logcheck/ignore.d.workstation/local



### ignore.d.server/amanda
amandad\[[0-9]+\]: connect from
### ignore.d.server/amavis
amavis\[[0-9]+\]: cached [a-f0-9]+ from <[^[:space:]]*>$
amavis\[[0-9]+\]: infected \([^[:space:]]+\), from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine virus-[0-9-]+$
amavis\[[0-9]+\]: local delivery: <[^[:space:]]*> -> <(spam|virus)-quarantine>, mbx=/var/lib/amavis/virusmails/(spam|virus)-[[:alnum:]-]+(\.gz)?$
amavis\[[0-9]+\]: mail checking ended: (DISCARD|REJECT)$
amavis\[[0-9]+\]: spam from=(<[^[:space:]]+>|\(\?\)), to=<[^[:space:]]+>, quarantine spam-[^[:space:]]+$
amavis\[[0-9]+\]: spam_scan: (No|Yes), hits=[\.0-9-]+ tests=[,_A-Z0-9]+ <[^[:space:]]*>$
amavis\[[0-9]+\]: spam_scan: whitelisted sender <[^[:space:]]+>, spam check skipped$
### ignore.d.server/anacron
anacron\[[0-9]+\]: Job `cron.(daily|weekly|monthly)' terminated( \(exit status: 1\))?( \(mailing output\))?$
anacron\[[0-9]+\]: Normal exit \([0-9]+ jobs run\)$
anacron\[[0-9]+\]: Anacron 2.3 started on [0-9-]+$
anacron\[[0-9]+\]: Will run job `cron.(daily|weekly|monthly)' in (5|10|15) min\.$
anacron\[[0-9]+\]: Jobs will be executed sequentially$
anacron\[[0-9]+\]: Job `cron.(daily|weekly|monthly)' started$
anacron\[[0-9]+\]: Updated timestamp for job `cron.(daily|weekly|monthly)' to [0-9-]+$
### ignore.d.server/bind.changes
named\[[0-9]+\]: Lame delegation
named\[[0-9]+\]: Lame server on '[^[:space:]]+' \(in '[^[:space:]]+'\?\): \[[\.0-9]+\]\.[0-9]+ '[^[:space:]]+'$
named\[[0-9]+\]: Response from
named\[[0-9]+\]: reloading
named\[[0-9]+\]: Cleaned cache of [0-9]+ RRsets$
named\[[0-9]+\]: Sent NOTIFY for [^[:space:]]+$
named\[[0-9]+\]: approved AXFR from [^[:space:]]+ for [^[:space:]]+$
named\[[0-9]+\]: zone transfer \(AXFR\) of [^[:space:]]+ to [^[:space:]]+$
named\[[0-9]+\]: suppressing duplicate notify$
named\[[0-9]+\]: USAGE [0-9]+ [0-9]+ CPU=[\.0-9]+u/[\.0-9]+s CHILDCPU=[\.0-9]+u/[\.0-9]+s$
named\[[0-9]+\]: NSTATS [0-9]+ [0-9]+( (A|CNAME|SOA|PTR|MX|TXT|AAAA|38|IXFR|AXFR|ANY)=[0-9]+)*$
named\[[0-9]+\]: XSTATS [0-9]+ [0-9]+( (RR|RNXD|RFwdR|RDupR|RFail|RFErr|RErr|RAXFR|RLame|ROpts|SSysQ|SAns|SFwdQ|SDupQ|SErr|RQ|RIQ|RFwdQ|RDupQ|RTCP|SFwdR|SFail|SFErr|SNaAns|SNXD|RUQ|RURQ|RUXFR|RUUpd)=[0-9]+)*$
named\[[0-9]+\]: lame server resolving '[^[:space:]]+' \(in '[^[:space:]]+'\?\): [\.0-9.]+#[0-9]+$
named\[[0-9]+\]: Received NOTIFY answer
named\[[0-9]+\]: (master |slave )?zone "[^[:space:]]+" \(IN\) loaded \(serial [0-9]+\)$
named\[[0-9]+\]: (ns_forw|ns_resp|sysquery): query\([^[:space:]]+\) (NS points to CNAME \([^[:space:]]+\)|No possible A RRs|All possible A RR's lame|Bogus LOOPBACK A RR \([^[:space:]]+\))( learnt \([^[:space:]]+\))?$
named\[[0-9]+\]: client [\.0-9.]+#[0-9]+: transfer of '[^[:space:]]+/IN': AXFR(-style IXFR)? started$
named\[[0-9]+\]: zone [^[:space:]]+: transfered serial [0-9]+$
named\[[0-9]+\]: transfer of '[^[:space:]]+' from [^[:space:]]+: end of transfer$
named\[[0-9]+\]: zone [^[:space:]]+/IN: sending notifies \(serial [0-9]+\)$
named\[[0-9]+\]: rcvd NOTIFY\([^[:space:]]+, IN, SOA\) from \[[\.0-9]+\]\.[0-9]+$
named\[[0-9]+\]: late CNAME in answer section for [^[:space:]]+$
named\[[0-9]+\]: unrelated additional info '[^[:space:]]+' type A from \[[\.0-9]+\]\.[0-9]+$
