path: root/logcheck/ignore.d.workstation/local

### ignore.d.server/amanda
amandad\[[0-9]+\]: connect from
### ignore.d.server/amavis
amavis\[[0-9]+\]: infected \([^[:space:]]+\), from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine virus-[0-9-]+
amavis\[[0-9]+\]: local delivery: <[^[:space:]]+> -> <(spam|virus)-quarantine>, mbx=/var/lib/amavis/virusmails/(spam|virus)-[[:alnum:]-]+(\.gz)?
amavis\[[0-9]+\]: mail checking ended: (DISCARD|REJECT)
amavis\[[0-9]+\]: spam from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine spam-[^[:space:]]+
amavis\[[0-9]+\]: spam_scan: Yes, hits=[\.0-9]+ tests=[^[:space:]]+ <[^[:space:]]+>
### ignore.d.server/anacron
anacron\[[0-9]+\]: Job `cron.(daily|weekly|monthly)' terminated( \(exit status: 1\))?( \(mailing output\))?
anacron\[[0-9]+\]: Normal exit
anacron\[[0-9]+\]: Anacron 2.3 started on [0-9-]+
anacron\[[0-9]+\]: Will run job `cron.(daily|weekly|monthly)' in (5|10|15) min\.
anacron\[[0-9]+\]: Jobs will be executed sequentially
anacron\[[0-9]+\]: Job `cron.(daily|weekly|monthly)' started
anacron\[[0-9]+\]: Updated timestamp for job `cron.(daily|weekly|monthly)' to [0-9-]+
### ignore.d.server/bind
named\[[0-9]+\]: .*: query\(.*\) NS points to CNAME \(.*\)
named\[[0-9]+\]: NSTATS [0-9]+ [0-9]+
named\[[0-9]+\]: .* All possible .* lame
named\[[0-9]+\]: sysquery: query\(.*\) No possible A RRs
named\[[0-9]+\]: client .*: transfer of '.*': AXFR started
named\[[0-9]+\]: zone .*/IN: transfered serial [0-9]+
named\[[0-9]+\]: transfer of '.*/IN' from .*: end of transfer
named\[[0-9]+\]: zone .*/IN: sending notifies \(serial [0-9]+\)
named\[[0-9]+\]: rcvd NOTIFY\(.*, IN, SOA\) from \[.*\]\.[0-9]+
named\[[0-9]+\]: late CNAME in answer section for .*
### ignore.d.server/bind.tmp
named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out
named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied
### ignore.d.server/courier
courierpop3login: Connection, ip=\[::ffff:.*\]
courierpop3login: LOGIN, user=.*, ip=\[::ffff:.*\]
courierpop3login: LOGOUT, user=.*, ip=\[::ffff:.*\], top=.* retr=.*
courierpop3login: Disconnected, ip=\[::ffff:.*\]
courierpop3login: TIMEOUT, user=.*, ip=\[::ffff:.*\], top=0, retr=0
pop3d-ssl: Connection, ip=\[::ffff:.*\]
pop3d-ssl: LOGIN, user=.*, ip=\[::ffff:.*\]
pop3d-ssl: LOGOUT, user=.*, ip=\[::ffff:.*\], top=.*, retr=.*
pop3d-ssl: TIMEOUT, user=.*, ip=\[::ffff:.*\],top=.*, retr=.*
imaplogin: Connection, ip=\[::ffff:.*\]
imaplogin: LOGIN, user=.*, ip=\[::ffff:.*\]
imaplogin: LOGOUT, user=.*, ip=\[::ffff:.*\], headers=.* body=.*
imaplogin: DISCONNECTED, user=.*, ip=\[::ffff:.*\].*
imapd-ssl: LOGOUT, user=.*, ip=\[::ffff:.*\], headers=.* body=.*
imapd-ssl: Connection, ip=\[::ffff:.*\]
imapd-ssl: LOGIN, user=.*, ip=\[::ffff:.*\]
imapd-ssl: DISCONNECTED, user=.*, ip=\[::ffff:.*\]
### ignore.d.server/dancer-ircd
ircd\[[0-9]+\]: ircd exiting: autodie
ircd\[[0-9]+\]: Server Ready
(ircd\[[0-9]+\]: )?binding stream socket [\.[:alnum:]]+\[\*\.666[789]\]: Address already in use
### ignore.d.server/dhcp-client
# NB: dhcp 2-x entries are in dhcp
dhclient(-2.2.x)?: DHCP(REQUEST|DISCOVER) on .* to .* port 67( interval [0-9]+)?
