diff options
Diffstat (limited to 'logcheck/ignore.d.server/tmp')
| -rw-r--r-- | logcheck/ignore.d.server/tmp | 154 |
1 files changed, 77 insertions, 77 deletions
diff --git a/logcheck/ignore.d.server/tmp b/logcheck/ignore.d.server/tmp index 15e33c5..9dd06e3 100644 --- a/logcheck/ignore.d.server/tmp +++ b/logcheck/ignore.d.server/tmp @@ -1,99 +1,99 @@ ## imp -IMP\[[0-9]+\]: FAILED .* to .*:143 as .* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED .* to .*:143 as .* ## libpam-modules -PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service -PAM_unix\[[0-9]+\]: check pass; user unknown$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_unix\[[0-9]+\]: check pass; user unknown$ # old-style pam entries (no longer provided by logcheck but needed on woody) -PAM_.*: .* session (opened|closed) for user .* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_.*: .* session (opened|closed) for user .* ## netatalk -afpd\[[0-9]+\]: [^[:space:]]+: E:AFPDaemon: bad function 7A -afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied -afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: (PAM Auth OK!|Success -- .*|User entered a null value -- .*) -afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument) -afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: User entered a null value -- No such file or directory -atalkd\[[0-9]+\]: as_timer sendto: Netvaerket er ikke tilgaengeligt +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: E:AFPDaemon: bad function 7A +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: (PAM Auth OK!|Success -- .*|User entered a null value -- .*) +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument) +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: User entered a null value -- No such file or directory +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ atalkd\[[0-9]+\]: as_timer sendto: Netvaerket er ikke tilgaengeligt ## hylafax-server -FaxGetty\[[0-9]+\]: ANSWER: Can not lock modem device -gnome-name-server\[[0-9]+\]: server_is_alive: .* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: ANSWER: Can not lock modem device +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnome-name-server\[[0-9]+\]: server_is_alive: .* ## uw-imap -i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\] +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\] ## ppp -ipppd\[[0-9]+\]: Connect\[0\]: /dev/ippp[0-9], fd: 12 +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: Connect\[0\]: /dev/ippp[0-9], fd: 12 ## misc -kernel: Disorder[0-9] [0-9] [0-9] f[0-9] s[0-9] rr[0-9] -kernel: IP_MASQ:reverse ICMP: failed checksum from .*! -kernel: OPEN: [\.0-9]* -> [\.0-9]* UDP, port: [0-9]* -> [0-9]* -kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\) -kernel: Shorewall:net2all:DROP:.*$ -kernel: lp[0-9]: compatibility mode -kernel: Undo( partial)? (Hoe|loss|retrans) -printer: offline or intervention needed +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Disorder[0-9] [0-9] [0-9] f[0-9] s[0-9] rr[0-9] +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: IP_MASQ:reverse ICMP: failed checksum from .*! +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: OPEN: [\.0-9]* -> [\.0-9]* UDP, port: [0-9]* -> [0-9]* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\) +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Shorewall:net2all:DROP:.*$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: lp[0-9]: compatibility mode +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Undo( partial)? (Hoe|loss|retrans) +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ printer: offline or intervention needed ## Printer and Windows PC at Homebase ignoring change of DHCP (192.168.101 -> 192.168.1) -kernel: Shorewall:all2all:REJECT:.*SRC=192.168.103.17 DST=192.168.101.2 .*$ -kernel: Shorewall:all2all:REJECT:.*SRC=192.168.103.248 DST=192.168.101.22 .*$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Shorewall:all2all:REJECT:.*SRC=192.168.103.17 DST=192.168.101.2 .*$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Shorewall:all2all:REJECT:.*SRC=192.168.103.248 DST=192.168.101.22 .*$ ## Non-UDMA hd cable -kernel: hda: status timeout: status=0xd0 \{ Busy \} -kernel: hda: no DRQ after issuing WRITE -kernel: ide0: reset: success +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: hda: status timeout: status=0xd0 \{ Busy \} +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: hda: no DRQ after issuing WRITE +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: ide0: reset: success ## Postfix SASL not working -postfix/smtpd\[[0-9]+\]: unable to open Berkeley db /etc/sasldb: No such file or directory +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: unable to open Berkeley db /etc/sasldb: No such file or directory ## ntp-simple -ntpd\[[0-9]+\]: synchronisation lost -ntpd\[[0-9]+\]: synchronisation lost -ntpd\[[0-9]+\]: time reset [\.0-9-]* . -ntpd\[[0-9]+\]: time reset [\.0-9-]+ s +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: synchronisation lost +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: synchronisation lost +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: time reset [\.0-9-]* . +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: time reset [\.0-9-]+ s ## portsentry -portsentry\[[0-9]+\]: attackalert: .* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ portsentry\[[0-9]+\]: attackalert: .