From 0035e6ec93147e6c5ab30495eef84c97e12381cd Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Thu, 24 Oct 2002 01:11:27 +0000
Subject: logcheck: Include server lines in workstation (and not violations).

---
 logcheck/ignore.d.workstation/local | 342 ++++++++++++++++++++++++++++++++++++
 logcheck/mklocalfiles | 2 +-
 logcheck/violations.ignore.d/local | 342 ------------------------------------
 3 files changed, 343 insertions(+), 343 deletions(-)

diff --git a/logcheck/ignore.d.workstation/local b/logcheck/ignore.d.workstation/local
index 82e8801..b8e24b0 100644
--- a/logcheck/ignore.d.workstation/local
+++ b/logcheck/ignore.d.workstation/local
@@ -1,3 +1,345 @@ +### ignore.d.server/amanda +amandad\[[0-9]+\]: connect from +### ignore.d.server/amavis +amavis\[[0-9]+\]: infected \([^[:space:]]+\), from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine virus-[0-9-]+ +amavis\[[0-9]+\]: local delivery: <[^[:space:]]+> -> <(spam|virus)-quarantine>, mbx=/var/lib/amavis/virusmails/(spam|virus)-[0-9-]+(\.gz)? +amavis\[[0-9]+\]: mail checking ended: (DISCARD|REJECT) +amavis\[[0-9]+\]: spam from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine spam-[^[:space:]]+ +amavis\[[0-9]+\]: spam_scan: Yes, hits=[\.0-9]+ tests=[^[:space:]]+ <[^[:space:]]+> +amavis\[[0-9]+\]: warning - MIME::Parser error: unexpected end of header +### ignore.d.server/anacron +anacron\[[0-9]+\]: Job `cron.(daily|weekly|monthly)' terminated( \(exit status: 1\))?( \(mailing output\))? +anacron\[[0-9]+\]: Normal exit +anacron\[[0-9]+\]: Anacron 2.3 started on [0-9-]+ +anacron\[[0-9]+\]: Will run job `cron.(daily|weekly|monthly)' in (5|10|15) min\. +anacron\[[0-9]+\]: Jobs will be executed sequentially +anacron\[[0-9]+\]: Job `cron.(daily|weekly|monthly)' started +anacron\[[0-9]+\]: Updated timestamp for job `cron.(daily|weekly|monthly)' to [0-9-]+ +### ignore.d.server/bind +named\[[0-9]+\]: .*: query\(.*\) NS points to CNAME \(.*\) +named\[[0-9]+\]: NSTATS [0-9]+ [0-9]+ +named\[[0-9]+\]: .* All possible .* lame +named\[[0-9]+\]: sysquery: query\(.*\) No possible A RRs +named\[[0-9]+\]: client .*: transfer of '.*': AXFR started +named\[[0-9]+\]: zone .*/IN: transfered serial [0-9]+ +named\[[0-9]+\]: transfer of '.*/IN' from .*: end of transfer +named\[[0-9]+\]: zone .*/IN: sending notifies \(serial [0-9]+\) +named\[[0-9]+\]: rcvd NOTIFY\(.*, IN, SOA\) from \[.*\]\.[0-9]+ +named\[[0-9]+\]: late CNAME in answer section for .* +### ignore.d.server/bind.tmp +named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out +named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied +### ignore.d.server/courier +courierpop3login: Connection, 
ip=\[::ffff:.*\] +courierpop3login: LOGIN, user=.*, ip=\[::ffff:.*\] +courierpop3login: LOGOUT, user=.*, ip=\[::ffff:.*\], top=.* retr=.* +courierpop3login: Disconnected, ip=\[::ffff:.*\] +courierpop3login: TIMEOUT, user=.*, ip=\[::ffff:.*\], top=0, retr=0 +pop3d-ssl: Connection, ip=\[::ffff:.*\] +pop3d-ssl: LOGIN, user=.*, ip=\[::ffff:.*\] +pop3d-ssl: LOGOUT, user=.*, ip=\[::ffff:.*\], top=.*, retr=.* +pop3d-ssl: TIMEOUT, user=.*, ip=\[::ffff:.*\],top=.*, retr=.* +imaplogin: Connection, ip=\[::ffff:.*\] +imaplogin: LOGIN, user=.*, ip=\[::ffff:.*\] +imaplogin: LOGOUT, user=.*, ip=\[::ffff:.*\], headers=.* body=.* +imaplogin: DISCONNECTED, user=.*, ip=\[::ffff:.*\].* +imapd-ssl: LOGOUT, user=.*, ip=\[::ffff:.*\], headers=.* body=.* +imapd-ssl: Connection, ip=\[::ffff:.*\] +imapd-ssl: LOGIN, user=.*, ip=\[::ffff:.*\] +imapd-ssl: DISCONNECTED, user=.*, ip=\[::ffff:.*\] +### ignore.d.server/dancer-ircd +ircd\[[0-9]+\]: ircd exiting: autodie +ircd\[[0-9]+\]: Server Ready +(ircd\[[0-9]+\]: )?binding stream socket [\.[:alnum:]]+\[\*\.666[789]\]: Address already in use +### ignore.d.server/dhcp +dhcpd-2.2.x: Abandoning IP address [\.0-9]+: pinged before offer +### ignore.d.server/dhcp-client +dhclient(-2.2.x)?: DHCP(REQUEST|DISCOVER) on .* to .* port 67( interval [0-9]+)? +dhclient(-2.2.x)?: DHCP(ACK|OFFER) from [\.0-9]+ +dhclient(-2.2.x)?: bound to .* -- renewal in [0-9]+ seconds\. +dhclient(-2.2.x)?: irda0: unknown hardware address type 783 +### ignore.d.server/dhcp3-common +dhcpd: DHCPACK to [\.0-9]+ +dhcpd: ICMP Echo reply while lease [\.0-9]+ valid. +dhcpd: Wrote [0-9]+ (leases|deleted host decls|new dynamic host decls) to leases file\. +dhcpd: accepting packet with data after udp payload. +dhcpd: ip length 576 disagrees with bytes received 590. +dhcpd: Abandoning IP address [\.0-9]+: pinged before offer +### ignore.d.server/gdm +gdm\[[0-9]+\]: run_pictures: .*/.gnome/gdm .*\. 
+### ignore.d.server/gdm.da_DK +gdm\[[0-9]+\]: Pingning af.* mislykkedes, deaktiver terminal! +gdm\[[0-9]+\]: gdm_slave_xioerror_handler: Fatal X-fejl - genstarter.* + +### ignore.d.server/hotplug +/etc/hotplug/net.agent: invoke if(up|down) ppp[0-9] +/etc/hotplug/net.agent: assuming ppp[0-9] is already up +### ignore.d.server/hylafax-server +Fax(Getty|Send)\[[0-9]+\]: STATE CHANGE:( ->| BASE| LOCKWAIT| LISTENING| RUNNING| ANSWERING| RECEIVING| MODEMWAIT)+ +Fax(Getty|Send)\[[0-9]+\]: MODEM (ROCKWELL|ZYXEL) .* +FaxGetty\[[0-9]+\]: RECV FAX \([0-9]+\): from .*, page .* in [0-9]+:[0-9]+, INF, .* line/mm, (1|2)-D MR(, [0-9]+ bit/s)? +FaxGetty\[[0-9]+\]: RECV FAX \([0-9]+\): recvq/fax[0-9]+\.tif from .*, route to .*, [0-9]+ pages in [0-9]+:[0-9]+ +FaxGetty\[[0-9]+\]: RECV FAX: bin/faxrcvd "recvq/fax[0-9]+\.tif" "ttyS[012]" "[0-9]+" "" +FaxGetty\[[0-9]+\]: ANSWER: Ring detected without successful handshake +FaxGetty\[[0-9]+\]: ANSWER: FAX CONNECTION +FaxQueuer\[[0-9]+\]: SUBMIT JOB [0-9]+ +FaxSend\[[0-9]+\]: SEND FAX: JOB [0-9]+ DEST [0-9]+ COMMID [0-9]+ +HylaFAX\[[0-9]+\]: Filesystem has SysV-style file creation semantics. +### ignore.d.server/imp +IMP\[[0-9]+\]: Login .* to .*:143 as .* +### ignore.d.server/libgpmg1 +[[:alnum:]]: /dev/gpmctl: No such file or directory +### ignore.d.server/libpam-modules +pam_limits\[[0-9]+\]: default limits skipped for 'root' +### ignore.d.server/mailutils-imap4d +gnu-imap4d\[[0-9]+\]: Incoming connection opened +gnu-imap4d\[[0-9]+\]: connect from [\.0-9]+ +gnu-imap4d\[[0-9]+\]: User '[[:alnum:]]+' logged in +gnu-imap4d\[[0-9]+\]: Session timed out for user: [[:alnum:]]+ +gnu-imap4d\[[0-9]+\]: got signal Alarm clock +### ignore.d.server/misc +# Figure out if these belong to dhcp or dhcp3-common (or dhclient?) 
+dhcpd.*: Reclaiming( REQUESTed) abandoned IP address [\.0-9]+ +dhcpd.*: already acking lease +dhcpd.*: send_packet: Connection refused +dhcpd.*: fallback_discard: Connection refused +# These show up when isdnutils is installed, but isn't strictly related to those packages +kernel: isdn_net: call from [,0-9]+ -> [0-9]+ +kernel: isdn_net: Service-Indicator not [0-9], ignored +# This one shows up with firewalls blocking SMB ports non-silently +kernel: Packet log: input DENY eth[0-9]+ PROTO=17 .*:(137|138) .*:(137|138) L=[0-9]+ S=0x00 I=[0-9]+ F=0x0000 T=[0-9]+ \(#[0-9]+\) +### ignore.d.server/murasaki +murasaki\.usb\[[0-9]+\]: found depended module="[[:alnum:]]+" +murasaki\.(usb|net)\[[0-9]+\]: try expanding "\[net\]" +murasaki\.(usb|net)\[[0-9]+\]: dependent\(net\) is found +murasaki\.(usb|net)\[[0-9]+\]: net device is (added|removed|(un)?register(e)?d) +murasaki\.(usb|net)\[[0-9]+\]: Execuing "net" "(stop|start)" +murasaki\.(usb|net)\[[0-9]+\]: execute if(up|down) (eth|(i)?ppp|irda)[0-9] +murasaki\.usb\[[0-9]+\]: (MATCH\(audio\) -> match_flags:[[:alnum:]]+ )?vendor:[[:alnum:]]+ product:[[:alnum:]]+ Dclass:[[:alnum:]]+ Dsubclass:[[:alnum:]]+ Dprotocol:[[:alnum:]]+ Iclass:[[:alnum:]]+ Isubclass:[[:alnum:]]+ Iprotocol:[[:alnum:]]+ +### ignore.d.server/netatalk.changes +afpd\[[0-9]+\]: CNID DB initialized using Sleepycat Software: Berkeley DB +afpd\[[0-9]+\]: removed [^[:space:]]+/net[\.0-9]+node[0-9]+ +afpd\[[0-9]\]: ((dhx|cleartext|randnum/rand2num) )?login: [[:alnum:]]+ +afpd\[[0-9]\]: (server_child\[[0-9]+\] [0-9]+ )?(done|exited 1) +afpd\[[0-9]\]: ASIP session:[0-9]+\([0-9]+\) from [\.:0-9]+\([0-9]+\) +afpd\[[0-9]\]: Connection terminated +afpd\[[0-9]\]: [\.[:alnum:]]+ read, [\.[:alnum:]]+ written +afpd\[[0-9]\]: [^[:space:]]+: Broken pipe +afpd\[[0-9]\]: [^[:space:]]+: Connection reset by peer +afpd\[[0-9]\]: [^[:space:]]+: Connection timed out +afpd\[[0-9]\]: [^[:space:]]+: No route to host +afpd\[[0-9]\]: [^[:space:]]+: No such file or directory +afpd\[[0-9]\]: 
[^[:space:]]+: Permission denied +afpd\[[0-9]\]: [^[:space:]]+: child timed out +afpd\[[0-9]\]: afp_openfork: ad_open: File Exists +afpd\[[0-9]\]: asp_alrm: [0-9]+ timed out +afpd\[[0-9]\]: login [[:alnum:]]+ \(uid [0-9]+, gid [0-9]+\) +afpd\[[0-9]\]: login noauth +afpd\[[0-9]\]: logout [[:alnum:]]+ +afpd\[[0-9]\]: registering [[:alnum:]]+ \(uid [0-9]+\) on [\.0-9]+ as /.+/net[\.0-9]+node[0-9]+ +afpd\[[0-9]\]: session from [\.:0-9]+ on [\.:0-9]+ +afpd\[[0-9]\]: uams_dhx_pam.c :PAM: PAM (Auth OK!|Success -- Success) +afpd\[[0-9]\]: using codepage directory: /etc/netatalk/nls/maccode\.[\.[:alnum:]-]+ +atalkd\[[0-9]+\]: [^[:space:]]+: zip gnireply from [\.0-9]+ \([^[:space:]]+\) +atalkd\[[0-9]+\]: [^[:space:]]+: zip ignoring gnireply +atalkd\[[0-9]\]: [^[:space:]]+: Network is unreachable +atalkd\[[0-9]\]: zip gnireply from [\.0-9]+ \([^[:space:]]+\) +atalkd\[[0-9]\]: zip ignoring gnireply +papd\[[0-9]\]: child [0-9]+ done +papd\[[0-9]\]: child [0-9]+ for "[^[:space:]]+" from [\.0-9]+ +### ignore.d.server/netsaint +netsaint: SERVICE (ALERT|NOTIFICATION|FLAPPING ALERT): .* +netsaint: Auto-save of retention data completed successfully\. 
+netsaint: HOST ALERT:.*;DOWN;SOFT;.*;CRITICAL - Plugin timed out after 10 seconds +netsaint: HOST ALERT:*;UP;SOFT;.*;PING OK - Packet loss = 0%, RTA =.*ms +netsaint: SERVICE ALERT:.*;HTTP;CRITICAL;HARD;.*;Connection refused or timed out +### ignore.d.server/non-debian +# These entries are for syslogd open for remote hosts +# (and advertised through DHCP) +# +# HP printers +printer: peripheral low-power state +printer: paper out +printer: error cleared +printer: powered up +printer: ready to print +### ignore.d.server/ntp-simple.changes +ntpd\[[0-9]+\]: kern_enable is 1 +ntpd\[[0-9]+\]: precision = [0-9]+ usec +ntpd\[[0-9]+\]: signal_no_reset: signal 13 had flags [0-9]+ +ntpd\[[0-9]+\]: using kernel phase-lock loop [0-9]+ +### ignore.d.server/pop-before-smtp +pop-before-smtp\[[0-9]+\]: (opening|closing) relay for [\.0-9]+( --- not in mynetworks)? +### ignore.d.server/postfix +postfix/[[:alnum:]]+\[[0-9]+\]: table has changed -- exiting +postfix/cleanup\[[0-9]+\]: warning: premature end-of-input from cleanup socket while reading input attribute name +postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied +postfix/master\[[0-9]+\]: reload configuration +postfix/postfix-script: refreshing the Postfix mail system +postfix/qmgr\[[0-9]+\]: [A-Z0-9]+: skipped, still being delivered +postfix/smtp\[[0-9]+\]: [A-Z0-9]+: enabling PIX \. 
workaround for [\.[:alnum:]-]+\[[\.0-9]+\] +postfix/smtp\[[0-9]+\]: [^[:space:]]+ status=deferred \(connect to [^[:space:]]+: (Connection refused|server refused mail service)\) +postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+: (Connection (refused|reset by peer|timed out)|read timeout|server (refused mail service|dropped connection)|No route to host) \(port 25\) +postfix/smtp\[[0-9]+\]: warning: bad size limit "truncates" in EHLO reply from [^[:space:]]+ +postfix/smtp\[[0-9]+\]: warning: host [\.[:alnum:]-]+\[[\.0-9]+\] (greeted me|replied to HELO/EHLO) with my own hostname [\.[:alnum:]-]+ +postfix/smtp\[[0-9]+\]: warning: mailer loop: best MX host for [^[:space:]]+ is local +postfix/smtp\[[0-9]+\]: warning: no MX host for [\.[:alnum:]-]+ has a valid A record +postfix/smtp\[[0-9]+\]: warning: numeric domain name in resource data of MX record for [^[:space:]]+: [\.0-9]+ +postfix/smtpd\[[0-9]+\]: (lost connection|timeout) after [^ ]+ from [\.[:alnum:]-]+\[[\.0-9]+\] +postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+ sent (message header|mail content) instead of SMTP command: +postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+: address not listed for hostname [^[:space:]]+ +postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+: hostname [\.[:alnum:]-]+ verification failed: Host (name has no address|not found) +### ignore.d.server/postgresql +postgres\[[0-9]+\]: \[[0-9-]+\] \^ICPU .* sec elapsed .* sec\. +postgres\[[0-9]+\]: \[[0-9-]+\] \^ITotal CPU .* sec elapsed .* sec\. +### ignore.d.server/ppp +chat\[[0-9]+\]: abort on \(.*\) +chat\[[0-9]+\]: expect \(.*\) +chat\[[0-9]+\]: send \(AT.*\^M\) +chat\[[0-9]+\]: -- got it +chat\[[0-9]+\]: AT.*\^M\^M +chat\[[0-9]+\]: \^M +chat\[[0-9]+\]: CONNECT +chat\[[0-9]+\]: OK +chat\[[0-9]+\]: send \(\\d\) +### ignore.d.server/proftpd +proftpd\[[0-9]+\]: .* \(.*\[[\.0-9]+\]\) - FTP session opened\. +proftpd\[[0-9]+\]: .* \(.*\[[\.0-9]+\]\) - USER (anonymous|ftp)(@[\.[:alnum:]]+)? \(Login failed\): Can't find user\. 
+proftpd\[[0-9]+\]: .* \(.*\[[\.0-9]+\]\) - USER (anonymous|ftp)(@[\.[:alnum:]]+)?: no such user found from .*\[[\.0-9]+\] to [\.0-9]+ +proftpd\[[0-9]+\]: .* \(.*\[[\.0-9]+\]\) - no such user '(anonymous|ftp)(@[\.[:alnum:]]+)?' +proftpd\[[0-9]+\]: connect from [\.0-9]+ +proftpd\[[0-9]+\]: No certificate files found! +proftpd\[[0-9]+\]:.* (.*\[.*\]) - Refused PORT.* (address mismatch)\. +### ignore.d.server/samba +smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for 4\. Error = (No route to host|Connection reset by peer) +smbd\[[0-9]+\]: \[[/0-9]+ [:0-9]+, [0-9]+\] lib/util_sock.c:read(_socket)?_data\([0-9]+\) +### ignore.d.server/spamassassin +spamd\[[0-9]+\]: Creating default_prefs +spamd\[[0-9]+\]: connection from .* at port +spamd\[[0-9]+\]: clean message for +spamd\[[0-9]+\]: identified spam for +spamd\[[0-9]+\]: skipped large message in +### ignore.d.server/squid +squid\[[0-9]+\]: Finished. Wrote [0-9]+ entries\. +squid\[[0-9]+\]: Took [\.0-9]+ seconds \(.* entries/sec\)\. +squid\[[0-9]+\]: (access|store)LogRotate: Rotating(\.)? +squid\[[0-9]+\]: logfileRotate: /var/log/squid/(access|store).log +squid\[[0-9]+\]: (Closing Pinger socket|Pinger socket opened) on FD [0-9]+ +squid\[[0-9]+\]: NETDB state saved; +squid\[[0-9]+\]: storeDirWriteCleanLogs: Starting\.\.\. +squid\[[0-9]+\]: helperOpenServers: Starting [0-9]+ '.*' processes +### ignore.d.server/ssh +sshd\[[0-9]+\]: syslogin_perform_logout: logout\(\) returned an error +sshd\[[0-9]+\]: Could not reverse map address .*\. +sshd\[[0-9]+\]: Connection closed by .* +sshd\[[0-9]+\]: Did not receive ident(ification)? string from [\.0-9]+ +sshd\[[0-9]+\]: scanned from [\.0-9]+ with SSH-1\.0-SSH_Version_Mapper\. Don't panic\. +sshd\[[0-9]+\]: Disconnecting: Your ssh version is too old and is no longer supported\. Please install a newer version\. 
+sshd\[[0-9]+\]: Accepted (keyboard-interactive|publickey) for [[:alnum:]]+ from [\.0-9]+ port [0-9]+ ssh2 +sshd\[[0-9]+\]: warning: /etc/hosts.deny, line 15: can't verify hostname: gethostbyname(.*) failed +sshd\[[0-9]+\]: refused connect from .* +sshd\[[0-9]+\]: Received disconnect from [\.0-9]+: 11: Disconnect requested by Windows SSH Client. +sshd\[[0-9]+\]: subsystem request for sftp +### ignore.d.server/ssmtp +sSMTP mail\[[0-9]+\]: .* sent mail for root +### ignore.d.server/tftpd +in.tftpd\[[0-9]+\]: RRQ from.*filename.* +in.tftpd\[[0-9]+\]: tftp: client does not accept options +### ignore.d.server/tmp +## imp +IMP\[[0-9]+\]: FAILED .* to .*:143 as .* +## libpam-modules +PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service +# old-style pam entries (no longer provided by logcheck but needed on woody +PAM_.*: .* session (opened|closed) for user .* +## netatalk +afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM (Auth OK!|Success -- .*|User entered a null value -- .*) +afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument) +afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM: User entered a null value -- No such file or directory +afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied +afpd\[[0-9]+\]: bad function 7A +atalkd\[[0-9]+\]: as_timer sendto: Netvaerket er ikke tilgaengeligt +## hylafax-server +FaxGetty\[[0-9]+\]: ANSWER: Can not lock modem device +gnome-name-server\[[0-9]+\]: server_is_alive: .* +## uw-imap +i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\] +## ppp +ipppd\[[0-9]+\]: Connect\[0\]: /dev/ippp[0-9], fd: 12 +## misc +kernel: Disorder[0-9] [0-9] [0-9] f[0-9] s[0-9] rr[0-9] +kernel: IP_MASQ:reverse ICMP: failed checksum from .*! 
+kernel: OPEN: [\.0-9]* -> [\.0-9]* UDP, port: [0-9]* -> [0-9]* +kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\) +kernel: lp[0-9]: compatibility mode +kernel: Undo( partial)? (Hoe|loss|retrans) +printer: offline or intervention needed +## ntp-simple +ntpd\[[0-9]+\]: synchronisation lost +ntpd\[[0-9]+\]: synchronisation lost +ntpd\[[0-9]+\]: time reset [\.0-9-]* . +ntpd\[[0-9]+\]: time reset [\.0-9-]+ s +## portsentry +portsentry\[[0-9]+\]: attackalert: .* +## pump +pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument +## samba +smbd\[[0-9]+\]: read_socket_data: recv failure for 4. Error = No route to host +smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! +smbd\[[0-9]+\]: \[[/[0-9]]+ [:[0-9]]+, 0\] smbd/service.c:find_service\([0-9]+\) +smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\. +smbd\[[0-9]+\]: \[.*\] smbd/connection.c:yield_connection\([0-9]+\) +smbd\[[0-9]+\]: \[.*\] passdb/pampass.c:smb_pam_passcheck\([0-9]+\) +sshd\[[0-9]+\]: Failed password for .* +sshd\[[0-9]+\]: packet_set_maxsize: setting to 4096 +## dhcp +dhcpd-2.2.x: BOOTREQUEST from (00:20:6b:18:20:35|08:00:86:11:2b:71) +dhcpd-2.2.x: No applicable record for BOOTP host (00:20:6b:18:20:35|08:00:86:11:2b:71) +## postfix +postfix.*\[[0-9]+\]: .* from= +postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [\.[:alnum:]-]+\[[\.0-9]+\] in MAIL command: + +rpc.mountd: authenticated mount request from .* for .* +## snort +snort: .*FrontPage +snort: IDS015 - RPC - portmap-request-status: +snort: IDS029 - SCAN-Possible Queso Fingerprint attempt: +snort: IDS115 - MISC-Traceroute-UDP: +snort: IDS212 - MISC - DNS Zone Transfer: +snort: IDS226 - CVE-1999-0172 - CGI-formmail: +snort: IDS246 - MISC - Large ICMP Packet: +snort: IIS- +snort: MISC-Attempted Sun RPC high port access: +snort: NETBIOS-SMB-C: +snort: NETBIOS-SMB-CD...: +snort: NMAP TCP 
ping!: +snort: RPC Info Query: +snort: SCAN-SYN FIN: +snort: spp_http_decode: IIS Unicode attack detected: +snort: spp_portscan: End of portscan +snort: spp_portscan: PORTSCAN DETECTED +snort: spp_portscan: portscan status from +snort: WEB-../..: +snort: WEB-CGI-upload.pl: +## postgres +postgres\[[0-9]+\]: \[.*\] DEBUG: +postgres\[[0-9]+\]: \[[0-9-]*\] Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\. +postgres\[[0-9]+\]: \[[0-9-]*\] [0-9]*; Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\. +### ignore.d.server/ucd-snmp +ucd-snmp\[[0-9]+\]: Connection from .* +### ignore.d.server/uw-imap.changes +imapd\[[0-9]+\]: (port 143|imap|imaps SSL) service init from +imapd\[[0-9]+\]: No route to host, while reading line user=.* host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN) +i(map|pop3)d\[[0-9]+\]: Killed \(lost mailbox lock\) user=.* host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN) +i(map|pop3)d\[[0-9]+\]: (Login|Auth|Authenticated|Logout|Autologout) user=.* host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN) +i(map|pop3)d\[[0-9]+\]: Moved [0-9]+ bytes of new mail to .* from .* host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN) +i(map|pop(2|3))d\[[0-9]+\]: (Broken pipe|Command stream end of file|Connection (reset by peer|timed out))(,)? while (reading (authentication|line|literal|char)|writing text) (user=.* )?host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN) +ipop[2|3]d\[[0-9]+\]: (connect|pop3(s SSL)? service init) from [\.0-9]+ +ipop3d\[[0-9]+\]: Trying to get mailbox lock from process [0-9]+ +ipop3d\[[0-9]+\]: Error opening or locking INBOX user=.* host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN) +ipop3d\[[0-9]+\]: Expunge ignored on readonly mailbox +ipop3d\[[0-9]+\]: Mailbox is open by another process, access is readonly +ipop3d\[[0-9]+\]: Moved .* bytes of new mail to .* from .* host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN) ### ignore.d.workstation/bind named\[[0-9]+\]: ns_forw: sendto.*: Network is unreachable ### ignore.d.workstation/devfsd 
diff --git a/logcheck/mklocalfiles b/logcheck/mklocalfiles
index 06aa7fb..3ba8a8a 100755
--- a/logcheck/mklocalfiles
+++ b/logcheck/mklocalfiles
@@ -7,7 +7,7 @@ for dir in ignore.d.server ignore.d.workstation violations.ignore.d; do
 echo regenerating $dir
 rm -f $dir/local
 # Include server lines in workstation as well
- if [ "$dir" == "violations.ignore.d" ]; then
+ if [ "$dir" == "ignore.d.workstation" ]; then
 for file in ignore.d.server/*; do
 if [ -f $file -a `basename $file` != "local" ]; then
 echo "### $file" >> $dir/local
diff --git a/logcheck/violations.ignore.d/local b/logcheck/violations.ignore.d/local
index d4d221f..61cce7a 100644
--- a/logcheck/violations.ignore.d/local
+++ b/logcheck/violations.ignore.d/local
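Review bot: The `for file in ignore.d.server/*` loop still copies every server file except `local` into the workstation `local` file, so after the retargeted `if [ "$dir" == "ignore.d.workstation" ]` the workstation profile also inherits the scratch `### ignore.d.server/tmp` block shown in the first hunk, which contains `sshd\[[0-9]+\]: Failed password for .*`, the `PAM_unix` authentication-failure line, `portsentry\[[0-9]+\]: attackalert: .*` and the `snort:` alert patterns — patterns that suppress exactly the authentication and IDS events a workstation report should surface. Whether an ignore.d.* match also hides a line from the violations pass depends on logcheck's evaluation order, which this hunk does not show, so that should be confirmed before relying on the move. Consider excluding the scratch file the same way `local` is excluded, e.g. `if [ -f "$file" -a "$(basename "$file")" != "local" -a "$(basename "$file")" != "tmp" ]; then`, or keeping such patterns out of the auto-included set until they are reviewed per host class. The `$file` and `$dir` expansions in the test and the redirect are unquoted; harmless for these fixed directory names, but worth quoting if the list ever comes from elsewhere. The enclosing `for dir` loop begins and ends outside the hunk.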
@@ -1,345 +1,3 @@ -### ignore.d.server/amanda -amandad\[[0-9]+\]: connect from -### ignore.d.server/amavis -amavis\[[0-9]+\]: infected \([^[:space:]]+\), from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine virus-[0-9-]+ -amavis\[[0-9]+\]: local delivery: <[^[:space:]]+> -> <(spam|virus)-quarantine>, mbx=/var/lib/amavis/virusmails/(spam|virus)-[0-9-]+(\.gz)? -amavis\[[0-9]+\]: mail checking ended: (DISCARD|REJECT) -amavis\[[0-9]+\]: spam from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine spam-[^[:space:]]+ -amavis\[[0-9]+\]: spam_scan: Yes, hits=[\.0-9]+ tests=[^[:space:]]+ <[^[:space:]]+> -amavis\[[0-9]+\]: warning - MIME::Parser error: unexpected end of header -### ignore.d.server/anacron -anacron\[[0-9]+\]: Job `cron.(daily|weekly|monthly)' terminated( \(exit status: 1\))?( \(mailing output\))? -anacron\[[0-9]+\]: Normal exit -anacron\[[0-9]+\]: Anacron 2.3 started on [0-9-]+ -anacron\[[0-9]+\]: Will run job `cron.(daily|weekly|monthly)' in (5|10|15) min\. -anacron\[[0-9]+\]: Jobs will be executed sequentially -anacron\[[0-9]+\]: Job `cron.(daily|weekly|monthly)' started -anacron\[[0-9]+\]: Updated timestamp for job `cron.(daily|weekly|monthly)' to [0-9-]+ -### ignore.d.server/bind -named\[[0-9]+\]: .*: query\(.*\) NS points to CNAME \(.*\) -named\[[0-9]+\]: NSTATS [0-9]+ [0-9]+ -named\[[0-9]+\]: .* All possible .* lame -named\[[0-9]+\]: sysquery: query\(.*\) No possible A RRs -named\[[0-9]+\]: client .*: transfer of '.*': AXFR started -named\[[0-9]+\]: zone .*/IN: transfered serial [0-9]+ -named\[[0-9]+\]: transfer of '.*/IN' from .*: end of transfer -named\[[0-9]+\]: zone .*/IN: sending notifies \(serial [0-9]+\) -named\[[0-9]+\]: rcvd NOTIFY\(.*, IN, SOA\) from \[.*\]\.[0-9]+ -named\[[0-9]+\]: late CNAME in answer section for .* -### ignore.d.server/bind.tmp -named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out -named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied -### ignore.d.server/courier -courierpop3login: Connection, 
ip=\[::ffff:.*\] -courierpop3login: LOGIN, user=.*, ip=\[::ffff:.*\] -courierpop3login: LOGOUT, user=.*, ip=\[::ffff:.*\], top=.* retr=.* -courierpop3login: Disconnected, ip=\[::ffff:.*\] -courierpop3login: TIMEOUT, user=.*, ip=\[::ffff:.*\], top=0, retr=0 -pop3d-ssl: Connection, ip=\[::ffff:.*\] -pop3d-ssl: LOGIN, user=.*, ip=\[::ffff:.*\] -pop3d-ssl: LOGOUT, user=.*, ip=\[::ffff:.*\], top=.*, retr=.* -pop3d-ssl: TIMEOUT, user=.*, ip=\[::ffff:.*\],top=.*, retr=.* -imaplogin: Connection, ip=\[::ffff:.*\] -imaplogin: LOGIN, user=.*, ip=\[::ffff:.*\] -imaplogin: LOGOUT, user=.*, ip=\[::ffff:.*\], headers=.* body=.* -imaplogin: DISCONNECTED, user=.*, ip=\[::ffff:.*\].* -imapd-ssl: LOGOUT, user=.*, ip=\[::ffff:.*\], headers=.* body=.* -imapd-ssl: Connection, ip=\[::ffff:.*\] -imapd-ssl: LOGIN, user=.*, ip=\[::ffff:.*\] -imapd-ssl: DISCONNECTED, user=.*, ip=\[::ffff:.*\] -### ignore.d.server/dancer-ircd -ircd\[[0-9]+\]: ircd exiting: autodie -ircd\[[0-9]+\]: Server Ready -(ircd\[[0-9]+\]: )?binding stream socket [\.[:alnum:]]+\[\*\.666[789]\]: Address already in use -### ignore.d.server/dhcp -dhcpd-2.2.x: Abandoning IP address [\.0-9]+: pinged before offer -### ignore.d.server/dhcp-client -dhclient(-2.2.x)?: DHCP(REQUEST|DISCOVER) on .* to .* port 67( interval [0-9]+)? -dhclient(-2.2.x)?: DHCP(ACK|OFFER) from [\.0-9]+ -dhclient(-2.2.x)?: bound to .* -- renewal in [0-9]+ seconds\. -dhclient(-2.2.x)?: irda0: unknown hardware address type 783 -### ignore.d.server/dhcp3-common -dhcpd: DHCPACK to [\.0-9]+ -dhcpd: ICMP Echo reply while lease [\.0-9]+ valid. -dhcpd: Wrote [0-9]+ (leases|deleted host decls|new dynamic host decls) to leases file\. -dhcpd: accepting packet with data after udp payload. -dhcpd: ip length 576 disagrees with bytes received 590. -dhcpd: Abandoning IP address [\.0-9]+: pinged before offer -### ignore.d.server/gdm -gdm\[[0-9]+\]: run_pictures: .*/.gnome/gdm .*\. 
-### ignore.d.server/gdm.da_DK -gdm\[[0-9]+\]: Pingning af.* mislykkedes, deaktiver terminal! -gdm\[[0-9]+\]: gdm_slave_xioerror_handler: Fatal X-fejl - genstarter.* - -### ignore.d.server/hotplug -/etc/hotplug/net.agent: invoke if(up|down) ppp[0-9] -/etc/hotplug/net.agent: assuming ppp[0-9] is already up -### ignore.d.server/hylafax-server -Fax(Getty|Send)\[[0-9]+\]: STATE CHANGE:( ->| BASE| LOCKWAIT| LISTENING| RUNNING| ANSWERING| RECEIVING| MODEMWAIT)+ -Fax(Getty|Send)\[[0-9]+\]: MODEM (ROCKWELL|ZYXEL) .* -FaxGetty\[[0-9]+\]: RECV FAX \([0-9]+\): from .*, page .* in [0-9]+:[0-9]+, INF, .* line/mm, (1|2)-D MR(, [0-9]+ bit/s)? -FaxGetty\[[0-9]+\]: RECV FAX \([0-9]+\): recvq/fax[0-9]+\.tif from .*, route to .*, [0-9]+ pages in [0-9]+:[0-9]+ -FaxGetty\[[0-9]+\]: RECV FAX: bin/faxrcvd "recvq/fax[0-9]+\.tif" "ttyS[012]" "[0-9]+" "" -FaxGetty\[[0-9]+\]: ANSWER: Ring detected without successful handshake -FaxGetty\[[0-9]+\]: ANSWER: FAX CONNECTION -FaxQueuer\[[0-9]+\]: SUBMIT JOB [0-9]+ -FaxSend\[[0-9]+\]: SEND FAX: JOB [0-9]+ DEST [0-9]+ COMMID [0-9]+ -HylaFAX\[[0-9]+\]: Filesystem has SysV-style file creation semantics. -### ignore.d.server/imp -IMP\[[0-9]+\]: Login .* to .*:143 as .* -### ignore.d.server/libgpmg1 -[[:alnum:]]: /dev/gpmctl: No such file or directory -### ignore.d.server/libpam-modules -pam_limits\[[0-9]+\]: default limits skipped for 'root' -### ignore.d.server/mailutils-imap4d -gnu-imap4d\[[0-9]+\]: Incoming connection opened -gnu-imap4d\[[0-9]+\]: connect from [\.0-9]+ -gnu-imap4d\[[0-9]+\]: User '[[:alnum:]]+' logged in -gnu-imap4d\[[0-9]+\]: Session timed out for user: [[:alnum:]]+ -gnu-imap4d\[[0-9]+\]: got signal Alarm clock -### ignore.d.server/misc -# Figure out if these belong to dhcp or dhcp3-common (or dhclient?) 
-dhcpd.*: Reclaiming( REQUESTed) abandoned IP address [\.0-9]+ -dhcpd.*: already acking lease -dhcpd.*: send_packet: Connection refused -dhcpd.*: fallback_discard: Connection refused -# These show up when isdnutils is installed, but isn't strictly related to those packages -kernel: isdn_net: call from [,0-9]+ -> [0-9]+ -kernel: isdn_net: Service-Indicator not [0-9], ignored -# This one shows up with firewalls blocking SMB ports non-silently -kernel: Packet log: input DENY eth[0-9]+ PROTO=17 .*:(137|138) .*:(137|138) L=[0-9]+ S=0x00 I=[0-9]+ F=0x0000 T=[0-9]+ \(#[0-9]+\) -### ignore.d.server/murasaki -murasaki\.usb\[[0-9]+\]: found depended module="[[:alnum:]]+" -murasaki\.(usb|net)\[[0-9]+\]: try expanding "\[net\]" -murasaki\.(usb|net)\[[0-9]+\]: dependent\(net\) is found -murasaki\.(usb|net)\[[0-9]+\]: net device is (added|removed|(un)?register(e)?d) -murasaki\.(usb|net)\[[0-9]+\]: Execuing "net" "(stop|start)" -murasaki\.(usb|net)\[[0-9]+\]: execute if(up|down) (eth|(i)?ppp|irda)[0-9] -murasaki\.usb\[[0-9]+\]: (MATCH\(audio\) -> match_flags:[[:alnum:]]+ )?vendor:[[:alnum:]]+ product:[[:alnum:]]+ Dclass:[[:alnum:]]+ Dsubclass:[[:alnum:]]+ Dprotocol:[[:alnum:]]+ Iclass:[[:alnum:]]+ Isubclass:[[:alnum:]]+ Iprotocol:[[:alnum:]]+ -### ignore.d.server/netatalk.changes -afpd\[[0-9]+\]: CNID DB initialized using Sleepycat Software: Berkeley DB -afpd\[[0-9]+\]: removed [^[:space:]]+/net[\.0-9]+node[0-9]+ -afpd\[[0-9]\]: ((dhx|cleartext|randnum/rand2num) )?login: [[:alnum:]]+ -afpd\[[0-9]\]: (server_child\[[0-9]+\] [0-9]+ )?(done|exited 1) -afpd\[[0-9]\]: ASIP session:[0-9]+\([0-9]+\) from [\.:0-9]+\([0-9]+\) -afpd\[[0-9]\]: Connection terminated -afpd\[[0-9]\]: [\.[:alnum:]]+ read, [\.[:alnum:]]+ written -afpd\[[0-9]\]: [^[:space:]]+: Broken pipe -afpd\[[0-9]\]: [^[:space:]]+: Connection reset by peer -afpd\[[0-9]\]: [^[:space:]]+: Connection timed out -afpd\[[0-9]\]: [^[:space:]]+: No route to host -afpd\[[0-9]\]: [^[:space:]]+: No such file or directory -afpd\[[0-9]\]: 
[^[:space:]]+: Permission denied -afpd\[[0-9]\]: [^[:space:]]+: child timed out -afpd\[[0-9]\]: afp_openfork: ad_open: File Exists -afpd\[[0-9]\]: asp_alrm: [0-9]+ timed out -afpd\[[0-9]\]: login [[:alnum:]]+ \(uid [0-9]+, gid [0-9]+\) -afpd\[[0-9]\]: login noauth -afpd\[[0-9]\]: logout [[:alnum:]]+ -afpd\[[0-9]\]: registering [[:alnum:]]+ \(uid [0-9]+\) on [\.0-9]+ as /.+/net[\.0-9]+node[0-9]+ -afpd\[[0-9]\]: session from [\.:0-9]+ on [\.:0-9]+ -afpd\[[0-9]\]: uams_dhx_pam.c :PAM: PAM (Auth OK!|Success -- Success) -afpd\[[0-9]\]: using codepage directory: /etc/netatalk/nls/maccode\.[\.[:alnum:]-]+ -atalkd\[[0-9]+\]: [^[:space:]]+: zip gnireply from [\.0-9]+ \([^[:space:]]+\) -atalkd\[[0-9]+\]: [^[:space:]]+: zip ignoring gnireply -atalkd\[[0-9]\]: [^[:space:]]+: Network is unreachable -atalkd\[[0-9]\]: zip gnireply from [\.0-9]+ \([^[:space:]]+\) -atalkd\[[0-9]\]: zip ignoring gnireply -papd\[[0-9]\]: child [0-9]+ done -papd\[[0-9]\]: child [0-9]+ for "[^[:space:]]+" from [\.0-9]+ -### ignore.d.server/netsaint -netsaint: SERVICE (ALERT|NOTIFICATION|FLAPPING ALERT): .* -netsaint: Auto-save of retention data completed successfully\. 
-netsaint: HOST ALERT:.*;DOWN;SOFT;.*;CRITICAL - Plugin timed out after 10 seconds
-netsaint: HOST ALERT:*;UP;SOFT;.*;PING OK - Packet loss = 0%, RTA =.*ms
-netsaint: SERVICE ALERT:.*;HTTP;CRITICAL;HARD;.*;Connection refused or timed out
-### ignore.d.server/non-debian
-# These entries are for syslogd open for remote hosts
-# (and advertised through DHCP)
-#
-# HP printers
-printer: peripheral low-power state
-printer: paper out
-printer: error cleared
-printer: powered up
-printer: ready to print
-### ignore.d.server/ntp-simple.changes
-ntpd\[[0-9]+\]: kern_enable is 1
-ntpd\[[0-9]+\]: precision = [0-9]+ usec
-ntpd\[[0-9]+\]: signal_no_reset: signal 13 had flags [0-9]+
-ntpd\[[0-9]+\]: using kernel phase-lock loop [0-9]+
-### ignore.d.server/pop-before-smtp
-pop-before-smtp\[[0-9]+\]: (opening|closing) relay for [\.0-9]+( --- not in mynetworks)?
-### ignore.d.server/postfix
-postfix/[[:alnum:]]+\[[0-9]+\]: table has changed -- exiting
-postfix/cleanup\[[0-9]+\]: warning: premature end-of-input from cleanup socket while reading input attribute name
-postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied
-postfix/master\[[0-9]+\]: reload configuration
-postfix/postfix-script: refreshing the Postfix mail system
-postfix/qmgr\[[0-9]+\]: [A-Z0-9]+: skipped, still being delivered
-postfix/smtp\[[0-9]+\]: [A-Z0-9]+: enabling PIX \. workaround for [\.[:alnum:]-]+\[[\.0-9]+\]
-postfix/smtp\[[0-9]+\]: [^[:space:]]+ status=deferred \(connect to [^[:space:]]+: (Connection refused|server refused mail service)\)
-postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+: (Connection (refused|reset by peer|timed out)|read timeout|server (refused mail service|dropped connection)|No route to host) \(port 25\)
-postfix/smtp\[[0-9]+\]: warning: bad size limit "truncates" in EHLO reply from [^[:space:]]+
-postfix/smtp\[[0-9]+\]: warning: host [\.[:alnum:]-]+\[[\.0-9]+\] (greeted me|replied to HELO/EHLO) with my own hostname [\.[:alnum:]-]+
-postfix/smtp\[[0-9]+\]: warning: mailer loop: best MX host for [^[:space:]]+ is local
-postfix/smtp\[[0-9]+\]: warning: no MX host for [\.[:alnum:]-]+ has a valid A record
-postfix/smtp\[[0-9]+\]: warning: numeric domain name in resource data of MX record for [^[:space:]]+: [\.0-9]+
-postfix/smtpd\[[0-9]+\]: (lost connection|timeout) after [^ ]+ from [\.[:alnum:]-]+\[[\.0-9]+\]
-postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+ sent (message header|mail content) instead of SMTP command:
-postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+: address not listed for hostname [^[:space:]]+
-postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+: hostname [\.[:alnum:]-]+ verification failed: Host (name has no address|not found)
-### ignore.d.server/postgresql
-postgres\[[0-9]+\]: \[[0-9-]+\] \^ICPU .* sec elapsed .* sec\.
-postgres\[[0-9]+\]: \[[0-9-]+\] \^ITotal CPU .* sec elapsed .* sec\.
-### ignore.d.server/ppp
-chat\[[0-9]+\]: abort on \(.*\)
-chat\[[0-9]+\]: expect \(.*\)
-chat\[[0-9]+\]: send \(AT.*\^M\)
-chat\[[0-9]+\]: -- got it
-chat\[[0-9]+\]: AT.*\^M\^M
-chat\[[0-9]+\]: \^M
-chat\[[0-9]+\]: CONNECT
-chat\[[0-9]+\]: OK
-chat\[[0-9]+\]: send \(\\d\)
-### ignore.d.server/proftpd
-proftpd\[[0-9]+\]: .* \(.*\[[\.0-9]+\]\) - FTP session opened\.
-proftpd\[[0-9]+\]: .* \(.*\[[\.0-9]+\]\) - USER (anonymous|ftp)(@[\.[:alnum:]]+)? \(Login failed\): Can't find user\.
-proftpd\[[0-9]+\]: .* \(.*\[[\.0-9]+\]\) - USER (anonymous|ftp)(@[\.[:alnum:]]+)?: no such user found from .*\[[\.0-9]+\] to [\.0-9]+
-proftpd\[[0-9]+\]: .* \(.*\[[\.0-9]+\]\) - no such user '(anonymous|ftp)(@[\.[:alnum:]]+)?'
-proftpd\[[0-9]+\]: connect from [\.0-9]+
-proftpd\[[0-9]+\]: No certificate files found!
-proftpd\[[0-9]+\]:.* (.*\[.*\]) - Refused PORT.* (address mismatch)\.
-### ignore.d.server/samba
-smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for 4\. Error = (No route to host|Connection reset by peer)
-smbd\[[0-9]+\]: \[[/0-9]+ [:0-9]+, [0-9]+\] lib/util_sock.c:read(_socket)?_data\([0-9]+\)
-### ignore.d.server/spamassassin
-spamd\[[0-9]+\]: Creating default_prefs
-spamd\[[0-9]+\]: connection from .* at port
-spamd\[[0-9]+\]: clean message for
-spamd\[[0-9]+\]: identified spam for
-spamd\[[0-9]+\]: skipped large message in
-### ignore.d.server/squid
-squid\[[0-9]+\]: Finished. Wrote [0-9]+ entries\.
-squid\[[0-9]+\]: Took [\.0-9]+ seconds \(.* entries/sec\)\.
-squid\[[0-9]+\]: (access|store)LogRotate: Rotating(\.)?
-squid\[[0-9]+\]: logfileRotate: /var/log/squid/(access|store).log
-squid\[[0-9]+\]: (Closing Pinger socket|Pinger socket opened) on FD [0-9]+
-squid\[[0-9]+\]: NETDB state saved;
-squid\[[0-9]+\]: storeDirWriteCleanLogs: Starting\.\.\.
-squid\[[0-9]+\]: helperOpenServers: Starting [0-9]+ '.*' processes
-### ignore.d.server/ssh
-sshd\[[0-9]+\]: syslogin_perform_logout: logout\(\) returned an error
-sshd\[[0-9]+\]: Could not reverse map address .*\.
-sshd\[[0-9]+\]: Connection closed by .*
-sshd\[[0-9]+\]: Did not receive ident(ification)? string from [\.0-9]+
-sshd\[[0-9]+\]: scanned from [\.0-9]+ with SSH-1\.0-SSH_Version_Mapper\. Don't panic\.
-sshd\[[0-9]+\]: Disconnecting: Your ssh version is too old and is no longer supported\. Please install a newer version\.
-sshd\[[0-9]+\]: Accepted (keyboard-interactive|publickey) for [[:alnum:]]+ from [\.0-9]+ port [0-9]+ ssh2
-sshd\[[0-9]+\]: warning: /etc/hosts.deny, line 15: can't verify hostname: gethostbyname(.*) failed
-sshd\[[0-9]+\]: refused connect from .*
-sshd\[[0-9]+\]: Received disconnect from [\.0-9]+: 11: Disconnect requested by Windows SSH Client.
-sshd\[[0-9]+\]: subsystem request for sftp
-### ignore.d.server/ssmtp
-sSMTP mail\[[0-9]+\]: .* sent mail for root
-### ignore.d.server/tftpd
-in.tftpd\[[0-9]+\]: RRQ from.*filename.*
-in.tftpd\[[0-9]+\]: tftp: client does not accept options
-### ignore.d.server/tmp
-## imp
-IMP\[[0-9]+\]: FAILED .* to .*:143 as .*
-## libpam-modules
-PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
-# old-style pam entries (no longer provided by logcheck but needed on woody
-PAM_.*: .* session (opened|closed) for user .*
-## netatalk
-afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM (Auth OK!|Success -- .*|User entered a null value -- .*)
-afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument)
-afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM: User entered a null value -- No such file or directory
-afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied
-afpd\[[0-9]+\]: bad function 7A
-atalkd\[[0-9]+\]: as_timer sendto: Netvaerket er ikke tilgaengeligt
-## hylafax-server
-FaxGetty\[[0-9]+\]: ANSWER: Can not lock modem device
-gnome-name-server\[[0-9]+\]: server_is_alive: .*
-## uw-imap
-i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\]
-## ppp
-ipppd\[[0-9]+\]: Connect\[0\]: /dev/ippp[0-9], fd: 12
-## misc
-kernel: Disorder[0-9] [0-9] [0-9] f[0-9] s[0-9] rr[0-9]
-kernel: IP_MASQ:reverse ICMP: failed checksum from .*!
-kernel: OPEN: [\.0-9]* -> [\.0-9]* UDP, port: [0-9]* -> [0-9]*
-kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\)
-kernel: lp[0-9]: compatibility mode
-kernel: Undo( partial)? (Hoe|loss|retrans)
-printer: offline or intervention needed
-## ntp-simple
-ntpd\[[0-9]+\]: synchronisation lost
-ntpd\[[0-9]+\]: synchronisation lost
-ntpd\[[0-9]+\]: time reset [\.0-9-]* .
-ntpd\[[0-9]+\]: time reset [\.0-9-]+ s
-## portsentry
-portsentry\[[0-9]+\]: attackalert: .*
-## pump
-pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
-## samba
-smbd\[[0-9]+\]: read_socket_data: recv failure for 4. Error = No route to host
-smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !
-smbd\[[0-9]+\]: \[[/[0-9]]+ [:[0-9]]+, 0\] smbd/service.c:find_service\([0-9]+\)
-smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\.
-smbd\[[0-9]+\]: \[.*\] smbd/connection.c:yield_connection\([0-9]+\)
-smbd\[[0-9]+\]: \[.*\] passdb/pampass.c:smb_pam_passcheck\([0-9]+\)
-sshd\[[0-9]+\]: Failed password for .*
-sshd\[[0-9]+\]: packet_set_maxsize: setting to 4096
-## dhcp
-dhcpd-2.2.x: BOOTREQUEST from (00:20:6b:18:20:35|08:00:86:11:2b:71)
-dhcpd-2.2.x: No applicable record for BOOTP host (00:20:6b:18:20:35|08:00:86:11:2b:71)
-## postfix
-postfix.*\[[0-9]+\]: .* from=
-postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [\.[:alnum:]-]+\[[\.0-9]+\] in MAIL command:
-
-rpc.mountd: authenticated mount request from .* for .*
-## snort
-snort: .*FrontPage
-snort: IDS015 - RPC - portmap-request-status:
-snort: IDS029 - SCAN-Possible Queso Fingerprint attempt:
-snort: IDS115 - MISC-Traceroute-UDP:
-snort: IDS212 - MISC - DNS Zone Transfer:
-snort: IDS226 - CVE-1999-0172 - CGI-formmail:
-snort: IDS246 - MISC - Large ICMP Packet:
-snort: IIS-
-snort: MISC-Attempted Sun RPC high port access:
-snort: NETBIOS-SMB-C:
-snort: NETBIOS-SMB-CD...:
-snort: NMAP TCP ping!:
-snort: RPC Info Query:
-snort: SCAN-SYN FIN:
-snort: spp_http_decode: IIS Unicode attack detected:
-snort: spp_portscan: End of portscan
-snort: spp_portscan: PORTSCAN DETECTED
-snort: spp_portscan: portscan status from
-snort: WEB-../..:
-snort: WEB-CGI-upload.pl:
-## postgres
-postgres\[[0-9]+\]: \[.*\] DEBUG:
-postgres\[[0-9]+\]: \[[0-9-]*\] Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\.
-postgres\[[0-9]+\]: \[[0-9-]*\] [0-9]*; Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\.
-### ignore.d.server/ucd-snmp
-ucd-snmp\[[0-9]+\]: Connection from .*
-### ignore.d.server/uw-imap.changes
-imapd\[[0-9]+\]: (port 143|imap|imaps SSL) service init from
-imapd\[[0-9]+\]: No route to host, while reading line user=.* host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN)
-i(map|pop3)d\[[0-9]+\]: Killed \(lost mailbox lock\) user=.* host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN)
-i(map|pop3)d\[[0-9]+\]: (Login|Auth|Authenticated|Logout|Autologout) user=.* host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN)
-i(map|pop3)d\[[0-9]+\]: Moved [0-9]+ bytes of new mail to .* from .* host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN)
-i(map|pop(2|3))d\[[0-9]+\]: (Broken pipe|Command stream end of file|Connection (reset by peer|timed out))(,)? while (reading (authentication|line|literal|char)|writing text) (user=.* )?host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN)
-ipop[2|3]d\[[0-9]+\]: (connect|pop3(s SSL)? service init) from [\.0-9]+
-ipop3d\[[0-9]+\]: Trying to get mailbox lock from process [0-9]+
-ipop3d\[[0-9]+\]: Error opening or locking INBOX user=.* host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN)
-ipop3d\[[0-9]+\]: Expunge ignored on readonly mailbox
-ipop3d\[[0-9]+\]: Mailbox is open by another process, access is readonly
-ipop3d\[[0-9]+\]: Moved .* bytes of new mail to .* from .* host=([^[:space:]]+ \[[\.0-9]+\]|UNKNOWN)
 ### violations.ignore.d/bind
 named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out
 named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied
-- cgit v1.2.3