### ignore.d.server/bind.tmp
named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out$
named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied$
### ignore.d.server/courier
courierpop3login: Connection, ip=\[::ffff:.*\]
courierpop3login: LOGIN, user=.*, ip=\[::ffff:.*\]
courierpop3login: LOGOUT, user=.*, ip=\[::ffff:.*\], top=.* retr=.*
courierpop3login: Disconnected, ip=\[::ffff:.*\]
courierpop3login: TIMEOUT, user=.*, ip=\[::ffff:.*\], top=0, retr=0
pop3d-ssl: Connection, ip=\[::ffff:.*\]
pop3d-ssl: LOGIN, user=.*, ip=\[::ffff:.*\]
pop3d-ssl: LOGOUT, user=.*, ip=\[::ffff:.*\], top=.*, retr=.*
pop3d-ssl: TIMEOUT, user=.*, ip=\[::ffff:.*\],top=.*, retr=.*
imaplogin: Connection, ip=\[::ffff:.*\]
imaplogin: LOGIN, user=.*, ip=\[::ffff:.*\]
imaplogin: LOGOUT, user=.*, ip=\[::ffff:.*\], headers=.* body=.*
imaplogin: DISCONNECTED, user=.*, ip=\[::ffff:.*\].*
imapd-ssl: LOGOUT, user=.*, ip=\[::ffff:.*\], headers=.* body=.*
imapd-ssl: Connection, ip=\[::ffff:.*\]
imapd-ssl: LOGIN, user=.*, ip=\[::ffff:.*\]
imapd-ssl: DISCONNECTED, user=.*, ip=\[::ffff:.*\]
### ignore.d.server/dancer-ircd
ircd\[[0-9]+\]: ircd exiting: autodie$
ircd\[[0-9]+\]: Server Ready$
(ircd\[[0-9]+\]: )?binding stream socket [\.[:alnum:]]+\[\*\.666[789]\]: Address already in use$
### ignore.d.server/dhcp-client
# NB: dhcp 2-x entries are in dhcp
dhclient(-2.2.x)?: DHCP(REQUEST|DISCOVER) on .* to .* port 67( interval [0-9]+)?$
dhclient(-2.2.x)?: DHCP(ACK|OFFER) from [\.0-9]+$
dhclient(-2.2.x)?: bound to .* -- renewal in [0-9]+ seconds\.$
dhclient(-2.2.x)?: irda0: unknown hardware address type 783$
### ignore.d.server/dhcp.changes
# NB: dhcp3 entries are in dhcp3-common
dhcpd-2.2.x: Abandoning IP address [\.0-9]+: (declined\.|pinged before offer) $
dhcpd-2.2.x: BOOT(DISCOVER|REQUEST) from [0-9a-f:]+ via eth[0-9]+ $
dhcpd-2.2.x: BOOTREPLY for [\.0-9]+ to [^[:space:]]+ ([0-9a-f:]+) via eth[0-9]+ $
dhcpd-2.2.x: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+ via eth[0-9]+ $
dhcpd-2.2.x: DHCP(DECLINE on|RELEASE of|REQUEST for) [\.0-9]+ from [0-9a-f:]+( \([^[:space:]]+\))? via eth[0-9]+ \((not )?found\) $
dhcpd-2.2.x: DHCPINFORM from [\.0-9]+ $
dhcpd-2.2.x: DHCPREQUEST for [\.0-9]+ from [0-9a-f:]+( \([^[:space:]]+\))? via eth[0-9]+: wrong network\.$
### ignore.d.server/dhcp3-common
dhcpd: Abandoning IP address [\.0-9]+: pinged before offer$
dhcpd: BOOTREQUEST from [0-9a-f:]+$
dhcpd: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+$
dhcpd: DHCPACK to [\.0-9]+$
dhcpd: DHCPDISCOVER from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+$
dhcpd: DHCPINFORM from [\.0-9]+$
dhcpd: DHCPRELEASE of [\.0-9]+$
dhcpd: DHCPREQUEST for [\.0-9]+( \([\.0-9]+\))? from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+$
dhcpd: ICMP Echo reply while lease [\.0-9]+ valid.$
dhcpd: Wrote [0-9]+ (leases|deleted host decls|new dynamic host decls) to leases file\.$
dhcpd: accepting packet with data after udp payload.$
dhcpd: ip length 576 disagrees with bytes received 590.$
### ignore.d.server/gdm
gdm\[[0-9]+\]: run_pictures: Directory [^[:space:]] does not exist\.$
### ignore.d.server/gdm.da_DK
gdm\[[0-9]+\]: Pingning af.* mislykkedes, deaktiver terminal!
