### violations.ignore.d/amavis
amavis\[[0-9]+\]: Checking: <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$
amavis\[[0-9]+\]: SMTP-in \[[\.0-9]+\] /var/lib/amavis/amavis-[^[:space:]:-]+: <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$
amavis\[[0-9]+\]: cached [a-f0-9]+ from <[^[:space:]]*>$
amavis\[[0-9]+\]: fwd via smtp: \[[\.0-9]+:10025\] <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$
amavis\[[0-9]+\]: infected \([^[:space:]]+\), from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine virus-[0-9-]+$
amavis\[[0-9]+\]: local delivery: <[^[:space:]]+> -> <(spam|virus)-quarantine>, mbx=/var/lib/amavis/virusmails/(spam|virus)-[[:alnum:]-]+(\.gz)?$
amavis\[[0-9]+\]: spam from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine spam-[^[:space:]]+$
amavis\[[0-9]+\]: spam_scan: (No|Yes), hits=[\.0-9-]+ tests=[,_A-Z0-9]+ <[^[:space:]]*>$

### violations.ignore.d/bind
named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied$

### violations.ignore.d/bind.tmp
named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out

### violations.ignore.d/dhcp-client
dhcpd(-2.2.x)?: (send_packet|fallback_discard): Connection refused$
dhclient(-2.2.x)?: receive_packet failed on eth[0-9]: Network is down$

### violations.ignore.d/misc
# This one shows up with firewalls blocking SMB ports non-silently
kernel: Packet log: input DENY eth[0-9]+ PROTO=17 .*:137 .*:137 L=78 S=0x00 I=[0-9]+ F=0x0000 T=[0-9]+ \(#[0-9]+\)

### violations.ignore.d/netatalk.changes
afpd\[[0-9]+\]: afp_die: asp_shutdown: Connection timed out$
afpd\[[0-9]+\]: afp_getsrvrparms: stat /[^/]+/: Permission denied$
afpd\[[0-9]+\]: (afp_flushfork|afp_read|getforkparms): (ad_refresh|of_find): Permission denied$
afpd\[[0-9]+\]: dsi_stream_read\(0\): Permission denied$

### violations.ignore.d/netsaint
netsaint: SERVICE ALERT:.*;PING;CRITICAL;.*;PING CRITICAL - Packet loss =.*%, RTA =.*ms
netsaint: SERVICE ALERT:.*;ROUTER;CRITICAL;.*;CRITICAL - Plugin timed out after 10 seconds
netsaint: SERVICE ALERT:.*;ROUTER;OK;.*;PING OK - Packet loss =.*%, RTA =.*ms
netsaint: SERVICE FLAPPING ALERT:.*;PING;STOPPED; Service appears to have stopped flapping (.*% change < .*% threshold)
netsaint: SERVICE FLAPPING ALERT:.*;PING;STARTED; Service appears to have started flapping (.*% change >.*% threshold)
netsaint: SERVICE ALERT: mail;SMTP;CRITICAL;.*;Connection refused by host
netsaint: SERVICE NOTIFICATION:.*;CRITICAL;notify-by-.*;Connection refused by host
netsaint: SERVICE ALERT: mail;SMTP;OK;.* OK - 0 second response time
netsaint: HOST ALERT:.*;DOWN;SOFT;.*;CRITICAL.*
netsaint: HOST ALERT:.*;UP;SOFT;.*;PING OK.*
netsaint: Successfully shutdown\.\.\. \(PID=[0-9]+\) $

### violations.ignore.d/pmud
pmud\[[0-9]+\]: Sleep for this PMU unsupported: will shutdown the machine on sleep request$

### violations.ignore.d/postfix
postfix/(local|smtpd)\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host not found(, try again)?$
postfix/(qmgr|smtp)\[[0-9]+\]: [^\(]+ status=deferred \(connect to [^[:space:]\[]+\[[\.0-9]+\]: (Connection refused|server refused mail service)\)$
postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=<[^[:space:]>]+>$
postfix/local\[[0-9]+\]: warning: reject: ETRN [^[:space:]]+\.\.\. from [^[:space:]\[]+\[[\.0-9]+\]$
postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied$
postfix/nqmgr\[[0-9]+\]: [A-Z0-9]+: from=<[^[:space:]>]+>, size=[0-9]+, nrcpt=[0-9]+ \(queue active\)$
postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(Name service error for [^[:space:]:]+: Host not found\)$
postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(bad host/domain syntax: "[^"]+"\)$
postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host 127\.0\.0\.1\[127\.0\.0\.1\] said: 550 Message content rejected, id=[^\)]+\)?\)$
postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 504 <[^>]+>: Sender address rejected: need fully-qualified address$
postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 550 [^\)]+ (Access denied|Recipient address rejected|Relaying denied|Sender Not Authorised|unknown or illegal alias|User unknown; rejecting)[^\)]*\)$
postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 552 header content rejected: see [^\)]+\)$
postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 553 sorry, your envelope sender has been denied [^\)]+\)$
postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 554 <[^[:space:]>]+>:( Recipient address rejected:)? Relay access denied\)$
postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 571 <>\.\.\. denied\)$
postfix/smtp\[[0-9]+\]: [^\(]+ status=deferred \(host [^[:space:]]+ said: 450 <[^[:space:]>]+>: (Recipient address rejected: Recipient mailbox is full|Sender address rejected: Domain not found)\)$
postfix/smtp\[[0-9]+\]: [^\(]+ status=deferred \(host [^[:space:]]+ said: 451 Transaction failed.\)$
postfix/smtp\[[0-9]+\]: connect to [^[:space:]\[]+\[[\.0-9]+\]: (Connection refused|server refused mail service) \(port 25\)$
postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 450 <[^>]+>: (Sender|Recipient) address rejected: Domain not found; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 452 Insufficient system storage; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 501 <[^>]+>: Helo command rejected: Invalid (ip address|name); from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 503 Improper use of SMTP command pipelining; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 504 <[^>:]+>: Helo command rejected: Invalid name; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 504 <[^>]+>: (Helo command|Recipient address) rejected: need fully-qualified (address|hostname); from=<[^[:space:]>]+> to=<[^[:space:]>]+>( proto=SMTP helo=<[^[:space:]>]+>)?$
postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 550 <[^>]+>: User unknown; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 554 <[^>]+>: (Recipient address rejected: )?(Relay a|A)ccess denied; from=<[^[:space:]>]*> to=<[^[:space:]>]+>$
postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 554 Service unavailable; .* blocked using .*; from=<[^[:space:]>]+> to=<[^[:space:]>]+>
postfix/smtpd\[[0-9]+\]: warning: [^[:space:]:]+: hostname [\.[:alnum:]-]+ verification failed: Host name has no address$

### violations.ignore.d/proftpd
proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - USER anonymous \(Login failed\): Can't find user\.$

### violations.ignore.d/samba
smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for 4\. Error = (No route to host|Connection reset by peer)$

### violations.ignore.d/ssh
sshd\[[0-9]+\]: Failed keyboard-interactive for [^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$

### violations.ignore.d/temp
afpd\[[0-9]+\]: afp_flushfork: of_find: Permission denied
afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied
afpd\[[0-9]+\]: bad function 7A
afpd\[[0-9]+\]: cnid_open: Cannot establish logfile cleanup lock for database environment .*/\.AppleDB/cnid\.lock \(open\(\) failed\)
afpd\[[0-9]+\]: dsi_stream_read\(0\): Permission denied
afpd\[[0-9]+\]: error removing /.+/net[\.0-9]+node[0-9]+: Permission denied
afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument)
IMP\[[0-9]+\]: FAILED .* to .*:143 as .*
i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\]
kernel: IP_MASQ:reverse ICMP: failed checksum from .*!
kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\)
PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
portsentry\[[0-9]+\]: attackalert: .*
smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !
smbd\[[0-9]+\]: read_socket_data: recv failure for 4. Error = No route to host
smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\.
sshd\[[0-9]+\]: Failed password for .*
pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
postfix/smtpd\[[0-9]+\]: reject: .*: 550 <.*>: User unknown; .*
postfix/smtpd\[[0-9]+\]: reject: .*: 554 <.*>: Recipient address rejected: User unknown; .*
postfix.*\[[0-9]+\]: .* from=<(groove@mailomat.grooveattack.com|refused@maila.com)>
snort: spp_http_decode: IIS Unicode attack detected:
postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .*
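The following is an added example, not one of the ignore files above and not logcheck's own code. It replays a handful of the rules above (copied verbatim from the violations.ignore.d/ssh and violations.ignore.d/temp sections) against constructed syslog lines, the way logcheck's egrep -v -f pass would: any rule matching anywhere in a line suppresses it. Because the rules are POSIX extended regexes, the [:space:] and [:alnum:] bracket classes are rewritten before Python's re compiles them. The overly_broad_rules audit is an assumed heuristic of mine, not a logcheck feature; it exists to show why the temp file's trailing-.* rules (sshd "Failed password for .*", portsentry "attackalert: .*") are dangerous: with the ssh file alone the brute-force and portsentry lines are reported, with the temp file added they vanish. Host names, PIDs and addresses in the sample lines are made up.

```python
"""Replay logcheck-style ignore rules against sample syslog lines.

Added example, not one of the ignore files above. It models the
`egrep -v -f <ignore-file>` pass logcheck performs: a line is dropped
when ANY ignore rule matches somewhere in it (search, not an anchored
match, which is why the rules above carry no leading '^') and is
reported otherwise. Matching is case-sensitive here; adjust if your
grep invocation passes -i.
"""
import re
from typing import Dict, List, Tuple

# POSIX bracket classes used by the ignore files -> Python re equivalents.
# Both only ever appear inside a [...] expression, so \s and a range work.
_POSIX_CLASSES = {
    "[:space:]": r"\s",
    "[:alnum:]": "a-zA-Z0-9",
}


def posix_ere_to_python(rule: str) -> str:
    """Rewrite POSIX bracket classes so Python's re accepts the rule."""
    for posix, py in _POSIX_CLASSES.items():
        rule = rule.replace(posix, py)
    return rule


def load_ignore_rules(text: str) -> List[Tuple[str, re.Pattern]]:
    """Parse one ignore file: skip blank lines and '#' comments (the
    '### violations.ignore.d/...' separators count as comments) and keep
    each rule's original text beside its compiled form for attribution.
    Trailing whitespace in a rule is significant to grep, so only the
    newline is removed."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rules.append((line, re.compile(posix_ere_to_python(line))))
    return rules


def filter_violations(log_lines, rules) -> Tuple[List[str], Dict[str, str]]:
    """Return (reported, suppressed): reported keeps lines no rule matched;
    suppressed maps each dropped line to the first rule that matched it."""
    reported, suppressed = [], {}
    for line in log_lines:
        for rule_text, rx in rules:
            if rx.search(line):
                suppressed[line] = rule_text
                break
        else:
            reported.append(line)
    return reported, suppressed


def overly_broad_rules(rules) -> List[str]:
    """Assumed heuristic, not a logcheck feature: a rule that ends in an
    unanchored '.*' accepts every variant of that message, so it also hides
    the variants an analyst wants to see (every sshd 'Failed password for'
    line, whatever the user or source address)."""
    return [text for text, _ in rules if text.endswith(".*")]


# Constructed ignore-file excerpts; the rules are copied from the
# violations.ignore.d/ssh and violations.ignore.d/temp sections above.
IGNORE_SSH = r"""### violations.ignore.d/ssh
sshd\[[0-9]+\]: Failed keyboard-interactive for [^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$
"""

IGNORE_TEMP = r"""### violations.ignore.d/temp
sshd\[[0-9]+\]: Failed password for .*
portsentry\[[0-9]+\]: attackalert: .*
postfix/smtpd\[[0-9]+\]: reject: .*: 550 <.*>: User unknown; .*
"""

# Constructed syslog lines (host, PIDs and addresses are made up).
SAMPLE_LOG = [
    "Mar  3 04:12:07 mail sshd[2211]: Failed keyboard-interactive for alice from 10.1.2.3 port 40122 ssh2",
    "Mar  3 04:12:09 mail sshd[2212]: Failed password for root from 10.1.2.3 port 40124 ssh2",
    "Mar  3 04:12:10 mail sshd[2213]: Failed password for invalid user admin from 10.1.2.3 port 40125 ssh2",
    "Mar  3 04:13:00 mail portsentry[917]: attackalert: Connect from host: 10.1.2.3/10.1.2.3 to TCP port: 143",
    "Mar  3 04:14:31 mail postfix/smtpd[3001]: reject: RCPT from unknown[10.1.2.3]: 550 <nobody@example.com>: User unknown; from=<x@example.net> to=<nobody@example.com>",
    "Mar  3 04:15:02 mail sshd[2214]: Accepted publickey for alice from 10.1.2.3 port 40130 ssh2",
]


def run_with(*ignore_texts: str) -> Tuple[List[str], Dict[str, str]]:
    """Apply the given ignore files, in order, to SAMPLE_LOG."""
    rules = [r for text in ignore_texts for r in load_ignore_rules(text)]
    return filter_violations(SAMPLE_LOG, rules)


if __name__ == "__main__":
    for label, files in (("ssh only", (IGNORE_SSH,)),
                         ("ssh + temp", (IGNORE_SSH, IGNORE_TEMP))):
        reported, suppressed = run_with(*files)
        print(f"--- {label}: {len(reported)} reported, {len(suppressed)} suppressed")
        for line in reported:
            print("REPORT  ", line)
        for line, rule in suppressed.items():
            print("SUPPRESS", line, "\n          by:", rule)
    print("--- trailing-.* rules in temp:",
          overly_broad_rules(load_ignore_rules(IGNORE_TEMP)))
```

Run it as a script to see the two passes side by side; the per-line attribution (which rule suppressed which line) is what you want when pruning a temp file like the one above, since logcheck itself only tells you what survived.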