From 9f3c51e3aa40910e103368b309a7775cd7518cf0 Mon Sep 17 00:00:00 2001 From: Jonas Smedegaard Date: Tue, 22 Oct 2002 17:24:43 +0000 Subject: logcheck: Match only numerical pid numbers (.* is BAD in logcheck!). --- logcheck/ignore.d.server/amanda | 2 +- logcheck/ignore.d.server/anacron | 14 ++++----- logcheck/ignore.d.server/bind | 24 +++++++-------- logcheck/ignore.d.server/gdm | 5 +--- logcheck/ignore.d.server/gdm.da_DK | 3 ++ logcheck/ignore.d.server/local | 56 +++++++++++++++++----------------- logcheck/ignore.d.server/murasaki | 14 ++++----- logcheck/ignore.d.server/netatalk | 8 ++--- logcheck/ignore.d.server/postfix | 32 ++++++++++---------- logcheck/ignore.d.server/postgresql | 4 +-- logcheck/ignore.d.server/ppp | 18 +++++------ logcheck/ignore.d.server/proftpd | 14 ++++----- logcheck/ignore.d.server/samba | 4 +-- logcheck/ignore.d.server/squid | 16 +++++----- logcheck/ignore.d.server/ssh | 22 +++++++------- logcheck/ignore.d.server/ssmtp | 2 +- logcheck/ignore.d.server/tftpd | 4 +-- logcheck/ignore.d.server/tmp | 60 ++++++++++++++++++------------------- logcheck/ignore.d.server/ucd-snmp | 2 +- logcheck/ignore.d.server/uw-imap | 24 +++++++-------- 20 files changed, 164 insertions(+), 164 deletions(-) create mode 100644 logcheck/ignore.d.server/gdm.da_DK (limited to 'logcheck/ignore.d.server') diff --git a/logcheck/ignore.d.server/amanda b/logcheck/ignore.d.server/amanda index c5dbb69..7a6ab62 100644 --- a/logcheck/ignore.d.server/amanda +++ b/logcheck/ignore.d.server/amanda @@ -1 +1 @@ -amandad\[.*\]: connect from .* +amandad\[[0-9]+\]: connect from diff --git a/logcheck/ignore.d.server/anacron b/logcheck/ignore.d.server/anacron index 82bcc64..21a4347 100644 --- a/logcheck/ignore.d.server/anacron +++ b/logcheck/ignore.d.server/anacron 
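Review bot: `amandad\[[0-9]+\]: connect from` has no `^` anchor, and the same holds for every rule rewritten in the other hunks of this commit, so (assuming logcheck applies these files as plain egrep patterns) a rule matches wherever its text appears in a log line, including inside a message field that echoes remote input such as a user or host name. Tightening the pid to `[0-9]+` narrows what can match but does not tie the rule to the position of the syslog tag. Anchoring each rule to the line prefix, e.g. `^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amandad\[[0-9]+\]: connect from `, would do that, and rules that describe a complete message can also end in `$`.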
@@ -1,7 +1,7 @@
-anacron\[.*\]: Job `cron.(daily|weekly|monthly)' terminated( \(exit status: 1\))?( \(mailing output\))?
-anacron\[.*\]: Normal exit \([[:digit:]]+ jobs run\)
-anacron\[.*\]: Anacron 2.3 started on [[:digit:]-]+
-anacron\[.*\]: Will run job `cron.(daily|weekly|monthly)' in (5|10|15) min\.
-anacron\[.*\]: Jobs will be executed sequentially
-anacron\[.*\]: Job `cron.(daily|weekly|monthly)' started
-anacron\[.*\]: Updated timestamp for job `cron.(daily|weekly|monthly)' to [[:digit:]-]+
+anacron\[[0-9]+\]: Job `cron.(daily|weekly|monthly)' terminated( \(exit status: 1\))?( \(mailing output\))?
+anacron\[[0-9]+\]: Normal exit
+anacron\[[0-9]+\]: Anacron 2.3 started on [[:digit:]-]+
+anacron\[[0-9]+\]: Will run job `cron.(daily|weekly|monthly)' in (5|10|15) min\.
+anacron\[[0-9]+\]: Jobs will be executed sequentially
+anacron\[[0-9]+\]: Job `cron.(daily|weekly|monthly)' started
+anacron\[[0-9]+\]: Updated timestamp for job `cron.(daily|weekly|monthly)' to [[:digit:]-]+
diff --git a/logcheck/ignore.d.server/bind b/logcheck/ignore.d.server/bind
index 98a2e9a..b2cda22 100644
--- a/logcheck/ignore.d.server/bind
+++ b/logcheck/ignore.d.server/bind
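Review bot: The rewritten `anacron\[[0-9]+\]: Normal exit` lost the ` \([[:digit:]]+ jobs run\)` tail of the line it replaces, so it now ignores any anacron message that begins with "Normal exit" rather than only the job-count form; that widens a rule in a commit whose purpose is to narrow them. Keeping the tail, `anacron\[[0-9]+\]: Normal exit \([[:digit:]]+ jobs run\)`, restores the earlier scope. The `.` in `cron.(daily|weekly|monthly)` on four of the new lines is also unescaped and matches any character; `cron\.(daily|weekly|monthly)` is the literal form.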
@@ -1,12 +1,12 @@
-named\[.*\]: .*: query\(.*\) NS points to CNAME \(.*\)
-named\[.*\]: NSTATS [[:digit:]]+ [[:digit:]]+
-named\[.*\]: .* All possible .* lame
-named\[.*\]: sysquery: query\(.*\) No possible A RRs
-named\[.*\]: zone .*: refresh: failure trying master .*: timed out
-named\[.*\]: client .*: transfer of '.*': AXFR started
-named\[.*\]: client [\.[:digit:]]+#[[:digit:]]+: update forwarding denied
-named\[.*\]: zone .*/IN: transfered serial [0-9]+
-named\[.*\]: transfer of '.*/IN' from .*: end of transfer
-named\[.*\]: zone .*/IN: sending notifies \(serial [0-9]+\)
-named\[.*\]: rcvd NOTIFY\(.*, IN, SOA\) from \[.*\]\.[[:digit:]]+
-named\[.*\]: late CNAME in answer section for .*
+named\[[0-9]+\]: .*: query\(.*\) NS points to CNAME \(.*\)
+named\[[0-9]+\]: NSTATS [[:digit:]]+ [[:digit:]]+
+named\[[0-9]+\]: .* All possible .* lame
+named\[[0-9]+\]: sysquery: query\(.*\) No possible A RRs
+named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out
+named\[[0-9]+\]: client .*: transfer of '.*': AXFR started
+named\[[0-9]+\]: client [\.[:digit:]]+#[[:digit:]]+: update forwarding denied
+named\[[0-9]+\]: zone .*/IN: transfered serial [0-9]+
+named\[[0-9]+\]: transfer of '.*/IN' from .*: end of transfer
+named\[[0-9]+\]: zone .*/IN: sending notifies \(serial [0-9]+\)
+named\[[0-9]+\]: rcvd NOTIFY\(.*, IN, SOA\) from \[.*\]\.[[:digit:]]+
+named\[[0-9]+\]: late CNAME in answer section for .*
diff --git a/logcheck/ignore.d.server/gdm b/logcheck/ignore.d.server/gdm
index fd726c6..af52a72 100644
--- a/logcheck/ignore.d.server/gdm
+++ b/logcheck/ignore.d.server/gdm
@@ -1,4 +1 @@
-gdm\[.*\]: run_pictures: .*/.gnome/gdm .*\.
-gdm\[.*\]: Pingning af.* mislykkedes, deaktiver terminal!
-gdm\[.*\]: gdm_slave_xioerror_handler: Fatal X-fejl - genstarter.*
-
+gdm\[[0-9]+\]: run_pictures: .*/.gnome/gdm .*\.
diff --git a/logcheck/ignore.d.server/gdm.da_DK b/logcheck/ignore.d.server/gdm.da_DK
new file mode 100644
index 0000000..dcde91e
--- /dev/null
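Review bot: `named\[[0-9]+\]: client .*: transfer of '.*': AXFR started` still ignores a zone transfer to any client for any zone, so a transfer requested by an unexpected host never reaches the report; only the pid part was tightened. The neighbouring `update forwarding denied` rule already constrains the client to `[\.[:digit:]]+#[[:digit:]]+`, and the same form here, `named\[[0-9]+\]: client [\.[:digit:]]+#[[:digit:]]+: transfer of '[^']+': AXFR started`, would at least stop free text from matching. Whether transfers should be ignored at all, or only for the site's known secondaries, is worth a comment in the file.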
+++ b/logcheck/ignore.d.server/gdm.da_DK
@@ -0,0 +1,3 @@
+gdm\[[0-9]+\]: Pingning af.* mislykkedes, deaktiver terminal!
+gdm\[[0-9]+\]: gdm_slave_xioerror_handler: Fatal X-fejl - genstarter.*
+
diff --git a/logcheck/ignore.d.server/local b/logcheck/ignore.d.server/local
index a16257f..7dfdfa2 100644
--- a/logcheck/ignore.d.server/local
+++ b/logcheck/ignore.d.server/local
@@ -5,37 +5,37 @@ dhcpd.*: Reclaiming( REQUESTed) abandoned IP address [\.[:digit:]]+ dhcpd.*: already acking lease dhcpd.*: send_packet: Connection refused dhcpd.*: fallback_discard: Connection refused -Fax(Getty|Send)\[.*\]: STATE CHANGE:( ->| BASE| LOCKWAIT| LISTENING| RUNNING| ANSWERING| RECEIVING| MODEMWAIT)+ -Fax(Getty|Send)\[.*\]: MODEM (ROCKWELL|ZYXEL) .* -FaxGetty\[.*\]: RECV FAX \([[:digit:]]+\): from .*, page .* in [[:digit:]]+:[[:digit:]]+, INF, .* line/mm, (1|2)-D MR(, [[:digit:]]+ bit/s)? -FaxGetty\[.*\]: RECV FAX \([[:digit:]]+\): recvq/fax[[:digit:]]+\.tif from .*, route to .*, [[:digit:]]+ pages in [[:digit:]]+:[[:digit:]]+ -FaxGetty\[.*\]: RECV FAX: bin/faxrcvd "recvq/fax[[:digit:]]+\.tif" "ttyS[012]" "[[:digit:]]+" "" -FaxGetty\[.*\]: ANSWER: Ring detected without successful handshake -FaxGetty\[.*\]: ANSWER: FAX CONNECTION -FaxQueuer\[.*\]: SUBMIT JOB [[:digit:]]+ -FaxSend\[.*\]: SEND FAX: JOB [[:digit:]]+ DEST [[:digit:]]+ COMMID [[:digit:]]+ -gnu-imap4d\[.*\]: Incoming connection opened -gnu-imap4d\[.*\]: connect from [\.[:digit:]]+ -gnu-imap4d\[.*\]: User '[[:alnum:]]+' logged in -gnu-imap4d\[.*\]: Session timed out for user: [[:alnum:]]+ -gnu-imap4d\[.*\]: got signal Alarm clock -HylaFAX\[.*\]: Filesystem has SysV-style file creation semantics. -ircd\[.*\]: ircd exiting: autodie -ircd\[.*\]: Server Ready -(ircd\[.*\]: )?binding stream socket [\.[:alnum:]]+\[\*\.666[789]\]: Address already in use -IMP\[.*\]: Login .* to .*:143 as .* +Fax(Getty|Send)\[[0-9]+\]: STATE CHANGE:( ->| BASE| LOCKWAIT| LISTENING| RUNNING| ANSWERING| RECEIVING| MODEMWAIT)+ +Fax(Getty|Send)\[[0-9]+\]: MODEM (ROCKWELL|ZYXEL) .* +FaxGetty\[[0-9]+\]: RECV FAX \([[:digit:]]+\): from .*, page .* in [[:digit:]]+:[[:digit:]]+, INF, .* line/mm, (1|2)-D MR(, [[:digit:]]+ bit/s)? 
+FaxGetty\[[0-9]+\]: RECV FAX \([[:digit:]]+\): recvq/fax[[:digit:]]+\.tif from .*, route to .*, [[:digit:]]+ pages in [[:digit:]]+:[[:digit:]]+ +FaxGetty\[[0-9]+\]: RECV FAX: bin/faxrcvd "recvq/fax[[:digit:]]+\.tif" "ttyS[012]" "[[:digit:]]+" "" +FaxGetty\[[0-9]+\]: ANSWER: Ring detected without successful handshake +FaxGetty\[[0-9]+\]: ANSWER: FAX CONNECTION +FaxQueuer\[[0-9]+\]: SUBMIT JOB [[:digit:]]+ +FaxSend\[[0-9]+\]: SEND FAX: JOB [[:digit:]]+ DEST [[:digit:]]+ COMMID [[:digit:]]+ +gnu-imap4d\[[0-9]+\]: Incoming connection opened +gnu-imap4d\[[0-9]+\]: connect from [\.[:digit:]]+ +gnu-imap4d\[[0-9]+\]: User '[[:alnum:]]+' logged in +gnu-imap4d\[[0-9]+\]: Session timed out for user: [[:alnum:]]+ +gnu-imap4d\[[0-9]+\]: got signal Alarm clock +HylaFAX\[[0-9]+\]: Filesystem has SysV-style file creation semantics. +ircd\[[0-9]+\]: ircd exiting: autodie +ircd\[[0-9]+\]: Server Ready +(ircd\[[0-9]+\]: )?binding stream socket [\.[:alnum:]]+\[\*\.666[789]\]: Address already in use +IMP\[[0-9]+\]: Login .* to .*:143 as .* kernel: isdn_net: call from [,[:digit:]]+ -> [[:digit:]]+ kernel: isdn_net: Service-Indicator not [[:digit:]], ignored kernel: Packet log: input DENY eth[[:digit:]]+ PROTO=17 .*:(137|138) .*:(137|138) L=[[:digit:]]+ S=0x00 I=[[:digit:]]+ F=0x0000 T=[[:digit:]]+ \(#[[:digit:]]+\) -ntpd\[.*\]: kern_enable is 1 -ntpd\[.*\]: kernel time discipline status 0040 -ntpd\[.*\]: ntpd 4\.[01]\..* \([12]\) -ntpd\[.*\]: precision = [[:digit:]]+ usec -ntpd\[.*\]: signal_no_reset: signal 13 had flags [[:digit:]]+ -ntpd\[.*\]: using kernel phase-lock loop [[:digit:]]+ -pam_limits\[.*\]: default limits skipped for 'root' -pop-before-smtp\[.*\]: (opening|closing) relay for [\.[:digit:]]+( --- not in mynetworks)? 
-su\[.*\]: \+ pts/[[:digit:]]+ .*-root +ntpd\[[0-9]+\]: kern_enable is 1 +ntpd\[[0-9]+\]: kernel time discipline status 0040 +ntpd\[[0-9]+\]: ntpd 4\.[01]\..* \([12]\) +ntpd\[[0-9]+\]: precision = [[:digit:]]+ usec +ntpd\[[0-9]+\]: signal_no_reset: signal 13 had flags [[:digit:]]+ +ntpd\[[0-9]+\]: using kernel phase-lock loop [[:digit:]]+ +pam_limits\[[0-9]+\]: default limits skipped for 'root' +pop-before-smtp\[[0-9]+\]: (opening|closing) relay for [\.[:digit:]]+( --- not in mynetworks)? +su\[[0-9]+\]: \+ pts/[[:digit:]]+ .*-root printer: peripheral low-power state printer: paper out printer: error cleared diff --git a/logcheck/ignore.d.server/murasaki b/logcheck/ignore.d.server/murasaki index f401479..6d99073 100644 --- a/logcheck/ignore.d.server/murasaki +++ b/logcheck/ignore.d.server/murasaki 
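Review bot: `su\[[0-9]+\]: \+ pts/[[:digit:]]+ .*-root` drops every successful switch to root from the report, whoever the originating user is, and the `.*` before `-root` is the kind of wildcard this commit sets out to remove. If the rule is meant for specific administrators the user part should be spelled out; as a minimum `su\[[0-9]+\]: \+ pts/[[:digit:]]+ [[:alnum:]]+-root` brings it in line with the `[[:alnum:]]+` used by the gnu-imap4d rules in the same hunk. `IMP\[[0-9]+\]: Login .* to .*:143 as .*` has the same shape with three wildcards.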
@@ -1,7 +1,7 @@
-murasaki\.usb\[.*\]: found depended module="[[:alnum:]]+"
-murasaki\.(usb|net)\[.*\]: try expanding "\[net\]"
-murasaki\.(usb|net)\[.*\]: dependent\(net\) is found
-murasaki\.(usb|net)\[.*\]: net device is (added|removed|(un)?register(e)?d)
-murasaki\.(usb|net)\[.*\]: Execuing "net" "(stop|start)"
-murasaki\.(usb|net)\[.*\]: execute if(up|down) (eth|(i)?ppp|irda)[[:digit:]]
-murasaki\.usb\[.*\]: (MATCH\(audio\) -> match_flags:[[:alnum:]]+ )?vendor:[[:alnum:]]+ product:[[:alnum:]]+ Dclass:[[:alnum:]]+ Dsubclass:[[:alnum:]]+ Dprotocol:[[:alnum:]]+ Iclass:[[:alnum:]]+ Isubclass:[[:alnum:]]+ Iprotocol:[[:alnum:]]+
+murasaki\.usb\[[0-9]+\]: found depended module="[[:alnum:]]+"
+murasaki\.(usb|net)\[[0-9]+\]: try expanding "\[net\]"
+murasaki\.(usb|net)\[[0-9]+\]: dependent\(net\) is found
+murasaki\.(usb|net)\[[0-9]+\]: net device is (added|removed|(un)?register(e)?d)
+murasaki\.(usb|net)\[[0-9]+\]: Execuing "net" "(stop|start)"
+murasaki\.(usb|net)\[[0-9]+\]: execute if(up|down) (eth|(i)?ppp|irda)[[:digit:]]
+murasaki\.usb\[[0-9]+\]: (MATCH\(audio\) -> match_flags:[[:alnum:]]+ )?vendor:[[:alnum:]]+ product:[[:alnum:]]+ Dclass:[[:alnum:]]+ Dsubclass:[[:alnum:]]+ Dprotocol:[[:alnum:]]+ Iclass:[[:alnum:]]+ Isubclass:[[:alnum:]]+ Iprotocol:[[:alnum:]]+
diff --git a/logcheck/ignore.d.server/netatalk b/logcheck/ignore.d.server/netatalk
index 45da925..2292bc6 100644
--- a/logcheck/ignore.d.server/netatalk
+++ b/logcheck/ignore.d.server/netatalk
@@ -1,4 +1,4 @@
-afpd\[[0-9]*\]: removed .*/net[\.0-9]*node[0-9]*
-afpd\[[0-9]*\]: CNID DB initialized using Sleepycat Software: Berkeley DB
-atalkd\[[0-9]*\]: .*: zip gnireply from [\.0-9]* \(.*\)
-atalkd\[[0-9]*\]: .*: zip ignoring gnireply
+afpd\[[0-9]+\]: removed .*/net[\.0-9]*node[0-9]*
+afpd\[[0-9]+\]: CNID DB initialized using Sleepycat Software: Berkeley DB
+atalkd\[[0-9]+\]: .*: zip gnireply from [\.0-9]* \(.*\)
+atalkd\[[0-9]+\]: .*: zip ignoring gnireply
diff --git a/logcheck/ignore.d.server/postfix b/logcheck/ignore.d.server/postfix
index daecc6d..a2598c8 100644
--- a/logcheck/ignore.d.server/postfix
+++ b/logcheck/ignore.d.server/postfix
@@ -1,18 +1,18 @@ postfix.* table has changed -- exiting -postfix/cleanup\[.*\]: warning: premature end-of-input from cleanup socket while reading input attribute name -postfix/local\[.*\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied -postfix/qmgr\[.*\]: [A-Z0-9]+: skipped, still being delivered -postfix/smtp\[.*\]: .* status=deferred \(connect to .*: (Connection refused|server refused mail service)\) -postfix/smtp\[.*\]: connect to .*: (Connection (refused|reset by peer|timed out)|read timeout|server (refused mail service|dropped connection)|No route to host) \(port 25\) -postfix/smtp\[.*\]: [A-Z0-9]+: enabling PIX \. workaround for [\.[:alnum:]-]+\[[\.[:digit:]]+\] -postfix/smtp\[.*\]: warning: numeric domain name in resource data of MX record for .*: [\.[:digit:]]+ -postfix/smtp\[.*\]: warning: no MX host for [\.[:alnum:]-]+ has a valid A record -postfix/smtp\[.*\]: warning: host [\.[:alnum:]-]+\[[\.[:digit:]]+\] (greeted me|replied to HELO/EHLO) with my own hostname [\.[:alnum:]-]+ -postfix/smtpd\[.*\]: (lost connection|timeout) after [^ ]+ from [\.[:alnum:]-]+\[[\.[:digit:]]+\] -postfix/smtpd\[.*\]: warning: .*: address not listed for hostname .* -postfix/smtpd\[.*\]: warning: .*: hostname [\.[:alnum:]-]+ verification failed: Host (name has no address|not found) -postfix/smtpd\[.*\]: warning: .* sent (message header|mail content) instead of SMTP command: +postfix/cleanup\[[0-9]+\]: warning: premature end-of-input from cleanup socket while reading input attribute name +postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied +postfix/qmgr\[[0-9]+\]: [A-Z0-9]+: skipped, still being delivered +postfix/smtp\[[0-9]+\]: .* status=deferred \(connect to .*: (Connection refused|server refused mail service)\) +postfix/smtp\[[0-9]+\]: connect to .*: (Connection (refused|reset by peer|timed out)|read timeout|server (refused mail service|dropped connection)|No route to host) \(port 
25\) +postfix/smtp\[[0-9]+\]: [A-Z0-9]+: enabling PIX \. workaround for [\.[:alnum:]-]+\[[\.[:digit:]]+\] +postfix/smtp\[[0-9]+\]: warning: numeric domain name in resource data of MX record for .*: [\.[:digit:]]+ +postfix/smtp\[[0-9]+\]: warning: no MX host for [\.[:alnum:]-]+ has a valid A record +postfix/smtp\[[0-9]+\]: warning: host [\.[:alnum:]-]+\[[\.[:digit:]]+\] (greeted me|replied to HELO/EHLO) with my own hostname [\.[:alnum:]-]+ +postfix/smtpd\[[0-9]+\]: (lost connection|timeout) after [^ ]+ from [\.[:alnum:]-]+\[[\.[:digit:]]+\] +postfix/smtpd\[[0-9]+\]: warning: .*: address not listed for hostname .* +postfix/smtpd\[[0-9]+\]: warning: .*: hostname [\.[:alnum:]-]+ verification failed: Host (name has no address|not found) +postfix/smtpd\[[0-9]+\]: warning: .* sent (message header|mail content) instead of SMTP command: postfix/postfix-script: refreshing the Postfix mail system -postfix/master\[.*\]: reload configuration -postfix/smtp\[.*\]: warning: mailer loop: best MX host for .* is local -postfix/smtp\[.*\]: warning: bad size limit "truncates" in EHLO reply from .* +postfix/master\[[0-9]+\]: reload configuration +postfix/smtp\[[0-9]+\]: warning: mailer loop: best MX host for .* is local +postfix/smtp\[[0-9]+\]: warning: bad size limit "truncates" in EHLO reply from .* diff --git a/logcheck/ignore.d.server/postgresql b/logcheck/ignore.d.server/postgresql index 5af6244..29d90d2 100644 --- a/logcheck/ignore.d.server/postgresql +++ b/logcheck/ignore.d.server/postgresql @@ -1,2 +1,2 @@ -postgres\[.*\]: \[[0-9-]*\] \^ICPU .* sec elapsed .* sec\. -postgres\[.*\]: \[[0-9-]*\] \^ITotal CPU .* sec elapsed .* sec\. +postgres\[[0-9]+\]: \[[0-9-]+\] \^ICPU .* sec elapsed .* sec\. +postgres\[[0-9]+\]: \[[0-9-]+\] \^ITotal CPU .* sec elapsed .* sec\. diff --git a/logcheck/ignore.d.server/ppp b/logcheck/ignore.d.server/ppp index 595b755..4c240a7 100644 --- a/logcheck/ignore.d.server/ppp +++ b/logcheck/ignore.d.server/ppp 
@@ -1,9 +1,9 @@
-chat\[.*\]: abort on \(.*\)
-chat\[.*\]: expect \(.*\)
-chat\[.*\]: send \(AT.*\^M\)
-chat\[.*\]: -- got it
-chat\[.*\]: AT.*\^M\^M
-chat\[.*\]: \^M
-chat\[.*\]: CONNECT
-chat\[.*\]: OK
-chat\[.*\]: send \(\\d\)
+chat\[[0-9]+\]: abort on \(.*\)
+chat\[[0-9]+\]: expect \(.*\)
+chat\[[0-9]+\]: send \(AT.*\^M\)
+chat\[[0-9]+\]: -- got it
+chat\[[0-9]+\]: AT.*\^M\^M
+chat\[[0-9]+\]: \^M
+chat\[[0-9]+\]: CONNECT
+chat\[[0-9]+\]: OK
+chat\[[0-9]+\]: send \(\\d\)
diff --git a/logcheck/ignore.d.server/proftpd b/logcheck/ignore.d.server/proftpd
index b1e1f0c..538a0d6 100644
--- a/logcheck/ignore.d.server/proftpd
+++ b/logcheck/ignore.d.server/proftpd
@@ -1,7 +1,7 @@
-proftpd\[.*\]: .* \(.*\[[\.[:digit:]]+\]\) - FTP session opened\.
-proftpd\[.*\]: .* \(.*\[[\.[:digit:]]+\]\) - USER (anonymous|ftp)(@[\.[:alnum:]]+)? \(Login failed\): Can't find user\.
-proftpd\[.*\]: .* \(.*\[[\.[:digit:]]+\]\) - USER (anonymous|ftp)(@[\.[:alnum:]]+)?: no such user found from .*\[[\.[:digit:]]+\] to [\.[:digit:]]+
-proftpd\[.*\]: .* \(.*\[[\.[:digit:]]+\]\) - no such user '(anonymous|ftp)(@[\.[:alnum:]]+)?'
-proftpd\[.*\]: connect from [\.[:digit:]]+
-proftpd\[.*\]: No certificate files found!
-proftpd\[.*\]:.* (.*\[.*\]) - Refused PORT.* (address mismatch)\.
+proftpd\[[0-9]+\]: .* \(.*\[[\.[:digit:]]+\]\) - FTP session opened\.
+proftpd\[[0-9]+\]: .* \(.*\[[\.[:digit:]]+\]\) - USER (anonymous|ftp)(@[\.[:alnum:]]+)? \(Login failed\): Can't find user\.
+proftpd\[[0-9]+\]: .* \(.*\[[\.[:digit:]]+\]\) - USER (anonymous|ftp)(@[\.[:alnum:]]+)?: no such user found from .*\[[\.[:digit:]]+\] to [\.[:digit:]]+
+proftpd\[[0-9]+\]: .* \(.*\[[\.[:digit:]]+\]\) - no such user '(anonymous|ftp)(@[\.[:alnum:]]+)?'
+proftpd\[[0-9]+\]: connect from [\.[:digit:]]+
+proftpd\[[0-9]+\]: No certificate files found!
+proftpd\[[0-9]+\]:.* (.*\[.*\]) - Refused PORT.* (address mismatch)\.
diff --git a/logcheck/ignore.d.server/samba b/logcheck/ignore.d.server/samba
index 6cd281d..f46a3fe 100644
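Review bot: In the last proftpd rule, `proftpd\[[0-9]+\]:.* (.*\[.*\]) - Refused PORT.* (address mismatch)\.`, the parentheses are not escaped, so in an extended regex they are groups, while the four rules above it write the client as `\(.*\[[\.[:digit:]]+\]\)`. If proftpd logs the peer as `(host[addr])`, the unescaped form requires `]` to be followed directly by ` - ` and probably never matches, which leaves a dead rule. The form consistent with its siblings is `proftpd\[[0-9]+\]: .* \(.*\[[\.[:digit:]]+\]\) - Refused PORT.* \(address mismatch\)\.`. Since a refused PORT with an address mismatch can indicate an FTP bounce attempt, it is also worth confirming that this message belongs in an ignore file.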
--- a/logcheck/ignore.d.server/samba
+++ b/logcheck/ignore.d.server/samba
@@ -1,2 +1,2 @@
-smbd\[.*\]: read(_socket)?_data: (read|recv) failure for 4\. Error = (No route to host|Connection reset by peer)
-smbd\[.*\]: \[.*\] lib/util_sock.c:read(_socket)?_data\([[:digit:]]+\)
+smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for 4\. Error = (No route to host|Connection reset by peer)
+smbd\[[0-9]+\]: \[.*\] lib/util_sock.c:read(_socket)?_data\([[:digit:]]+\)
diff --git a/logcheck/ignore.d.server/squid b/logcheck/ignore.d.server/squid
index 53c9b1e..a778073 100644
--- a/logcheck/ignore.d.server/squid
+++ b/logcheck/ignore.d.server/squid
@@ -1,8 +1,8 @@
-squid\[.*\]: Finished. Wrote [[:digit:]]+ entries\.
-squid\[.*\]: Took [\.[:digit:]]+ seconds \(.* entries/sec\)\.
-squid\[.*\]: (access|store)LogRotate: Rotating(\.)?
-squid\[.*\]: logfileRotate: /var/log/squid/(access|store).log
-squid\[.*\]: (Closing Pinger socket|Pinger socket opened) on FD [[:digit:]]+
-squid\[.*\]: NETDB state saved;
-squid\[.*\]: storeDirWriteCleanLogs: Starting\.\.\.
-squid\[.*\]: helperOpenServers: Starting [[:digit:]]+ '.*' processes
+squid\[[0-9]+\]: Finished. Wrote [[:digit:]]+ entries\.
+squid\[[0-9]+\]: Took [\.[:digit:]]+ seconds \(.* entries/sec\)\.
+squid\[[0-9]+\]: (access|store)LogRotate: Rotating(\.)?
+squid\[[0-9]+\]: logfileRotate: /var/log/squid/(access|store).log
+squid\[[0-9]+\]: (Closing Pinger socket|Pinger socket opened) on FD [[:digit:]]+
+squid\[[0-9]+\]: NETDB state saved;
+squid\[[0-9]+\]: storeDirWriteCleanLogs: Starting\.\.\.
+squid\[[0-9]+\]: helperOpenServers: Starting [[:digit:]]+ '.*' processes
diff --git a/logcheck/ignore.d.server/ssh b/logcheck/ignore.d.server/ssh
index 3ff907f..fb0a3a8 100644
--- a/logcheck/ignore.d.server/ssh
+++ b/logcheck/ignore.d.server/ssh
@@ -1,11 +1,11 @@
-sshd\[.*\]: syslogin_perform_logout: logout\(\) returned an error
-sshd\[.*\]: Could not reverse map address .*\.
-sshd\[.*\]: Connection closed by .*
-sshd\[.*\]: Did not receive ident(ification)? string from [\.[:digit:]]+
-sshd\[.*\]: scanned from [\.[:digit:]]+ with SSH-1\.0-SSH_Version_Mapper\. Don't panic\.
-sshd\[.*\]: Disconnecting: Your ssh version is too old and is no longer supported\. Please install a newer version\.
-sshd\[.*\]: Accepted (keyboard-interactive|publickey) for [[:alnum:]]+ from [\.[:digit:]]+ port [[:digit:]]+ ssh2
-sshd\[.*\]: warning: /etc/hosts.deny, line 15: can't verify hostname: gethostbyname(.*) failed
-sshd\[.*\]: refused connect from .*
-sshd\[.*\]: Received disconnect from [\.[:digit:]]+: 11: Disconnect requested by Windows SSH Client.
-sshd\[.*\]: subsystem request for sftp
+sshd\[[0-9]+\]: syslogin_perform_logout: logout\(\) returned an error
+sshd\[[0-9]+\]: Could not reverse map address .*\.
+sshd\[[0-9]+\]: Connection closed by .*
+sshd\[[0-9]+\]: Did not receive ident(ification)? string from [\.[:digit:]]+
+sshd\[[0-9]+\]: scanned from [\.[:digit:]]+ with SSH-1\.0-SSH_Version_Mapper\. Don't panic\.
+sshd\[[0-9]+\]: Disconnecting: Your ssh version is too old and is no longer supported\. Please install a newer version\.
+sshd\[[0-9]+\]: Accepted (keyboard-interactive|publickey) for [[:alnum:]]+ from [\.[:digit:]]+ port [[:digit:]]+ ssh2
+sshd\[[0-9]+\]: warning: /etc/hosts.deny, line 15: can't verify hostname: gethostbyname(.*) failed
+sshd\[[0-9]+\]: refused connect from .*
+sshd\[[0-9]+\]: Received disconnect from [\.[:digit:]]+: 11: Disconnect requested by Windows SSH Client.
+sshd\[[0-9]+\]: subsystem request for sftp
diff --git a/logcheck/ignore.d.server/ssmtp b/logcheck/ignore.d.server/ssmtp
index 36b5b7c..462187c 100644
--- a/logcheck/ignore.d.server/ssmtp
+++ b/logcheck/ignore.d.server/ssmtp
@@ -1 +1 @@
-sSMTP mail\[.*\]: .* sent mail for root
+sSMTP mail\[[0-9]+\]: .* sent mail for root
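Review bot: In the ssh hunk, `sshd\[[0-9]+\]: Accepted (keyboard-interactive|publickey) for [[:alnum:]]+ from [\.[:digit:]]+ port [[:digit:]]+ ssh2` removes every successful login from the report for any alphanumeric account name, root included. The pid change leaves that as it was, but the rule deserves at least a comment stating the intent, for instance `# hides all successful publickey/keyboard-interactive logins, root included - review per host`. In the same hunk `/etc/hosts.deny, line 15:` hard-codes one host's line number and leaves `.` and the parentheses of `gethostbyname(.*)` unescaped; `/etc/hosts\.deny, line [[:digit:]]+: can't verify hostname: gethostbyname\(.*\) failed` is the literal form.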
diff --git a/logcheck/ignore.d.server/tftpd b/logcheck/ignore.d.server/tftpd
index f197a11..8711e09 100644
--- a/logcheck/ignore.d.server/tftpd
+++ b/logcheck/ignore.d.server/tftpd
@@ -1,2 +1,2 @@
-in.tftpd\[.*\]: RRQ from.*filename.*
-in.tftpd\[.*\]: tftp: client does not accept options
+in.tftpd\[[0-9]+\]: RRQ from.*filename.*
+in.tftpd\[[0-9]+\]: tftp: client does not accept options
diff --git a/logcheck/ignore.d.server/tmp b/logcheck/ignore.d.server/tmp
index 1593f31..c7e66a7 100644
--- a/logcheck/ignore.d.server/tmp
+++ b/logcheck/ignore.d.server/tmp
@@ -1,38 +1,38 @@ -IMP\[.*\]: FAILED .* to .*:143 as .* -PAM_unix\[.*\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service -afpd\[.*\]: uams_dhx_pam\.c :PAM: PAM (Auth OK!|Success -- .*|User entered a null value -- .*) -afpd\[.*\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument) -afpd\[.*\]: uams_dhx_pam\.c :PAM: PAM: User entered a null value -- No such file or directory -afpd\[.*\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied -afpd\[.*\]: bad function 7A -atalkd\[.*\]: as_timer sendto: Netvaerket er ikke tilgaengeligt -FaxGetty\[.*\]: ANSWER: Can not lock modem device -gnome-name-server\[.*\]: server_is_alive: .* -i(map|pop3)d\[.*\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\] -ipppd\[.*\]: Connect\[0\]: /dev/ippp[[:digit:]], fd: 12 +IMP\[[0-9]+\]: FAILED .* to .*:143 as .* +PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service +afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM (Auth OK!|Success -- .*|User entered a null value -- .*) +afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument) +afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM: User entered a null value -- No such file or directory +afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied +afpd\[[0-9]+\]: bad function 7A +atalkd\[[0-9]+\]: as_timer sendto: Netvaerket er ikke tilgaengeligt +FaxGetty\[[0-9]+\]: ANSWER: Can not lock modem device +gnome-name-server\[[0-9]+\]: server_is_alive: .* +i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? 
host=(.* )?\[.*\] +ipppd\[[0-9]+\]: Connect\[0\]: /dev/ippp[[:digit:]], fd: 12 kernel: Disorder[[:digit:]] [[:digit:]] [[:digit:]] f[[:digit:]] s[[:digit:]] rr[[:digit:]] kernel: IP_MASQ:reverse ICMP: failed checksum from .*! kernel: OPEN: [\.[:digit:]]* -> [\.[:digit:]]* UDP, port: [[:digit:]]* -> [[:digit:]]* kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\) kernel: lp[[:digit:]]: compatibility mode kernel: Undo( partial)? (Hoe|loss|retrans) -ntpd\[.*\]: synchronisation lost -ntpd\[.*\]: synchronisation lost -ntpd\[.*\]: time reset [\.[:digit:]-]* . -ntpd\[.*\]: time reset [\.[:digit:]-]+ s -portsentry\[.*\]: attackalert: .* -pumpd\[.*\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument -smbd\[.*\]: read_socket_data: recv failure for 4. Error = No route to host -smbd\[.*\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! -smbd\[.*\]: yield_connection: tdb_delete for name failed with error Record does not exist\. -smbd\[.*\]: \[.*\] smbd/connection.c:yield_connection\([[:digit:]]+\) -smbd\[.*\]: \[.*\] passdb/pampass.c:smb_pam_passcheck\([[:digit:]]+\) -sshd\[.*]: Failed password for .* -sshd\[.*\]: packet_set_maxsize: setting to 4096 +ntpd\[[0-9]+\]: synchronisation lost +ntpd\[[0-9]+\]: synchronisation lost +ntpd\[[0-9]+\]: time reset [\.[:digit:]-]* . +ntpd\[[0-9]+\]: time reset [\.[:digit:]-]+ s +portsentry\[[0-9]+\]: attackalert: .* +pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument +smbd\[[0-9]+\]: read_socket_data: recv failure for 4. Error = No route to host +smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! +smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\. 
+smbd\[[0-9]+\]: \[.*\] smbd/connection.c:yield_connection\([[:digit:]]+\) +smbd\[[0-9]+\]: \[.*\] passdb/pampass.c:smb_pam_passcheck\([[:digit:]]+\) +sshd\[[0-9]+\]: Failed password for .* +sshd\[[0-9]+\]: packet_set_maxsize: setting to 4096 dhcpd-2.2.x: BOOTREQUEST from (00:20:6b:18:20:35|08:00:86:11:2b:71) dhcpd-2.2.x: No applicable record for BOOTP host (00:20:6b:18:20:35|08:00:86:11:2b:71) -postfix.*\[.*\]: .* from= -postfix/smtpd\[.*\]: warning: Illegal address syntax from [\.[:alnum:]-]+\[[\.[:digit:]]+\] in MAIL command: +postfix.*\[[0-9]+\]: .* from= +postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [\.[:alnum:]-]+\[[\.[:digit:]]+\] in MAIL command: rpc.mountd: authenticated mount request from .* for .* snort: .*FrontPage snort: IDS015 - RPC - portmap-request-status: @@ -54,9 +54,9 @@ snort: spp_portscan: PORTSCAN DETECTED snort: spp_portscan: portscan status from snort: WEB-../..: snort: WEB-CGI-upload.pl: -postgres\[.*\]: \[.*\] DEBUG: -postgres\[.*\]: \[[0-9-]*\] Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\. -postgres\[.*\]: \[[0-9-]*\] [0-9]*; Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\. +postgres\[[0-9]+\]: \[.*\] DEBUG: +postgres\[[0-9]+\]: \[[0-9-]*\] Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\. +postgres\[[0-9]+\]: \[[0-9-]*\] [0-9]*; Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\. printer: offline or intervention needed #old-style pam entries (no longer provided by logcheck but needed on woody PAM_.*: .* session opened for user .* diff --git a/logcheck/ignore.d.server/ucd-snmp b/logcheck/ignore.d.server/ucd-snmp index 9d135c2..56f0db5 100644 --- a/logcheck/ignore.d.server/ucd-snmp +++ b/logcheck/ignore.d.server/ucd-snmp @@ -1 +1 @@ -ucd-snmp\[.*\]: Connection from .* +ucd-snmp\[[0-9]+\]: Connection from .* diff --git a/logcheck/ignore.d.server/uw-imap b/logcheck/ignore.d.server/uw-imap index 5e2900e..cda8438 100644 
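Review bot: Several rules kept in the first `tmp` hunk suppress the events a log report exists to show: `sshd\[[0-9]+\]: Failed password for .*`, `portsentry\[[0-9]+\]: attackalert: .*`, the `PAM_unix\[[0-9]+\]: authentication failure; ...` rule and the `smb_pam_passcheck: ... Rejecting User [[:alnum:]]+ !` rule. Correcting the pid match makes them more precise, but they still hide failed authentication and port-scan alerts wherever this file is installed. I would drop these lines from `tmp`, or move them to a host-local file with a comment giving the reason. `ntpd\[[0-9]+\]: synchronisation lost` also appears twice on the new side, and one copy can go.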
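Review bot: In the second `tmp` hunk, `postgres\[[0-9]+\]: \[.*\] DEBUG:` still uses `\[.*\]` for the second bracket and the two `Re-using` rules below it keep `\[[0-9-]*\]`, while the postgresql file in this same commit moves to `\[[0-9-]+\]`. If the bracket holds the same counter in all of these messages (not visible from this hunk), the three lines should use the tightened form as well, e.g. `postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG:`. As written, the DEBUG rule ignores any postgres line in which a bracketed field is followed by ` DEBUG:` anywhere later in the line.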
--- a/logcheck/ignore.d.server/uw-imap
+++ b/logcheck/ignore.d.server/uw-imap
@@ -1,12 +1,12 @@ -imapd\[.*\]: (port 143|imap|imaps SSL) service init from -imapd\[.*\]: No route to host, while reading line user=.* host=(.*\[.*\]|UNKNOWN) -i(map|pop3)d\[.*\]: Killed \(lost mailbox lock\) user=.* host=(.*\[.*\]|UNKNOWN) -i(map|pop3)d\[.*\]: (Login|Auth|Authenticated|Logout|Autologout) user=.* host=(.*\[.*\]|UNKNOWN) -i(map|pop3)d\[.*\]: Moved [[:digit:]]+ bytes of new mail to .* from .* host=(.*\[.*\]|UNKNOWN) -i(map|pop(2|3))d\[.*\]: (Broken pipe|Command stream end of file|Connection (reset by peer|timed out))(,)? while (reading (authentication|line|literal|char)|writing text) (user=.* )?host=(.*\[.*\]|UNKNOWN) -ipop[2|3]d\[.*\]: (connect|pop3(s SSL)? service init) from [\.[:digit:]]+ -ipop3d\[.*\]: Trying to get mailbox lock from process [[:digit:]]+ -ipop3d\[.*\]: Error opening or locking INBOX user=.* host=(.*\[.*\]|UNKNOWN) -ipop3d\[.*\]: Expunge ignored on readonly mailbox -ipop3d\[.*\]: Mailbox is open by another process, access is readonly -ipop3d\[.*\]: Moved .* bytes of new mail to .* from .* host=(.*\[.*\]|UNKNOWN) +imapd\[[0-9]+\]: (port 143|imap|imaps SSL) service init from +imapd\[[0-9]+\]: No route to host, while reading line user=.* host=(.*\[.*\]|UNKNOWN) +i(map|pop3)d\[[0-9]+\]: Killed \(lost mailbox lock\) user=.* host=(.*\[.*\]|UNKNOWN) +i(map|pop3)d\[[0-9]+\]: (Login|Auth|Authenticated|Logout|Autologout) user=.* host=(.*\[.*\]|UNKNOWN) +i(map|pop3)d\[[0-9]+\]: Moved [[:digit:]]+ bytes of new mail to .* from .* host=(.*\[.*\]|UNKNOWN) +i(map|pop(2|3))d\[[0-9]+\]: (Broken pipe|Command stream end of file|Connection (reset by peer|timed out))(,)? while (reading (authentication|line|literal|char)|writing text) (user=.* )?host=(.*\[.*\]|UNKNOWN) +ipop[2|3]d\[[0-9]+\]: (connect|pop3(s SSL)? 
service init) from [\.[:digit:]]+ +ipop3d\[[0-9]+\]: Trying to get mailbox lock from process [[:digit:]]+ +ipop3d\[[0-9]+\]: Error opening or locking INBOX user=.* host=(.*\[.*\]|UNKNOWN) +ipop3d\[[0-9]+\]: Expunge ignored on readonly mailbox +ipop3d\[[0-9]+\]: Mailbox is open by another process, access is readonly +ipop3d\[[0-9]+\]: Moved .* bytes of new mail to .* from .* host=(.*\[.*\]|UNKNOWN) -- cgit v1.2.3
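Review bot: `ipop[2|3]d\[[0-9]+\]:` uses a bracket expression, in which `|` is a literal member rather than alternation, so the rule also accepts `ipop|d`; `ipop[23]d\[[0-9]+\]: (connect|pop3(s SSL)? service init) from [\.[:digit:]]+` says what is meant, as does `ipop(2|3)d` in the style of the `pop(2|3)` rule above it. The `user=.*` and `host=(.*\[.*\]|UNKNOWN)` fields in the other rules of this hunk remain free-form. Where the user name may come from the client, a character class such as `user=[^ ]+` would limit how much of the line a crafted name can stand in for.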