gdm\[[0-9]+\]: \(child [0-9]+\) gdm_slave_xioerror_handler: Fatal X-fejl - genstarter [0-9:\.]*$
gdm\[[0-9]+\]: run_pictures: /usr/share/pixmaps er ikke ejet af uid [^[:space:]]\.$
gdm\[[0-9]+\]: run_pictures: Mappen [^[:space:]] eksisterer ikke\.$
### ignore.d.server/hotplug
/etc/hotplug/net.agent: invoke if(up|down) ppp[0-9]$
/etc/hotplug/net.agent: assuming ppp[0-9] is already up$
### ignore.d.server/hylafax-server
Fax(Getty|Send)\[[0-9]+\]: STATE CHANGE:( ->| BASE| LOCKWAIT| LISTENING| RUNNING| ANSWERING| RECEIVING| MODEMWAIT)+$
Fax(Getty|Send)\[[0-9]+\]: MODEM (ROCKWELL|ZYXEL) .*$
FaxGetty\[[0-9]+\]: RECV FAX \([0-9]+\): from .*, page .* in [0-9]+:[0-9]+, INF, .* line/mm, (1|2)-D MR(, [0-9]+ bit/s)?$
FaxGetty\[[0-9]+\]: RECV FAX \([0-9]+\): recvq/fax[0-9]+\.tif from .*, route to .*, [0-9]+ pages in [0-9]+:[0-9]+$
FaxGetty\[[0-9]+\]: RECV FAX: bin/faxrcvd "recvq/fax[0-9]+\.tif" "ttyS[012]" "[0-9]+"( "")+$
FaxGetty\[[0-9]+\]: ANSWER: Ring detected without successful handshake$
FaxGetty\[[0-9]+\]: ANSWER: FAX CONNECTION  DEVICE '[^[:blank:]']+'$
FaxQueuer\[[0-9]+\]: SUBMIT JOB [0-9]+$
FaxSend\[[0-9]+\]: SEND FAX: JOB [0-9]+ DEST [0-9]+ COMMID [0-9]+$
HylaFAX\[[0-9]+\]: Filesystem has SysV-style file creation semantics.$
### ignore.d.server/imp
IMP\[[0-9]+\]: Login .* to .*:143 as .*
### ignore.d.server/libgpmg1
[[:alnum:]]+: /dev/gpmctl: No such file or directory$
### ignore.d.server/libpam-modules
pam_limits\[[0-9]+\]: default limits skipped for 'root'$
### ignore.d.server/mailutils-imap4d
gnu-imap4d\[[0-9]+\]: Incoming connection opened$
gnu-imap4d\[[0-9]+\]: connect from [\.0-9]+$
gnu-imap4d\[[0-9]+\]: User '[[:alnum:]]+' logged in$
gnu-imap4d\[[0-9]+\]: Session timed out for user: [[:alnum:]]+$
gnu-imap4d\[[0-9]+\]: got signal Alarm clock$
### ignore.d.server/misc
# Figure out if these belong to dhcp or dhcp3-common (or dhclient?)
dhcpd.*: Reclaiming( REQUESTed) abandoned IP address [\.0-9]+
dhcpd.*: already acking lease
dhcpd.*: send_packet: Connection refused
dhcpd.*: fallback_discard: Connection refused
# These show up when isdnutils is installed, but isn't strictly related to those packages
kernel: isdn_net: call from [,0-9]+ -> [0-9]+$
kernel: isdn_net: Service-Indicator not [0-9], ignored$
# This one shows up with firewalls blocking SMB ports non-silently
kernel: Packet log: input DENY .*:(137|138) .*:(137|138) .*$
kernel: Shorewall:net2all:DROP:.* (SPT|DPT)=(13[789]|445) .*$
### ignore.d.server/murasaki
murasaki\.usb\[[0-9]+\]: found depended module="[[:alnum:]]+"$
murasaki\.(usb|net)\[[0-9]+\]: try expanding "\[net\]"$
murasaki\.(usb|net)\[[0-9]+\]: dependent\(net\) is found$
murasaki\.(usb|net)\[[0-9]+\]: net device is (added|removed|(un)?register(e)?d)$
murasaki\.(usb|net)\[[0-9]+\]: Execuing "net" "(stop|start)"$
murasaki\.(usb|net)\[[0-9]+\]: execute if(up|down) (eth|(i)?ppp|irda)[0-9]$
murasaki\.usb\[[0-9]+\]: (MATCH\(audio\) -> match_flags:[[:alnum:]]+ )?vendor:[[:alnum:]]+ product:[[:alnum:]]+ Dclass:[[:alnum:]]+ Dsubclass:[[:alnum:]]+ Dprotocol:[[:alnum:]]+ Iclass:[[:alnum:]]+ Isubclass:[[:alnum:]]+ Iprotocol:[[:alnum:]]+$
### ignore.d.server/nagios
nagios: Auto-save of retention data completed successfully\. $
nagios: LOG ROTATION: DAILY $
### ignore.d.server/netatalk.changes
afpd\[[0-9]+\]: ([^[:space:]:]+: E:AFPDaemon: )?afp_alarm: child timed out$
afpd\[[0-9]+\]: ([^[:space:]:]+: I:AFPDaemon: )?Connection terminated$
afpd\[[0-9]+\]: ([^[:space:]:]+: I:AFPDaemon: )?[\.[:alnum:]]+ read, [\.[:alnum:]]+ written$
