summaryrefslogtreecommitdiff
path: root/logcheck/violations.ignore.d/local
blob: d1a003fae3cbf13d573b6452afea744158657219 (plain) 
    

  1. ### violations.ignore.d/amavis
    2. 

  2. amavis\[[0-9]+\]: Checking: <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$
    3. 

  3. amavis\[[0-9]+\]: SMTP-in \[[\.0-9]+\] /var/lib/amavis/amavis-[^[:space:]:-]+: <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$
    4. 

  4. amavis\[[0-9]+\]: cached [a-f0-9]+ from <[^[:space:]]*>$
    5. 

  5. amavis\[[0-9]+\]: fwd via smtp: \[[\.0-9]+:10025\] <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$
    6. 

  6. amavis\[[0-9]+\]: infected \([^[:space:]]+\), from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine virus-[0-9-]+$
    7. 

  7. amavis\[[0-9]+\]: local delivery: <[^[:space:]]+> -> <(spam|virus)-quarantine>, mbx=/var/lib/amavis/virusmails/(spam|virus)-[[:alnum:]-]+(\.gz)?$
    8. 

  8. amavis\[[0-9]+\]: spam from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine spam-[^[:space:]]+$
    9. 

  9. amavis\[[0-9]+\]: spam_scan: (No|Yes), hits=[\.0-9-]+ tests=[,_A-Z0-9]+ <[^[:space:]]*>$
    10. 

  10. ### violations.ignore.d/amavisd-new
    11. 

  11. amavis\[[0-9]+\]: \([0-9-]+\) SPAM, <[^[:space:]]*> -> <[^[:space:]]*>, (No|Yes), hits=[\.0-9-]+ tagged_above=[\.0-9-]+ required=[\.0-9-]+ tests=[,_A-Z0-9 ]+ quarantine spam-[^[:space:]]+ \(spam-quarantine\)$
    12. 

  12. amavis\[[0-9]+\]: \([0-9-]+\) BAD HEADER from( \((bulk|list|junk)\))? <[^[:space:]]*>: .*$
    13. 

  13. ### violations.ignore.d/bind
    14. 

  14. named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied$
    15. 

  15. ### violations.ignore.d/bind.tmp
    16. 

  16. named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out
    17. 

  17. ### violations.ignore.d/dhcp-client
    18. 

  18. dhcpd(-2.2.x)?: (send_packet|fallback_discard): Connection refused$
    19. 

  19. dhclient(-2.2.x)?: receive_packet failed on eth[0-9]: Network is down$
    20. 

  20. ### violations.ignore.d/libpam-modules
    21. 

  21. pam_limits\[[0-9]+\]: setrlimit limit #[0-9]+ to soft=[-0-9]+, hard=[-0-9]+ failed: Operation not permitted; uid=[0-9]+ euid=[0-9]+$
    22. 

  22. ### violations.ignore.d/misc
    23. 

  23. # This one shows up with firewalls blocking SMB ports non-silently
    24. 

  24. kernel: Packet log: input DENY eth[0-9]+ PROTO=17 .*:137 .*:137 L=78 S=0x00 I=[0-9]+ F=0x0000 T=[0-9]+ \(#[0-9]+\)
    25. 

  25. ### violations.ignore.d/netatalk.changes
    26. 

  26. # Lines with "[^[:space:]]+:" at the beginning are for netatalk 1.6.x or newer.
    27. 

  27. afpd\[[0-9]+\]: afp_die: asp_shutdown: Connection timed out$
    28. 

  28. afpd\[[0-9]+\]: (afp_flushfork|afp_read|getforkparms): (ad_refresh|of_find): Permission denied$
    29. 

  29. afpd\[[0-9]+\]: [^[:space:]]+: D5:AFPDaemon: Parsing volset [^[:space:]]+$
    30. 

  30. afpd\[[0-9]+\]: [^[:space:]]+: D5:Default: cnid_mangle_get: Failed to find mangled entry for .*$
    31. 

  31. afpd\[[0-9]+\]: [^[:space:]]+: E:AFPDaemon: afp_die: asp_shutdown: Connection timed out$
    32. 

