author | Jonas Smedegaard <dr@jones.dk> | 2002-10-24 12:12:48 +0000 |
---|---|---|
committer | Jonas Smedegaard <dr@jones.dk> | 2002-10-24 12:12:48 +0000 |
commit | 05d9dd4eb1b75bfc88d71f889c5f893e818f4dda (patch) | |
tree | 69e5d4cfdf6acd7c1b43179f3c4dacd42f778dba /logcheck | |
parent | 0035e6ec93147e6c5ab30495eef84c97e12381cd (diff) |
logcheck: Misc. improvements and .* extinguishing.
Diffstat (limited to 'logcheck')
-rw-r--r-- | logcheck/ignore.d.server/amavis | 4 | ||||
-rw-r--r-- | logcheck/ignore.d.server/dhcp | 1 | ||||
-rw-r--r-- | logcheck/ignore.d.server/dhcp.changes | 8 | ||||
-rw-r--r-- | logcheck/ignore.d.server/dhcp3-common | 10 | ||||
-rw-r--r-- | logcheck/ignore.d.server/proftpd | 11 | ||||
-rw-r--r-- | logcheck/ignore.d.server/tmp | 3 | ||||
-rw-r--r-- | logcheck/ignore.d.server/uw-imap.changes | 14 | ||||
-rw-r--r-- | logcheck/violations.ignore.d/postfix | 18 |
8 files changed, 41 insertions, 28 deletions
diff --git a/logcheck/ignore.d.server/amavis b/logcheck/ignore.d.server/amavis
index cd2ce17..2d38569 100644
--- a/logcheck/ignore.d.server/amavis
+++ b/logcheck/ignore.d.server/amavis
@@ -1,6 +1,6 @@
 amavis\[[0-9]+\]: infected \([^[:space:]]+\), from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine virus-[0-9-]+
-amavis\[[0-9]+\]: local delivery: <[^[:space:]]+> -> <(spam|virus)-quarantine>, mbx=/var/lib/amavis/virusmails/(spam|virus)-[0-9-]+(\.gz)?
+amavis\[[0-9]+\]: local delivery: <[^[:space:]]+> -> <(spam|virus)-quarantine>, mbx=/var/lib/amavis/virusmails/(spam|virus)-[[:alnum:]-]+(\.gz)?
 amavis\[[0-9]+\]: mail checking ended: (DISCARD|REJECT)
 amavis\[[0-9]+\]: spam from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine spam-[^[:space:]]+
 amavis\[[0-9]+\]: spam_scan: Yes, hits=[\.0-9]+ tests=[^[:space:]]+ <[^[:space:]]+>
-amavis\[[0-9]+\]: warning - MIME::Parser error: unexpected end of header
+amavis\[[0-9]+\]: warning - MIME::Parser error: .*
diff --git a/logcheck/ignore.d.server/dhcp b/logcheck/ignore.d.server/dhcp
deleted file mode 100644
index 54192b1..0000000
--- a/logcheck/ignore.d.server/dhcp
+++ /dev/null
@@ -1 +0,0 @@
-dhcpd-2.2.x: Abandoning IP address [\.0-9]+: pinged before offer
diff --git a/logcheck/ignore.d.server/dhcp.changes b/logcheck/ignore.d.server/dhcp.changes
new file mode 100644
index 0000000..3485782
--- /dev/null
+++ b/logcheck/ignore.d.server/dhcp.changes
@@ -0,0 +1,8 @@
+# NB: dhcp3 entries are in dhcp3-common
+dhcpd-2.2.x: Abandoning IP address [\.0-9]+: pinged before offer
+dhcpd-2.2.x: DHCPRELEASE of [\.0-9]+ from [:0-9a-e]+ via eth[0-9]+ \(found\)
+dhcpd-2.2.x: DHCPREQUEST for .* from .* via
+dhcpd-2.2.x: DHCPACK on .* to .* via
+dhcpd-2.2.x: DHCPDISCOVER from .* via
+dhcpd-2.2.x: DHCPOFFER on .* to .* via
+dhcpd-2.2.x: BOOTREQUEST from [:0-9a-f]+
diff --git a/logcheck/ignore.d.server/dhcp3-common b/logcheck/ignore.d.server/dhcp3-common
index a272a72..c583aaf 100644
--- a/logcheck/ignore.d.server/dhcp3-common
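Review bot: The last added amavis rule, `amavis\[[0-9]+\]: warning - MIME::Parser error: .*`, replaces one specific message with a wildcard, which runs against this commit's stated aim of removing `.*` and makes logcheck drop every MIME::Parser warning instead of the single message that was reviewed. Parser errors on inbound mail are a signal worth seeing when malformed messages reach the content scanner, so I would keep an explicit alternation of the messages actually observed, in the form `MIME::Parser error: (unexpected end of header|<other observed message>)`. The trailing `.*` adds nothing to an unanchored match, so if the broad ignore is really intended the rule can simply end at `error: `.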
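Review bot: In the new dhcp.changes file the DHCPRELEASE rule uses `[:0-9a-e]+` for the hardware address, so any MAC address containing the hex digit `f` will not match; the BOOTREQUEST rule in the same file uses `[:0-9a-f]+`, which suggests a typo. Suggested line: `dhcpd-2.2.x: DHCPRELEASE of [\.0-9]+ from [:0-9a-f]+ via eth[0-9]+ \(found\)`. The DHCPREQUEST, DHCPACK, DHCPDISCOVER and DHCPOFFER rules also introduce new `.*` fields where the dhcp3-common rules in this same commit use `[\.0-9]+` and `[:0-9a-f]+`; using those classes here would keep arbitrary text from satisfying the ignore rule.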
+++ b/logcheck/ignore.d.server/dhcp3-common
@@ -1,6 +1,14 @@
+dhcpd: Abandoning IP address [\.0-9]+: pinged before offer
+dhcpd: BOOTREQUEST from
+dhcpd: DHCPACK on [\.0-9]+ to [:0-9a-f]+ via
 dhcpd: DHCPACK to [\.0-9]+
+dhcpd: DHCPDISCOVER from [:0-9a-f]+ via
+dhcpd: DHCPINFORM from
+dhcpd: DHCPNAK on
+dhcpd: DHCPOFFER on [\.0-9]+ to [:0-9a-f]+ via
+dhcpd: DHCPRELEASE of [\.0-9]+
+dhcpd: DHCPREQUEST for [\.0-9]+ from [:0-9a-f]+ via
 dhcpd: ICMP Echo reply while lease [\.0-9]+ valid.
 dhcpd: Wrote [0-9]+ (leases|deleted host decls|new dynamic host decls) to leases file\.
 dhcpd: accepting packet with data after udp payload.
 dhcpd: ip length 576 disagrees with bytes received 590.
-dhcpd: Abandoning IP address [\.0-9]+: pinged before offer
diff --git a/logcheck/ignore.d.server/proftpd b/logcheck/ignore.d.server/proftpd
index 0b9bd66..678c6e4 100644
--- a/logcheck/ignore.d.server/proftpd
+++ b/logcheck/ignore.d.server/proftpd
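Review bot: Three of the rules added to dhcp3-common are bare prefixes, `dhcpd: BOOTREQUEST from`, `dhcpd: DHCPINFORM from` and `dhcpd: DHCPNAK on`, so they ignore every such line whatever address or interface follows, unlike the neighbouring DHCPACK and DHCPOFFER rules that pin each field. DHCPNAK in particular is a useful sign of a misconfigured client or a second DHCP server on the segment, so I would constrain it rather than drop it wholesale, for example `dhcpd: DHCPNAK on [\.0-9]+ to [:0-9a-f]+ via` if the message has the same shape as DHCPACK (not visible in this diff). None of these rules is anchored to the start or end of the line, so each also matches when the same text appears inside a different log message.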
@@ -1,7 +1,8 @@
-proftpd\[[0-9]+\]: .* \(.*\[[\.0-9]+\]\) - FTP session opened\.
-proftpd\[[0-9]+\]: .* \(.*\[[\.0-9]+\]\) - USER (anonymous|ftp)(@[\.[:alnum:]]+)? \(Login failed\): Can't find user\.
-proftpd\[[0-9]+\]: .* \(.*\[[\.0-9]+\]\) - USER (anonymous|ftp)(@[\.[:alnum:]]+)?: no such user found from .*\[[\.0-9]+\] to [\.0-9]+
-proftpd\[[0-9]+\]: .* \(.*\[[\.0-9]+\]\) - no such user '(anonymous|ftp)(@[\.[:alnum:]]+)?'
+proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]]+\[[\.0-9]+\]\) - FTP session opened\.
+proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]]+\[[\.0-9]+\]\) - FTP login timed out, disconnected\.
+proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]]+\[[\.0-9]+\]\) - USER (anonymous|ftp)(@[\.[:alnum:]]+)? \(Login failed\): Can't find user\.
+proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]]+\[[\.0-9]+\]\) - USER (anonymous|ftp)(@[\.[:alnum:]]+)?: no such user found from .*\[[\.0-9]+\] to [\.0-9]+
+proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]]+\[[\.0-9]+\]\) - no such user '(anonymous|ftp)(@[\.[:alnum:]]+)?'
 proftpd\[[0-9]+\]: connect from [\.0-9]+
 proftpd\[[0-9]+\]: No certificate files found!
-proftpd\[[0-9]+\]:.* (.*\[.*\]) - Refused PORT.* (address mismatch)\.
+proftpd\[[0-9]+\]: [^[:space:]]+ ([^[:space:]]+\[[\.0-9]\]) - Refused PORT.* (address mismatch)\.
diff --git a/logcheck/ignore.d.server/tmp b/logcheck/ignore.d.server/tmp
index 39883bd..c72783a 100644
--- a/logcheck/ignore.d.server/tmp
+++ b/logcheck/ignore.d.server/tmp
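Review bot: The rewritten Refused PORT rule at the end of the proftpd hunk cannot match the message it is meant to ignore: `\[[\.0-9]\]` has no `+` and so accepts only a single character between the brackets, and the parentheses around the client and around `address mismatch` are unescaped, so they act as groups instead of matching a literal `(` and `)`. The old rule had the same unescaped parentheses, but its `.*` absorbed the literal ones. Suggested line, using the escaped form of the other proftpd rules: `proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]]+\[[\.0-9]+\]\) - Refused PORT.* \(address mismatch\)\.`. The failure is on the noisy side (the line gets reported rather than hidden), but whether a refused PORT with an address mismatch is ignored should be a deliberate choice rather than the side effect of a typo.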
@@ -44,9 +44,6 @@ smbd\[[0-9]+\]: \[.*\] smbd/connection.c:yield_connection\([0-9]+\)
 smbd\[[0-9]+\]: \[.*\] passdb/pampass.c:smb_pam_passcheck\([0-9]+\)
 sshd\[[0-9]+\]: Failed password for .*
 sshd\[[0-9]+\]: packet_set_maxsize: setting to 4096
-## dhcp
-dhcpd-2.2.x: BOOTREQUEST from (00:20:6b:18:20:35|08:00:86:11:2b:71)
-dhcpd-2.2.x: No applicable record for BOOTP host (00:20:6b:18:20:35|08:00:86:11:2b:71)
 ## postfix
 postfix.*\[[0-9]+\]: .* from=<groove@mailomat.grooveattack.com>
 postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [\.[:alnum:]-]+\[[\.0-9]+\] in MAIL command: <C:\\Email\\Headers\\fresh froms 5-1\.txt>
diff --git a/logcheck/ignore.d.server/uw-imap.changes b/logcheck/ignore.d.server/uw-imap.changes
index 42a56ef..39d603b 100644
--- a/logcheck/ignore.d.server/uw-imap.changes
+++ b/logcheck/ignore.d.server/uw-imap.changes
@@ -1,12 +1,12 @@
 imapd\[[0-9]+\]: (port 143|imap|imaps SSL) service init from
-imapd\[[0-9]+\]: No route to host, while reading line user=.* host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN)
-i(map|pop3)d\[[0-9]+\]: Killed \(lost mailbox lock\) user=.* host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN)
-i(map|pop3)d\[[0-9]+\]: (Login|Auth|Authenticated|Logout|Autologout) user=.* host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN)
-i(map|pop3)d\[[0-9]+\]: Moved [0-9]+ bytes of new mail to .* from .* host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN)
-i(map|pop(2|3))d\[[0-9]+\]: (Broken pipe|Command stream end of file|Connection (reset by peer|timed out))(,)? while (reading (authentication|line|literal|char)|writing text) (user=.* )?host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN)
+imapd\[[0-9]+\]: No route to host, while reading line user=.* host=(([^[:space:]]+ )?\[[\.0-9]+\]|UNKNOWN)
+i(map|pop3)d\[[0-9]+\]: Killed \(lost mailbox lock\) user=.* host=(([^[:space:]]+ )?\[[\.0-9]+\]|UNKNOWN)
+i(map|pop3)d\[[0-9]+\]: (Login|Auth|Authenticated|Logout|Autologout) user=.* host=(([^[:space:]]+ )?\[[\.0-9]+\]|UNKNOWN)
+i(map|pop3)d\[[0-9]+\]: Moved [0-9]+ bytes of new mail to .* from .* host=(([^[:space:]]+ )?\[[\.0-9]+\]|UNKNOWN)
+i(map|pop(2|3))d\[[0-9]+\]: (Broken pipe|Command stream end of file|Connection (reset by peer|timed out))(,)? while (reading (authentication|line|literal|char)|writing text) (user=.* )?host=(([^[:space:]]+ )?\[[\.0-9]+\]|UNKNOWN)
 ipop[2|3]d\[[0-9]+\]: (connect|pop3(s SSL)? service init) from [\.0-9]+
 ipop3d\[[0-9]+\]: Trying to get mailbox lock from process [0-9]+
-ipop3d\[[0-9]+\]: Error opening or locking INBOX user=.* host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN)
+ipop3d\[[0-9]+\]: Error opening or locking INBOX user=.* host=(([^[:space:]]+ )?\[[\.0-9]+\]|UNKNOWN)
 ipop3d\[[0-9]+\]: Expunge ignored on readonly mailbox
 ipop3d\[[0-9]+\]: Mailbox is open by another process, access is readonly
-ipop3d\[[0-9]+\]: Moved .* bytes of new mail to .* from .* host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN)
+ipop3d\[[0-9]+\]: Moved [0-9]+ bytes of new mail to [^[:space:]]+ from [^[:space:]]+ host= (([^[:space:]]+ )?\[[\.0-9]+\]|UNKNOWN)
diff --git a/logcheck/violations.ignore.d/postfix b/logcheck/violations.ignore.d/postfix
index 6724802..f513f5c 100644
--- a/logcheck/violations.ignore.d/postfix
+++ b/logcheck/violations.ignore.d/postfix
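Review bot: The tightened `ipop3d ... Moved [0-9]+ bytes` rule at the end of the uw-imap hunk has a space after `host=` (`host= (([^[:space:]]+ )?\[`), which none of the other rewritten rules has; as shown it requires a literal space there and would stop matching. It is also shadowed by the earlier `i(map|pop3)d\[[0-9]+\]: Moved [0-9]+ bytes of new mail to .* from .*` rule, which already covers ipop3d and still uses `.*`, so the tightening has no effect until that rule is narrowed the same way or removed. The `user=.*` fields kept throughout hold a client-chosen login name; `user=[^[:space:]]+` would be consistent with the rest of the commit, provided login names on this host never contain spaces.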
@@ -1,16 +1,16 @@
 postfix/(qmgr|smtp)\[[0-9]+\]: .* status=deferred \(connect to .*: (Connection refused|server refused mail service)\)
-postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=<.*@Debug>
+postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=<[^[:space:]]+@Debug>
 postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied
-postfix/smtp\[[0-9]+\]: .* status=bounced \(bad host/domain syntax: ".*"\)
+postfix/smtp\[[0-9]+\]: .* status=bounced \(bad host/domain syntax: "[^[:space:]]+"\)
 postfix/smtp\[[0-9]+\]: .* status=bounced \(Name service error for .*: Host not found\)
-postfix/smtp\[[0-9]+\]: .* status=bounced \(host .* said: 550 .* (User unknown; rejecting|Relaying denied|unknown or illegal alias: .*)\)
+postfix/smtp\[[0-9]+\]: .* status=bounced \(host .* said: 550 .* (User unknown; rejecting|Relaying denied|unknown or illegal alias: [^[:space:]]+)\)
 postfix/smtp\[[0-9]+\]: .* status=bounced \(host .* said: 552 header content rejected: see .*\)
-postfix/smtp\[[0-9]+\]: .* status=deferred \(host .* said: 450 <.*>: Sender address rejected: Domain not found\)
-postfix/smtp\[[0-9]+\]: .* status=deferred \(host .* said: 450 <.*>: Recipient address rejected: Recipient mailbox is full\)
+postfix/smtp\[[0-9]+\]: .* status=deferred \(host .* said: 450 <[^[:space:]]+>: Sender address rejected: Domain not found\)
+postfix/smtp\[[0-9]+\]: .* status=deferred \(host .* said: 450 <[^[:space:]]+>: Recipient address rejected: Recipient mailbox is full\)
 postfix/smtp\[[0-9]+\]: .* status=deferred \(host .* said: 451 Transaction failed.\)
-postfix/smtp\[[0-9]+\]: connect to .*\[[\.0-9]+\]: (Connection refused|server refused mail service) \(port 25\)
-postfix/smtpd\[[0-9]+\]: reject: RCPT from .*\[[\.0-9]+\]: 550 <.*>: User unknown; from=<.*> to=<.*>
-postfix/smtpd\[[0-9]+\]: reject: RCPT from .*\[[\.0-9]+\]: 554 Service unavailable; .* blocked using .*; from=<.*> to=<.*>
-postfix/smtpd\[[0-9]+\]: reject: RCPT from .*\[[\.0-9]+\]: 554 <.*>: (Recipient address rejected: )?(Relay a|A)ccess denied; from=<.*> to=<.*>
+postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: (Connection refused|server refused mail service) \(port 25\)
+postfix/smtpd\[[0-9]+\]: reject: RCPT from [^[:space:]]+\[[\.0-9]+\]: 550 <[^[:space:]]+>: User unknown; from=<[^[:space:]]+> to=<[^[:space:]]+>
+postfix/smtpd\[[0-9]+\]: reject: RCPT from [^[:space:]]+\[[\.0-9]+\]: 554 Service unavailable; .* blocked using .*; from=<[^[:space:]]+> to=<[^[:space:]]+>
+postfix/smtpd\[[0-9]+\]: reject: RCPT from [^[:space:]]+\[[\.0-9]+\]: 554 <[^[:space:]]+>: (Recipient address rejected: )?(Relay a|A)ccess denied; from=<[^[:space:]]+> to=<[^[:space:]]+>
 postfix/smtpd\[[0-9]+\]: warning: .*: hostname .* verification failed: Host not found
 postfix/smtp\[[0-9]+\]: [A-Z0-9]+: to=<[^[:space:]]+>, relay=127\.0\.0\.1\[127\.0\.0\.1\], delay=[0-9]+, status=bounced \(host 127\.0\.0\.1\[127\.0\.0\.1\] said: 550 Message content rejected, id=[^[:space:]]+\) |
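Review bot: The rewritten smtpd reject rules use `from=<[^[:space:]]+>`, which requires at least one character, so rejections of mail with the null sender (`from=<>`, as used for bounces) no longer match and will start to appear as violations; the old `from=<.*>` accepted the empty address. If that is not intended, `from=<[^[:space:]]*>` keeps the tightening and the old coverage. Because this file lives in violations.ignore.d, every remaining `.*` (for example in `554 Service unavailable; .* blocked using .*;`) decides which security-relevant lines are dropped from the report, so those are worth narrowing in the same pass.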