afpd\[[0-9]+\]: ([^[:space:]:]+: I:AFPDaemon: )?login [[:alnum:]]+ \(uid [0-9]+, gid [0-9]+\)( AFP2\.2)?$
afpd\[[0-9]+\]: ([^[:space:]:]+: I:Default: )?(server_child\[[0-9]+\] [0-9]+ )?(done|exited 1)$
afpd\[[0-9]+\]: ([^[:space:]:]+: I:Default: )?ASIP session:[0-9]+\([0-9]+\) from [\.:0-9]+\([0-9]+\)$
afpd\[[0-9]+\]: ([^[:space:]:]+: I:Default: )?CNID DB initialized using Sleepycat Software: Berkeley DB( [\.0-9]+: \([^\(]+\))?$
afpd\[[0-9]+\]: ([^[:space:]:]+: I:UAMSDaemon: )?((dhx|cleartext|randnum/rand2num) )?login: [[:alnum:]]+$
afpd\[[0-9]+\]: ([^[:space:]:]+: I:UAMSDaemon: )?uams_dhx_pam.c :PAM: PAM (Auth OK!|Success -- Success)$
afpd\[[0-9]+\]: (afp_flushfork|afp_read|getforkparms): (ad_refresh|of_find): (No such file or directory|No such process|Permission denied)$
afpd\[[0-9]+\]: (atp_rresp|afp_die: asp_shutdown): Connection timed out$
afpd\[[0-9]+\]: (registering [[:alnum:]]+ \(uid [0-9]+\) on [\.0-9]+ as|removed) /[^[:space:]]+/net[\.0-9]+node[0-9]+$
afpd\[[0-9]+\]: [_[:alnum:]]+(\(-?[0-9]+\))?: stat [^:]+: (No such file or directory|Permission denied)$
afpd\[[0-9]+\]: asp_alrm: [0-9]+ timed out$
afpd\[[0-9]+\]: dsi_stream_(read\(-1\)|write): Connection reset by peer$
afpd\[[0-9]+\]: dsi_stream_read\(0\): (No such file or directory|No such process|Permission denied)$
afpd\[[0-9]+\]: dsi_stream_read\(0\): Success$
afpd\[[0-9]+\]: error stat'ing /[^[:space:]]+/net[\.0-9]+node[0-9]+: No such file or directory$
afpd\[[0-9]+\]: login noauth$
afpd\[[0-9]+\]: logout [[:alnum:]]+$
afpd\[[0-9]+\]: session from [\.:0-9]+ on [\.:0-9]+$
afpd\[[0-9]+\]: using codepage directory: /etc/netatalk/nls/maccode\.[\.a-z0-9-]+$
atalkd\[[0-9]+\]: as_timer sendto: Network is unreachable $
atalkd\[[0-9]+\]: zip (ignoring gnireply|gnireply from [\.0-9]+ \([[:alnum:]]+ [[:alnum:]]+\)) $
papd\[[0-9]+\]: child [0-9]+ done$
papd\[[0-9]+\]: child [0-9]+ for "[^[:space:]]+" from [\.0-9]+$
### ignore.d.server/netsaint
netsaint: (HOST|SERVICE) (ALERT|NOTIFICATION|FLAPPING ALERT): .*$
netsaint: Auto-save of retention data completed successfully\. $
netsaint: Caught SIGTERM, shutting down\.\.\. $
netsaint: Entering active mode\.\.\. $
netsaint: NetSaint [\.0-9]+ starting\.\.\. \(PID=[0-9]+\) $
### ignore.d.server/nfs-kernel-server
mountd\[[0-9]+\]: NFS mount of /[^[:space:]]+ attempted from [\.0-9]+$
mountd\[[0-9]+\]: /[^[:space:]]+ has been mounted by [\.0-9]+$
rpc\.mountd: authenticated unmount request from [\.0-9]+:[0-9]+ for /[^[:space:]]* \(/[^[:space:]\)]*\) $
### ignore.d.server/non-debian
# These entries are for syslogd open for remote hosts
# (and advertised through DHCP)
#
# HP printers
printer: peripheral low-power state$
printer: paper out$
printer: error cleared$
printer: powered up$
printer: ready to print$
### ignore.d.server/ntp-simple.changes
ntpd\[[0-9]+\]: kern_enable is 1$
ntpd\[[0-9]+\]: kernel time discipline status [0-9]+$
ntpd\[[0-9]+\]: precision = [0-9]+ usec$
ntpd\[[0-9]+\]: signal_no_reset: signal 13 had flags [0-9]+$
ntpd\[[0-9]+\]: using kernel phase-lock loop [0-9]+$
### ignore.d.server/pop-before-smtp
pop-before-smtp\[[0-9]+\]: (opening|closing) relay for [\.0-9]+( --- not in mynetworks)?$
### ignore.d.server/postfix
postfix/[[:alnum:]]+\[[0-9]+\]: table has changed -- exiting$
postfix/cleanup\[[0-9]+\]: warning: premature end-of-input from cleanup socket while reading input attribute name$
postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied$
postfix/master\[[0-9]+\]: reload configuration$
postfix/n?qmgr\[[0-9]+\]: [A-Z0-9]+: skipped, still being delivered$
