/dovecot-common2
-rw-r--r--logcheck/violations.ignore.d/libpam-modules2
-rw-r--r--logcheck/violations.ignore.d/local164
-rw-r--r--logcheck/violations.ignore.d/misc2
-rw-r--r--logcheck/violations.ignore.d/netatalk.changes16
-rw-r--r--logcheck/violations.ignore.d/netsaint22
-rw-r--r--logcheck/violations.ignore.d/pmud2
-rw-r--r--logcheck/violations.ignore.d/postfix28
-rw-r--r--logcheck/violations.ignore.d/proftpd2
-rw-r--r--logcheck/violations.ignore.d/samba4
-rw-r--r--logcheck/violations.ignore.d/ssh4
-rw-r--r--logcheck/violations.ignore.d/temp52
78 files changed, 990 insertions, 990 deletions
diff --git a/logcheck/ignore.d.server/amanda b/logcheck/ignore.d.server/amanda
index 7a6ab62..21026ee 100644
--- a/logcheck/ignore.d.server/amanda
+++ b/logcheck/ignore.d.server/amanda
@@ -1 +1 @@
-amandad\[[0-9]+\]: connect from
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amandad\[[0-9]+\]: connect from
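Review bot: The new rule is anchored on the left but still open on the right, because it ends at `connect from` with no pattern for the peer and no `$`. Any amandad line that begins this way is suppressed, whatever follows. Consider closing it, for example `amandad\[[0-9]+\]: connect from [^[:space:]]+$`, after checking the exact format amandad logs. The same open right side remains in ignore.d.server/bind.changes (`Lame delegation`, `Response from`, `reloading`, `Received NOTIFY answer`) and in the first rule of ignore.d.server/gdm.da_DK.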
diff --git a/logcheck/ignore.d.server/amavis b/logcheck/ignore.d.server/amavis
index e808f67..142f9d6 100644
--- a/logcheck/ignore.d.server/amavis
+++ b/logcheck/ignore.d.server/amavis
@@ -1,7 +1,7 @@
-amavis\[[0-9]+\]: cached [a-f0-9]+ from <[^[:space:]]*>$
-amavis\[[0-9]+\]: infected \([^[:space:]]+\), from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine virus-[0-9-]+$
-amavis\[[0-9]+\]: local delivery: <[^[:space:]]*> -> <(spam|virus)-quarantine>, mbx=/var/lib/amavis/virusmails/(spam|virus)-[[:alnum:]-]+(\.gz)?$
-amavis\[[0-9]+\]: mail checking ended: (DISCARD|REJECT)$
-amavis\[[0-9]+\]: spam from=(<[^>]+>|\(\?\)), to=(<[^>]+>,)+ quarantine spam-[0-9a-f-]+$
-amavis\[[0-9]+\]: spam_scan: (No|Yes), hits=[\.0-9-]+ tests=[,_A-Z0-9]+ <[^>]*>$
-amavis\[[0-9]+\]: spam_scan: whitelisted sender <[^[:space:]]+>, spam check skipped$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: cached [a-f0-9]+ from <[^[:space:]]*>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: infected \([^[:space:]]+\), from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine virus-[0-9-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: local delivery: <[^[:space:]]*> -> <(spam|virus)-quarantine>, mbx=/var/lib/amavis/virusmails/(spam|virus)-[[:alnum:]-]+(\.gz)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: mail checking ended: (DISCARD|REJECT)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: spam from=(<[^>]+>|\(\?\)), to=(<[^>]+>,)+ quarantine spam-[0-9a-f-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: spam_scan: (No|Yes), hits=[\.0-9-]+ tests=[,_A-Z0-9]+ <[^>]*>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: spam_scan: whitelisted sender <[^[:space:]]+>, spam check skipped$
diff --git a/logcheck/ignore.d.server/anacron b/logcheck/ignore.d.server/anacron
index 88498d3..e44d69e 100644
--- a/logcheck/ignore.d.server/anacron
+++ b/logcheck/ignore.d.server/anacron
@@ -1,8 +1,8 @@
-/USR/SBIN/CRON\[[0-9]+\]: \(root\) CMD \(test -e /usr/sbin/anacron || run-parts --report /etc/cron.(daily|weekly|monthly)\) $
-anacron\[[0-9]+\]: Anacron 2.3 started on [0-9-]+$
-anacron\[[0-9]+\]: Job `cron.(daily|weekly|monthly)' started$
-anacron\[[0-9]+\]: Job `cron.(daily|weekly|monthly)' terminated( \(exit status: 1\))?( \(mailing output\))?$
-anacron\[[0-9]+\]: Jobs will be executed sequentially$
-anacron\[[0-9]+\]: Normal exit \([0-9]+ jobs run\)$
-anacron\[[0-9]+\]: Updated timestamp for job `cron.(daily|weekly|monthly)' to [0-9-]+$
-anacron\[[0-9]+\]: Will run job `cron.(daily|weekly|monthly)' in (5|10|15) min\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \(root\) CMD \(test -e /usr/sbin/anacron || run-parts --report /etc/cron.(daily|weekly|monthly)\) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Anacron 2.3 started on [0-9-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Job `cron.(daily|weekly|monthly)' started$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Job `cron.(daily|weekly|monthly)' terminated( \(exit status: 1\))?( \(mailing output\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Jobs will be executed sequentially$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Normal exit \([0-9]+ jobs run\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Updated timestamp for job `cron.(daily|weekly|monthly)' to [0-9-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Will run job `cron.(daily|weekly|monthly)' in (5|10|15) min\.$
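Review bot: The unescaped `||` in the first rule is parsed as ERE alternation, so the new `^\w{3} ...` prefix binds only to the text before the first `|`. The last alternative, ` run-parts --report /etc/cron.(daily|weekly|monthly)\) $`, stays unanchored on the left. Under GNU grep -E the empty middle alternative also matches the empty string, which would make this ignore rule match every line. Escape both pipes and the dot: `anacron \|\| run-parts --report /etc/cron\.(daily|weekly|monthly)\) $`. The same rule is repeated in the ignore.d.server/local hunk.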
diff --git a/logcheck/ignore.d.server/bind.changes b/logcheck/ignore.d.server/bind.changes
index 49328b2..1477317 100644
--- a/logcheck/ignore.d.server/bind.changes
+++ b/logcheck/ignore.d.server/bind.changes
@@ -1,23 +1,23 @@
-named\[[0-9]+\]: Lame delegation
-named\[[0-9]+\]: Lame server on '[^[:space:]]+' \(in '[^[:space:]]+'\?\): \[[\.0-9]+\]\.[0-9]+ '[^[:space:]]+'$
-named\[[0-9]+\]: Response from
-named\[[0-9]+\]: reloading
-named\[[0-9]+\]: Cleaned cache of [0-9]+ RRsets$
-named\[[0-9]+\]: Sent NOTIFY for [^[:space:]]+$
-named\[[0-9]+\]: approved AXFR from [^[:space:]]+ for [^[:space:]]+$
-named\[[0-9]+\]: zone transfer \(AXFR\) of [^[:space:]]+ to [^[:space:]]+$
-named\[[0-9]+\]: suppressing duplicate notify$
-named\[[0-9]+\]: USAGE [0-9]+ [0-9]+ CPU=[\.0-9]+u/[\.0-9]+s CHILDCPU=[\.0-9]+u/[\.0-9]+s$
-named\[[0-9]+\]: NSTATS [0-9]+ [0-9]+( (38|A|AAAA|ANY|AXFR|CNAME|IXFR|MX|NS|PTR|SOA|TXT)=[0-9]+)*$
-named\[[0-9]+\]: XSTATS [0-9]+ [0-9]+( (RR|RNXD|RFwdR|RDupR|RFail|RFErr|RErr|RAXFR|RLame|ROpts|SSysQ|SAns|SFwdQ|SDupQ|SErr|RQ|RIQ|RFwdQ|RDupQ|RTCP|SFwdR|SFail|SFErr|SNaAns|SNXD|RUQ|RURQ|RUXFR|RUUpd)=[0-9]+)*$
-named\[[0-9]+\]: lame server resolving '[^[:space:]]+' \(in '[^[:space:]]+'\?\): [\.0-9.]+#[0-9]+$
-named\[[0-9]+\]: Received NOTIFY answer
-named\[[0-9]+\]: (master |slave )?zone "[^[:space:]]+" \(IN\) loaded \(serial [0-9]+\)$
-named\[[0-9]+\]: (ns_forw|ns_resp|sysquery): query\([^[:space:]]+\) (NS points to CNAME \([^[:space:]]+\)|No possible A RRs|All possible A RR's lame|Bogus LOOPBACK A RR \([^[:space:]]+\))( learnt \([^[:space:]]+\))?$
-named\[[0-9]+\]: client [\.0-9.]+#[0-9]+: transfer of '[^[:space:]]+/IN': AXFR(-style IXFR)? started$
-named\[[0-9]+\]: zone [^[:space:]]+: transfered serial [0-9]+$
-named\[[0-9]+\]: transfer of '[^[:space:]]+' from [^[:space:]]+: end of transfer$
-named\[[0-9]+\]: zone [^[:space:]]+/IN: sending notifies \(serial [0-9]+\)$
-named\[[0-9]+\]: rcvd NOTIFY\([^[:space:]]+, IN, SOA\) from \[[\.0-9]+\]\.[0-9]+$
-named\[[0-9]+\]: late CNAME in answer section for [^[:space:]]+$
-named\[[0-9]+\]: unrelated additional info '[^[:space:]]+' type A from \[[\.0-9]+\]\.[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: Lame delegation
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: Lame server on '[^[:space:]]+' \(in '[^[:space:]]+'\?\): \[[\.0-9]+\]\.[0-9]+ '[^[:space:]]+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: Response from
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: reloading
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: Cleaned cache of [0-9]+ RRsets$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: Sent NOTIFY for [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: approved AXFR from [^[:space:]]+ for [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone transfer \(AXFR\) of [^[:space:]]+ to [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: suppressing duplicate notify$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: USAGE [0-9]+ [0-9]+ CPU=[\.0-9]+u/[\.0-9]+s CHILDCPU=[\.0-9]+u/[\.0-9]+s$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: NSTATS [0-9]+ [0-9]+( (38|A|AAAA|ANY|AXFR|CNAME|IXFR|MX|NS|PTR|SOA|TXT)=[0-9]+)*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: XSTATS [0-9]+ [0-9]+( (RR|RNXD|RFwdR|RDupR|RFail|RFErr|RErr|RAXFR|RLame|ROpts|SSysQ|SAns|SFwdQ|SDupQ|SErr|RQ|RIQ|RFwdQ|RDupQ|RTCP|SFwdR|SFail|SFErr|SNaAns|SNXD|RUQ|RURQ|RUXFR|RUUpd)=[0-9]+)*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: lame server resolving '[^[:space:]]+' \(in '[^[:space:]]+'\?\): [\.0-9.]+#[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: Received NOTIFY answer
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: (master |slave )?zone "[^[:space:]]+" \(IN\) loaded \(serial [0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: (ns_forw|ns_resp|sysquery): query\([^[:space:]]+\) (NS points to CNAME \([^[:space:]]+\)|No possible A RRs|All possible A RR's lame|Bogus LOOPBACK A RR \([^[:space:]]+\))( learnt \([^[:space:]]+\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client [\.0-9.]+#[0-9]+: transfer of '[^[:space:]]+/IN': AXFR(-style IXFR)? started$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone [^[:space:]]+: transfered serial [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: transfer of '[^[:space:]]+' from [^[:space:]]+: end of transfer$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone [^[:space:]]+/IN: sending notifies \(serial [0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: rcvd NOTIFY\([^[:space:]]+, IN, SOA\) from \[[\.0-9]+\]\.[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: late CNAME in answer section for [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: unrelated additional info '[^[:space:]]+' type A from \[[\.0-9]+\]\.[0-9]+$
diff --git a/logcheck/ignore.d.server/bind.tmp b/logcheck/ignore.d.server/bind.tmp
index ba68c79..23d3f02 100644
--- a/logcheck/ignore.d.server/bind.tmp
+++ b/logcheck/ignore.d.server/bind.tmp
@@ -1,2 +1,2 @@
-named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out$
-named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied$
diff --git a/logcheck/ignore.d.server/courier b/logcheck/ignore.d.server/courier
index 5c36114..0bce4c8 100644
--- a/logcheck/ignore.d.server/courier
+++ b/logcheck/ignore.d.server/courier
@@ -1,17 +1,17 @@
-courierpop3login: Connection, ip=\[::ffff:.*\]
-courierpop3login: LOGIN, user=.*, ip=\[::ffff:.*\]
-courierpop3login: LOGOUT, user=.*, ip=\[::ffff:.*\], top=.* retr=.*
-courierpop3login: Disconnected, ip=\[::ffff:.*\]
-courierpop3login: TIMEOUT, user=.*, ip=\[::ffff:.*\], top=0, retr=0
-pop3d-ssl: Connection, ip=\[::ffff:.*\]
-pop3d-ssl: LOGIN, user=.*, ip=\[::ffff:.*\]
-pop3d-ssl: LOGOUT, user=.*, ip=\[::ffff:.*\], top=.*, retr=.*
-pop3d-ssl: TIMEOUT, user=.*, ip=\[::ffff:.*\],top=.*, retr=.*
-imaplogin: Connection, ip=\[::ffff:.*\]
-imaplogin: LOGIN, user=.*, ip=\[::ffff:.*\]
-imaplogin: LOGOUT, user=.*, ip=\[::ffff:.*\], headers=.* body=.*
-imaplogin: DISCONNECTED, user=.*, ip=\[::ffff:.*\].*
-imapd-ssl: LOGOUT, user=.*, ip=\[::ffff:.*\], headers=.* body=.*
-imapd-ssl: Connection, ip=\[::ffff:.*\]
-imapd-ssl: LOGIN, user=.*, ip=\[::ffff:.*\]
-imapd-ssl: DISCONNECTED, user=.*, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierpop3login: Connection, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierpop3login: LOGIN, user=.*, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierpop3login: LOGOUT, user=.*, ip=\[::ffff:.*\], top=.* retr=.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierpop3login: Disconnected, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierpop3login: TIMEOUT, user=.*, ip=\[::ffff:.*\], top=0, retr=0
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pop3d-ssl: Connection, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pop3d-ssl: LOGIN, user=.*, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pop3d-ssl: LOGOUT, user=.*, ip=\[::ffff:.*\], top=.*, retr=.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pop3d-ssl: TIMEOUT, user=.*, ip=\[::ffff:.*\],top=.*, retr=.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imaplogin: Connection, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imaplogin: LOGIN, user=.*, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imaplogin: LOGOUT, user=.*, ip=\[::ffff:.*\], headers=.* body=.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imaplogin: DISCONNECTED, user=.*, ip=\[::ffff:.*\].*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd-ssl: LOGOUT, user=.*, ip=\[::ffff:.*\], headers=.* body=.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd-ssl: Connection, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd-ssl: LOGIN, user=.*, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd-ssl: DISCONNECTED, user=.*, ip=\[::ffff:.*\]
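Review bot: These rules keep `user=.*` and `ip=\[::ffff:.*\]` with no `$`, so the tightened left side is undone by a right side that accepts arbitrary text. The login name is chosen by the remote client, and `.*` spans spaces and commas, so a line is ignored regardless of what the user field or the tail contains. Bounded classes and an end anchor would close this, e.g. for the LOGIN rules `LOGIN, user=[^[:space:],]+, ip=\[::ffff:[.0-9]+\]$`, with the character class checked against the account names actually in use. The `from .*` fields in the two `RECV FAX` rules of ignore.d.server/hylafax-server have the same shape and presumably also carry remotely supplied text.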
diff --git a/logcheck/ignore.d.server/dancer-ircd b/logcheck/ignore.d.server/dancer-ircd
index 8c0475a..ab1e569 100644
--- a/logcheck/ignore.d.server/dancer-ircd
+++ b/logcheck/ignore.d.server/dancer-ircd
@@ -1,3 +1,3 @@
-ircd\[[0-9]+\]: ircd exiting: autodie$
-ircd\[[0-9]+\]: Server Ready$
-(ircd\[[0-9]+\]: )?binding stream socket [\.[:alnum:]]+\[\*\.666[789]\]: Address already in use$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ircd\[[0-9]+\]: ircd exiting: autodie$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ircd\[[0-9]+\]: Server Ready$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (ircd\[[0-9]+\]: )?binding stream socket [\.[:alnum:]]+\[\*\.666[789]\]: Address already in use$
diff --git a/logcheck/ignore.d.server/dhcp-client b/logcheck/ignore.d.server/dhcp-client
index 854b4c5..7c1991e 100644
--- a/logcheck/ignore.d.server/dhcp-client
+++ b/logcheck/ignore.d.server/dhcp-client
@@ -1,5 +1,5 @@
# NB: dhcp 2-x entries are in dhcp
-dhclient(-2.2.x)?: DHCP(REQUEST|DISCOVER) on [^[:space:]]+ to [\.0-9]+ port 67( interval [0-9]+)?$
-dhclient(-2.2.x)?: DHCP(ACK|OFFER) from [\.0-9]+$
-dhclient(-2.2.x)?: bound to [\.0-9]+ -- renewal in [0-9]+ seconds\.$
-dhclient(-2.2.x)?: irda0: unknown hardware address type 783$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: DHCP(REQUEST|DISCOVER) on [^[:space:]]+ to [\.0-9]+ port 67( interval [0-9]+)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: DHCP(ACK|OFFER) from [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: bound to [\.0-9]+ -- renewal in [0-9]+ seconds\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: irda0: unknown hardware address type 783$
diff --git a/logcheck/ignore.d.server/dhcp.changes b/logcheck/ignore.d.server/dhcp.changes
index 3980d63..b4fb547 100644
--- a/logcheck/ignore.d.server/dhcp.changes
+++ b/logcheck/ignore.d.server/dhcp.changes
@@ -1,8 +1,8 @@
# NB: dhcp3 entries are in dhcp3-common
-dhcpd-2.2.x: Abandoning IP address [\.0-9]+: (declined\.|pinged before offer) ?$
-dhcpd-2.2.x: BOOT(DISCOVER|REQUEST) from [0-9a-f:]+ via eth[0-9]+ (\(non-rfc1048)\) ?$
-dhcpd-2.2.x: BOOTREPLY for [\.0-9]+ to [^[:space:]]+ \([0-9a-f:]+\) via eth[0-9]+ ?$
-dhcpd-2.2.x: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+ via eth[0-9]+ ?$
-dhcpd-2.2.x: DHCP(DECLINE on|RELEASE of|REQUEST for) [\.0-9]+ from [0-9a-f:]+( \([^[:space:]]+\))? via eth[0-9]+ \((not )?found\) ?$
-dhcpd-2.2.x: DHCPINFORM from [\.0-9]+ ?$
-dhcpd-2.2.x: DHCPREQUEST for [\.0-9]+ from [0-9a-f:]+( \([^[:space:]]+\))? via eth[0-9]+: wrong network\. ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: Abandoning IP address [\.0-9]+: (declined\.|pinged before offer) ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: BOOT(DISCOVER|REQUEST) from [0-9a-f:]+ via eth[0-9]+ (\(non-rfc1048)\) ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: BOOTREPLY for [\.0-9]+ to [^[:space:]]+ \([0-9a-f:]+\) via eth[0-9]+ ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+ via eth[0-9]+ ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: DHCP(DECLINE on|RELEASE of|REQUEST for) [\.0-9]+ from [0-9a-f:]+( \([^[:space:]]+\))? via eth[0-9]+ \((not )?found\) ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: DHCPINFORM from [\.0-9]+ ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: DHCPREQUEST for [\.0-9]+ from [0-9a-f:]+( \([^[:space:]]+\))? via eth[0-9]+: wrong network\. ?$
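Review bot: In the `BOOT(DISCOVER|REQUEST)` rule the group `(\(non-rfc1048)\)` opens before the escaped `\(` and closes before the escaped `\)`, so the ` (non-rfc1048)` suffix is mandatory rather than optional. Lines without the suffix are therefore never matched, which looks unintended given the optional groups in the neighbouring rules. If the suffix is meant to be optional, the tail should read `via eth[0-9]+( \(non-rfc1048\))? ?$`. The `.` characters in `dhcpd-2.2.x` are also unescaped here and in ignore.d.server/dhcp-client, and could be written `2\.2\.x`.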
diff --git a/logcheck/ignore.d.server/dhcp3-common b/logcheck/ignore.d.server/dhcp3-common
index 8ab9acc..2fce42f 100644
--- a/logcheck/ignore.d.server/dhcp3-common
+++ b/logcheck/ignore.d.server/dhcp3-common
@@ -1,12 +1,12 @@
-dhcpd: Abandoning IP address [\.0-9]+: pinged before offer ?$
-dhcpd: BOOTREQUEST from [0-9a-f:]+ ?$
-dhcpd: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+ ?$
-dhcpd: DHCPACK to [\.0-9]+ ?$
-dhcpd: DHCPDISCOVER from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+ ?$
-dhcpd: DHCPINFORM from [\.0-9]+( via eth[0-9]+)? ?$
-dhcpd: DHCPRELEASE of [\.0-9]+( from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+( \(found\))?)? ?$
-dhcpd: DHCPREQUEST for [\.0-9]+( \([\.0-9]+\))? from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+(: (unknown lease [\.0-9]+|wrong network)\.)? ?$
-dhcpd: ICMP Echo reply while lease [\.0-9]+ valid. ?$
-dhcpd: Wrote [0-9]+ (leases|deleted host decls|new dynamic host decls) to leases file\. ?$
-dhcpd: accepting packet with data after udp payload. ?$
-dhcpd: ip length 576 disagrees with bytes received 590. ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: Abandoning IP address [\.0-9]+: pinged before offer ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: BOOTREQUEST from [0-9a-f:]+ ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+ ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPACK to [\.0-9]+ ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPDISCOVER from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+ ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPINFORM from [\.0-9]+( via eth[0-9]+)? ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPRELEASE of [\.0-9]+( from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+( \(found\))?)? ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPREQUEST for [\.0-9]+( \([\.0-9]+\))? from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+(: (unknown lease [\.0-9]+|wrong network)\.)? ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: ICMP Echo reply while lease [\.0-9]+ valid. ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: Wrote [0-9]+ (leases|deleted host decls|new dynamic host decls) to leases file\. ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: accepting packet with data after udp payload. ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: ip length 576 disagrees with bytes received 590. ?$
diff --git a/logcheck/ignore.d.server/gdm b/logcheck/ignore.d.server/gdm
index 79229c6..2fd4342 100644
--- a/logcheck/ignore.d.server/gdm
+++ b/logcheck/ignore.d.server/gdm
@@ -1 +1 @@
-gdm\[[0-9]+\]: run_pictures: Directory [^[:space:]] does not exist\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: run_pictures: Directory [^[:space:]] does not exist\.$
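Review bot: `Directory [^[:space:]] does not exist` has no quantifier on the bracket expression, so it matches only a directory name of exactly one character and the rule is effectively dead. Anchoring the left side does not change that; the intended form is presumably `run_pictures: Directory [^[:space:]]+ does not exist\.$`. The same missing `+` is in the two `run_pictures` rules of ignore.d.server/gdm.da_DK (`uid [^[:space:]]\.$` and `Mappen [^[:space:]] eksisterer ikke\.$`).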
diff --git a/logcheck/ignore.d.server/gdm.da_DK b/logcheck/ignore.d.server/gdm.da_DK
index 56b564a..cf63c5c 100644
--- a/logcheck/ignore.d.server/gdm.da_DK
+++ b/logcheck/ignore.d.server/gdm.da_DK
@@ -1,4 +1,4 @@
-gdm\[[0-9]+\]: Pingning af.* mislykkedes, deaktiver terminal!
-gdm\[[0-9]+\]: \(child [0-9]+\) gdm_slave_xioerror_handler: Fatal X-fejl - genstarter [0-9:\.]*$
-gdm\[[0-9]+\]: run_pictures: /usr/share/pixmaps er ikke ejet af uid [^[:space:]]\.$
-gdm\[[0-9]+\]: run_pictures: Mappen [^[:space:]] eksisterer ikke\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: Pingning af.* mislykkedes, deaktiver terminal!
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: \(child [0-9]+\) gdm_slave_xioerror_handler: Fatal X-fejl - genstarter [0-9:\.]*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: run_pictures: /usr/share/pixmaps er ikke ejet af uid [^[:space:]]\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: run_pictures: Mappen [^[:space:]] eksisterer ikke\.$
diff --git a/logcheck/ignore.d.server/hotplug b/logcheck/ignore.d.server/hotplug
index 6dd646c..6dc05f1 100644
--- a/logcheck/ignore.d.server/hotplug
+++ b/logcheck/ignore.d.server/hotplug
@@ -1,4 +1,4 @@
-/etc/hotplug/net.agent: assuming ppp[0-9] is already up$
-/etc/hotplug/net.agent: invoke if(up|down) ppp[0-9]$
-/etc/hotplug/usb.agent: Setup [^[:space:]]+ for USB product [0-9a-f/]+$
-modprobe: modprobe: Can't locate module (keybdev|mousedev|usbcore)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /etc/hotplug/net.agent: assuming ppp[0-9] is already up$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /etc/hotplug/net.agent: invoke if(up|down) ppp[0-9]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /etc/hotplug/usb.agent: Setup [^[:space:]]+ for USB product [0-9a-f/]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ modprobe: modprobe: Can't locate module (keybdev|mousedev|usbcore)$
diff --git a/logcheck/ignore.d.server/hylafax-server b/logcheck/ignore.d.server/hylafax-server
index dedf0fa..2e6f7a9 100644
--- a/logcheck/ignore.d.server/hylafax-server
+++ b/logcheck/ignore.d.server/hylafax-server
@@ -1,10 +1,10 @@
-Fax(Getty|Send)\[[0-9]+\]: STATE CHANGE:( ->| BASE| LOCKWAIT| LISTENING| RUNNING| ANSWERING| RECEIVING| MODEMWAIT)+$
-Fax(Getty|Send)\[[0-9]+\]: MODEM (ROCKWELL|ZYXEL) .*$
-FaxGetty\[[0-9]+\]: RECV FAX \([0-9]+\): from .*, page .* in [0-9]+:[0-9]+, INF, .* line/mm, (1|2)-D MR(, [0-9]+ bit/s)?$
-FaxGetty\[[0-9]+\]: RECV FAX \([0-9]+\): recvq/fax[0-9]+\.tif from .*, route to .*, [0-9]+ pages in [0-9]+:[0-9]+$
-FaxGetty\[[0-9]+\]: RECV FAX: bin/faxrcvd "recvq/fax[0-9]+\.tif" "ttyS[012]" "[0-9]+"( "")+$
-FaxGetty\[[0-9]+\]: ANSWER: Ring detected without successful handshake$
-FaxGetty\[[0-9]+\]: ANSWER: FAX CONNECTION DEVICE '[^[:blank:]']+'$
-FaxQueuer\[[0-9]+\]: SUBMIT JOB [0-9]+$
-FaxSend\[[0-9]+\]: SEND FAX: JOB [0-9]+ DEST [0-9]+ COMMID [0-9]+$
-HylaFAX\[[0-9]+\]: Filesystem has SysV-style file creation semantics.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ Fax(Getty|Send)\[[0-9]+\]: STATE CHANGE:( ->| BASE| LOCKWAIT| LISTENING| RUNNING| ANSWERING| RECEIVING| MODEMWAIT)+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ Fax(Getty|Send)\[[0-9]+\]: MODEM (ROCKWELL|ZYXEL) .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: RECV FAX \([0-9]+\): from .*, page .* in [0-9]+:[0-9]+, INF, .* line/mm, (1|2)-D MR(, [0-9]+ bit/s)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: RECV FAX \([0-9]+\): recvq/fax[0-9]+\.tif from .*, route to .*, [0-9]+ pages in [0-9]+:[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: RECV FAX: bin/faxrcvd "recvq/fax[0-9]+\.tif" "ttyS[012]" "[0-9]+"( "")+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: ANSWER: Ring detected without successful handshake$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: ANSWER: FAX CONNECTION DEVICE '[^[:blank:]']+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: SUBMIT JOB [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxSend\[[0-9]+\]: SEND FAX: JOB [0-9]+ DEST [0-9]+ COMMID [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ HylaFAX\[[0-9]+\]: Filesystem has SysV-style file creation semantics.$
diff --git a/logcheck/ignore.d.server/imp b/logcheck/ignore.d.server/imp
index d4ce53b..1fb7a8d 100644
--- a/logcheck/ignore.d.server/imp
+++ b/logcheck/ignore.d.server/imp
@@ -1 +1 @@
-IMP\[[0-9]+\]: Login [0-9\.]+ to [^[:space:]]+ as [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: Login [0-9\.]+ to [^[:space:]]+ as [^[:space:]]+$
diff --git a/logcheck/ignore.d.server/libgpmg1 b/logcheck/ignore.d.server/libgpmg1
index b7450d7..d6a3da2 100644
--- a/logcheck/ignore.d.server/libgpmg1
+++ b/logcheck/ignore.d.server/libgpmg1
@@ -1 +1 @@
-[[:alnum:]]+: /dev/gpmctl: No such file or directory$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [[:alnum:]]+: /dev/gpmctl: No such file or directory$
diff --git a/logcheck/ignore.d.server/libgpmg1.da_DK b/logcheck/ignore.d.server/libgpmg1.da_DK
index e14d4cd..89db7bd 100644
--- a/logcheck/ignore.d.server/libgpmg1.da_DK
+++ b/logcheck/ignore.d.server/libgpmg1.da_DK
@@ -1 +1 @@
-[[:alnum:]]+: /dev/gpmctl: Ingen sådan fil eller filkatalog$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [[:alnum:]]+: /dev/gpmctl: Ingen sådan fil eller filkatalog$
diff --git a/logcheck/ignore.d.server/libpam-modules b/logcheck/ignore.d.server/libpam-modules
index 89f4972..1764610 100644
--- a/logcheck/ignore.d.server/libpam-modules
+++ b/logcheck/ignore.d.server/libpam-modules
@@ -1 +1 @@
-pam_limits\[[0-9]+\]: default limits skipped for 'root'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pam_limits\[[0-9]+\]: default limits skipped for 'root'$
diff --git a/logcheck/ignore.d.server/local b/logcheck/ignore.d.server/local
index a1d30e3..34ab534 100644
--- a/logcheck/ignore.d.server/local
+++ b/logcheck/ignore.d.server/local
@@ -1,434 +1,434 @@
### ignore.d.server/amanda
-amandad\[[0-9]+\]: connect from
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amandad\[[0-9]+\]: connect from
### ignore.d.server/amavis
-amavis\[[0-9]+\]: cached [a-f0-9]+ from <[^[:space:]]*>$
-amavis\[[0-9]+\]: infected \([^[:space:]]+\), from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine virus-[0-9-]+$
-amavis\[[0-9]+\]: local delivery: <[^[:space:]]*> -> <(spam|virus)-quarantine>, mbx=/var/lib/amavis/virusmails/(spam|virus)-[[:alnum:]-]+(\.gz)?$
-amavis\[[0-9]+\]: mail checking ended: (DISCARD|REJECT)$
-amavis\[[0-9]+\]: spam from=(<[^>]+>|\(\?\)), to=(<[^>]+>,)+ quarantine spam-[0-9a-f-]+$
-amavis\[[0-9]+\]: spam_scan: (No|Yes), hits=[\.0-9-]+ tests=[,_A-Z0-9]+ <[^>]*>$
-amavis\[[0-9]+\]: spam_scan: whitelisted sender <[^[:space:]]+>, spam check skipped$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: cached [a-f0-9]+ from <[^[:space:]]*>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: infected \([^[:space:]]+\), from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine virus-[0-9-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: local delivery: <[^[:space:]]*> -> <(spam|virus)-quarantine>, mbx=/var/lib/amavis/virusmails/(spam|virus)-[[:alnum:]-]+(\.gz)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: mail checking ended: (DISCARD|REJECT)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: spam from=(<[^>]+>|\(\?\)), to=(<[^>]+>,)+ quarantine spam-[0-9a-f-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: spam_scan: (No|Yes), hits=[\.0-9-]+ tests=[,_A-Z0-9]+ <[^>]*>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: spam_scan: whitelisted sender <[^[:space:]]+>, spam check skipped$
### ignore.d.server/anacron
-/USR/SBIN/CRON\[[0-9]+\]: \(root\) CMD \(test -e /usr/sbin/anacron || run-parts --report /etc/cron.(daily|weekly|monthly)\) $
-anacron\[[0-9]+\]: Anacron 2.3 started on [0-9-]+$
-anacron\[[0-9]+\]: Job `cron.(daily|weekly|monthly)' started$
-anacron\[[0-9]+\]: Job `cron.(daily|weekly|monthly)' terminated( \(exit status: 1\))?( \(mailing output\))?$
-anacron\[[0-9]+\]: Jobs will be executed sequentially$
-anacron\[[0-9]+\]: Normal exit \([0-9]+ jobs run\)$
-anacron\[[0-9]+\]: Updated timestamp for job `cron.(daily|weekly|monthly)' to [0-9-]+$
-anacron\[[0-9]+\]: Will run job `cron.(daily|weekly|monthly)' in (5|10|15) min\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \(root\) CMD \(test -e /usr/sbin/anacron || run-parts --report /etc/cron.(daily|weekly|monthly)\) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Anacron 2.3 started on [0-9-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Job `cron.(daily|weekly|monthly)' started$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Job `cron.(daily|weekly|monthly)' terminated( \(exit status: 1\))?( \(mailing output\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Jobs will be executed sequentially$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Normal exit \([0-9]+ jobs run\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Updated timestamp for job `cron.(daily|weekly|monthly)' to [0-9-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Will run job `cron.(daily|weekly|monthly)' in (5|10|15) min\.$
### ignore.d.server/bind.changes
-named\[[0-9]+\]: Lame delegation
-named\[[0-9]+\]: Lame server on '[^[:space:]]+' \(in '[^[:space:]]+'\?\): \[[\.0-9]+\]\.[0-9]+ '[^[:space:]]+'$
-named\[[0-9]+\]: Response from
-named\[[0-9]+\]: reloading
-named\[[0-9]+\]: Cleaned cache of [0-9]+ RRsets$
-named\[[0-9]+\]: Sent NOTIFY for [^[:space:]]+$
-named\[[0-9]+\]: approved AXFR from [^[:space:]]+ for [^[:space:]]+$
-named\[[0-9]+\]: zone transfer \(AXFR\) of [^[:space:]]+ to [^[:space:]]+$
-named\[[0-9]+\]: suppressing duplicate notify$
-named\[[0-9]+\]: USAGE [0-9]+ [0-9]+ CPU=[\.0-9]+u/[\.0-9]+s CHILDCPU=[\.0-9]+u/[\.0-9]+s$
-named\[[0-9]+\]: NSTATS [0-9]+ [0-9]+( (38|A|AAAA|ANY|AXFR|CNAME|IXFR|MX|NS|PTR|SOA|TXT)=[0-9]+)*$
-named\[[0-9]+\]: XSTATS [0-9]+ [0-9]+( (RR|RNXD|RFwdR|RDupR|RFail|RFErr|RErr|RAXFR|RLame|ROpts|SSysQ|SAns|SFwdQ|SDupQ|SErr|RQ|RIQ|RFwdQ|RDupQ|RTCP|SFwdR|SFail|SFErr|SNaAns|SNXD|RUQ|RURQ|RUXFR|RUUpd)=[0-9]+)*$
-named\[[0-9]+\]: lame server resolving '[^[:space:]]+' \(in '[^[:space:]]+'\?\): [\.0-9.]+#[0-9]+$
-named\[[0-9]+\]: Received NOTIFY answer
-named\[[0-9]+\]: (master |slave )?zone "[^[:space:]]+" \(IN\) loaded \(serial [0-9]+\)$
-named\[[0-9]+\]: (ns_forw|ns_resp|sysquery): query\([^[:space:]]+\) (NS points to CNAME \([^[:space:]]+\)|No possible A RRs|All possible A RR's lame|Bogus LOOPBACK A RR \([^[:space:]]+\))( learnt \([^[:space:]]+\))?$
-named\[[0-9]+\]: client [\.0-9.]+#[0-9]+: transfer of '[^[:space:]]+/IN': AXFR(-style IXFR)? started$
-named\[[0-9]+\]: zone [^[:space:]]+: transfered serial [0-9]+$
-named\[[0-9]+\]: transfer of '[^[:space:]]+' from [^[:space:]]+: end of transfer$
-named\[[0-9]+\]: zone [^[:space:]]+/IN: sending notifies \(serial [0-9]+\)$
-named\[[0-9]+\]: rcvd NOTIFY\([^[:space:]]+, IN, SOA\) from \[[\.0-9]+\]\.[0-9]+$
-named\[[0-9]+\]: late CNAME in answer section for [^[:space:]]+$
-named\[[0-9]+\]: unrelated additional info '[^[:space:]]+' type A from \[[\.0-9]+\]\.[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: Lame delegation
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: Lame server on '[^[:space:]]+' \(in '[^[:space:]]+'\?\): \[[\.0-9]+\]\.[0-9]+ '[^[:space:]]+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: Response from
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: reloading
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: Cleaned cache of [0-9]+ RRsets$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: Sent NOTIFY for [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: approved AXFR from [^[:space:]]+ for [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone transfer \(AXFR\) of [^[:space:]]+ to [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: suppressing duplicate notify$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: USAGE [0-9]+ [0-9]+ CPU=[\.0-9]+u/[\.0-9]+s CHILDCPU=[\.0-9]+u/[\.0-9]+s$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: NSTATS [0-9]+ [0-9]+( (38|A|AAAA|ANY|AXFR|CNAME|IXFR|MX|NS|PTR|SOA|TXT)=[0-9]+)*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: XSTATS [0-9]+ [0-9]+( (RR|RNXD|RFwdR|RDupR|RFail|RFErr|RErr|RAXFR|RLame|ROpts|SSysQ|SAns|SFwdQ|SDupQ|SErr|RQ|RIQ|RFwdQ|RDupQ|RTCP|SFwdR|SFail|SFErr|SNaAns|SNXD|RUQ|RURQ|RUXFR|RUUpd)=[0-9]+)*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: lame server resolving '[^[:space:]]+' \(in '[^[:space:]]+'\?\): [\.0-9.]+#[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: Received NOTIFY answer
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: (master |slave )?zone "[^[:space:]]+" \(IN\) loaded \(serial [0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: (ns_forw|ns_resp|sysquery): query\([^[:space:]]+\) (NS points to CNAME \([^[:space:]]+\)|No possible A RRs|All possible A RR's lame|Bogus LOOPBACK A RR \([^[:space:]]+\))( learnt \([^[:space:]]+\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client [\.0-9.]+#[0-9]+: transfer of '[^[:space:]]+/IN': AXFR(-style IXFR)? started$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone [^[:space:]]+: transfered serial [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: transfer of '[^[:space:]]+' from [^[:space:]]+: end of transfer$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone [^[:space:]]+/IN: sending notifies \(serial [0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: rcvd NOTIFY\([^[:space:]]+, IN, SOA\) from \[[\.0-9]+\]\.[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: late CNAME in answer section for [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: unrelated additional info '[^[:space:]]+' type A from \[[\.0-9]+\]\.[0-9]+$
### ignore.d.server/bind.tmp
-named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out$
-named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied$
### ignore.d.server/courier
-courierpop3login: Connection, ip=\[::ffff:.*\]
-courierpop3login: LOGIN, user=.*, ip=\[::ffff:.*\]
-courierpop3login: LOGOUT, user=.*, ip=\[::ffff:.*\], top=.* retr=.*
-courierpop3login: Disconnected, ip=\[::ffff:.*\]
-courierpop3login: TIMEOUT, user=.*, ip=\[::ffff:.*\], top=0, retr=0
-pop3d-ssl: Connection, ip=\[::ffff:.*\]
-pop3d-ssl: LOGIN, user=.*, ip=\[::ffff:.*\]
-pop3d-ssl: LOGOUT, user=.*, ip=\[::ffff:.*\], top=.*, retr=.*
-pop3d-ssl: TIMEOUT, user=.*, ip=\[::ffff:.*\],top=.*, retr=.*
-imaplogin: Connection, ip=\[::ffff:.*\]
-imaplogin: LOGIN, user=.*, ip=\[::ffff:.*\]
-imaplogin: LOGOUT, user=.*, ip=\[::ffff:.*\], headers=.* body=.*
-imaplogin: DISCONNECTED, user=.*, ip=\[::ffff:.*\].*
-imapd-ssl: LOGOUT, user=.*, ip=\[::ffff:.*\], headers=.* body=.*
-imapd-ssl: Connection, ip=\[::ffff:.*\]
-imapd-ssl: LOGIN, user=.*, ip=\[::ffff:.*\]
-imapd-ssl: DISCONNECTED, user=.*, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierpop3login: Connection, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierpop3login: LOGIN, user=.*, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierpop3login: LOGOUT, user=.*, ip=\[::ffff:.*\], top=.* retr=.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierpop3login: Disconnected, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierpop3login: TIMEOUT, user=.*, ip=\[::ffff:.*\], top=0, retr=0
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pop3d-ssl: Connection, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pop3d-ssl: LOGIN, user=.*, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pop3d-ssl: LOGOUT, user=.*, ip=\[::ffff:.*\], top=.*, retr=.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pop3d-ssl: TIMEOUT, user=.*, ip=\[::ffff:.*\],top=.*, retr=.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imaplogin: Connection, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imaplogin: LOGIN, user=.*, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imaplogin: LOGOUT, user=.*, ip=\[::ffff:.*\], headers=.* body=.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imaplogin: DISCONNECTED, user=.*, ip=\[::ffff:.*\].*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd-ssl: LOGOUT, user=.*, ip=\[::ffff:.*\], headers=.* body=.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd-ssl: Connection, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd-ssl: LOGIN, user=.*, ip=\[::ffff:.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd-ssl: DISCONNECTED, user=.*, ip=\[::ffff:.*\]
### ignore.d.server/dancer-ircd
-ircd\[[0-9]+\]: ircd exiting: autodie$
-ircd\[[0-9]+\]: Server Ready$
-(ircd\[[0-9]+\]: )?binding stream socket [\.[:alnum:]]+\[\*\.666[789]\]: Address already in use$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ircd\[[0-9]+\]: ircd exiting: autodie$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ircd\[[0-9]+\]: Server Ready$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (ircd\[[0-9]+\]: )?binding stream socket [\.[:alnum:]]+\[\*\.666[789]\]: Address already in use$
### ignore.d.server/dhcp-client
# NB: dhcp 2-x entries are in dhcp
-dhclient(-2.2.x)?: DHCP(REQUEST|DISCOVER) on [^[:space:]]+ to [\.0-9]+ port 67( interval [0-9]+)?$
-dhclient(-2.2.x)?: DHCP(ACK|OFFER) from [\.0-9]+$
-dhclient(-2.2.x)?: bound to [\.0-9]+ -- renewal in [0-9]+ seconds\.$
-dhclient(-2.2.x)?: irda0: unknown hardware address type 783$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: DHCP(REQUEST|DISCOVER) on [^[:space:]]+ to [\.0-9]+ port 67( interval [0-9]+)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: DHCP(ACK|OFFER) from [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: bound to [\.0-9]+ -- renewal in [0-9]+ seconds\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: irda0: unknown hardware address type 783$
### ignore.d.server/dhcp3-common
-dhcpd: Abandoning IP address [\.0-9]+: pinged before offer ?$
-dhcpd: BOOTREQUEST from [0-9a-f:]+ ?$
-dhcpd: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+ ?$
-dhcpd: DHCPACK to [\.0-9]+ ?$
-dhcpd: DHCPDISCOVER from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+ ?$
-dhcpd: DHCPINFORM from [\.0-9]+( via eth[0-9]+)? ?$
-dhcpd: DHCPRELEASE of [\.0-9]+( from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+( \(found\))?)? ?$
-dhcpd: DHCPREQUEST for [\.0-9]+( \([\.0-9]+\))? from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+(: (unknown lease [\.0-9]+|wrong network)\.)? ?$
-dhcpd: ICMP Echo reply while lease [\.0-9]+ valid. ?$
-dhcpd: Wrote [0-9]+ (leases|deleted host decls|new dynamic host decls) to leases file\. ?$
-dhcpd: accepting packet with data after udp payload. ?$
-dhcpd: ip length 576 disagrees with bytes received 590. ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: Abandoning IP address [\.0-9]+: pinged before offer ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: BOOTREQUEST from [0-9a-f:]+ ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+ ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPACK to [\.0-9]+ ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPDISCOVER from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+ ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPINFORM from [\.0-9]+( via eth[0-9]+)? ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPRELEASE of [\.0-9]+( from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+( \(found\))?)? ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPREQUEST for [\.0-9]+( \([\.0-9]+\))? from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+(: (unknown lease [\.0-9]+|wrong network)\.)? ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: ICMP Echo reply while lease [\.0-9]+ valid. ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: Wrote [0-9]+ (leases|deleted host decls|new dynamic host decls) to leases file\. ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: accepting packet with data after udp payload. ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: ip length 576 disagrees with bytes received 590. ?$
### ignore.d.server/dhcp.changes
# NB: dhcp3 entries are in dhcp3-common
-dhcpd-2.2.x: Abandoning IP address [\.0-9]+: (declined\.|pinged before offer) ?$
-dhcpd-2.2.x: BOOT(DISCOVER|REQUEST) from [0-9a-f:]+ via eth[0-9]+ (\(non-rfc1048)\) ?$
-dhcpd-2.2.x: BOOTREPLY for [\.0-9]+ to [^[:space:]]+ \([0-9a-f:]+\) via eth[0-9]+ ?$
-dhcpd-2.2.x: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+ via eth[0-9]+ ?$
-dhcpd-2.2.x: DHCP(DECLINE on|RELEASE of|REQUEST for) [\.0-9]+ from [0-9a-f:]+( \([^[:space:]]+\))? via eth[0-9]+ \((not )?found\) ?$
-dhcpd-2.2.x: DHCPINFORM from [\.0-9]+ ?$
-dhcpd-2.2.x: DHCPREQUEST for [\.0-9]+ from [0-9a-f:]+( \([^[:space:]]+\))? via eth[0-9]+: wrong network\. ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: Abandoning IP address [\.0-9]+: (declined\.|pinged before offer) ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: BOOT(DISCOVER|REQUEST) from [0-9a-f:]+ via eth[0-9]+ (\(non-rfc1048)\) ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: BOOTREPLY for [\.0-9]+ to [^[:space:]]+ \([0-9a-f:]+\) via eth[0-9]+ ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+ via eth[0-9]+ ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: DHCP(DECLINE on|RELEASE of|REQUEST for) [\.0-9]+ from [0-9a-f:]+( \([^[:space:]]+\))? via eth[0-9]+ \((not )?found\) ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: DHCPINFORM from [\.0-9]+ ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: DHCPREQUEST for [\.0-9]+ from [0-9a-f:]+( \([^[:space:]]+\))? via eth[0-9]+: wrong network\. ?$
### ignore.d.server/gdm
-gdm\[[0-9]+\]: run_pictures: Directory [^[:space:]] does not exist\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: run_pictures: Directory [^[:space:]] does not exist\.$
### ignore.d.server/gdm.da_DK
-gdm\[[0-9]+\]: Pingning af.* mislykkedes, deaktiver terminal!
-gdm\[[0-9]+\]: \(child [0-9]+\) gdm_slave_xioerror_handler: Fatal X-fejl - genstarter [0-9:\.]*$
-gdm\[[0-9]+\]: run_pictures: /usr/share/pixmaps er ikke ejet af uid [^[:space:]]\.$
-gdm\[[0-9]+\]: run_pictures: Mappen [^[:space:]] eksisterer ikke\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: Pingning af.* mislykkedes, deaktiver terminal!
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: \(child [0-9]+\) gdm_slave_xioerror_handler: Fatal X-fejl - genstarter [0-9:\.]*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: run_pictures: /usr/share/pixmaps er ikke ejet af uid [^[:space:]]\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: run_pictures: Mappen [^[:space:]] eksisterer ikke\.$
### ignore.d.server/hotplug
-/etc/hotplug/net.agent: assuming ppp[0-9] is already up$
-/etc/hotplug/net.agent: invoke if(up|down) ppp[0-9]$
-/etc/hotplug/usb.agent: Setup [^[:space:]]+ for USB product [0-9a-f/]+$
-modprobe: modprobe: Can't locate module (keybdev|mousedev|usbcore)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /etc/hotplug/net.agent: assuming ppp[0-9] is already up$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /etc/hotplug/net.agent: invoke if(up|down) ppp[0-9]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /etc/hotplug/usb.agent: Setup [^[:space:]]+ for USB product [0-9a-f/]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ modprobe: modprobe: Can't locate module (keybdev|mousedev|usbcore)$
### ignore.d.server/hylafax-server
-Fax(Getty|Send)\[[0-9]+\]: STATE CHANGE:( ->| BASE| LOCKWAIT| LISTENING| RUNNING| ANSWERING| RECEIVING| MODEMWAIT)+$
-Fax(Getty|Send)\[[0-9]+\]: MODEM (ROCKWELL|ZYXEL) .*$
-FaxGetty\[[0-9]+\]: RECV FAX \([0-9]+\): from .*, page .* in [0-9]+:[0-9]+, INF, .* line/mm, (1|2)-D MR(, [0-9]+ bit/s)?$
-FaxGetty\[[0-9]+\]: RECV FAX \([0-9]+\): recvq/fax[0-9]+\.tif from .*, route to .*, [0-9]+ pages in [0-9]+:[0-9]+$
-FaxGetty\[[0-9]+\]: RECV FAX: bin/faxrcvd "recvq/fax[0-9]+\.tif" "ttyS[012]" "[0-9]+"( "")+$
-FaxGetty\[[0-9]+\]: ANSWER: Ring detected without successful handshake$
-FaxGetty\[[0-9]+\]: ANSWER: FAX CONNECTION DEVICE '[^[:blank:]']+'$
-FaxQueuer\[[0-9]+\]: SUBMIT JOB [0-9]+$
-FaxSend\[[0-9]+\]: SEND FAX: JOB [0-9]+ DEST [0-9]+ COMMID [0-9]+$
-HylaFAX\[[0-9]+\]: Filesystem has SysV-style file creation semantics.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ Fax(Getty|Send)\[[0-9]+\]: STATE CHANGE:( ->| BASE| LOCKWAIT| LISTENING| RUNNING| ANSWERING| RECEIVING| MODEMWAIT)+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ Fax(Getty|Send)\[[0-9]+\]: MODEM (ROCKWELL|ZYXEL) .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: RECV FAX \([0-9]+\): from .*, page .* in [0-9]+:[0-9]+, INF, .* line/mm, (1|2)-D MR(, [0-9]+ bit/s)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: RECV FAX \([0-9]+\): recvq/fax[0-9]+\.tif from .*, route to .*, [0-9]+ pages in [0-9]+:[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: RECV FAX: bin/faxrcvd "recvq/fax[0-9]+\.tif" "ttyS[012]" "[0-9]+"( "")+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: ANSWER: Ring detected without successful handshake$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: ANSWER: FAX CONNECTION DEVICE '[^[:blank:]']+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: SUBMIT JOB [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxSend\[[0-9]+\]: SEND FAX: JOB [0-9]+ DEST [0-9]+ COMMID [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ HylaFAX\[[0-9]+\]: Filesystem has SysV-style file creation semantics.$
### ignore.d.server/imp
-IMP\[[0-9]+\]: Login [0-9\.]+ to [^[:space:]]+ as [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: Login [0-9\.]+ to [^[:space:]]+ as [^[:space:]]+$
### ignore.d.server/libgpmg1
-[[:alnum:]]+: /dev/gpmctl: No such file or directory$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [[:alnum:]]+: /dev/gpmctl: No such file or directory$
### ignore.d.server/libgpmg1.da_DK
-[[:alnum:]]+: /dev/gpmctl: Ingen sådan fil eller filkatalog$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [[:alnum:]]+: /dev/gpmctl: Ingen sådan fil eller filkatalog$
### ignore.d.server/libpam-modules
-pam_limits\[[0-9]+\]: default limits skipped for 'root'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pam_limits\[[0-9]+\]: default limits skipped for 'root'$
### ignore.d.server/mailutils-imap4d
-gnu-imap4d\[[0-9]+\]: Incoming connection opened$
-gnu-imap4d\[[0-9]+\]: connect from [\.0-9]+$
-gnu-imap4d\[[0-9]+\]: User '[[:alnum:]]+' logged in$
-gnu-imap4d\[[0-9]+\]: Session timed out for user: [[:alnum:]]+$
-gnu-imap4d\[[0-9]+\]: got signal Alarm clock$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnu-imap4d\[[0-9]+\]: Incoming connection opened$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnu-imap4d\[[0-9]+\]: connect from [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnu-imap4d\[[0-9]+\]: User '[[:alnum:]]+' logged in$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnu-imap4d\[[0-9]+\]: Session timed out for user: [[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnu-imap4d\[[0-9]+\]: got signal Alarm clock$
### ignore.d.server/misc
# Figure out if these belong to dhcp or dhcp3-common (or dhclient?)
-dhcpd.*: Reclaiming( REQUESTed) abandoned IP address [\.0-9]+
-dhcpd.*: already acking lease
-dhcpd.*: send_packet: Connection refused
-dhcpd.*: fallback_discard: Connection refused
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd.*: Reclaiming( REQUESTed) abandoned IP address [\.0-9]+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd.*: already acking lease
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd.*: send_packet: Connection refused
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd.*: fallback_discard: Connection refused
# These show up when isdnutils is installed, but isn't strictly related to those packages
-kernel: isdn_net: call from [,0-9]+ -> [0-9]+$
-kernel: isdn_net: Service-Indicator not [0-9], ignored$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: isdn_net: call from [,0-9]+ -> [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: isdn_net: Service-Indicator not [0-9], ignored$
# This one shows up with firewalls blocking SMB ports non-silently
-kernel: Packet log: input DENY .*:(137|138) .*:(137|138) .*$
-kernel: Shorewall:net2all:DROP:.* (SPT|DPT)=(13[789]|445) .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Packet log: input DENY .*:(137|138) .*:(137|138) .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Shorewall:net2all:DROP:.* (SPT|DPT)=(13[789]|445) .*$
### ignore.d.server/murasaki
-murasaki\.usb\[[0-9]+\]: found depended module="[[:alnum:]]+"$
-murasaki\.(usb|net)\[[0-9]+\]: try expanding "\[net\]"$
-murasaki\.(usb|net)\[[0-9]+\]: dependent\(net\) is found$
-murasaki\.(usb|net)\[[0-9]+\]: net device is (added|removed|(un)?register(e)?d)$
-murasaki\.(usb|net)\[[0-9]+\]: Execuing "net" "(stop|start)"$
-murasaki\.(usb|net)\[[0-9]+\]: execute if(up|down) (eth|(i)?ppp|irda)[0-9]$
-murasaki\.usb\[[0-9]+\]: (MATCH\(audio\) -> match_flags:[[:alnum:]]+ )?vendor:[[:alnum:]]+ product:[[:alnum:]]+ Dclass:[[:alnum:]]+ Dsubclass:[[:alnum:]]+ Dprotocol:[[:alnum:]]+ Iclass:[[:alnum:]]+ Isubclass:[[:alnum:]]+ Iprotocol:[[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ murasaki\.usb\[[0-9]+\]: found depended module="[[:alnum:]]+"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ murasaki\.(usb|net)\[[0-9]+\]: try expanding "\[net\]"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ murasaki\.(usb|net)\[[0-9]+\]: dependent\(net\) is found$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ murasaki\.(usb|net)\[[0-9]+\]: net device is (added|removed|(un)?register(e)?d)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ murasaki\.(usb|net)\[[0-9]+\]: Execuing "net" "(stop|start)"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ murasaki\.(usb|net)\[[0-9]+\]: execute if(up|down) (eth|(i)?ppp|irda)[0-9]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ murasaki\.usb\[[0-9]+\]: (MATCH\(audio\) -> match_flags:[[:alnum:]]+ )?vendor:[[:alnum:]]+ product:[[:alnum:]]+ Dclass:[[:alnum:]]+ Dsubclass:[[:alnum:]]+ Dprotocol:[[:alnum:]]+ Iclass:[[:alnum:]]+ Isubclass:[[:alnum:]]+ Iprotocol:[[:alnum:]]+$
### ignore.d.server/nagios
-nagios: Auto-save of retention data completed successfully\. $
-nagios: LOG ROTATION: DAILY $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios: Auto-save of retention data completed successfully\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios: LOG ROTATION: DAILY $
### ignore.d.server/netatalk.changes
# Lines with "[^[:space:]]+:" at the beginning are for netatalk 1.6.x or newer.
-afpd\[[0-9]+\]: (atp_rresp|afp_die: asp_shutdown): Connection timed out$
-afpd\[[0-9]+\]: [^[:space:]]+: D5:AFPDaemon: Parsing volset [^[:space:]]+$
-afpd\[[0-9]+\]: [^[:space:]]+: D5:AFPDaemon: using codepage directory: /etc/netatalk/nls/maccode\.[\.a-z0-9-]+$
-afpd\[[0-9]+\]: [^[:space:]]+: E:AFPDaemon: afp_alarm: child timed out$
-afpd\[[0-9]+\]: [^[:space:]]+: E:Default: atp_rresp: Connection timed out$
-afpd\[[0-9]+\]: [^[:space:]]+: E:Default: dsi_stream_read\(-1\): Connection reset by peer$
-afpd\[[0-9]+\]: [^[:space:]]+: E:Default: dsi_stream_write: Broken pipe$
-afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: (afp_flushfork|afp_read|getforkparms): (ad_refresh|of_find): (No such file or directory|No such process|Permission denied)$
-afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: (registering [[:alnum:]]+ \(uid [0-9]+\) on [\.0-9]+ as|removed) /[^[:space:]]+/net[\.0-9]+node[0-9]+$
-afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: Connection terminated$
-afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: [\.[:alnum:]]+ read, [\.[:alnum:]]+ written$
-afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: login [[:alnum:]]+ \(uid [0-9]+, gid [0-9]+\)( AFP2\.2)?$
-afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: logout [[:alnum:]]+$
-afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: session from [\.:0-9]+ on [\.:0-9]+$
-afpd\[[0-9]+\]: [^[:space:]]+: I:Default: (server_child\[[0-9]+\] [0-9]+ )?(done|exited 1)$
-afpd\[[0-9]+\]: [^[:space:]]+: I:Default: ASIP session:[0-9]+\([0-9]+\) from [\.:0-9]+\([0-9]+\)$
-afpd\[[0-9]+\]: [^[:space:]]+: I:Default: CNID DB initialized using Sleepycat Software: Berkeley DB( [\.0-9]+: \([^\(]+\))?$
-afpd\[[0-9]+\]: [^[:space:]]+: I:Default: asp_alrm: [0-9]+ timed out$
-afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: ((dhx|cleartext|randnum/rand2num) )?login: [[:alnum:]]+$
-afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: login noauth$
-afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: uams_dhx_pam.c :PAM: PAM (Auth OK!|Success -- Success)$
-afpd\[[0-9]+\]: [^[:space:]]+: S:Logger: can't open Logfile /var/log/netatalk.log$
-afpd\[[0-9]+\]: [_[:alnum:]]+(\(-?[0-9]+\))?: stat [^:]+: (No such file or directory|Permission denied)$
-afpd\[[0-9]+\]: dsi_stream_read\(0\): (No such file or directory|No such process|Permission denied)$
-afpd\[[0-9]+\]: dsi_stream_read\(0\): Success$
-afpd\[[0-9]+\]: error stat'ing /[^[:space:]]+/net[\.0-9]+node[0-9]+: No such file or directory$
-atalkd\[[0-9]+\]: (as_timer|nbp brrq) sendto [\.0-9]+( \([0-9]+\))?: Network is unreachable $
-atalkd\[[0-9]+\]: zip (ignoring gnireply|gnireply from [\.0-9]+ \([[:alnum:]]+ [[:alnum:]]+\)) $
-papd\[[0-9]+\]: [^[:space:]]+: I:PAPDaemon: child [0-9]+ done$
-papd\[[0-9]+\]: [^[:space:]]+: I:PAPDaemon: child [0-9]+ for "[^"]+" from [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: (atp_rresp|afp_die: asp_shutdown): Connection timed out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: D5:AFPDaemon: Parsing volset [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: D5:AFPDaemon: using codepage directory: /etc/netatalk/nls/maccode\.[\.a-z0-9-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: E:AFPDaemon: afp_alarm: child timed out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: E:Default: atp_rresp: Connection timed out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: E:Default: dsi_stream_read\(-1\): Connection reset by peer$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: E:Default: dsi_stream_write: Broken pipe$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: (afp_flushfork|afp_read|getforkparms): (ad_refresh|of_find): (No such file or directory|No such process|Permission denied)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: (registering [[:alnum:]]+ \(uid [0-9]+\) on [\.0-9]+ as|removed) /[^[:space:]]+/net[\.0-9]+node[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: Connection terminated$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: [\.[:alnum:]]+ read, [\.[:alnum:]]+ written$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: login [[:alnum:]]+ \(uid [0-9]+, gid [0-9]+\)( AFP2\.2)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: logout [[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: session from [\.:0-9]+ on [\.:0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:Default: (server_child\[[0-9]+\] [0-9]+ )?(done|exited 1)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:Default: ASIP session:[0-9]+\([0-9]+\) from [\.:0-9]+\([0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:Default: CNID DB initialized using Sleepycat Software: Berkeley DB( [\.0-9]+: \([^\(]+\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:Default: asp_alrm: [0-9]+ timed out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: ((dhx|cleartext|randnum/rand2num) )?login: [[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: login noauth$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: uams_dhx_pam.c :PAM: PAM (Auth OK!|Success -- Success)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: S:Logger: can't open Logfile /var/log/netatalk.log$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [_[:alnum:]]+(\(-?[0-9]+\))?: stat [^:]+: (No such file or directory|Permission denied)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: dsi_stream_read\(0\): (No such file or directory|No such process|Permission denied)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: dsi_stream_read\(0\): Success$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: error stat'ing /[^[:space:]]+/net[\.0-9]+node[0-9]+: No such file or directory$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ atalkd\[[0-9]+\]: (as_timer|nbp brrq) sendto [\.0-9]+( \([0-9]+\))?: Network is unreachable $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ atalkd\[[0-9]+\]: zip (ignoring gnireply|gnireply from [\.0-9]+ \([[:alnum:]]+ [[:alnum:]]+\)) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ papd\[[0-9]+\]: [^[:space:]]+: I:PAPDaemon: child [0-9]+ done$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ papd\[[0-9]+\]: [^[:space:]]+: I:PAPDaemon: child [0-9]+ for "[^"]+" from [\.0-9]+$
### ignore.d.server/netsaint
-netsaint: (HOST|SERVICE) (ALERT|NOTIFICATION|FLAPPING ALERT): .*$
-netsaint: Auto-save of retention data completed successfully\. $
-netsaint: Caught SIGTERM, shutting down\.\.\. $
-netsaint: Entering active mode\.\.\. $
-netsaint: NetSaint [\.0-9]+ starting\.\.\. \(PID=[0-9]+\) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: (HOST|SERVICE) (ALERT|NOTIFICATION|FLAPPING ALERT): .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: Auto-save of retention data completed successfully\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: Caught SIGTERM, shutting down\.\.\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: Entering active mode\.\.\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: NetSaint [\.0-9]+ starting\.\.\. \(PID=[0-9]+\) $
### ignore.d.server/nfs-kernel-server
-mountd\[[0-9]+\]: NFS mount of /[^[:space:]]+ attempted from [\.0-9]+$
-mountd\[[0-9]+\]: /[^[:space:]]+ has been mounted by [\.0-9]+$
-rpc\.mountd: authenticated unmount request from [\.0-9]+:[0-9]+ for /[^[:space:]]+ \(/[^[:space:]\)]+\) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mountd\[[0-9]+\]: NFS mount of /[^[:space:]]+ attempted from [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mountd\[[0-9]+\]: /[^[:space:]]+ has been mounted by [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rpc\.mountd: authenticated unmount request from [\.0-9]+:[0-9]+ for /[^[:space:]]+ \(/[^[:space:]\)]+\) $
### ignore.d.server/non-debian
# These entries are for syslogd open for remote hosts
# (and advertised through DHCP)
#
# HP printers
-printer: peripheral low-power state$
-printer: paper out$
-printer: error cleared$
-printer: powered up$
-printer: ready to print$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ printer: peripheral low-power state$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ printer: paper out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ printer: error cleared$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ printer: powered up$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ printer: ready to print$
# FloppyFW DHCP server
-[0-9A-F]+ 400 DHCP SERVER Offered \| Offering: [\.0-9]+ To: [0-9A-F]+ By: [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [0-9A-F]+ 400 DHCP SERVER Offered \| Offering: [\.0-9]+ To: [0-9A-F]+ By: [\.0-9]+$
### ignore.d.server/ntp-simple.changes
-ntpd\[[0-9]+\]: kern_enable is 1$
-ntpd\[[0-9]+\]: kernel time discipline status [0-9]+$
-ntpd\[[0-9]+\]: precision = [0-9]+ usec$
-ntpd\[[0-9]+\]: signal_no_reset: signal 13 had flags [0-9]+$
-ntpd\[[0-9]+\]: using kernel phase-lock loop [0-9]+$
-ntpd\[[0-9]+\]: ntpd [\.0-9]+ [a-zA-Z]+ [a-zA-Z]+ [0-9]+ [0-9:]+ UTC 200[2-9]+ \(2\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kern_enable is 1$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time discipline status [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: precision = [0-9]+ usec$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: signal_no_reset: signal 13 had flags [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: using kernel phase-lock loop [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: ntpd [\.0-9]+ [a-zA-Z]+ [a-zA-Z]+ [0-9]+ [0-9:]+ UTC 200[2-9]+ \(2\)$
### ignore.d.server/pop-before-smtp
-pop-before-smtp\[[0-9]+\]: (opening|closing) relay for [\.0-9]+( --- not in mynetworks)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pop-before-smtp\[[0-9]+\]: (opening|closing) relay for [\.0-9]+( --- not in mynetworks)?$
### ignore.d.server/postfix
-postfix/[[:alnum:]]+\[[0-9]+\]: table has changed -- exiting$
-postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=.*$
-postfix/cleanup\[[0-9]+\]: warning: premature end-of-input from cleanup socket while reading input attribute name$
-postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied$
-postfix/master\[[0-9]+\]: reload configuration$
-postfix/n?qmgr\[[0-9]+\]: [A-Z0-9]+: from=<[^,]*>, status=expired, returned to sender$
-postfix/n?qmgr\[[0-9]+\]: [A-Z0-9]+: skipped, still being delivered$
-postfix/postfix-script: refreshing the Postfix mail system$
-postfix/smtp\[[0-9]+\]: Peer certi?ficate could not be verified$
-postfix/smtp\[[0-9]+\]: SSL_connect error to [^[:space:]]+: -1
-postfix/smtp\[[0-9]+\]: [A-Z0-9]+: enabling PIX <CRLF>\.<CRLF> workaround for [^[:space:]]+\[[\.0-9]+\]$
-postfix/smtp\[[0-9]+\]: [^[:space:]]+ status=deferred \(connect to [^[:space:]]+\[[\.0-9]+\]: (Connection refused|server refused mail service)\)$
-postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: (Connection (refused|reset by peer|timed out)|read timeout|server (refused mail service|dropped connection)|No route to host) \(port 25\)$
-postfix/smtp\[[0-9]+\]: setting up TLS connection to [^[:space:]]+$
-postfix/smtp\[[0-9]+\]: verify error:num=10:certificate has expired$
-postfix/smtp\[[0-9]+\]: warning: bad size limit "truncates" in EHLO reply from [^[:space:]]+$
-postfix/smtp\[[0-9]+\]: warning: host [^[:space:]]+\[[\.0-9]+\] (greeted me|replied to HELO/EHLO) with my own hostname [^[:space:]]+$
-postfix/smtp\[[0-9]+\]: warning: no MX host for [^[:space:]]+ has a valid A record$
-postfix/smtpd?\[[0-9]+\]: (Unv|V)erified: subject_CN=.*, issuer=.*$
-postfix/smtpd?\[[0-9]+\]: TLS connection established (from|to) [^[:space:]]+: (SSL|TLS)v[123] with cipher [^[:space:]]+ \([0-9/]+ bits\)$
-postfix/smtpd?\[[0-9]+\]: cert has expired$
-postfix/smtpd?\[[0-9]+\]: fingerprint=[0-9A-F:]+$
-postfix/smtpd?\[[0-9]+\]: setting up TLS connection (from|to) [^[:space:]]+\[[\.0-9]+\]$
-postfix/smtpd?\[[0-9]+\]: verify error:num=(10:certificate has expired|18:self signed certificate|19:self signed certificate in certificate chain|20:unable to get local issuer certificate|21:unable to verify the first certificate|26:unsupported certificate purpose|27:certificate not trusted)$
-postfix/smtpd?\[[0-9]+\]: warning: (numeric|malformed) domain name in resource data of MX record for [^[:space:]]+: [^[:space:]]*$
-postfix/smtpd?\[[0-9]+\]: warning: valid_hostname: (empty hostname|invalid character [0-9]+\(decimal\): [^[:space:]]+)$
-postfix/smtpd\[[0-9]+\]: ((dis)?connect|setting up TLS connection|lost connection after AUTH) from [^[:space:]]+\[[\.0-9]+\]$
-postfix/smtpd\[[0-9]+\]: (lost connection|timeout) after [^ ]+ from [^[:space:]]+\[[\.0-9]+\]$
-postfix/smtpd\[[0-9]+\]: SSL_accept error from [^[:space:]]+\[[\.0-9]+\]: 0
-postfix/smtpd\[[0-9]+\]: [0-9]+:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1\.c:100:
-postfix/smtpd\[[0-9]+\]: [0-9]+:error:1408807A:SSL routines:SSL3_GET_CERT_VERIFY:bad rsa signature:s3_srvr\.c:1833:
-postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: [^[:space:]]+\[[\.0-9]+\], sasl_method=PLAIN, sasl_username=[[:alnum:]]+$
-postfix/smtpd\[[0-9]+\]: too many errors after RCPT from [^[:space:]]+\[[\.0-9]+\]$
-postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in (MAIL|RCPT) command: (<[^>]+>)?$
-postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: address not listed for hostname [^[:space:]]+$
-postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host name has no address$
-postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\] sent ([^[:space:]]+ header|mail content) instead of SMTP command: .*
-postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\]: hostname [^[:space:]]+ verification failed: Host not found$
-postfix/smtpd\[[0-9]+\]: warning: numeric result [\.0-9]+ in address->name lookup for [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: table has changed -- exiting$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: warning: premature end-of-input from cleanup socket while reading input attribute name$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/master\[[0-9]+\]: reload configuration$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [A-Z0-9]+: from=<[^,]*>, status=expired, returned to sender$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [A-Z0-9]+: skipped, still being delivered$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/postfix-script: refreshing the Postfix mail system$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: Peer certi?ficate could not be verified$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: SSL_connect error to [^[:space:]]+: -1
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [A-Z0-9]+: enabling PIX <CRLF>\.<CRLF> workaround for [^[:space:]]+\[[\.0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [^[:space:]]+ status=deferred \(connect to [^[:space:]]+\[[\.0-9]+\]: (Connection refused|server refused mail service)\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: (Connection (refused|reset by peer|timed out)|read timeout|server (refused mail service|dropped connection)|No route to host) \(port 25\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: setting up TLS connection to [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: verify error:num=10:certificate has expired$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: bad size limit "truncates" in EHLO reply from [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: host [^[:space:]]+\[[\.0-9]+\] (greeted me|replied to HELO/EHLO) with my own hostname [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: no MX host for [^[:space:]]+ has a valid A record$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: (Unv|V)erified: subject_CN=.*, issuer=.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: TLS connection established (from|to) [^[:space:]]+: (SSL|TLS)v[123] with cipher [^[:space:]]+ \([0-9/]+ bits\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: cert has expired$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: fingerprint=[0-9A-F:]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: setting up TLS connection (from|to) [^[:space:]]+\[[\.0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: verify error:num=(10:certificate has expired|18:self signed certificate|19:self signed certificate in certificate chain|20:unable to get local issuer certificate|21:unable to verify the first certificate|26:unsupported certificate purpose|27:certificate not trusted)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: warning: (numeric|malformed) domain name in resource data of MX record for [^[:space:]]+: [^[:space:]]*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: warning: valid_hostname: (empty hostname|invalid character [0-9]+\(decimal\): [^[:space:]]+)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: ((dis)?connect|setting up TLS connection|lost connection after AUTH) from [^[:space:]]+\[[\.0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: (lost connection|timeout) after [^ ]+ from [^[:space:]]+\[[\.0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: SSL_accept error from [^[:space:]]+\[[\.0-9]+\]: 0
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [0-9]+:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1\.c:100:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [0-9]+:error:1408807A:SSL routines:SSL3_GET_CERT_VERIFY:bad rsa signature:s3_srvr\.c:1833:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: [^[:space:]]+\[[\.0-9]+\], sasl_method=PLAIN, sasl_username=[[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: too many errors after RCPT from [^[:space:]]+\[[\.0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in (MAIL|RCPT) command: (<[^>]+>)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: address not listed for hostname [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host name has no address$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\] sent ([^[:space:]]+ header|mail content) instead of SMTP command: .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\]: hostname [^[:space:]]+ verification failed: Host not found$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: numeric result [\.0-9]+ in address->name lookup for [\.0-9]+$
# These are only for postfix >= 2.0:
-postfix/qmgr\[[0-9]+\]: [A-Z0-9]+: to=<[^,]+, relay=none, delay=[0-9]+, status=deferred \(connect to [^[:space:]]+\[[\.0-9]+\]: server dropped connection without sending the initial greeting\)$
-postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server dropped connection without sending the initial greeting \(port 25\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [A-Z0-9]+: to=<[^,]+, relay=none, delay=[0-9]+, status=deferred \(connect to [^[:space:]]+\[[\.0-9]+\]: server dropped connection without sending the initial greeting\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server dropped connection without sending the initial greeting \(port 25\)$
### ignore.d.server/postgresql
-postgres\[[0-9]+\]: \[[0-9-]+\] \^ICPU .* sec elapsed .* sec\.$
-postgres\[[0-9]+\]: \[[0-9-]+\] \^ITotal CPU .* sec elapsed .* sec\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] \^ICPU .* sec elapsed .* sec\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] \^ITotal CPU .* sec elapsed .* sec\.$
### ignore.d.server/ppp
-chat\[[0-9]+\]: abort on \(.*\)$
-chat\[[0-9]+\]: expect \(.*\)$
-chat\[[0-9]+\]: send \(AT.*\^M\)$
-chat\[[0-9]+\]: -- got it$
-chat\[[0-9]+\]: AT.*\^M\^M$
-chat\[[0-9]+\]: \^M$
-chat\[[0-9]+\]: CONNECT$
-chat\[[0-9]+\]: OK$
-chat\[[0-9]+\]: send \(\\d\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ chat\[[0-9]+\]: abort on \(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ chat\[[0-9]+\]: expect \(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ chat\[[0-9]+\]: send \(AT.*\^M\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ chat\[[0-9]+\]: -- got it$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ chat\[[0-9]+\]: AT.*\^M\^M$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ chat\[[0-9]+\]: \^M$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ chat\[[0-9]+\]: CONNECT$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ chat\[[0-9]+\]: OK$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ chat\[[0-9]+\]: send \(\\d\)$
### ignore.d.server/proftpd
-proftpd\[[0-9]+\]: No certificate files found! $
-proftpd\[[0-9]+\]: [^[:space:]]+ ([^[:space:]\[]+\[[\.0-9]\]) - Refused PORT.* (address mismatch)\. $
-proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - FTP (login timed out|no transfer timeout), disconnected\. $
-proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - FTP session (closed|opened)\. $
-proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - USER [^[:space:]]+: (Login successful\.|no such user found from .*\[[\.0-9]+\] to [\.0-9]+:21) $
-proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - no such user '[^[:space:]]+' $
-proftpd\[[0-9]+\]: connect from [\.0-9]+ $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: No certificate files found! $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [^[:space:]]+ ([^[:space:]\[]+\[[\.0-9]\]) - Refused PORT.* (address mismatch)\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - FTP (login timed out|no transfer timeout), disconnected\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - FTP session (closed|opened)\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - USER [^[:space:]]+: (Login successful\.|no such user found from .*\[[\.0-9]+\] to [\.0-9]+:21) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - no such user '[^[:space:]]+' $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: connect from [\.0-9]+ $
### ignore.d.server/rpld
-rpld\[[0-9]+\]: client [:a-f0-9]+ requested block [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rpld\[[0-9]+\]: client [:a-f0-9]+ requested block [\.0-9]+$
### ignore.d.server/samba
-smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for 4\. Error = (No route to host|Connection reset by peer)$
-smbd\[[0-9]+\]: \[[/0-9]+ [0-9:]+, [0-9]+\] lib/util_sock.c:read(_socket)?_data\([0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for 4\. Error = (No route to host|Connection reset by peer)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: \[[/0-9]+ [0-9:]+, [0-9]+\] lib/util_sock.c:read(_socket)?_data\([0-9]+\)$
### ignore.d.server/sfs-client
-: nfsmounter: mounted /sfs/\.linuxmnt/[^[:blank:]]+:[0-9a-z]+/r$
-: sfsrwcd: [^[:blank:]]+:[0-9a-z]+ deleted$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ : nfsmounter: mounted /sfs/\.linuxmnt/[^[:blank:]]+:[0-9a-z]+/r$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ : sfsrwcd: [^[:blank:]]+:[0-9a-z]+ deleted$
### ignore.d.server/sfs-server
-: sfsauthd: serving [^:]+:[0-9a-z]+$
-: sfssd: accepted connection from [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ : sfsauthd: serving [^:]+:[0-9a-z]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ : sfssd: accepted connection from [\.0-9]+$
### ignore.d.server/spamassassin
-spamd\[[0-9]+\]: Creating default_prefs
-spamd\[[0-9]+\]: connection from .* at port
-spamd\[[0-9]+\]: clean message for
-spamd\[[0-9]+\]: identified spam for
-spamd\[[0-9]+\]: skipped large message in
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: Creating default_prefs
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: connection from .* at port
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: clean message for
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: identified spam for
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: skipped large message in
### ignore.d.server/squid
-squid\[[0-9]+\]: Finished. Wrote [0-9]+ entries\. $
-squid\[[0-9]+\]: Took [\.0-9]+ seconds \( *[\.0-9]+ entries/sec\)\. $
-squid\[[0-9]+\]: (Closing Pinger socket|Pinger socket opened) on FD [0-9]+$
-squid\[[0-9]+\]: (access|store)LogRotate: Rotating(\.)?$
-squid\[[0-9]+\]: NETDB state saved;$
-squid\[[0-9]+\]: helperOpenServers: Starting [0-9]+ '.*' processes
-squid\[[0-9]+\]: logfileRotate: /var/log/squid/(access|store).log $
-squid\[[0-9]+\]: sslReadServer: FD [0-9]+: read failure: \(104\) Connection reset by peer $
-squid\[[0-9]+\]: storeDirWriteCleanLogs: Starting\.\.\. $
-squid\[[0-9]+\]: urlParse: Illegal character in hostname '[^']+' $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Finished. Wrote [0-9]+ entries\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Took [\.0-9]+ seconds \( *[\.0-9]+ entries/sec\)\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: (Closing Pinger socket|Pinger socket opened) on FD [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: (access|store)LogRotate: Rotating(\.)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: NETDB state saved;$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: helperOpenServers: Starting [0-9]+ '.*' processes
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: logfileRotate: /var/log/squid/(access|store).log $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: sslReadServer: FD [0-9]+: read failure: \(104\) Connection reset by peer $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: storeDirWriteCleanLogs: Starting\.\.\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: urlParse: Illegal character in hostname '[^']+' $
### ignore.d.server/ssh
-sshd\[[0-9]+\]: syslogin_perform_logout: logout\(\) returned an error$
-sshd\[[0-9]+\]: Could not reverse map address .*\.
-sshd\[[0-9]+\]: Connection closed by .*
-sshd\[[0-9]+\]: Did not receive ident(ification)? string from [\.0-9]+$
-sshd\[[0-9]+\]: scanned from [\.0-9]+ with SSH-1\.0-SSH_Version_Mapper\. Don't panic\.$
-sshd\[[0-9]+\]: Disconnecting: Your ssh version is too old and is no longer supported\. Please install a newer version\.$
-sshd\[[0-9]+\]: Accepted (keyboard-interactive|password|publickey) for [[:alnum:]]+ from [\.0-9]+ port [0-9]+( ssh2)?$
-sshd\[[0-9]+\]: warning: /etc/hosts.deny, line 15: can't verify hostname: gethostbyname(.*) failed
-sshd\[[0-9]+\]: refused connect from .*
-sshd\[[0-9]+\]: Received disconnect from [\.0-9]+: 11: Disconnect requested by Windows SSH Client.$
-sshd\[[0-9]+\]: subsystem request for sftp$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: syslogin_perform_logout: logout\(\) returned an error$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Could not reverse map address .*\.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Connection closed by .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Did not receive ident(ification)? string from [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: scanned from [\.0-9]+ with SSH-1\.0-SSH_Version_Mapper\. Don't panic\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnecting: Your ssh version is too old and is no longer supported\. Please install a newer version\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted (keyboard-interactive|password|publickey) for [[:alnum:]]+ from [\.0-9]+ port [0-9]+( ssh2)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts.deny, line 15: can't verify hostname: gethostbyname(.*) failed
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: refused connect from .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Received disconnect from [\.0-9]+: 11: Disconnect requested by Windows SSH Client.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: subsystem request for sftp$
### ignore.d.server/ssmtp
-sSMTP mail\[[0-9]+\]: .* sent mail for root
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sSMTP mail\[[0-9]+\]: .* sent mail for root
### ignore.d.server/sysklogd
-syslogd [\.#0-9]+: restart \(remote reception\)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslogd [\.#0-9]+: restart \(remote reception\)\.$
### ignore.d.server/tftpd
-in\.tftpd\[[0-9]+\]: RRQ from [\.0-9]+ filename [^[:space:]]+ $
-in\.tftpd\[[0-9]+\]: tftp: client does not accept options
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in\.tftpd\[[0-9]+\]: RRQ from [\.0-9]+ filename [^[:space:]]+ $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in\.tftpd\[[0-9]+\]: tftp: client does not accept options
### ignore.d.server/tmp
## imp
-IMP\[[0-9]+\]: FAILED .* to .*:143 as .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED .* to .*:143 as .*
## libpam-modules
-PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
-PAM_unix\[[0-9]+\]: check pass; user unknown$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_unix\[[0-9]+\]: check pass; user unknown$
# old-style pam entries (no longer provided by logcheck but needed on woody)
-PAM_.*: .* session (opened|closed) for user .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_.*: .* session (opened|closed) for user .*
## netatalk
-afpd\[[0-9]+\]: [^[:space:]]+: E:AFPDaemon: bad function 7A
-afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied
-afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: (PAM Auth OK!|Success -- .*|User entered a null value -- .*)
-afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument)
-afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: User entered a null value -- No such file or directory
-atalkd\[[0-9]+\]: as_timer sendto: Netvaerket er ikke tilgaengeligt
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: E:AFPDaemon: bad function 7A
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: (PAM Auth OK!|Success -- .*|User entered a null value -- .*)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: User entered a null value -- No such file or directory
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ atalkd\[[0-9]+\]: as_timer sendto: Netvaerket er ikke tilgaengeligt
## hylafax-server
-FaxGetty\[[0-9]+\]: ANSWER: Can not lock modem device
-gnome-name-server\[[0-9]+\]: server_is_alive: .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: ANSWER: Can not lock modem device
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnome-name-server\[[0-9]+\]: server_is_alive: .*
## uw-imap
-i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\]
## ppp
-ipppd\[[0-9]+\]: Connect\[0\]: /dev/ippp[0-9], fd: 12
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: Connect\[0\]: /dev/ippp[0-9], fd: 12
## misc
-kernel: Disorder[0-9] [0-9] [0-9] f[0-9] s[0-9] rr[0-9]
-kernel: IP_MASQ:reverse ICMP: failed checksum from .*!
-kernel: OPEN: [\.0-9]* -> [\.0-9]* UDP, port: [0-9]* -> [0-9]*
-kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\)
-kernel: Shorewall:net2all:DROP:.*$
-kernel: lp[0-9]: compatibility mode
-kernel: Undo( partial)? (Hoe|loss|retrans)
-printer: offline or intervention needed
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Disorder[0-9] [0-9] [0-9] f[0-9] s[0-9] rr[0-9]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: IP_MASQ:reverse ICMP: failed checksum from .*!
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: OPEN: [\.0-9]* -> [\.0-9]* UDP, port: [0-9]* -> [0-9]*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Shorewall:net2all:DROP:.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: lp[0-9]: compatibility mode
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Undo( partial)? (Hoe|loss|retrans)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ printer: offline or intervention needed
## Printer and Windows PC at Homebase ignoring change of DHCP (192.168.101 -> 192.168.1)
-kernel: Shorewall:all2all:REJECT:.*SRC=192.168.103.17 DST=192.168.101.2 .*$
-kernel: Shorewall:all2all:REJECT:.*SRC=192.168.103.248 DST=192.168.101.22 .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Shorewall:all2all:REJECT:.*SRC=192.168.103.17 DST=192.168.101.2 .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Shorewall:all2all:REJECT:.*SRC=192.168.103.248 DST=192.168.101.22 .*$
## Non-UDMA hd cable
-kernel: hda: status timeout: status=0xd0 \{ Busy \}
-kernel: hda: no DRQ after issuing WRITE
-kernel: ide0: reset: success
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: hda: status timeout: status=0xd0 \{ Busy \}
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: hda: no DRQ after issuing WRITE
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: ide0: reset: success
## Postfix SASL not working
-postfix/smtpd\[[0-9]+\]: unable to open Berkeley db /etc/sasldb: No such file or directory
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: unable to open Berkeley db /etc/sasldb: No such file or directory
## ntp-simple
-ntpd\[[0-9]+\]: synchronisation lost
-ntpd\[[0-9]+\]: synchronisation lost
-ntpd\[[0-9]+\]: time reset [\.0-9-]* .
-ntpd\[[0-9]+\]: time reset [\.0-9-]+ s
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: synchronisation lost
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: synchronisation lost
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: time reset [\.0-9-]* .
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: time reset [\.0-9-]+ s
## portsentry
-portsentry\[[0-9]+\]: attackalert: .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ portsentry\[[0-9]+\]: attackalert: .*
## pump
-pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
## samba
-smbd\[[0-9]+\]: process_local_message: unknown UDP message command code \([0-9a-f]+\) - ignoring. $
-smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for 4\. Error = (No route to host|Connection (reset by peer|timed out)) $
-smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! $
-smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\. $
-smbd\[[0-9]+\]: [^[:space:]]+ \([\.0-9]+\) couldn't find service c $
-smbd\[[0-9]+\]: api_srv_net_share_add: Failed to unmarshall SRV_Q_NET_SHARE_ADD. $
-smbd\[[0-9]+\]: prs_mem_get: reading data of size 4 would overrun buffer. $
-smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] (lib/util_sock.c:read_data|passdb/pampass.c:smb_pam_passcheck|rpc_parse/parse_prs.c:prs_mem_get|rpc_server/srv_(pipe.c:api_rpcTNP|srvsvc.c:api_srv_net_share_add))\([0-9]+\) $
-smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] smbd/(connection.c:yield_connection|oplock.c:process_local_message|service.c:(find_service|make_connection))\([0-9]+\) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: process_local_message: unknown UDP message command code \([0-9a-f]+\) - ignoring. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for 4\. Error = (No route to host|Connection (reset by peer|timed out)) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: [^[:space:]]+ \([\.0-9]+\) couldn't find service c $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: api_srv_net_share_add: Failed to unmarshall SRV_Q_NET_SHARE_ADD. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: prs_mem_get: reading data of size 4 would overrun buffer. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] (lib/util_sock.c:read_data|passdb/pampass.c:smb_pam_passcheck|rpc_parse/parse_prs.c:prs_mem_get|rpc_server/srv_(pipe.c:api_rpcTNP|srvsvc.c:api_srv_net_share_add))\([0-9]+\) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] smbd/(connection.c:yield_connection|oplock.c:process_local_message|service.c:(find_service|make_connection))\([0-9]+\) $
## ssh
-sshd\[[0-9]+\]: Failed password for [[:alnum:]]+ from [0-9\.]+ port [0-9]+ ssh2$
-sshd\[[0-9]+\]: packet_set_maxsize: setting to 4096 $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for [[:alnum:]]+ from [0-9\.]+ port [0-9]+ ssh2$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: packet_set_maxsize: setting to 4096 $
## postfix
-postfix.*\[[0-9]+\]: .* from=<groove@mailomat.grooveattack.com>
-postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [\.[:alnum:]-]+\[[\.0-9]+\] in MAIL command: <C:\\Email\\Headers\\fresh froms 5-1\.txt>
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix.*\[[0-9]+\]: .* from=<groove@mailomat.grooveattack.com>
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [\.[:alnum:]-]+\[[\.0-9]+\] in MAIL command: <C:\\Email\\Headers\\fresh froms 5-1\.txt>
## Tulle getting spammed
-tulle postfix/smtpd\[[0-9]+\]: too many errors after RCPT from unknown\[\.0-9]+[\]
-rpc.mountd: authenticated mount request from .* for .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ tulle postfix/smtpd\[[0-9]+\]: too many errors after RCPT from unknown\[\.0-9]+[\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rpc.mountd: authenticated mount request from .* for .*
## snort
-snort: .*FrontPage
-snort: IDS015 - RPC - portmap-request-status:
-snort: IDS029 - SCAN-Possible Queso Fingerprint attempt:
-snort: IDS115 - MISC-Traceroute-UDP:
-snort: IDS212 - MISC - DNS Zone Transfer:
-snort: IDS226 - CVE-1999-0172 - CGI-formmail:
-snort: IDS246 - MISC - Large ICMP Packet:
-snort: IIS-
-snort: MISC-Attempted Sun RPC high port access:
-snort: NETBIOS-SMB-C:
-snort: NETBIOS-SMB-CD...:
-snort: NMAP TCP ping!:
-snort: RPC Info Query:
-snort: SCAN-SYN FIN:
-snort: spp_http_decode: IIS Unicode attack detected:
-snort: spp_portscan: End of portscan
-snort: spp_portscan: PORTSCAN DETECTED
-snort: spp_portscan: portscan status from
-snort: WEB-../..:
-snort: WEB-CGI-upload.pl:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: .*FrontPage
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IDS015 - RPC - portmap-request-status:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IDS029 - SCAN-Possible Queso Fingerprint attempt:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IDS115 - MISC-Traceroute-UDP:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IDS212 - MISC - DNS Zone Transfer:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IDS226 - CVE-1999-0172 - CGI-formmail:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IDS246 - MISC - Large ICMP Packet:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IIS-
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: MISC-Attempted Sun RPC high port access:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: NETBIOS-SMB-C:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: NETBIOS-SMB-CD...:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: NMAP TCP ping!:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: RPC Info Query:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: SCAN-SYN FIN:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: spp_http_decode: IIS Unicode attack detected:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: spp_portscan: End of portscan
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: spp_portscan: PORTSCAN DETECTED
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: spp_portscan: portscan status from
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: WEB-../..:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: WEB-CGI-upload.pl:
## postgres
-postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .*
-postgres\[[0-9]+\]: \[[0-9-]+\] LOG: connection received: host=\[local\]$
-postgres\[[0-9]+\]: \[[0-9-]+\] LOG: connection authorized: user=postgres database=template1
-postgres\[[0-9]+\]: \[[0-9-]+\] Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\.
-postgres\[[0-9]+\]: \[[0-9-]+\] [0-9]*; Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] LOG: connection received: host=\[local\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] LOG: connection authorized: user=postgres database=template1
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] [0-9]*; Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\.
## amavis
-amavis\[[0-9]+\]: warning - MIME::Parser error: .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: warning - MIME::Parser error: .*
## Misc entries on Gibraltar (using older logcheck and syslog...)
--- MARK -- $
-/USR/SBIN/CRON\[[0-9]+\]: \(root\) CMD \(test -x /usr/sbin/logcheck && nice -n10 /usr/sbin/logcheck\) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ -- MARK -- $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \(root\) CMD \(test -x /usr/sbin/logcheck && nice -n10 /usr/sbin/logcheck\) $
### ignore.d.server/ucd-snmp
-ucd-snmp\[[0-9]+\]: Connection from .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ucd-snmp\[[0-9]+\]: Connection from .*
### ignore.d.server/uptimed
-uptimed: moving up to position [0-9]+: [0-9]+ days, [0-9:]+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ uptimed: moving up to position [0-9]+: [0-9]+ days, [0-9:]+
diff --git a/logcheck/ignore.d.server/mailutils-imap4d b/logcheck/ignore.d.server/mailutils-imap4d
index 328d24c..c90dd27 100644
--- a/logcheck/ignore.d.server/mailutils-imap4d
+++ b/logcheck/ignore.d.server/mailutils-imap4d
@@ -1,5 +1,5 @@
-gnu-imap4d\[[0-9]+\]: Incoming connection opened$
-gnu-imap4d\[[0-9]+\]: connect from [\.0-9]+$
-gnu-imap4d\[[0-9]+\]: User '[[:alnum:]]+' logged in$
-gnu-imap4d\[[0-9]+\]: Session timed out for user: [[:alnum:]]+$
-gnu-imap4d\[[0-9]+\]: got signal Alarm clock$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnu-imap4d\[[0-9]+\]: Incoming connection opened$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnu-imap4d\[[0-9]+\]: connect from [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnu-imap4d\[[0-9]+\]: User '[[:alnum:]]+' logged in$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnu-imap4d\[[0-9]+\]: Session timed out for user: [[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnu-imap4d\[[0-9]+\]: got signal Alarm clock$
diff --git a/logcheck/ignore.d.server/misc b/logcheck/ignore.d.server/misc
index 5d2ec5d..fa4f07c 100644
--- a/logcheck/ignore.d.server/misc
+++ b/logcheck/ignore.d.server/misc
@@ -1,11 +1,11 @@
# Figure out if these belong to dhcp or dhcp3-common (or dhclient?)
-dhcpd.*: Reclaiming( REQUESTed) abandoned IP address [\.0-9]+
-dhcpd.*: already acking lease
-dhcpd.*: send_packet: Connection refused
-dhcpd.*: fallback_discard: Connection refused
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd.*: Reclaiming( REQUESTed) abandoned IP address [\.0-9]+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd.*: already acking lease
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd.*: send_packet: Connection refused
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd.*: fallback_discard: Connection refused
# These show up when isdnutils is installed, but isn't strictly related to those packages
-kernel: isdn_net: call from [,0-9]+ -> [0-9]+$
-kernel: isdn_net: Service-Indicator not [0-9], ignored$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: isdn_net: call from [,0-9]+ -> [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: isdn_net: Service-Indicator not [0-9], ignored$
# This one shows up with firewalls blocking SMB ports non-silently
-kernel: Packet log: input DENY .*:(137|138) .*:(137|138) .*$
-kernel: Shorewall:net2all:DROP:.* (SPT|DPT)=(13[789]|445) .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Packet log: input DENY .*:(137|138) .*:(137|138) .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Shorewall:net2all:DROP:.* (SPT|DPT)=(13[789]|445) .*$
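Review bot: The four dhcpd rules keep `dhcpd.*:` as the tag, so their left side is still not strict after this change. The `.*` can run across the rest of the line, so the rule suppresses any line from a program whose name begins with dhcpd that merely contains the message text after some later colon. Matching the tag the way the other files do, e.g. `^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(\[[0-9]+\])?: send_packet: Connection refused`, would close that; the PID group is optional because the diff does not show whether dhcpd logs one. These rules also have no `$`, and the same open right side remains in the postfix `SSL_connect error` / `SSL_accept error` rules and in all five spamassassin rules further down, so it is worth anchoring wherever the message is known to end.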
diff --git a/logcheck/ignore.d.server/murasaki b/logcheck/ignore.d.server/murasaki
index a4af7d5..3fcea13 100644
--- a/logcheck/ignore.d.server/murasaki
+++ b/logcheck/ignore.d.server/murasaki
@@ -1,7 +1,7 @@
-murasaki\.usb\[[0-9]+\]: found depended module="[[:alnum:]]+"$
-murasaki\.(usb|net)\[[0-9]+\]: try expanding "\[net\]"$
-murasaki\.(usb|net)\[[0-9]+\]: dependent\(net\) is found$
-murasaki\.(usb|net)\[[0-9]+\]: net device is (added|removed|(un)?register(e)?d)$
-murasaki\.(usb|net)\[[0-9]+\]: Execuing "net" "(stop|start)"$
-murasaki\.(usb|net)\[[0-9]+\]: execute if(up|down) (eth|(i)?ppp|irda)[0-9]$
-murasaki\.usb\[[0-9]+\]: (MATCH\(audio\) -> match_flags:[[:alnum:]]+ )?vendor:[[:alnum:]]+ product:[[:alnum:]]+ Dclass:[[:alnum:]]+ Dsubclass:[[:alnum:]]+ Dprotocol:[[:alnum:]]+ Iclass:[[:alnum:]]+ Isubclass:[[:alnum:]]+ Iprotocol:[[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ murasaki\.usb\[[0-9]+\]: found depended module="[[:alnum:]]+"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ murasaki\.(usb|net)\[[0-9]+\]: try expanding "\[net\]"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ murasaki\.(usb|net)\[[0-9]+\]: dependent\(net\) is found$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ murasaki\.(usb|net)\[[0-9]+\]: net device is (added|removed|(un)?register(e)?d)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ murasaki\.(usb|net)\[[0-9]+\]: Execuing "net" "(stop|start)"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ murasaki\.(usb|net)\[[0-9]+\]: execute if(up|down) (eth|(i)?ppp|irda)[0-9]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ murasaki\.usb\[[0-9]+\]: (MATCH\(audio\) -> match_flags:[[:alnum:]]+ )?vendor:[[:alnum:]]+ product:[[:alnum:]]+ Dclass:[[:alnum:]]+ Dsubclass:[[:alnum:]]+ Dprotocol:[[:alnum:]]+ Iclass:[[:alnum:]]+ Isubclass:[[:alnum:]]+ Iprotocol:[[:alnum:]]+$
diff --git a/logcheck/ignore.d.server/nagios b/logcheck/ignore.d.server/nagios
index 248f54c..33e437f 100644
--- a/logcheck/ignore.d.server/nagios
+++ b/logcheck/ignore.d.server/nagios
@@ -1,2 +1,2 @@
-nagios: Auto-save of retention data completed successfully\. $
-nagios: LOG ROTATION: DAILY $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios: Auto-save of retention data completed successfully\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios: LOG ROTATION: DAILY $
diff --git a/logcheck/ignore.d.server/netatalk.changes b/logcheck/ignore.d.server/netatalk.changes
index 3d91662..92b68ef 100644
--- a/logcheck/ignore.d.server/netatalk.changes
+++ b/logcheck/ignore.d.server/netatalk.changes
@@ -1,31 +1,31 @@
# Lines with "[^[:space:]]+:" at the beginning are for netatalk 1.6.x or newer.
-afpd\[[0-9]+\]: (atp_rresp|afp_die: asp_shutdown): Connection timed out$
-afpd\[[0-9]+\]: [^[:space:]]+: D5:AFPDaemon: Parsing volset [^[:space:]]+$
-afpd\[[0-9]+\]: [^[:space:]]+: D5:AFPDaemon: using codepage directory: /etc/netatalk/nls/maccode\.[\.a-z0-9-]+$
-afpd\[[0-9]+\]: [^[:space:]]+: E:AFPDaemon: afp_alarm: child timed out$
-afpd\[[0-9]+\]: [^[:space:]]+: E:Default: atp_rresp: Connection timed out$
-afpd\[[0-9]+\]: [^[:space:]]+: E:Default: dsi_stream_read\(-1\): Connection reset by peer$
-afpd\[[0-9]+\]: [^[:space:]]+: E:Default: dsi_stream_write: Broken pipe$
-afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: (afp_flushfork|afp_read|getforkparms): (ad_refresh|of_find): (No such file or directory|No such process|Permission denied)$
-afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: (registering [[:alnum:]]+ \(uid [0-9]+\) on [\.0-9]+ as|removed) /[^[:space:]]+/net[\.0-9]+node[0-9]+$
-afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: Connection terminated$
-afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: [\.[:alnum:]]+ read, [\.[:alnum:]]+ written$
-afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: login [[:alnum:]]+ \(uid [0-9]+, gid [0-9]+\)( AFP2\.2)?$
-afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: logout [[:alnum:]]+$
-afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: session from [\.:0-9]+ on [\.:0-9]+$
-afpd\[[0-9]+\]: [^[:space:]]+: I:Default: (server_child\[[0-9]+\] [0-9]+ )?(done|exited 1)$
-afpd\[[0-9]+\]: [^[:space:]]+: I:Default: ASIP session:[0-9]+\([0-9]+\) from [\.:0-9]+\([0-9]+\)$
-afpd\[[0-9]+\]: [^[:space:]]+: I:Default: CNID DB initialized using Sleepycat Software: Berkeley DB( [\.0-9]+: \([^\(]+\))?$
-afpd\[[0-9]+\]: [^[:space:]]+: I:Default: asp_alrm: [0-9]+ timed out$
-afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: ((dhx|cleartext|randnum/rand2num) )?login: [[:alnum:]]+$
-afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: login noauth$
-afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: uams_dhx_pam.c :PAM: PAM (Auth OK!|Success -- Success)$
-afpd\[[0-9]+\]: [^[:space:]]+: S:Logger: can't open Logfile /var/log/netatalk.log$
-afpd\[[0-9]+\]: [_[:alnum:]]+(\(-?[0-9]+\))?: stat [^:]+: (No such file or directory|Permission denied)$
-afpd\[[0-9]+\]: dsi_stream_read\(0\): (No such file or directory|No such process|Permission denied)$
-afpd\[[0-9]+\]: dsi_stream_read\(0\): Success$
-afpd\[[0-9]+\]: error stat'ing /[^[:space:]]+/net[\.0-9]+node[0-9]+: No such file or directory$
-atalkd\[[0-9]+\]: (as_timer|nbp brrq) sendto [\.0-9]+( \([0-9]+\))?: Network is unreachable $
-atalkd\[[0-9]+\]: zip (ignoring gnireply|gnireply from [\.0-9]+ \([[:alnum:]]+ [[:alnum:]]+\)) $
-papd\[[0-9]+\]: [^[:space:]]+: I:PAPDaemon: child [0-9]+ done$
-papd\[[0-9]+\]: [^[:space:]]+: I:PAPDaemon: child [0-9]+ for "[^"]+" from [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: (atp_rresp|afp_die: asp_shutdown): Connection timed out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: D5:AFPDaemon: Parsing volset [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: D5:AFPDaemon: using codepage directory: /etc/netatalk/nls/maccode\.[\.a-z0-9-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: E:AFPDaemon: afp_alarm: child timed out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: E:Default: atp_rresp: Connection timed out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: E:Default: dsi_stream_read\(-1\): Connection reset by peer$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: E:Default: dsi_stream_write: Broken pipe$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: (afp_flushfork|afp_read|getforkparms): (ad_refresh|of_find): (No such file or directory|No such process|Permission denied)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: (registering [[:alnum:]]+ \(uid [0-9]+\) on [\.0-9]+ as|removed) /[^[:space:]]+/net[\.0-9]+node[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: Connection terminated$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: [\.[:alnum:]]+ read, [\.[:alnum:]]+ written$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: login [[:alnum:]]+ \(uid [0-9]+, gid [0-9]+\)( AFP2\.2)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: logout [[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:AFPDaemon: session from [\.:0-9]+ on [\.:0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:Default: (server_child\[[0-9]+\] [0-9]+ )?(done|exited 1)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:Default: ASIP session:[0-9]+\([0-9]+\) from [\.:0-9]+\([0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:Default: CNID DB initialized using Sleepycat Software: Berkeley DB( [\.0-9]+: \([^\(]+\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:Default: asp_alrm: [0-9]+ timed out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: ((dhx|cleartext|randnum/rand2num) )?login: [[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: login noauth$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: uams_dhx_pam.c :PAM: PAM (Auth OK!|Success -- Success)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: S:Logger: can't open Logfile /var/log/netatalk.log$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [_[:alnum:]]+(\(-?[0-9]+\))?: stat [^:]+: (No such file or directory|Permission denied)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: dsi_stream_read\(0\): (No such file or directory|No such process|Permission denied)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: dsi_stream_read\(0\): Success$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: error stat'ing /[^[:space:]]+/net[\.0-9]+node[0-9]+: No such file or directory$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ atalkd\[[0-9]+\]: (as_timer|nbp brrq) sendto [\.0-9]+( \([0-9]+\))?: Network is unreachable $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ atalkd\[[0-9]+\]: zip (ignoring gnireply|gnireply from [\.0-9]+ \([[:alnum:]]+ [[:alnum:]]+\)) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ papd\[[0-9]+\]: [^[:space:]]+: I:PAPDaemon: child [0-9]+ done$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ papd\[[0-9]+\]: [^[:space:]]+: I:PAPDaemon: child [0-9]+ for "[^"]+" from [\.0-9]+$
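Review bot: The UAMSDaemon rule with `((dhx|cleartext|randnum/rand2num) )?login:` and the `login noauth$` rule suppress every cleartext-password and guest login along with the DHX ones. On a server where those two methods are not expected, their use is exactly what a logcheck report should surface. Consider narrowing the alternation to `((dhx|randnum/rand2num) )?login: [[:alnum:]]+$` and dropping the `login noauth$` rule, or moving both to a site-local file. This is a policy call that the diff alone cannot settle.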
diff --git a/logcheck/ignore.d.server/netsaint b/logcheck/ignore.d.server/netsaint
index 90743ec..363b73e 100644
--- a/logcheck/ignore.d.server/netsaint
+++ b/logcheck/ignore.d.server/netsaint
@@ -1,5 +1,5 @@
-netsaint: (HOST|SERVICE) (ALERT|NOTIFICATION|FLAPPING ALERT): .*$
-netsaint: Auto-save of retention data completed successfully\. $
-netsaint: Caught SIGTERM, shutting down\.\.\. $
-netsaint: Entering active mode\.\.\. $
-netsaint: NetSaint [\.0-9]+ starting\.\.\. \(PID=[0-9]+\) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: (HOST|SERVICE) (ALERT|NOTIFICATION|FLAPPING ALERT): .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: Auto-save of retention data completed successfully\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: Caught SIGTERM, shutting down\.\.\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: Entering active mode\.\.\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: NetSaint [\.0-9]+ starting\.\.\. \(PID=[0-9]+\) $
diff --git a/logcheck/ignore.d.server/nfs-kernel-server b/logcheck/ignore.d.server/nfs-kernel-server
index ce04275..77b4b17 100644
--- a/logcheck/ignore.d.server/nfs-kernel-server
+++ b/logcheck/ignore.d.server/nfs-kernel-server
@@ -1,3 +1,3 @@
-mountd\[[0-9]+\]: NFS mount of /[^[:space:]]+ attempted from [\.0-9]+$
-mountd\[[0-9]+\]: /[^[:space:]]+ has been mounted by [\.0-9]+$
-rpc\.mountd: authenticated unmount request from [\.0-9]+:[0-9]+ for /[^[:space:]]+ \(/[^[:space:]\)]+\) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mountd\[[0-9]+\]: NFS mount of /[^[:space:]]+ attempted from [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mountd\[[0-9]+\]: /[^[:space:]]+ has been mounted by [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rpc\.mountd: authenticated unmount request from [\.0-9]+:[0-9]+ for /[^[:space:]]+ \(/[^[:space:]\)]+\) $
diff --git a/logcheck/ignore.d.server/non-debian b/logcheck/ignore.d.server/non-debian
index 4f67cf7..4f6bc26 100644
--- a/logcheck/ignore.d.server/non-debian
+++ b/logcheck/ignore.d.server/non-debian
@@ -2,10 +2,10 @@
# (and advertised through DHCP)
#
# HP printers
-printer: peripheral low-power state$
-printer: paper out$
-printer: error cleared$
-printer: powered up$
-printer: ready to print$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ printer: peripheral low-power state$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ printer: paper out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ printer: error cleared$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ printer: powered up$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ printer: ready to print$
# FloppyFW DHCP server
-[0-9A-F]+ 400 DHCP SERVER Offered \| Offering: [\.0-9]+ To: [0-9A-F]+ By: [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [0-9A-F]+ 400 DHCP SERVER Offered \| Offering: [\.0-9]+ To: [0-9A-F]+ By: [\.0-9]+$
diff --git a/logcheck/ignore.d.server/ntp-simple.changes b/logcheck/ignore.d.server/ntp-simple.changes
index 4cfc389..54438ad 100644
--- a/logcheck/ignore.d.server/ntp-simple.changes
+++ b/logcheck/ignore.d.server/ntp-simple.changes
@@ -1,6 +1,6 @@
-ntpd\[[0-9]+\]: kern_enable is 1$
-ntpd\[[0-9]+\]: kernel time discipline status [0-9]+$
-ntpd\[[0-9]+\]: precision = [0-9]+ usec$
-ntpd\[[0-9]+\]: signal_no_reset: signal 13 had flags [0-9]+$
-ntpd\[[0-9]+\]: using kernel phase-lock loop [0-9]+$
-ntpd\[[0-9]+\]: ntpd [\.0-9]+ [a-zA-Z]+ [a-zA-Z]+ [0-9]+ [0-9:]+ UTC 200[2-9]+ \(2\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kern_enable is 1$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time discipline status [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: precision = [0-9]+ usec$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: signal_no_reset: signal 13 had flags [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: using kernel phase-lock loop [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: ntpd [\.0-9]+ [a-zA-Z]+ [a-zA-Z]+ [0-9]+ [0-9:]+ UTC 200[2-9]+ \(2\)$
diff --git a/logcheck/ignore.d.server/pop-before-smtp b/logcheck/ignore.d.server/pop-before-smtp
index 4ff492b..5394582 100644
--- a/logcheck/ignore.d.server/pop-before-smtp
+++ b/logcheck/ignore.d.server/pop-before-smtp
@@ -1 +1 @@
-pop-before-smtp\[[0-9]+\]: (opening|closing) relay for [\.0-9]+( --- not in mynetworks)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pop-before-smtp\[[0-9]+\]: (opening|closing) relay for [\.0-9]+( --- not in mynetworks)?$
diff --git a/logcheck/ignore.d.server/postfix b/logcheck/ignore.d.server/postfix
index bda61d5..8f35255 100644
--- a/logcheck/ignore.d.server/postfix
+++ b/logcheck/ignore.d.server/postfix
@@ -1,42 +1,42 @@
-postfix/[[:alnum:]]+\[[0-9]+\]: table has changed -- exiting$
-postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=.*$
-postfix/cleanup\[[0-9]+\]: warning: premature end-of-input from cleanup socket while reading input attribute name$
-postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied$
-postfix/master\[[0-9]+\]: reload configuration$
-postfix/n?qmgr\[[0-9]+\]: [A-Z0-9]+: from=<[^,]*>, status=expired, returned to sender$
-postfix/n?qmgr\[[0-9]+\]: [A-Z0-9]+: skipped, still being delivered$
-postfix/postfix-script: refreshing the Postfix mail system$
-postfix/smtp\[[0-9]+\]: Peer certi?ficate could not be verified$
-postfix/smtp\[[0-9]+\]: SSL_connect error to [^[:space:]]+: -1
-postfix/smtp\[[0-9]+\]: [A-Z0-9]+: enabling PIX <CRLF>\.<CRLF> workaround for [^[:space:]]+\[[\.0-9]+\]$
-postfix/smtp\[[0-9]+\]: [^[:space:]]+ status=deferred \(connect to [^[:space:]]+\[[\.0-9]+\]: (Connection refused|server refused mail service)\)$
-postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: (Connection (refused|reset by peer|timed out)|read timeout|server (refused mail service|dropped connection)|No route to host) \(port 25\)$
-postfix/smtp\[[0-9]+\]: setting up TLS connection to [^[:space:]]+$
-postfix/smtp\[[0-9]+\]: verify error:num=10:certificate has expired$
-postfix/smtp\[[0-9]+\]: warning: bad size limit "truncates" in EHLO reply from [^[:space:]]+$
-postfix/smtp\[[0-9]+\]: warning: host [^[:space:]]+\[[\.0-9]+\] (greeted me|replied to HELO/EHLO) with my own hostname [^[:space:]]+$
-postfix/smtp\[[0-9]+\]: warning: no MX host for [^[:space:]]+ has a valid A record$
-postfix/smtpd?\[[0-9]+\]: (Unv|V)erified: subject_CN=.*, issuer=.*$
-postfix/smtpd?\[[0-9]+\]: TLS connection established (from|to) [^[:space:]]+: (SSL|TLS)v[123] with cipher [^[:space:]]+ \([0-9/]+ bits\)$
-postfix/smtpd?\[[0-9]+\]: cert has expired$
-postfix/smtpd?\[[0-9]+\]: fingerprint=[0-9A-F:]+$
-postfix/smtpd?\[[0-9]+\]: setting up TLS connection (from|to) [^[:space:]]+\[[\.0-9]+\]$
-postfix/smtpd?\[[0-9]+\]: verify error:num=(10:certificate has expired|18:self signed certificate|19:self signed certificate in certificate chain|20:unable to get local issuer certificate|21:unable to verify the first certificate|26:unsupported certificate purpose|27:certificate not trusted)$
-postfix/smtpd?\[[0-9]+\]: warning: (numeric|malformed) domain name in resource data of MX record for [^[:space:]]+: [^[:space:]]*$
-postfix/smtpd?\[[0-9]+\]: warning: valid_hostname: (empty hostname|invalid character [0-9]+\(decimal\): [^[:space:]]+)$
-postfix/smtpd\[[0-9]+\]: ((dis)?connect|setting up TLS connection|lost connection after AUTH) from [^[:space:]]+\[[\.0-9]+\]$
-postfix/smtpd\[[0-9]+\]: (lost connection|timeout) after [^ ]+ from [^[:space:]]+\[[\.0-9]+\]$
-postfix/smtpd\[[0-9]+\]: SSL_accept error from [^[:space:]]+\[[\.0-9]+\]: 0
-postfix/smtpd\[[0-9]+\]: [0-9]+:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1\.c:100:
-postfix/smtpd\[[0-9]+\]: [0-9]+:error:1408807A:SSL routines:SSL3_GET_CERT_VERIFY:bad rsa signature:s3_srvr\.c:1833:
-postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: [^[:space:]]+\[[\.0-9]+\], sasl_method=PLAIN, sasl_username=[[:alnum:]]+$
-postfix/smtpd\[[0-9]+\]: too many errors after RCPT from [^[:space:]]+\[[\.0-9]+\]$
-postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in (MAIL|RCPT) command: (<[^>]+>)?$
-postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: address not listed for hostname [^[:space:]]+$
-postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host name has no address$
-postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\] sent ([^[:space:]]+ header|mail content) instead of SMTP command: .*
-postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\]: hostname [^[:space:]]+ verification failed: Host not found$
-postfix/smtpd\[[0-9]+\]: warning: numeric result [\.0-9]+ in address->name lookup for [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: table has changed -- exiting$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: warning: premature end-of-input from cleanup socket while reading input attribute name$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/master\[[0-9]+\]: reload configuration$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [A-Z0-9]+: from=<[^,]*>, status=expired, returned to sender$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [A-Z0-9]+: skipped, still being delivered$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/postfix-script: refreshing the Postfix mail system$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: Peer certi?ficate could not be verified$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: SSL_connect error to [^[:space:]]+: -1
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [A-Z0-9]+: enabling PIX <CRLF>\.<CRLF> workaround for [^[:space:]]+\[[\.0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [^[:space:]]+ status=deferred \(connect to [^[:space:]]+\[[\.0-9]+\]: (Connection refused|server refused mail service)\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: (Connection (refused|reset by peer|timed out)|read timeout|server (refused mail service|dropped connection)|No route to host) \(port 25\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: setting up TLS connection to [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: verify error:num=10:certificate has expired$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: bad size limit "truncates" in EHLO reply from [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: host [^[:space:]]+\[[\.0-9]+\] (greeted me|replied to HELO/EHLO) with my own hostname [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: no MX host for [^[:space:]]+ has a valid A record$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: (Unv|V)erified: subject_CN=.*, issuer=.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: TLS connection established (from|to) [^[:space:]]+: (SSL|TLS)v[123] with cipher [^[:space:]]+ \([0-9/]+ bits\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: cert has expired$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: fingerprint=[0-9A-F:]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: setting up TLS connection (from|to) [^[:space:]]+\[[\.0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: verify error:num=(10:certificate has expired|18:self signed certificate|19:self signed certificate in certificate chain|20:unable to get local issuer certificate|21:unable to verify the first certificate|26:unsupported certificate purpose|27:certificate not trusted)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: warning: (numeric|malformed) domain name in resource data of MX record for [^[:space:]]+: [^[:space:]]*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: warning: valid_hostname: (empty hostname|invalid character [0-9]+\(decimal\): [^[:space:]]+)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: ((dis)?connect|setting up TLS connection|lost connection after AUTH) from [^[:space:]]+\[[\.0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: (lost connection|timeout) after [^ ]+ from [^[:space:]]+\[[\.0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: SSL_accept error from [^[:space:]]+\[[\.0-9]+\]: 0
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [0-9]+:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1\.c:100:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [0-9]+:error:1408807A:SSL routines:SSL3_GET_CERT_VERIFY:bad rsa signature:s3_srvr\.c:1833:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: [^[:space:]]+\[[\.0-9]+\], sasl_method=PLAIN, sasl_username=[[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: too many errors after RCPT from [^[:space:]]+\[[\.0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in (MAIL|RCPT) command: (<[^>]+>)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: address not listed for hostname [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host name has no address$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\] sent ([^[:space:]]+ header|mail content) instead of SMTP command: .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\]: hostname [^[:space:]]+ verification failed: Host not found$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: numeric result [\.0-9]+ in address->name lookup for [\.0-9]+$
# These are only for postfix >= 2.0:
-postfix/qmgr\[[0-9]+\]: [A-Z0-9]+: to=<[^,]+, relay=none, delay=[0-9]+, status=deferred \(connect to [^[:space:]]+\[[\.0-9]+\]: server dropped connection without sending the initial greeting\)$
-postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server dropped connection without sending the initial greeting \(port 25\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [A-Z0-9]+: to=<[^,]+, relay=none, delay=[0-9]+, status=deferred \(connect to [^[:space:]]+\[[\.0-9]+\]: server dropped connection without sending the initial greeting\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server dropped connection without sending the initial greeting \(port 25\)$
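Review bot: The `lost connection after AUTH` alternative in the first `postfix/smtpd` rule is redundant, because the next rule, `(lost connection|timeout) after [^ ]+ from`, already matches it for every SMTP stage. As written, both rules suppress AUTH-stage drops, which in bulk can be a sign of password guessing against the server. If suppression is intended, the first rule can shrink to `postfix/smtpd\[[0-9]+\]: ((dis)?connect|setting up TLS connection) from [^[:space:]]+\[[\.0-9]+\]$`. If AUTH drops should stay visible, it is the second rule's `[^ ]+` that needs narrowing to the stages considered harmless.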
diff --git a/logcheck/ignore.d.server/postgresql b/logcheck/ignore.d.server/postgresql
index 8587cf7..cbc6d10 100644
--- a/logcheck/ignore.d.server/postgresql
+++ b/logcheck/ignore.d.server/postgresql
@@ -1,2 +1,2 @@
-postgres\[[0-9]+\]: \[[0-9-]+\] \^ICPU .* sec elapsed .* sec\.$
-postgres\[[0-9]+\]: \[[0-9-]+\] \^ITotal CPU .* sec elapsed .* sec\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] \^ICPU .* sec elapsed .* sec\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] \^ITotal CPU .* sec elapsed .* sec\.$
diff --git a/logcheck/ignore.d.server/ppp b/logcheck/ignore.d.server/ppp
index 48839cb..586c9de 100644
--- a/logcheck/ignore.d.server/ppp
+++ b/logcheck/ignore.d.server/ppp
@@ -1,9 +1,9 @@
-chat\[[0-9]+\]: abort on \(.*\)$
-chat\[[0-9]+\]: expect \(.*\)$
-chat\[[0-9]+\]: send \(AT.*\^M\)$
-chat\[[0-9]+\]: -- got it$
-chat\[[0-9]+\]: AT.*\^M\^M$
-chat\[[0-9]+\]: \^M$
-chat\[[0-9]+\]: CONNECT$
-chat\[[0-9]+\]: OK$
-chat\[[0-9]+\]: send \(\\d\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ chat\[[0-9]+\]: abort on \(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ chat\[[0-9]+\]: expect \(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ chat\[[0-9]+\]: send \(AT.*\^M\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ chat\[[0-9]+\]: -- got it$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ chat\[[0-9]+\]: AT.*\^M\^M$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ chat\[[0-9]+\]: \^M$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ chat\[[0-9]+\]: CONNECT$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ chat\[[0-9]+\]: OK$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ chat\[[0-9]+\]: send \(\\d\)$
diff --git a/logcheck/ignore.d.server/proftpd b/logcheck/ignore.d.server/proftpd
index 09b752e..6633054 100644
--- a/logcheck/ignore.d.server/proftpd
+++ b/logcheck/ignore.d.server/proftpd
@@ -1,7 +1,7 @@
-proftpd\[[0-9]+\]: No certificate files found! $
-proftpd\[[0-9]+\]: [^[:space:]]+ ([^[:space:]\[]+\[[\.0-9]\]) - Refused PORT.* (address mismatch)\. $
-proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - FTP (login timed out|no transfer timeout), disconnected\. $
-proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - FTP session (closed|opened)\. $
-proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - USER [^[:space:]]+: (Login successful\.|no such user found from .*\[[\.0-9]+\] to [\.0-9]+:21) $
-proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - no such user '[^[:space:]]+' $
-proftpd\[[0-9]+\]: connect from [\.0-9]+ $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: No certificate files found! $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [^[:space:]]+ ([^[:space:]\[]+\[[\.0-9]\]) - Refused PORT.* (address mismatch)\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - FTP (login timed out|no transfer timeout), disconnected\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - FTP session (closed|opened)\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - USER [^[:space:]]+: (Login successful\.|no such user found from .*\[[\.0-9]+\] to [\.0-9]+:21) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - no such user '[^[:space:]]+' $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: connect from [\.0-9]+ $
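Review bot: The `Refused PORT` rule is carried over with its parentheses unescaped and with `\[[\.0-9]\]` missing the `+`. Unlike the four rules below it, the pattern therefore treats `(...)` as grouping and accepts only a one-character address, so it probably never matches the real message. If the line has the same shape as the others, the rule would read `^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - Refused PORT.* \(address mismatch\)\. $`. The effect today is only extra noise in reports, but a rule that silently never matches is easy to overlook when the file is next edited.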
diff --git a/logcheck/ignore.d.server/rpld b/logcheck/ignore.d.server/rpld
index 2dc6889..57243c9 100644
--- a/logcheck/ignore.d.server/rpld
+++ b/logcheck/ignore.d.server/rpld
@@ -1 +1 @@
-rpld\[[0-9]+\]: client [:a-f0-9]+ requested block [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rpld\[[0-9]+\]: client [:a-f0-9]+ requested block [\.0-9]+$
diff --git a/logcheck/ignore.d.server/samba b/logcheck/ignore.d.server/samba
index 868d988..7888b6f 100644
--- a/logcheck/ignore.d.server/samba
+++ b/logcheck/ignore.d.server/samba
@@ -1,2 +1,2 @@
-smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for 4\. Error = (No route to host|Connection reset by peer)$
-smbd\[[0-9]+\]: \[[/0-9]+ [0-9:]+, [0-9]+\] lib/util_sock.c:read(_socket)?_data\([0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for 4\. Error = (No route to host|Connection reset by peer)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: \[[/0-9]+ [0-9:]+, [0-9]+\] lib/util_sock.c:read(_socket)?_data\([0-9]+\)$
diff --git a/logcheck/ignore.d.server/sfs-client b/logcheck/ignore.d.server/sfs-client
index 1e77a09..5200627 100644
--- a/logcheck/ignore.d.server/sfs-client
+++ b/logcheck/ignore.d.server/sfs-client
@@ -1,2 +1,2 @@
-: nfsmounter: mounted /sfs/\.linuxmnt/[^[:blank:]]+:[0-9a-z]+/r$
-: sfsrwcd: [^[:blank:]]+:[0-9a-z]+ deleted$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ : nfsmounter: mounted /sfs/\.linuxmnt/[^[:blank:]]+:[0-9a-z]+/r$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ : sfsrwcd: [^[:blank:]]+:[0-9a-z]+ deleted$
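Review bot: Prefixing these two rules mechanically leaves `[._[:alnum:]-]+ : nfsmounter:` and `[._[:alnum:]-]+ : sfsrwcd:`, i.e. a hostname followed by a space and a bare colon with no program tag. The old unanchored `: nfsmounter:` would also have matched the tail of a tagged line, so if the daemon logs with a tag in front of that colon the new rules no longer match anything. It is worth checking against a real log line. If a tag is present, something like `[._[:alnum:]-]+ [^[:space:]]+: nfsmounter: mounted …` keeps the left side strict. The sfs-server hunk that follows has the same shape.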
diff --git a/logcheck/ignore.d.server/sfs-server b/logcheck/ignore.d.server/sfs-server
index 055b1ad..95875fb 100644
--- a/logcheck/ignore.d.server/sfs-server
+++ b/logcheck/ignore.d.server/sfs-server
@@ -1,2 +1,2 @@
-: sfsauthd: serving [^:]+:[0-9a-z]+$
-: sfssd: accepted connection from [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ : sfsauthd: serving [^:]+:[0-9a-z]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ : sfssd: accepted connection from [\.0-9]+$
diff --git a/logcheck/ignore.d.server/spamassassin b/logcheck/ignore.d.server/spamassassin
index 650f47b..c1ed42b 100644
--- a/logcheck/ignore.d.server/spamassassin
+++ b/logcheck/ignore.d.server/spamassassin
@@ -1,5 +1,5 @@
-spamd\[[0-9]+\]: Creating default_prefs
-spamd\[[0-9]+\]: connection from .* at port
-spamd\[[0-9]+\]: clean message for
-spamd\[[0-9]+\]: identified spam for
-spamd\[[0-9]+\]: skipped large message in
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: Creating default_prefs
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: connection from .* at port
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: clean message for
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: identified spam for
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: skipped large message in
diff --git a/logcheck/ignore.d.server/squid b/logcheck/ignore.d.server/squid
index 02ad6aa..5295f0c 100644
--- a/logcheck/ignore.d.server/squid
+++ b/logcheck/ignore.d.server/squid
@@ -1,10 +1,10 @@
-squid\[[0-9]+\]: Finished. Wrote [0-9]+ entries\. $
-squid\[[0-9]+\]: Took [\.0-9]+ seconds \( *[\.0-9]+ entries/sec\)\. $
-squid\[[0-9]+\]: (Closing Pinger socket|Pinger socket opened) on FD [0-9]+$
-squid\[[0-9]+\]: (access|store)LogRotate: Rotating(\.)?$
-squid\[[0-9]+\]: NETDB state saved;$
-squid\[[0-9]+\]: helperOpenServers: Starting [0-9]+ '.*' processes
-squid\[[0-9]+\]: logfileRotate: /var/log/squid/(access|store).log $
-squid\[[0-9]+\]: sslReadServer: FD [0-9]+: read failure: \(104\) Connection reset by peer $
-squid\[[0-9]+\]: storeDirWriteCleanLogs: Starting\.\.\. $
-squid\[[0-9]+\]: urlParse: Illegal character in hostname '[^']+' $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Finished. Wrote [0-9]+ entries\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Took [\.0-9]+ seconds \( *[\.0-9]+ entries/sec\)\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: (Closing Pinger socket|Pinger socket opened) on FD [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: (access|store)LogRotate: Rotating(\.)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: NETDB state saved;$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: helperOpenServers: Starting [0-9]+ '.*' processes
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: logfileRotate: /var/log/squid/(access|store).log $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: sslReadServer: FD [0-9]+: read failure: \(104\) Connection reset by peer $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: storeDirWriteCleanLogs: Starting\.\.\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: urlParse: Illegal character in hostname '[^']+' $
diff --git a/logcheck/ignore.d.server/ssh b/logcheck/ignore.d.server/ssh
index f8a7e6c..d64d593 100644
--- a/logcheck/ignore.d.server/ssh
+++ b/logcheck/ignore.d.server/ssh
@@ -1,11 +1,11 @@
-sshd\[[0-9]+\]: syslogin_perform_logout: logout\(\) returned an error$
-sshd\[[0-9]+\]: Could not reverse map address .*\.
-sshd\[[0-9]+\]: Connection closed by .*
-sshd\[[0-9]+\]: Did not receive ident(ification)? string from [\.0-9]+$
-sshd\[[0-9]+\]: scanned from [\.0-9]+ with SSH-1\.0-SSH_Version_Mapper\. Don't panic\.$
-sshd\[[0-9]+\]: Disconnecting: Your ssh version is too old and is no longer supported\. Please install a newer version\.$
-sshd\[[0-9]+\]: Accepted (keyboard-interactive|password|publickey) for [[:alnum:]]+ from [\.0-9]+ port [0-9]+( ssh2)?$
-sshd\[[0-9]+\]: warning: /etc/hosts.deny, line 15: can't verify hostname: gethostbyname(.*) failed
-sshd\[[0-9]+\]: refused connect from .*
-sshd\[[0-9]+\]: Received disconnect from [\.0-9]+: 11: Disconnect requested by Windows SSH Client.$
-sshd\[[0-9]+\]: subsystem request for sftp$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: syslogin_perform_logout: logout\(\) returned an error$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Could not reverse map address .*\.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Connection closed by .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Did not receive ident(ification)? string from [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: scanned from [\.0-9]+ with SSH-1\.0-SSH_Version_Mapper\. Don't panic\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnecting: Your ssh version is too old and is no longer supported\. Please install a newer version\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted (keyboard-interactive|password|publickey) for [[:alnum:]]+ from [\.0-9]+ port [0-9]+( ssh2)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts.deny, line 15: can't verify hostname: gethostbyname(.*) failed
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: refused connect from .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Received disconnect from [\.0-9]+: 11: Disconnect requested by Windows SSH Client.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: subsystem request for sftp$
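Review bot: In the `/etc/hosts.deny` rule the parentheses in `gethostbyname(.*)` are unescaped, so they form a regex group instead of matching the parentheses in the message. The rule is also pinned to `line 15` of one host's file and has no `$`. It still matches only because `.*` absorbs the literal parentheses, and it will silently stop matching when hosts.deny is edited. I would write it as `^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts\.deny, line [0-9]+: can't verify hostname: gethostbyname\(.*\) failed$`. The `Connection closed by .*` and `refused connect from .*` rules likewise remain open on the right, so this hunk tightens only the left side of the sshd rules.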
diff --git a/logcheck/ignore.d.server/ssmtp b/logcheck/ignore.d.server/ssmtp
index 462187c..677810e 100644
--- a/logcheck/ignore.d.server/ssmtp
+++ b/logcheck/ignore.d.server/ssmtp
@@ -1 +1 @@
-sSMTP mail\[[0-9]+\]: .* sent mail for root
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sSMTP mail\[[0-9]+\]: .* sent mail for root
diff --git a/logcheck/ignore.d.server/sysklogd b/logcheck/ignore.d.server/sysklogd
index 767efb5..e8c555a 100644
--- a/logcheck/ignore.d.server/sysklogd
+++ b/logcheck/ignore.d.server/sysklogd
@@ -1 +1 @@
-syslogd [\.#0-9]+: restart \(remote reception\)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslogd [\.#0-9]+: restart \(remote reception\)\.$
diff --git a/logcheck/ignore.d.server/tftpd b/logcheck/ignore.d.server/tftpd
index 887c704..f6631fc 100644
--- a/logcheck/ignore.d.server/tftpd
+++ b/logcheck/ignore.d.server/tftpd
@@ -1,2 +1,2 @@
-in\.tftpd\[[0-9]+\]: RRQ from [\.0-9]+ filename [^[:space:]]+ $
-in\.tftpd\[[0-9]+\]: tftp: client does not accept options
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in\.tftpd\[[0-9]+\]: RRQ from [\.0-9]+ filename [^[:space:]]+ $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in\.tftpd\[[0-9]+\]: tftp: client does not accept options
diff --git a/logcheck/ignore.d.server/tmp b/logcheck/ignore.d.server/tmp
index 15e33c5..9dd06e3 100644
--- a/logcheck/ignore.d.server/tmp
+++ b/logcheck/ignore.d.server/tmp
@@ -1,99 +1,99 @@
## imp
-IMP\[[0-9]+\]: FAILED .* to .*:143 as .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED .* to .*:143 as .*
## libpam-modules
-PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
-PAM_unix\[[0-9]+\]: check pass; user unknown$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_unix\[[0-9]+\]: check pass; user unknown$
# old-style pam entries (no longer provided by logcheck but needed on woody)
-PAM_.*: .* session (opened|closed) for user .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_.*: .* session (opened|closed) for user .*
## netatalk
-afpd\[[0-9]+\]: [^[:space:]]+: E:AFPDaemon: bad function 7A
-afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied
-afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: (PAM Auth OK!|Success -- .*|User entered a null value -- .*)
-afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument)
-afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: User entered a null value -- No such file or directory
-atalkd\[[0-9]+\]: as_timer sendto: Netvaerket er ikke tilgaengeligt
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: E:AFPDaemon: bad function 7A
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: (PAM Auth OK!|Success -- .*|User entered a null value -- .*)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: User entered a null value -- No such file or directory
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ atalkd\[[0-9]+\]: as_timer sendto: Netvaerket er ikke tilgaengeligt
## hylafax-server
-FaxGetty\[[0-9]+\]: ANSWER: Can not lock modem device
-gnome-name-server\[[0-9]+\]: server_is_alive: .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: ANSWER: Can not lock modem device
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnome-name-server\[[0-9]+\]: server_is_alive: .*
## uw-imap
-i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\]
## ppp
-ipppd\[[0-9]+\]: Connect\[0\]: /dev/ippp[0-9], fd: 12
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: Connect\[0\]: /dev/ippp[0-9], fd: 12
## misc
-kernel: Disorder[0-9] [0-9] [0-9] f[0-9] s[0-9] rr[0-9]
-kernel: IP_MASQ:reverse ICMP: failed checksum from .*!
-kernel: OPEN: [\.0-9]* -> [\.0-9]* UDP, port: [0-9]* -> [0-9]*
-kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\)
-kernel: Shorewall:net2all:DROP:.*$
-kernel: lp[0-9]: compatibility mode
-kernel: Undo( partial)? (Hoe|loss|retrans)
-printer: offline or intervention needed
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Disorder[0-9] [0-9] [0-9] f[0-9] s[0-9] rr[0-9]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: IP_MASQ:reverse ICMP: failed checksum from .*!
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: OPEN: [\.0-9]* -> [\.0-9]* UDP, port: [0-9]* -> [0-9]*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Shorewall:net2all:DROP:.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: lp[0-9]: compatibility mode
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Undo( partial)? (Hoe|loss|retrans)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ printer: offline or intervention needed
## Printer and Windows PC at Homebase ignoring change of DHCP (192.168.101 -> 192.168.1)
-kernel: Shorewall:all2all:REJECT:.*SRC=192.168.103.17 DST=192.168.101.2 .*$
-kernel: Shorewall:all2all:REJECT:.*SRC=192.168.103.248 DST=192.168.101.22 .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Shorewall:all2all:REJECT:.*SRC=192.168.103.17 DST=192.168.101.2 .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Shorewall:all2all:REJECT:.*SRC=192.168.103.248 DST=192.168.101.22 .*$
## Non-UDMA hd cable
-kernel: hda: status timeout: status=0xd0 \{ Busy \}
-kernel: hda: no DRQ after issuing WRITE
-kernel: ide0: reset: success
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: hda: status timeout: status=0xd0 \{ Busy \}
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: hda: no DRQ after issuing WRITE
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: ide0: reset: success
## Postfix SASL not working
-postfix/smtpd\[[0-9]+\]: unable to open Berkeley db /etc/sasldb: No such file or directory
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: unable to open Berkeley db /etc/sasldb: No such file or directory
## ntp-simple
-ntpd\[[0-9]+\]: synchronisation lost
-ntpd\[[0-9]+\]: synchronisation lost
-ntpd\[[0-9]+\]: time reset [\.0-9-]* .
-ntpd\[[0-9]+\]: time reset [\.0-9-]+ s
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: synchronisation lost
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: synchronisation lost
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: time reset [\.0-9-]* .
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: time reset [\.0-9-]+ s
## portsentry
-portsentry\[[0-9]+\]: attackalert: .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ portsentry\[[0-9]+\]: attackalert: .*
## pump
-pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
## samba
-smbd\[[0-9]+\]: process_local_message: unknown UDP message command code \([0-9a-f]+\) - ignoring. $
-smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for 4\. Error = (No route to host|Connection (reset by peer|timed out)) $
-smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! $
-smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\. $
-smbd\[[0-9]+\]: [^[:space:]]+ \([\.0-9]+\) couldn't find service c $
-smbd\[[0-9]+\]: api_srv_net_share_add: Failed to unmarshall SRV_Q_NET_SHARE_ADD. $
-smbd\[[0-9]+\]: prs_mem_get: reading data of size 4 would overrun buffer. $
-smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] (lib/util_sock.c:read_data|passdb/pampass.c:smb_pam_passcheck|rpc_parse/parse_prs.c:prs_mem_get|rpc_server/srv_(pipe.c:api_rpcTNP|srvsvc.c:api_srv_net_share_add))\([0-9]+\) $
-smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] smbd/(connection.c:yield_connection|oplock.c:process_local_message|service.c:(find_service|make_connection))\([0-9]+\) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: process_local_message: unknown UDP message command code \([0-9a-f]+\) - ignoring. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for 4\. Error = (No route to host|Connection (reset by peer|timed out)) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: [^[:space:]]+ \([\.0-9]+\) couldn't find service c $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: api_srv_net_share_add: Failed to unmarshall SRV_Q_NET_SHARE_ADD. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: prs_mem_get: reading data of size 4 would overrun buffer. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] (lib/util_sock.c:read_data|passdb/pampass.c:smb_pam_passcheck|rpc_parse/parse_prs.c:prs_mem_get|rpc_server/srv_(pipe.c:api_rpcTNP|srvsvc.c:api_srv_net_share_add))\([0-9]+\) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] smbd/(connection.c:yield_connection|oplock.c:process_local_message|service.c:(find_service|make_connection))\([0-9]+\) $
## ssh
-sshd\[[0-9]+\]: Failed password for [[:alnum:]]+ from [0-9\.]+ port [0-9]+ ssh2$
-sshd\[[0-9]+\]: packet_set_maxsize: setting to 4096 $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for [[:alnum:]]+ from [0-9\.]+ port [0-9]+ ssh2$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: packet_set_maxsize: setting to 4096 $
## postfix
-postfix.*\[[0-9]+\]: .* from=<groove@mailomat.grooveattack.com>
-postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [\.[:alnum:]-]+\[[\.0-9]+\] in MAIL command: <C:\\Email\\Headers\\fresh froms 5-1\.txt>
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix.*\[[0-9]+\]: .* from=<groove@mailomat.grooveattack.com>
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [\.[:alnum:]-]+\[[\.0-9]+\] in MAIL command: <C:\\Email\\Headers\\fresh froms 5-1\.txt>
## Tulle getting spammed
-tulle postfix/smtpd\[[0-9]+\]: too many errors after RCPT from unknown\[\.0-9]+[\]
-rpc.mountd: authenticated mount request from .* for .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ tulle postfix/smtpd\[[0-9]+\]: too many errors after RCPT from unknown\[\.0-9]+[\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rpc.mountd: authenticated mount request from .* for .*
## snort
-snort: .*FrontPage
-snort: IDS015 - RPC - portmap-request-status:
-snort: IDS029 - SCAN-Possible Queso Fingerprint attempt:
-snort: IDS115 - MISC-Traceroute-UDP:
-snort: IDS212 - MISC - DNS Zone Transfer:
-snort: IDS226 - CVE-1999-0172 - CGI-formmail:
-snort: IDS246 - MISC - Large ICMP Packet:
-snort: IIS-
-snort: MISC-Attempted Sun RPC high port access:
-snort: NETBIOS-SMB-C:
-snort: NETBIOS-SMB-CD...:
-snort: NMAP TCP ping!:
-snort: RPC Info Query:
-snort: SCAN-SYN FIN:
-snort: spp_http_decode: IIS Unicode attack detected:
-snort: spp_portscan: End of portscan
-snort: spp_portscan: PORTSCAN DETECTED
-snort: spp_portscan: portscan status from
-snort: WEB-../..:
-snort: WEB-CGI-upload.pl:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: .*FrontPage
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IDS015 - RPC - portmap-request-status:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IDS029 - SCAN-Possible Queso Fingerprint attempt:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IDS115 - MISC-Traceroute-UDP:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IDS212 - MISC - DNS Zone Transfer:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IDS226 - CVE-1999-0172 - CGI-formmail:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IDS246 - MISC - Large ICMP Packet:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IIS-
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: MISC-Attempted Sun RPC high port access:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: NETBIOS-SMB-C:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: NETBIOS-SMB-CD...:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: NMAP TCP ping!:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: RPC Info Query:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: SCAN-SYN FIN:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: spp_http_decode: IIS Unicode attack detected:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: spp_portscan: End of portscan
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: spp_portscan: PORTSCAN DETECTED
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: spp_portscan: portscan status from
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: WEB-../..:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: WEB-CGI-upload.pl:
## postgres
-postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .*
-postgres\[[0-9]+\]: \[[0-9-]+\] LOG: connection received: host=\[local\]$
-postgres\[[0-9]+\]: \[[0-9-]+\] LOG: connection authorized: user=postgres database=template1
-postgres\[[0-9]+\]: \[[0-9-]+\] Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\.
-postgres\[[0-9]+\]: \[[0-9-]+\] [0-9]*; Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] LOG: connection received: host=\[local\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] LOG: connection authorized: user=postgres database=template1
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] [0-9]*; Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\.
## amavis
-amavis\[[0-9]+\]: warning - MIME::Parser error: .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: warning - MIME::Parser error: .*
## Misc entries on Gibraltar (using older logcheck and syslog...)
--- MARK -- $
-/USR/SBIN/CRON\[[0-9]+\]: \(root\) CMD \(test -x /usr/sbin/logcheck && nice -n10 /usr/sbin/logcheck\) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ -- MARK -- $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \(root\) CMD \(test -x /usr/sbin/logcheck && nice -n10 /usr/sbin/logcheck\) $
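Review bot: The rule under `## Tulle getting spammed` cannot match after this change. `tulle` looks like a host name, and the new prefix already consumes the host field with `[._[:alnum:]-]+ `, so the pattern now expects a second token `tulle` before `postfix/smtpd`. The tail `unknown\[\.0-9]+[\]` also has its brackets misplaced: it reads as a literal `[.0-9`, one or more `]`, then a backslash, not as a bracketed IP address. Suggested replacement: `^\w{3} [ :0-9]{11} tulle postfix/smtpd\[[0-9]+\]: too many errors after RCPT from unknown\[[.0-9]+\]$`. This file also silences failed-auth, portsentry and snort lines, so each rule here should be confirmed to match exactly the line it was written for and nothing broader.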
diff --git a/logcheck/ignore.d.server/ucd-snmp b/logcheck/ignore.d.server/ucd-snmp
index 56f0db5..af20c76 100644
--- a/logcheck/ignore.d.server/ucd-snmp
+++ b/logcheck/ignore.d.server/ucd-snmp
@@ -1 +1 @@
-ucd-snmp\[[0-9]+\]: Connection from .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ucd-snmp\[[0-9]+\]: Connection from .*
diff --git a/logcheck/ignore.d.server/uptimed b/logcheck/ignore.d.server/uptimed
index ff20f9e..7cc4782 100644
--- a/logcheck/ignore.d.server/uptimed
+++ b/logcheck/ignore.d.server/uptimed
@@ -1 +1 @@
-uptimed: moving up to position [0-9]+: [0-9]+ days, [0-9:]+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ uptimed: moving up to position [0-9]+: [0-9]+ days, [0-9:]+
diff --git a/logcheck/ignore.d.workstation/bind b/logcheck/ignore.d.workstation/bind
index 392d443..6ad6552 100644
--- a/logcheck/ignore.d.workstation/bind
+++ b/logcheck/ignore.d.workstation/bind
@@ -1,5 +1,5 @@
-named\[[0-9]+\]: deleting interface \[[\.0-9]+\]\.[0-9]+$
-named\[[0-9]+\]: listening on IPv4 interface eth[0-9], [\.0-9]+#53$
-named\[[0-9]+\]: listening on \[[\.0-9]+\]\.[0-9]+ \([^[:space:]]+\)$
-named\[[0-9]+\]: no longer listening on [\.0-9]+#53$
-named\[[0-9]+\]: ns_forw: sendto\(\[[\.0-9]+\]\.[0-9]+\): Network is unreachable$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: deleting interface \[[\.0-9]+\]\.[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: listening on IPv4 interface eth[0-9], [\.0-9]+#53$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: listening on \[[\.0-9]+\]\.[0-9]+ \([^[:space:]]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: no longer listening on [\.0-9]+#53$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: ns_forw: sendto\(\[[\.0-9]+\]\.[0-9]+\): Network is unreachable$
diff --git a/logcheck/ignore.d.workstation/devfsd b/logcheck/ignore.d.workstation/devfsd
index 6180edb..087a103 100644
--- a/logcheck/ignore.d.workstation/devfsd
+++ b/logcheck/ignore.d.workstation/devfsd
@@ -1,2 +1,2 @@
-devfsd\[[0-9]+\]: Caught SIGHUP$
-devfsd\[[0-9]+\]: read config file: "/etc/devfsd.conf"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ devfsd\[[0-9]+\]: Caught SIGHUP$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ devfsd\[[0-9]+\]: read config file: "/etc/devfsd.conf"$
diff --git a/logcheck/ignore.d.workstation/dhcp-client b/logcheck/ignore.d.workstation/dhcp-client
index f7df051..f51cd5a 100644
--- a/logcheck/ignore.d.workstation/dhcp-client
+++ b/logcheck/ignore.d.workstation/dhcp-client
@@ -1,4 +1,4 @@
-dhclient(-2.2.x)?: No working leases in persistent database( - sleeping)?\.$
-dhclient(-2.2.x)?: Sleeping\.$
-dhclient(-2.2.x)?: No DHCPOFFERS received\.$
-dhclient(-2.2.x)?: receive_packet failed on eth[0-9]: Network is down$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: No working leases in persistent database( - sleeping)?\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: Sleeping\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: No DHCPOFFERS received\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: receive_packet failed on eth[0-9]: Network is down$
diff --git a/logcheck/ignore.d.workstation/gconf.changes b/logcheck/ignore.d.workstation/gconf.changes
index 97a7388..1b3feff 100644
--- a/logcheck/ignore.d.workstation/gconf.changes
+++ b/logcheck/ignore.d.workstation/gconf.changes
@@ -1,6 +1,6 @@
-gconfd \([^[:space:]]+\): CORBA_ORB_destroy: ORB still has [0-9]+ refs\.$
-gconfd \([^[:space:]]+\): Exiting$
-gconfd \([^[:space:]]+\): GConf server is not in use, shutting down\.$
-gconfd \([^[:space:]]+\): Resolved address "xml:readonly:/[^[:space:]]+" to a read-only config source at position [0-9]+$
-gconfd \([^[:space:]]+\): Resolved address "xml:readwrite:/[^[:space:]]+" to a writable config source at position [0-9]+$
-gconfd \([^[:space:]]+\): starting \(version [\.0-9]+\), pid [0-9]+ user '[^[:space:]]+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): CORBA_ORB_destroy: ORB still has [0-9]+ refs\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): Exiting$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): GConf server is not in use, shutting down\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): Resolved address "xml:readonly:/[^[:space:]]+" to a read-only config source at position [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): Resolved address "xml:readwrite:/[^[:space:]]+" to a writable config source at position [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): starting \(version [\.0-9]+\), pid [0-9]+ user '[^[:space:]]+'$
diff --git a/logcheck/ignore.d.workstation/gconf.da_DK b/logcheck/ignore.d.workstation/gconf.da_DK
index ca56f8b..28e8151 100644
--- a/logcheck/ignore.d.workstation/gconf.da_DK
+++ b/logcheck/ignore.d.workstation/gconf.da_DK
@@ -1,7 +1,7 @@
-gconfd \([^[:space:]]+\): Afslutter$
-gconfd \([^[:space:]]+\): Bestemte adressen "xml:readonly:/[^[:space:]]+" til en skrivebeskyttet konfigureringskilde ved position [0-9]+$
-gconfd \([^[:space:]]+\): Bestemte adressen "xml:readwrite:/[^[:space:]]+" til en skrivbar konfigureringskilde ved position [0-9]+$
-gconfd \([^[:space:]]+\): GConf-server er ikke i brug, lukker ned\.$
-gconfd \([^[:space:]]+\): Kunne ikke fjerne kataloget '/[^[:space:]]+' fra XML-bagendemellemlageret fordi den ikke er synkroniseret med disken\.$
-gconfd \([^[:space:]]+\): Modtog signal 15, lukker pænt ned$
-gconfd \([^[:space:]]+\): starter \(version [\.0-9]+\), pid [0-9]+ bruger '[^[:space:]]+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): Afslutter$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): Bestemte adressen "xml:readonly:/[^[:space:]]+" til en skrivebeskyttet konfigureringskilde ved position [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): Bestemte adressen "xml:readwrite:/[^[:space:]]+" til en skrivbar konfigureringskilde ved position [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): GConf-server er ikke i brug, lukker ned\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): Kunne ikke fjerne kataloget '/[^[:space:]]+' fra XML-bagendemellemlageret fordi den ikke er synkroniseret med disken\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): Modtog signal 15, lukker pænt ned$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): starter \(version [\.0-9]+\), pid [0-9]+ bruger '[^[:space:]]+'$
diff --git a/logcheck/ignore.d.workstation/laptop-net b/logcheck/ignore.d.workstation/laptop-net
index 81dd8bd..8108fe0 100644
--- a/logcheck/ignore.d.workstation/laptop-net
+++ b/logcheck/ignore.d.workstation/laptop-net
@@ -1,2 +1,2 @@
-ifd\[[0-9]+\]: executing: '/usr/share/laptop-net/link-change eth[0-9]+ unwatched ((((up|down),(running|stopped),(dis)?connected|unknown)|unknown)( )?){2}'$
-ifd\[[0-9]+\]: eth[0-9]+ is unavailable$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ifd\[[0-9]+\]: executing: '/usr/share/laptop-net/link-change eth[0-9]+ unwatched ((((up|down),(running|stopped),(dis)?connected|unknown)|unknown)( )?){2}'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ifd\[[0-9]+\]: eth[0-9]+ is unavailable$
diff --git a/logcheck/ignore.d.workstation/libgnorba b/logcheck/ignore.d.workstation/libgnorba
index da9f4c0..bf23f75 100644
--- a/logcheck/ignore.d.workstation/libgnorba
+++ b/logcheck/ignore.d.workstation/libgnorba
@@ -1,3 +1,3 @@
-gnome-name-server\[[0-9]+\]: starting
-gnome-name-server\[[0-9]+\]: name server starting
-gnome-name-server\[[0-9]+\]: server_is_alive: .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnome-name-server\[[0-9]+\]: starting
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnome-name-server\[[0-9]+\]: name server starting
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnome-name-server\[[0-9]+\]: server_is_alive: .*
diff --git a/logcheck/ignore.d.workstation/local b/logcheck/ignore.d.workstation/local
index 8ee691d..ae02644 100644
--- a/logcheck/ignore.d.workstation/local
+++ b/logcheck/ignore.d.workstation/local
@@ -1,74 +1,74 @@
### ignore.d.workstation/bind
-named\[[0-9]+\]: deleting interface \[[\.0-9]+\]\.[0-9]+$
-named\[[0-9]+\]: listening on IPv4 interface eth[0-9], [\.0-9]+#53$
-named\[[0-9]+\]: listening on \[[\.0-9]+\]\.[0-9]+ \([^[:space:]]+\)$
-named\[[0-9]+\]: no longer listening on [\.0-9]+#53$
-named\[[0-9]+\]: ns_forw: sendto\(\[[\.0-9]+\]\.[0-9]+\): Network is unreachable$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: deleting interface \[[\.0-9]+\]\.[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: listening on IPv4 interface eth[0-9], [\.0-9]+#53$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: listening on \[[\.0-9]+\]\.[0-9]+ \([^[:space:]]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: no longer listening on [\.0-9]+#53$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: ns_forw: sendto\(\[[\.0-9]+\]\.[0-9]+\): Network is unreachable$
### ignore.d.workstation/devfsd
-devfsd\[[0-9]+\]: Caught SIGHUP$
-devfsd\[[0-9]+\]: read config file: "/etc/devfsd.conf"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ devfsd\[[0-9]+\]: Caught SIGHUP$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ devfsd\[[0-9]+\]: read config file: "/etc/devfsd.conf"$
### ignore.d.workstation/dhcp-client
-dhclient(-2.2.x)?: No working leases in persistent database( - sleeping)?\.$
-dhclient(-2.2.x)?: Sleeping\.$
-dhclient(-2.2.x)?: No DHCPOFFERS received\.$
-dhclient(-2.2.x)?: receive_packet failed on eth[0-9]: Network is down$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: No working leases in persistent database( - sleeping)?\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: Sleeping\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: No DHCPOFFERS received\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: receive_packet failed on eth[0-9]: Network is down$
### ignore.d.workstation/gconf.changes
-gconfd \([^[:space:]]+\): CORBA_ORB_destroy: ORB still has [0-9]+ refs\.$
-gconfd \([^[:space:]]+\): Exiting$
-gconfd \([^[:space:]]+\): GConf server is not in use, shutting down\.$
-gconfd \([^[:space:]]+\): Resolved address "xml:readonly:/[^[:space:]]+" to a read-only config source at position [0-9]+$
-gconfd \([^[:space:]]+\): Resolved address "xml:readwrite:/[^[:space:]]+" to a writable config source at position [0-9]+$
-gconfd \([^[:space:]]+\): starting \(version [\.0-9]+\), pid [0-9]+ user '[^[:space:]]+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): CORBA_ORB_destroy: ORB still has [0-9]+ refs\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): Exiting$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): GConf server is not in use, shutting down\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): Resolved address "xml:readonly:/[^[:space:]]+" to a read-only config source at position [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): Resolved address "xml:readwrite:/[^[:space:]]+" to a writable config source at position [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): starting \(version [\.0-9]+\), pid [0-9]+ user '[^[:space:]]+'$
### ignore.d.workstation/gconf.da_DK
-gconfd \([^[:space:]]+\): Afslutter$
-gconfd \([^[:space:]]+\): Bestemte adressen "xml:readonly:/[^[:space:]]+" til en skrivebeskyttet konfigureringskilde ved position [0-9]+$
-gconfd \([^[:space:]]+\): Bestemte adressen "xml:readwrite:/[^[:space:]]+" til en skrivbar konfigureringskilde ved position [0-9]+$
-gconfd \([^[:space:]]+\): GConf-server er ikke i brug, lukker ned\.$
-gconfd \([^[:space:]]+\): Kunne ikke fjerne kataloget '/[^[:space:]]+' fra XML-bagendemellemlageret fordi den ikke er synkroniseret med disken\.$
-gconfd \([^[:space:]]+\): Modtog signal 15, lukker pænt ned$
-gconfd \([^[:space:]]+\): starter \(version [\.0-9]+\), pid [0-9]+ bruger '[^[:space:]]+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): Afslutter$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): Bestemte adressen "xml:readonly:/[^[:space:]]+" til en skrivebeskyttet konfigureringskilde ved position [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): Bestemte adressen "xml:readwrite:/[^[:space:]]+" til en skrivbar konfigureringskilde ved position [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): GConf-server er ikke i brug, lukker ned\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): Kunne ikke fjerne kataloget '/[^[:space:]]+' fra XML-bagendemellemlageret fordi den ikke er synkroniseret med disken\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): Modtog signal 15, lukker pænt ned$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([^[:space:]]+\): starter \(version [\.0-9]+\), pid [0-9]+ bruger '[^[:space:]]+'$
### ignore.d.workstation/laptop-net
-ifd\[[0-9]+\]: executing: '/usr/share/laptop-net/link-change eth[0-9]+ unwatched ((((up|down),(running|stopped),(dis)?connected|unknown)|unknown)( )?){2}'$
-ifd\[[0-9]+\]: eth[0-9]+ is unavailable$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ifd\[[0-9]+\]: executing: '/usr/share/laptop-net/link-change eth[0-9]+ unwatched ((((up|down),(running|stopped),(dis)?connected|unknown)|unknown)( )?){2}'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ifd\[[0-9]+\]: eth[0-9]+ is unavailable$
### ignore.d.workstation/libgnorba
-gnome-name-server\[[0-9]+\]: starting
-gnome-name-server\[[0-9]+\]: name server starting
-gnome-name-server\[[0-9]+\]: server_is_alive: .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnome-name-server\[[0-9]+\]: starting
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnome-name-server\[[0-9]+\]: name server starting
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnome-name-server\[[0-9]+\]: server_is_alive: .*
### ignore.d.workstation/misc
# Linux Thin clients
-syslogd started: BusyBox v[\.0-9]+ \([^[:space:]]+\)$
-init: Entering runlevel: 2
-rpc.mountd: authenticated mount request from 192\.168\..* for /home/opt/ltsp/i386 \(/home/opt/ltsp/i386\)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslogd started: BusyBox v[\.0-9]+ \([^[:space:]]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ init: Entering runlevel: 2
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rpc.mountd: authenticated mount request from 192\.168\..* for /home/opt/ltsp/i386 \(/home/opt/ltsp/i386\)
# Laptop sleep
-kernel: ADB keyboard at [0-9], handler [0-9]$
-kernel: ADB mouse at [0-9], handler set to [0-9] \(trackpad\)$
-kernel: PCI: Enabling bus mastering for device [0-9:\.]+$
-kernel: adb devices:( \[[0-9]\]: [0-9] [0-9a-f]+)+$
-kernel: adb: (starting|finished) probe task\.\.\.$
-kernel: eth[0-9]: Airport (entering sleep mode|waking up)$
-kernel: eth[0-9]: __orinoco_set_multicast_list\(\) called while device not present\.
-kernel: eth[0-9]: resuming$
-kernel: eth[0-9]: suspending, WakeOnLan disabled$
-kernel: hd[a-d]: Enabling MultiWord DMA [1-9]$
-kernel: hd[a-d]: Enabling Ultra DMA [1-9]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: ADB keyboard at [0-9], handler [0-9]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: ADB mouse at [0-9], handler set to [0-9] \(trackpad\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: PCI: Enabling bus mastering for device [0-9:\.]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: adb devices:( \[[0-9]\]: [0-9] [0-9a-f]+)+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: adb: (starting|finished) probe task\.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: eth[0-9]: Airport (entering sleep mode|waking up)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: eth[0-9]: __orinoco_set_multicast_list\(\) called while device not present\.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: eth[0-9]: resuming$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: eth[0-9]: suspending, WakeOnLan disabled$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: hd[a-d]: Enabling MultiWord DMA [1-9]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: hd[a-d]: Enabling Ultra DMA [1-9]$
### ignore.d.workstation/ntp-simple
-ntpd\[[0-9]+\]: synchronisation lost$
-ntpd\[[0-9]+\]: time reset [\.0-9]+ s$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: synchronisation lost$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: time reset [\.0-9]+ s$
### ignore.d.workstation/ntpdate
-ntpdate\[[0-9]+\]: can't find host$
-ntpdate\[[0-9]+\]: no servers can be used, exiting$
-ntpdate\[[0-9]+\]: step time server [\.0-9]+ offset [\.0-9]+ sec$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpdate\[[0-9]+\]: can't find host$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpdate\[[0-9]+\]: no servers can be used, exiting$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpdate\[[0-9]+\]: step time server [\.0-9]+ offset [\.0-9]+ sec$
### ignore.d.workstation/oaf
-oafd: server_is_alive: cnx\[IDL:Bonobo/ConfigDatabase:1\.0\] = ([0-9a-f]+|\(nil\))$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ oafd: server_is_alive: cnx\[IDL:Bonobo/ConfigDatabase:1\.0\] = ([0-9a-f]+|\(nil\))$
### ignore.d.workstation/pmud
-pmud\[[0-9]+\]: running /etc/power/pwrctl (maximum|minimum|sleep|wakeup|lid-(closed|opened)) (ac|battery)$
-pmud\[[0-9]+\]: lid closed: request sleep$
-pmud\[[0-9]+\]: going to sleep$
-pmud\[[0-9]+\]: initiating user requested sleep$
-pmud\[[0-9]+\]: system awake again$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pmud\[[0-9]+\]: running /etc/power/pwrctl (maximum|minimum|sleep|wakeup|lid-(closed|opened)) (ac|battery)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pmud\[[0-9]+\]: lid closed: request sleep$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pmud\[[0-9]+\]: going to sleep$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pmud\[[0-9]+\]: initiating user requested sleep$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pmud\[[0-9]+\]: system awake again$
### ignore.d.workstation/sfs-client
-: sfsrwcd: reloaded resolv.conf file$
-: sfsrwcd: changing nameserver to [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ : sfsrwcd: reloaded resolv.conf file$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ : sfsrwcd: changing nameserver to [\.0-9]+$
### ignore.d.workstation/usbutils
-kernel: usb-ohci.c: USB continue: usb-[0-9:\.]+ from host wakeup$
-kernel: usb-ohci.c: USB suspend: usb-[0-9:\.]++$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: usb-ohci.c: USB continue: usb-[0-9:\.]+ from host wakeup$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: usb-ohci.c: USB suspend: usb-[0-9:\.]++$
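Review bot: The last rule of this hunk carries a doubled quantifier, `usb-[0-9:\.]++$`, over from the old side unchanged. POSIX leaves adjacent repetition operators undefined in an ERE, so this works only if the grep in use happens to accept it, and it looks like a typo for a single `+`. Suggested line: `^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: usb-ohci.c: USB suspend: usb-[0-9:\.]+$`. The same line appears in the `ignore.d.workstation/usbutils` hunk further down.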
diff --git a/logcheck/ignore.d.workstation/misc b/logcheck/ignore.d.workstation/misc
index ef56323..7e59486 100644
--- a/logcheck/ignore.d.workstation/misc
+++ b/logcheck/ignore.d.workstation/misc
@@ -1,16 +1,16 @@
# Linux Thin clients
-syslogd started: BusyBox v[\.0-9]+ \([^[:space:]]+\)$
-init: Entering runlevel: 2
-rpc.mountd: authenticated mount request from 192\.168\..* for /home/opt/ltsp/i386 \(/home/opt/ltsp/i386\)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslogd started: BusyBox v[\.0-9]+ \([^[:space:]]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ init: Entering runlevel: 2
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rpc.mountd: authenticated mount request from 192\.168\..* for /home/opt/ltsp/i386 \(/home/opt/ltsp/i386\)
# Laptop sleep
-kernel: ADB keyboard at [0-9], handler [0-9]$
-kernel: ADB mouse at [0-9], handler set to [0-9] \(trackpad\)$
-kernel: PCI: Enabling bus mastering for device [0-9:\.]+$
-kernel: adb devices:( \[[0-9]\]: [0-9] [0-9a-f]+)+$
-kernel: adb: (starting|finished) probe task\.\.\.$
-kernel: eth[0-9]: Airport (entering sleep mode|waking up)$
-kernel: eth[0-9]: __orinoco_set_multicast_list\(\) called while device not present\.
-kernel: eth[0-9]: resuming$
-kernel: eth[0-9]: suspending, WakeOnLan disabled$
-kernel: hd[a-d]: Enabling MultiWord DMA [1-9]$
-kernel: hd[a-d]: Enabling Ultra DMA [1-9]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: ADB keyboard at [0-9], handler [0-9]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: ADB mouse at [0-9], handler set to [0-9] \(trackpad\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: PCI: Enabling bus mastering for device [0-9:\.]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: adb devices:( \[[0-9]\]: [0-9] [0-9a-f]+)+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: adb: (starting|finished) probe task\.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: eth[0-9]: Airport (entering sleep mode|waking up)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: eth[0-9]: __orinoco_set_multicast_list\(\) called while device not present\.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: eth[0-9]: resuming$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: eth[0-9]: suspending, WakeOnLan disabled$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: hd[a-d]: Enabling MultiWord DMA [1-9]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: hd[a-d]: Enabling Ultra DMA [1-9]$
diff --git a/logcheck/ignore.d.workstation/ntp-simple b/logcheck/ignore.d.workstation/ntp-simple
index 61a1838..ef4ad68 100644
--- a/logcheck/ignore.d.workstation/ntp-simple
+++ b/logcheck/ignore.d.workstation/ntp-simple
@@ -1,2 +1,2 @@
-ntpd\[[0-9]+\]: synchronisation lost$
-ntpd\[[0-9]+\]: time reset [\.0-9]+ s$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: synchronisation lost$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: time reset [\.0-9]+ s$
diff --git a/logcheck/ignore.d.workstation/ntpdate b/logcheck/ignore.d.workstation/ntpdate
index 9a1fe48..a88633e 100644
--- a/logcheck/ignore.d.workstation/ntpdate
+++ b/logcheck/ignore.d.workstation/ntpdate
@@ -1,3 +1,3 @@
-ntpdate\[[0-9]+\]: can't find host$
-ntpdate\[[0-9]+\]: no servers can be used, exiting$
-ntpdate\[[0-9]+\]: step time server [\.0-9]+ offset [\.0-9]+ sec$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpdate\[[0-9]+\]: can't find host$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpdate\[[0-9]+\]: no servers can be used, exiting$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpdate\[[0-9]+\]: step time server [\.0-9]+ offset [\.0-9]+ sec$
diff --git a/logcheck/ignore.d.workstation/oaf b/logcheck/ignore.d.workstation/oaf
index 15a7439..ebe6625 100644
--- a/logcheck/ignore.d.workstation/oaf
+++ b/logcheck/ignore.d.workstation/oaf
@@ -1 +1 @@
-oafd: server_is_alive: cnx\[IDL:Bonobo/ConfigDatabase:1\.0\] = ([0-9a-f]+|\(nil\))$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ oafd: server_is_alive: cnx\[IDL:Bonobo/ConfigDatabase:1\.0\] = ([0-9a-f]+|\(nil\))$
diff --git a/logcheck/ignore.d.workstation/pmud b/logcheck/ignore.d.workstation/pmud
index e912307..d053506 100644
--- a/logcheck/ignore.d.workstation/pmud
+++ b/logcheck/ignore.d.workstation/pmud
@@ -1,5 +1,5 @@
-pmud\[[0-9]+\]: running /etc/power/pwrctl (maximum|minimum|sleep|wakeup|lid-(closed|opened)) (ac|battery)$
-pmud\[[0-9]+\]: lid closed: request sleep$
-pmud\[[0-9]+\]: going to sleep$
-pmud\[[0-9]+\]: initiating user requested sleep$
-pmud\[[0-9]+\]: system awake again$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pmud\[[0-9]+\]: running /etc/power/pwrctl (maximum|minimum|sleep|wakeup|lid-(closed|opened)) (ac|battery)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pmud\[[0-9]+\]: lid closed: request sleep$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pmud\[[0-9]+\]: going to sleep$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pmud\[[0-9]+\]: initiating user requested sleep$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pmud\[[0-9]+\]: system awake again$
diff --git a/logcheck/ignore.d.workstation/sfs-client b/logcheck/ignore.d.workstation/sfs-client
index c5ccdee..9a84068 100644
--- a/logcheck/ignore.d.workstation/sfs-client
+++ b/logcheck/ignore.d.workstation/sfs-client
@@ -1,2 +1,2 @@
-: sfsrwcd: reloaded resolv.conf file$
-: sfsrwcd: changing nameserver to [\.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ : sfsrwcd: reloaded resolv.conf file$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ : sfsrwcd: changing nameserver to [\.0-9]+$
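Review bot: Prefixing these two rules changes what they accept, not only where they anchor. The old patterns started at `: sfsrwcd:` and so matched whatever program tag came before that colon, while the new ones match only when the host name is followed directly by ` : sfsrwcd:`, i.e. an empty tag. If the real lines carry a tag in front of the colon (not verifiable from this diff), the rules silently stop matching and the messages return to the report. It is worth checking a sample log line and, if needed, writing the tag explicitly as `[._[:alnum:]-]+ <tag>: sfsrwcd: ...`, where `<tag>` is a placeholder for the observed program name. The same two lines are in the `### ignore.d.workstation/sfs-client` section of `ignore.d.workstation/local`.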
diff --git a/logcheck/ignore.d.workstation/usbutils b/logcheck/ignore.d.workstation/usbutils
index 98b8e7f..6fa7324 100644
--- a/logcheck/ignore.d.workstation/usbutils
+++ b/logcheck/ignore.d.workstation/usbutils
@@ -1,2 +1,2 @@
-kernel: usb-ohci.c: USB continue: usb-[0-9:\.]+ from host wakeup$
-kernel: usb-ohci.c: USB suspend: usb-[0-9:\.]++$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: usb-ohci.c: USB continue: usb-[0-9:\.]+ from host wakeup$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: usb-ohci.c: USB suspend: usb-[0-9:\.]++$
diff --git a/logcheck/violations.ignore.d/amavis b/logcheck/violations.ignore.d/amavis
index ba87dbc..6db21af 100644
--- a/logcheck/violations.ignore.d/amavis
+++ b/logcheck/violations.ignore.d/amavis
@@ -1,8 +1,8 @@
-amavis\[[0-9]+\]: Checking: <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$
-amavis\[[0-9]+\]: SMTP-in \[[\.0-9]+\] /var/lib/amavis/amavis-[^[:space:]:-]+: <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$
-amavis\[[0-9]+\]: cached [a-f0-9]+ from <[^[:space:]]*>$
-amavis\[[0-9]+\]: fwd via smtp: \[[\.0-9]+:10025\] <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$
-amavis\[[0-9]+\]: infected \([^[:space:]]+\), from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine virus-[0-9-]+$
-amavis\[[0-9]+\]: local delivery: <[^[:space:]]+> -> <(spam|virus)-quarantine>, mbx=/var/lib/amavis/virusmails/(spam|virus)-[[:alnum:]-]+(\.gz)?$
-amavis\[[0-9]+\]: spam from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine spam-[^[:space:]]+$
-amavis\[[0-9]+\]: spam_scan: (No|Yes), hits=[\.0-9-]+ tests=[,_A-Z0-9]+ <[^[:space:]]*>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: Checking: <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: SMTP-in \[[\.0-9]+\] /var/lib/amavis/amavis-[^[:space:]:-]+: <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: cached [a-f0-9]+ from <[^[:space:]]*>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: fwd via smtp: \[[\.0-9]+:10025\] <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: infected \([^[:space:]]+\), from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine virus-[0-9-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: local delivery: <[^[:space:]]+> -> <(spam|virus)-quarantine>, mbx=/var/lib/amavis/virusmails/(spam|virus)-[[:alnum:]-]+(\.gz)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: spam from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine spam-[^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: spam_scan: (No|Yes), hits=[\.0-9-]+ tests=[,_A-Z0-9]+ <[^[:space:]]*>$
diff --git a/logcheck/violations.ignore.d/amavisd-new b/logcheck/violations.ignore.d/amavisd-new
index b8d31c8..9189574 100644
--- a/logcheck/violations.ignore.d/amavisd-new
+++ b/logcheck/violations.ignore.d/amavisd-new
@@ -1,2 +1,2 @@
-amavis\[[0-9]+\]: \([0-9-]+\) SPAM, <[^[:space:]]*> -> <[^[:space:]]*>, (No|Yes), hits=[\.0-9-]+ tagged_above=[\.0-9-]+ required=[\.0-9-]+ tests=[,_A-Z0-9 ]+ quarantine spam-[^[:space:]]+ \(spam-quarantine\)$
-amavis\[[0-9]+\]: \([0-9-]+\) BAD HEADER from( \((bulk|list|junk)\))? <[^[:space:]]*>: .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) SPAM, <[^[:space:]]*> -> <[^[:space:]]*>, (No|Yes), hits=[\.0-9-]+ tagged_above=[\.0-9-]+ required=[\.0-9-]+ tests=[,_A-Z0-9 ]+ quarantine spam-[^[:space:]]+ \(spam-quarantine\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) BAD HEADER from( \((bulk|list|junk)\))? <[^[:space:]]*>: .*$
diff --git a/logcheck/violations.ignore.d/bind b/logcheck/violations.ignore.d/bind
index b7230f5..ca39c0a 100644
--- a/logcheck/violations.ignore.d/bind
+++ b/logcheck/violations.ignore.d/bind
@@ -1 +1 @@
-named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied$
diff --git a/logcheck/violations.ignore.d/bind.tmp b/logcheck/violations.ignore.d/bind.tmp
index 1756019..d88e533 100644
--- a/logcheck/violations.ignore.d/bind.tmp
+++ b/logcheck/violations.ignore.d/bind.tmp
@@ -1 +1 @@
-named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out
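Review bot: This rule sits in violations.ignore.d but is strict only on the left: both fields are `.*` and there is no `$`, so anything may follow `timed out` and the zone and master fields may contain spaces and further text. Because a match removes the line from the violations report, the fields are better bounded, for example `named\[[0-9]+\]: zone [^[:space:]]+: refresh: failure trying master [^[:space:]]+: timed out`. Add `$` if the logged message ends there. The same rule is repeated in the `### violations.ignore.d/bind.tmp` section of `violations.ignore.d/local`.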
diff --git a/logcheck/violations.ignore.d/dhcp-client b/logcheck/violations.ignore.d/dhcp-client
index 88caa05..02d2994 100644
--- a/logcheck/violations.ignore.d/dhcp-client
+++ b/logcheck/violations.ignore.d/dhcp-client
@@ -1,2 +1,2 @@
-dhcpd(-2.2.x)?: (send_packet|fallback_discard): Connection refused$
-dhclient(-2.2.x)?: receive_packet failed on eth[0-9]: Network is down$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2.2.x)?: (send_packet|fallback_discard): Connection refused$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: receive_packet failed on eth[0-9]: Network is down$
diff --git a/logcheck/violations.ignore.d/dovecot-common b/logcheck/violations.ignore.d/dovecot-common
index 2314c4d..4879465 100644
--- a/logcheck/violations.ignore.d/dovecot-common
+++ b/logcheck/violations.ignore.d/dovecot-common
@@ -1 +1 @@
-xayide dovecot\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ xayide dovecot\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= $
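Review bot: The rewritten rule now demands two host tokens, so it can no longer match a normal syslog line. The old pattern already began with the literal host name `xayide`, and the generic `[._[:alnum:]-]+ ` prefix was put in front of it. The result is fail-safe (the authentication-failure line is reported again), but the rule is dead. Since it hides uid=0 authentication failures from the violations report, the host-specific form is the narrower fix: `^\w{3} [ :0-9]{11} xayide dovecot\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= $`. The same line is repeated in the `### violations.ignore.d/dovecot-common` section of `violations.ignore.d/local`.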
diff --git a/logcheck/violations.ignore.d/libpam-modules b/logcheck/violations.ignore.d/libpam-modules
index 466ca4a..2f2c463 100644
--- a/logcheck/violations.ignore.d/libpam-modules
+++ b/logcheck/violations.ignore.d/libpam-modules
@@ -1 +1 @@
-pam_limits\[[0-9]+\]: setrlimit limit #[0-9]+ to soft=[-0-9]+, hard=[-0-9]+ failed: Operation not permitted; uid=[0-9]+ euid=[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pam_limits\[[0-9]+\]: setrlimit limit #[0-9]+ to soft=[-0-9]+, hard=[-0-9]+ failed: Operation not permitted; uid=[0-9]+ euid=[0-9]+$
diff --git a/logcheck/violations.ignore.d/local b/logcheck/violations.ignore.d/local
index 463d983..3287c7d 100644
--- a/logcheck/violations.ignore.d/local
+++ b/logcheck/violations.ignore.d/local
@@ -1,102 +1,102 @@
### violations.ignore.d/amavis
-amavis\[[0-9]+\]: Checking: <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$
-amavis\[[0-9]+\]: SMTP-in \[[\.0-9]+\] /var/lib/amavis/amavis-[^[:space:]:-]+: <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$
-amavis\[[0-9]+\]: cached [a-f0-9]+ from <[^[:space:]]*>$
-amavis\[[0-9]+\]: fwd via smtp: \[[\.0-9]+:10025\] <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$
-amavis\[[0-9]+\]: infected \([^[:space:]]+\), from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine virus-[0-9-]+$
-amavis\[[0-9]+\]: local delivery: <[^[:space:]]+> -> <(spam|virus)-quarantine>, mbx=/var/lib/amavis/virusmails/(spam|virus)-[[:alnum:]-]+(\.gz)?$
-amavis\[[0-9]+\]: spam from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine spam-[^[:space:]]+$
-amavis\[[0-9]+\]: spam_scan: (No|Yes), hits=[\.0-9-]+ tests=[,_A-Z0-9]+ <[^[:space:]]*>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: Checking: <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: SMTP-in \[[\.0-9]+\] /var/lib/amavis/amavis-[^[:space:]:-]+: <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: cached [a-f0-9]+ from <[^[:space:]]*>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: fwd via smtp: \[[\.0-9]+:10025\] <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: infected \([^[:space:]]+\), from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine virus-[0-9-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: local delivery: <[^[:space:]]+> -> <(spam|virus)-quarantine>, mbx=/var/lib/amavis/virusmails/(spam|virus)-[[:alnum:]-]+(\.gz)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: spam from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine spam-[^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: spam_scan: (No|Yes), hits=[\.0-9-]+ tests=[,_A-Z0-9]+ <[^[:space:]]*>$
### violations.ignore.d/amavisd-new
-amavis\[[0-9]+\]: \([0-9-]+\) SPAM, <[^[:space:]]*> -> <[^[:space:]]*>, (No|Yes), hits=[\.0-9-]+ tagged_above=[\.0-9-]+ required=[\.0-9-]+ tests=[,_A-Z0-9 ]+ quarantine spam-[^[:space:]]+ \(spam-quarantine\)$
-amavis\[[0-9]+\]: \([0-9-]+\) BAD HEADER from( \((bulk|list|junk)\))? <[^[:space:]]*>: .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) SPAM, <[^[:space:]]*> -> <[^[:space:]]*>, (No|Yes), hits=[\.0-9-]+ tagged_above=[\.0-9-]+ required=[\.0-9-]+ tests=[,_A-Z0-9 ]+ quarantine spam-[^[:space:]]+ \(spam-quarantine\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) BAD HEADER from( \((bulk|list|junk)\))? <[^[:space:]]*>: .*$
### violations.ignore.d/bind
-named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied$
### violations.ignore.d/bind.tmp
-named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out
### violations.ignore.d/dhcp-client
-dhcpd(-2.2.x)?: (send_packet|fallback_discard): Connection refused$
-dhclient(-2.2.x)?: receive_packet failed on eth[0-9]: Network is down$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2.2.x)?: (send_packet|fallback_discard): Connection refused$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: receive_packet failed on eth[0-9]: Network is down$
### violations.ignore.d/dovecot-common
-xayide dovecot\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ xayide dovecot\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= $
### violations.ignore.d/libpam-modules
-pam_limits\[[0-9]+\]: setrlimit limit #[0-9]+ to soft=[-0-9]+, hard=[-0-9]+ failed: Operation not permitted; uid=[0-9]+ euid=[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pam_limits\[[0-9]+\]: setrlimit limit #[0-9]+ to soft=[-0-9]+, hard=[-0-9]+ failed: Operation not permitted; uid=[0-9]+ euid=[0-9]+$
### violations.ignore.d/misc
# This one shows up with firewalls blocking SMB ports non-silently
-kernel: Packet log: input DENY eth[0-9]+ PROTO=17 .*:137 .*:137 L=78 S=0x00 I=[0-9]+ F=0x0000 T=[0-9]+ \(#[0-9]+\)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Packet log: input DENY eth[0-9]+ PROTO=17 .*:137 .*:137 L=78 S=0x00 I=[0-9]+ F=0x0000 T=[0-9]+ \(#[0-9]+\)
### violations.ignore.d/netatalk.changes
# Lines with "[^[:space:]]+:" at the beginning are for netatalk 1.6.x or newer.
-afpd\[[0-9]+\]: afp_die: asp_shutdown: Connection timed out$
-afpd\[[0-9]+\]: (afp_flushfork|afp_read|getforkparms): (ad_refresh|of_find): Permission denied$
-afpd\[[0-9]+\]: [^[:space:]]+: D5:AFPDaemon: Parsing volset [^[:space:]]+$
-afpd\[[0-9]+\]: [^[:space:]]+: D5:Default: cnid_mangle_get: Failed to find mangled entry for .*$
-afpd\[[0-9]+\]: [^[:space:]]+: E:AFPDaemon: afp_die: asp_shutdown: Connection timed out$
-afpd\[[0-9]+\]: [^[:space:]]+: E:Default: cnid_open: dbenv->open of /[^[:space:]]+/\.AppleDB failed: Permission denied$
-afpd\[[0-9]+\]: afp_getsrvrparms: stat /[^/]+/: Permission denied$
-afpd\[[0-9]+\]: dsi_stream_read\(0\): Permission denied$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_die: asp_shutdown: Connection timed out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: (afp_flushfork|afp_read|getforkparms): (ad_refresh|of_find): Permission denied$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: D5:AFPDaemon: Parsing volset [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: D5:Default: cnid_mangle_get: Failed to find mangled entry for .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: E:AFPDaemon: afp_die: asp_shutdown: Connection timed out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: E:Default: cnid_open: dbenv->open of /[^[:space:]]+/\.AppleDB failed: Permission denied$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_getsrvrparms: stat /[^/]+/: Permission denied$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: dsi_stream_read\(0\): Permission denied$
### violations.ignore.d/netsaint
-netsaint: SERVICE ALERT:.*;PING;CRITICAL;.*;PING CRITICAL - Packet loss =.*%, RTA =.*ms
-netsaint: SERVICE ALERT:.*;ROUTER;CRITICAL;.*;CRITICAL - Plugin timed out after 10 seconds
-netsaint: SERVICE ALERT:.*;ROUTER;OK;.*;PING OK - Packet loss =.*%, RTA =.*ms
-netsaint: SERVICE FLAPPING ALERT:.*;PING;STOPPED; Service appears to have stopped flapping (.*% change < .*% threshold)
-netsaint: SERVICE FLAPPING ALERT:.*;PING;STARTED; Service appears to have started flapping (.*% change >.*% threshold)
-netsaint: SERVICE ALERT: mail;SMTP;CRITICAL;.*;Connection refused by host
-netsaint: SERVICE NOTIFICATION:.*;CRITICAL;notify-by-.*;Connection refused by host
-netsaint: SERVICE ALERT: mail;SMTP;OK;.* OK - 0 second response time
-netsaint: HOST ALERT:.*;DOWN;SOFT;.*;CRITICAL.*
-netsaint: HOST ALERT:.*;UP;SOFT;.*;PING OK.*
-netsaint: Successfully shutdown\.\.\. \(PID=[0-9]+\) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE ALERT:.*;PING;CRITICAL;.*;PING CRITICAL - Packet loss =.*%, RTA =.*ms
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE ALERT:.*;ROUTER;CRITICAL;.*;CRITICAL - Plugin timed out after 10 seconds
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE ALERT:.*;ROUTER;OK;.*;PING OK - Packet loss =.*%, RTA =.*ms
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE FLAPPING ALERT:.*;PING;STOPPED; Service appears to have stopped flapping (.*% change < .*% threshold)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE FLAPPING ALERT:.*;PING;STARTED; Service appears to have started flapping (.*% change >.*% threshold)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE ALERT: mail;SMTP;CRITICAL;.*;Connection refused by host
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE NOTIFICATION:.*;CRITICAL;notify-by-.*;Connection refused by host
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE ALERT: mail;SMTP;OK;.* OK - 0 second response time
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: HOST ALERT:.*;DOWN;SOFT;.*;CRITICAL.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: HOST ALERT:.*;UP;SOFT;.*;PING OK.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: Successfully shutdown\.\.\. \(PID=[0-9]+\) $
### violations.ignore.d/pmud
-pmud\[[0-9]+\]: Sleep for this PMU unsupported: will shutdown the machine on sleep request$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pmud\[[0-9]+\]: Sleep for this PMU unsupported: will shutdown the machine on sleep request$
### violations.ignore.d/postfix
-postfix/(local|smtpd)\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host not found(, try again)?$
-postfix/(local|smtpd)\[[0-9]+\]: warning: reject: ETRN [^[:space:]]+\.\.\. from [^[:space:]\[]+\[[\.0-9]+\]$
-postfix/[ls]mtp\[[0-9]+\]: [A-Z0-9]+: to=<[^>,]*>(, orig_to=<[^>,]*>)?, relay=[^[:space:],]+, delay=[0-9]+, status=(sent|bounced|deferred) \([^\(\)]+(\([^\(\)]*\)[^\(\)]*)*[^\(\)]*\)( proto=E?SMTP helo=<[^[:space:]>]+>)?$
-postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=<[^[:space:]>]+>$
-postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied$
-postfix/nqmgr\[[0-9]+\]: [A-Z0-9]+: from=<[^[:space:]>]+>, size=[0-9]+, nrcpt=[0-9]+ \(queue active\)$
-postfix/smtp\[[0-9]+\]: (Unv|V)erified: subject_CN=.*, issuer=.*
-postfix/smtp\[[0-9]+\]: Peer verification: CommonName in certificate does not match: [^!]+ != [^[:space:]]+$
-postfix/smtp\[[0-9]+\]: connect to [^[:space:]\[]+\[[\.0-9]+\]: (Connection refused|server refused mail service) \(port 25\)$
-postfix/smtpd\[[0-9]+\]: [0-9]+:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay\.c:578:
-postfix/smtpd\[[0-9]+\]: reject: RCPT from [^[:space:]\[]+\[[\.0-9]+\]: 452 Insufficient system storage; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in RCPT command: .*
-postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host name has no address$
-postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: (DATA|RCPT) from [^[:space:]\[]+\[[\.0-9]+\]: [45][0-9]{2}( [^;]+;){1,3} from=<[^>]*>( to=<[^>]*>)? proto=E?SMTP( helo=<.*>)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/(local|smtpd)\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host not found(, try again)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/(local|smtpd)\[[0-9]+\]: warning: reject: ETRN [^[:space:]]+\.\.\. from [^[:space:]\[]+\[[\.0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]: [A-Z0-9]+: to=<[^>,]*>(, orig_to=<[^>,]*>)?, relay=[^[:space:],]+, delay=[0-9]+, status=(sent|bounced|deferred) \([^\(\)]+(\([^\(\)]*\)[^\(\)]*)*[^\(\)]*\)( proto=E?SMTP helo=<[^[:space:]>]+>)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=<[^[:space:]>]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/nqmgr\[[0-9]+\]: [A-Z0-9]+: from=<[^[:space:]>]+>, size=[0-9]+, nrcpt=[0-9]+ \(queue active\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: (Unv|V)erified: subject_CN=.*, issuer=.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: Peer verification: CommonName in certificate does not match: [^!]+ != [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]\[]+\[[\.0-9]+\]: (Connection refused|server refused mail service) \(port 25\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [0-9]+:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay\.c:578:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: RCPT from [^[:space:]\[]+\[[\.0-9]+\]: 452 Insufficient system storage; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in RCPT command: .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host name has no address$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: (DATA|RCPT) from [^[:space:]\[]+\[[\.0-9]+\]: [45][0-9]{2}( [^;]+;){1,3} from=<[^>]*>( to=<[^>]*>)? proto=E?SMTP( helo=<.*>)?$
### violations.ignore.d/proftpd
-proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - USER anonymous \(Login failed\): Can't find user\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - USER anonymous \(Login failed\): Can't find user\.$
### violations.ignore.d/samba
-smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for [[:digit:]]+\. Error = (No route to host|Connection (reset by peer|timed out)) $
-smbd\[[0-9]+\]: write_socket_data: write failure\. Error = Connection reset by peer $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for [[:digit:]]+\. Error = (No route to host|Connection (reset by peer|timed out)) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: write_socket_data: write failure\. Error = Connection reset by peer $
### violations.ignore.d/ssh
-sshd\[[0-9]+\]: Failed keyboard-interactive for [^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$
-ssh\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=[^[:space:]]+ user=[^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed keyboard-interactive for [^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ssh\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=[^[:space:]]+ user=[^[:space:]]+$
### violations.ignore.d/su
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:[[:alnum:]-]+ ?$
### violations.ignore.d/temp
-(imap|netatalk|pop|samba)\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]* user=[[:alnum:]]+$
-afpd\[[0-9]+\]: afp_flushfork: of_find: Permission denied
-afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied
-afpd\[[0-9]+\]: bad function 7A
-afpd\[[0-9]+\]: cnid_open: Cannot establish logfile cleanup lock for database environment .*/\.AppleDB/cnid\.lock \(open\(\) failed\)
-afpd\[[0-9]+\]: dsi_stream_read\(0\): Permission denied
-afpd\[[0-9]+\]: error removing /.+/net[\.0-9]+node[0-9]+: Permission denied
-afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument)
-IMP\[[0-9]+\]: FAILED .* to .*:143 as .*
-i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\]
-kernel: IP_MASQ:reverse ICMP: failed checksum from .*!
-kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\)
-PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
-portsentry\[[0-9]+\]: attackalert: .*
-smbd\[[0-9]+\]: ERROR: string overflow by [[:digit:]]+ in safe_strcpy .*$
-smbd\[[0-9]+\]: api_rpcTNP: api_srvsvc_rpc: SRV_NET_SHARE_ADD failed. $
-smbd\[[0-9]+\]: getpeername failed. Error was Transport endpoint is not connected $
-smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !
-smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\.
-sshd\[[0-9]+\]: Failed password for .*
-pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
-postfix/smtpd\[[0-9]+\]: reject: .*: 550 <.*>: User unknown; .*
-postfix/smtpd\[[0-9]+\]: reject: .*: 554 <.*>: Recipient address rejected: User unknown; .*
-postfix.*\[[0-9]+\]: .* from=<(groove@mailomat.grooveattack.com|refused@maila.com)>
-snort: spp_http_decode: IIS Unicode attack detected:
-postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (imap|netatalk|pop|samba)\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]* user=[[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_flushfork: of_find: Permission denied
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: bad function 7A
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: cnid_open: Cannot establish logfile cleanup lock for database environment .*/\.AppleDB/cnid\.lock \(open\(\) failed\)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: dsi_stream_read\(0\): Permission denied
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: error removing /.+/net[\.0-9]+node[0-9]+: Permission denied
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED .* to .*:143 as .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: IP_MASQ:reverse ICMP: failed checksum from .*!
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ portsentry\[[0-9]+\]: attackalert: .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: ERROR: string overflow by [[:digit:]]+ in safe_strcpy .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: api_rpcTNP: api_srvsvc_rpc: SRV_NET_SHARE_ADD failed. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: getpeername failed. Error was Transport endpoint is not connected $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: .*: 550 <.*>: User unknown; .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: .*: 554 <.*>: Recipient address rejected: User unknown; .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix.*\[[0-9]+\]: .* from=<(groove@mailomat.grooveattack.com|refused@maila.com)>
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: spp_http_decode: IIS Unicode attack detected:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .*
diff --git a/logcheck/violations.ignore.d/misc b/logcheck/violations.ignore.d/misc
index b2324e4..b62a5d4 100644
--- a/logcheck/violations.ignore.d/misc
+++ b/logcheck/violations.ignore.d/misc
@@ -1,2 +1,2 @@
# This one shows up with firewalls blocking SMB ports non-silently
-kernel: Packet log: input DENY eth[0-9]+ PROTO=17 .*:137 .*:137 L=78 S=0x00 I=[0-9]+ F=0x0000 T=[0-9]+ \(#[0-9]+\)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Packet log: input DENY eth[0-9]+ PROTO=17 .*:137 .*:137 L=78 S=0x00 I=[0-9]+ F=0x0000 T=[0-9]+ \(#[0-9]+\)
diff --git a/logcheck/violations.ignore.d/netatalk.changes b/logcheck/violations.ignore.d/netatalk.changes
index d356c1c..f149368 100644
--- a/logcheck/violations.ignore.d/netatalk.changes
+++ b/logcheck/violations.ignore.d/netatalk.changes
@@ -1,9 +1,9 @@
# Lines with "[^[:space:]]+:" at the beginning are for netatalk 1.6.x or newer.
-afpd\[[0-9]+\]: afp_die: asp_shutdown: Connection timed out$
-afpd\[[0-9]+\]: (afp_flushfork|afp_read|getforkparms): (ad_refresh|of_find): Permission denied$
-afpd\[[0-9]+\]: [^[:space:]]+: D5:AFPDaemon: Parsing volset [^[:space:]]+$
-afpd\[[0-9]+\]: [^[:space:]]+: D5:Default: cnid_mangle_get: Failed to find mangled entry for .*$
-afpd\[[0-9]+\]: [^[:space:]]+: E:AFPDaemon: afp_die: asp_shutdown: Connection timed out$
-afpd\[[0-9]+\]: [^[:space:]]+: E:Default: cnid_open: dbenv->open of /[^[:space:]]+/\.AppleDB failed: Permission denied$
-afpd\[[0-9]+\]: afp_getsrvrparms: stat /[^/]+/: Permission denied$
-afpd\[[0-9]+\]: dsi_stream_read\(0\): Permission denied$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_die: asp_shutdown: Connection timed out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: (afp_flushfork|afp_read|getforkparms): (ad_refresh|of_find): Permission denied$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: D5:AFPDaemon: Parsing volset [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: D5:Default: cnid_mangle_get: Failed to find mangled entry for .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: E:AFPDaemon: afp_die: asp_shutdown: Connection timed out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: E:Default: cnid_open: dbenv->open of /[^[:space:]]+/\.AppleDB failed: Permission denied$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_getsrvrparms: stat /[^/]+/: Permission denied$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: dsi_stream_read\(0\): Permission denied$
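Review bot: The header comment kept as context at the top of this file no longer describes the rules, because after this change no rule has `[^[:space:]]+:` at the beginning; every rule now starts with the `^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ` prefix. I would reword it to `# Rules with "[^[:space:]]+:" right after the afpd[pid] tag are for netatalk 1.6.x or newer.` so the two rule families can still be told apart. Separately, the `cnid_mangle_get: Failed to find mangled entry for .*$` rule ends in `.*$`, which constrains nothing on the right; if the entry name never contains whitespace, `[^[:space:]]+$` would match the style of the neighbouring rules.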
diff --git a/logcheck/violations.ignore.d/netsaint b/logcheck/violations.ignore.d/netsaint
index 0bc9d58..7c5f88f 100644
--- a/logcheck/violations.ignore.d/netsaint
+++ b/logcheck/violations.ignore.d/netsaint
@@ -1,11 +1,11 @@
-netsaint: SERVICE ALERT:.*;PING;CRITICAL;.*;PING CRITICAL - Packet loss =.*%, RTA =.*ms
-netsaint: SERVICE ALERT:.*;ROUTER;CRITICAL;.*;CRITICAL - Plugin timed out after 10 seconds
-netsaint: SERVICE ALERT:.*;ROUTER;OK;.*;PING OK - Packet loss =.*%, RTA =.*ms
-netsaint: SERVICE FLAPPING ALERT:.*;PING;STOPPED; Service appears to have stopped flapping (.*% change < .*% threshold)
-netsaint: SERVICE FLAPPING ALERT:.*;PING;STARTED; Service appears to have started flapping (.*% change >.*% threshold)
-netsaint: SERVICE ALERT: mail;SMTP;CRITICAL;.*;Connection refused by host
-netsaint: SERVICE NOTIFICATION:.*;CRITICAL;notify-by-.*;Connection refused by host
-netsaint: SERVICE ALERT: mail;SMTP;OK;.* OK - 0 second response time
-netsaint: HOST ALERT:.*;DOWN;SOFT;.*;CRITICAL.*
-netsaint: HOST ALERT:.*;UP;SOFT;.*;PING OK.*
-netsaint: Successfully shutdown\.\.\. \(PID=[0-9]+\) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE ALERT:.*;PING;CRITICAL;.*;PING CRITICAL - Packet loss =.*%, RTA =.*ms
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE ALERT:.*;ROUTER;CRITICAL;.*;CRITICAL - Plugin timed out after 10 seconds
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE ALERT:.*;ROUTER;OK;.*;PING OK - Packet loss =.*%, RTA =.*ms
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE FLAPPING ALERT:.*;PING;STOPPED; Service appears to have stopped flapping (.*% change < .*% threshold)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE FLAPPING ALERT:.*;PING;STARTED; Service appears to have started flapping (.*% change >.*% threshold)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE ALERT: mail;SMTP;CRITICAL;.*;Connection refused by host
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE NOTIFICATION:.*;CRITICAL;notify-by-.*;Connection refused by host
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE ALERT: mail;SMTP;OK;.* OK - 0 second response time
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: HOST ALERT:.*;DOWN;SOFT;.*;CRITICAL.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: HOST ALERT:.*;UP;SOFT;.*;PING OK.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: Successfully shutdown\.\.\. \(PID=[0-9]+\) $
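Review bot: The two SERVICE FLAPPING rules use bare `(` and `)`, which form a group in an extended regex instead of matching the literal parentheses in the message. They match today only because the `.*` inside the group absorbs the opening parenthesis and nothing anchors the end of the line. Writing the tails as `\(.*% change < .*% threshold\)` and `\(.*% change >.*% threshold\)` states what is meant. The `.*` fields in the other rules can also span several `;`-separated columns, so `SERVICE ALERT:.*;PING;CRITICAL;` would match an alert for another service whose output merely contains that text. Using `[^;]*` per field would carry this commit's tightening over to the right side.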
diff --git a/logcheck/violations.ignore.d/pmud b/logcheck/violations.ignore.d/pmud
index c035a28..8a06664 100644
--- a/logcheck/violations.ignore.d/pmud
+++ b/logcheck/violations.ignore.d/pmud
@@ -1 +1 @@
-pmud\[[0-9]+\]: Sleep for this PMU unsupported: will shutdown the machine on sleep request$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pmud\[[0-9]+\]: Sleep for this PMU unsupported: will shutdown the machine on sleep request$
diff --git a/logcheck/violations.ignore.d/postfix b/logcheck/violations.ignore.d/postfix
index 9865751..fb74177 100644
--- a/logcheck/violations.ignore.d/postfix
+++ b/logcheck/violations.ignore.d/postfix
@@ -1,14 +1,14 @@
-postfix/(local|smtpd)\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host not found(, try again)?$
-postfix/(local|smtpd)\[[0-9]+\]: warning: reject: ETRN [^[:space:]]+\.\.\. from [^[:space:]\[]+\[[\.0-9]+\]$
-postfix/[ls]mtp\[[0-9]+\]: [A-Z0-9]+: to=<[^>,]*>(, orig_to=<[^>,]*>)?, relay=[^[:space:],]+, delay=[0-9]+, status=(sent|bounced|deferred) \([^\(\)]+(\([^\(\)]*\)[^\(\)]*)*[^\(\)]*\)( proto=E?SMTP helo=<[^[:space:]>]+>)?$
-postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=<[^[:space:]>]+>$
-postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied$
-postfix/nqmgr\[[0-9]+\]: [A-Z0-9]+: from=<[^[:space:]>]+>, size=[0-9]+, nrcpt=[0-9]+ \(queue active\)$
-postfix/smtp\[[0-9]+\]: (Unv|V)erified: subject_CN=.*, issuer=.*
-postfix/smtp\[[0-9]+\]: Peer verification: CommonName in certificate does not match: [^!]+ != [^[:space:]]+$
-postfix/smtp\[[0-9]+\]: connect to [^[:space:]\[]+\[[\.0-9]+\]: (Connection refused|server refused mail service) \(port 25\)$
-postfix/smtpd\[[0-9]+\]: [0-9]+:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay\.c:578:
-postfix/smtpd\[[0-9]+\]: reject: RCPT from [^[:space:]\[]+\[[\.0-9]+\]: 452 Insufficient system storage; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in RCPT command: .*
-postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host name has no address$
-postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: (DATA|RCPT) from [^[:space:]\[]+\[[\.0-9]+\]: [45][0-9]{2}( [^;]+;){1,3} from=<[^>]*>( to=<[^>]*>)? proto=E?SMTP( helo=<.*>)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/(local|smtpd)\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host not found(, try again)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/(local|smtpd)\[[0-9]+\]: warning: reject: ETRN [^[:space:]]+\.\.\. from [^[:space:]\[]+\[[\.0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]: [A-Z0-9]+: to=<[^>,]*>(, orig_to=<[^>,]*>)?, relay=[^[:space:],]+, delay=[0-9]+, status=(sent|bounced|deferred) \([^\(\)]+(\([^\(\)]*\)[^\(\)]*)*[^\(\)]*\)( proto=E?SMTP helo=<[^[:space:]>]+>)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=<[^[:space:]>]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/nqmgr\[[0-9]+\]: [A-Z0-9]+: from=<[^[:space:]>]+>, size=[0-9]+, nrcpt=[0-9]+ \(queue active\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: (Unv|V)erified: subject_CN=.*, issuer=.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: Peer verification: CommonName in certificate does not match: [^!]+ != [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]\[]+\[[\.0-9]+\]: (Connection refused|server refused mail service) \(port 25\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [0-9]+:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay\.c:578:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: RCPT from [^[:space:]\[]+\[[\.0-9]+\]: 452 Insufficient system storage; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in RCPT command: .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host name has no address$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: (DATA|RCPT) from [^[:space:]\[]+\[[\.0-9]+\]: [45][0-9]{2}( [^;]+;){1,3} from=<[^>]*>( to=<[^>]*>)? proto=E?SMTP( helo=<.*>)?$
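Review bot: The rule ending in `RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay\.c:578:` pins a source line number of the TLS library. It will presumably stop matching once the library is built from a different version, and the message will then reappear in the reports with no hint why. A comment above it would make that explainable, for example `# rsa_eay.c line number is from <OPENSSL_VERSION_PLACEHOLDER>; update after library upgrades`. The same fourteen rules also appear in the concatenated listing earlier on this page, in a hunk that starts before the visible lines, so the remark applies there as well.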
diff --git a/logcheck/violations.ignore.d/proftpd b/logcheck/violations.ignore.d/proftpd
index e622c32..74c9ddd 100644
--- a/logcheck/violations.ignore.d/proftpd
+++ b/logcheck/violations.ignore.d/proftpd
@@ -1 +1 @@
-proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - USER anonymous \(Login failed\): Can't find user\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - USER anonymous \(Login failed\): Can't find user\.$
diff --git a/logcheck/violations.ignore.d/samba b/logcheck/violations.ignore.d/samba
index 0f695e7..8a6b2db 100644
--- a/logcheck/violations.ignore.d/samba
+++ b/logcheck/violations.ignore.d/samba
@@ -1,2 +1,2 @@
-smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for [[:digit:]]+\. Error = (No route to host|Connection (reset by peer|timed out)) $
-smbd\[[0-9]+\]: write_socket_data: write failure\. Error = Connection reset by peer $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for [[:digit:]]+\. Error = (No route to host|Connection (reset by peer|timed out)) $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: write_socket_data: write failure\. Error = Connection reset by peer $
diff --git a/logcheck/violations.ignore.d/ssh b/logcheck/violations.ignore.d/ssh
index fb1f8e7..ee13252 100644
--- a/logcheck/violations.ignore.d/ssh
+++ b/logcheck/violations.ignore.d/ssh
@@ -1,2 +1,2 @@
-sshd\[[0-9]+\]: Failed keyboard-interactive for [^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$
-ssh\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=[^[:space:]]+ user=[^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed keyboard-interactive for [^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ssh\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=[^[:space:]]+ user=[^[:space:]]+$
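Review bot: Both rules accept any account name (`for [^[:space:]]+ from` and `user=[^[:space:]]+$`), so they drop failed logins for every user, root included, from the violations report. The left anchor added here does not narrow that. If that is deliberate, the file lacks a comment recording the trade-off, such as `# NOTE: hides all failed ssh logins, root included; repeated failures must be detected by another rule or tool`. Also, `from [\.0-9]+` matches dotted IPv4 addresses only, so the same failure from an IPv6 peer would still be reported, which looks unintended.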
diff --git a/logcheck/violations.ignore.d/temp b/logcheck/violations.ignore.d/temp
index ae28f0b..b9b8cd9 100644
--- a/logcheck/violations.ignore.d/temp
+++ b/logcheck/violations.ignore.d/temp
@@ -1,26 +1,26 @@
-(imap|netatalk|pop|samba)\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]* user=[[:alnum:]]+$
-afpd\[[0-9]+\]: afp_flushfork: of_find: Permission denied
-afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied
-afpd\[[0-9]+\]: bad function 7A
-afpd\[[0-9]+\]: cnid_open: Cannot establish logfile cleanup lock for database environment .*/\.AppleDB/cnid\.lock \(open\(\) failed\)
-afpd\[[0-9]+\]: dsi_stream_read\(0\): Permission denied
-afpd\[[0-9]+\]: error removing /.+/net[\.0-9]+node[0-9]+: Permission denied
-afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument)
-IMP\[[0-9]+\]: FAILED .* to .*:143 as .*
-i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\]
-kernel: IP_MASQ:reverse ICMP: failed checksum from .*!
-kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\)
-PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
-portsentry\[[0-9]+\]: attackalert: .*
-smbd\[[0-9]+\]: ERROR: string overflow by [[:digit:]]+ in safe_strcpy .*$
-smbd\[[0-9]+\]: api_rpcTNP: api_srvsvc_rpc: SRV_NET_SHARE_ADD failed. $
-smbd\[[0-9]+\]: getpeername failed. Error was Transport endpoint is not connected $
-smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !
-smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\.
-sshd\[[0-9]+\]: Failed password for .*
-pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
-postfix/smtpd\[[0-9]+\]: reject: .*: 550 <.*>: User unknown; .*
-postfix/smtpd\[[0-9]+\]: reject: .*: 554 <.*>: Recipient address rejected: User unknown; .*
-postfix.*\[[0-9]+\]: .* from=<(groove@mailomat.grooveattack.com|refused@maila.com)>
-snort: spp_http_decode: IIS Unicode attack detected:
-postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (imap|netatalk|pop|samba)\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]* user=[[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_flushfork: of_find: Permission denied
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: bad function 7A
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: cnid_open: Cannot establish logfile cleanup lock for database environment .*/\.AppleDB/cnid\.lock \(open\(\) failed\)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: dsi_stream_read\(0\): Permission denied
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: error removing /.+/net[\.0-9]+node[0-9]+: Permission denied
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED .* to .*:143 as .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: IP_MASQ:reverse ICMP: failed checksum from .*!
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ portsentry\[[0-9]+\]: attackalert: .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: ERROR: string overflow by [[:digit:]]+ in safe_strcpy .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: api_rpcTNP: api_srvsvc_rpc: SRV_NET_SHARE_ADD failed. $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: getpeername failed. Error was Transport endpoint is not connected $
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: .*: 550 <.*>: User unknown; .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: .*: 554 <.*>: Recipient address rejected: User unknown; .*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix.*\[[0-9]+\]: .* from=<(groove@mailomat.grooveattack.com|refused@maila.com)>
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: spp_http_decode: IIS Unicode attack detected:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .*
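Review bot: Several rules in this file still end in an open `.*` or have no `$`, so the new left anchor is their only real constraint. `sshd\[[0-9]+\]: Failed password for .*`, `portsentry\[[0-9]+\]: attackalert: .*` and `snort: spp_http_decode: IIS Unicode attack detected:` each remove a whole class of authentication or IDS lines from the violations report. The literal dots in `from=<(groove@mailomat.grooveattack.com|refused@maila.com)>`, `0.0.0.0:5 10.0.0.40:1` and `failed. $` are unescaped and match any character. I would write `from=<(groove@mailomat\.grooveattack\.com|refused@maila\.com)>` and `failed\. $`. Since the file is named temp, it also needs a header comment saying which of these suppressions are meant to be removed again and under what condition.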