dhclient(-2.2.x)?: DHCP(ACK|OFFER) from [\.0-9]+
dhclient(-2.2.x)?: bound to .* -- renewal in [0-9]+ seconds\.
dhclient(-2.2.x)?: irda0: unknown hardware address type 783
### ignore.d.server/dhcp.changes
# NB: dhcp3 entries are in dhcp3-common
dhcpd-2.2.x: Abandoning IP address [\.0-9]+: pinged before offer
dhcpd-2.2.x: BOOTREQUEST from [:0-9a-f]+
dhcpd-2.2.x: DHCP(ACK|NACK|OFFER) on [\.0-9]+ to [:0-9a-f]+ via eth[0-9]+
dhcpd-2.2.x: DHCPDISCOVER from .* via eth[0-9]+
dhcpd-2.2.x: DHCPRELEASE of [\.0-9]+ from [:0-9a-f]+ via eth[0-9]+ \((not )?found\)
dhcpd-2.2.x: DHCPREQUEST for .* from .* via eth[0-9]+
### ignore.d.server/dhcp3-common
dhcpd: Abandoning IP address [\.0-9]+: pinged before offer
dhcpd: BOOTREQUEST from
dhcpd: DHCP(ACK|NACN|OFFER) on [\.0-9]+ to [:0-9a-f]+( \([^[:space:]]+\))? via eth[0-9]+
dhcpd: DHCPACK to [\.0-9]+
dhcpd: DHCPDISCOVER from [:0-9a-f]+ via eth[0-9]+
dhcpd: DHCPINFORM from
dhcpd: DHCPRELEASE of [\.0-9]+
dhcpd: DHCPREQUEST for [\.0-9]+ from [:0-9a-f]+( \([^[:space:]]+\))? via eth[0-9]+
dhcpd: ICMP Echo reply while lease [\.0-9]+ valid.
dhcpd: Wrote [0-9]+ (leases|deleted host decls|new dynamic host decls) to leases file\.
dhcpd: accepting packet with data after udp payload.
dhcpd: ip length 576 disagrees with bytes received 590.
### ignore.d.server/gdm
gdm\[[0-9]+\]: run_pictures: .*/.gnome/gdm .*\.
### ignore.d.server/gdm.da_DK
gdm\[[0-9]+\]: Pingning af.* mislykkedes, deaktiver terminal!
gdm\[[0-9]+\]: gdm_slave_xioerror_handler: Fatal X-fejl - genstarter.*

### ignore.d.server/hotplug
/etc/hotplug/net.agent: invoke if(up|down) ppp[0-9]
/etc/hotplug/net.agent: assuming ppp[0-9] is already up
### ignore.d.server/hylafax-server
Fax(Getty|Send)\[[0-9]+\]: STATE CHANGE:( ->| BASE| LOCKWAIT| LISTENING| RUNNING| ANSWERING| RECEIVING| MODEMWAIT)+
Fax(Getty|Send)\[[0-9]+\]: MODEM (ROCKWELL|ZYXEL) .*
FaxGetty\[[0-9]+\]: RECV FAX \([0-9]+\): from .*, page .* in [0-9]+:[0-9]+, INF, .* line/mm, (1|2)-D MR(, [0-9]+ bit/s)?