postfix/postfix-script: refreshing the Postfix mail system$
postfix/smtp\[[0-9]+\]: [A-Z0-9]+: enabling PIX <CRLF>\.<CRLF> workaround for [^[:space:]]+\[[\.0-9]+\]$
postfix/smtp\[[0-9]+\]: [^[:space:]]+ status=deferred \(connect to [^[:space:]]+: (Connection refused|server refused mail service)\)$
postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+: (Connection (refused|reset by peer|timed out)|read timeout|server (refused mail service|dropped connection)|No route to host) \(port 25\)$
postfix/smtp\[[0-9]+\]: warning: bad size limit "truncates" in EHLO reply from [^[:space:]]+$
postfix/smtp\[[0-9]+\]: warning: host [^[:space:]]+\[[\.0-9]+\] (greeted me|replied to HELO/EHLO) with my own hostname [^[:space:]]+$
postfix/smtp\[[0-9]+\]: warning: no MX host for [^[:space:]]+ has a valid A record$
postfix/smtpd?\[[0-9]+\]: warning: (numeric|malformed) domain name in resource data of MX record for [^[:space:]]+: [^[:space:]]*$
postfix/smtpd?\[[0-9]+\]: warning: valid_hostname: (empty hostname|invalid character [0-9]+\(decimal\): [^[:space:]]+)$
postfix/smtpd\[[0-9]+\]: (lost connection|timeout) after [^ ]+ from [^[:space:]]+\[[\.0-9]+\]$
postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in MAIL command: <[^[:space:]>]+>$
postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+ sent (message header|mail content) instead of SMTP command:
postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+: address not listed for hostname [^[:space:]]+$
postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+: hostname [^[:space:]]+ verification failed: Host (name has no address|not found)$
### ignore.d.server/postgresql
postgres\[[0-9]+\]: \[[0-9-]+\] \^ICPU .* sec elapsed .* sec\.$
postgres\[[0-9]+\]: \[[0-9-]+\] \^ITotal CPU .* sec elapsed .* sec\.$
### ignore.d.server/ppp
chat\[[0-9]+\]: abort on \(.*\)$
chat\[[0-9]+\]: expect \(.*\)$
chat\[[0-9]+\]: send \(AT.*\^M\)$
chat\[[0-9]+\]:  -- got it$
chat\[[0-9]+\]: AT.*\^M\^M$
chat\[[0-9]+\]: \^M$
chat\[[0-9]+\]: CONNECT$
chat\[[0-9]+\]: OK$
chat\[[0-9]+\]: send \(\\d\)$
### ignore.d.server/proftpd
proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - FTP session opened\. $
proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - FTP login timed out, disconnected\. $
proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - USER [^[:space:]]+: no such user found from .*\[[\.0-9]+\] to [\.0-9]+:21 $
proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - no such user '[^[:space:]]+' $
proftpd\[[0-9]+\]: connect from [\.0-9]+ $
proftpd\[[0-9]+\]: No certificate files found! $
proftpd\[[0-9]+\]: [^[:space:]]+ ([^[:space:]\[]+\[[\.0-9]\]) - Refused PORT.* (address mismatch)\. $
### ignore.d.server/rpld
rpld\[[0-9]+\]: client [:a-f0-9]+ requested block [\.0-9]+$
### ignore.d.server/samba
smbd\[[0-9]+\]:   read(_socket)?_data: (read|recv) failure for 4\. Error = (No route to host|Connection reset by peer)$
smbd\[[0-9]+\]: \[[/0-9]+ [0-9:]+, [0-9]+\] lib/util_sock.c:read(_socket)?_data\([0-9]+\)$
### ignore.d.server/sfs-client
: nfsmounter: mounted /sfs/\.linuxmnt/[^[:blank:]]+:[0-9a-z]+/r$
: sfsrwcd: [^[:blank:]]+:[0-9a-z]+ deleted$
### ignore.d.server/sfs-server
: sfsauthd: serving [^:]+:[0-9a-z]+$
: sfssd: accepted connection from [\.0-9]+$
### ignore.d.server/spamassassin
spamd\[[0-9]+\]: Creating default_prefs
spamd\[[0-9]+\]: connection from .* at port
spamd\[[0-9]+\]: clean message for
spamd\[[0-9]+\]: identified spam for
spamd\[[0-9]+\]: skipped large message in
