From e25e815689670be2b13c8c193a774c19f54a3e8a Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Wed, 30 Jan 2013 10:29:51 +0100
Subject: Add some logcheck rules for dovecot lda, amavisd-new and postfix.
---
 logcheck/ignore.d.server/dovecot | 1 +
 logcheck/ignore.d.server/postfix | 5 +++--
 logcheck/violations.ignore.d/amavisd-new | 2 +-
 logcheck/violations.ignore.d/postfix | 2 +-
 4 files changed, 6 insertions(+), 4 deletions(-)
 (limited to 'logcheck')
diff --git a/logcheck/ignore.d.server/dovecot b/logcheck/ignore.d.server/dovecot
index ef74262..37003fe 100644
--- a/logcheck/ignore.d.server/dovecot
+++ b/logcheck/ignore.d.server/dovecot
@@ -1,2 +1,3 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot: IMAP\([^[:space:]]*\): Connection closed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot: lda\([^[:space:]]*\): sieve: msgid=<[^[:space:]]*>: stored mail into mailbox '[^']*'$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imap-login: Aborted login \(3 authentication attempts\): user=<[^[:space:]]*>, method=LOGIN, rip=127\.0\.0\.1, lip=127\.0\.0\.1, secured$
diff --git a/logcheck/ignore.d.server/postfix b/logcheck/ignore.d.server/postfix
index 57da305..43a0396 100644
--- a/logcheck/ignore.d.server/postfix
+++ b/logcheck/ignore.d.server/postfix
@@ -18,7 +18,7 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: host [^[:space:]]+\[[\.0-9]+\] (greeted me|replied to HELO/EHLO) with my own hostname [^[:space:]]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: no MX host for [^[:space:]]+ has a valid A record$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: (Unv|V)erified: subject_CN=.*, issuer=.*$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: TLS connection established (from|to) [^[:space:]]+: (SSL|TLS)v[123] with cipher [^[:space:]]+ \([0-9/]+ bits\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix(/submission)?/smtpd?\[[0-9]+\]: (Anonymous)? TLS connection established (from|to) [^[:space:]]+: (SSL|TLS)v[123] with cipher [^[:space:]]+ \([0-9/]+ bits\)$
 #^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: cert has expired$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: fingerprint=[0-9A-F:]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: setting up TLS connection (from|to) [^[:space:]]+\[[\.0-9]+\]$
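Review bot: The rewritten TLS rule in this hunk no longer matches the un-prefixed form it used to ignore: in `\]: (Anonymous)? TLS connection established` the space after the optional group is mandatory, so a line of the shape `smtpd[123]: TLS connection established from …` (illustrative) would need two spaces after the colon and will now be reported, while the removed line did ignore it. Move the space inside the group: `(Anonymous )?TLS connection established`. As far as I recall Postfix also logs `Untrusted`, `Trusted` and `Verified` in that position depending on the peer certificate; if the intent is to silence all trust levels the alternation should list them, and if only anonymous sessions are meant to be silent a short comment above the rule saying so would help, since that prefix is the only record of the peer-certificate trust level in these lines.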
@@ -26,12 +26,13 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: verify error:num=(20:unable to get local issuer certificate|21:unable to verify the first certificate|26:unsupported certificate purpose|27:certificate not trusted)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: warning: (numeric|malformed) domain name in resource data of MX record for [^[:space:]]+: [^[:space:]]*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: warning: valid_hostname: (empty hostname|invalid character [0-9]+\(decimal\): [^[:space:]]+)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: ((dis)?connect|setting up TLS connection|lost connection after AUTH) from [^[:space:]]+\[[\.0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix(/submission)?/smtpd\[[0-9]+\]: ((dis)?connect|setting up TLS connection|lost connection after AUTH) from [^[:space:]]+\[[\.0-9]+\]$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: (lost connection|timeout) after [^ ]+ from [^[:space:]]+\[[\.0-9]+\]$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: SSL_accept error from [^[:space:]]+\[[\.0-9]+\]: 0
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [0-9]+:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1\.c:100:
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [0-9]+:error:1408807A:SSL routines:SSL3_GET_CERT_VERIFY:bad rsa signature:s3_srvr\.c:1833:
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:xdigit:]]+: [^[:space:]]+\[[\.0-9]+\], sasl_method=PLAIN, sasl_username=[[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/submission/smtpd\[[0-9]+\]: [[:xdigit:]]+: client=[^[:space:]]+\[[\.0-9]+\]$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: too many errors after RCPT from [^[:space:]]+\[[\.0-9]+\]$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in (MAIL|RCPT) command: (<[^>]+>)?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: address not listed for hostname [^[:space:]]+$
diff --git a/logcheck/violations.ignore.d/amavisd-new b/logcheck/violations.ignore.d/amavisd-new
index 38b08d5..71f608c 100644
--- a/logcheck/violations.ignore.d/amavisd-new
+++ b/logcheck/violations.ignore.d/amavisd-new
@@ -7,4 +7,4 @@
 #^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) mail_via_smtp: 550 5\.1\.0 <[^[:space:]]*>: Recipient address rejected: User unknown in virtual alias table$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) INFO: unfolded [0-9]+ illegal all-whitespace continuation lines$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) (Blocked|Passed) (BAD-HEADER|CLEAN|SPAM(MY)?)(, \[[\.0-9]+\])? <[^[:space:]]*> -> <[^[:space:]]*>(, (quarantine|Message-ID|mail_id|Hits|queued_as): [^[:space:]]+)+, [0-9]+ ms$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) (Blocked|Passed) (BAD-HEADER|CLEAN|SPAM(MY)?)( {RelayedInbound})?(, \[[\.0-9]+\])? <[^[:space:]]*> -> <[^[:space:]]*>(, (quarantine|(Resent-)?Message-ID|mail_id|Hits|size|queued_as): [^[:space:]]+)+, [0-9]+ ms$
diff --git a/logcheck/violations.ignore.d/postfix b/logcheck/violations.ignore.d/postfix
index 166f43b..31e526f 100644
--- a/logcheck/violations.ignore.d/postfix
+++ b/logcheck/violations.ignore.d/postfix
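Review bot: The new submission rule `postfix/submission/smtpd\[[0-9]+\]: [[:xdigit:]]+: client=[^[:space:]]+\[[\.0-9]+\]$` is anchored at `$`, so it silences only `client=` lines that carry no `sasl_method=…, sasl_username=…` suffix, i.e. submissions that were not SASL-authenticated, while the `sasl_username=` rule two lines above it still matches `postfix/smtpd` only and was not given the `(/submission)?` prefix added to the `(dis)?connect` rule in this hunk. Which of the two forms should be silent on the submission service is a policy decision, but as written the authenticated form is the one that will keep turning up in reports. If that is intended, a comment on the new line stating it would stop the next maintainer from "fixing" it; otherwise widen the `sasl_username=` rule with the same `(/submission)?` prefix. The `(lost connection|timeout) after` rule directly below the changed line was also left at `postfix/smtpd`, which may be deliberate.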
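Review bot: `( {RelayedInbound})?` in the rewritten amavis rule uses a bare `{`, which in POSIX ERE introduces an interval expression; GNU grep treats a malformed interval as a literal brace, but that is an extension, so the unambiguous spelling is `( \{RelayedInbound\})?`. If I read amavisd-new's log format correctly the braces hold the policy-bank name, so only messages from that one bank are covered by this ignore rule and lines from any other bank will still be reported; if that is the intent, a one-line comment above the rule naming the bank as the deliberate scope would make it clear.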
@@ -3,7 +3,7 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/(local|smtpd)\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: .*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/(local|smtpd)\[[0-9]+\]: warning: reject: ETRN [^[:space:]]+\.\.\. from [^[:space:]]+\[[\.0-9]+\]$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]: [[:xdigit:]]+: ((to|orig_to|relay|conn_use|delay|delays|dsn)=[^[:space:]]+, )+status=(sent|bounced|deferred) \((\(.*\)|[^\(\)]*)*\)( proto=E?SMTP helo=<[^>]*>)?$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: ([[:xdigit:]]+|NOQUEUE): (filter|reject): (DATA|MAIL|RCPT) from [^[:space:]]+\[[\.0-9]+\]: .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix(/submission)?/smtpd\[[0-9]+\]: ([[:xdigit:]]+|NOQUEUE): (filter|reject): (DATA|MAIL|RCPT) from [^[:space:]]+\[[\.0-9]+\]: .*$
 # Certificate handling is non-fatal
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:xdigit:]]+: Cannot start TLS: handshake failure$
-- 
cgit v1.2.3
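Review bot: Widening the `(filter|reject)` ignore rule with `(/submission)?` silences every rejection on the submission service, and its trailing `: .*$` swallows the reason, so a run of `NOQUEUE: reject: RCPT from …` entries on a port that should only carry authenticated clients disappears from reports together with the MTA-port noise the rule was written for. Those rejections are one of the few log-level indicators of relay probing or repeated failed authentication against the submission listener, so from a monitoring standpoint they are worth keeping visible. If the submission rejections are genuinely noise in this deployment, consider narrowing the submission branch to the specific reject reasons observed instead of `.*`, and add a comment above the rule recording why they are suppressed.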