FaxGetty\[[0-9]+\]: RECV FAX \([0-9]+\): recvq/fax[0-9]+\.tif from .*, route to .*, [0-9]+ pages in [0-9]+:[0-9]+
FaxGetty\[[0-9]+\]: RECV FAX: bin/faxrcvd "recvq/fax[0-9]+\.tif" "ttyS[012]" "[0-9]+" ""
FaxGetty\[[0-9]+\]: ANSWER: Ring detected without successful handshake
FaxGetty\[[0-9]+\]: ANSWER: FAX CONNECTION
FaxQueuer\[[0-9]+\]: SUBMIT JOB [0-9]+
FaxSend\[[0-9]+\]: SEND FAX: JOB [0-9]+ DEST [0-9]+ COMMID [0-9]+
HylaFAX\[[0-9]+\]: Filesystem has SysV-style file creation semantics.
### ignore.d.server/imp
IMP\[[0-9]+\]: Login .* to .*:143 as .*
### ignore.d.server/libgpmg1
[[:alnum:]]: /dev/gpmctl: No such file or directory
### ignore.d.server/libpam-modules
pam_limits\[[0-9]+\]: default limits skipped for 'root'
### ignore.d.server/mailutils-imap4d
gnu-imap4d\[[0-9]+\]: Incoming connection opened
gnu-imap4d\[[0-9]+\]: connect from [\.0-9]+
gnu-imap4d\[[0-9]+\]: User '[[:alnum:]]+' logged in
gnu-imap4d\[[0-9]+\]: Session timed out for user: [[:alnum:]]+
gnu-imap4d\[[0-9]+\]: got signal Alarm clock
### ignore.d.server/misc
# Figure out if these belong to dhcp or dhcp3-common (or dhclient?)
dhcpd.*: Reclaiming( REQUESTed) abandoned IP address [\.0-9]+
dhcpd.*: already acking lease
dhcpd.*: send_packet: Connection refused
dhcpd.*: fallback_discard: Connection refused
# These show up when isdnutils is installed, but isn't strictly related to those packages
kernel: isdn_net: call from [,0-9]+ -> [0-9]+
kernel: isdn_net: Service-Indicator not [0-9], ignored
# This one shows up with firewalls blocking SMB ports non-silently
kernel: Packet log: input DENY eth[0-9]+ PROTO=17 .*:(137|138) .*:(137|138) L=[0-9]+ S=0x00 I=[0-9]+ F=0x0000 T=[0-9]+ \(#[0-9]+\)
### ignore.d.server/murasaki
murasaki\.usb\[[0-9]+\]: found depended module="[[:alnum:]]+"
murasaki\.(usb|net)\[[0-9]+\]: try expanding "\[net\]"
murasaki\.(usb|net)\[[0-9]+\]: dependent\(net\) is found
murasaki\.(usb|net)\[[0-9]+\]: net device is (added|removed|(un)?register(e)?d)
murasaki\.(usb|net)\[[0-9]+\]: Execuing "net" "(stop|start)"
murasaki\.(usb|net)\[[0-9]+\]: execute if(up|down) (eth|(i)?ppp|irda)[0-9]
murasaki\.usb\[[0-9]+\]: (MATCH\(audio\) -> match_flags:[[:alnum:]]+ )?vendor:[[:alnum:]]+ product:[[:alnum:]]+ Dclass:[[:alnum:]]+ Dsubclass:[[:alnum:]]+ Dprotocol:[[:alnum:]]+ Iclass:[[:alnum:]]+ Isubclass:[[:alnum:]]+ Iprotocol:[[:alnum:]]+
### ignore.d.server/netatalk.changes
afpd\[[0-9]+\]: CNID DB initialized using Sleepycat Software: Berkeley DB
afpd\[[0-9]+\]: removed [^[:space:]]+/net[\.0-9]+node[0-9]+
