diff options
| author | Jonas Smedegaard <dr@jones.dk> | 2003-01-01 23:45:15 +0000 |
|---|---|---|
| committer | Jonas Smedegaard <dr@jones.dk> | 2003-01-01 23:45:15 +0000 |
| commit | bae65f57b011e083dabff47bd6f73ae072084c9b (patch) | |
| tree | a81a4b5faafebcca34151841011b3f698c5cde2a /logcheck | |
| parent | c572cd4c8bf75204716d28653ff3d35d9f3d6075 (diff) | |
Misc updates to postfix and uw-imapd and samba loglines.
Diffstat (limited to 'logcheck')
| -rw-r--r-- | logcheck/ignore.d.server/local | 9 | ||||
| -rw-r--r-- | logcheck/ignore.d.server/postfix | 2 | ||||
| -rw-r--r-- | logcheck/ignore.d.server/tmp | 7 | ||||
| -rw-r--r-- | logcheck/ignore.d.workstation/local | 9 | ||||
| -rw-r--r-- | logcheck/violations.ignore.d/local | 8 | ||||
| -rw-r--r-- | logcheck/violations.ignore.d/postfix | 7 | ||||
| -rw-r--r-- | logcheck/violations.ignore.d/temp | 1 |
7 files changed, 25 insertions, 18 deletions
diff --git a/logcheck/ignore.d.server/local b/logcheck/ignore.d.server/local index a31c413..87c4fbb 100644 --- a/logcheck/ignore.d.server/local +++ b/logcheck/ignore.d.server/local @@ -223,7 +223,7 @@ postfix/smtpd?\[[0-9]+\]: Verified: subject_CN=[^,]+, issuer=[^,]+$ postfix/smtpd?\[[0-9]+\]: warning: (numeric|malformed) domain name in resource data of MX record for [^[:space:]]+: [^[:space:]]*$ postfix/smtpd?\[[0-9]+\]: warning: valid_hostname: (empty hostname|invalid character [0-9]+\(decimal\): [^[:space:]]+)$ postfix/smtpd\[[0-9]+\]: (lost connection|timeout) after [^ ]+ from [^[:space:]]+\[[\.0-9]+\]$ -postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in MAIL command: <[^>]+>$ +postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in (MAIL command: <[^>]+>|RCPT command: )$ postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+ sent (message header|mail content) instead of SMTP command: postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+: address not listed for hostname [^[:space:]]+$ postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+: hostname [^[:space:]]+ verification failed: Host (name has no address|not found)$ @@ -339,10 +339,11 @@ portsentry\[[0-9]+\]: attackalert: .* ## pump pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument ## samba +smbd\[[0-9]+\]: process_local_message: unknown UDP message command code \(2de1\) - ignoring. $ smbd\[[0-9]+\]: read(_socket)?_data: recv failure for 4. Error = (No route to host|Connection reset by peer) $ -smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !$ -smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\.$ -smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] (lib/util_sock.c:read_data|passdb/pampass.c:smb_pam_passcheck|smbd/(connection.c:yield_connection|service.c:find_service))\([0-9]+\) $ +smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! $ +smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\. $ +smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] (lib/util_sock.c:read_data|passdb/pampass.c:smb_pam_passcheck|smbd/(connection.c:yield_connection|oplock.c:process_local_message|service.c:find_service))\([0-9]+\) $ sshd\[[0-9]+\]: Failed password for [[:alnum:]]+ $ sshd\[[0-9]+\]: packet_set_maxsize: setting to 4096 $ ## postfix diff --git a/logcheck/ignore.d.server/postfix b/logcheck/ignore.d.server/postfix index a836c8b..475b687 100644 --- a/logcheck/ignore.d.server/postfix +++ b/logcheck/ignore.d.server/postfix @@ -16,7 +16,7 @@ postfix/smtpd?\[[0-9]+\]: Verified: subject_CN=[^,]+, issuer=[^,]+$ postfix/smtpd?\[[0-9]+\]: warning: (numeric|malformed) domain name in resource data of MX record for [^[:space:]]+: [^[:space:]]*$ postfix/smtpd?\[[0-9]+\]: warning: valid_hostname: (empty hostname|invalid character [0-9]+\(decimal\): [^[:space:]]+)$ postfix/smtpd\[[0-9]+\]: (lost connection|timeout) after [^ ]+ from [^[:space:]]+\[[\.0-9]+\]$ -postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in MAIL command: <[^>]+>$ +postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in (MAIL command: <[^>]+>|RCPT command: )$ postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+ sent (message header|mail content) instead of SMTP command: postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+: address not listed for hostname [^[:space:]]+$ postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+: hostname [^[:space:]]+ verification failed: Host (name has no address|not found)$ diff --git a/logcheck/ignore.d.server/tmp b/logcheck/ignore.d.server/tmp index cef341d..50bf0fc 100644 --- a/logcheck/ignore.d.server/tmp +++ b/logcheck/ignore.d.server/tmp @@ -43,10 +43,11 @@ portsentry\[[0-9]+\]: attackalert: .