* ## pump -pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument ## samba -smbd\[[0-9]+\]: process_local_message: unknown UDP message command code \([0-9a-f]+\) - ignoring. $ -smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for 4\. Error = (No route to host|Connection (reset by peer|timed out)) $ -smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! $ -smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\. $ -smbd\[[0-9]+\]: [^[:space:]]+ \([\.0-9]+\) couldn't find service c $ -smbd\[[0-9]+\]: api_srv_net_share_add: Failed to unmarshall SRV_Q_NET_SHARE_ADD. $ -smbd\[[0-9]+\]: prs_mem_get: reading data of size 4 would overrun buffer. $ -smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] (lib/util_sock.c:read_data|passdb/pampass.c:smb_pam_passcheck|rpc_parse/parse_prs.c:prs_mem_get|rpc_server/srv_(pipe.c:api_rpcTNP|srvsvc.c:api_srv_net_share_add))\([0-9]+\) $ -smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] smbd/(connection.c:yield_connection|oplock.c:process_local_message|service.c:(find_service|make_connection))\([0-9]+\) $ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: process_local_message: unknown UDP message command code \([0-9a-f]+\) - ignoring. $ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for 4\. Error = (No route to host|Connection (reset by peer|timed out)) $ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! $ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\. $ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: [^[:space:]]+ \([\.0-9]+\) couldn't find service c $ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: api_srv_net_share_add: Failed to unmarshall SRV_Q_NET_SHARE_ADD. $ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: prs_mem_get: reading data of size 4 would overrun buffer. $ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] (lib/util_sock.c:read_data|passdb/pampass.c:smb_pam_passcheck|rpc_parse/parse_prs.c:prs_mem_get|rpc_server/srv_(pipe.c:api_rpcTNP|srvsvc.c:api_srv_net_share_add))\([0-9]+\) $ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] smbd/(connection.c:yield_connection|oplock.c:process_local_message|service.c:(find_service|make_connection))\([0-9]+\) $ ## ssh -sshd\[[0-9]+\]: Failed password for [[:alnum:]]+ from [0-9\.]+ port [0-9]+ ssh2$ -sshd\[[0-9]+\]: packet_set_maxsize: setting to 4096 $ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for [[:alnum:]]+ from [0-9\.]+ port [0-9]+ ssh2$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: packet_set_maxsize: setting to 4096 $ ## postfix -postfix.*\[[0-9]+\]: .* from=<groove@mailomat.grooveattack.com> -postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [\.[:alnum:]-]+\[[\.0-9]+\] in MAIL command: <C:\\Email\\Headers\\fresh froms 5-1\.txt> +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix.*\[[0-9]+\]: .* from=<groove@mailomat.grooveattack.com> +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [\.[:alnum:]-]+\[[\.0-9]+\] in MAIL command: <C:\\Email\\Headers\\fresh froms 5-1\.txt> ## Tulle getting spammed -tulle postfix/smtpd\[[0-9]+\]: too many errors after RCPT from unknown\[\.0-9]+[\] -rpc.mountd: authenticated mount request from .* for .* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ tulle postfix/smtpd\[[0-9]+\]: too many errors after RCPT from unknown\[\.0-9]+[\] +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rpc.mountd: authenticated mount request from .* for .* ## snort -snort: .*FrontPage -snort: IDS015 - RPC - portmap-request-status: -snort: IDS029 - SCAN-Possible Queso Fingerprint attempt: -snort: IDS115 - MISC-Traceroute-UDP: -snort: IDS212 - MISC - DNS Zone Transfer: -snort: IDS226 - CVE-1999-0172 - CGI-formmail: -snort: IDS246 - MISC - Large ICMP Packet: -snort: IIS- -snort: MISC-Attempted Sun RPC high port access: -snort: NETBIOS-SMB-C: -snort: NETBIOS-SMB-CD...: -snort: NMAP TCP ping!: -snort: RPC Info Query: -snort: SCAN-SYN FIN: -snort: spp_http_decode: IIS Unicode attack detected: -snort: spp_portscan: End of portscan -snort: spp_portscan: PORTSCAN DETECTED -snort: spp_portscan: portscan status from -snort: WEB-../..: -snort: WEB-CGI-upload.pl: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: .*FrontPage +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IDS015 - RPC - portmap-request-status: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IDS029 - SCAN-Possible Queso Fingerprint attempt: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IDS115 - MISC-Traceroute-UDP: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IDS212 - MISC - DNS Zone Transfer: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IDS226 - CVE-1999-0172 - CGI-formmail: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IDS246 - MISC - Large ICMP Packet: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: IIS- +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: MISC-Attempted Sun RPC high port access: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: NETBIOS-SMB-C: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: NETBIOS-SMB-CD...: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: NMAP TCP ping!: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: RPC Info Query: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: SCAN-SYN FIN: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: spp_http_decode: IIS Unicode attack detected: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: spp_portscan: End of portscan +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: spp_portscan: PORTSCAN DETECTED +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: spp_portscan: portscan status from +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: WEB-../..: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: WEB-CGI-upload.pl: ## postgres -postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .* -postgres\[[0-9]+\]: \[[0-9-]+\] LOG: connection received: host=\[local\]$ -postgres\[[0-9]+\]: \[[0-9-]+\] LOG: connection authorized: user=postgres database=template1 -postgres\[[0-9]+\]: \[[0-9-]+\] Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\. -postgres\[[0-9]+\]: \[[0-9-]+\] [0-9]*; Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\. +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] LOG: connection received: host=\[local\]$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] LOG: connection authorized: user=postgres database=template1 +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\. +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] [0-9]*; Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\. ## amavis -amavis\[[0-9]+\]: warning - MIME::Parser error: .* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: warning - MIME::Parser error: .* ## Misc entries on Gibraltar (using older logcheck and syslog...) --- MARK -- $ -/USR/SBIN/CRON\[[0-9]+\]: \(root\) CMD \(test -x /usr/sbin/logcheck && nice -n10 /usr/sbin/logcheck\) $ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ -- MARK -- $ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \(root\) CMD \(test -x /usr/sbin/logcheck && nice -n10 /usr/sbin/logcheck\) $ |