afpd\[[0-9]\]: ((dhx|cleartext|randnum/rand2num) )?login: [[:alnum:]]+
afpd\[[0-9]\]: (server_child\[[0-9]+\] [0-9]+ )?(done|exited 1)
afpd\[[0-9]\]: ASIP session:[0-9]+\([0-9]+\) from [\.:0-9]+\([0-9]+\)
afpd\[[0-9]\]: Connection terminated
afpd\[[0-9]\]: [\.[:alnum:]]+ read, [\.[:alnum:]]+ written
afpd\[[0-9]\]: [^[:space:]]+: Broken pipe
afpd\[[0-9]\]: [^[:space:]]+: Connection reset by peer
afpd\[[0-9]\]: [^[:space:]]+: (C|c)onnection timed out
afpd\[[0-9]\]: [^[:space:]]+: No route to host
afpd\[[0-9]\]: [^[:space:]]+: No such file or directory
afpd\[[0-9]\]: [^[:space:]]+: Permission denied
afpd\[[0-9]\]: [^[:space:]]+: child timed out
afpd\[[0-9]\]: afp_openfork: ad_open: File Exists
afpd\[[0-9]\]: asp_alrm: [0-9]+ timed out
afpd\[[0-9]\]: login [[:alnum:]]+ \(uid [0-9]+, gid [0-9]+\)
afpd\[[0-9]\]: login noauth
afpd\[[0-9]\]: logout [[:alnum:]]+
afpd\[[0-9]\]: registering [[:alnum:]]+ \(uid [0-9]+\) on [\.0-9]+ as /.+/net[\.0-9]+node[0-9]+
afpd\[[0-9]\]: session from [\.:0-9]+ on [\.:0-9]+
afpd\[[0-9]\]: uams_dhx_pam.c :PAM: PAM (Auth OK!|Success -- Success)
afpd\[[0-9]\]: using codepage directory: /etc/netatalk/nls/maccode\.[\.[:alnum:]-]+
atalkd\[[0-9]+\]: [^[:space:]]+: zip gnireply from [\.0-9]+ \([^[:space:]]+\)
atalkd\[[0-9]+\]: [^[:space:]]+: zip ignoring gnireply
atalkd\[[0-9]\]: [^[:space:]]+: Network is unreachable
atalkd\[[0-9]\]: zip gnireply from [\.0-9]+ \([^[:space:]]+\)
atalkd\[[0-9]\]: zip ignoring gnireply
papd\[[0-9]\]: child [0-9]+ done
papd\[[0-9]\]: child [0-9]+ for "[^[:space:]]+" from [\.0-9]+
### ignore.d.server/netsaint
netsaint: SERVICE (ALERT|NOTIFICATION|FLAPPING ALERT): .*
netsaint: Auto-save of retention data completed successfully\.
netsaint: HOST ALERT:.*;DOWN;SOFT;.*;CRITICAL - Plugin timed out after 10 seconds
netsaint: HOST ALERT:*;UP;SOFT;.*;PING OK - Packet loss = 0%, RTA =.*ms
netsaint: SERVICE ALERT:.*;HTTP;CRITICAL;HARD;.*;Connection refused or timed out
### ignore.d.server/non-debian
# These entries are for syslogd open for remote hosts
# (and advertised through DHCP)
#
# HP printers
printer: peripheral low-power state
printer: paper out
printer: error cleared
printer: powered up
printer: ready to print
### ignore.d.server/ntp-simple.changes
ntpd\[[0-9]+\]: kern_enable is 1
ntpd\[[0-9]+\]: precision = [0-9]+ usec
ntpd\[[0-9]+\]: signal_no_reset: signal 13 had flags [0-9]+
ntpd\[[0-9]+\]: using kernel phase-lock loop [0-9]+
### ignore.d.server/pop-before-smtp
pop-before-smtp\[[0-9]+\]: (opening|closing) relay for [\.0-9]+( --- not in mynetworks)?