  32. afpd\[[0-9]+\]: [^[:space:]]+: E:Default: cnid_open: dbenv->open of /[^[:space:]]+/\.AppleDB failed: Permission denied$
    33. 

  33. afpd\[[0-9]+\]: afp_getsrvrparms: stat /[^/]+/: Permission denied$
    34. 

  34. afpd\[[0-9]+\]: dsi_stream_read\(0\): Permission denied$
    35. 

  35. ### violations.ignore.d/netsaint
    36. 

  36. netsaint: SERVICE ALERT:.*;PING;CRITICAL;.*;PING CRITICAL - Packet loss =.*%, RTA =.*ms
    37. 

  37. netsaint: SERVICE ALERT:.*;ROUTER;CRITICAL;.*;CRITICAL - Plugin timed out after 10 seconds
    38. 

  38. netsaint: SERVICE ALERT:.*;ROUTER;OK;.*;PING OK - Packet loss =.*%, RTA =.*ms
    39. 

  39. netsaint: SERVICE FLAPPING ALERT:.*;PING;STOPPED; Service appears to have stopped flapping (.*% change < .*% threshold)
    40. 

  40. netsaint: SERVICE FLAPPING ALERT:.*;PING;STARTED; Service appears to have started flapping (.*% change >.*% threshold)
    41. 

  41. netsaint: SERVICE ALERT: mail;SMTP;CRITICAL;.*;Connection refused by host
    42. 

  42. netsaint: SERVICE NOTIFICATION:.*;CRITICAL;notify-by-.*;Connection refused by host
    43. 

  43. netsaint: SERVICE ALERT: mail;SMTP;OK;.* OK - 0 second response time 
    44. 

  44. netsaint: HOST ALERT:.*;DOWN;SOFT;.*;CRITICAL.*
    45. 

  45. netsaint: HOST ALERT:.*;UP;SOFT;.*;PING OK.*
    46. 

  46. netsaint: Successfully shutdown\.\.\. \(PID=[0-9]+\) $
    47. 

  47. ### violations.ignore.d/pmud
    48. 

  48. pmud\[[0-9]+\]: Sleep for this PMU unsupported: will shutdown the machine on sleep request$
    49. 

  49. ### violations.ignore.d/postfix
    50. 

  50. postfix/(local|smtpd)\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host not found(, try again)?$
    51. 

  51. postfix/(local|smtpd)\[[0-9]+\]: warning: reject: ETRN [^[:space:]]+\.\.\. from [^[:space:]\[]+\[[\.0-9]+\]$
    52. 

  52. postfix/[ls]mtp\[[0-9]+\]: [A-Z0-9]+: to=<[^>,]*>(, orig_to=<[^>,]*>)?, relay=[^[:space:],]+, delay=[0-9]+, status=(sent|bounced|deferred) \([^\(\)]+(\([^\(\)]*\)[^\(\)]*)*[^\(\)]*\)( proto=E?SMTP helo=<[^[:space:]>]+>)?$
    53. 

  53. postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=<[^[:space:]>]+>$
    54. 

  54. postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied$
    55. 

  55. postfix/nqmgr\[[0-9]+\]: [A-Z0-9]+: from=<[^[:space:]>]+>, size=[0-9]+, nrcpt=[0-9]+ \(queue active\)$
    56. 

  56. postfix/smtp\[[0-9]+\]: (Unv|V)erified: subject_CN=.*, issuer=.*
    57. 

  57. postfix/smtp\[[0-9]+\]: Peer verification: CommonName in certificate does not match: [^!]+ != [^[:space:]]+$
    58. 

  58. postfix/smtp\[[0-9]+\]: connect to [^[:space:]\[]+\[[\.0-9]+\]: (Connection refused|server refused mail service) \(port 25\)$
    59. 

  59. postfix/smtpd\[[0-9]+\]: [0-9]+:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay\.c:578:
    60. 