### ignore.d.server/squid
squid\[[0-9]+\]:   Finished.  Wrote [0-9]+ entries\.$
squid\[[0-9]+\]:   Took [\.0-9]+ seconds \([\.0-9]+ entries/sec\)\.$
squid\[[0-9]+\]: (Closing Pinger socket|Pinger socket opened) on FD [0-9]+$
squid\[[0-9]+\]: (access|store)LogRotate: Rotating(\.)?$
squid\[[0-9]+\]: NETDB state saved;$
squid\[[0-9]+\]: helperOpenServers: Starting [0-9]+ '.*' processes
squid\[[0-9]+\]: logfileRotate: /var/log/squid/(access|store).log$
squid\[[0-9]+\]: sslReadServer: FD [0-9]+: read failure: \(104\) Connection reset by peer $
squid\[[0-9]+\]: storeDirWriteCleanLogs: Starting\.\.\.$
squid\[[0-9]+\]: urlParse: Illegal character in hostname '[^']+' $
### ignore.d.server/ssh
sshd\[[0-9]+\]: syslogin_perform_logout: logout\(\) returned an error$
sshd\[[0-9]+\]: Could not reverse map address .*\.
sshd\[[0-9]+\]: Connection closed by .*
sshd\[[0-9]+\]: Did not receive ident(ification)? string from [\.0-9]+$
sshd\[[0-9]+\]: scanned from [\.0-9]+ with SSH-1\.0-SSH_Version_Mapper\.  Don't panic\.$
sshd\[[0-9]+\]: Disconnecting: Your ssh version is too old and is no longer supported\.  Please install a newer version\.$
sshd\[[0-9]+\]: Accepted (keyboard-interactive|publickey) for [[:alnum:]]+ from [\.0-9]+ port [0-9]+ ssh2$
sshd\[[0-9]+\]: warning: /etc/hosts.deny, line 15: can't verify hostname: gethostbyname(.*) failed
sshd\[[0-9]+\]: refused connect from .*
sshd\[[0-9]+\]: Received disconnect from [\.0-9]+: 11: Disconnect requested by Windows SSH Client.$
sshd\[[0-9]+\]: subsystem request for sftp$
### ignore.d.server/ssmtp
sSMTP mail\[[0-9]+\]: .* sent mail for root
### ignore.d.server/tftpd
in.tftpd\[[0-9]+\]: RRQ from.*filename.*
in.tftpd\[[0-9]+\]: tftp: client does not accept options 
### ignore.d.server/tmp
## imp
IMP\[[0-9]+\]: FAILED .* to .*:143 as .*
## libpam-modules
PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
# old-style pam entries (no longer provided by logcheck but needed on woody)
PAM_.*: .* session (opened|closed) for user .*
## netatalk
afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: (PAM Auth OK!|Success -- .*|User entered a null value -- .*)
afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument)
afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: User entered a null value -- No such file or directory
afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied
afpd\[[0-9]+\]: bad function 7A
atalkd\[[0-9]+\]: as_timer sendto: Netvaerket er ikke tilgaengeligt
## hylafax-server
FaxGetty\[[0-9]+\]: ANSWER: Can not lock modem device
gnome-name-server\[[0-9]+\]: server_is_alive: .*
## uw-imap
i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\]
## ppp
ipppd\[[0-9]+\]: Connect\[0\]: /dev/ippp[0-9], fd: 12
## misc
kernel: Disorder[0-9] [0-9] [0-9] f[0-9] s[0-9] rr[0-9]
kernel: IP_MASQ:reverse ICMP: failed checksum from .*!
kernel: OPEN: [\.0-9]* -> [\.0-9]* UDP, port: [0-9]* -> [0-9]*
kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\)
kernel: Shorewall:net2all:DROP:.*$
kernel: lp[0-9]: compatibility mode
kernel: Undo( partial)? (Hoe|loss|retrans)
printer: offline or intervention needed
## Non-UDMA hd cable
kernel: hda: status timeout: status=0xd0 \{ Busy \}
kernel: hda: no DRQ after issuing WRITE
kernel: ide0: reset: success
## Postfix SASL not working
postfix/smtpd\[[0-9]+\]: unable to open Berkeley db /etc/sasldb: No such file or directory
## ntp-simple
ntpd\[[0-9]+\]: synchronisation lost
ntpd\[[0-9]+\]: synchronisation lost
ntpd\[[0-9]+\]: time reset [\.0-9-]* .