### ignore.d.server/postfix
postfix/[[:alnum:]]+\[[0-9]+\]: table has changed -- exiting
postfix/cleanup\[[0-9]+\]: warning: premature end-of-input from cleanup socket while reading input attribute name
postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied
postfix/master\[[0-9]+\]: reload configuration
postfix/postfix-script: refreshing the Postfix mail system
postfix/qmgr\[[0-9]+\]: [A-Z0-9]+: skipped, still being delivered
postfix/smtp\[[0-9]+\]: [A-Z0-9]+: enabling PIX <CRLF>\.<CRLF> workaround for [\.[:alnum:]-]+\[[\.0-9]+\]
postfix/smtp\[[0-9]+\]: [^[:space:]]+ status=deferred \(connect to [^[:space:]]+: (Connection refused|server refused mail service)\)
postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+: (Connection (refused|reset by peer|timed out)|read timeout|server (refused mail service|dropped connection)|No route to host) \(port 25\)
postfix/smtp\[[0-9]+\]: warning: bad size limit "truncates" in EHLO reply from [^[:space:]]+
postfix/smtp\[[0-9]+\]: warning: host [\.[:alnum:]-]+\[[\.0-9]+\] (greeted me|replied to HELO/EHLO) with my own hostname [\.[:alnum:]-]+
postfix/smtp\[[0-9]+\]: warning: mailer loop: best MX host for [^[:space:]]+ is local
postfix/smtp\[[0-9]+\]: warning: no MX host for [\.[:alnum:]-]+ has a valid A record
postfix/smtp\[[0-9]+\]: warning: numeric domain name in resource data of MX record for [^[:space:]]+: [\.0-9]+
postfix/smtpd\[[0-9]+\]: (lost connection|timeout) after [^ ]+ from [\.[:alnum:]-]+\[[\.0-9]+\]
postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+ sent (message header|mail content) instead of SMTP command:
postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+: address not listed for hostname [^[:space:]]+
postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+: hostname [\.[:alnum:]-]+ verification failed: Host (name has no address|not found)
### ignore.d.server/postgresql
postgres\[[0-9]+\]: \[[0-9-]+\] \^ICPU .* sec elapsed .* sec\.
postgres\[[0-9]+\]: \[[0-9-]+\] \^ITotal CPU .* sec elapsed .* sec\.
### ignore.d.server/ppp
chat\[[0-9]+\]: abort on \(.*\)
chat\[[0-9]+\]: expect \(.*\)
chat\[[0-9]+\]: send \(AT.*\^M\)
chat\[[0-9]+\]:  -- got it
chat\[[0-9]+\]: AT.*\^M\^M
chat\[[0-9]+\]: \^M
chat\[[0-9]+\]: CONNECT
chat\[[0-9]+\]: OK
chat\[[0-9]+\]: send \(\\d\)
### ignore.d.server/proftpd
proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]]+\[[\.0-9]+\]\) - FTP session opened\.
proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]]+\[[\.0-9]+\]\) - FTP login timed out, disconnected\.
proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]]+\[[\.0-9]+\]\) - USER (anonymous|ftp)(@[\.[:alnum:]]+)? \(Login failed\): Can't find user\.
proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]]+\[[\.0-9]+\]\) - USER (anonymous|ftp)(@[\.[:alnum:]]+)?: no such user found from .*\[[\.0-9]+\] to [\.0-9]+
proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]]+\[[\.0-9]+\]\) - no such user '(anonymous|ftp)(@[\.[:alnum:]]+)?'
proftpd\[[0-9]+\]: connect from [\.0-9]+
proftpd\[[0-9]+\]: No certificate files found!
proftpd\[[0-9]+\]: [^[:space:]]+ ([^[:space:]]+\[[\.0-9]\]) - Refused PORT.* (address mismatch)\.
### ignore.d.server/samba
smbd\[[0-9]+\]:   read(_socket)?_data: (read|recv) failure for 4\. Error = (No route to host|Connection reset by peer)
smbd\[[0-9]+\]: \[[/0-9]+ [:0-9]+, [0-9]+\] lib/util_sock.c:read(_socket)?_data\([0-9]+\)
### ignore.d.server/spamassassin
spamd\[[0-9]+\]: Creating default_prefs
spamd\[[0-9]+\]: connection from .* at port
spamd\[[0-9]+\]: clean message for
spamd\[[0-9]+\]: identified spam for
spamd\[[0-9]+\]: skipped large message in
### ignore.d.server/squid
squid\[[0-9]+\]:   Finished.  Wrote [0-9]+ entries\.