* ## pump pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument ## samba +smbd\[[0-9]+\]: process_local_message: unknown UDP message command code \(2de1\) - ignoring. $ smbd\[[0-9]+\]: read(_socket)?_data: recv failure for 4. Error = (No route to host|Connection reset by peer) $ -smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !$ -smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\.$ -smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] (lib/util_sock.c:read_data|passdb/pampass.c:smb_pam_passcheck|smbd/(connection.c:yield_connection|service.c:find_service))\([0-9]+\) $ +smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! $ +smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\. $ +smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] (lib/util_sock.c:read_data|passdb/pampass.c:smb_pam_passcheck|smbd/(connection.c:yield_connection|oplock.c:process_local_message|service.c:find_service))\([0-9]+\) $ sshd\[[0-9]+\]: Failed password for [[:alnum:]]+ $ sshd\[[0-9]+\]: packet_set_maxsize: setting to 4096 $ ## postfix diff --git a/logcheck/ignore.d.workstation/local b/logcheck/ignore.d.workstation/local index 24819d6..8e4e3d8 100644 --- a/logcheck/ignore.d.workstation/local +++ b/logcheck/ignore.d.workstation/local @@ -223,7 +223,7 @@ postfix/smtpd?\[[0-9]+\]: Verified: subject_CN=[^,]+, issuer=[^,]+$ postfix/smtpd?\[[0-9]+\]: warning: (numeric|malformed) domain name in resource data of MX record for [^[:space:]]+: [^[:space:]]*$ postfix/smtpd?\[[0-9]+\]: warning: valid_hostname: (empty hostname|invalid character [0-9]+\(decimal\): [^[:space:]]+)$ postfix/smtpd\[[0-9]+\]: (lost connection|timeout) after [^ ]+ from [^[:space:]]+\[[\.0-9]+\]$ -postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in MAIL command: <[^>]+>$ +postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in (MAIL command: <[^>]+>|RCPT command: )$ postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+ sent (message header|mail content) instead of SMTP command: postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+: address not listed for hostname [^[:space:]]+$ postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+: hostname [^[:space:]]+ verification failed: Host (name has no address|not found)$ @@ -339,10 +339,11 @@ portsentry\[[0-9]+\]: attackalert: .* ## pump pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument ## samba +smbd\[[0-9]+\]: process_local_message: unknown UDP message command code \(2de1\) - ignoring. $ smbd\[[0-9]+\]: read(_socket)?_data: recv failure for 4. Error = (No route to host|Connection reset by peer) $ -smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !$ -smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\.$ -smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] (lib/util_sock.c:read_data|passdb/pampass.c:smb_pam_passcheck|smbd/(connection.c:yield_connection|service.c:find_service))\([0-9]+\) $ +smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! $ +smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\. $ +smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] (lib/util_sock.c:read_data|passdb/pampass.c:smb_pam_passcheck|smbd/(connection.c:yield_connection|oplock.c:process_local_message|service.c:find_service))\([0-9]+\) $ sshd\[[0-9]+\]: Failed password for [[:alnum:]]+ $ sshd\[[0-9]+\]: packet_set_maxsize: setting to 4096 $ ## postfix diff --git a/logcheck/violations.ignore.d/local b/logcheck/violations.ignore.d/local index ab4c42d..d1b7e46 100644 --- a/logcheck/violations.ignore.d/local +++ b/logcheck/violations.ignore.d/local @@ -37,6 +37,7 @@ netsaint: Successfully shutdown\.\.\. \(PID=[0-9]+\) $ ### violations.ignore.d/pmud pmud\[[0-9]+\]: Sleep for this PMU unsupported: will shutdown the machine on sleep request$ ### violations.ignore.d/postfix +# This extension is for postfix 2.0 (and can thus be enabled unconditionally when included in that package: ( proto=E?SMTP helo=<[^[:space:]>]+>)? postfix/(local|smtpd)\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host not found(, try again)?