author | Jonas Smedegaard <dr@jones.dk> | 2002-02-07 15:50:22 +0000 |
committer | Jonas Smedegaard <dr@jones.dk> | 2002-02-07 15:50:22 +0000 |
commit | f73a2ab67eda7ed6a4af25a6a38ce19583017ca8 (patch) | |
tree | 946358a53e099df1f1c3db999bf090ce937e6ad5 | |
parent | 356152177354c73ddfa58e031afe4a2f04333df0 (diff) |
logcheck: Misc tweaks and spliting into package-specific files.
-rw-r--r-- | logcheck/ignore.d.server/local | 21 | ||||
-rw-r--r-- | logcheck/ignore.d.server/murasaki | 4 | ||||
-rw-r--r-- | logcheck/ignore.d.server/samba | 2 | ||||
-rw-r--r-- | logcheck/ignore.d.server/squid | 7 | ||||
-rw-r--r-- | logcheck/ignore.d.server/ssh | 11 | ||||
-rw-r--r-- | logcheck/ignore.d.server/ssmtp | 2 | ||||
-rw-r--r-- | logcheck/ignore.d.server/tmp | 6 | ||||
-rw-r--r-- | logcheck/ignore.d.server/uw-imap | 12 | ||||
-rw-r--r-- | logcheck/violations.ignore.d/local | 1 | ||||
-rw-r--r-- | logcheck/violations.ignore.d/proftpd | 1 | ||||
-rw-r--r-- | logcheck/violations.ignore.d/temp | 5 |
11 files changed, 38 insertions, 34 deletions
diff --git a/logcheck/ignore.d.server/local b/logcheck/ignore.d.server/local
index 54eacc5..7edddec 100644
--- a/logcheck/ignore.d.server/local
+++ b/logcheck/ignore.d.server/local
@@ -26,18 +26,6 @@ gnu-imap4d\[.*\]: User '[[:alnum:]]+' logged in
 gnu-imap4d\[.*\]: Session timed out for user: [[:alnum:]]+
 gnu-imap4d\[.*\]: got signal Alarm clock
 HylaFAX\[.*\]: Filesystem has SysV-style file creation semantics.
-imapd\[.*\]: (port 143|imap|imaps SSL) service init from
-imapd\[.*\]: No route to host, while reading line user=.* host=.*\[[\.[:digit:]]+\]
-i(map|pop3)d\[.*\]: Killed \(lost mailbox lock\) user=.* host=.*\[[\.[:digit:]]+\]
-i(map|pop3)d\[.*\]: (Login|Auth|Authenticated|Logout|Autologout) user=.* host=.*\[[\.[:digit:]]+\]
-i(map|pop3)d\[.*\]: Moved [[:digit:]]+ bytes of new mail to .* from .* host=.*\[[\.[:digit:]]+\]
-i(map|pop(2|3))d\[.*\]: (Broken pipe|Command stream end of file|Connection (reset by peer|timed out))(,)? while (reading (authentication|line|char)|writing text) user=[\?[:alnum:]]+ host=.*\[[\.[:digit:]]+\]
-ipop[2|3]d\[.*\]: (connect|pop3(s SSL)? service init) from [\.[:digit:]]+
-ipop3d\[.*\]: Trying to get mailbox lock from process [[:digit:]]+
-ipop3d\[.*\]: Error opening or locking INBOX user=.* host=.*\[[\.[:digit:]]+\]
-ipop3d\[.*\]: Expunge ignored on readonly mailbox
-ipop3d\[.*\]: Mailbox is open by another process, access is readonly
-ipop3d\[.*\]: Moved .* bytes of new mail to .* from .* host=.*\[[\.[:digit:]]+\]
 ircd\[.*\]: ircd exiting: autodie
 ircd\[.*\]: Server Ready
 (ircd\[.*\]: )?binding stream socket [\.[:alnum:]]+\[\*\.666[789]\]: Address already in use
@@ -53,13 +41,4 @@ ntpd\[.*\]: precision = [[:digit:]]+ usec
 ntpd\[.*\]: signal_no_reset: signal 13 had flags [[:digit:]]+
 ntpd\[.*\]: using kernel phase-lock loop [[:digit:]]+
 pop-before-smtp\[.*\]: (opening|closing) relay for [\.[:digit:]]+( --- not in mynetworks)?
-smbd\[.*\]: read_socket_data: recv failure for 4\. Error = Connection reset by peer
-smbd\[.*\]: \[.*\] lib/util_sock.c:read_socket_data\([[:digit:]]+\)
-squid\[.*\]: Finished. Wrote [[:digit:]]+ entries\.
-squid\[.*\]: Took [\.[:digit:]]+ seconds \(.* entries/sec\)\.
-squid\[.*\]: (access|store)LogRotate: Rotating(\.)?
-squid\[.*\]: logfileRotate: /var/log/squid/(access|store).log
-squid\[.*\]: (Closing Pinger socket|Pinger socket opened) on FD [[:digit:]]+
-squid\[.*\]: NETDB state saved;
-squid\[.*\]: storeDirWriteCleanLogs: Starting\.\.\.
 su\[.*\]: \+ pts/[[:digit:]]+ .*-root
diff --git a/logcheck/ignore.d.server/murasaki b/logcheck/ignore.d.server/murasaki
index 76e805d..cd1ea90 100644
--- a/logcheck/ignore.d.server/murasaki
+++ b/logcheck/ignore.d.server/murasaki
@@ -1,4 +1,4 @@
 murasaki\.usb\[.*\]: found depended module="[[:alnum:]]+"
-murasaki\.(usb|net)\[.*\]: device is (added|removed|(un)?registered)
-murasaki\.(usb|net)\[.*\]: execute ifup (eth|(i)?ppp|irda)[[:digit:]]
+murasaki\.(usb|net)\[.*\]: device is (added|removed|(un)?register(e)?d)
+murasaki\.(usb|net)\[.*\]: execute if(up|down) (eth|(i)?ppp|irda)[[:digit:]]
 murasaki\.usb\[.*\]: (MATCH\(audio\) -> match_flags:[[:alnum:]]+ )?vendor:[[:alnum:]]+ product:[[:alnum:]]+ Dclass:[[:alnum:]]+ Dsubclass:[[:alnum:]]+ Dprotocol:[[:alnum:]]+ Iclass:[[:alnum:]]+ Isubclass:[[:alnum:]]+ Iprotocol:[[:alnum:]]+
diff --git a/logcheck/ignore.d.server/samba b/logcheck/ignore.d.server/samba
new file mode 100644
index 0000000..367fce4
--- /dev/null
+++ b/logcheck/ignore.d.server/samba
@@ -0,0 +1,2 @@
+smbd\[.*\]: read_socket_data: recv failure for 4\. Error = Connection reset by peer
+smbd\[.*\]: \[.*\] lib/util_sock.c:read_socket_data\([[:digit:]]+\)
diff --git a/logcheck/ignore.d.server/squid b/logcheck/ignore.d.server/squid
new file mode 100644
index 0000000..1a08492
--- /dev/null
+++ b/logcheck/ignore.d.server/squid
@@ -0,0 +1,7 @@
+squid\[.*\]: Finished. Wrote [[:digit:]]+ entries\.
+squid\[.*\]: Took [\.[:digit:]]+ seconds \(.* entries/sec\)\.
+squid\[.*\]: (access|store)LogRotate: Rotating(\.)?
+squid\[.*\]: logfileRotate: /var/log/squid/(access|store).log
+squid\[.*\]: (Closing Pinger socket|Pinger socket opened) on FD [[:digit:]]+
+squid\[.*\]: NETDB state saved;
+squid\[.*\]: storeDirWriteCleanLogs: Starting\.\.\.
diff --git a/logcheck/ignore.d.server/ssh b/logcheck/ignore.d.server/ssh
index c8e7095..e7cada2 100644
--- a/logcheck/ignore.d.server/ssh
+++ b/logcheck/ignore.d.server/ssh
@@ -1,6 +1,7 @@
-sshd.*: syslogin_perform_logout: logout\(\) returned an error
-sshd.*: Could not reverse map address .*\.
-sshd.*: Connection closed by .*
-sshd.*: Did not receive ident(ification)? string from [\.[:digit:]]+
-sshd.*: scanned from [\.[:digit:]]+ with SSH-1\.0-SSH_Version_Mapper\. Don't panic\.
+sshd\[.*\]: syslogin_perform_logout: logout\(\) returned an error
+sshd\[.*\]: Could not reverse map address .*\.
+sshd\[.*\]: Connection closed by .*
+sshd\[.*\]: Did not receive ident(ification)? string from [\.[:digit:]]+
+sshd\[.*\]: scanned from [\.[:digit:]]+ with SSH-1\.0-SSH_Version_Mapper\. Don't panic\.
+sshd\[.*\]: Disconnecting: Your ssh version is too old and is no longer supported\. Please install a newer version\.
 sshd\[.*\]: Failed keyboard-interactive for [[:alnum:]]+ from [\.[:digit:]]+ port [[:digit:]]+ ssh2
diff --git a/logcheck/ignore.d.server/ssmtp b/logcheck/ignore.d.server/ssmtp
index 64527aa..36b5b7c 100644
--- a/logcheck/ignore.d.server/ssmtp
+++ b/logcheck/ignore.d.server/ssmtp
@@ -1 +1 @@
-sSMTP mail\[.*\]: .* sent mail for [[:alnum:]]+
+sSMTP mail\[.*\]: .* sent mail for root
diff --git a/logcheck/ignore.d.server/tmp b/logcheck/ignore.d.server/tmp
index 3863dc2..bb8ba91 100644
--- a/logcheck/ignore.d.server/tmp
+++ b/logcheck/ignore.d.server/tmp
@@ -1,7 +1,7 @@
 IMP\[.*\]: FAILED .* to .*:143 as .*
 PAM_unix\[.*\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
 afpd\[.*\]: uams_dhx_pam\.c :PAM: PAM (Auth OK!|Success -- .*|User entered a null value -- .*)
-afpd\[.*\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- Invalid argument
+afpd\[.*\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument)
 afpd\[.*\]: uams_dhx_pam\.c :PAM: PAM: User entered a null value -- No such file or directory
 afpd\[.*\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied
 atalkd\[.*\]: as_timer sendto: Netvaerket er ikke tilgaengeligt
@@ -25,8 +25,10 @@ portsentry\[.*\]: attackalert: .*
 proftpd\[.*\]: .* \(.*\) - USER anonymous@ftp.microsoft.com: no such user found from .*
 proftpd\[.*\]: .* \(.*\) - no such user 'anonymous@ftp.microsoft.com'
 pumpd\[.*\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
-smbd[14793]: read_socket_data: recv failure for 4. Error = No route to host
+smbd\[.*\]: read_socket_data: recv failure for 4. Error = No route to host
 smbd\[.*\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !
+smbd\[.*\]: yield_connection: tdb_delete for name failed with error Record does not exist\.
+smbd\[.*\]: \[.*\] smbd/connection.c:yield_connection\([[:digit:]]+\)
 smbd\[.*\]: \[.*\] passdb/pampass.c:smb_pam_passcheck\([[:digit:]]+\)
 sshd\[.*]: Failed password for .*
 sshd\[.*\]: packet_set_maxsize: setting to 4096
diff --git a/logcheck/ignore.d.server/uw-imap b/logcheck/ignore.d.server/uw-imap
new file mode 100644
index 0000000..09ca720
--- /dev/null
+++ b/logcheck/ignore.d.server/uw-imap
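Review bot: In the second hunk, the repaired rule `smbd\[.*\]: read_socket_data: recv failure for 4. Error = No route to host` still leaves the `.` after `4` unescaped, while the sibling rule added to the new `ignore.d.server/samba` file in this commit escapes it as `4\.`; the added `smbd\[.*\]: \[.*\] smbd/connection.c:yield_connection\([[:digit:]]+\)` line has the same unescaped `.` in `connection.c`. Each unescaped dot only widens the match by one character, but the two files now carry near-duplicate `read_socket_data` rules written in different styles, differing only in the errno text. I would escape the dots (`4\.`, `connection\.c`) and consider moving the `No route to host` variant next to its `Connection reset by peer` sibling in `ignore.d.server/samba`, so that all smbd rules live in one place. The context line `sshd\[.*]: Failed password for .*` relies on a lone `]` being literal in ERE and would be clearer as `sshd\[.*\]:`, matching every other rule in the file.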
@@ -0,0 +1,12 @@
+imapd\[.*\]: (port 143|imap|imaps SSL) service init from
+imapd\[.*\]: No route to host, while reading line user=.* host=.*\[.*\]
+i(map|pop3)d\[.*\]: Killed \(lost mailbox lock\) user=.* host=.*\[.*\]
+i(map|pop3)d\[.*\]: (Login|Auth|Authenticated|Logout|Autologout) user=.* host=(.*\[.*\]|UNKNOWN)
+i(map|pop3)d\[.*\]: Moved [[:digit:]]+ bytes of new mail to .* from .* host=.*\[.*\]
+i(map|pop(2|3))d\[.*\]: (Broken pipe|Command stream end of file|Connection (reset by peer|timed out))(,)? while (reading (authentication|line|literal|char)|writing text) user=.* host=(.*\[.*\]|UNKNOWN)
+ipop[2|3]d\[.*\]: (connect|pop3(s SSL)? service init) from [\.[:digit:]]+
+ipop3d\[.*\]: Trying to get mailbox lock from process [[:digit:]]+
+ipop3d\[.*\]: Error opening or locking INBOX user=.* host=.*\[.*\]
+ipop3d\[.*\]: Expunge ignored on readonly mailbox
+ipop3d\[.*\]: Mailbox is open by another process, access is readonly
+ipop3d\[.*\]: Moved .* bytes of new mail to .* from .* host=.*\[.*\]
diff --git a/logcheck/violations.ignore.d/local b/logcheck/violations.ignore.d/local
index eedd102..44ff554 100644
--- a/logcheck/violations.ignore.d/local
+++ b/logcheck/violations.ignore.d/local
@@ -1,2 +1 @@
 kernel: Packet log: input DENY eth[[:digit:]]+ PROTO=17 .*:137 .*:137 L=78 S=0x00 I=[[:digit:]]+ F=0x0000 T=[[:digit:]]+ \(#[[:digit:]]+\)
-proftpd\[.*\]: .* \(.*\) - USER anonymous \(Login failed\): Can't find user\.
diff --git a/logcheck/violations.ignore.d/proftpd b/logcheck/violations.ignore.d/proftpd
new file mode 100644
index 0000000..295767a
--- /dev/null
+++ b/logcheck/violations.ignore.d/proftpd
@@ -0,0 +1 @@
+proftpd\[.*\]: .* \(.*\) - USER anonymous \(Login failed\): Can't find user\.
diff --git a/logcheck/violations.ignore.d/temp b/logcheck/violations.ignore.d/temp
index 3e2259f..a3f62f6 100644
--- a/logcheck/violations.ignore.d/temp
+++ b/logcheck/violations.ignore.d/temp
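Review bot: The rules in this new `uw-imap` file are looser than the ones they replace, which were removed from `ignore.d.server/local` in the first hunk of this commit: `host=.*\[[\.[:digit:]]+\]` became `host=.*\[.*\]`, `user=[\?[:alnum:]]+` became `user=.*`, and a `host=UNKNOWN` alternative was added to the Login/Auth/Logout rule and to the stream-error rule. Assuming these are applied as unanchored egrep patterns in the usual logcheck way, `user=.* host=(.*\[.*\]|UNKNOWN)` now suppresses any imapd or ipop3d login line whatever the user and host fields contain, so a login from an address that does not resolve, or a username with unexpected characters, no longer reaches the report. The commit message ("misc tweaks") does not record why the IP-literal constraint was dropped; if the intent was only to accept hostnames alongside IP literals, a bounded form such as `host=(.*\[[^]]+\]|UNKNOWN)` keeps the requirement that a bracketed address be present.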
@@ -1,5 +1,5 @@
 afpd\[.*\]: error removing /.+/net[\.[:digit:]]+node[[:digit:]]+: Permission denied
-afpd\[.*\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- Invalid argument
+afpd\[.*\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument)
 afpd\[.*\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied
 IMP\[.*\]: FAILED .* to .*:143 as .*
 i(map|pop3)d\[.*\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\]
@@ -8,7 +8,8 @@ kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I
 PAM_unix\[.*\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
 portsentry\[.*\]: attackalert: .*
 smbd\[.*\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !
-smbd[14793]: read_socket_data: recv failure for 4. Error = No route to host
+smbd\[.*\]: read_socket_data: recv failure for 4. Error = No route to host
+smbd\[.*\]: yield_connection: tdb_delete for name failed with error Record does not exist\.
 sshd\[.*]: Failed password for .*
 pumpd\[.*\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
 postfix/smtpd\[.*\]: reject: .*: 550 <.*>: User unknown; .* |
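Review bot: The widened rule `afpd\[.*\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument)` in the first hunk removes a second authentication-failure variant from the violations report. Both `Bad file descriptor` and `Invalid argument` read like errno text from inside the PAM conversation rather than a rejected credential, so what is being hidden is probably a broken afpd/PAM path; the same line is also added to `ignore.d.server/tmp` in this commit, so the message will then surface nowhere. Given that this file is named `temp`, I would keep only the original `-- Invalid argument` form in `violations.ignore.d` and leave the `Bad file descriptor` case visible until its cause is known. In the same spirit, the pre-existing context line `sshd\[.*]: Failed password for .*` in the second hunk suppresses every failed-password event from the violations report and is worth revisiting.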