ntpd\[[0-9]+\]: time reset [\.0-9-]+ s
## portsentry
portsentry\[[0-9]+\]: attackalert: .*
## pump
pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
## samba
smbd\[[0-9]+\]:   read_socket_data: recv failure for 4. Error = No route to host
smbd\[[0-9]+\]:   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !
smbd\[[0-9]+\]: \[[/[0-9]]+ [:[0-9]]+, 0\] smbd/service.c:find_service\([0-9]+\)
smbd\[[0-9]+\]:   yield_connection: tdb_delete for name  failed with error Record does not exist\.
smbd\[[0-9]+\]: \[.*\] smbd/connection.c:yield_connection\([0-9]+\)
smbd\[[0-9]+\]: \[.*\] passdb/pampass.c:smb_pam_passcheck\([0-9]+\)
sshd\[[0-9]+\]: Failed password for .*
sshd\[[0-9]+\]: packet_set_maxsize: setting to 4096
## postfix
postfix.*\[[0-9]+\]: .* from=<groove@mailomat.grooveattack.com>
postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [\.[:alnum:]-]+\[[\.0-9]+\] in MAIL command: <C:\\Email\\Headers\\fresh froms 5-1\.txt>
## Tulle getting spammed
tulle postfix/smtpd\[[0-9]+\]: too many errors after RCPT from unknown\[\.0-9]+[\]
rpc.mountd: authenticated mount request from .* for .*
## snort
snort: .*FrontPage
snort: IDS015 - RPC - portmap-request-status:
snort: IDS029 - SCAN-Possible Queso Fingerprint attempt:
snort: IDS115 - MISC-Traceroute-UDP:
snort: IDS212 - MISC - DNS Zone Transfer:
snort: IDS226 - CVE-1999-0172 - CGI-formmail:
snort: IDS246 - MISC - Large ICMP Packet:
snort: IIS-
snort: MISC-Attempted Sun RPC high port access:
snort: NETBIOS-SMB-C:
snort: NETBIOS-SMB-CD...:
snort: NMAP TCP ping!:
snort: RPC Info Query:
snort: SCAN-SYN FIN:
snort: spp_http_decode: IIS Unicode attack detected:
snort: spp_portscan: End of portscan
snort: spp_portscan: PORTSCAN DETECTED
snort: spp_portscan: portscan status from
snort: WEB-../..:
snort: WEB-CGI-upload.pl:
## postgres
postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .*
postgres\[[0-9]+\]: \[[0-9-]+\]  Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\.
postgres\[[0-9]+\]: \[[0-9-]+\] [0-9]*; Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\.
## amavis
amavis\[[0-9]+\]: warning - MIME::Parser error: .*
### ignore.d.server/ucd-snmp
ucd-snmp\[[0-9]+\]: Connection from .*
### ignore.d.server/uw-imap.changes
i(map|pop(2|3))d\[[0-9]+\]: (Broken pipe|Command stream end of file|Connection (reset by peer|timed out))(,)? while (reading (authentication|line|literal|char)|writing text) (user=.* )?host=(([^[:space:]]+ )?\[[\.0-9]+\]|NON-IPv4|UNKNOWN)$
i(map|pop3)d\[[0-9]+\]: (Login|Auth|Authenticated|Logout|Autologout) user=.* host=(([^[:space:]]+ )?\[[\.0-9]+\]|UNKNOWN)( nmsgs=[0-9]+(/[0-9]+)?( ndele=[0-9]+)?)?$
i(map|pop3)d\[[0-9]+\]: Killed \(lost mailbox lock\) user=.* host=(([^[:space:]]+ )?\[[\.0-9]+\]|NON-IPv4|UNKNOWN)$
i(map|pop3)d\[[0-9]+\]: Moved [0-9]+ bytes of new mail to [^[:space:]]+ from [^[:space:]]+ host= (([^[:space:]]+ )?\[[\.0-9]+\]|NON-IPv4|UNKNOWN)$
imapd\[[0-9]+\]: (port (143|220)|imap|imaps SSL) service init from
imapd\[[0-9]+\]: No route to host, while reading line user=.* host=(([^[:space:]]+ )?\[[\.0-9]+\]|UNKNOWN)$
ipop3d\[[0-9]+\]: Error opening or locking INBOX user=.* host=(([^[:space:]]+ )?\[[\.0-9]+\]|UNKNOWN)$
ipop3d\[[0-9]+\]: Expunge ignored on readonly mailbox$
ipop3d\[[0-9]+\]: Mailbox is open by another process, access is readonly$
ipop3d\[[0-9]+\]: Trying to get mailbox lock from process [0-9]+$