$ postfix/(qmgr|smtp)\[[0-9]+\]: [^\(]+ status=deferred \(connect to [^[:space:]\[]+\[[\.0-9]+\]: (Connection refused|server refused mail service)\)$ postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=<[^[:space:]>]+>$ @@ -50,17 +51,17 @@ postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 504 <[^ postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 550 [^\)]+ (Access denied|Recipient address rejected|Relaying denied|Sender Not Authorised|unknown or illegal alias|User unknown; rejecting)[^\)]*\)$ postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 552 header content rejected: see [^\)]+\)$ postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 553 sorry, your envelope sender has been denied [^\)]+\)$ -postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 554 <[^[:space:]>]+>:( Recipient address rejected:)? Relay access denied\)$ +postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 554 <[^[:space:]>]+>:( Recipient address rejected:)? Relay access denied\)( proto=E?SMTP helo=<[^[:space:]>]+>)?$ postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 571 <>\.\.\. denied\)$ postfix/smtp\[[0-9]+\]: [^\(]+ status=deferred \(host [^[:space:]]+ said: 450 <[^[:space:]>]+>: (Recipient address rejected: Recipient mailbox is full|Sender address rejected: Domain not found)\)$ postfix/smtp\[[0-9]+\]: [^\(]+ status=deferred \(host [^[:space:]]+ said: 451 Transaction failed.\)$ postfix/smtp\[[0-9]+\]: connect to [^[:space:]\[]+\[[\.0-9]+\]: (Connection refused|server refused mail service) \(port 25\)$ -postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 450 <[^>]+>: (Sender|Recipient) address rejected: Domain not found; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$ +postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 450 <[^>]+>: (Sender|Recipient) address rejected: Domain not found; from=<[^[:space:]>]+> to=<[^[:space:]>]+>( proto=E?SMTP helo=<[^[:space:]>]+>)?$ postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 452 Insufficient system storage; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$ postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 501 <[^>]+>: Helo command rejected: Invalid (ip address|name); from=<[^[:space:]>]+> to=<[^[:space:]>]+>$ postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 503 Improper use of SMTP command pipelining; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$ postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 504 <[^>:]+>: Helo command rejected: Invalid name; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$ -postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 504 <[^>]+>: (Helo command|Recipient address) rejected: need fully-qualified (address|hostname); from=<[^[:space:]>]+> to=<[^[:space:]>]+>( proto=SMTP helo=<[^[:space:]>]+>)?$ +postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 504 <[^>]+>: (Helo command|Recipient address) rejected: need fully-qualified (address|hostname); from=<[^[:space:]>]+> to=<[^[:space:]>]+>( proto=E?SMTP helo=<[^[:space:]>]+>)?$ postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 550 <[^>]+>: User unknown; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$ postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 554 <[^>]+>: (Recipient address rejected: )?(Relay a|A)ccess denied; from=<[^[:space:]>]*> to=<[^[:space:]>]+>$ postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 554 Service unavailable; .* blocked using .*; from=<[^[:space:]>]+> to=<[^[:space:]>]+> @@ -81,6 +82,7 @@ afpd\[[0-9]+\]: error removing /.+/net[\.0-9]+node[0-9]+: Permission denied afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument) IMP\[[0-9]+\]: FAILED .* to .*:143 as .* i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\] +imap\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=[[:alnum:]]+$ kernel: IP_MASQ:reverse ICMP: failed checksum from .*! kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\) PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service diff --git a/logcheck/violations.ignore.d/postfix b/logcheck/violations.ignore.d/postfix index 3374ccc..cbc44c1 100644 --- a/logcheck/violations.ignore.d/postfix +++ b/logcheck/violations.ignore.d/postfix @@ -1,3 +1,4 @@ +# This extension is for postfix 2.0 (and can thus be enabled unconditionally when included in that package: ( proto=E?SMTP helo=<[^[:space:]>]+>)? postfix/(local|smtpd)\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host not found(, try again)?