squid\[[0-9]+\]:   Took [\.0-9]+ seconds \(.* entries/sec\)\.
squid\[[0-9]+\]: (access|store)LogRotate: Rotating(\.)?
squid\[[0-9]+\]: logfileRotate: /var/log/squid/(access|store).log
squid\[[0-9]+\]: (Closing Pinger socket|Pinger socket opened) on FD [0-9]+
squid\[[0-9]+\]: NETDB state saved;
squid\[[0-9]+\]: storeDirWriteCleanLogs: Starting\.\.\.
squid\[[0-9]+\]: helperOpenServers: Starting [0-9]+ '.*' processes
### ignore.d.server/ssh
sshd\[[0-9]+\]: syslogin_perform_logout: logout\(\) returned an error
sshd\[[0-9]+\]: Could not reverse map address .*\.
sshd\[[0-9]+\]: Connection closed by .*
sshd\[[0-9]+\]: Did not receive ident(ification)? string from [\.0-9]+
sshd\[[0-9]+\]: scanned from [\.0-9]+ with SSH-1\.0-SSH_Version_Mapper\.  Don't panic\.
sshd\[[0-9]+\]: Disconnecting: Your ssh version is too old and is no longer supported\.  Please install a newer version\.
sshd\[[0-9]+\]: Accepted (keyboard-interactive|publickey) for [[:alnum:]]+ from [\.0-9]+ port [0-9]+ ssh2
sshd\[[0-9]+\]: warning: /etc/hosts.deny, line 15: can't verify hostname: gethostbyname(.*) failed
sshd\[[0-9]+\]: refused connect from .*
sshd\[[0-9]+\]: Received disconnect from [\.0-9]+: 11: Disconnect requested by Windows SSH Client.
sshd\[[0-9]+\]: subsystem request for sftp
### ignore.d.server/ssmtp
sSMTP mail\[[0-9]+\]: .* sent mail for root
### ignore.d.server/tftpd
in.tftpd\[[0-9]+\]: RRQ from.*filename.*
in.tftpd\[[0-9]+\]: tftp: client does not accept options 
### ignore.d.server/tmp
## imp
IMP\[[0-9]+\]: FAILED .* to .*:143 as .*
## libpam-modules
PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
# old-style pam entries (no longer provided by logcheck but needed on woody
PAM_.*: .* session (opened|closed) for user .*
## netatalk
afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM (Auth OK!|Success -- .*|User entered a null value -- .*)
afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument)
afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM: User entered a null value -- No such file or directory
afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied
afpd\[[0-9]+\]: bad function 7A
atalkd\[[0-9]+\]: as_timer sendto: Netvaerket er ikke tilgaengeligt
## hylafax-server
FaxGetty\[[0-9]+\]: ANSWER: Can not lock modem device
gnome-name-server\[[0-9]+\]: server_is_alive: .*
## uw-imap
i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\]
## ppp
ipppd\[[0-9]+\]: Connect\[0\]: /dev/ippp[0-9], fd: 12
## misc
kernel: Disorder[0-9] [0-9] [0-9] f[0-9] s[0-9] rr[0-9]
kernel: IP_MASQ:reverse ICMP: failed checksum from .*!
kernel: OPEN: [\.0-9]* -> [\.0-9]* UDP, port: [0-9]* -> [0-9]*
kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\)
kernel: lp[0-9]: compatibility mode
kernel: Undo( partial)? (Hoe|loss|retrans)
printer: offline or intervention needed
## ntp-simple
ntpd\[[0-9]+\]: synchronisation lost
ntpd\[[0-9]+\]: synchronisation lost
ntpd\[[0-9]+\]: time reset [\.0-9-]* .
ntpd\[[0-9]+\]: time reset [\.0-9-]+ s
## portsentry
portsentry\[[0-9]+\]: attackalert: .*
## pump
pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
## samba
smbd\[[0-9]+\]:   read_socket_data: recv failure for 4. Error = No route to host
smbd\[[0-9]+\]:   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !
smbd\[[0-9]+\]: \[[/[0-9]]+ [:[0-9]]+, 0\] smbd/service.c:find_service\([0-9]+\)
smbd\[[0-9]+\]:   yield_connection: tdb_delete for name  failed with error Record does not exist\.
smbd\[[0-9]+\]: \[.*\] smbd/connection.c:yield_connection\([0-9]+\)
smbd\[[0-9]+\]: \[.*\] passdb/pampass.c:smb_pam_passcheck\([0-9]+\)
sshd\[[0-9]+\]: Failed password for .*
sshd\[[0-9]+\]: packet_set_maxsize: setting to 4096
## postfix
postfix.*\[[0-9]+\]: .* from=<groove@mailomat.grooveattack.com>
postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [\.[:alnum:]-]+\[[\.0-9]+\] in MAIL command: <C:\\Email\\Headers\\fresh froms 5-1\.txt>

rpc.mountd: authenticated mount request from .* for .*
## snort
snort: .*FrontPage
snort: IDS015 - RPC - portmap-request-status:
snort: IDS029 - SCAN-Possible Queso Fingerprint attempt:
snort: IDS115 - MISC-Traceroute-UDP:
snort: IDS212 - MISC - DNS Zone Transfer:
snort: IDS226 - CVE-1999-0172 - CGI-formmail:
snort: IDS246 - MISC - Large ICMP Packet:
snort: IIS-
snort: MISC-Attempted Sun RPC high port access:
snort: NETBIOS-SMB-C:
snort: NETBIOS-SMB-CD...:
snort: NMAP TCP ping!:
snort: RPC Info Query:
snort: SCAN-SYN FIN:
snort: spp_http_decode: IIS Unicode attack detected:
snort: spp_portscan: End of portscan
snort: spp_portscan: PORTSCAN DETECTED
snort: spp_portscan: portscan status from
snort: WEB-../..:
snort: WEB-CGI-upload.pl:
## postgres
postgres\[[0-9]+\]: \[.*\] DEBUG:
postgres\[[0-9]+\]: \[[0-9-]*\]  Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\.
postgres\[[0-9]+\]: \[[0-9-]*\] [0-9]*; Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\.
## amavis
amavis\[[0-9]+\]: warning - MIME::Parser error: .*
### ignore.d.server/ucd-snmp
ucd-snmp\[[0-9]+\]: Connection from .*
### ignore.d.server/uw-imap.changes
i(map|pop(2|3))d\[[0-9]+\]: (Broken pipe|Command stream end of file|Connection (reset by peer|timed out))(,)? while (reading (authentication|line|literal|char)|writing text) (user=.* )?host=(([^[:space:]]+ )?\[[\.0-9]+\]|UNKNOWN)
i(map|pop3)d\[[0-9]+\]: (Login|Auth|Authenticated|Logout|Autologout) user=.* host=(([^[:space:]]+ )?\[[\.0-9]+\]|UNKNOWN)
i(map|pop3)d\[[0-9]+\]: Killed \(lost mailbox lock\) user=.* host=(([^[:space:]]+ )?\[[\.0-9]+\]|UNKNOWN)
i(map|pop3)d\[[0-9]+\]: Moved [0-9]+ bytes of new mail to [^[:space:]]+ from [^[:space:]]+ host= (([^[:space:]]+ )?\[[\.0-9]+\]|UNKNOWN)
imapd\[[0-9]+\]: (port 143|imap|imaps SSL) service init from
imapd\[[0-9]+\]: No route to host, while reading line user=.* host=(([^[:space:]]+ )?\[[\.0-9]+\]|UNKNOWN)
ipop3d\[[0-9]+\]: Error opening or locking INBOX user=.* host=(([^[:space:]]+ )?\[[\.0-9]+\]|UNKNOWN)
ipop3d\[[0-9]+\]: Expunge ignored on readonly mailbox
ipop3d\[[0-9]+\]: Mailbox is open by another process, access is readonly
ipop3d\[[0-9]+\]: Trying to get mailbox lock from process [0-9]+
ipop[2|3]d\[[0-9]+\]: (connect|pop3(s SSL)? service init) from [\.0-9]+
### ignore.d.workstation/bind
named\[[0-9]+\]: ns_forw: sendto.*: Network is unreachable
### ignore.d.workstation/devfsd
devfsd\[[0-9]+\]: Caught SIGHUP
devfsd\[[0-9]+\]: read config file: "/etc/devfsd.conf"
### ignore.d.workstation/dhcp-client
dhclient(-2.2.x)?: No working leases in persistent database( - sleeping)?\.