  60. postfix/smtpd\[[0-9]+\]: reject: RCPT from [^[:space:]\[]+\[[\.0-9]+\]: 452 Insufficient system storage; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
    61. 

  61. postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in RCPT command: .*
    62. 

  62. postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host name has no address$
    63. 

  63. # These are only for postfix << 2.0:
    64. 

  64. postfix/smtpd\[[0-9]+\]: reject: RCPT from [^[:space:]\[]+\[[\.0-9]+\]: [45][0-9]{2} [^;]+; from=<[^[:space:]>]+> to=<[^>]+>$
    65. 

  65. # These are only for postfix >= 2.0:
    66. 

  66. postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: RCPT from [^[:space:]\[]+\[[\.0-9]+\]: [45][0-9]{2}( [^;]+;){1,3} from=<[^>]*>( to=<[^>]*>)? proto=E?SMTP( helo=<.*>)?$
    67. 

  67. ### violations.ignore.d/proftpd
    68. 

  68. proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - USER anonymous \(Login failed\): Can't find user\.$
    69. 

  69. ### violations.ignore.d/samba
    70. 

  70. smbd\[[0-9]+\]:   read(_socket)?_data: (read|recv) failure for [[:digit:]]+\. Error = (No route to host|Connection (reset by peer|timed out)) $
    71. 

  71. smbd\[[0-9]+\]:   write_socket_data: write failure\. Error = Connection reset by peer $
    72. 

  72. ### violations.ignore.d/ssh
    73. 

  73. sshd\[[0-9]+\]: Failed keyboard-interactive for [^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$
    74. 

  74. ssh\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=[^[:space:]]+  user=[^[:space:]]+$
    75. 

  75. ### violations.ignore.d/temp
    76. 

  76. (imap|netatalk|pop|samba)\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]*  user=[[:alnum:]]+$
    77. 

  77. afpd\[[0-9]+\]: afp_flushfork: of_find: Permission denied
    78. 

  78. afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied
    79. 

  79. afpd\[[0-9]+\]: bad function 7A
    80. 

  80. afpd\[[0-9]+\]: cnid_open: Cannot establish logfile cleanup lock for database environment .*/\.AppleDB/cnid\.lock \(open\(\) failed\)
    81. 

  81. afpd\[[0-9]+\]: dsi_stream_read\(0\): Permission denied
    82. 

  82. afpd\[[0-9]+\]: error removing /.+/net[\.0-9]+node[0-9]+: Permission denied
    83. 

  83. afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument)
    84. 

  84. IMP\[[0-9]+\]: FAILED .* to .*:143 as .*
    85. 

  85. i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\]
    86. 

  86. kernel: IP_MASQ:reverse ICMP: failed checksum from .*!
    87. 

  87. kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\)
    88. 

  88. PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
    89. 

  89. portsentry\[[0-9]+\]: attackalert: .*
    90. 

  90. smbd\[[0-9]+\]:   ERROR: string overflow by [[:digit:]]+ in safe_strcpy .*$
    91. 

  91. smbd\[[0-9]+\]:   api_rpcTNP: api_srvsvc_rpc: SRV_NET_SHARE_ADD failed. $
    92. 

  92. smbd\[[0-9]+\]:   getpeername failed. Error was Transport endpoint is not connected $
    93. 

  93. smbd\[[0-9]+\]:   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !
    94. 

  94. smbd\[[0-9]+\]:   yield_connection: tdb_delete for name  failed with error Record does not exist\.
    95. 

  95. sshd\[[0-9]+\]: Failed password for .*
    96. 

  96. pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
    97. 

  97. postfix/smtpd\[[0-9]+\]: reject: .*: 550 <.*>: User unknown; .*
    98. 

  98. postfix/smtpd\[[0-9]+\]: reject: .*: 554 <.*>: Recipient address rejected: User unknown; .*
    99. 

  99. postfix.*\[[0-9]+\]: .* from=<(groove@mailomat.grooveattack.com|refused@maila.com)>
    100. 

  100. snort: spp_http_decode: IIS Unicode attack detected:
    101. 

  101. postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .*
    102.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-30 16:27:56 +0000