$ postfix/(qmgr|smtp)\[[0-9]+\]: [^\(]+ status=deferred \(connect to [^[:space:]\[]+\[[\.0-9]+\]: (Connection refused|server refused mail service)\)$ postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=<[^[:space:]>]+>$ @@ -11,17 +12,17 @@ postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 504 <[^ postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 550 [^\)]+ (Access denied|Recipient address rejected|Relaying denied|Sender Not Authorised|unknown or illegal alias|User unknown; rejecting)[^\)]*\)$ postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 552 header content rejected: see [^\)]+\)$ postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 553 sorry, your envelope sender has been denied [^\)]+\)$ -postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 554 <[^[:space:]>]+>:( Recipient address rejected:)? Relay access denied\)$ +postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 554 <[^[:space:]>]+>:( Recipient address rejected:)? Relay access denied\)( proto=E?SMTP helo=<[^[:space:]>]+>)?$ postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 571 <>\.\.\. denied\)$ postfix/smtp\[[0-9]+\]: [^\(]+ status=deferred \(host [^[:space:]]+ said: 450 <[^[:space:]>]+>: (Recipient address rejected: Recipient mailbox is full|Sender address rejected: Domain not found)\)$ postfix/smtp\[[0-9]+\]: [^\(]+ status=deferred \(host [^[:space:]]+ said: 451 Transaction failed.\)$ postfix/smtp\[[0-9]+\]: connect to [^[:space:]\[]+\[[\.0-9]+\]: (Connection refused|server refused mail service) \(port 25\)$ -postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 450 <[^>]+>: (Sender|Recipient) address rejected: Domain not found; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$ +postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 450 <[^>]+>: (Sender|Recipient) address rejected: Domain not found; from=<[^[:space:]>]+> to=<[^[:space:]>]+>( proto=E?SMTP helo=<[^[:space:]>]+>)?$ postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 452 Insufficient system storage; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$ postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 501 <[^>]+>: Helo command rejected: Invalid (ip address|name); from=<[^[:space:]>]+> to=<[^[:space:]>]+>$ postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 503 Improper use of SMTP command pipelining; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$ postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 504 <[^>:]+>: Helo command rejected: Invalid name; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$ -postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 504 <[^>]+>: (Helo command|Recipient address) rejected: need fully-qualified (address|hostname); from=<[^[:space:]>]+> to=<[^[:space:]>]+>( proto=SMTP helo=<[^[:space:]>]+>)?$ +postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 504 <[^>]+>: (Helo command|Recipient address) rejected: need fully-qualified (address|hostname); from=<[^[:space:]>]+> to=<[^[:space:]>]+>( proto=E?SMTP helo=<[^[:space:]>]+>)?$ postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 550 <[^>]+>: User unknown; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$ postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 554 <[^>]+>: (Recipient address rejected: )?(Relay a|A)ccess denied; from=<[^[:space:]>]*> to=<[^[:space:]>]+>$ postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 554 Service unavailable; .* blocked using .*; from=<[^[:space:]>]+> to=<[^[:space:]>]+> diff --git a/logcheck/violations.ignore.d/temp b/logcheck/violations.ignore.d/temp index e21b4fc..18c331f 100644 --- a/logcheck/violations.ignore.d/temp +++ b/logcheck/violations.ignore.d/temp @@ -7,6 +7,7 @@ afpd\[[0-9]+\]: error removing /.+/net[\.0-9]+node[0-9]+: Permission denied afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument) IMP\[[0-9]+\]: FAILED .* to .*:143 as .* i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\] +imap\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=[[:alnum:]]+$ kernel: IP_MASQ:reverse ICMP: failed checksum from .*! kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\) PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service |