ipop[2|3]d\[[0-9]+\]: (connect|pop3(s SSL)? service init) from [\.0-9]+$
### ignore.d.workstation/bind
named\[[0-9]+\]: ns_forw: sendto\(\[[\.0-9]+\]\.[0-9]+\): Network is unreachable$
named\[[0-9]+\]: deleting interface \[[\.0-9]+\]\.[0-9]+$
named\[[0-9]+\]: listening on \[[\.0-9]+\]\.[0-9]+ \([^[:space:]+\)$
### ignore.d.workstation/devfsd
devfsd\[[0-9]+\]: Caught SIGHUP$
devfsd\[[0-9]+\]: read config file: "/etc/devfsd.conf"$
### ignore.d.workstation/dhcp-client
dhclient(-2.2.x)?: No working leases in persistent database( - sleeping)?\.$
dhclient(-2.2.x)?: Sleeping\.$
dhclient(-2.2.x)?: No DHCPOFFERS received\.$
dhclient(-2.2.x)?: receive_packet failed on eth[0-9]: Network is down$
### ignore.d.workstation/gconf.changes
gconfd \([^[:space:]]+\): CORBA_ORB_destroy: ORB still has [0-9]+ refs\.$
gconfd \([^[:space:]]+\): Exiting$
gconfd \([^[:space:]]+\): GConf server is not in use, shutting down\.$
gconfd \([^[:space:]]+\): Resolved address "xml:readonly:/[^[:space:]]+" to a read-only config source at position [0-9]+$
gconfd \([^[:space:]]+\): Resolved address "xml:readwrite:/[^[:space:]]+" to a writable config source at position [0-9]+$
gconfd \([^[:space:]]+\): starting \(version [\.0-9]+\), pid [0-9]+ user '[^[:space:]]+'$
### ignore.d.workstation/gconf.da_DK
gconfd \([^[:space:]]+\): Afslutter$
gconfd \([^[:space:]]+\): Bestemte adressen "xml:readonly:/[^[:space:]]+" til en skrivebeskyttet konfigureringskilde ved position [0-9]+$
gconfd \([^[:space:]]+\): Bestemte adressen "xml:readwrite:/[^[:space:]]+" til en skrivbar konfigureringskilde ved position [0-9]+$
gconfd \([^[:space:]]+\): GConf-server er ikke i brug, lukker ned\.$
gconfd \([^[:space:]]+\): Kunne ikke fjerne kataloget '/[^[:space:]]+' fra XML-bagendemellemlageret fordi den ikke er synkroniseret med disken\.$
gconfd \([^[:space:]]+\): Modtog signal 15, lukker pænt ned$
gconfd \([^[:space:]]+\): starter \(version [\.0-9]+\), pid [0-9]+ bruger '[^[:space:]]+'$
### ignore.d.workstation/laptop-net
ifd\[[0-9]+\]: executing: '/usr/share/laptop-net/link-change eth[0-9]+ unwatched ((((up|down),(running|stopped),(dis)?connected|unknown)|unknown)( )?){2}'$
ifd\[[0-9]+\]: eth[0-9]+ is unavailable$
### ignore.d.workstation/libgnorba
gnome-name-server\[[0-9]+\]: starting
gnome-name-server\[[0-9]+\]: name server starting
gnome-name-server\[[0-9]+\]: server_is_alive: .*
### ignore.d.workstation/misc
# Linux Thin clients
syslogd started: BusyBox v[\.0-9]+ \([^[:space:]]+\)$
init: Entering runlevel: 2
rpc.mountd: authenticated mount request from 192\.168\..* for /home/opt/ltsp/i386 \(/home/opt/ltsp/i386\)
### ignore.d.workstation/ntpdate
ntpdate\[[0-9]+\]: can't find host$
ntpdate\[[0-9]+\]: no servers can be used, exiting$
ntpdate\[[0-9]+\]: step time server [\.0-9]+ offset [\.0-9]+ sec$
### ignore.d.workstation/oaf
oafd: server_is_alive: cnx\[IDL:Bonobo/ConfigDatabase:1\.0\] = ([0-9a-f]+|\(nil\))$
### ignore.d.workstation/pmud
pmud\[[0-9]+\]: running /etc/power/pwrctl (maximum|minimum|sleep|wakeup|lid-(closed|opened)) (ac|battery)$
pmud\[[0-9]+\]: lid closed: request sleep$
pmud\[[0-9]+\]: going to sleep$
pmud\[[0-9]+\]: initiating user requested sleep$
pmud\[[0-9]+\]: system awake again$
### ignore.d.workstation/sfs-client
: sfsrwcd: reloaded resolv.conf file$
: sfsrwcd: changing nameserver to [\.0-9]+$