dhclient(-2.2.x)?: Sleeping\.
dhclient(-2.2.x)?: No DHCPOFFERS received\.
dhclient(-2.2.x)?: receive_packet failed on eth[0-9]: Network is down
### ignore.d.workstation/gconf.changes
gconfd \(.*\): starting \(version [\.0-9]+\), pid [0-9]+ user '.*'
gconfd \(.*\): Resolved address "xml:readonly:.*" to a read-only config source at position [0-9]+
gconfd \(.*\): Resolved address "xml:readwrite:.*" to a writable config source at position [0-9]+
gconfd \(.*\): CORBA_ORB_destroy: ORB still has [0-9]+ refs\.
gconfd \(.*\): GConf server is not in use, shutting down\.
gconfd \(.*\): Exiting
### ignore.d.workstation/gconf.da_DK
gconfd \(.*\): Modtog signal 15, lukker pænt ned
gconfd \(.*\): starter \(version [\.0-9]+\), pid [0-9]+ bruger '.*'
gconfd \(.*\): Bestemte adressen "xml:readonly:.*" til en skrivebeskyttet konfigureringskilde ved position [0-9]+
gconfd \(.*\): Bestemte adressen "xml:readwrite:.*" til en skrivbar konfigureringskilde ved position [0-9]+
gconfd \(.*\): GConf-server er ikke i brug, lukker ned\.
gconfd \(.*\): Afslutter
### ignore.d.workstation/gdm
gdm\[[0-9]+\]: run_pictures: Directory [^[:space:]] does not exist\.
### ignore.d.workstation/gdm.da_DK
gdm\[[0-9]+\]: run_pictures: Mappen [^[:space:]] eksisterer ikke\.
gdm\[[0-9]+\]: run_pictures: /usr/share/pixmaps er ikke ejet af uid [^[:space:]]\.
gdm\[[0-9]+\]: \(child [0-9]+\) gdm_slave_xioerror_handler: Fatal X-fejl - genstarter [0-9:\.]*
### ignore.d.workstation/libgnorba
gnome-name-server\[[0-9]+\]: starting
gnome-name-server\[[0-9]+\]: name server starting
gnome-name-server\[[0-9]+\]: server_is_alive: .*
### ignore.d.workstation/misc
# Linux Thin clients
syslogd started: BusyBox v[\.0-9]+ \([:space:]]2\)
init: Entering runlevel: 2
rpc.mountd: authenticated mount request from 192\.168\..* for /home/opt/ltsp/i386 \(/home/opt/ltsp/i386\)
### ignore.d.workstation/ntpdate
ntpdate\[[0-9]+\]: can't find host
ntpdate\[[0-9]+\]: no servers can be used, exiting
ntpdate\[[0-9]+\]: step time server [\.0-9]+ offset [\.0-9]+ sec
### ignore.d.workstation/oaf
oafd: server_is_alive: cnx\[IDL:Bonobo/ConfigDatabase:1\.0\] = \(nil\)
### ignore.d.workstation/pmud
pmud\[[0-9]+\]: running /etc/power/pwrctl (maximum|minimum|sleep|wakeup|lid-(closed|opened)) (ac|battery)
pmud\[[0-9]+\]: lid closed: request sleep
pmud\[[0-9]+\]: going to sleep
pmud\[[0-9]+\]: initiating user requested sleep
pmud\[[0-9]+\]: system awake again