logcheck: Add default configuration.
authorMatthijs Kooijman <matthijs@stdin.nl>
Tue, 5 May 2009 14:39:40 +0000 (16:39 +0200)
committerMatthijs Kooijman <matthijs@stdin.nl>
Tue, 5 May 2009 14:39:40 +0000 (16:39 +0200)
201 files changed:
etc/logcheck/cracking.d/logcheck [new file with mode: 0644]
etc/logcheck/cracking.d/smartd [new file with mode: 0644]
etc/logcheck/header.txt [new file with mode: 0644]
etc/logcheck/ignore.d.paranoid/bind [new file with mode: 0644]
etc/logcheck/ignore.d.paranoid/cron [new file with mode: 0644]
etc/logcheck/ignore.d.paranoid/incron [new file with mode: 0644]
etc/logcheck/ignore.d.paranoid/logcheck [new file with mode: 0644]
etc/logcheck/ignore.d.paranoid/nullmailer [new file with mode: 0644]
etc/logcheck/ignore.d.paranoid/postfix [new file with mode: 0644]
etc/logcheck/ignore.d.paranoid/ppp [new file with mode: 0644]
etc/logcheck/ignore.d.paranoid/qpopper [new file with mode: 0644]
etc/logcheck/ignore.d.paranoid/squid [new file with mode: 0644]
etc/logcheck/ignore.d.paranoid/ssh [new file with mode: 0644]
etc/logcheck/ignore.d.paranoid/stunnel [new file with mode: 0644]
etc/logcheck/ignore.d.paranoid/sysklogd [new file with mode: 0644]
etc/logcheck/ignore.d.paranoid/telnetd [new file with mode: 0644]
etc/logcheck/ignore.d.paranoid/tripwire [new file with mode: 0644]
etc/logcheck/ignore.d.server/acpid [new file with mode: 0644]
etc/logcheck/ignore.d.server/amandad [new file with mode: 0644]
etc/logcheck/ignore.d.server/anacron [new file with mode: 0644]
etc/logcheck/ignore.d.server/anon-proxy [new file with mode: 0644]
etc/logcheck/ignore.d.server/apache [new file with mode: 0644]
etc/logcheck/ignore.d.server/arpwatch [new file with mode: 0644]
etc/logcheck/ignore.d.server/automount [new file with mode: 0644]
etc/logcheck/ignore.d.server/bind [new file with mode: 0644]
etc/logcheck/ignore.d.server/bluez-utils [new file with mode: 0644]
etc/logcheck/ignore.d.server/courier [new file with mode: 0644]
etc/logcheck/ignore.d.server/cpqarrayd [new file with mode: 0644]
etc/logcheck/ignore.d.server/cpufreqd [new file with mode: 0644]
etc/logcheck/ignore.d.server/cracklib [new file with mode: 0644]
etc/logcheck/ignore.d.server/cron [new file with mode: 0644]
etc/logcheck/ignore.d.server/cron-apt [new file with mode: 0644]
etc/logcheck/ignore.d.server/cups-lpd [new file with mode: 0644]
etc/logcheck/ignore.d.server/cvs-pserver [new file with mode: 0644]
etc/logcheck/ignore.d.server/cvsd [new file with mode: 0644]
etc/logcheck/ignore.d.server/cyrus [new file with mode: 0644]
etc/logcheck/ignore.d.server/dcc [new file with mode: 0644]
etc/logcheck/ignore.d.server/ddclient [new file with mode: 0644]
etc/logcheck/ignore.d.server/dhclient [new file with mode: 0644]
etc/logcheck/ignore.d.server/dhcp [new file with mode: 0644]
etc/logcheck/ignore.d.server/dictd [new file with mode: 0644]
etc/logcheck/ignore.d.server/dkfilter [new file with mode: 0644]
etc/logcheck/ignore.d.server/dkim-filter [new file with mode: 0644]
etc/logcheck/ignore.d.server/dnsmasq [new file with mode: 0644]
etc/logcheck/ignore.d.server/dovecot [new file with mode: 0644]
etc/logcheck/ignore.d.server/dspam [new file with mode: 0644]
etc/logcheck/ignore.d.server/epmd [new file with mode: 0644]
etc/logcheck/ignore.d.server/exim4 [new file with mode: 0644]
etc/logcheck/ignore.d.server/ftpd [new file with mode: 0644]
etc/logcheck/ignore.d.server/gnu-imap4d [new file with mode: 0644]
etc/logcheck/ignore.d.server/gps [new file with mode: 0644]
etc/logcheck/ignore.d.server/grinch [new file with mode: 0644]
etc/logcheck/ignore.d.server/horde3 [new file with mode: 0644]
etc/logcheck/ignore.d.server/hplip [new file with mode: 0644]
etc/logcheck/ignore.d.server/hylafax [new file with mode: 0644]
etc/logcheck/ignore.d.server/ikiwiki [new file with mode: 0644]
etc/logcheck/ignore.d.server/imap [new file with mode: 0644]
etc/logcheck/ignore.d.server/imapproxy [new file with mode: 0644]
etc/logcheck/ignore.d.server/imp [new file with mode: 0644]
etc/logcheck/ignore.d.server/imp4 [new file with mode: 0644]
etc/logcheck/ignore.d.server/innd [new file with mode: 0644]
etc/logcheck/ignore.d.server/ipppd [new file with mode: 0644]
etc/logcheck/ignore.d.server/isdnlog [new file with mode: 0644]
etc/logcheck/ignore.d.server/isdnutils [new file with mode: 0644]
etc/logcheck/ignore.d.server/jabberd [new file with mode: 0644]
etc/logcheck/ignore.d.server/kernel [new file with mode: 0644]
etc/logcheck/ignore.d.server/krb5-kdc [new file with mode: 0644]
etc/logcheck/ignore.d.server/libpam-mount [new file with mode: 0644]
etc/logcheck/ignore.d.server/logcheck [new file with mode: 0644]
etc/logcheck/ignore.d.server/lpr [new file with mode: 0644]
etc/logcheck/ignore.d.server/maradns [new file with mode: 0644]
etc/logcheck/ignore.d.server/mldonkey-server [new file with mode: 0644]
etc/logcheck/ignore.d.server/mon [new file with mode: 0644]
etc/logcheck/ignore.d.server/nagios [new file with mode: 0644]
etc/logcheck/ignore.d.server/netconsole [new file with mode: 0644]
etc/logcheck/ignore.d.server/nfs [new file with mode: 0644]
etc/logcheck/ignore.d.server/nntpcache [new file with mode: 0644]
etc/logcheck/ignore.d.server/nscd [new file with mode: 0644]
etc/logcheck/ignore.d.server/ntp [new file with mode: 0644]
etc/logcheck/ignore.d.server/nullmailer [new file with mode: 0644]
etc/logcheck/ignore.d.server/oidentd [new file with mode: 0644]
etc/logcheck/ignore.d.server/openvpn [new file with mode: 0644]
etc/logcheck/ignore.d.server/otrs [new file with mode: 0644]
etc/logcheck/ignore.d.server/pdns [new file with mode: 0644]
etc/logcheck/ignore.d.server/perdition [new file with mode: 0644]
etc/logcheck/ignore.d.server/policyd [new file with mode: 0644]
etc/logcheck/ignore.d.server/popa3d [new file with mode: 0644]
etc/logcheck/ignore.d.server/postfix [new file with mode: 0644]
etc/logcheck/ignore.d.server/postfix-policyd [new file with mode: 0644]
etc/logcheck/ignore.d.server/ppp [new file with mode: 0644]
etc/logcheck/ignore.d.server/pptpd [new file with mode: 0644]
etc/logcheck/ignore.d.server/procmail [new file with mode: 0644]
etc/logcheck/ignore.d.server/proftpd [new file with mode: 0644]
etc/logcheck/ignore.d.server/puppetd [new file with mode: 0644]
etc/logcheck/ignore.d.server/pure-ftpd [new file with mode: 0644]
etc/logcheck/ignore.d.server/qpopper [new file with mode: 0644]
etc/logcheck/ignore.d.server/rbldnsd [new file with mode: 0644]
etc/logcheck/ignore.d.server/rpc_statd [new file with mode: 0644]
etc/logcheck/ignore.d.server/rsnapshot [new file with mode: 0644]
etc/logcheck/ignore.d.server/rsync [new file with mode: 0644]
etc/logcheck/ignore.d.server/sa-exim [new file with mode: 0644]
etc/logcheck/ignore.d.server/samba [new file with mode: 0644]
etc/logcheck/ignore.d.server/saned [new file with mode: 0644]
etc/logcheck/ignore.d.server/sasl2-bin [new file with mode: 0644]
etc/logcheck/ignore.d.server/saslauthd [new file with mode: 0644]
etc/logcheck/ignore.d.server/schroot [new file with mode: 0644]
etc/logcheck/ignore.d.server/scponly [new file with mode: 0644]
etc/logcheck/ignore.d.server/slapd [new file with mode: 0644]
etc/logcheck/ignore.d.server/smartd [new file with mode: 0644]
etc/logcheck/ignore.d.server/smbd_audit [new file with mode: 0644]
etc/logcheck/ignore.d.server/smokeping [new file with mode: 0644]
etc/logcheck/ignore.d.server/snmpd [new file with mode: 0644]
etc/logcheck/ignore.d.server/snort [new file with mode: 0644]
etc/logcheck/ignore.d.server/spamc [new file with mode: 0644]
etc/logcheck/ignore.d.server/spamd [new file with mode: 0644]
etc/logcheck/ignore.d.server/squid [new file with mode: 0644]
etc/logcheck/ignore.d.server/ssh [new file with mode: 0644]
etc/logcheck/ignore.d.server/stunnel [new file with mode: 0644]
etc/logcheck/ignore.d.server/sympa [new file with mode: 0644]
etc/logcheck/ignore.d.server/syslogd [new file with mode: 0644]
etc/logcheck/ignore.d.server/teapop [new file with mode: 0644]
etc/logcheck/ignore.d.server/telnetd [new file with mode: 0644]
etc/logcheck/ignore.d.server/tftpd [new file with mode: 0644]
etc/logcheck/ignore.d.server/thy [new file with mode: 0644]
etc/logcheck/ignore.d.server/ucd-snmp [new file with mode: 0644]
etc/logcheck/ignore.d.server/upsd [new file with mode: 0644]
etc/logcheck/ignore.d.server/uptimed [new file with mode: 0644]
etc/logcheck/ignore.d.server/userv [new file with mode: 0644]
etc/logcheck/ignore.d.server/vsftpd [new file with mode: 0644]
etc/logcheck/ignore.d.server/watchdog [new file with mode: 0644]
etc/logcheck/ignore.d.server/webmin [new file with mode: 0644]
etc/logcheck/ignore.d.server/wu-ftpd [new file with mode: 0644]
etc/logcheck/ignore.d.server/xinetd [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/automount [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/bind [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/bluetooth-alsa [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/bluez-utils [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/bonobo [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/francine [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/gconf [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/gdm [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/hald [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/hcid [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/ifplugd [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/ippl [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/kdm [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/kernel [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/logcheck [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/net-acct [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/nntpcache [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/nullmailer [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/polypaudio [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/postfix [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/ppp [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/proftpd [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/pump [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/sendfile [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/squid [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/udev [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/wdm [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/winbind [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/xdm [new file with mode: 0644]
etc/logcheck/ignore.d.workstation/xlockmore [new file with mode: 0644]
etc/logcheck/logcheck.conf [new file with mode: 0644]
etc/logcheck/logcheck.logfiles [new file with mode: 0644]
etc/logcheck/violations.d/kernel [new file with mode: 0644]
etc/logcheck/violations.d/logcheck [new file with mode: 0644]
etc/logcheck/violations.d/smartd [new file with mode: 0644]
etc/logcheck/violations.d/su [new file with mode: 0644]
etc/logcheck/violations.d/sudo [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-bind [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-bluez-utils [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-courier [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-cron-apt [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-cyrus [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-dcc [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-dovecot [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-hylafax [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-innd [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-kernel [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-login [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-mon [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-nagios [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-openvpn [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-passwd [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-pdns [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-postfix [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-proftpd [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-pureftp [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-samba [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-sasl2-bin [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-saslauthd [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-sendmail_tmp [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-smartd [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-spamd [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-squid [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-ssh [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-su [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-sudo [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-usb [new file with mode: 0644]
etc/logcheck/violations.ignore.d/logcheck-winbind [new file with mode: 0644]

diff --git a/etc/logcheck/cracking.d/logcheck b/etc/logcheck/cracking.d/logcheck
new file mode 100644 (file)
index 0000000..e6a4715
--- /dev/null
@@ -0,0 +1,43 @@
+"wiz"
+"WIZ"
+"debug"
+"DEBUG"
+ATTACK
+nested
+VRFY bbs
+VRFY decode
+VRFY uudecode
+VRFY lp
+VRFY demo
+VRFY guest
+VRFY root
+VRFY uucp
+VRFY oracle
+VRFY sybase
+VRFY games
+vrfy bbs
+vrfy decode
+vrfy uudecode
+vrfy lp
+vrfy demo
+vrfy guest
+vrfy root
+vrfy uucp
+vrfy oracle
+vrfy sybase
+vrfy games
+expn decode
+expn uudecode
+expn wheel
+expn root
+EXPN decode
+EXPN uudecode
+EXPN wheel
+EXPN root
+rlogind\[[0-9]+\]: Connection from [.0-9]+ on illegal port
+rshd\[[0-9]+\]: Connection from [.0-9]+ on illegal port
+uucico\[[0-9]+\]: refused connect from
+tftpd\[[0-9]+\]: refused connect from
+kernel: Oversized packet received from
+attackalert
+attack
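Review bot: The bare keywords `attack`, `ATTACK` and `nested` in this list are unanchored substrings, so a line from any program that happens to contain them is raised to the highest-priority section of the report. `attackalert` is already covered by `attack` and can be dropped. If the broad matches are intended, a leading `# deliberately unanchored legacy keywords` comment would record that. Otherwise tie each keyword to the daemon expected to emit it, as the `rlogind\[[0-9]+\]:` and `rshd\[[0-9]+\]:` lines already do.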
diff --git a/etc/logcheck/cracking.d/smartd b/etc/logcheck/cracking.d/smartd
new file mode 100644 (file)
index 0000000..de0508d
--- /dev/null
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, SMART Usage Attribute: 5 Reallocated_Sector_Ct changed from [[:digit:]]+ to [[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, SMART Usage Attribute: 197 Current_Pending_Sector changed from [[:digit:]]+ to [1-9][[:digit:]]*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, SMART Usage Attribute: 198 Offline_Uncorrectable changed from [[:digit:]]+ to [1-9][[:digit:]]*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, SMART Usage Attribute: 199 UDMA_CRC_Error_Count changed from [[:digit:]]+ to [[:digit:]]+$
diff --git a/etc/logcheck/header.txt b/etc/logcheck/header.txt
new file mode 100644 (file)
index 0000000..4551954
--- /dev/null
@@ -0,0 +1,4 @@
+This email is sent by logcheck. If you no longer wish to receive
+such mails, you can either deinstall the logcheck package or modify
+its configuration file (/etc/logcheck/logcheck.conf).
+
diff --git a/etc/logcheck/ignore.d.paranoid/bind b/etc/logcheck/ignore.d.paranoid/bind
new file mode 100644 (file)
index 0000000..2775af7
--- /dev/null
@@ -0,0 +1,24 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: Lame delegation$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: Lame server on '[^[:space:]]+' \(in '[^[:space:]]+'\?\): \[[.0-9]+\].[0-9]+ '[^[:space:]]+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: Response from$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: reloading$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: Cleaned cache of [0-9]+ RRsets?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: Sent NOTIFY for [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: approved AXFR from [^[:space:]]+ for [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone transfer \(AXFR\) of [^[:space:]]+ to [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: suppressing duplicate notify$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: USAGE [0-9]+ [0-9]+ CPU=[.0-9]+u/[.0-9]+s CHILDCPU=[.0-9]+u/[.0-9]+s$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: NSTATS [0-9]+ [0-9]+( (A|CNAME|SOA|NS|PTR|MX|TXT|AAAA|SRV|38|IXFR|AXFR|ANY|NAPTR)=[0-9]+)+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: XSTATS [0-9]+ [0-9]+( (RR|RNXD|RFwdR|RDupR|RFail|RFErr|RErr|RAXFR|RLame|ROpts|SSysQ|SAns|SFwdQ|SDupQ|SErr|RQ|RIQ|RFwdQ|RDupQ|RTCP|SFwdR|SFail|SFErr|SNaAns|SNXD|RUQ|RURQ|RUXFR|RUUpd)=[0-9]+)+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: lame server resolving '[^[:space:]]+' \(in '[^[:space:]]+'\?\): [.0-9.]+#[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: Received NOTIFY answer$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: (master|slave) zone "[^[:space:]]+" \(IN\) loaded \(serial [0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: (ns_forw|ns_resp|sysquery): query\([^[:space:]]+\) (NS points to CNAME \([^[:space:]]+\)|No possible A RRs|All possible A RR's lame|Bogus LOOPBACK A RR \([^[:space:]]+\) learnt \([^[:space:]]+\))$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client [0-9a-f.:]+#[0-9]+: transfer of '[^[:space:]]+/IN': AXFR (started|ended)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone [^[:space:]]+: transferred serial [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: transfer of '[^[:space:]]+' from [^[:space:]]+: end of transfer$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone [^[:space:]]+/IN: sending notifies \(serial [0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: rcvd NOTIFY\([^[:space:]]+, IN, SOA\) from \[[0-9a-f.:]+\]\.[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: late CNAME in answer section for [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: no IPv6 interfaces found$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: loading configuration from '/etc/bind/named\.conf'$
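Review bot: The `approved AXFR from`, `zone transfer \(AXFR\) of` and `transfer of '…/IN': AXFR (started|ended)` rules drop zone-transfer lines for any peer, even at the paranoid level, so a transfer to an unexpected client would never reach the report. Consider restricting the peer field to the known secondaries (for example `from <secondary-address-placeholder>`) or moving these rules to a less strict level. Separately, `Lame delegation$` and `Response from$` only match when the message ends right after those words, which looks like a mechanical anchoring of old substring rules. They are probably dead and should be completed or removed.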
diff --git a/etc/logcheck/ignore.d.paranoid/cron b/etc/logcheck/ignore.d.paranoid/cron
new file mode 100644 (file)
index 0000000..e789efa
--- /dev/null
@@ -0,0 +1,8 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \([_[:alnum:]-]+\) CMD \(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /usr/sbin/cron\[[0-9]+\]: \(CRON\) STARTUP \(fork ok\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /usr/sbin/cron\[[0-9]+\]: \([^[:space:]]+\) RELOAD \([^[:space:]]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /usr/sbin/cron\[[0-9]+\]: \(CRON\) INFO \(pidfile fd = [0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /usr/sbin/cron\[[0-9]+\]: \(CRON\) INFO \(Running @reboot jobs\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /usr/sbin/cron\[[0-9]+\]: \(CRON\) INFO \(Skipping @reboot jobs -- not system startup\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+( by \(uid=[0-9]+\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: pam_[[:alnum:]]+\(cron:session\): session opened for user [[:alnum:]-]+( by \(uid=[0-9]+\))?$
diff --git a/etc/logcheck/ignore.d.paranoid/incron b/etc/logcheck/ignore.d.paranoid/incron
new file mode 100644 (file)
index 0000000..bd91157
--- /dev/null
@@ -0,0 +1,5 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ incrond\[[0-9]+\]: \([[:alnum:]-]+\) CMD \(.+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ incrond\[[0-9]+\]: loading (system|user) tables$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ incrond\[[0-9]+\]: loading table for user [-_.[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ incrond\[[0-9]+\]: ready to process filesystem events$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ incrond\[[0-9]+\]: table for user [-_.[:alnum:]]+ changed, reloading$
diff --git a/etc/logcheck/ignore.d.paranoid/logcheck b/etc/logcheck/ignore.d.paranoid/logcheck
new file mode 100644 (file)
index 0000000..f5b2a59
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ -- MARK --$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ last message repeated [0-9]+ times$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: VFS: Disk change detected on device$
diff --git a/etc/logcheck/ignore.d.paranoid/nullmailer b/etc/logcheck/ignore.d.paranoid/nullmailer
new file mode 100644 (file)
index 0000000..80e069f
--- /dev/null
@@ -0,0 +1,7 @@
+nullmailer\[[0-9]+\]: Rescanning queue\.
+nullmailer\[[0-9]+\]: Trigger pulled\.
+nullmailer\[[0-9]+\]: Starting delivery, [0-9]+ message\(s\) in queue\.
+nullmailer\[[0-9]+\]: Starting delivery: protocol: [a-z]+ host: .+ file: [0-9\.]+
+nullmailer\[[0-9]+\]: Sent file\.
+nullmailer\[[0-9]+\]: Delivery complete, 0 message\(s\) remain\.
+nullmailer\[[0-9]+\]: smtp: Succeeded:
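Review bot: None of the seven rules in this file is anchored with `^` or `$`, unlike every other ignore file in this commit. A line from a different daemon that embeds remotely supplied text containing, say, `nullmailer[1]: Sent file.` would be matched and silently dropped from the report. Anchor each rule to the syslog prefix and the end of the message, e.g. `^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nullmailer\[[0-9]+\]: Sent file\.$`. The last rule, `smtp: Succeeded:`, needs an explicit pattern for the trailing text before its `$`.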
diff --git a/etc/logcheck/ignore.d.paranoid/postfix b/etc/logcheck/ignore.d.paranoid/postfix
new file mode 100644 (file)
index 0000000..2b67e28
--- /dev/null
@@ -0,0 +1,19 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/pickup\[[0-9]+\]: [[:alnum:]]+: uid=[0-9]+ from=[^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: (resent-|)message-id=<[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [[:alnum:]]+: from=<[^[:space:]]*>, size=[0-9]+, nrcpt=[0-9]+ \(queue active\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/nqmgr\[[0-9]+\]: [[:alnum:]]+: from=<[^[:space:]]*>, size=[0-9]+, nrcpt=[0-9]+ \(queue active\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:alnum:]]+: to=[^[:space:]]+, relay=[^[:space:]]+, delay=[.0-9]+, (delays=[.0-9/]+, dsn=[.0-9]+, )?status=[[:alnum:]]+ \(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:alnum:]]+: to=[^[:space:]]+, orig_to=[^[:space:]]+, relay=[^[:space:]]+, delay=[.0-9]+, (delays=[.0-9/]+, dsn=[.0-9]+, )?status=[[:alnum:]]+ \(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:alnum:]]+: client=[^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: disconnect from [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: connect from [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/(local|pipe|virtual)\[[0-9]+\]: [[:alnum:]]+: to=[^[:space:]]+, (orig_to=[^[:space:]]+, |)relay=[^[:space:]]+, delay=[.0-9]+, (delays=[.0-9/]+, dsn=[.0-9]+, )?status=[[:alnum:]]+ \(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix\[[0-9]+\]: alias database\.\*rebuilt$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix\[[0-9]+\]: aliases\.\*longest$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix\[[0-9]+\]: from=[^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix\[[0-9]+\]: lost input channel$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix\[[0-9]+\]: message-id=<[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix\[[0-9]+\]: putoutmsg$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix\[[0-9]+\]: status=[^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix\[[0-9]+\]: timeout waiting$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+: Connection timed out \(port 25\)$
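Review bot: The rules `alias database\.\*rebuilt$` and `aliases\.\*longest$` escape both the dot and the star, so they only match a literal `.*` in the log text and will never fire on real messages. The intended forms are presumably `alias database.*rebuilt$` and `aliases.*longest$`. In the `postfix/smtp` and `postfix/(local|pipe|virtual)` delivery rules, `status=[[:alnum:]]+ \(.*\)$` ignores every status, so bounced and deferred deliveries are hidden along with sent ones. If that is not intended at the paranoid level, narrow it to `status=sent`.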
diff --git a/etc/logcheck/ignore.d.paranoid/ppp b/etc/logcheck/ignore.d.paranoid/ppp
new file mode 100644 (file)
index 0000000..d30ec04
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: (sent|rcvd) \[LCP EchoReq id=[[:alnum:]]+ magic=[ [:alnum:]]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: (sent|rcvd) \[LCP EchoRep id=[[:alnum:]]+ magic=[ [:alnum:]]+\]$
diff --git a/etc/logcheck/ignore.d.paranoid/qpopper b/etc/logcheck/ignore.d.paranoid/qpopper
new file mode 100644 (file)
index 0000000..e2caad1
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ popper: -ERR Unknown command: "uidl"\.$
diff --git a/etc/logcheck/ignore.d.paranoid/squid b/etc/logcheck/ignore.d.paranoid/squid
new file mode 100644 (file)
index 0000000..1efc4bc
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: NETDB state saved;$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: eventCleanup$
diff --git a/etc/logcheck/ignore.d.paranoid/ssh b/etc/logcheck/ignore.d.paranoid/ssh
new file mode 100644 (file)
index 0000000..06c5416
--- /dev/null
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [^[:space:]]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: pam_[[:alnum:]]+\(ssh:session\): session opened for user [^[:space:]]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: pam_[[:alnum:]]+\(ssh:session\): session closed for user [^[:space:]]+$
diff --git a/etc/logcheck/ignore.d.paranoid/stunnel b/etc/logcheck/ignore.d.paranoid/stunnel
new file mode 100644 (file)
index 0000000..f88ae16
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel\[[0-9]+\]: Connection (closed|reset): [0-9]+ bytes sent to SSL, [0-9]+ bytes sent to socket$
diff --git a/etc/logcheck/ignore.d.paranoid/sysklogd b/etc/logcheck/ignore.d.paranoid/sysklogd
new file mode 100644 (file)
index 0000000..4ba378d
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslogd [.0-9#]+: restart\.$
diff --git a/etc/logcheck/ignore.d.paranoid/telnetd b/etc/logcheck/ignore.d.paranoid/telnetd
new file mode 100644 (file)
index 0000000..8c7fa3b
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ telnetd\[[0-9]+\]: ttloop: peer died$
diff --git a/etc/logcheck/ignore.d.paranoid/tripwire b/etc/logcheck/ignore.d.paranoid/tripwire
new file mode 100644 (file)
index 0000000..b9cdb5a
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ tripwire\[[0-9]+\]: Integrity Check Complete: .+ TWReport [._[:alnum:]-]+ [0-9]{14} V:[0-9]+ S:[0-9]+ A:[0-9]+ R:[0-9]+ C:[0-9]+$
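Review bot: This rule ignores the tripwire completion line whatever the counters say, because `V:[0-9]+`, `A:[0-9]+`, `R:[0-9]+` and `C:[0-9]+` accept non-zero values. Assuming those fields are the violation, added, removed and changed counts, a run that found modified files is dropped from the report just like a clean one. Pin the counters to zero so only clean runs are ignored, e.g. end the rule with `V:0 S:[0-9]+ A:0 R:0 C:0$`. The remaining risk is that logcheck then relies on tripwire's own report delivery for the details.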
diff --git a/etc/logcheck/ignore.d.server/acpid b/etc/logcheck/ignore.d.server/acpid
new file mode 100644 (file)
index 0000000..15ee6f3
--- /dev/null
@@ -0,0 +1,8 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ acpid: action exited with status 0$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ acpid: [[:digit:]]+ client rule[s]{0,1} loaded$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ acpid: received event "[[:lower:]_/]+ [[:upper:][:digit:]]+ [[:xdigit:]]{8} [[:xdigit:]]{8}"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ acpid: completed event "[[:lower:]_/]+ [[:upper:][:digit:]]+ [[:xdigit:]]{8} [[:xdigit:]]{8}"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ acpid: client connected from [[:digit:]]+\[[[:digit:]]+:[[:digit:]]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ acpid: notifying client [[:digit:]]+\[[[:digit:]]+:[[:digit:]]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ acpid: executing action "/etc/acpi/(actions/){0,1}[[:alnum:]_]+\.sh( [[:lower:]_/]+( [[:upper:][:digit:]]+ [[:xdigit:]]{8} [[:xdigit:]]{8}){0,1}){0,1}"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ acpid: client has disconnected$
diff --git a/etc/logcheck/ignore.d.server/amandad b/etc/logcheck/ignore.d.server/amandad
new file mode 100644 (file)
index 0000000..0348852
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amandad\[[0-9]+\]: connect from ([.0-9]{7,15}|[-._[:alnum:]]+) \([.0-9]{7,15}\)$
diff --git a/etc/logcheck/ignore.d.server/anacron b/etc/logcheck/ignore.d.server/anacron
new file mode 100644 (file)
index 0000000..a6c786b
--- /dev/null
@@ -0,0 +1,8 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Anacron [.[:alnum:]]+ started on [0-9-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Jobs will be executed sequentially$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Normal exit \([0-9]+ jobs* run\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Will run job `[._[:alnum:]-]+' in [0-9]+ min\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Job `[._[:alnum:]-]+' started$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Job `[._[:alnum:]-]+' terminated$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Job `[._[:alnum:]-]+' terminated (\(exit status: [[:digit:]]+\) )?\(mailing output\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Updated timestamp for job `[._[:alnum:]-]+' to [0-9-]+$
diff --git a/etc/logcheck/ignore.d.server/anon-proxy b/etc/logcheck/ignore.d.server/anon-proxy
new file mode 100644 (file)
index 0000000..6b11170
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ AnonMix: \[[0-9]+/[0-9]+/[0-9]+-[:0-9]+, info +\] +Try connecting to next Mix\.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ AnonMix: \[[0-9]+/[0-9]+/[0-9]+-[:0-9]+, info +\] +connected\!$
diff --git a/etc/logcheck/ignore.d.server/apache b/etc/logcheck/ignore.d.server/apache
new file mode 100644 (file)
index 0000000..9faac7e
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ apache: nss_ldap: reconnect(ing|ed) to LDAP server(\.\.\.| after [0-9]+ attempt\(s\))$
diff --git a/etc/logcheck/ignore.d.server/arpwatch b/etc/logcheck/ignore.d.server/arpwatch
new file mode 100644 (file)
index 0000000..9a4a2ce
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ arpwatch: reused old ethernet address 0\.0\.0\.0 ([a-f0-9]{1,2}:){5}[a-f0-9]{1,2} \(([a-f0-9]{1,2}:){5}[a-f0-9]{1,2}\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ arpwatch: ethernet broadcast [0-9.]{7,15} 0:0:0:0:0:0$
diff --git a/etc/logcheck/ignore.d.server/automount b/etc/logcheck/ignore.d.server/automount
new file mode 100644 (file)
index 0000000..7ac59d2
--- /dev/null
@@ -0,0 +1,16 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: attempting to mount entry [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: lookup\([[:alnum:]-]+\): [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: lookup\([[:alnum:]-]+\): examining first entry$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: parse\(sun\): expanded entry: -r(o|w) [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: parse\(sun\): dequote([^[:space:]]+) -> [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: parse\(sun\): gathered options: rw$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: parse\(sun\): core of entry: options=rw, loc=[^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: parse\(sun\): mounting root [^[:space:]]+, mountpoint [^[:space:]]+, what [^[:space:]]+, fstype nfs, options rw$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: mount\(nfs\): root=[^[:space:]]+ name=[^[:space:]]+ what=[^[:space:]]+, fstype=nfs, options=rw$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: mount\(nfs\): nfs options="rw", nosymlink=(0|1)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: mount\(nfs\): [^[:space:]]+ is local, doing bind$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: mount\(bind\): calling mkdir_path [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: mount\(bind\): calling mount --bind [^[:space:]]+ [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: mount\(bind\): mounted [^[:space:]]+ type bind on [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: running expiration on path [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: expired [^[:space:]]+$
diff --git a/etc/logcheck/ignore.d.server/bind b/etc/logcheck/ignore.d.server/bind
new file mode 100644 (file)
index 0000000..6bbfa8e
--- /dev/null
@@ -0,0 +1,11 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone [._[:alnum:]-]+/IN(/[._[:alnum:]-]+)?: transferred serial [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: (client [.:[:xdigit:]]+#[[:digit:]]+: )?(view [._[:alnum:]-]+: )?received notify for zone '[._[:alnum:]-]+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: unexpected RCODE \((FORMERR|SERVFAIL|NXDOMAIN|NOTIMP|REFUSED|YXDOMAIN|YXRRSET|NXRRSET|NOTAUTH|NOTZONE|BADVERS|<rcode [[:digit:]]+>|[[:digit:]]+)\) resolving '[^[:space:]]+': [.:[:xdigit:]]+#[[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: FORMERR resolving '[^[:space:]]+': [.:[:xdigit:]]+#[[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone [._[:alnum:]-]+/IN(/[._[:alnum:]-]+)?: Transfer started.$
+^\w{3} [ :0-9]{11} [-._[:alnum:]]+ named\[[0-9]+\]: client [.:[:xdigit:]]+#[[:digit:]]+: view (localhost|any|slave): query: [-._[:alnum:]]+ IN (CNAME|A6|AAAA|A|MX|PTR|TXT|NS|SOA|SSHFP) [-+](E?)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: (client [.:[:xdigit:]]+#[[:digit:]]+: )?notify question section contains no SOA$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: journal file [-./_[:alnum:]]+ does not exist, creating it$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client [.:[:xdigit:]]+#[[:digit:]]+: updating zone '[-._[:alnum:]]+/IN': (adding an RR|deleting rrset) at '[._[:alnum:]-]+' A$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: dispatch 0x[[:xdigit:]]+: shutting down due to TCP receive error: [.:[:xdigit:]]+#[[:digit:]]+: connection reset$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: enforced delegation-only for '[._[:alnum:]-]+' \([._[:alnum:]-]+/(A|AAAA)/IN\) from [.:[:xdigit:]]+#[[:digit:]]+$
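Review bot: The `updating zone '...': (adding an RR|deleting rrset)` rule accepts any `client` address, so every dynamic update to an A record is dropped from the report regardless of who sent it. Those lines are the only record in this rule set of zone data being changed. If updates are expected from one host only (a DHCP server, say), the client part could be pinned, e.g. `client <UPDATER_IP>#[[:digit:]]+:` with the site's address substituted, so that other senders still show up. Separately, the `view (localhost|any|slave)` alternation in the query rule looks site-specific and will not match other view names.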
diff --git a/etc/logcheck/ignore.d.server/bluez-utils b/etc/logcheck/ignore.d.server/bluez-utils
new file mode 100644 (file)
index 0000000..a3caf73
--- /dev/null
@@ -0,0 +1,6 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dund\[[[:digit:]]{1,5}\]: New connection from [:[:xdigit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hcid\[[[:digit:]]{1,5}\]: Device hci[[:digit:]]+ has been removed$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pand\[[[:digit:]]{1,5}\]: New connection from [:[:xdigit:]]+ bnep[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pand\[[[:digit:]]{1,5}\]: Bluetooth PAN daemon version [.[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hidd\[[[:digit:]]{1,5}\]: Bluetooth HID daemon$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dund\[[[:digit:]]{1,5}\]: Bluetooth DUN daemon version [.[:digit:]]+$
diff --git a/etc/logcheck/ignore.d.server/courier b/etc/logcheck/ignore.d.server/courier
new file mode 100644 (file)
index 0000000..784ec49
--- /dev/null
@@ -0,0 +1,20 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ((imap|pop3)(login|d-ssl)|couriertcpd): Connection, ip=\[[.:[:alnum:]]+\](, port=\[[[:digit:]]+\])$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ((imap|pop3)(login|d-ssl)|couriertcpd): LOGIN, user=[-_.@[:alnum:]]+, ip=\[[.:[:alnum:]]+\](, port=\[[[:digit:]]+\])?(, protocol=IMAP)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ((imap|pop3)(login|d-ssl)|couriertcpd): authdaemon: starting client module$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ((imap|pop3)(login|d-ssl)|couriertcpd): authdaemon: ACCEPT, username [@._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imap(login|d-ssl): LOGOUT, user=[-_.@[:alnum:]]+, ip=\[[.:[:alnum:]]+\](, port=\[[[:digit:]]+\])?, headers=[[:digit:]]+, body=[[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imap(login|d-ssl): LOGOUT, ip=\[[.:[:alnum:]]+\](, port=\[[[:digit:]]+\])?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierpop3login: LOGOUT, ip=\[[.:[:alnum:]]+\](, port=\[[[:digit:]]+\])?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ courierpop3login: (LOGOUT|TIMEOUT|DISCONNECTED), user=[-_.@[:alnum:]]+, ip=\[[.:[:alnum:]]+\](, port=\[[[:digit:]]+\])?, top=[[:digit:]]+, retr=[[:digit:]]+, time=[[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ((imap|pop3)(login|d-ssl)|couriertcpd): (LOGOUT|TIMEOUT|DISCONNECTED), ip=\[[.:[:alnum:]]+\](, port=\[[[:digit:]]+\])?, headers=[[:digit:]]+, body=[[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ((imap|pop3)(login|d-ssl)|couriertcpd): (LOGOUT|TIMEOUT|DISCONNECTED), user=[-_.@[:alnum:]]+, ip=\[[.:[:alnum:]]+\](, port=\[[[:digit:]]+\])?, headers=[[:digit:]]+, body=[[:digit:]]+(, rcvd=[[:digit:]]+, sent=[[:digit:]]+)?(, time=[[:digit:]]+)?(, starttls=[01])?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ((imap|pop3)(login|d-ssl)|couriertcpd): (LOGOUT|TIMEOUT|DISCONNECTED), user=[-_.@[:alnum:]]+, ip=\[[.:[:alnum:]]+\](, port=\[[[:digit:]]+\])?, top=[[:digit:]]+, retr=[[:digit:]]+(, time=[[:digit:]]+)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ((imap|pop3)(login|d-ssl)|couriertcpd): Unexpected SSL connection shutdown\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ((imap|pop3)(login|d-ssl)|couriertcpd): couriertls: read: Connection (reset by peer|timed out)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ authdaemond.plain: nss_ldap: reconnect(ing|ed) to LDAP server(\.\.\.| after [[:digit:]]+ attempt\(s\))$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ couriertcpd: LOGIN: ip=\[[.:[:alnum:]]+\](, port=\[[[:digit:]]+\])?, command=(CAPABILITY|AUTHENTICATE|LOGIN)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ couriertcpd: LOGIN: ip=\[[.:[:alnum:]]+\](, port=\[[[:digit:]]+\])?, username=[._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ couriertcpd: LOGIN, user=[._[:alnum:]-]+, ip=\[[.:[:alnum:]]+\], port=\[[[:digit:]]+\], protocol=(POP|IMAP)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ couriertcpd: Connection, ip=\[[.:[:alnum:]]+\](, port=\[[[:digit:]]+\])?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ couriertcpd: Disconnected, ip=\[[.:[:alnum:]]+\](, port=\[[[:digit:]]+\])?, time=[[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ couriertcpd: (LOGOUT|TIMEOUT|DISCONNECTED), user=[-_.@[:alnum:]]+, ip=\[[.:[:alnum:]]+\](, port=\[[[:digit:]]+\])?, headers=[[:digit:]]+, body=[[:digit:]]+, rcvd=[[:digit:]]+, sent=[[:digit:]]+, time=[[:digit:]]+$
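Review bot: In the first rule the port group has no `?`: `(, port=\[[[:digit:]]+\])$` requires the port field, while every other rule in the file writes `(, port=\[[[:digit:]]+\])?`. Connection lines without a port are then covered only for `couriertcpd` by the later `Connection, ip=` rule, not for the imap/pop3 tags. If that is unintended, the first rule should end `(, port=\[[[:digit:]]+\])?$`. The tag alternation `(imap|pop3)(login|d-ssl)` also does not match the `courierpop3login` tag used in two other rules, which suggests the groups were written against different Courier versions; a comment saying which would help.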
diff --git a/etc/logcheck/ignore.d.server/cpqarrayd b/etc/logcheck/ignore.d.server/cpqarrayd
new file mode 100644 (file)
index 0000000..812c28f
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cpqarrayd: Application terminated by signal\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cpqarrayd: Logging Enabled\.\.\.$
diff --git a/etc/logcheck/ignore.d.server/cpufreqd b/etc/logcheck/ignore.d.server/cpufreqd
new file mode 100644 (file)
index 0000000..cc10552
--- /dev/null
@@ -0,0 +1,5 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cpufreqd: pmu_init[[:space:]]+: /proc/pmu/info: No such file or directory$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cpufreqd: apm_init[[:space:]]+: /proc/apm: No such file or directory$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cpufreqd: sensors_post_conf[[:space:]]+: no sensors\.conf found, sensors disabled!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cpufreqd: plugins_post_conf[[:space:]]+: Unable to configure plugin [-_.[:alnum:]]+, removing$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cpufreqd: nforce2_post_conf[[:space:]]+: Unconfigured, exiting\.$
diff --git a/etc/logcheck/ignore.d.server/cracklib b/etc/logcheck/ignore.d.server/cracklib
new file mode 100644 (file)
index 0000000..886d77c
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cracklib: updating dictionary [0-9]+ [0-9]+ words\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cracklib: updated dictionary \(read/written words: [0-9]+ [0-9]+\)\.$
diff --git a/etc/logcheck/ignore.d.server/cron b/etc/logcheck/ignore.d.server/cron
new file mode 100644 (file)
index 0000000..7edf40a
--- /dev/null
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (/usr/bin/)?crontab\[[0-9]+\]: \([[:alnum:]-]+\) LIST \([[:alnum:]-]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (/usr/bin/)?crontab\[[0-9]+\]: \([[:alnum:]-]+\) REPLACE \([[:alnum:]-]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (/usr/bin/)?crontab\[[0-9]+\]: \([[:alnum:]-]+\) (BEGIN|END) EDIT \([[:alnum:]-]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: nss_ldap: reconnect(ing|ed) to LDAP server(\.\.\.| after [0-9]+ attempt\(s\))$
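Review bot: The `REPLACE` and `(BEGIN|END) EDIT` rules hide crontab changes for every account, root included, since both user fields are `[[:alnum:]-]+`. A changed crontab is something a server report should normally show, because scheduled jobs are a common place for unwanted persistence. I would keep only the `LIST` rule here, or move the other two to a site-local file with a comment explaining why they are ignored.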
diff --git a/etc/logcheck/ignore.d.server/cron-apt b/etc/logcheck/ignore.d.server/cron-apt
new file mode 100644 (file)
index 0000000..8c26f0e
--- /dev/null
@@ -0,0 +1,22 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: CRON-APT RUN \[[-[:alnum:]/]+\]: \w{3} \w{3} [ [:digit:]]+ [:[:digit:]]{8} \w{3,4} [[:digit:]]{4}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: CRON-APT SLEEP: [[:digit:]]+, \w{3} \w{3} [ [:digit:]]+ [:[:digit:]]{8} \w{3,4} [[:digit:]]{4}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: CRON-APT ACTION: (0-update|3-download)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: CRON-APT LINE: (/usr/bin/apt-get )?update -o quiet=2$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: CRON-APT LINE: (/usr/bin/apt-get )?dist-upgrade -d -y -o APT::Get::Show-Upgraded=true$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: CRON-APT LINE: (/usr/bin/apt-get )?autoclean -y$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: Reading [pP]ackage [lL]ists\.\.\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: Building [dD]ependency [tT]ree\.\.\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: The following NEW packages will be installed:$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: The following packages will be (upgraded|REMOVED|DOWNGRADED):$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: The following packages have been kept back:$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: {3}[ .+[:alnum:]-]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: [[:digit:]]+ upgraded, [[:digit:]]+ newly installed, ([[:digit:]]+ downgraded, )?[[:digit:]]+ to remove and [[:digit:]]+ not upgraded\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: Need to get [[:digit:].]+([kM]?B)(/[.[:digit:]]+([kM]?B))* of archives\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: After unpacking [[:digit:].]+([kM]?B) (of additional disk space will be used|disk space will be freed)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: Get:[[:digit:]]+ ((ht|f)tp|file)://[.[:alnum:]/_-]+ [./[:alnum:]-]+ [-[:alnum:]_+.]+ [+.:~[:alnum:]-]+ \[[.[:digit:]]+[kM]?B\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: Del [-[:alnum:]_+.]+ \[[.[:digit:]]+[kM]?B\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: Fetched [[:digit:].]+[kM]?B in ([[:digit:]]+m)?[[:digit:]]+s \([[:digit:].]+[kM]?B/s\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: Download complete and in download only mode$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: E: Some index files failed to download, they have been ignored, or old ones used instead\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: Reading state information\.\.\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: After this operation, [.[:digit:]]+[gmk]?B of additional disk space will be used\.$
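Review bot: The rule for `E: Some index files failed to download, they have been ignored, or old ones used instead\.` silences the one line that says the package lists could not be refreshed. If that keeps happening, the host stops learning about security updates, and nothing else in this file would report it. Consider dropping that rule so the error reaches the report. The last rule also uses `[gmk]?B` where the rest of the file uses `[kM]?B`, so a size printed as `MB` is not matched there.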
diff --git a/etc/logcheck/ignore.d.server/cups-lpd b/etc/logcheck/ignore.d.server/cups-lpd
new file mode 100644 (file)
index 0000000..28d0816
--- /dev/null
@@ -0,0 +1,9 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cups-lpd\[[0-9]+\]: Connection from [._[:alnum:]-]+ \([.0-9]{7,15}\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cups-lpd\[[0-9]+\]: Print file - job ID = [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cups-lpd\[[0-9]+\]: Unknown command-line option "\\" ignored!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cups-lpd\[[0-9]+\]: Unknown LPD command [^[:space:]]+!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cups-lpd\[[0-9]+\]: Command line = [[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cups-lpd\[[0-9]+\]: Print waiting jobs \(no-op\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cups-lpd\[[0-9]+\]: Send queue state \((long|short)\) for [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cups-lpd\[[0-9]+\]: Receive print job for [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cups-lpd\[[0-9]+\]: Closing connection$
diff --git a/etc/logcheck/ignore.d.server/cvs-pserver b/etc/logcheck/ignore.d.server/cvs-pserver
new file mode 100644 (file)
index 0000000..9d4c252
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cvs-pserver\[[0-9]+\]: connect from [._[:alnum:]-]+ \([0-9.]{7,15}\)$
diff --git a/etc/logcheck/ignore.d.server/cvsd b/etc/logcheck/ignore.d.server/cvsd
new file mode 100644 (file)
index 0000000..e5526b5
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cvsd\[[0-9]+\]: connection from [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3} [0-9]{1,5}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cvsd\[[0-9]+\]: cvs command exited with exit-status [0-9]+$
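Review bot: The dots between the octets in `[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}` are unescaped, so each one matches any character and the rule accepts more than a dotted-quad address. Write them as `\.`: `[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}`. The same unescaped `.` appears in `Transfer started.` (bind), `authdaemond.plain` (courier), `dhclient(-2.2.x)?` and the `www.isc.org` URLs (dhclient, dhcp), `dkfilter.in`/`dkfilter.out` (dkfilter) and `resolv.conf` (dnsmasq). The dhcp file already shows the escaped form in `dhcpd(-2\.2\.x|)`.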
diff --git a/etc/logcheck/ignore.d.server/cyrus b/etc/logcheck/ignore.d.server/cyrus
new file mode 100644 (file)
index 0000000..002f3ff
--- /dev/null
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/imapd\[[0-9]+\]: SQUAT returned [0-9]+ messages$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/squatter\[[0-9]+\]: (skipping|indexing) mailbox [[:alpha:]^\.]+\.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (cyrus/)?notifyd\[[0-9]+\]: do_notify using method '(null|log|zephyr)'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/notifyd\[[0-9]+\]: MAIL, , [^[:space:]]+, [^[:space:]]+,  \"[ [:alnum:][:punct:]]+\"$
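Review bot: The class `[[:alpha:]^\.]+` in the squatter rule is hard to read and probably not what was meant. Inside a bracket expression `^` is literal unless it comes first, and in POSIX syntax so is `\`, so this matches letters, `^`, `\` and `.` only. Mailbox names containing digits, `-` or `_` would then not be ignored. If the intent was any mailbox name, `[^[:space:]]+\.\.\.$` says so directly; otherwise a comment stating which characters are expected would help.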
diff --git a/etc/logcheck/ignore.d.server/dcc b/etc/logcheck/ignore.d.server/dcc
new file mode 100644 (file)
index 0000000..17b474a
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dccproc\[[0-9]+\]: no answer from [._[:alnum:]-]+ \([.0-9]{7,15},[0-9]+\) after [0-9]+ ms$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dccproc\[[0-9]+\]: DCC servers ([-._[:alnum:]]+ )+\.\.\. at ([:.[:xdigit:]]+ )+
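Review bot: The second rule has no `$` at the end, unlike nearly every other rule in this commit, so whatever follows the address list on that line is ignored as well. If the message has a fixed tail, spell it out and close with `$`; if the tail really varies, add a comment saying why the rule is left open. The same missing anchor is on the `client in: CONT<hidden>` rule in the dovecot hunk.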
diff --git a/etc/logcheck/ignore.d.server/ddclient b/etc/logcheck/ignore.d.server/ddclient
new file mode 100644 (file)
index 0000000..41eaada
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[[:digit:]]+\]: SUCCESS:  updating [._[:alnum:]-]+: good: IP address set to [:[:xdigit:].]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[[:digit:]]+\]: WARNING:  forcing update of [._[:alnum:]-]+ from [:[:xdigit:].]+ to [:[:xdigit:].]+; [[:digit:]]+ days since last update on \w{3} \w{3} [ :0-9]{16}\.$
diff --git a/etc/logcheck/ignore.d.server/dhclient b/etc/logcheck/ignore.d.server/dhclient
new file mode 100644 (file)
index 0000000..1f811b0
--- /dev/null
@@ -0,0 +1,26 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: Internet (Software|Systems) Consortium DHCP Client [.[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: Copyright [-0-9]+ Internet Systems Consortium\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: All rights reserved\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: For info, please visit http://www\.isc\.org/(products/DHCP|sw/dhcp/)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: There is already a pid file /var/run/dhclient\.[[:alnum:]]+\.pid with pid [[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: killed old client process, removed PID file$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?:$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: Listening on [^[:space:].]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: Sending on[[:space:]]+[^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: DHCPDISCOVER on [[:alnum:].]+ to [.0-9]{7,15} port 67 interval [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: DHCP(NAK|ACK|OFFER) from [.0-9]{7,15}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: DHCP(REQUEST|RELEASE) on [[:alnum:].]+ to [.0-9]{7,15} port 67$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: bound(:| to [.0-9]{7,15} --) renewal in [0-9]+ seconds\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: [[:lower:]]+[0-9]: unknown hardware address type [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: Trying recorded lease [.0-9]{7,15}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: No working leases in persistent database( - sleeping)?\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: send_packet: Network is unreachable$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: send_packet: please consult README file regarding broadcast address\.$
+# dhcp-client 2.0
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: Copyright (199[5-9],? ){5}(The )?Internet Software Consortium\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: Please contribute if you find this software useful\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: For info, please visit http://www.isc.org/dhcp-contrib.html$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: No DHCPOFFERS received\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: Sleeping\.$
+# 3.0
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient: parse_option_buffer: option [-[:alnum:]]+ \([[:digit:]]+\) larger than buffer\.$
diff --git a/etc/logcheck/ignore.d.server/dhcp b/etc/logcheck/ignore.d.server/dhcp
new file mode 100644 (file)
index 0000000..537cb8f
--- /dev/null
@@ -0,0 +1,40 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2\.2\.x|): Internet (Software|Systems) Consortium DHCP Server [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2\.2\.x|): Copyright [0-9-]+ Internet (Software|Systems) Consortium\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2\.2\.x|): All rights reserved\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2\.2\.x|): For info, please visit http://www.isc.org/(products/DHCP|sw/dhcp/)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2\.2\.x|): Wrote [0-9]+ deleted host decls to leases file\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2\.2\.x|): Wrote [0-9]+ new dynamic host decls to leases file\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2\.2\.x|): Wrote [0-9]+ leases to leases file\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2\.2\.x|): (BOOTREQUEST|DHCPDISCOVER) from [:[:alnum:]]+ (\([\(\):._[:alnum:]-]+\) )?via [.[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2\.2\.x|): BOOTREPLY (for|on) [.0-9]{7,15} to [:[:alnum:]]+ (\([:._[:alnum:]-]+\) )?via [.[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2\.2\.x|): DHCPOFFER on [.0-9]{7,15} to [:[:alnum:]]+ (\([\(\)._[:alnum:]-]+\) )?via [.[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2\.2\.x|): DHCPREQUEST for [.0-9]{7,15} (\([.0-9]{7,15}\) )?from [:._[:alnum:]-]+ (\([\(\)._[:alnum:]-]+\) )?via [.[:alnum:]-]+(: unknown lease [.0-9]{7,15}\.)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2\.2\.x|): DHCPACK on [.0-9]{7,15} to [:[:alnum:]]+ (\([\(\)._[:alnum:]-]+\) )?via [.[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2\.2\.x|): DHCP(NAK|RELEASE|INFORM) (on|from) ([.0-9]{7,15}|[:[:alnum:].]+)$
+#Added for dhcp 3
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPDISCOVER from [:[:alnum:]]+ (\([._[:alnum:]-]+\) |)via [.[:alnum:]-]+(: load balance to peer [._[:alnum:]-]+)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPOFFER on [.0-9]{7,15} to [:[:alnum:]]+ (\([._[:alnum:]-]+\) |)via [.[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPREQUEST for [.0-9]{7,15} (\([.0-9]{7,15}\) |)from [:[:alnum:]]+ (\([._[:alnum:]-]+\) )?via [.[:alnum:]-]+(: load balance to peer [._[:alnum:]-]+\.?|: lease owned by peer\.?|: wrong network\.?|: lease [.0-9]{7,15} unavailable\.?)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPACK on [.0-9]{7,15} to [:[:alnum:]]+ (\([._[:alnum:]-]+\) |)via [.[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPNAK on [.0-9]{7,15} to [:[:alnum:]]+ (\([._[:alnum:]-]+\) |)via [.[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPINFORM from [.0-9]{7,15} via [.[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPRELEASE of [.0-9]{7,15} from [:[:alnum:]]+ (\([._[:alnum:]-]+\) |)via [.[:alnum:]-]+ \((not |)found\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCPACK to [.0-9]{7,15}( \(([:[:xdigit:]]+|<no client hardware address>)\) via [.[:alnum:]-]+)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: pool [0-9a-f]{7} [.0-9]{7,15}/[:[:alnum:]]+ total [:[:alnum:]]+  free [:[:alnum:]]+  backup [:[:alnum:]]+  lts [:[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: ICMP Echo reply while lease [.[:digit:]]{7,15} valid\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: Abandoning IP address [.[:digit:]]{7,15} pinged before offer$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: uid lease [.0-9]{7,15} for client [:[:xdigit:]]+ is duplicate on [.0-9]{7,15}/[[:digit:]]+$
+# Dyndns support
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: [Aa]dded (new )?(forward|reverse) map from [._[:alnum:]-]+ to [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: removed reverse map on [._[:alnum:]-]+\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: Can't update forward map [._[:alnum:]-]+ to [.0-9]{7,15}: no such RRset$
+# udhcpd support
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ udhcpd\[[0-9]+\]: sending OFFER of [.0-9]{7,15}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ udhcpd\[[0-9]+\]: sending ACK to [.0-9]{7,15}$
+# These two rules match specifically for ddns_remove_a()
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: if [._[:alnum:]-]+ IN TXT "[[:alnum:]]+" rrset exists and [._[:alnum:]-]+ IN A [.0-9]{7,15} rrset exists delete [._[:alnum:]-]+ IN A [.0-9]{7,15}: success\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: if [._[:alnum:]-]+ IN A rrset doesn't exist delete [._[:alnum:]-]+ IN TXT "[[:alnum:]]+": success\.$
+# The preceding rules could be rewritten as follows to match most output from
+# print_dns_status(), also called for the expr_dns_transaction opcode.  I'd
+# rather not proceed without hearing from someone using DDNS updates, though.
+#^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd:( (if|and|add|delete) [._[:alnum:]-]+ ([[:digit:]]+ )?IN ((A|PTR|MX|CNAME)( [._[:alnum:]-]+)?|TXT "[^"]*"|CNAME <keydata>)( (rrset|domain) (exists|doesn't exist))?)+: success\.$
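Review bot: The rules for `Abandoning IP address ... pinged before offer` and `uid lease ... is duplicate on ...` filter out messages that, as far as I can tell, mean a pool address is already in use by some other host. That is worth seeing on a server: it points to an address conflict or an unmanaged device on the segment, and repeated abandonment shrinks the pool. I would leave these two out of the defaults, or add a comment explaining why they are considered noise.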
diff --git a/etc/logcheck/ignore.d.server/dictd b/etc/logcheck/ignore.d.server/dictd
new file mode 100644 (file)
index 0000000..a4beebe
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dictd\[[0-9]+\]: connect from [._[:alnum:]-]+ \(127\.0\.0\.1\)$
diff --git a/etc/logcheck/ignore.d.server/dkfilter b/etc/logcheck/ignore.d.server/dkfilter
new file mode 100644 (file)
index 0000000..447bb2d
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dkfilter.in\[[0-9]+\]: DomainKeys verification - (pass|neutral)( \(no signature; (no policy for [._[:alnum:]-]+|domain testing)\))?; (from|sender)=<[^[:space:]]+>(, message-id=<[^[:space:]]+>)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dkfilter.out\[[0-9]+\]: DomainKeys signing - (signed|skipped \(wrong sender domain\)); (from|sender)=<[^[:space:]]+>, message-id=<[^[:space:]]+>$
diff --git a/etc/logcheck/ignore.d.server/dkim-filter b/etc/logcheck/ignore.d.server/dkim-filter
new file mode 100644 (file)
index 0000000..c357d7b
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dkim-filter\[[[:digit:]]+\]: [[:xdigit:]]{10} SSL error:04077068:rsa routines:RSA_verify:bad signature$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dkim-filter\[[[:digit:]]+\]: [[:xdigit:]]{10}: bad signature data$
diff --git a/etc/logcheck/ignore.d.server/dnsmasq b/etc/logcheck/ignore.d.server/dnsmasq
new file mode 100644 (file)
index 0000000..3746b80
--- /dev/null
@@ -0,0 +1,5 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq\[[[:digit:]]+\]: read /etc/hosts - [[:digit:]]+ addresses$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq\[[[:digit:]]+\]: reading (/var/run/dnsmasq/|/etc/)resolv.conf$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq\[[[:digit:]]+\]: using nameserver [.[:digit:]#]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq\[[[:digit:]]+\]: (DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK|DHCPRELEASE|DHCPINFORM|BOOTP)\([[:alnum:]]+\) [ :[:alnum:]._-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq\[[[:digit:]]+\]: ignoring nameserver 127\.0\.0\.1 - local interface$
diff --git a/etc/logcheck/ignore.d.server/dovecot b/etc/logcheck/ignore.d.server/dovecot
new file mode 100644 (file)
index 0000000..7313991
--- /dev/null
@@ -0,0 +1,24 @@
+# pre 1.0
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot: (imap|pop3)-login: Login: [.[:alnum:]@-]+ \[[.:[:xdigit:]]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot: )?(imap|pop3)-login: Disconnected \[[.:[:xdigit:]]+\]$
+# 1.0 and beyond
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5), rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS( handshake)?|secured))?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Aborted login: (user=<[-_.@[:alnum:]]+>, method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5), )?rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS( handshake)?|secured))?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected: ((Too many invalid commands|Inactivity): )?(user=<[-_.@[:alnum:]]+>, )?(method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5), )?rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS( handshake)?|secured))?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected: Logged out$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Aborted login( \([[:digit:]]+ authentication attempts\))?: rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS( handshake)?|secured))$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: POP3\([-_.@[:alnum:]]+\): Disconnected(: Logged out| for inactivity|: Disconnected)? top=[[:digit:]]+/[[:digit:]]+, retr=[[:digit:]]+/[[:digit:]]+, del=[[:digit:]]+/[[:digit:]]+, size=[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: IMAP\([-_.@[:alnum:]]+\): Disconnected(: Logged out| for inactivity|: Disconnected| in [[:upper:]]+)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: ssl-build-param: SSL parameters regeneration completed$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth\(-_.[[:alnum:]]+\): (pg|my)sql: Connected to [-_.[:alnum:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot-auth: \(pam_unix\) check pass; user unknown$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot-auth: pam_unix\(dovecot:[[:alnum:]]+\): check pass; user unknown$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ deliver\([-_.@[:alnum:]]+\): msgid=<[^[:space:]]+>( \((added by [^[:space:]]+|sfid-[_[:xdigit:]]+)\))?: saved mail to [-_.[:alnum:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ deliver\([-_.@[:alnum:]]+\): msgid=<[^[:space:]]+>?( \((added by [^[:space:]]+|sfid-[_[:xdigit:]]+)\))?: (saved mail to [-_.[:alnum:]]+|forwarded to <[^[:space:]]+>)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth-worker\([-_.[:alnum:]]+\): (pg|my)sql: Connected to [-_.[:alnum:]]+ \([-_.[:alnum:]]+\)$
+# see #396760
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth\([[:alnum:]]+\): client in: AUTH [[:digit:]]+[[:space:]]+(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5)[[:space:]]+service=IMAP[[:space:]]+(secured )?lip=[.:[:xdigit:]]+[[:space:]]+rip=[.:[:xdigit:]]+[[:space:]]+resp=<hidden>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth\([[:alnum:]]+\): client in: CONT<hidden>
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth\([[:alnum:]]+\): client out: CONT[[:space:]]+[[:digit:]]+[[:space:]]+[[:alnum:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: IMAP\([-_.@[:alnum:]]+\): Fixed index file /[-._/[:alnum:]&]+/dovecot\.index: first_(recent|unseen)_uid_lowwater [[:digit:]]+ -> [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: IMAP\([-_.@[:alnum:]]+\): Connection closed(: Connection reset by peer)?$
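Review bot: The `Aborted login` rules (including `( \([[:digit:]]+ authentication attempts\))?`) and the two `check pass; user unknown` rules remove the lines that show failed and repeated login attempts. Password guessing against IMAP/POP3 would then not appear in the report unless something else reads the log. I would leave those out of the server-level defaults, or note in a comment which other control covers them. Also, `auth\(-_.[[:alnum:]]+\)` looks like a misplaced bracket for `auth\([-_.[:alnum:]]+\)` (compare the `auth-worker` rule); as written it only matches a name that starts with `-_`.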
diff --git a/etc/logcheck/ignore.d.server/dspam b/etc/logcheck/ignore.d.server/dspam
new file mode 100644 (file)
index 0000000..96b671c
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dspam\[[0-9]+\]: spam detected from [.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dspam\[[0-9]+\]: innocent message from [.0-9]+$
diff --git a/etc/logcheck/ignore.d.server/epmd b/etc/logcheck/ignore.d.server/epmd
new file mode 100644 (file)
index 0000000..57b88ae
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ epmd: epmd: epmd running - daemon = 1$
diff --git a/etc/logcheck/ignore.d.server/exim4 b/etc/logcheck/ignore.d.server/exim4
new file mode 100644 (file)
index 0000000..44e3379
--- /dev/null
@@ -0,0 +1,12 @@
+^[-0-9]{10} [0-9:]{8} (Start|End) queue run: pid=[0-9]+$
+^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ Completed$
+^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ [=-]> [_[:alnum:]-]+ <?[@._[:alnum:]-]+>? R=local_user T=mail_spool$
+^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ [=-]> [@._[:alnum:]-]+ <?[@._[:alnum:]-]+>? R=dnslookup T=remote_smtp H=[._[:alnum:]-]+ \[[.0-9]{7,15}\]$
+^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ [=-]> [@._[:alnum:]-]+ R=dnslookup T=remote_smtp H=[._[:alnum:]-]+ \[[.0-9]{7,15}\]( X=TLS-1.0:RSA_AES_256_CBC_SHA1?:32)?$
+^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ <= [@._[:alnum:]-]+ U=[_[:alnum:]-]+ P=local S=[0-9]+( id=[^[:space:]]+)?$
+^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ <= [@._[:alnum:]-]+ H=[._[:alnum:]-]+ \[[.0-9]{7,15}\]( U=[_[:alnum:]-]+)? P=esmtp S=[0-9]+ id=[^[:space:]]+$
+^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ <= <> R=[_[:alnum:]-]+ U=[_[:alnum:]-]+ P=local S=[0-9]+$
+^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ <= <> H=[._[:alnum:]-]+ \[[.0-9]{7,15}\] P=esmtp S=[0-9]+ id=[^[:space:]]+$
+^[-0-9]{10} [0-9:]{8} SMTP command timeout on connection from [._[:alnum:]-]+ \[[.0-9]{7,15}\]$
+^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ == [@._[:alnum:]-]+ <?[@._[:alnum:]-]+>? R=dnslookup T=remote_smtp defer \(-53\): retry time not reached for any host$
+^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ SMTP error from remote mailer after initial connection: host [._[:alnum:]-]+ \[[.0-9]{7,15}\]: 421 gluck.debian.org: Too many concurrent SMTP connections; please try again later\.$
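Review bot: The last rule hard-codes `421 gluck.debian.org: Too many concurrent SMTP connections`, so a default configuration carries one remote host's name and matches nothing else. Replace the host with a class, `421 [._[:alnum:]-]+: Too many concurrent SMTP connections; please try again later\.$`, or drop the rule. The optional `( X=TLS-1.0:RSA_AES_256_CBC_SHA1?:32)?` group is similarly tied to one protocol version and cipher, so deliveries negotiated with anything else will be reported.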
diff --git a/etc/logcheck/ignore.d.server/ftpd b/etc/logcheck/ignore.d.server/ftpd
new file mode 100644 (file)
index 0000000..0c55823
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ftpd: PAM-listfile: Refused user [._[:alnum:]-]+ for service ftpd$
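Review bot: This rule ignores `PAM-listfile: Refused user ... for service ftpd`, which is the record of a login attempt on an account the listfile denies. On a server those attempts are usually the interesting ones, since denied accounts tend to be root and system users. If the line is noisy on a particular host, a site-local rule limited to the known account names would be safer than a default that matches any `[._[:alnum:]-]+` user.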
diff --git a/etc/logcheck/ignore.d.server/gnu-imap4d b/etc/logcheck/ignore.d.server/gnu-imap4d
new file mode 100644 (file)
index 0000000..4fcb1ab
--- /dev/null
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnu-imap4d\[[[:digit:]]+\]: Incoming connection opened$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnu-imap4d\[[[:digit:]]+\]: Connect from [.:[:xdigit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnu-imap4d\[[[:digit:]]+\]: Error reading from input file: Connection reset by peer$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gnu-imap4d\[[[:digit:]]+\]: No socket to send to$
diff --git a/etc/logcheck/ignore.d.server/gps b/etc/logcheck/ignore.d.server/gps
new file mode 100644 (file)
index 0000000..98b9c08
--- /dev/null
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gps\[[0-9]+\]: disconnecting from DB$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gps\[[0-9]+\]: started \(ver.: [.[:alnum:]]+ built: \w{3} [ 0-9]{1,3} [0-9]{4} [0-9:]{8}\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gps\[[0-9]+\]: (new|ok|wait): '([^[:space:]]+)?' -> '[^[:space:]]+', '([._[:alnum:]-]+|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.([0-9]{1,3})?)'( \([[:digit:]]+, [[:digit:]]+ secs\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gps\[[0-9]+\]: wl (network|nw): '([^[:space:]]+)?' -> '[^[:space:]]+', '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.([0-9]{1,3})?': [ [:graph:]]+$
diff --git a/etc/logcheck/ignore.d.server/grinch b/etc/logcheck/ignore.d.server/grinch
new file mode 100644 (file)
index 0000000..b55f91f
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ grinch\[[0-9]+\]: host allowed \((cached, )?(checked|no connection|avoiding deadlock)\): [._[:alnum:]-]+$
diff --git a/etc/logcheck/ignore.d.server/horde3 b/etc/logcheck/ignore.d.server/horde3
new file mode 100644 (file)
index 0000000..dc16b92
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ .+\[[0-9]+\]: \[horde\] Login success for [@._[:alnum:]-]+ \[[.0-9]{7,15}\] to Horde \[on line [0-9]+ of ".+"\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ .+\[[0-9]+\]: \[horde\] User [@._[:alnum:]-]+ \[[.0-9]{7,15}\] logged out of Horde \[on line [0-9]+ of ".+"\]$
diff --git a/etc/logcheck/ignore.d.server/hplip b/etc/logcheck/ignore.d.server/hplip
new file mode 100644 (file)
index 0000000..ef29eca
--- /dev/null
@@ -0,0 +1,8 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hpiod: [.[:digit:]]+ accepting connections at [[:digit:]]{1,5}\.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hpiod: channel cleanup ci=[[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hpiod: device cleanup uri=hp:/[-?=/_.[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hpiod: timeout JetDirectChannel::ReadData: Success hp:/[-?=/_.[:alnum:]]+ io/hpiod/jetdirect\.cpp [[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hpiod: service busy uri:hp:/[-?=/_.[:alnum:]]+ Device::ChannelOpen: HP-SCAN io/hpiod/device\.cpp [[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hpiod: device active clientcnt=[[:digit:]]+ channelcnt=[[:digit:]]+ uri=hp:/[-?=/_.[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hpiod: unable to read JetDirectDevice::DeviceID$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ python: hpssd\[[[:digit:]]+\]: warning: [IU]nrecognized URI: [-._/:[:alnum:]]+$
diff --git a/etc/logcheck/ignore.d.server/hylafax b/etc/logcheck/ignore.d.server/hylafax
new file mode 100644 (file)
index 0000000..899c127
--- /dev/null
@@ -0,0 +1,18 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: SUBMIT JOB [[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: FIFO RECV \"Sclient/[[:digit:]]+:[[:digit:]]+\"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: JOB [[:digit:]]+ \((ready|active) dest [[:digit:]\+]+ pri [[:digit:]]+ tts [[:digit:]]+:[[:digit:]]+ killtime [[:digit:]]+:[[:digit:]]+:[[:digit:]]+\): (READY|PROCESS|ACTIVE|PREPARE START)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: LOCKWAIT$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: STATE CHANGE: RUNNING -> LOCKWAIT \(timeout [[:digit:]]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ HylaFAX\[[0-9]+\]: Filesystem has SysV-style file creation semantics\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: ANSWER: Can not lock modem device$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: ANSWER: FAX CONNECTION  DEVICE '[^[:space:]]+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: RECV FAX \([0-9]+\): recvq/fax[0-9]+.tif from .+ route to .+, [0-9]+ pages in [0-9:]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: RECV FAX: bin/faxrcvd "recvq/fax[0-9]+.tif" "[^[:space:]]+" "[0-9]+" "" "" ""$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: RECV FAX \([0-9]+\): from.+, page [0-9]+ in [0-9:]+, INF, [0-9.]+ line/mm, [12]-D M.+, [0-9]+ bit/s$
+# The .* below is the modem's identification string.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxGetty\[[0-9]+\]: MODEM .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: MODEM .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: NOTIFY: bin/notify \"doneq/q[[:digit:]]+\" \"done\" \"[[:digit:]]+:[[:digit:]]{2}\"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: NOTIFY exit status: 0 \([[:digit:]]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxSend\[[0-9]+\]: SEND FAX: JOB [[:digit:]]+ DEST [ [:digit:]()-]+ COMMID \w+ DEVICE '[/[:alnum:]]+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxSend\[[0-9]+\]: SEND FAX: JOB [[:digit:]]+ SENT in [[:digit:]]+:[[:digit:]]{2}$
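Review bot: The two `MODEM .*$` rules accept anything after the word MODEM, while the comment above them says the wildcard is meant for the modem's identification string. Any other FaxGetty or FaxQueuer message that begins with `MODEM ` is therefore dropped from the report as well, and this hunk does not show whether fault messages use that prefix. If the identification line has a fixed lead-in, spell it out before the wildcard; otherwise extend the comment to say that all MODEM lines are suppressed on purpose. The two `RECV FAX` rules also leave the dot in `.tif` unescaped; `fax[0-9]+\.tif` is the literal form.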
diff --git a/etc/logcheck/ignore.d.server/ikiwiki b/etc/logcheck/ignore.d.server/ikiwiki
new file mode 100644 (file)
index 0000000..36133e4
--- /dev/null
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ikiwiki: rebuilding wiki\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ikiwiki: (scann|render)ing [-_./[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ikiwiki: updating hyperestraier search index$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ikiwiki: done
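Review bot: The last rule, `ikiwiki: done`, has no end anchor, unlike the three rules above it, so it also discards any longer line that merely starts with that text. Proposed: `^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ikiwiki: done$`. The kernel file further down has the same gap in the partition-list rule ending in `( (\1[[:digit:]]+|[<>]))+` and in the `st: Version …` rule. Both should end in `$`, or carry a comment saying the open tail is intended.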
diff --git a/etc/logcheck/ignore.d.server/imap b/etc/logcheck/ignore.d.server/imap
new file mode 100644 (file)
index 0000000..62da737
--- /dev/null
@@ -0,0 +1,6 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd\[[0-9]+\]: port 143 service init from [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd\[[0-9]+\]: command stream end of file, while reading line user=[^[:space:]]+ host=[^[:space:]]+ \[[.0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd\[[0-9]+\]: Connection reset by peer, while reading line user [^[:space:]]+ host=[^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd\[[0-9]+\]: Transport endpoint is not connected, while writing text user=[^[:space:]]+ host=[^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd\[[0-9]+\]: No route to host, while reading line user=[^[:space:]]+ host=[^[:space:]]+ \[[.0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd\[[0-9]+\]: Moved [0-9]+ bytes of new mail to [^[:space:]]+ from [^[:space:]]+ host= localhost \[127.0.0.1\]$
diff --git a/etc/logcheck/ignore.d.server/imapproxy b/etc/logcheck/ignore.d.server/imapproxy
new file mode 100644 (file)
index 0000000..c32d004
--- /dev/null
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: LOGOUT: '"[_[:alnum:]-]+(@[-_.[:alnum:]]+)?"' from server sd \[[0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: LOGIN: '"[_[:alnum:]-]+(@[-_.[:alnum:]]+)?"' \([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[0-9]+\) on (existing|new) sd \[[0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: Expiring server sd \[[0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: Raw_Proxy\(\): Failed to read line from client on socket [[:digit:]]+$
diff --git a/etc/logcheck/ignore.d.server/imp b/etc/logcheck/ignore.d.server/imp
new file mode 100644 (file)
index 0000000..fa03a1e
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: Login .* to localhost:143 as .*$
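Review bot: Both variable fields in `Login .* to localhost:143 as .*$` are unbounded wildcards, so the rule matches any IMP line that starts with `Login ` and contains that host string, whatever text sits in the address and user positions. The user name comes from the client, and if IMP reports failed logins in the same shape (not visible here) they would be hidden too. The imp4 rule in the next file shows the tighter form. Something like `Login [.0-9]{7,15} to localhost:143 as [@._[:alnum:]-]+$` would do, once checked against a real log line.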
diff --git a/etc/logcheck/ignore.d.server/imp4 b/etc/logcheck/ignore.d.server/imp4
new file mode 100644 (file)
index 0000000..404708d
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ .+\[[0-9]+\]: \[imp\] Login success for [@._[:alnum:]-]+ \[[.0-9]{7,15}\] to \{[._[:alnum:]-]+:[0-9]+\} \[on line [0-9]+ of ".+"\]$
diff --git a/etc/logcheck/ignore.d.server/innd b/etc/logcheck/ignore.d.server/innd
new file mode 100644 (file)
index 0000000..a9e26af
--- /dev/null
@@ -0,0 +1,57 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (rnews|innd|batcher): Reading config from /etc/news/inn\.conf$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (expire|expireover|ctlinnd|nnrpd)\[[0-9]+\]: Reading config from /etc/news/inn\.conf$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rnews: offered <[^[:space:]]+> [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: localhost connected [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: [[:alpha:]]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: [[:alpha:]]:$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: [[:alpha:]]:[-[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: [[:alpha:]]:Expiring process [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: [[:alpha:]]:Flushing log and syslog files$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: [[:alpha:]]:/var/log/news/expire\.lowmark$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: [._[:alnum:]-]+ flush$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: [._[:alnum:]-]+ opened [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: [._[:alnum:]-]+ closed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: [._[:alnum:]-]+:[0-9]+ readclose$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: [._[:alnum:]-]+:[0-9]+ inactive [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: [._[:alnum:]-]+:[0-9]+ NCmode \"mode stream\" received$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: [._[:alnum:]-]+ connected [0-9]+ streaming allowed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: ME HISstats [0-9]+ hitpos [0-9]+ hitneg [0-9]+ missed [0-9]+ dne$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: ME time [0-9]+ hishave [0-9]+\([0-9]+\) hiswrite [0-9]+\([0-9]+\) hissync [0-9]+\([0-9]+\) idle [0-9]+\([0-9]+\) artclean [0-9]+\([0-9]+\) artwrite [0-9]+\([0-9]+\) artcncl [0-9]+\([0-9]+\) hishave/artcncl [0-9]+\([0-9]+\) his(grep|write)/artcncl [0-9]+\([0-9]+\) artlog/artcncl [0-9]+\([0-9]+\) his(write|grep)/artcncl [0-9]+\([0-9]+\) sitesend [0-9]+\([0-9]+\) overv [0-9]+\([0-9]+\) perl [0-9]+\([0-9]+\) nntpread [0-9]+\([0-9]+\) artparse [0-9]+\([0-9]+\)( artlog/artparse [0-9]+\([0-9]+\))? artlog [0-9]+\([0-9]+\) datamove [0-9]+\([0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: SERVER (servermode|flushlogs) (running|paused)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: SERVER paused Flushing log and syslog files$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: SERVER running$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: SERVER paused Expiring process [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ batcher\[[0-9]+\]: batcher [[:alnum:]]+ times user [.0-9]+ system [.0-9]+ elapsed [.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ batcher\[[0-9]+\]: batcher [[:alnum:]]+ stats batches [0-9]+ articles [0-9]+ bytes [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: Reading access from /etc/news/readers\.conf$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: SERVER perl filtering enabled$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: [._[:alnum:]-]+ \([.0-9]+\) connect$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: [._[:alnum:]-]+ timeout$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: [._[:alnum:]-]+ group [.[:alnum:]+-]+ [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: Auth strategy '[[:alnum:]]+' does not match client\.  Removing\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: [._[:alnum:]-]+ (no_)?match_user [<>_[:alnum:]-]+(@[._[:alnum:]-]+)? [<>,_,\*,\![:alnum:][:punct:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: [._[:alnum:]-]+ res <[_[:alnum:]-]+>(@[._[:alnum:]-]+)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: [._[:alnum:]-]+ time [0-9]+ (hisgrep [0-9]+\([0-9]+\) )?idle [0-9]+\([0-9]+\) (readart [0-9]+\([0-9]+\) )?nntpwrite [0-9]+\([0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: [._[:alnum:]-]+ times user [.0-9]+ system [.0-9]+ idle [.0-9]+ elapsed [.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: [._[:alnum:]-]+ exit articles [0-9]+ groups [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: [._[:alnum:]-]+ artstats get [0-9]+ time [0-9]+ size [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: [._[:alnum:]-]+ post ok <[[:graph:]]+@[._[:alnum:]-]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: [._[:alnum:]-]+ \(unknown\) posttrack ok [[:graph:]]+<[[:graph:]]+@[._[:alnum:]-]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: [._[:alnum:]-]+ user [[:alnum:][:punct:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: [._[:alnum:]-]+ Tracking Disabled \(unknown\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: [._[:alnum:]-]+ auth authenticator successful, user [[:alnum:][:punct:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: [._[:alnum:]-]+ auth starting authenticator [[:alnum:][:space:][:punct:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: [._[:alnum:]-]+ no_access_realm$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cnfsstat\[[0-9]+\]: Class (ARCHIV|SPOOL) for groups matching \"[^[:space:]]+\" Buffer (ARCH|SPOOL)[0-9]+, len: [0-9]+  Mbytes, used: [0-9]+\.[0-9]+ Mbytes \([0-9 ]+\.[0-9]%\) [ 0-9]+ cycles$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ send-uucp\[[0-9]+\]: checking site [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ send-uucp\[[0-9]+\]: no articles for [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ send-uucp\[[0-9]+\]: Flushing [^[:space:]]+ for site [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ send-uucp\[[0-9]+\]: batched articles for [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innfeed\[[0-9]+\]: ME time [0-9]+ idle [0-9]+\([0-9]+\) blstats [0-9]+\([0-9]+\) stsfile [0-9]+\([0-9]+\) newart [0-9]+\([0-9]+\) readart [0-9]+\([0-9]+\) prepart [0-9]+\([0-9]+\) read [0-9]+\([0-9]+\) write [0-9]+\([0-9]+\) cb [0-9]+\([0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innfeed\[[0-9]+\]: [._[:alnum:]-]+ spooling no active connections$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innfeed\[[0-9]+\]: [._[:alnum:]-]+:[0-9]+ connected$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innfeed\[[0-9]+\]: [._[:alnum:]-]+ remote MODE STREAM$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innfeed\[[0-9]+\]: [._[:alnum:]-]+ (final|checkpoint) seconds [0-9]+ spooled [0-9]+ on_close [0-9]+ sleeping [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innfeed\[[0-9]+\]: [._[:alnum:]-]+ hostChkCxns - maxConnections was [0-9]+ now [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innfeed\[[0-9]+\]: ME articles (active|total) [0-9]+ bytes [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innfeed\[[0-9]+\]: [._[:alnum:]-]+:[0-9]+ cxnsleep connect: Connection refused$
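Review bot: The bracket expression that closes the `match_user` rule, `[<>,_,\*,\![:alnum:][:punct:]-]+`, lists characters that `[:punct:]` already covers, and inside a POSIX bracket the backslashes are literal characters rather than escapes. It reads as if it were restrictive, but it accepts any run of printable non-space characters. Writing it as `[[:alnum:][:punct:]]+`, as the `user` rules further down do, matches the same input and makes the breadth obvious.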
diff --git a/etc/logcheck/ignore.d.server/ipppd b/etc/logcheck/ignore.d.server/ipppd
new file mode 100644 (file)
index 0000000..2b9accf
--- /dev/null
@@ -0,0 +1,17 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: Local number: [0-9]+, Remote number: [0-9]+, Type: outgoing$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: PHASE_WAIT -> PHASE_ESTABLISHED, ifunit: .*, linkunit: .*, fd:$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: Remote message: .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: MPPP negotiation, He: .* We: .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: CCP enabled! Trying CCP\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: CCP:$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: LCP terminated by peer$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: local  IP address$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: remote IP address$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: ccp_resetci!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: Modem hangup$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: Connection terminated\.i$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: taking down PHASE_DEAD link .*, linkunit:$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: closing fd [0-9]+ from unit$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: link .* closed , linkunit:$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: reinit_unit:$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: Connect\[[0-9]+\]: /dev/(ippp.|isdn.), fd: [0-9]+$
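Review bot: The rule `Connection terminated\.i$` ends in a stray `i`, which looks like an editor keystroke left in the pattern; as written it cannot match a line that ends in `terminated.`. Proposed: `^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipppd\[[0-9]+\]: Connection terminated\.$`. Several other rules here stop right after a label and then anchor (`fd:$`, `linkunit:$`, `CCP:$`, `reinit_unit:$`), and the isdnutils file does the same (`Chargesum is$`, `state:$`). If the daemon prints a value after those labels, which seems likely but is not visible here, those rules never match and need a value class before the `$`.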
diff --git a/etc/logcheck/ignore.d.server/isdnlog b/etc/logcheck/ignore.d.server/isdnlog
new file mode 100644 (file)
index 0000000..d1f919f
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ isdnlog: | line.* : free$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ isdnlog: | line.* : outgoing$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ isdnlog: .* outgoing .* -> .*$
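Review bot: The `|` in the first two rules is not escaped, and in the extended regular expressions that logcheck hands to egrep it is the alternation operator. Each of those rules therefore splits into two patterns: everything left of the bar, which matches every isdnlog line, and ` line.* : free$` (or ` line.* : outgoing$`), which matches lines from any program. If a literal bar is meant, escape it: `isdnlog: \| line.* : free$` and `isdnlog: \| line.* : outgoing$`.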
diff --git a/etc/logcheck/ignore.d.server/isdnutils b/etc/logcheck/ignore.d.server/isdnutils
new file mode 100644 (file)
index 0000000..7360dcc
--- /dev/null
@@ -0,0 +1,13 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: isdn_tty: call from .* -> .* ignored$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: isdn_net: Incoming call without CPN, assuming '0'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: isdn_tty: Incoming call without CPN, assuming '0'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: isdn_net: Incoming call without OAD, assuming '0'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: isdn_tty: Incoming call without OAD, assuming '0'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: (ippp.|isdn.): dialing$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: (ippp.|isdn.): Chargesum is$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: isdn_net: chargetime of (ippp.|isdn.) now$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: isdn_net: (ippp.|isdn.) connected$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: isdn_net: local hangup (ippp.|isdn.)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: (ippp.|isdn.): remote hangup$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: ippp_ccp:$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: ippp, open, slot: .*, minor: .*, state:$
diff --git a/etc/logcheck/ignore.d.server/jabberd b/etc/logcheck/ignore.d.server/jabberd
new file mode 100644 (file)
index 0000000..7ae7dee
--- /dev/null
@@ -0,0 +1,28 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/resolver\[[0-9]+\]: \[[._[:alnum:]-]+\] resolved to \[?[0-9.]{7,15}:[0-9]+\]? \([0-9]+ seconds to live\)$
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] (dis)?connect$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] (incoming|outgoing) connection$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: (incoming|outgoing) route '[._[:alnum:]-]+/[._[:alnum:]-]+' is now (in)?valid; (source|destination)=[0-9.]{7,15}, port [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] error: Stream error \(\(null\)\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] write error: Connection refused \(111\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] write error: Connection timed out \(110\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] write error: No route to host \(113\)$
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] incoming stream online \(id [a-z0-9]{40}\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] (sending|received) dialback auth request for route '[._[:alnum:]-]+/[._[:alnum:]-]+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] (incoming|outgoing) route '[._[:alnum:]-]+/[._[:alnum:]-]+' is now valid(, SSL negotiated)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] checking dialback verification from [._[:alnum:]-]+: sending valid$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] no dialback started$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] closing connection$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] dns lookup for [._[:alnum:]-]+ timed out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: connection to [._[:alnum:]-]+ timed out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] error: XML parse error \((syntax error|junk after document element)\)$
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/sm\[[0-9]+\]: session (replaced|ended|started): jid=[._[:alnum:]-]+@[._[:alnum:]-]+/[._[:alnum:]-]+$
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/c2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] (dis)?connect$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/c2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] error: XML parse error \(syntax error\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/c2s\[[0-9]+\]: \[[0-9]+\] requesting session: jid=[._[:alnum:]-]+@[._[:alnum:]-]+/[._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/c2s\[[0-9]+\]: \[[0-9]+\] auth succeeded: username=[._[:alnum:]-]+, resource=[._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/c2s\[[0-9]+\]: \[[0-9]+\] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=[._[:alnum:]-]+@[._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/c2s\[[0-9]+\]: \[[0-9]+\] bound: jid=[._[:alnum:]-]+@[._[:alnum:]-]+/[._[:alnum:]-]+$
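Review bot: This file contains four empty lines between the rule groups (after the resolver rule, inside the s2s group, and around the `jabberd/sm` rule). An empty pattern given to grep matches every line, so the file is only safe if logcheck strips blank lines from rule files before using them. I believe its rule-cleaning step does that, but it is worth confirming for the version deployed here. Dropping the blank lines, or replacing them with comment lines such as `# s2s`, `# sm` and `# c2s`, removes the dependency.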
diff --git a/etc/logcheck/ignore.d.server/kernel b/etc/logcheck/ignore.d.server/kernel
new file mode 100644 (file)
index 0000000..cb914fe
--- /dev/null
@@ -0,0 +1,75 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? lp[0-9]+ out of paper$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? lp[0-9]+: ECP mode$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ll header: [:[:xdigit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? martian source 255\.255\.255\.255 from [.[:digit:]]{7,15} on dev [[:alnum:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? icmpv6_send: no reply to icmp error$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:alnum:]]+: link up\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ADDRCONF\(NETDEV_CHANGE\): [[:alnum:]]+: link becomes ready$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? TCP: Treason uncloaked! Peer [.[:digit:]]{7,15}:[[:digit:]]{1,5}/[[:digit:]]{1,5} shrinks window [[:digit:]]+:[[:digit:]]+\. Repaired\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? device-mapper: [-.[:alnum:]]+ \([-[:digit:]]{10}\) initialised: dm-devel@redhat\.com$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ACPI: PCI interrupt for device [[:alnum:]:.]+ disabled$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ACPI: PCI Interrupt [[:alnum:]:.]+\[[AB]\] (-> Link \[LNK[AB]\] )?-> GSI [0-9]+ \(level, low\) -> IRQ [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:alnum:]]+: no IPv6 routers present$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? tun: Universal TUN/TAP device driver, [.[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? tun: \(C\) 1999-2[[:digit:]]+ Max Krasnyansky <maxk@qualcomm.com>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? kjournald starting\.  Commit interval [[:digit:]]+ seconds$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? EXT3 FS on [^[:space:]]+, internal journal$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? EXT3-fs: mounted filesystem with ordered data mode\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? XFS mounting filesystem [[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? Ending clean XFS mount for filesystem: [[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? apm: overridden by ACPI\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? Intel machine check (architecture supported|reporting enabled on CPU#[0-9])\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? PCI: Setting latency timer of device [[:alnum:]:.]+ to [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? apm: BIOS version [.0-9]+ Flags [x0-9]+ \(Driver version [.[:alnum:]]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ modprobe: FATAL: Error inserting apm \([^[:space:]]+\): No such device$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? IPv6 over IPv4 tunneling driver$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? NET: Registered protocol family [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? eth[0-9]+: Media Link (Off|On [0-9]+mbps (full|half)-duplex)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? SCSI subsystem initialized$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? SCSI device [[:alnum:]]+: drive cache: write (through|back)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? BIOS EDD facility v[.0-9]+ [0-9]+-\w{3}-[0-9]+, [0-9]+ devices found$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? Device not ready\. Make sure there is a disc in the drive\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? libata version [.[:digit:]]+ loaded\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ata[[:digit:]]+: EH complete$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:lower:]]+: unknown partition table$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ([[:lower:]]+):( (\1[[:digit:]]+|[<>]))+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:lower:]]+: cache flushes supported$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? scsi [:[:digit:]]+ Direct-Access[[:space:]]+[[:alnum:][:space:][:punct:]]+PQ: [[:digit:]]+ ANSI: [[:digit:]]+( CCS)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? sd [:[:digit:]]+ Attached scsi generic sg[[:digit:]]+ type [[:digit:]]+$
+# sk98lin output
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:space:]]+speed:[[:space:]]+100?0?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:space:]]+autonegotiation:[[:space:]]+(yes|no)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:space:]]+duplex mode:[[:space:]]+(full|half)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:space:]]+flowctrl:[[:space:]]+a?symmetric$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:space:]]+irq moderation:[[:space:]]+(en|dis)abled$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:space:]]+scatter-gather:[[:space:]]+(en|dis)abled$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:space:]]+[rt]x-checksum:[[:space:]]+(en|dis)abled$
+# skge output
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? skge [[:alnum:]]+: Link is up at 100?0? Mbps, (full|half) duplex, flow control tx and rx$
+# ipmi
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ipmi message handler version [.[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ipmi device interface$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? Copyright \(C\) 20[[:digit:]]+( ?- ?[[:digit:]]+)? MontaVista Software - IPMI Powerdown via sys_reboot\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? IPMI System Interface driver\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? IPMI Watchdog: driver initialized$
+# this is stuff related to the webmin bandwidth module, also in use by shorewall it seems
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? BANDWIDTH_OUT:IN= OUT=[[:alnum:]]+ SRC=[.0-9]{7,15} DST=[.0-9]{7,15} LEN=[0-9]+ TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[0-9]+ ID=[0-9]+ (DF )?PROTO=TCP SPT=[0-9]+ DPT=[0-9]+ WINDOW=[0-9]+ RES=0x[[:xdigit:]]+ ACK PSH URGP=[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? BANDWIDTH_IN:IN=[[:alnum:]]+ OUT= MAC=[:[:xdigit:]]+ SRC=[.0-9]{7,15} DST=[.0-9]{7,15} LEN=[0-9]+ TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[0-9]+ ID=[0-9]+ (DF )?PROTO=TCP SPT=[0-9]+ DPT=[0-9]+ WINDOW=[0-9]+ RES=0x[[:xdigit:]]+ ACK (PSH )?URGP=[0-9]+$
+# bridging
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? Bridge firewalling registered$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:alnum:]]+: port [[:digit:]]+\([[:alnum:].]+\) entering disabled state$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? 3ware( 9000)? Storage Controller device driver for Linux v[.[:digit:]-]+\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? scsi[[:digit:]] : 3ware( 9000)? Storage Controller$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? 3w-[9x]xxx: scsi[[:digit:]]: Found a 3ware( 9000)? Storage Controller at 0x[[:xdigit:]]+, IRQ: [[:digit:]]+\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? 3w-9xxx: scsi[[:digit:]]: Firmware [[:alnum:].]+ [.[:digit:]]+, BIOS [[:alnum:]]+ [.[:digit:]]+, Ports: [[:digit:]]+\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? 3w-9xxx: scsi[[:digit:]]: AEN: INFO \(0x[[:xdigit:]]+:0x[[:xdigit:]]+\): Verify (started|paused|completed):unit=[[:digit:]]+\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? 3w-9xxx: scsi[[:digit:]]: AEN: INFO \(0x[[:xdigit:]]+:0x[[:xdigit:]]+\): Battery charging (started|completed):\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? 3w-9xxx: scsi[[:digit:]]: AEN: INFO \(0x[[:xdigit:]]+:0x[[:xdigit:]]+\): Battery capacity test (started|completed):([[:digit:]]+ hours)?\.$
+# other
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? st: Version [[:digit:]]+, fixed bufsize [[:digit:]]+, s/g segs [[:digit:]]+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:alnum:]]+: register 'cdc_ether' at usb-[-.:[:xdigit:]]+, CDC Ethernet Device, [:[:xdigit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:alnum:]]+: unregister 'cdc_ether' usb-[-.:[:xdigit:]]+, CDC Ethernet Device[[:space:]]*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? capilib_new_ncci: kcapi: appl [0-9]+ ncci 0x[12]0[12]0[12] up$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? kcapi: appl [0-9]+ ncci 0x[12]0[12]0[12] down$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? Bluetooth: HIDP \(Human Interface Emulation\) ver [.[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usbcore: registered new interface driver [_[:alnum:]]+$
diff --git a/etc/logcheck/ignore.d.server/krb5-kdc b/etc/logcheck/ignore.d.server/krb5-kdc
new file mode 100644 (file)
index 0000000..3d1e7e0
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ krb5kdc\[[0-9]+\]: (AS|TGS)_REQ \([0-9]+ etypes \{[[:digit:] ]+\}\) [.:[:xdigit:]]+: ISSUE: authtime [[:digit:]]+, etypes \{rep=[[:digit:]]+ tkt=[[:digit:]]+ ses=[[:digit:]]+\}, [._@/[:alnum:]-]+ for [._@/[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ krb5kdc\[[0-9]+\]: (AS|TGS)_REQ \([0-9]+ etypes \{[[:digit:] ]+\}\) [.:[:xdigit:]]+: NEEDED_PREAUTH: [._@/[:alnum:]-]+ for [._@/[:alnum:]-]+, Additional pre-authentication required$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ krb5kdc\[[0-9]+\]: DISPATCH: repeated \(retransmitted\?\) request from [.:[:xdigit:]]+, resending previous response$
diff --git a/etc/logcheck/ignore.d.server/libpam-mount b/etc/logcheck/ignore.d.server/libpam-mount
new file mode 100644 (file)
index 0000000..07d79f4
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [-[:alnum:]]+\[[0-9]+\]: pam_mount\(mount.c:[[:digit:]]+\) realpath of volume "[.[:alnum:]/_-]+" is "[.[:alnum:]/_-]+"$
diff --git a/etc/logcheck/ignore.d.server/logcheck b/etc/logcheck/ignore.d.server/logcheck
new file mode 100644 (file)
index 0000000..a2272ec
--- /dev/null
@@ -0,0 +1,10 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session closed for user [.[:alnum:]-]+$
+# new pam format
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session closed for user [.[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_[^[:space:]]+: [^[:space:]]+ session opened for user [.[:alnum:]-]+ by \(uid=0\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_[^[:space:]]+: [^[:space:]]+ session closed for user [.[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ identd\[[0-9]+\]: started$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ chfn\[[0-9]+\]: changed user `logcheck' information$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ usermod\[[0-9]+\]: changed user `logcheck' home from '[^']+ to '/var/lib/logcheck'$
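Review bot: The last rule (the `usermod` line) opens a quote before `[^']+` but never closes it, so a message that quotes the old home directory on both sides cannot match and the rule is probably dead. If that is the format usermod logs, the tail should read `home from '[^']+' to '/var/lib/logcheck'$`. The `chfn` rule just above quotes the user name with a backtick, so both are worth checking against a real log line. The failure mode is only extra report noise, not a hidden event.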
diff --git a/etc/logcheck/ignore.d.server/lpr b/etc/logcheck/ignore.d.server/lpr
new file mode 100644 (file)
index 0000000..6aa2411
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [\._[:alnum:]]+ lpd\[[0-9]+\]: restarted$
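Review bot: The host field here is `[\._[:alnum:]]+`, while the neighbouring rule files use `[._[:alnum:]-]+`. In a POSIX bracket expression the backslash is a literal character rather than an escape, and the missing `-` means the rule will not match on hosts with a hyphen in their name. Using the common form, `^\w{3} [ :0-9]{11} [._[:alnum:]-]+ lpd\[[0-9]+\]: restarted$`, keeps the file consistent with the rest.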
diff --git a/etc/logcheck/ignore.d.server/maradns b/etc/logcheck/ignore.d.server/maradns
new file mode 100644 (file)
index 0000000..059ed64
--- /dev/null
@@ -0,0 +1,10 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ maradns\.[-_[:alnum:]]+: [[:space:]]*Log: Root directory changed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ maradns\.[-_[:alnum:]]+: [[:space:]]*Log: Binding to address [:.[:xdigit:],]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ maradns\.[-_[:alnum:]]+: [[:space:]]*Log: Socket opened on UDP port 53$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ maradns\.[-_[:alnum:]]+: [[:space:]]*Log: Root privileges dropped$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ maradns\.[-_[:alnum:]]+: [[:space:]]*Log: All RRs have been loaded$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ maradns\.[-_[:alnum:]]+: Processing zone [-._[:alnum:]]+\. right now\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ maradns\.[-_[:alnum:]]+: Filename: .+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ maradns\.[-_[:alnum:]]+: /usr/sbin/maradns already running\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ maradns\.[-_[:alnum:]]+: Adding root nameserver resolvconf_nameservers for zone \.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ maradns\.[-_[:alnum:]]+: MaraDNS proudly serves you [[:digit:]]+ DNS records$
diff --git a/etc/logcheck/ignore.d.server/mldonkey-server b/etc/logcheck/ignore.d.server/mldonkey-server
new file mode 100644 (file)
index 0000000..87287a9
--- /dev/null
@@ -0,0 +1,74 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mldonkey_server: Set niceness of the process: [[:digit:]]{1,2}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mldonkey_server: Set uid/gid of the process \([[:digit:]]{1,5}, [[:digit:]]{1,5}\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mldonkey_server: Set umask of the process: [[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mldonkey_server: Chdir to (home|chdir) dir: [-_./[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mldonkey_server: Fork the process$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mldonkey_server: Reset the group leader$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mldonkey_server: Fork a second time the process$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mldonkey_server: Close standard IO$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mldonkey_server: Process is running in the background$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mldonkey_server: Writing PID \([[:digit:]]+\) to pidfile: /var/run/mldonkey/mlnet\.pid$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mldonkey_server: Launching MLnet process$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mldonkey_server: Launching MLnet std(err|out) logger$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mldonkey_server: (Terminate|Respawn) process$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mldonkey_server: (Process stopped PID|Stopping processes PID) \( ([[:digit:]]+ )+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mldonkey_server: Waiting termination of process [[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mldonkey_server: Process [[:digit:]]+ terminated
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mldonkey_server: MLDonkey server end$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mldonkey_server: Removing pidfile: /var/run/mldonkey/mlnet\.pid$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: The core therefore is unable to get eDonkey serverlists and loading$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: \.torrent files via dllink from websites is also impossible.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: If you are using MLDonkey in a chroot environment you should$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: consider reading this article to get DNS support back:$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: http://mldonkey\.sourceforge\.net/Chroot$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error:$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: Warning: unknown mime-type for "temp/[^[:space:]]+" -- using "application/\*"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: Error: no "view" mailcap rules found for type "application/\*"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: Error: no such file ".+"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[cUd\] converting [[:digit:]]+ users to new format$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[cCO\] Options correctly saved$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[dMain\] Check http://www\.mldonkey\.net/ for updates$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[dMain\] enabling networks:$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[dMain\] ---- enabling [[:alnum:]]+ ----$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[EDK\] loading sources completed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[dMain\] using port [[:digit:]]{1,5} \(client_port (TC|UD)P\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[dMain\] using port [[:digit:]]{1,5} \((http|telnet|gui)_port\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} disabled networks: [ [:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[dMain\] To command: telnet [.[:digit:]]{7,15} [[:digit:]]{1,5}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[dMain\] Or with browser: http://[.[:digit:]]{7,15}:[[:digit:]]{1,5}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[dMain\] For a GUI check out http://sancho-gui\.sourceforge\.net$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[dMain\] Connect to IP [.[:digit:]]{7,15}, port [[:digit:]]{1,5}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[dMain\] If you connect from a remote machine adjust allowed_ips$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[dMain\] mldonkey is now running as user [[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[dMain\] mldonkey is now running as uid [[:digit:]]{1,5}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[cCO\] Options correctly saved$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[dMain\] Core started$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[cO\] Starting MLDonkey [.[:digit:]]+ \.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[cO\] Logging in \./mlnet\.log$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[cO\] Language [[:upper:]]+, locale [-_.[:alnum:]]+, ulimit for open files [[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[cO\] MLDonkey is working in \.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[cO\] loaded language resource file$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} Loading language resource /[-/_.[:alnum:]]+/mlnet_strings\.[-_.[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[DNS\] Resolving \[[-_.[:alnum:]]+\] \.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[cWeb\] saving guarding\.p2p \(http://www\.bluetack\.co\.uk/config/level1\.gz\)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[cWeb\] saving server\.met \(http://www\.gruk\.org/server\.met\.gz\)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[cWeb\] saving contact\.dat \(http://download\.overnet\.org/contact\.dat\)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[cWeb\] saving geoip\.dat \(http://www\.maxmind\.com/download/geoip/database/GeoIP\.dat\.gz\)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[cWeb\] Failure\("Unknown kind \[nodes\.gzip\]"\) while loading http://update\.kceasy\.com/update/fasttrack/nodes\.gzip$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[EDK\] There are no ED2K-servers in your servers\.ini\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[EDK\] Please import servers from a server\.met file\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[EDK\] Let MLDonkey use a file configured in web_infos$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[EDK\] or enter this link into MLDonkey:$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[EDK\] ed2k://\|serverlist\|http://www\.gruk\.org/server\.met\.gz\|/$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[Overnet\] Overnet module is disabled, ignoring\.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[cO\] server\.met loaded from http://www\.gruk\.org/server\.met\.gz, [[:digit:]]+ servers found, [[:digit:]]+ new ones inserted
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} COPY /tmp/arch_[[:alnum:]]+\.tmp TO web_infos/GeoIP\.dat$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[GeoIP\] database loaded$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[IPblock\] loading web_infos/level1\.gz$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[IPblock\] [[:digit:]]+ ranges loaded - optimized to [[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[cSe\] Disconnected server [- _.[:alnum:]]+ \([.[:digit:]]{7,15}:[[:digit:]]{1,5}\), IP is now blocked$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[dMain\] Received SIGTERM, stopping MLDonkey\.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[cCO\] Sources correctly saved$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[cCO\] Options backup as \.tar\.gz correctly saved$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: [/[:digit:]]{10} [:[:digit:]]{8} \[dMain\] Core stopped$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mlnet_error: verifySignature: BER decode error$
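Review bot: Several rules in this file have no closing `$`: the `Process [[:digit:]]+ terminated` rule, the four `\[cWeb\] saving …` rules and the `server\.met loaded from …` rule. An ignore rule without an end anchor suppresses the line whatever follows the matched text, which is wider than the other rules in the file intend. Ending each with `$`, for example `mldonkey_server: Process [[:digit:]]+ terminated$`, keeps the suppression to the exact message; if one of these messages really carries a variable tail, match that tail explicitly instead. The `\[cCO\] Options correctly saved$` rule also appears twice.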
diff --git a/etc/logcheck/ignore.d.server/mon b/etc/logcheck/ignore.d.server/mon
new file mode 100644 (file)
index 0000000..1031acf
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mon\[[0-9]+\]: client connection from [.[:digit:]]+:[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mon\[[0-9]+\]: client command "(protid [0-9]+|list disabled|disable watch websites)"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mon\[[0-9]+\]: authenticated monuser$
diff --git a/etc/logcheck/ignore.d.server/nagios b/etc/logcheck/ignore.d.server/nagios
new file mode 100644 (file)
index 0000000..9034c53
--- /dev/null
@@ -0,0 +1,21 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: Auto-save of retention data completed successfully\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: LOG ROTATION: (DAILY|WEEKLY|MONTHLY)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: Nagios (1|2)\.[0-9] starting\.\.\. \(PID=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: Caught SIGHUP, restarting\.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: SERVICE ALERT: [._[:alnum:]-]+;[^;]+;(CRITICAL|WARNING|OK|UNKNOWN);(SOFT|HARD);.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: SERVICE NOTIFICATION: [._[:alnum:]-]+;[._[:alnum:]-]+;[^;]+;(ACKNOWLEDGEMENT \()?(CRITICAL|WARNING|OK|UNKNOWN)(\))?;.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: SERVICE FLAPPING ALERT: [._[:alnum:]-]+;[._[:alnum:]-]+;(STARTED|STOPPED); Service appears to have (started|stopped) flapping \([0-9.]+% change [<>] [.[:digit:]]+% threshold\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: HOST ALERT: [._[:alnum:]-]+;(DOWN|UP|UNREACHABLE);(SOFT|HARD);.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: HOST NOTIFICATION: [._[:alnum:]-]+;[._[:alnum:]-]+;(DOWN|UP|UNREACHABLE);.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: HOST DOWNTIME ALERT: [._[:alnum:]-]+;(STARTED|STOPPED);.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: HOST EVENT HANDLER: [._[:alnum:]-]+;(UP|DOWN);(SOFT|HARD);[0-9]+;.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;[._[:alnum:]-]+;[^;]+;[0-9]+;.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: EXTERNAL COMMAND: (ENABLE|DISABLE)_(HOST_|HOST_SVC_|SVC_)?NOTIFICATIONS;[._[:alnum:]-]+(;[^;]+)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: EXTERNAL COMMAND: (ADD_SVC_COMMENT|ACKNOWLEDGE_SVC_PROBLEM);[._[:alnum:]-]+;[[:alnum:]]+;[0-9]+;([[:alnum:]]+;)?.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: EXTERNAL COMMAND: SCHEDULE_HOST_DOWNTIME;[._[:alnum:]-]+;[0-9;]+;[[:alnum:]]+;.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: Warning: The results of service '[ [:alnum:][:punct:]]+' on host '[._[:alnum:]-]+' are stale by [[:digit:]]+ seconds \(threshold=[[:digit:]]+ seconds\).  I'm forcing an immediate check of the service\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: SERVICE ALERT: [[:alnum:]]+;PING;(WARNING|OK).*$
+# nrpe
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nrpe\[[0-9]+\]: Error: Could not complete SSL handshake. 5$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: Warning: Host '[[:alnum:]]+' has no services associated with it\!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: LOG VERSION: 2\.[0-9]$
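Review bot: The `EXTERNAL COMMAND` rules hide the record of monitoring being silenced: `(ENABLE|DISABLE)_(HOST_|HOST_SVC_|SVC_)?NOTIFICATIONS` and `SCHEDULE_HOST_DOWNTIME` are the entries an operator would want to see if alerting were switched off unexpectedly. Consider keeping only the enabling side, `EXTERNAL COMMAND: ENABLE_(HOST_|HOST_SVC_|SVC_)?NOTIFICATIONS;[._[:alnum:]-]+(;[^;]+)?$`, and letting the disable and downtime commands reach the report. If they must stay ignored, a comment above them such as `# hides notification/downtime changes; review before deploying` would make the trade-off visible.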
diff --git a/etc/logcheck/ignore.d.server/netconsole b/etc/logcheck/ignore.d.server/netconsole
new file mode 100644 (file)
index 0000000..1a90176
--- /dev/null
@@ -0,0 +1,5 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: netconsole: (local|remote) port [[:digit:]]{2,5}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: netconsole: interface [[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: netconsole: (local|remote) IP [.[:digit:]]{7,15}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: netconsole: remote ethernet address [:[:xdigit:]]{17}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: netconsole: network logging started$
diff --git a/etc/logcheck/ignore.d.server/nfs b/etc/logcheck/ignore.d.server/nfs
new file mode 100644 (file)
index 0000000..5c8958e
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rpc\.mountd: authenticated (un|)mount request from [._[:alnum:]-]+:[0-9]+ for (/[[:alnum:]]*)+ \((/[[:alnum:]]*)+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mountd\[[0-9]+\]: authenticated (un|)mount request from [._[:alnum:]-]+:[0-9]+ for (/[[:alnum:]]*)+ \((/[[:alnum:]]*)+\)$
diff --git a/etc/logcheck/ignore.d.server/nntpcache b/etc/logcheck/ignore.d.server/nntpcache
new file mode 100644 (file)
index 0000000..f9afac0
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nntpcache-client\[[0-9]+\]: clean shutdown$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nntpcache-update\[[0-9]+\]: clean shutdown$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nntpcache-nocem\[[0-9]+\]: clean shutdown$
diff --git a/etc/logcheck/ignore.d.server/nscd b/etc/logcheck/ignore.d.server/nscd
new file mode 100644 (file)
index 0000000..3641627
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nscd: nss_ldap: reconnect(ing|ed) to LDAP server(\.\.\.| after [0-9]+ attempt\(s\))$
diff --git a/etc/logcheck/ignore.d.server/ntp b/etc/logcheck/ignore.d.server/ntp
new file mode 100644 (file)
index 0000000..c377a5b
--- /dev/null
@@ -0,0 +1,13 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: time reset [+-]*[0-9]{1,2}\.[0-9]{6} s$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: synchronisation lost$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: no servers reachable$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: synchronized to ([0-9.]{7,15}|[0-9a-fA-F:.]{4,39}), stratum [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: synchronized to LOCAL\([0-9]+\), stratum [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status change) [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: precision = [0-9]+\.[0-9]+ usec$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: peer ([.0-9]{7,15}|[0-9a-fA-F:.]{4,39}) now (in)?valid$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: adjusting local clock by -?[.0-9]+s$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: adjust time server -?[.0-9]+ offset$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: too many recvbufs allocated \([0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: Listening on interface [[:alnum:]]+, [:.[:xdigit:]]+#[[:digit:]]{1,5} (En|Dis)abled$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd(_initres)?\[[0-9]+\]: signal_no_reset: signal [[:digit:]]+ had flags [[:xdigit:]]+$
diff --git a/etc/logcheck/ignore.d.server/nullmailer b/etc/logcheck/ignore.d.server/nullmailer
new file mode 100644 (file)
index 0000000..80e069f
--- /dev/null
@@ -0,0 +1,7 @@
+nullmailer\[[0-9]+\]: Rescanning queue\.
+nullmailer\[[0-9]+\]: Trigger pulled\.
+nullmailer\[[0-9]+\]: Starting delivery, [0-9]+ message\(s\) in queue\.
+nullmailer\[[0-9]+\]: Starting delivery: protocol: [a-z]+ host: .+ file: [0-9\.]+
+nullmailer\[[0-9]+\]: Sent file\.
+nullmailer\[[0-9]+\]: Delivery complete, 0 message\(s\) remain\.
+nullmailer\[[0-9]+\]: smtp: Succeeded:
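Review bot: None of the seven rules in this file is anchored: they lack the `^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ` prefix used in the neighbouring files, and none has a closing `$`. An unanchored ignore rule matches anywhere in a line, so a line from a different program that merely contains, say, `nullmailer[1]: Sent file.` inside logged, externally supplied text would be filtered out of the report. Anchoring each rule to the syslog prefix and to the end of the message closes that gap. The version below assumes each message ends where the current pattern ends, and leaves the `smtp: Succeeded:` rule open at the end because its tail is not visible here.

```text
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nullmailer\[[0-9]+\]: Rescanning queue\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nullmailer\[[0-9]+\]: Trigger pulled\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nullmailer\[[0-9]+\]: Starting delivery, [0-9]+ message\(s\) in queue\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nullmailer\[[0-9]+\]: Starting delivery: protocol: [a-z]+ host: .+ file: [0-9\.]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nullmailer\[[0-9]+\]: Sent file\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nullmailer\[[0-9]+\]: Delivery complete, 0 message\(s\) remain\.$
# end left open: the text after "Succeeded:" is not shown in the original rule
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nullmailer\[[0-9]+\]: smtp: Succeeded:
```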
diff --git a/etc/logcheck/ignore.d.server/oidentd b/etc/logcheck/ignore.d.server/oidentd
new file mode 100644 (file)
index 0000000..516012e
--- /dev/null
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ oidentd\[[0-9]+\]: Connection from [._[:alnum:]-]+ \([0-9a-f.:]+\):[0-9]{1,5}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ oidentd\[[0-9]+\]: Connection from [0-9a-f.:]+:[0-9]{1,5}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ oidentd\[[0-9]+\]: \[[0-9a-f.:]+\.[0-9]{1,3}\] Successful lookup \(by forward\): [0-9]+ \([0-9]+\) , [0-9]+ : [_[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ oidentd\[[0-9]+\]: \[[._[:alnum:]-]+\] Successful lookup: [0-9]+ , [0-9]+ : [_[:alnum:]-]+ \([_[:alnum:]-]+\)$
diff --git a/etc/logcheck/ignore.d.server/openvpn b/etc/logcheck/ignore.d.server/openvpn
new file mode 100644 (file)
index 0000000..c02486c
--- /dev/null
@@ -0,0 +1,70 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:(( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})?( \[[-._[:alnum:]]+\])?)? Peer Connection Initiated with [0-9.]{7,15}:[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: Control Channel Authentication: using '[-._/[:alnum:]]+' as a OpenVPN static key file$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: (Outgo|Incom)ing Control Channel Authentication: Using [[:digit:]]+ bit message hash '(SHA1|MD5)' for HMAC authentication$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: [GU]ID set to [-._[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? Data Channel (En|De)crypt: Cipher '[[:alnum:]-]+' initialized with [[:digit:]]+ bit key$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? Data Channel (En|De)crypt: Using [0-9]+ bit message hash '[[:alnum:]-]+' for HMAC authentication$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? Control Channel: TLSv1, cipher TLSv1/SSLv3 [[:alnum:]-]+, [0-9]+ bit RSA$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: VERIFY OK: nsCertType=SERVER$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:(( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? \[[-_.[:alnum:]]+\])? Inactivity timeout \(--ping-restart\), restarting$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? Connection reset, restarting \[[[:digit:]]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? SIGUSR1\[soft,(ping-restart|connection-reset)\] received, (process|client-instance) restarting$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: Restart pause, [[:digit:]]+ second\(s\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: (Closing TCP/UDP|TCP/UDP: Closing) socket$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? Re-using (SSL/TLS context|pre-shared static key)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? VERIFY SCRIPT OK: depth=[[:digit:]]+, /(CN|O)=.+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? LZO compression initialized$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? (Data|Control) Channel MTU parms \[[[:upper:]:0-9/ ]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: Preserving previous TUN/TAP instance: [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? (Local|Expected Remote) Options hash \(VER=V[34]\): '[[:xdigit:]]+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: UDPv4 link (local( \(bound\))?|remote): (\[undef\]|[._[:alnum:]-]+)(:[0-9]+)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS: tls_multi_process: untrusted session promoted to trusted$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS: tls_multi_process: killed expiring key$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS: tls_pre_decrypt: first response to initial packet from [0-9.]{7,15}:[0-9]+, sid=[0-9a-f]+ [0-9a-f]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS: tls_pre_decrypt: new session incoming connection from [0-9.]{7,15}:[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS: tls_process: killed expiring key$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS: soft reset sec=[-0-9]+ bytes=[0-9]+/[0-9]+ pkts=[0-9]+/[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS: new session incoming connection from [0-9.]{7,15}:[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS: Initial packet from [.[:digit:]]{7,15}:[[:digit:]]+, sid=[[:xdigit:]]{8} [[:xdigit:]]{8}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS Error: Unknown data channel key ID or IP address received from [0-9.]{7,15}:[0-9]+: [0-9]+ \(see FAQ for more info on this error\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS Error: local/remote TLS keys are out of sync: [0-9.]{7,15}:[0-9]+ \[1\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS Error: Received control packet from unexpected IP addr: [0-9.]{7,15}:[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS Error: TLS key negotiation failed to occur within 60 seconds \(check your network connectivity\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: (read|write) UDPv4 \[EHOSTUNREACH\]: No route to host \(code=113\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: read UDPv4 \[EHOSTUNREACH\|EHOSTUNREACH\]: No route to host \(code=113\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: read UDPv4 \[EHOSTUNREACH\|EHOSTUNREACH\|EHOSTUNREACH\]: No route to host \(code=113\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: Adaptive compression state (OFF|ON)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: /sbin/route del -net [.[:digit:]]{7,15} netmask [.[:digit:]]{7,15}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: Closing TUN/TAP interface$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: Diffie-Hellman initialized with [[:digit:]]+ bit key$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: TLS-Auth MTU parms \[ L:[[:digit:]]+ D:[[:digit:]]+ EF:[[:digit:]]+ EB:[[:digit:]]+ ET:[[:digit:]]+ EL:[[:digit:]]+ \]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: TUN/TAP device tun[-._[:alnum:]]+ opened$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: /sbin/ifconfig tun[-._[:alnum:]]+ [.[:digit:]]{7,15} pointopoint [.[:digit:]]{7,15} mtu [[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: /sbin/route add -net [.[:digit:]]{7,15} netmask [.[:digit:]]{7,15} gw [.[:digit:]]{7,15}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: TCPv4_SERVER link (local \(bound\)|remote): [.[:digit:]]{7,15}:[[:digit:]]{2,5}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: Listening for incoming TCP connection on [.[:digit:]]{7,15}:[[:digit:]]{2,5}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: TCP connection established with [.[:digit:]]{7,15}:[[:digit:]]{2,5}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: TCPv4_SERVER link (remote|local): \[undef\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: MULTI: multi_create_instance called$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: MULTI: multi_init called, r=[[:digit:]]+ v=[[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: IFCONFIG POOL: base=[.[:digit:]]{7,15} size=[[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: IFCONFIG POOL LIST$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? REMOVE PUSH ROUTE: 'route [.[:digit:]]{7,15} [.[:digit:]]{7,15}'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: Initialization Sequence Completed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: MULTI: TCP INIT maxclients=[[:digit:]]+ maxevents=[[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? MULTI: internal route [.[:digit:]]{7,15}/[[:digit:]]{2} -> [-_.[:alnum:]]+/[.[:digit:]]{7,15}:[[:digit:]]{2,5}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? MULTI: Learn: [.[:digit:]]{7,15}(/[[:digit:]]{2})? -> [-_.[:alnum:]]+/[.[:digit:]]{7,15}:[[:digit:]]{2,5}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? MULTI: primary virtual IP for [-_.[:alnum:]]+/[.[:digit:]]{7,15}:[[:digit:]]{2,5}: [.[:digit:]]{7,15}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? MULTI: bad source address from client \[[.[:digit:]]{7,15}\], packet dropped$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? (PUSH: Received control message|SENT CONTROL \[[-_.[:alnum:]]+\]): 'PUSH_REPLY(,redirect-gateway)?(,route [.[:digit:]]{7,15}( [.[:digit:]]{7,15})?)*,ping [[:digit:]]+,ping-restart [[:digit:]]+,ifconfig [.[:digit:]]{7,15} [.[:digit:]]{7,15}'( \(status=[[:digit:]]+\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? (PUSH: Received control message|SENT CONTROL \[[-_.[:alnum:]]+\]): 'PUSH_REQUEST'( \(status=[[:digit:]]+\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? OPTIONS IMPORT: reading client specific options from: [-_./[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? OPTIONS IMPORT: timers and/or timeouts modified$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? OPTIONS IMPORT: --ifconfig/up options modified$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? OPTIONS IMPORT: route options modified$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? VERIFY (SCRIPT )?OK: depth=[[:digit:]]+, /[-:_./=@[:alnum:]]+$
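Review bot: The four `TLS Error:` rules and the `MULTI: bad source address from client` rule suppress the messages that show failed or unexpected handshakes, such as `Received control packet from unexpected IP addr` and `TLS key negotiation failed to occur within 60 seconds`. On an exposed endpoint these are the entries that reveal probing or a misbehaving peer, so ignoring them at server level removes a useful signal. I would leave them out of this file, or at least mark them with a comment such as `# hides failed/unexpected TLS handshakes; remove on exposed endpoints`. The `IMPORTANT:` rule at the top also leaves the dots in `IANA.` and `2.0-beta16` unescaped, which is harmless but looser than the rest.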
diff --git a/etc/logcheck/ignore.d.server/otrs b/etc/logcheck/ignore.d.server/otrs
new file mode 100644 (file)
index 0000000..1e9703e
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ OTRS-CGI-[[:digit:]]+\[[0-9]+\]: \[Notice\] .+$
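Review bot: `\[Notice\] .+$` filters every Notice-level line that OTRS-CGI writes, whatever its content, so the rule acts as a severity filter rather than a list of known-benign messages. This file does not show which events OTRS logs at Notice; if logins or permission changes are among them, they would disappear from the report. A comment above the rule would make that explicit, e.g. `# ignores ALL OTRS [Notice] lines; narrow this if any of them should be reported`.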
diff --git a/etc/logcheck/ignore.d.server/pdns b/etc/logcheck/ignore.d.server/pdns
new file mode 100644 (file)
index 0000000..e250f7f
--- /dev/null
@@ -0,0 +1,53 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pdns\[[0-9]+\]: On retrieving question of packet from [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}, encountered error: Label claims to be longer than packet$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pdns\[[0-9]+\]: Ignoring packet: too short from [.0-9]{7,15}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pdns\[[0-9]+\]: Ignoring packet: question too short from [.0-9]{7,15}, offset [[:digit:]]+>=[[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pdns\[[0-9]+\]: Ignoring packet: question too short from [.0-9]{7,15}, [0-9]+>=[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pdns\[[0-9]+\]: Error sending reply with sendto \(socket=[0-9]\): Invalid argument$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pdns\[[0-9]+\]: Received packet from recursor backend with id [0-9] which is a duplicate$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pdns_recursor\[[0-9]+\]: Refreshed ([0-9]+|\.) records$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pdns_recursor\[[0-9]+\]: Unable to parse packet from remote( UDP)? server [.0-9]{7,15}: (Wrong size for A record \(0\)|Error parsing packet of 115 bytes \(rd=0\), out of bounds: vector::_M_range_check|packet smalll?er than DNS header)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Listening on controlsocket in '/var/run/pdns\.controlsocket'$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: This is a guarded instance of pdns$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: (UD|TC)P server bound to [.[:digit:]]{7,15}:[[:digit:]]{2,5}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: (UD|TC)Pv6 server bound to \[[:.[:xdigit:]]+\]:[[:digit:]]{2,5}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: PowerDNS comes with ABSOLUTELY NO WARRANTY\. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Set effective (user|group) id to [[:digit:]]{1,5}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: DNS Proxy launched, local port [[:digit:]]{1,5}, remote [.[:digit:]]{7,15}:[[:digit:]]{2,5}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Creating backend connection for TCP$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Master/slave communicator launching$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: About to create [[:digit:]]+ backend threads for UDP$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: [[:digit:]]+ domains? for which we are master needs? notifications$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Not authoritative for '[^']*', sending servfail to [.[:digit:]]{7,15}( \(recursion was desired\))?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: (No|[[:digit:]]+) master domains? needs? notifications$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: [[:digit:]]+ slave domains? needs? checking$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Domain [-_.[:alnum:]]+ is fresh$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: All slave domains are fresh$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Received a malformed qdomain from [.[:digit:]]{7,15}, '.+': dropping$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Queued notification of domain '[-_.[:alnum:]]+' to [.[:digit:]]{7,15}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Received NOTIFY for [-_.[:alnum:]]+ from [.[:digit:]]{7,15} which is not a master$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Received NOTIFY for [-_.[:alnum:]]+ from master [.[:digit:]]{7,15}, we are up to date: [[:digit:]]+<=[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Received valid NOTIFY for [-_.[:alnum:]]+ (\(id=[[:digit:]]+\) )?from master [.[:digit:]]{7,15}: [[:digit:]]+ > [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Received unsuccesful notification report for '[-_.[:alnum:]]+' from [.[:digit:]]{7,15}, rcode: [25]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Received spurious notify answer for '[-_.[:alnum:]]+' from [.[:digit:]]{7,15}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Received an unknown opcode [[:digit:]]+ from [.[:digit:]]{7,15} for( [-_.[:alnum:]]+)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Received NOTIFY for ([-_.[:alnum:]]+)? from [.[:digit:]]{7,15} for which we are not authoritative$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Error resolving SOA or NS for '' at [.[:digit:]]{7,15}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Removed from notification list: '[-_.[:alnum:]]+' to [.[:digit:]]{7,15}( \(was acknowledged\))?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Notification request for domain '[-_.[:alnum:]]+' received from operator$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Recursive query for remote [.[:digit:]]{7,15} with internal id [[:digit:]]+ was not answered by backend within timeout, reusing id$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Received an overly large question from [.[:digit:]]{7,15}, dropping$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Unable to determine SOA serial for ([-_.[:alnum:]]+)? at potential supermaster [.[:digit:]]{7,15}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Created new slave zone '[-_.[:alnum:]]+' from supermaster [.[:digit:]]{7,15}, queued axfr$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: Domain [-_.[:alnum:]]+ is stale, master serial [[:digit:]]+, our serial [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: TCP nameserver had error, cycling backend:Trying to read data from remote TCP client [.[:digit:]]{7,15}: Connection reset by peer$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: TCP server is without backend connections, launching$
+# pgsql
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: This is module gpgsqlbackend\.so reporting$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: gpgsql Connection succesful$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: AXFR of domain '[-_.[:alnum:]]+' initiated by [.[:digit:]]{7,15}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: AXFR of domain '[-_.[:alnum:]]+' to [.[:digit:]]{7,15} finished$
+# sqlite 
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: This is module gsqlite reporting$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: gsqlite: connection to '[-._/[:alnum:]]+' success?ful$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: AXFR started for '[-_.[:alnum:]]+', transaction started$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: AXFR done for '[-_.[:alnum:]]+', zone committed$
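Review bot: The `AXFR of domain '…' initiated by …` and `AXFR of domain '…' to … finished` rules under `# pgsql` filter zone transfers to any IPv4 address, so a transfer to a host that is not one of your secondaries would never reach the report. Whether the server's own transfer ACL already prevents that is not visible from this file, so I would leave these two out of the shipped default and add them locally with the secondaries' addresses in place of `[.[:digit:]]{7,15}`. The same reasoning applies to `Created new slave zone '…' from supermaster …, queued axfr`, which records a zone being added automatically. Separately, `socket=[0-9]`, `with id [0-9]` and `packet of 115 bytes` look copied from single samples and match only that width or value; `[0-9]+` would be the usual form.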
diff --git a/etc/logcheck/ignore.d.server/perdition b/etc/logcheck/ignore.d.server/perdition
new file mode 100644 (file)
index 0000000..1eb8a23
--- /dev/null
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Auth: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} user=\"[[:alnum:]+[:punct:]+]+\" server=\"[[:alnum:]+[:punct:]]+\" port=\"[0-9]+\" status=\"ok\"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Close: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} user=\"[[:alnum:]+[:punct:]+]+\" received=[0-9]+ sent=[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Closing NULL session: [.0-9]{7,15}->[.0-9]{7,15} username=\(null\)$
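Review bot: In the `Auth:` and `Close:` rules the user field is written `[[:alnum:]+[:punct:]+]+`; inside a bracket expression `+` is a literal character, not a quantifier, and `[:punct:]` already contains it, so `[[:alnum:][:punct:]]+` matches the same strings (the `server=` field has the same stray `+`). Because `[:punct:]` includes `"` and `=`, the field is not really delimited by its quotes; `[^"[:space:]]+` would be tighter if quotes cannot occur in user names, which I cannot tell from here. `\"` also depends on the regex engine treating an escaped quote as a literal quote; a bare `"` is the portable spelling.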
diff --git a/etc/logcheck/ignore.d.server/policyd b/etc/logcheck/ignore.d.server/policyd
new file mode 100644 (file)
index 0000000..3446859
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ policyd: connection from: [._[:alnum:]-]+ \(port [[:digit:]]+\), fd: [[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ policyd: rcpt=[[:digit:]]+, throttle=(new|update|clear), host=[._[:alnum:]-]+, from=[^[:space:]]+, to=[^[:space:]]+, size=[/[:digit:]]+, quota=[/[:digit:]]+, count=[/[:digit:]]+\([[:digit:]]+\)(, sasl_username=[._[:alnum:]-]+)?$
diff --git a/etc/logcheck/ignore.d.server/popa3d b/etc/logcheck/ignore.d.server/popa3d
new file mode 100644 (file)
index 0000000..6d8383e
--- /dev/null
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ popa3d\[[0-9]+\]: Session from [:0-9a-f.]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ popa3d\[[0-9]+\]: Authentication passed for [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ popa3d\[[0-9]+\]: [0-9]+ messages? \([0-9]+ bytes\) loaded$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ popa3d\[[0-9]+\]: [0-9]+ \([0-9]+\) deleted, [0-9]+ \([0-9]+\) left$
diff --git a/etc/logcheck/ignore.d.server/postfix b/etc/logcheck/ignore.d.server/postfix
new file mode 100644 (file)
index 0000000..4198301
--- /dev/null
@@ -0,0 +1,132 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/postfix-script: refreshing the Postfix mail system$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: skipped, still being delivered$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: from=<.*>, status=expired, returned to sender$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: message-id=(<?[^[:space:]]+>?)?( \(added by [^[:space:]]+\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: removed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/(error|n?qmgr|smtp)\[[0-9]+\]: [[:alnum:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=(none|[^[:space:]]+\[[0-9.]{7,15}\]:25),( conn_use=[0-9]+,)? delay=[0-9.]+,( delays=[0-9./]+,)?( dsn=4\.[0-9]\.[0-9],)? status=(deferred|undeliverable) \((delivery temporarily suspended: )?(lost connection with [^[:space:]]+ while (sending [[:alnum:]]+( [[:alnum:]]+)?|performing the HELO handshake)|conversation with [^[:space:]]+ timed out while (receiving the initial server greeting|sending [[:alnum:]]+( [/[:alnum:]]+)?|sending end of data -- message may be sent more than once)|connect to [^[:space:]]+: (Connection timed out|read timeout|Connection refused)|Host or domain name not found. Name service error for name=[^[:space:]]+ type=MX: Host not found, try again)\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+: (Connection timed out|read timeout|Connection refused)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:alnum:]]+: conversation with [^[:space:]]+ timed out while (receiving the initial server greeting|performing the (EHLO|HELO) handshake)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/(error|n?qmgr)\[[0-9]+\]: [[:alnum:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=none,( conn_use=[0-9]+,)? delay=[0-9.]+,( delays=[0-9./]+,)?( dsn=[45]\.[0-9]\.[0-9],)? status=bounced \(bad address syntax\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: unable to open Berkeley db /etc/sasldb: No such file or directory$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: verify error:num=10:certificate has expired$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: verify error:num=18:self signed certificate$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: verify error:num=19:self signed certificate in certificate chain$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: verify error:num=20:unable to get local issuer certificate$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: verify error:num=2:unable to get issuer certificate$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: verify error:num=21:unable to verify the first certificate$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: verify error:num=24:invalid CA certificate$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: verify error:num=26:unsupported certificate purpose$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: verify error:num=27:certificate not trusted$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: cert has expired$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: (Peer|Server) certificate could not be verified$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: smtpd_peer_init: [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+: address not listed for hostname [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: (Anonymous )?TLS connection established (to|from) [^[:space:]]+: (TLSv1|SSLv[23]) with cipher [^[:space:]]+ \([/0-9]+ bits\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: setting up TLS connection (to|from) [._[:alnum:]-]+(\[[0-9a-f.:]{3,39}\])?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: fingerprint=([0-9A-F]{2}:){15}[0-9A-F]{2}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: Verified: subject_CN=.*, issuer=.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: Unverified: subject_CN=.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: issuer=[[:space:]]*/O=.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: OTP unavailable because can't read/write key database /etc/opiekeys: No such file or directory$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:upper:]0-9]+: reject: (RCPT|MAIL) from [._[:alnum:]-]+\[[0-9a-f.:]{3,39}\]: [45][0-9][0-9] .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+ Connection (refused|timed out) \(port [0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+ No route to host \(port 25\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+ Network is unreachable \(port 25\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+ server refused mail service \(port 25\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+ ?\[[0-9a-f.:]{3,39}\]: read timeout \(port 25\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:upper:]0-9]+: conversation with [._[:alnum:]-]+\[[0-9a-f.:]{3,39}\] timed out while (receiving the initial server greeting|sending [[:alnum:]]+( [[:alnum:]]+)?|sending end of data -- message may be sent more than once)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/bounce\[[0-9]+\]: [[:upper:]0-9]+: sender (non-delivery|delivery status) notification: [[:upper:]0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/postsuper\[[0-9]+\]: Deleted: [[:digit:]]+ messages?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/pickup\[[0-9]+\]: [[:xdigit:]]+: uid=[[:digit:]]+ from=<[^>]+> orig_id=[[:xdigit:]]+$
+# Postfix 2.1
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+ server dropped connection without sending the initial SMTP greeting \(port 25\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:upper:]0-9]+: host [^[:space:]]+ refused to talk to me: [45][0-9][0-9].*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:upper:]0-9]+: lost connection with [^[:space:]]+ while sending( [[:upper:]]+){1,2}( command)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:upper:]0-9]+: lost connection with [^[:space:]]+ while receiving the initial (SMTP|server) greeting$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:upper:]0-9]+: lost connection with [^[:space:]]+ while performing the HELO handshake$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:upper:]0-9]+: lost connection with [^[:space:]]+ while sending end of data -- message may be sent more than once$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: lost connection after [[:upper:]]+( \([0-9]+ bytes\))? from [._[:alnum:]-]+\[(unknown|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:upper:]0-9]+: host [^[:space:]]+ said: .* \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|end of DATA) command\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: no MX host for [^[:space:]]+ has a valid (A|address) record$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Unable to look up (NS|MX) host for [._[:alnum:]-]+: Host not found(, try again)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Unable to look up (NS|MX) host [._[:alnum:]-]+ for (Helo command|Sender address) [^[:space:]]+: (Name or service not known|No address associated with hostname)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: host [^[:space:]]+ greeted me with my own hostname [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: host [^[:space:]]+ replied to HELO/EHLO with my own hostname [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: decided action=DUNNO$
+# Postfix < 2.1
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+: server dropped connection without sending the initial greeting \(port 25\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:alnum:]]+: to=<.*>,( orig_to=<[^[:space:]]+>,)? relay=[^[:space:]]+\](:[0-9]+)?,( conn_use=[0-9]+,)? delay=[0-9.]+,( delays=[0-9./]+,)?( dsn=4\.[0-9]\.[0-9],)? status=deferred \(host [^[:space:]]+\] said: .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]: [[:upper:]0-9]+: to=<[^[:space:]]+>, relay=[._[:alnum:]-]+\[[0-9.]{7,15}\](:[[:digit:]]{1,5})?, (conn_use=[[:digit:]]+, )?delay=[.0-9]+(, delays=([.0-9]+/){3}[.0-9]+)?(, dsn=[45](\.[0-9]+){2})?, status=(deferred|bounced|undeliverable) \(host [._[:alnum:]-]+\[[0-9.]{7,15}\] said: [45][0-9][0-9] .+ \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|end of DATA) command\)\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:alnum:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=[^[:space:]]+\](:[0-9]+)?,( conn_use=[0-9]+,)? delay=[0-9.]+,( delays=[0-9./]+,)?( dsn=4\.[0-9]\.[0-9],)? status=deferred \((delivery temporarily suspended: )?conversation with [^[:space:]]+ timed out while (receiving the initial server greeting|sending [[:alnum:]]+( [[:alnum:]]+)?|sending end of data -- message may be sent more than once)\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]: [[:upper:]0-9]+: to=<[^[:space:]]+>, relay=[._[:alnum:]-]+\[[0-9.]{7,15}\](:[[:digit:]]{1,5})?, (conn_use=[[:digit:]]+, )?delay=[.0-9]+(, delays=([.0-9]+/){3}[.0-9]+)?(, dsn=2(\.[0-9]+){2})?, status=sent \(2[0-9][0-9] .+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: ([0-9a-f.:]{3,39})+: address not listed for hostname [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: too many errors after ([[:upper:]]{4}|UNKNOWN) from [._[:alnum:]-]+\[[.[:digit:]]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: warning: (valid_hostname: )?invalid character [0-9]+\(decimal\): .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: warning: (valid_hostname: )?misplaced delimiter: .$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: warning: (valid_hostname: )?empty hostname$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: warning: (valid_hostname: )?numeric hostname: [.[:digit:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: warning: numeric domain name in resource data of MX record for [._[:alnum:]-]+: [0-9a-f.:]{3,39}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: mailer loop: best MX for [^[:space:]]+ is local$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:upper:]0-9]+: enabling PIX <CRLF>\.<CRLF> workaround for .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: malformed domain name in resource data of (MX|CNAME) record for [^[:space:]]+:.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: timeout after [-[:upper:]]+( \([0-9]+ bytes\))? from [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:alnum:]]+: client=[^[:space:]]+, sasl_sender=.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:alnum:]]+: client=[^[:space:]]+, sasl_method=[-[:alnum:]]+, sasl_username=[-_.@[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:alnum:]]+: client=[._[:alnum:]-]+\[[0-9a-f.:]{3,39}\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: (resent-)?message-id=.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: numeric result [[0-9a-f.:]{3,39}]+ in address->name lookup for [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: numeric hostname: [0-9a-f.:]{3,39}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]]+ in (MAIL|RCPT) command: .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\] sent non-SMTP command: .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [._[:alnum:]-]+\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\] in MAIL command: .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: SSL_accept error from [._[:alnum:]-]+\[[0-9a-f.:]{3,39}\]: -?[[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: smtpd_spf_result: unknown SPF result 4 \(unknown\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)* relay=[^[:space:]]+,( conn_use=[[:digit:]]+,)? delay=[.0-9]+,( delays=[.0-9/]+, dsn=[0-9.]+,)? status=sent \(250 [0-9.]+ (Ok((, id=[-0-9]+, from MTA(\([^[:space:]]+\))?: 250 ([0-9.]+ )?Ok)?: queued as [0-9A-F]+|, discarded, UBE, id=[-0-9]+)*|[[:alnum:]]+ Message accepted for delivery)\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/local\[[0-9]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)* relay=local, delay=[0-9]+, status=sent \(delivered to command: exec /usr/bin/procmail\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/local\[[0-9]+\]: table hash:[^[:space:]]+\([-,|_[:alnum:]]+\) has changed -- restarting$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: : SPF pass: smtp_comment=.*: [.[:alnum:]]+ MX [.[:alnum:]]+ A [0-9a-f.:]+, header_comment=[.[:alnum:]]+: domain of [%[:punct:][:alnum:]]+@[.[:alnum:]]+ designates [0-9a-f.:]{3,39} as permitted sender$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/anvil\[[0-9]+\]: statistics: max (message|recipient|connection) (count|rate) [/[:digit:]s]+ for \(([.:[:xdigit:]]+)?(smtp(s)?|25|submission|587):[.:[:xdigit:]]+\) at \w{3} [ :0-9]{11}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/anvil\[[0-9]+\]: statistics: max cache size [[:digit:]]+ at \w{3} [ :0-9]{11}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/scache\[[0-9]+\]: statistics: start interval \w{3} [ :0-9]{11}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/scache\[[0-9]+\]: statistics: (domain|address) lookup hits=[0-9]+ miss=[0-9]+ success=[0-9]+%$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/scache\[[0-9]+\]: statistics: max simultaneous domains=[0-9]+ addresses=[0-9]+ connection=[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: initializing the server-side TLS engine$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: warning: reply length [0-9]+ > buffer length 4096 for name=[^[:space:]]+ type=[A-Z]+$
+# postfix 2.2
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/cleanup\[[[:digit:]]+\]: [[:xdigit:]]+: replace: header [-[:alnum:]]+: .+: [-[:alnum:]]+: .+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: Peer verification: [[:digit:]]+ dNSNames in certificate found, but no one does match [-_.[:alnum:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: warning: peer certificate has no (subject CN|issuer Organization)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: non-SMTP command from [^[:space:]]+\[[0-9a-f.:]{3,39}\]: .+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/local\[[[:digit:]]+\]: warning: perhaps you need to create the maildirs in advance$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/trivial-rewrite\[[[:digit:]]+\]: warning: valid_ipv4_hostaddr: invalid octet count: ?$
+# postfix 2.3
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/error\[[0-9]+\]: [[:alnum:]]+: to=<[^[:space:]]+>, relay=none, delay=[.0-9]+,( delays=[.0-9/]+,)? dsn=[45]\.0\.0, status=bounced \(User unknown in virtual alias table\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: network_biopair_interop: error reading [[:digit:]]+ bytes from the network: Connection reset by peer$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: discard: RCPT from [^[:space:]]+: <[^[:space:]]+>: .+; from=[^[:space:]]+ to=[^[:space:]]+ proto=E?SMTP helo=<[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: milter-reject: MAIL from [^[:space:]]+: .+; from=[^[:space:]]+ proto=E?SMTP helo=<[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:xdigit:]]+: to=<[^[:space:]]+>, relay=none,( conn_use=[0-9]+,)? delay=[0-9.]+,( delays=[0-9./]+,)?( dsn=[45]\.[0-9]\.[0-9],)? status=(bounced|deferred) \(.+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: ([-._[:alnum:]]+): RBL lookup error: Host or domain name not found\. Name service error for name=\1 type=A: Host not found, try again$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Connection concurrency limit exceeded: [[:digit:]]+ from [-._[:alnum:]]+\[[.[:digit:]]{7,15}\] for service smtp$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/bounce\[[0-9]+\]: [[:xdigit:]]+: sender delivery status notification: [[:xdigit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:upper:]0-9]+: to=<[^[:space:]]+>, relay=[._[:alnum:]-]+\[[0-9.]{7,15}\](:[[:digit:]]{1,5})?, (conn_use=[[:digit:]]+, )?delay=[.0-9]+(, delays=([.0-9]+/){3}[.0-9]+)?(, dsn=2(\.[0-9]+){2})?, status=deliverable \(250 Ok\)$
+# mysql
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: commit transaction$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: sql plugin: no result found$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: begin transaction$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: sql auxprop plugin using mysql engine$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: sql plugin try and connect to a host$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: sql plugin create statement from (cmusaslsecretCRAM-MD5|userPassword) [^[:space:]]+ [^[:space:]]+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: sql plugin trying to open db '[^[:space:]]+' on host '[^[:space:]]+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: sql plugin doing query select password from [_[:alnum:]]+ where [_[:alnum:]]+='[._@[:alnum:]-]+';?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: sql plugin Parse the username [^[:space:]]+$
+# policyd-weight
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policyd-weight\[[[:digit:]]+\]: decided action=PREPEND X-policyd-weight: using cached result; rate:(hard:)? (-)?[[:digit:].]+(; delay: [[:digit:]]+s)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policyd-weight\[[[:digit:]]+\]: decided action=(450 |550) (Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs(; (in [^[:space:]]+|MTA helo: [^[:space:]]+, MTA hostname: [^[:space:]]+ \(helo/hostname mismatch\)|please relay via your ISP \([._[:alnum:]-]+\)))*|Your MTA is listed in too many DNSBLs; check [^[:space:]]+|temporarily blocked because of previous errors - retrying too fast\. penalty: [[:digit:]]+ seconds x [[:digit:]]+ retries\.)( \(multirecipient mail\))?(; delay: [[:digit:]]+s)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policyd-weight\[[[:digit:]]+\]: (weighted check|decided action=PREPEND X-policyd-weight):  ([_[:alpha:]]+=((-)?[[:digit:].]+|ERR) )+(\(check from: [^[:space:]]+ - helo: [^[:space:]]+ - helo-domain: [^[:space:]]+\)  ([\()/_[:alnum:]]+=(-)?[[:digit:].]+ )+)*<client=[^[:space:]]+> <helo=[^[:space:]]+> <from=[^[:space:]]+> <to=[^[:space:]]+>, rate: (-)?[[:digit:].]+(; delay: [[:digit:]]+s)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policyd-weight\[[[:digit:]]+\]: cache: (purged|deleted) [^[:space:]]+ from HAM cache$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: milter unix:/var/run/clamav/clamav-milter\.ctl: can't read SMFIC_MAIL reply packet header: Connection timed out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: TLS library problem: [[:digit:]]+:error:[[:xdigit:]]+:SSL routines:SSL3_READ_BYTES:sslv3 alert (unexpected message|bad certificate):s3_pkt\.c:[[:digit:]]+:SSL alert number (10|42):$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: TLS library problem: [[:digit:]]+:error:[[:xdigit:]]+:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr\.c:[[:digit:]]+:$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: gethostby\*\.getanswer: asked for "([-_.[:alnum:]]+)", got "\1"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: discarding EHLO keywords:( [[:upper:]]+)+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: milter-discard: END-OF-MESSAGE from [-._[:alnum:]]+\[[.[:digit:]]+\]: milter triggers DISCARD action; from=<[^[:space:]]*> to=<[^[:space:]]*> proto=E?SMTP helo=<[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [0-9.]{7,15}: hostname [^[:space:]]+ verification failed: Name or service not known$
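Review bot: The `sql plugin create statement from (cmusaslsecretCRAM-MD5|userPassword) …` rule in the `# mysql` group is the only rule I can see in this file without a closing `$`, so it ignores the line no matter what follows the two tokens; it should end `[^[:space:]]+ [^[:space:]]+$`. In `warning: numeric result [[0-9a-f.:]{3,39}]+ in address->name lookup`, the bracket expression closes right after `.:` and the trailing `]+` is then a literal `]`, so the rule demands a `]` after the address and presumably never matches; `[0-9a-f.:]{3,39}` looks like what was meant. Both are worth fixing before this becomes the default, the first because an unanchored ignore rule hides more than its author reviewed.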
diff --git a/etc/logcheck/ignore.d.server/postfix-policyd b/etc/logcheck/ignore.d.server/postfix-policyd
new file mode 100644 (file)
index 0000000..1c6e3e9
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix-policyd: connection from: [._[:alnum:]-]+ port: [[:digit:]]+ slots: [[:digit:]]+ of [[:digit:]]+ used$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix-policyd: rcpt=[[:digit:]]+, type=passthrough, host=[._[:alnum:]-]+ \([._[:alnum:]-]+\), from=[^[:space:]]+, to=[^[:space:]]+, size=[/[:digit:]]+$
diff --git a/etc/logcheck/ignore.d.server/ppp b/etc/logcheck/ignore.d.server/ppp
new file mode 100644 (file)
index 0000000..ab0c3d9
--- /dev/null
@@ -0,0 +1,18 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: CSLIP: code copyright$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: PPP: version$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: PPP generic driver version [0-9.]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: PPP line discipline registered$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: PPP (BSD|Deflate) Compression module registered$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: registered device ppp[0-9]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pppd\[[[:digit:]]{1,5}\]: Couldn't increase M[RT]U to [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pppd\[[[:digit:]]{1,5}\]: Hangup \(SIGHUP\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pppd\[[[:digit:]]{1,5}\]: Modem hangup$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pppd\[[[:digit:]]{1,5}\]: Connect time [.[:digit:]]+ minutes\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pppd\[[[:digit:]]{1,5}\]: Sent [[:digit:]]+ bytes, received [[:digit:]]+ bytes\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pppd\[[[:digit:]]{1,5}\]: PPP session is [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pppd\[[[:digit:]]{1,5}\]: Using interface ppp[[:digit:]]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pppd\[[[:digit:]]{1,5}\]: Cannot determine ethernet address for proxy ARP$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pppd\[[[:digit:]]{1,5}\]: write: Bad file descriptor \([[:digit:]]+\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pppd\[[[:digit:]]{1,5}\]: (IP|L)CP terminated by peer$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pppd\[[[:digit:]]{1,5}\]: Connect: ppp[[:digit:]]+ <--> [-_/.[:alnum:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pppd\[[[:digit:]]{1,5}\]: (IP|L)CP terminated by peer$
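Review bot: The last rule of this hunk, `(IP|L)CP terminated by peer$`, repeats the rule two lines above it byte for byte and can be dropped. The same kind of redundancy shows up later in the commit: in the proftpd hunk the `ANON (anonymous|ftp): Login successful.$` rule is already covered by the `(USER …|ANON (anonymous|ftp)): Login successful\.$` rule, and the `mod_delay/[0-9]\.[0-9]` rule by the `mod_delay/[0-9.]+` one. In the smartd hunk the `is SMART capable\. Adding to "monitor" list\.$` rule appears twice. Duplicates are harmless at match time, but they make later audits of what is being suppressed harder. Separately, `Using interface ppp[[:digit:]]$` accepts only a single digit while the `Connect:` rule uses `ppp[[:digit:]]+`; using `+` in both would be consistent.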
diff --git a/etc/logcheck/ignore.d.server/pptpd b/etc/logcheck/ignore.d.server/pptpd
new file mode 100644 (file)
index 0000000..f01a2d4
--- /dev/null
@@ -0,0 +1,12 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pptpd\[[0-9]+\]: CTRL: Client [.0-9]{5,17} control connection (started|finished)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pptpd\[[0-9]+\]: CTRL: Starting call \(launching pppd, opening GRE\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pptpd\[[0-9]+\]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pptpd\[[0-9]+\]: CTRL: Reaping child PPP\[[0-9]+\]$
+# typical errors on network disconnection
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pptpd\[[0-9]+\]: CTRL: PTY read or GRE write failed \(pty,gre\)=\([0-9]+,[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pptpd\[[0-9]+\]: CTRL: CTRL read failed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pptpd\[[0-9]+\]: CTRL: EOF or bad error reading ctrl packet length\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pptpd\[[0-9]+\]: CTRL: couldn't read packet header \(exit\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pptpd\[[0-9]+\]: GRE: read\(fd=[0-9]+,buffer=[0-9a-f]+,len=[0-9]+\) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs$
+# client bug
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pptpd\[[0-9]+\]: GRE: Discarding duplicate packet$
diff --git a/etc/logcheck/ignore.d.server/procmail b/etc/logcheck/ignore.d.server/procmail
new file mode 100644 (file)
index 0000000..b4fd92b
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ procmail\[[[:digit:]]{2,5}\]: Error while writing to "[-_./[:alnum:]]+"$
diff --git a/etc/logcheck/ignore.d.server/proftpd b/etc/logcheck/ignore.d.server/proftpd
new file mode 100644 (file)
index 0000000..09468e0
--- /dev/null
@@ -0,0 +1,16 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd: \(pam_unix\) session (opened|closed) for user [._[:alnum:]-]+( by \(uid=[0-9]+\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd: pam_unix\(proftpd:session\): session (opened|closed) for user [._[:alnum:]-]+( by \(uid=[0-9]+\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) FTP session (opened|closed)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) (USER [._[:alnum:]-]+|ANON (anonymous|ftp)): Login successful\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) (USER [._[:alnum:]-]+|ANON (anonymous|ftp)): Limit access denies login\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) mod_delay/[0-9]\.[0-9]: delaying for [0-9]+ usecs$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) ANON (anonymous|ftp): Login successful.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) mod_delay/[0-9.]+: delaying for [0-9]+ usecs$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) FTP ((login|session) timed out|no transfer timeout), disconnected$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) USER [-_.@[:alnum:]]+: no such user found from [.:_[:alnum:]-]+ \[[.:[:xdigit:]]+\] to [.:[:xdigit:]]+:[[:digit:]]{2,5}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) Maximum login attempts \([[:digit:]]+\) exceeded$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) no such user '[-_.@[:alnum:]]+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) notice: user [-_.[:alnum:]]+: aborting transfer: Data connection closed\.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+( \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\))?(:| -) error setting IPV6_V6ONLY: Protocol not available$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+( \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\))?(:| -) Preparing to chroot to directory '[-/._[:alnum:]]+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd: PAM-listfile: Refused user [._[:alnum:]-]+ for service proftpd$
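Review bot: The rules for `no such user found from …`, `Maximum login attempts \([[:digit:]]+\) exceeded` and `no such user '…'` suppress the log lines that would reveal password guessing against the FTP service, and they do so at the server level. The saslauthd hunk does the same for `check pass; user unknown` and `NULL password received`. If no other control watches these events, I would leave them out of the defaults. Otherwise I would mark them with a comment such as `# hides failed logins; remove if logcheck is your only brute-force signal`. Separately, the `aborting transfer: Data connection closed\.` rule has no trailing `$`, so anything appended after that text is ignored as well. The same missing anchor occurs in the smartd hunk (`Monitoring … SCSI devices`), the snort hunk (`Portscan Detection Config:`) and the spamd hunk (`not reporting`, `Attempting to register\.`).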
diff --git a/etc/logcheck/ignore.d.server/puppetd b/etc/logcheck/ignore.d.server/puppetd
new file mode 100644 (file)
index 0000000..37f0e72
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ puppetd\[[0-9]+\]: Starting configuration run$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ puppetd\[[0-9]+\]: Finished configuration run in [0-9.]+ seconds$
diff --git a/etc/logcheck/ignore.d.server/pure-ftpd b/etc/logcheck/ignore.d.server/pure-ftpd
new file mode 100644 (file)
index 0000000..9d6aadd
--- /dev/null
@@ -0,0 +1,11 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([?.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] New connection from [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([?.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] [._[:alnum:]-]+ is now logged in$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Can't change directory to .+: (No such file or|Not a) directory$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Timeout - try typing a little faster next time$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Timeout \(no new data for [0-9]+ seconds\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([?.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Logout\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] .+ (up|down)loaded  \([0-9]+ bytes, [0-9]+.[0-9]+KB/sec\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] File successfully renamed or moved: \[.+\]->\[.+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] Deleted .+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Timeout$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: PAM-listfile: Refused user [._[:alnum:]-]+ for service pure-ftpd$
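Review bot: In the `(up|down)loaded` rule the transfer rate is written `[0-9]+.[0-9]+KB/sec`, where the unescaped `.` matches any character; `[0-9]+\.[0-9]+KB/sec` says what is meant. The same unescaped dot appears in program and file names in later hunks: `in.qpopper` and `pop_log.c` in qpopper, `rpc.statd` in rpc_statd, and `main.c`, `rsync.c` and `io.c` in rsync. The practical effect is small, but an ignore rule should match as little as possible beyond the intended line.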
diff --git a/etc/logcheck/ignore.d.server/qpopper b/etc/logcheck/ignore.d.server/qpopper
new file mode 100644 (file)
index 0000000..5dc4b0a
--- /dev/null
@@ -0,0 +1,6 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.qpopper\[[0-9]+\]: connect from [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.qpopper\[[0-9]+\]: \(v[.[:digit:]]+\) POP login by user \"[@._[:alnum:]-]+\" at \([._[:alnum:]-]+\) [.[:digit:]]+ \[pop_log.c:244\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.qpopper\[[0-9]+\]: \[drac\]: login by [@._[:alnum:]-]+ from host [._[:alnum:]-]+ \([.[:digit:]]+\) \[drac.c:[0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.qpopper\[[0-9]+\]: [@._[:alnum:]-]+ at [._[:alnum:]-]+ \([.[:digit:]]+\): -ERR Message [[:digit:]]+ does not exist. \[pop_send.c:289\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.qpopper\[[0-9]+\]: ([@._[:alnum:]-]+|\(null\)) at [._[:alnum:]-]+ \([.[:digit:]]+\): -ERR Unknown command: \"[[:alnum:]]+\". \[pop_get_command.c:152\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.qpopper\[[0-9]+\]: \(v[.[:digit:]]+\) Unable to get canonical name of client [.[:digit:]]+: Name or service not known \(-2\) \[pop_init.c:1196\]$
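Review bot: Four of these rules pin an exact source line number (`\[pop_log.c:244\]`, `\[pop_send.c:289\]`, `\[pop_get_command.c:152\]`, `\[pop_init.c:1196\]`), while the `[drac]` rule in the same hunk uses `\[drac.c:[0-9]+\]`. The pinned numbers will presumably stop matching as soon as the daemon is rebuilt from a different source revision, at which point the lines reappear in reports. That fails safe, but it is inconsistent within the file. I would use the generic form throughout, e.g. `\[pop_log\.c:[0-9]+\]`. The spamd hunk has the same pattern in its last rule (`Check\.pm line 389\.`).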
diff --git a/etc/logcheck/ignore.d.server/rbldnsd b/etc/logcheck/ignore.d.server/rbldnsd
new file mode 100644 (file)
index 0000000..823b27b
--- /dev/null
@@ -0,0 +1,5 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rbldnsd\[[0-9]+\]: listening on [0-9.]{7,15}/[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rbldnsd\[[0-9]+\]: ip4set:[._[:alnum:]-]+: [0-9]{8} [0-9]+: [[:alnum:]/=]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rbldnsd\[[0-9]+\]: zones reloaded, time [\./[:alnum:]]+ sec, mem arena=[0-9]+ free=[0-9]+ mmap=[0-9]+ \w{1,2}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rbldnsd\[[0-9]+\]: stats for [0-9]+secs zone [._[:alnum:]-]+: tot=[0-9]+ ok=[0-9]+ nxd=[0-9]+ err=[0-9]+ in=[0-9]+ out=[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rbldnsd\[[0-9]+\]: stats for [0-9]+sec: tot=[0-9]+ ok=[0-9]+ nxd=[0-9]+ err=[0-9]+ in=[0-9]+ out=[0-9]+$
diff --git a/etc/logcheck/ignore.d.server/rpc_statd b/etc/logcheck/ignore.d.server/rpc_statd
new file mode 100644 (file)
index 0000000..02dddec
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rpc.statd\[[0-9]+\]: authenticated mount request from [._[:alnum:]-]+:[0-9]+ for /[/[:alnum:]]+ \(/[/[:alnum:]]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rpc.statd\[[0-9]+\]: Received erroneous SM_UNMON request from [._[:alnum:]-]+ for [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$
diff --git a/etc/logcheck/ignore.d.server/rsnapshot b/etc/logcheck/ignore.d.server/rsnapshot
new file mode 100644 (file)
index 0000000..1be5bf7
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsnapshot\[[0-9]+\]: /usr/bin/rsnapshot( -c [^ ]*)? (hourly|semidaily|daily|weekly|monthly): completed successfully$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsnapshot\[[0-9]+\]: WARNING: /usr/bin/rsnapshot: (hourly|semidaily|daily|weekly|monthly): completed, but with some warnings$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsnapshot\[[0-9]+\]: WARNING: Some files and/or directories in root@[._[:alnum:]:/-]+ vanished during rsync operation$
diff --git a/etc/logcheck/ignore.d.server/rsync b/etc/logcheck/ignore.d.server/rsync
new file mode 100644 (file)
index 0000000..3d655f5
--- /dev/null
@@ -0,0 +1,12 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsync(d?)\[[0-9]+\]: connect from [^[:space:]]+ \([0-9.]{7,15}\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: rsync (to|on) [[:alnum:]/._-]+ from [@._[:alnum:]-]+ \([0-9.]{7,15}\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: (wrote|sent) [0-9]+ bytes  (read|received) [0-9]+ bytes  total size [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: rsync error: some files could not be transferred \(code 23\) at main.c\([0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: unknown module 'pub' tried from [._[:alnum:]-]+ \([0-9.]{7,15}\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: rsync error: received SIGUSR1 or SIGINT \(code 20\) at rsync.c\([0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: rsync error: error in rsync protocol data stream \(code 12\) at io.c\([0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: rsync: read error: Connection reset by peer \(104\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: (building|receiving) file list$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: [^[:space:]]+/$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: [^[:space:]]+ -> [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: module-list request from [._[:alnum:]-]+ \([0-9.]{7,15}\)$
diff --git a/etc/logcheck/ignore.d.server/sa-exim b/etc/logcheck/ignore.d.server/sa-exim
new file mode 100644 (file)
index 0000000..b0dfedc
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sa-exim\[[0-9]+\]: Removed 0 of 0 greylist tuplets in [012] seconds$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sa-exim\[[0-9]+\]: Removed 0 of 0 greylist directories in [012] seconds$
diff --git a/etc/logcheck/ignore.d.server/samba b/etc/logcheck/ignore.d.server/samba
new file mode 100644 (file)
index 0000000..a8395e8
--- /dev/null
@@ -0,0 +1,11 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nmbd\[[[:digit:]]+\]: connect from$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nmbd\[[[:digit:]]+\]: .* find_.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nmbd\[[0-9]+\]: \[[0-9 \/:,]+\] nmbd/nmbd.c:process\([0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nmbd\[[0-9]+\]: \[[0-9 \/:,]+\] nmbd/nmbd_workgroupdb.c:dump_workgroups\([0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nmbd\[[0-9]+\]: +dump_workgroups\(\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nmbd\[[0-9]+\]: +dump workgroup on subnet +(UNICAST_SUBNET|[0-9\.]+): netmask= +[0-9\.]+:$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nmbd\[[0-9]+\]: +.* current master browser = .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nmbd\[[0-9]+\]: +.* [0-9a-f]+ \(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[[:digit:]]+\]: connect from$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_smbpass\[[[:digit:]]+\]: Located account for [-._[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_smbpass\[[[:digit:]]+\]: password for \([-._[:alnum:]]+/[[:digit:]]+\) changed by \([-._[:alnum:]]+/[[:digit:]]+\)$
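Review bot: The final rule ignores every `password for (…) changed by (…)` line from PAM_smbpass, including the case where the account that made the change differs from the account whose password was changed. That is an event an administrator usually wants to see. The file format supports backreferences, so the rule can be narrowed to self-service changes only: `password for \(([-._[:alnum:]]+)/([[:digit:]]+)\) changed by \(\1/\2\)$`. Two smaller points: the `nmbd … connect from$` and `smbd … connect from$` rules end right after `from`, so they look unlikely to match a line that carries a peer address. The `nmbd\[[0-9]+\]: +.* [0-9a-f]+ \(.*\)$` rule is loose enough to match most nmbd lines that end in a parenthesis.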
diff --git a/etc/logcheck/ignore.d.server/saned b/etc/logcheck/ignore.d.server/saned
new file mode 100644 (file)
index 0000000..42a1360
--- /dev/null
@@ -0,0 +1,8 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ saned\[[0-9]+\]: saned \(AF-indep\+IPv6\) from sane-backends [.[:digit:]]+ ready$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ saned\[[0-9]+\]: check_host: access by remote host: [.:[:xdigit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ saned\[[0-9]+\]: init: access granted to [-._[:alnum:]]+@[.:[:xdigit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ saned\[[0-9]+\]: process_request: bad status [[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ saned\[[0-9]+\]: invalid read: exp=[[:digit:]]+ act=[[:digit:]]+ ReadMfpdtfBlock scan/sane/mfpdtf\.c [[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ saned\[[0-9]+\]: unable to send DeviceClose: Broken pipe: prnt/hpijs/hplip_api\.c [[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ saned\[[0-9]+\]: invalid message: : prnt/hpijs/hplip_api\.c [[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ saned\[[0-9]+\]: quit: exiting$
diff --git a/etc/logcheck/ignore.d.server/sasl2-bin b/etc/logcheck/ignore.d.server/sasl2-bin
new file mode 100644 (file)
index 0000000..65931fb
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ saslpasswd2: error deleting entry from sasldb: DB_NOTFOUND: No matching key/data pair found$
diff --git a/etc/logcheck/ignore.d.server/saslauthd b/etc/logcheck/ignore.d.server/saslauthd
new file mode 100644 (file)
index 0000000..0843794
--- /dev/null
@@ -0,0 +1,5 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ saslauthd+\[[0-9]+\]: Domain/Realm not available\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ saslauthd+\[[0-9]+\]: DIGEST-MD5 client step [0-9]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: \(pam_unix\) check pass; user unknown$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: pam_unix\([[:alnum:]]+:[[:alnum:]]+\): check pass; user unknown$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: do_request[[:space:]]*: NULL password received$
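Review bot: The first two rules spell the program tag as `saslauthd+\[`, where the `+` quantifies the final `d`, so the pattern also accepts `saslauthdd[…]`, `saslauthddd[…]` and so on. This looks like a slip, since the other three rules in the hunk use `saslauthd\[`. I would write `saslauthd\[[0-9]+\]:` in both places.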
diff --git a/etc/logcheck/ignore.d.server/schroot b/etc/logcheck/ignore.d.server/schroot
new file mode 100644 (file)
index 0000000..5fef074
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ schroot\[[[:digit:]]+\]: \(pam_unix\) session opened for user [-_.[:alnum:]]+ by ([-_.[:alnum:]]+)?\(uid=[[:digit:]]+\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ schroot\[[[:digit:]]+\]: \[[-._[:alnum:]]+ chroot\] \([-_.[:alnum:]]+->[-_.[:alnum:]]+\) Running login shell: '[-._/[:alnum:]]+'$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ schroot\[[[:digit:]]+\]: \[[-._[:alnum:]]+ chroot\] \([-_.[:alnum:]]+->[-_.[:alnum:]]+\) Running command: ".+"$
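Review bot: The `Running login shell` and `Running command: ".+"$` rules accept any `user->user` pair, so a session that switches to a privileged account inside the chroot is suppressed along with routine unprivileged ones. The command text itself is matched by `.+`. If these lines are the only record of who ran what in a chroot, I would leave them out of the server-level defaults. At minimum I would add a comment above them such as `# hides every schroot command, including those run as another user`, so that whoever deploys the file makes that choice knowingly.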
diff --git a/etc/logcheck/ignore.d.server/scponly b/etc/logcheck/ignore.d.server/scponly
new file mode 100644 (file)
index 0000000..cf9400e
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ \[[0-9]+\]: running: /(usr/)?bin/(groups|ls|mkdir|mv|pwd|rm|rsync|scp).* \(username: [._[:alnum:]-]+\([0-9]+\), IP/port: [.:[:alnum:]]+ [0-9]+ 22\)$
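Review bot: The command alternation is followed directly by `.*`, so the rule is not limited to the eight listed programs. Any path that merely starts with one of the names (for example something beginning `/bin/rm…` or `/usr/bin/scp…`) is ignored too. Requiring a separator before the arguments closes that gap: `(groups|ls|mkdir|mv|pwd|rm|rsync|scp)( .*)? \(username:`. The rule also has no program name before `\[[0-9]+\]:` and hard-codes port `22`. Both may be intentional for how scponly logs, but they are worth a comment.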
diff --git a/etc/logcheck/ignore.d.server/slapd b/etc/logcheck/ignore.d.server/slapd
new file mode 100644 (file)
index 0000000..e5b867a
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ slapd\[[0-9]+\]: OTP unavailable because can't read/write key database /etc/opiekeys: No such file or directory$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ slapcat: bdb_db_init: Initializing BDB database$
diff --git a/etc/logcheck/ignore.d.server/smartd b/etc/logcheck/ignore.d.server/smartd
new file mode 100644 (file)
index 0000000..5d5b98d
--- /dev/null
@@ -0,0 +1,22 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: smartd version [.[:digit:]]+ (\[[-_[:alnum:]]+\] )?Copyright \(C\) 2002-[[:digit:]]+ Bruce Allen$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Home page is http://smartmontools\.sourceforge\.net/$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Opened configuration file /etc/smartd\.conf$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Configuration file /etc/smartd.conf parsed\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Monitoring [[:digit:]]+ ATA and [[:digit:]]+ SCSI devices
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: smartd has fork\(\)ed into background mode\. New PID=[[:digit:]]+\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: file /var/run/smartd\.pid written containing PID [[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, starting scheduled (Long|Short) Self-Test\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, SMART (Prefailure|Usage) Attribute: [[:digit:]]+ [_[:alnum:]]+ changed from [[:digit:]]+( \[Raw [[:digit:]]+\])? to [[:digit:]]+( \[Raw [[:digit:]]+\])?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, Temperature changed (-|\+)?[1-3]+ Celsius to ([0-4]?[0-9]|5[0-4]) Celsius since last report$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, did test of type L in current hour, skipping test of type S$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, initial Temperature is [[:digit:]]+ Celsius$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, Temperature changed [-+][[:digit:]]+ Celsius to [[:digit:]]+ Celsius \(Min/Max [[:digit:]]+!?/[[:digit:]]+!?\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, opened$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, found in smartd database\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, is SMART capable\. Adding to "monitor" list\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, enabled SMART Attribute Autosave\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, enabled SMART Automatic Offline Testing\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, is SMART capable\. Adding to "monitor" list\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Sending warning via [^[:space:]]+ to [^[:space:]]+ \.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Warning via [^[:space:]]+ to [^[:space:]]+: successful$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]:[[:space:]]*$
diff --git a/etc/logcheck/ignore.d.server/smbd_audit b/etc/logcheck/ignore.d.server/smbd_audit
new file mode 100644 (file)
index 0000000..c0bc6bf
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd_audit: [[:alnum:]]+\|[[:alnum:]]+\|[.[:digit:]]{7,15}\|[[:alnum:][:space:]]+\|.+$
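Review bot: This single rule ends in `\|.+$` after four loosely typed fields, so it appears to match every record the Samba audit module writes. Whatever field carries the operation or its success or failure falls under `[[:alnum:][:space:]]+` or `.+`. Failed and denied operations are therefore filtered out of reports together with successful ones. I cannot tell from the page which field holds the result, since that depends on the audit prefix configured on the host. I would either pin that field to the success value once the format is confirmed, or add a comment such as `# ignores ALL smbd_audit records, including failures`.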
diff --git a/etc/logcheck/ignore.d.server/smokeping b/etc/logcheck/ignore.d.server/smokeping
new file mode 100644 (file)
index 0000000..d7ce943
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smokeping\[[0-9]+\]: Launched successfully$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smokeping\[[0-9]+\]: FPing: probing [0-9]+ targets$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smokeping\[[0-9]+\]: FPing6: probing [0-9]+ targets$
diff --git a/etc/logcheck/ignore.d.server/snmpd b/etc/logcheck/ignore.d.server/snmpd
new file mode 100644 (file)
index 0000000..f492599
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snmpd\[[0-9]+\]: Connection from [.0-9]{7,15}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snmpd\[[0-9]+\]: Connection from UDP: \[[.0-9]{7,15}\]:[0-9]{4,5}$
diff --git a/etc/logcheck/ignore.d.server/snort b/etc/logcheck/ignore.d.server/snort
new file mode 100644 (file)
index 0000000..057728b
--- /dev/null
@@ -0,0 +1,35 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort:[[:space:]]*.?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: (\`|\\+)-.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort:     alert_fragments: (INACTIVE|ACTIVE)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort:     alert_incomplete: (INACTIVE|ACTIVE)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort:     alert_large_fragments: (INACTIVE|ACTIVE)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort:     alert_multiple_requests: (INACTIVE|ACTIVE)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort:     Detect Protocols: [[:alpha:]].*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort:     Detect Scan Type: [[:alpha:]].*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: Final Flow Statistics$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: \| gen-id=[0-9] +sig-id=[0-9]+ +type=(Threshold|Both) +tracking=(dst|src) count=[0-9]+ +seconds=[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: | Hash Method:     [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: Initializing daemon mode$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: Log directory = /var/log/snort$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: | Memcap:          [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort:     Memcap \(in bytes\): [0-9]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: | none$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort:     Number of Nodes:   [0-9]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: | Overhead Bytes: [0-9]+\(%[0-9]\.[0-9]\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: PID path stat checked out ok, PID path set to /var/run/$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort:     Ports: [0-9].*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: Portscan Detection Config:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort:     Ports to decode RPC on: [0-9].*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort:     Ports to decode telnet on: [0-9].*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: | Rows  :          [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: rpc_decode arguments:$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: Rule application order: ->pass->activation->dynamic->alert->log$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort:     Sensitivity Level: (Low|High)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: Snort exiting$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: Snort initialization completed successfully \(pid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: | Stats Interval:  [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: telnet_decode arguments:$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: \+-*\[(thresholding-config|thresholding-global|threasholding-local|suppressi on|Flow Config)\]-*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: Writing PID "[0-9]+" to file "/var/run//snort_eth[0-9]+\.pid"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: X-Link2State Config:$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: Warning: flowbits key .* is set but not ever checked\.$
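Review bot: Six rules in this hunk contain an unescaped `|`: `snort: | Hash Method:`, `| Memcap:`, `| none$`, `| Overhead Bytes:`, `| Rows  :` and `| Stats Interval:`. In an extended regular expression that is top-level alternation, so each rule splits into two patterns. The left half is just the timestamp, host and `snort: ` with no end anchor, which matches every line carrying that tag. If snort alerts are sent to syslog under this tag, they would all be dropped from reports. The `gen-id=` rule in the same hunk already shows the intended form, so these should read e.g. `snort: \| Hash Method:     [0-9]+$`. Also, in the `\+-*\[(…)\]-*$` rule the literals `threasholding-local` and `suppressi on` look like typos that would keep those two banners from matching.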
diff --git a/etc/logcheck/ignore.d.server/spamc b/etc/logcheck/ignore.d.server/spamc
new file mode 100644 (file)
index 0000000..9ef46f0
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamc\[[0-9]+\]:( spamd:)? skipped message, greater than max message size \([[:digit:]]+ bytes\)$
diff --git a/etc/logcheck/ignore.d.server/spamd b/etc/logcheck/ignore.d.server/spamd
new file mode 100644 (file)
index 0000000..f07d10b
--- /dev/null
@@ -0,0 +1,32 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]:( spamd:)? connection from [._[:alnum:]-]+ \[[\.[:digit:]]+\] at port [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]:( spamd:)? (info: )?setuid to [[:alnum:]-]+ succeeded(, reading scores from SQL)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]:( spamd:)? (clean message|identified spam) \([0-9.-]+/[0-9.]+\) for [-._+=[:alnum:]]+(@[-.[:alnum:]]+)?(:[[:digit:]]+)? in [0-9.]+ seconds, [0-9]+ bytes\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]: prefork: child states: [[:upper:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]:( spamd:)? got connection over [/[:alnum:].-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]:( spamd:)? handled cleanup of child pid [0-9]+ due to SIGCHLD$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]:( spamd:)? server successfully spawned child process, pid [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]:( spamd:)? using default config for [-._+=[:alnum:]]+(@[-._[:alnum:]]+)?: /[-./_[:alnum:]]+/\.spamassassin/user_prefs$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]:( spamd:)? creating default_prefs: /[-./_[:alnum:]]+/\.spamassassin/user_prefs$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]: config: created user preferences file: /[-./_[:alnum:]]+/\.spamassassin/user_prefs$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]:( spamd:)? (process|check)ing message (<[^>]+>|\(unknown\))( aka <[^>]+>)? for [-._+=[:alnum:]]+(@[-.[:alnum:]]+)?(:[[:digit:]]+)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]:( spamd:)? server pid: [[:digit:]]{1,5}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]: logger: removing stderr method$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]: (spamd: )?result: [.YN] [ [:digit:]-]+ - ([._[:alnum:],]+ )?scantime=[0-9.]+,size=[0-9]+,(user=[^,]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[._[:alnum:]-]+,raddr=[0-9.]+,rport=[/[:alnum:].-]+,)?mid=(<[^[:space:]]+>|\(unknown\))(rmid=(<[^[:space:]]+>|\(unknown\)),)?,(bayes=[.[:digit:]]+(e-[[:digit:]]+)?,)?autolearn=(ham|spam|no|disabled|unavailable) *$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]: FuzzyOcr: FuzzyOcr stopped, message got [[:digit:]]+ points by other FuzzyOcr tests \([.[:digit:]]+>[.[:digit:]]+\)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]: (spamd: )?Tell: Setting (local|remote|local,remote) for [-._+=[:alnum:]]+(@[-.[:alnum:]]+)?(:[[:digit:]]+)? in [.[:digit:]]+ seconds, [[:digit:]]+ bytes$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]: (spamd: )?Tell: Did nothing for [-._+=[:alnum:]]+(@[-.[:alnum:]]+)?(:[[:digit:]]+)? in [.[:digit:]]+ seconds, [[:digit:]]+ bytes$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]: reporter: spam reported to (DCC|SpamCop|Pyzor|Razor)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]: reporter: could not report spam to (SpamCop|Pyzor|Razor|DCC via dccproc)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]: reporter: no revoke methods available, so couldn't revoke$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]: reporter: no reporting methods available, so couldn't report$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]: reporter: SpamCop message older than [[:digit:]]+ days, not reporting
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]: reporter: SpamCop report to [-._[:alnum:]]+ succeeded$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ check\[[0-9]+\]: rules: meta test [._[:alnum:]]+ has dependency '[._[:alnum:]]+' with a zero score$
+# razor, temporary I hope
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (check|re(port|voke)|admin)\[[0-9]+\]: \[ 2\] \[bootup\] Logging initiated LogDebugLevel=[[:digit:]]+ to sys-syslog$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ check\[[0-9]+\]: \[ 3\] mail [[:digit:]]+ is (not )?known spam\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ admin\[[0-9]+\]: \[ 3\] Attempting to register\.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ admin\[[0-9]+\]: \[ 3\] Register successful\.  Identity stored in [-/_.[:alnum:]]+/\.razor/identity-[[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ admin\[[0-9]+\]: \[ 2\]  Razor-Agents v[.[:digit:]]+ starting razor-admin -register$
+#437816
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ check\[[0-9]+\]: Use of uninitialized value in split at /usr/share/perl5/Mail/SpamAssassin/Plugin/Check\.pm line 389\.$
diff --git a/etc/logcheck/ignore.d.server/squid b/etc/logcheck/ignore.d.server/squid
new file mode 100644 (file)
index 0000000..a47844a
--- /dev/null
@@ -0,0 +1,77 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: storeDirWriteCleanLogs: Starting\.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]:   Finished\.  Wrote [0-9]+ entries\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]:   Took [.0-9]+ seconds \([ .0-9]+ entries/sec\)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: logfileRotate: /var/log/squid/store\.log$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: logfileRotate: /var/log/squid/access\.log$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Waiting [0-9]+ seconds for active connections to finish$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: FD [0-9]+ Closing HTTP connection$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: FD [0-9]+ Closing ICP connection$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Closing unlinkd pipe on FD [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Squid Parent: child process [0-9]+ exited with status 0$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Squid Parent: child process [0-9]+ started$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Process ID [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: With [0-9]+ file descriptors available$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: DNS Socket created at [0-9.]+, port [0-9]+, FD [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Adding nameserver [0-9.]+ from /etc/resolv.conf$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: User-Agent logging is disabled\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Referer logging is disabled\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Unlinkd pipe opened on FD [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Swap maxSize [0-9]+ KB, estimated [0-9]+ objects$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Target number of buckets: [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Using [0-9]+ Store buckets$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Max Mem  size: [0-9]+ KB$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Max Swap size: [0-9]+ KB$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Local cache digest enabled; rebuild/rewrite every [0-9]+/[0-9]+ sec$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Rebuilding storage in [/._[:alnum:]-]+ \(CLEAN\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Using Least Load store dir selection$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Current Directory is [/._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Loaded Icons\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Accepting HTTP connections at [0-9.]+, port [0-9]+, FD [0-9]+\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Accepting ICP messages at [0-9.]+, port [0-9]+, FD [0-9]+\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: HTCP Disabled\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: WCCP Disabled\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Ready to serve requests\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Done reading [/._[:alnum:]-]+ swaplog \([0-9]+ entries\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Finished rebuilding storage from disk\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: +[0-9]+ Entries scanned$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: +[0-9]+ Invalid entries\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: +[0-9]+ With invalid flags\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: +[0-9]+ Objects (loaded|expired|cancelled)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: +[0-9]+ Swapfile clashes avoided\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: +[0-9]+ Duplicate URLs purged\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: +Took [0-9.]+ seconds \( [0-9.]+ objects/sec\)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Beginning Validation Procedure$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: +Completed Validation Procedure$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: +Validated [0-9]+ Entries$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: +store_swap_size = [0-9]+k$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: storeLateRelease: released [0-9]+ objects$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: +[0-9]+ entries written so far\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: urlParse: Illegal character in hostname '.*'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: httpReadReply: Excess data from "GET .*"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: WARNING: found whitespace in HTTP header name \{Cache Control: no-cache\}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: ctx: exit level  0$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: helperOpenServers: Starting [[:digit:]]+ '[-._[:alnum:]]+' processes$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Cache dir '[/[:alnum:]]+' size remains unchanged at [[:digit:]]+ KB$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: fqdncacheParse: No PTR record for '[.[:digit:]]{7,15}'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: aioSync: flushing pending I/O operations$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: aioSync: done$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: urlParse: URL too large \([[:digit:]]+ bytes\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: ipcacheParse: No Address records in response to '[-._[:alnum:]]+'$
+# next rule without $ at the end because of #350206 and locale mismatches with non-latin1 or non-ascii characters.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: parseHttpRequest: Unsupported method 
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: parseHttpRequest: Requestheader contains NULL characters$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: clientReadRequest: FD [[:digit:]]+ (\([.[:digit:]]{7,15}:[[:digit:]]{1,5}\) )?Invalid Request$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: WARNING: Closing client [.[:digit:]]{7,15} connection due to lifetime timeout$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]:    http://[-._[:alnum:]]+(:[[:digit:]]+)?[-._/:@[:alnum:]]*
+# squidguard
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: CACHEMGR: <unknown>@127.0.0.1 requesting 'storedir'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: CACHEMGR: <unknown>@127.0.0.1 requesting 'counters'$
+# squid 2.6
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Using epoll for the IO loop$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Adding domain [-._[:alnum:]]+ from /etc/resolv\.conf$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Set Current Directory to /var/spool/squid$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Accepting transparently proxied HTTP connections at [:.[:xdigit:]]+, port [[:digit:]]{1,5}, FD [[:digit:]]+\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Store rebuilding is [[:space:]]*[.[:digit:]]+% complete$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: [[:space:]]*Took [.[:digit:]]+ seconds \([[:digit:].]+ objects/sec\)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: storeLocateVary: Not our vary marker object, [[:xdigit:]]+ = '[^']+', '[^']+'/'[^']+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Extension method '(MERGE|MKACTIVITY|CHECKOUT)' added, enum=[[:digit:]]+$
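Review bot: The continuation-line rule `squid\[[0-9]+\]:    http://[-._[:alnum:]]+(:[[:digit:]]+)?[-._/:@[:alnum:]]*` has no `$`, so whatever follows the matched URL prefix is filtered as well. Unlike the `parseHttpRequest: Unsupported method` rule, it carries no comment saying this is deliberate. Either close it with `$` after widening the class to the URL characters squid actually prints, or add a comment such as `# no $: the URL may carry a query string or non-ASCII bytes`. The two `CACHEMGR` rules and the `Adding nameserver ... from /etc/resolv.conf` rule also leave their dots unescaped; `127\.0\.0\.1` and `/etc/resolv\.conf` (as the squid 2.6 `Adding domain` rule already writes it) keep the match literal.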
diff --git a/etc/logcheck/ignore.d.server/ssh b/etc/logcheck/ignore.d.server/ssh
new file mode 100644 (file)
index 0000000..1143e61
--- /dev/null
@@ -0,0 +1,33 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted (gssapi(-with-mic|-keyex)?|rsa|dsa|password|publickey|keyboard-interactive/pam|hostbased) for [^[:space:]]+ from [^[:space:]]+ port [0-9]+( (ssh|ssh2))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Postponed keyboard-interactive(/pam)? for [^[:space:]]+ from [^[:space:]]+ port [0-9]+( (ssh|ssh2))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: PAM pam_putenv: delete non-existent entry; [[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Server listening on [:[:xdigit:].]+ port [[:digit:]]+\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: subsystem request for sftp$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Received disconnect from [:[:xdigit:].]+: [0-9]+: Client disconnect$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Received disconnect from [:[:xdigit:].]+: [0-9]+: Disconnect requested by Windows SSH Client\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: [12]: Timeout, server not responding\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: syslogin_perform_logout: logout\(\) returned an error$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: refused connect from [:[:alnum:]._-]+ \([:[:alnum:].]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: Timeout before authentication for [:[:alnum:].]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: nss_ldap: reconnect(ing|ed) to LDAP server(\.\.\.| after [0-9]+ attempt\(s\))$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Did not receive identification string from ([:[:xdigit:].]+|UNKNOWN)+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Authorized to [^[:space:]]+, krb5 principal [^[:space:]]+ \(krb5_kuserok\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: error: Could not get shadow information for NOUSER$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification '[^']*' from ([:.[:xdigit:]]+|UNKNOWN)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: I(llegal|nvalid) user [-\'"@#$%^+<!>_.[:alnum:]]* from ([:.[:xdigit:]]+|UNKNOWN)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed (keyboard-interactive/pam|password|none) for i(llegal|nvalid) user [-\'"@#$%^+<!>._[:alnum:]]* from ([:.[:xdigit:]]+|UNKNOWN) port [[:digit:]]{1,5} ssh2?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) check pass; user unknown$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) auth could not identify password for \[[-_.[:alnum:]]*\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(ssh:[[:alnum:]]+\): check pass; user unknown$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(ssh:auth\): auth could not identify password for \[[-_.[:alnum:]]*\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAK-?IN ATTEMPT!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ (\[[:.[:xdigit:]]+\] )?failed - POSSIBLE BREAK-?IN ATTEMPT!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: recv_rexec_state: ssh_msg_recv failed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: error: ssh_msg_send: write$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnecting: Corrupted MAC on input\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnecting: Bad packet length [[:digit:]]+\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Bad protocol version identification '[^']+' from ([:[:xdigit:].]+|UNKNOWN)+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: User [-_.[:alnum:]]+ from [-_.[:alnum:]]+ not allowed because not listed in AllowUsers$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: User [-_.[:alnum:]]+ from [-_.[:alnum:]]+ not allowed because listed in DenyUsers$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: scanned from [:[:xdigit:].]+ with SSH-[.[:digit:]]+-SSH_Version_Mapper\.  Don't panic\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Nasty PTR record "[:[:xdigit:].]+" is set up for [:[:xdigit:].]+, ignoring$
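Review bot: The `I(llegal|nvalid) user ...` and `Failed (keyboard-interactive/pam|password|none) for i(llegal|nvalid) user ...` rules remove every failed attempt against a non-existent account from the server-level report, and the file does not say where that signal is handled instead. On a host with sshd reachable from untrusted networks this hides username-guessing from whoever reads the logcheck mail. I would add a comment above them, e.g. `# invalid-user failures are filtered as noise; make sure a rate-based monitor counts them`. Separately, `Bad protocol version identification` appears twice, and the `[^']*` form already covers the `[^']+` one. The trailing `+` after `([:[:xdigit:].]+|UNKNOWN)` in that second rule and in `Did not receive identification string` is a redundant nested quantifier; `([:[:xdigit:].]+|UNKNOWN)$` matches the same lines.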
diff --git a/etc/logcheck/ignore.d.server/stunnel b/etc/logcheck/ignore.d.server/stunnel
new file mode 100644 (file)
index 0000000..535ccf9
--- /dev/null
@@ -0,0 +1,7 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(\[[0-9]+\])?: SSL_read .*: Connection reset by peer$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(\[[0-9]+\])?: .* connected from .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(\[[0-9]+\])?: VERIFY OK: depth=[0-9]+, .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(\[[0-9]+\])?: Received signal 15; terminating$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(\[[0-9]+\])?: stunnel [0-9.]+ on i386-pc-linux-gnu PTHREAD\+POLL\+IPv6\+LIBWRAP with OpenSSL [0-9a-z.]+ [0-9]{2} \w{3} [0-9]{4}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(\[[0-9]+\])?: [0-9]+ clients allowed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stunnel(\[[0-9]+\])?: SSL_accept: Peer suddenly disconnected$
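Review bot: The rule `stunnel(\[[0-9]+\])?: .* connected from .*$` is open on both sides, so any stunnel message that merely contains ` connected from ` is filtered, including text that follows the peer address. Constraining both fields keeps it to the connection notice, for example `stunnel(\[[0-9]+\])?: [-._[:alnum:]]+ connected from [:.[:xdigit:]]+(:[0-9]+)?$`, assuming the line is service name, then address and port. The same applies to `VERIFY OK: depth=[0-9]+, .*$`, where the certificate subject is peer-supplied. If the wildcard has to stay, add a comment saying so.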
diff --git a/etc/logcheck/ignore.d.server/sympa b/etc/logcheck/ignore.d.server/sympa
new file mode 100644 (file)
index 0000000..2a37879
--- /dev/null
@@ -0,0 +1,39 @@
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: Parsing: REJECT [._[:alnum:]-]+ [0-9a-f]{32}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: REJECT [._[:alnum:]-]+ [^[:space:]]+ from [0-9a-f]{32} accepted \([0-9]+ seconds\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: Ignoring message which would cause a loop, sent by [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: Moving bad file sympa\.[0-9]+\.[0-9]+ to bad/$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: Deleting old file /var/spool/sympa/msg/bad/sympa\.[0-9]+\.[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: Processing message for [._[:alnum:]-]+ with priority [0-9]+, <[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: Message for [._[:alnum:]-]+ from [^[:space:]]+ accepted \([0-9]+ seconds, [0-9]+ sessions\), size=[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: Key [0-9a-f]{32} for list [._[:alnum:]-]+ from [^[:space:]]+ sent to editors, /var/spool/sympa/msg/[^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: Processing web message for [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: Message for [._[:alnum:]-]+ sent$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: Warning : no editor defined for [._[:alnum:]-]+, contacting owners$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: Sending digest to list [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: No subscriber for sending digest in list [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: Digest of the list [^[:space:]]+ sent \([0-9]+ seconds\)$
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ archived\[[0-9]+\]: Archiving [^[:space:]]+ for list [^[:space:]]+$
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: WWSympa started$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: \[robot [._[:alnum:]-]+\] \[client [0-9.]{7,15}\] \[user [^[:space:]]+] do_home$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: \[robot [._[:alnum:]-]+\] \[client [0-9.]{7,15}\] \[user [^[:space:]]+] do_lists\([^[:space:]]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: \[robot [._[:alnum:]-]+\] \[client [0-9.]{7,15}\] \[user [^[:space:]]+] do_logout\([^[:space:]]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: \[robot [._[:alnum:]-]+\] \[client [0-9.]{7,15}\] \[alt [^[:space:]]+] do_logout: logout performed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: \[robot [._[:alnum:]-]+\] \[client [0-9.]{7,15}\] \[alt [^[:space:]]+] do_home$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: \[robot [._[:alnum:]-]+\] \[client [0-9.]{7,15}\] do_lists\([^[:space:]]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: \[robot [._[:alnum:]-]+\] \[client [0-9.]{7,15}\] \[user [^[:space:]]+] \[list [._[:alnum:]-]+\] do_admin$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: \[robot [._[:alnum:]-]+\] \[client [0-9.]{7,15}\] \[user [^[:space:]]+] \[list [._[:alnum:]-]+\] do_info$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: \[robot [._[:alnum:]-]+\] \[client [0-9.]{7,15}\] \[user [^[:space:]]+] \[list [._[:alnum:]-]+\] d_access_control$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: \[robot [._[:alnum:]-]+\] \[client [0-9.]{7,15}\] \[user [^[:space:]]+] \[list [._[:alnum:]-]+\] do_edit_list\(\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: \[robot [._[:alnum:]-]+\] \[client [0-9.]{7,15}\] \[user [^[:space:]]+] \[list [._[:alnum:]-]+\] do_edit_list_request\(\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: \[robot [._[:alnum:]-]+\] \[client [0-9.]{7,15}\] \[user [^[:space:]]+] \[list [._[:alnum:]-]+\] do_edit_list_request\(destription\)$
+
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: \[robot [._[:alnum:]-]+\] \[client [0-9.]{7,15}\] \[list [._[:alnum:]-]+\] do_info$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: \[robot [._[:alnum:]-]+\] \[client [0-9.]{7,15}\] \[list [._[:alnum:]-]+\] d_access_control$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: \[robot [._[:alnum:]-]+\] \[client [0-9.]{7,15}\] \[list [._[:alnum:]-]+\] do_subrequest\(\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: \[robot [._[:alnum:]-]+\] \[client [0-9.]{7,15}\] \[list [._[:alnum:]-]+\] do_subrequest\([^[:space:]]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: \[robot [._[:alnum:]-]+\] \[client [0-9.]{7,15}\] \[list [._[:alnum:]-]+\] do_sendpasswd\([^[:space:]]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: \[robot [._[:alnum:]-]+\] \[client [0-9.]{7,15}\] \[list [._[:alnum:]-]+\] do_login\([^[:space:]]+\)$
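Review bot: `do_edit_list_request\(destription\)` in the last `[user ...] [list ...]` rule looks like a misspelling of `description`. If wwsympa logs the correctly spelled word the rule never matches, and the line keeps appearing in reports. Unless the daemon itself logs `destription`, this should read `do_edit_list_request\(description\)`.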
diff --git a/etc/logcheck/ignore.d.server/syslogd b/etc/logcheck/ignore.d.server/syslogd
new file mode 100644 (file)
index 0000000..1d18e9f
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslogd [.0-9]{5}#[0-9]+: restart \(remote reception\)\.$
diff --git a/etc/logcheck/ignore.d.server/teapop b/etc/logcheck/ignore.d.server/teapop
new file mode 100644 (file)
index 0000000..fa7641f
--- /dev/null
@@ -0,0 +1,5 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ teapop\[[[:digit:]]+\]: [-_.@[:alnum:]]+ \[[.[:digit:]]{7,15}\] R[[:digit:]]+\([[:digit:]]+\) D[[:digit:]]+\([[:digit:]]+\) L[[:digit:]]+\([[:digit:]]+\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ teapop\[[[:digit:]]+\]: connect from [.[:digit:]]{7,15} \([.[:digit:]]{7,15}\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ teapop\[[[:digit:]]+\]: Successful login for [-_.@[:alnum:]]+ \[[.[:digit:]]{7,15}\] from [^[:space:]]+ \[[.[:digit:]]{7,15}\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ teapop\[[[:digit:]]+\]: can't do reverse dns on client (error = 0)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ teapop\[[[:digit:]]+\]: Caught SIGPIPE \(signal = [[:digit:]]+\) - Lost connection$
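Review bot: The parentheses in `can't do reverse dns on client (error = 0)$` are not escaped, so in an extended regex they form a group and the pattern expects `client error = 0` with no literal brackets. The rule therefore cannot match the message it was written for. The `Caught SIGPIPE \(signal = [[:digit:]]+\)` rule just below escapes them correctly; this one should read `can't do reverse dns on client \(error = 0\)$`.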
diff --git a/etc/logcheck/ignore.d.server/telnetd b/etc/logcheck/ignore.d.server/telnetd
new file mode 100644 (file)
index 0000000..2ab2013
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in\.telnetd\[[[:digit:]]+\]: connect from [._[:alnum:]-]+ \([:[:xdigit:].]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ telnetd\[[[:digit:]]+\]: ttloop: peer died: EOF$
diff --git a/etc/logcheck/ignore.d.server/tftpd b/etc/logcheck/ignore.d.server/tftpd
new file mode 100644 (file)
index 0000000..609715d
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.tftpd\[[0-9]+\]: connect from [._[:alnum:]-]+ \([.[:digit:]]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ tftpd\[[0-9]+\]: tftpd: trying to get file: [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ tftpd\[[0-9]+\]: tftpd: serving file from .*$
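Review bot: `in.tftpd` in the first rule has an unescaped dot, which matches any character in that position. The telnetd file added in this same commit writes `in\.telnetd`, and `in\.tftpd\[[0-9]+\]` would be consistent with it. The last rule ends in `serving file from .*$`, which accepts anything after the prefix. `serving file from [^[:space:]]+$`, the form the `trying to get file` rule uses, would limit the filter to one path token, assuming tftpd prints a single path there.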
diff --git a/etc/logcheck/ignore.d.server/thy b/etc/logcheck/ignore.d.server/thy
new file mode 100644 (file)
index 0000000..5187e0e
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ thy\[[0-9]+\]: Server uptime: [0-9]+ days, [0-9:]{8}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ thy\[[0-9]+\]: Accepted [0-9]+ connections, served [0-9]+ bytes$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ thy\[[0-9]+\]: Active connections: [0-9]+$
diff --git a/etc/logcheck/ignore.d.server/ucd-snmp b/etc/logcheck/ignore.d.server/ucd-snmp
new file mode 100644 (file)
index 0000000..a9ca2bd
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ucd-snmp\[[0-9]+\]: Connection from [.0-9]+$
diff --git a/etc/logcheck/ignore.d.server/upsd b/etc/logcheck/ignore.d.server/upsd
new file mode 100644 (file)
index 0000000..0ba57f3
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ upsd\[[0-9]+\]: Connection from [.[:digit:]]{7,15}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ upsd\[[0-9]+\]: Client on [.[:digit:]]{7,15} logged out$
diff --git a/etc/logcheck/ignore.d.server/uptimed b/etc/logcheck/ignore.d.server/uptimed
new file mode 100644 (file)
index 0000000..9834c40
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ uptimed: moving up to position [0-9]+: [0-9]+ day[s ], [:0-9]{8}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ uptimed: milestone: [0-9]+ day[s ], [:0-9]{8} \([[:alnum:] ]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ uptimed: new uptime record: .*$
diff --git a/etc/logcheck/ignore.d.server/userv b/etc/logcheck/ignore.d.server/userv
new file mode 100644 (file)
index 0000000..f955ff8
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ uservd\[[0-9]+\]: call connected$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ uservd/check\[[0-9]+\]: uservd\[[0-9]+\] is running$
diff --git a/etc/logcheck/ignore.d.server/vsftpd b/etc/logcheck/ignore.d.server/vsftpd
new file mode 100644 (file)
index 0000000..77da366
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ vsftpd: PAM-listfile: Refused user [._[:alnum:]-]+ for service vsftpd$
diff --git a/etc/logcheck/ignore.d.server/watchdog b/etc/logcheck/ignore.d.server/watchdog
new file mode 100644 (file)
index 0000000..c0b3c80
--- /dev/null
@@ -0,0 +1,6 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ watchdog\[[0-9]+\]: int=[[:digit:]]+s realtime=(yes|no) sync=(yes|no) soft=(yes|no) mla=[[:digit:]]+ mem=[[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ watchdog\[[0-9]+\]: ping: no machine to check$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ watchdog\[[0-9]+\]: file: no file to check$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ watchdog\[[0-9]+\]: pidfile: no server process to check$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ watchdog\[[0-9]+\]: interface: no interface to check$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ watchdog\[[0-9]+\]: test=none\([[:digit:]]+\) repair=none alive=none heartbeat=none temp=none to=root no_act=(yes|no)$
diff --git a/etc/logcheck/ignore.d.server/webmin b/etc/logcheck/ignore.d.server/webmin
new file mode 100644 (file)
index 0000000..cfd5b4b
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ webmin\[[0-9]+\]: Successful login as [[:alnum:]]+ from [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ webmin\[[0-9]+\]: Logout by [[:alnum:]]+ from [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ webmin\[[0-9]+\]: Timeout of [[:alnum:]]+$
diff --git a/etc/logcheck/ignore.d.server/wu-ftpd b/etc/logcheck/ignore.d.server/wu-ftpd
new file mode 100644 (file)
index 0000000..1d2a3c7
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wu-ftpd: PAM-listfile: Refused user [._[:alnum:]-]+ for service wu-ftpd$
diff --git a/etc/logcheck/ignore.d.server/xinetd b/etc/logcheck/ignore.d.server/xinetd
new file mode 100644 (file)
index 0000000..049445c
--- /dev/null
@@ -0,0 +1,7 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ xinetd\[[0-9]+\]: START: [[:alpha:]]+ pid=[0-9]+ from=[0-9a-f.:]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ xinetd\[[0-9]+\]: USERID: [[:alpha:]]+ UNIX : [[:alpha:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ xinetd\[[0-9]+\]: EXIT: [[:alpha:]]+ pid=[0-9]+ duration=[0-9]+\(sec\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ xinetd\[[0-9]+\]: Reading included configuration file: [-._/[:alnum:]]+ \[file=[-._/[:alnum:]]+\] \[line=[[:digit:]]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ xinetd\[[0-9]+\]: removing (chargen|(day)?time|echo|discard)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ xinetd\[[0-9]+\]: xinetd Version [.[:digit:]]+ started with libwrap loadavg options compiled in\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ xinetd\[[0-9]+\]: Started working: [[:digit:]]+ available services?$
diff --git a/etc/logcheck/ignore.d.workstation/automount b/etc/logcheck/ignore.d.workstation/automount
new file mode 100644 (file)
index 0000000..fda154b
--- /dev/null
@@ -0,0 +1,18 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: attempting to mount entry$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: lookup\(file\): looking up [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: lookup\(file\): [._[:alnum:]-]+ -> -fstype=[[:alnum:]]+,uid=[_[:alnum:]-]+,gid=[_[:alnum:]-]+,credentials=.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: expanded entry:$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: parse\(sun\): multimount: croak:[^[:space:]]+ on [^[:space:]]+ with options fstype=[[:alnum:]]+(,[[:alnum:]]+)*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: parse\(sun\): mounting root [^[:space:]]+, mountpoint [^[:space:]]+, what [^[:space:]]+, fstype [[:alnum:]]+, options [[:alnum:]]+(,[[:alnum:]]+)*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: parse\(sun\): (expanded entry|gathered options): -?fstype=[[:alnum:]]+,uid=[_[:alnum:]-]+,gid=[_[:alnum:]-]+,credentials=.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: parse\(sun\): core of entry: options=fstype=[[:alnum:]]+,uid=[_[:alnum:]-]+,gid=[_[:alnum:]-]+,credentials=.*, loc=[^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: do_mount [^[:space:]]+ [^[:space:]]+ type [[:alnum:]]+ options uid=[_[:alnum:]-]+,gid=[_[:alnum:]-]+,credentials=[^[:space:]]+ using module [[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: mount\((nfs|generic)\): calling (mkdir|mount)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: mount\((nfs|generic)\):   root=[^[:space:]]+ name=[^[:space:]]+ what=[^[:space:]]+, fstype=[[:alnum:]]+, options=[[:alnum:]]+(,[[:alnum:]]+)*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: mount\((nfs|generic)\): (nfs|generic) options=[[:alnum:]]+(,[[:alnum:]]+)*, nosymlink=0$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: mount\((nfs|generic)\): calling mkdir_path [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: mount\((nfs|generic)\): calling mount -t [[:alnum:]]+ -s -o [[:alnum:]]+(,[[:alnum:]]+)*(,credentials=[^[:space:]]+)? [^[:space:]]+ [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: mount\(nfs\): [[:alnum:]]+ is local, symlinking$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: mount\((nfs|generic)\): mounted [^[:space:]]+( type [[:alnum:]]+)? on [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: running expiration on path$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ automount\[[0-9]+\]: expired$
diff --git a/etc/logcheck/ignore.d.workstation/bind b/etc/logcheck/ignore.d.workstation/bind
new file mode 100644 (file)
index 0000000..18a88b8
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: ns_forw: sendto\(\[[\.0-9]+\]\.[0-9]+\): Network is unreachable$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: deleting interface \[[\.0-9]+\]\.[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: listening on \[[\.0-9]+\]\.[0-9]+ \([^[:space:]+]\)$
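Review bot: In the `listening on` rule the quantifier ended up inside the bracket expression: `\([^[:space:]+]\)` matches exactly one character that is neither whitespace nor `+`. The rule therefore only fits a one-character interface name and misses the usual `(eth0)` or `(lo)` form. The intended pattern is presumably `\([^[:space:]]+\)$`.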
diff --git a/etc/logcheck/ignore.d.workstation/bluetooth-alsa b/etc/logcheck/ignore.d.workstation/bluetooth-alsa
new file mode 100644 (file)
index 0000000..99059cb
--- /dev/null
@@ -0,0 +1,9 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ headsetd\[[[:digit:]]{1,5}\]: Bluetooth headset daemon version [.[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ headsetd\[[[:digit:]]{1,5}\]: Changing state: (Idle|Paging|Connecting|Ready|Opening|Streaming|Zombie(Appl)?|Connected)-->(Idle|Paging|Connecting|Ready|Opening|Streaming|Zombie(Appl)?|Connected)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ headsetd\[[[:digit:]]{1,5}\]: Configuration phase ended: target bdaddr is [:[:xdigit:]]+, timeout is -?[[:digit:]]+ ms$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ headsetd\[[[:digit:]]{1,5}\]: SCO channel opened handle=0x[[:xdigit:]]+ mtu=[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ headsetd\[[[:digit:]]{1,5}\]: Appli closed socket$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ headsetd\[[[:digit:]]{1,5}\]: Nobody uses SCO channel anymore, closing it\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ headsetd\[[[:digit:]]{1,5}\]: Headset disconnected as (SCO|RFCOMM) socket died$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ headsetd\[[[:digit:]]{1,5}\]: exiting cleanly$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ headsetd\[[[:digit:]]{1,5}\]: unable to connect L2CAP socket to headset: Device or resource busy$
diff --git a/etc/logcheck/ignore.d.workstation/bluez-utils b/etc/logcheck/ignore.d.workstation/bluez-utils
new file mode 100644 (file)
index 0000000..d8c398c
--- /dev/null
@@ -0,0 +1,6 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hcid\[[[:digit:]]{1,5}\]: Bluetooth HCI daemon
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hcid\[[[:digit:]]{1,5}\]: (Unr|R)egister path:/org/bluez[-/_.[:alnum:]]*( fallback:[[:digit:]]+)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hcid\[[[:digit:]]{1,5}\]: HCI dev [[:digit:]]+ (registered|already up)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hcid\[[[:digit:]]{1,5}\]: Device [[:alnum:]]+ has been a(dd|ctivat)ed$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hcid\[[[:digit:]]{1,5}\]: Starting security manager [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sdpd\[[[:digit:]]{1,5}\]: Bluetooth SDP daemon$
diff --git a/etc/logcheck/ignore.d.workstation/bonobo b/etc/logcheck/ignore.d.workstation/bonobo
new file mode 100644 (file)
index 0000000..0308d64
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ bonobo-activation-server \([[:alnum:]-]+\): iid OAFIID:BrokenNoType:[0-9]+ has a NULL type$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ bonobo-activation-server \([[:alnum:]-]+\): invalid character '.' in iid 'OAFIID:[^[:space:]]+OAFIID_ContainsBadChars'$
diff --git a/etc/logcheck/ignore.d.workstation/francine b/etc/logcheck/ignore.d.workstation/francine
new file mode 100644 (file)
index 0000000..58c3534
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ francine: \(pam_unix\) session (opened|closed) for user [a-z]+( by LOGIN\(uid=0\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ francine: pam_unix\(francine:session\): session (opened|closed) for user [a-z]+( by LOGIN\(uid=0\))?$
diff --git a/etc/logcheck/ignore.d.workstation/gconf b/etc/logcheck/ignore.d.workstation/gconf
new file mode 100644 (file)
index 0000000..852ed18
--- /dev/null
@@ -0,0 +1,7 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (gconfd )?\([._[:alnum:]-]+-[0-9]+\): starting \(version [.[:alnum:]]+\), pid [0-9]+ user '[[:alnum:]-]+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (gconfd )?\([._[:alnum:]-]+-[0-9]+\): Received signal 15, shutting down cleanly$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (gconfd )?\([._[:alnum:]-]+-[0-9]+\): Exiting$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (gconfd )?\([._[:alnum:]-]+-[0-9]+\): Resolved address [^[:space:]]+ to a read-only configuration source at position [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (gconfd )?\([._[:alnum:]-]+-[0-9]+\): Resolved address [^[:space:]]+ to a writable configuration source at position [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (gconfd )?\([._[:alnum:]-]+-[0-9]+\): GConf server is not in use, shutting down\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (gconfd )?\([._[:alnum:]-]+-[0-9]+\): SIGHUP received, reloading all databases$
diff --git a/etc/logcheck/ignore.d.workstation/gdm b/etc/logcheck/ignore.d.workstation/gdm
new file mode 100644 (file)
index 0000000..f2c73a3
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: [[:alnum:]]+: \(pam_securetty\) access denied: tty ':0' is not secure !$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: [[:alnum:]]+: pam_securetty\(gdm:[[:alnum:]]+\): access denied: tty ':0' is not secure !$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: gdm_slave_xioerror_handler: Fatal X error - Restarting :[0-9]$
diff --git a/etc/logcheck/ignore.d.workstation/hald b/etc/logcheck/ignore.d.workstation/hald
new file mode 100644 (file)
index 0000000..428cef2
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hald\[[0-9]+\]: Timed out waiting for hotplug event [0-9]+\. Rebasing to [0-9]+$
diff --git a/etc/logcheck/ignore.d.workstation/hcid b/etc/logcheck/ignore.d.workstation/hcid
new file mode 100644 (file)
index 0000000..b9e4dcc
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hcid\[[0-9]+\]: HCI dev [0-9]+ (registered|up|down|unregistered)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hcid\[[0-9]+\]: (Stoping|Starting) security manager [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hcid\[[0-9]+\]: link_key_request \([[:alpha:]]+=[:[:alnum:]]+, [[:alpha:]]+=[:[:alnum:]]+\)$
diff --git a/etc/logcheck/ignore.d.workstation/ifplugd b/etc/logcheck/ignore.d.workstation/ifplugd
new file mode 100644 (file)
index 0000000..59e3785
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ifplugd\(eth[0-9]\)\[[0-9]+\]: Link beat lost\.$
diff --git a/etc/logcheck/ignore.d.workstation/ippl b/etc/logcheck/ignore.d.workstation/ippl
new file mode 100644 (file)
index 0000000..9497356
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ippl: spamd connection attempt from 127.0.0.1$
diff --git a/etc/logcheck/ignore.d.workstation/kdm b/etc/logcheck/ignore.d.workstation/kdm
new file mode 100644 (file)
index 0000000..febace7
--- /dev/null
@@ -0,0 +1,5 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]: pam_[[:alnum:]]+\(kdm:session\): session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]: pam_[[:alnum:]]+\(kdm:session\): session closed for user [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm_greet\[[0-9]+\]: Can't open default user face$
diff --git a/etc/logcheck/ignore.d.workstation/kernel b/etc/logcheck/ignore.d.workstation/kernel
new file mode 100644 (file)
index 0000000..93dd0ea
--- /dev/null
@@ -0,0 +1,138 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? cdrom: This disc doesn't have any tracks I recognize!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? cdrom: open failed\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? hd[[:lower:]]+: (ATAPI reset complete|drive not ready for command)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? hd[[:lower:]]+: ATAPI [0-9]+X DVD-ROM CD-R/RW drive, [0-9]+kB Cache$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? Uniform CD-ROM driver Revision: [0-9]\.[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? spurious 8259A interrupt: IRQ7\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? icmpv6: msg of unknown type$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? i2c_adapter i2c-0: sendbytes: error - bailout\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? msp34xx: I/O error #1 \((read|write) 0x[0-9a-fA-F]+/0x[0-9a-fA-F]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? eth[0-9]: New link status: AP (In|Out of) Range \([0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? eth[0-9]: New link status: (Disconnected|Connected) \([0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? REJECT input_ext IN=[[:alnum:]]+ OUT= MAC=.*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:alnum:]]+: eth[0-9]: Link is down\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ISO 9660 Extensions: Microsoft Joliet Level [0-3]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ISO 9660 Extensions: [_[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ISOFS: changing to secondary root$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? agpgart: Found an AGP [0-9.]+ compliant device at [0-9:.]+\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? agpgart: Putting AGP V[0-9] device at [0-9:.]+ into [0-9]x mode$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? hub [0-9]+-[0-9]+:[0-9]+\.[0-9]+: (USB hub found|[0-9]+ ports detected)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? hub [0-9]+-[0-9]+:[0-9]+\.[0-9]+: over-current change on port [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? hub [0-9]+-[0-9]+:[0-9]+\.[0-9]+: port [[:digit:]]+ disabled by hub \(EMI\?\), re-enabling\.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usb [0-9]+-[.[:digit:]]+: configuration #[[:digit:]] chosen from [[:digit:]]+ choices?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usb [0-9]+-[.[:digit:]]+: new (low|full|high) speed USB device using ([_[:alnum:]-]+ and )?address [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? hub\.c: new USB device [.:0-9-]+, assigned address [0-9]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usb [0-9]-[.[:digit:]]+: USB disconnect, address [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usb.c: USB disconnect on device [.:0-9-]+ address [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usb.c: USB device [0-9]+ \(vend/prod [x/[0-9]+\) is not claimed by any active driver\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? USB Mass Storage device found at [0-9]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usb-storage: (device found at [0-9]|waiting for device to settle before scanning|device scan complete)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? Initializing USB Mass Storage driver\.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? USB Mass Storage support registered\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? WARNING: USB Mass Storage data integrity not assured$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? drivers/usb/serial/usb-serial\.c: USB Serial Driver core( [.[:alnum:]]+)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? drivers/usb/serial/usb-serial\.c: USB Serial support registered for [_[:alnum:][:space:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? drivers/usb/class/usblp.c: usblp[0-9]: removed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? drivers/usb/class/usblp.c: usblp[0-9]: USB Bidirectional printer dev [0-9] if [0-9] alt [0-9] proto [0-9] vid [[:alnum:]]+ pid [[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? drivers/usb/serial/ipaq.c: USB PocketPC PDA driver v[.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ipaq [-0-9.:]+ PocketPC PDA converter detected$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ipaq [-0-9.:]+ device disconnected$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ usb.agent\[[0-9]+\]:[[:space:]]+[_[:alnum:]-]+: (loaded successfully|already loaded)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ usb.agent\[[0-9]+\]: Keeping default configuration with [\./:[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ieee1394: Node changed: [-:0-9]+ -> [-:0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ieee1394: Node (suspended|resumed): ID:BUS\[[-:0-9]+\]  GUID\[[0-9a-f]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ieee1394: The root node is not cycle master capable; selecting a new root node and resetting\.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ieee1394: Error parsing configrom for node [-:0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ieee1394: sbp2: Logged into SBP-2 device$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ieee1394: Node [:0-9\-]+ Max speed \[S[0-9]+\] - Max payload \[[0-9]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? scsi[0-9]+ : SCSI emulation for (IEEE-1394 SBP-2 Devices|USB Mass Storage devices)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? Attached scsi removable disk sd[a-z]( at scsi[0-9], channel [0-9], id [0-9], lun [0-9])?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? sd [0-9:]+ Attached scsi (removable )?disk sd[a-z]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? SCSI device sd[a-z]: [0-9]+ 512-byte hdwr sectors \([0-9]+ MB\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:space:]]*sd[a-z]: sd[a-z]1( sd[a-z][0-9]+)*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? sr[0-9]+: [^[:space:]]+ drive: [ \/[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? +Type: +[^[:space:]]+ +ANSI SCSI revision: [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? Attached scsi CD-ROM sr[0-9]+ at scsi[0-9], channel [0-9], id [0-9], lun [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ scsi.agent\[[0-9]+\]: (disk|cdrom) at [\./:[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ scsi.agent\[[0-9]+\]:[[:space:]]+ sd_mod: loaded successfully \(for disk\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])?  /dev/scsi/host[0-9]/bus[0-9]/target[0-9]/lun[0-9]: p[0-9]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? keyboard: Too many NACKs -- noisy kbd cable\?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? keyboard.c: can't emulate rawmode for keycode [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ide-floppy driver [[:alnum:].]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ide: Assuming [0-9]+MHz system bus speed for PIO modes; override with idebus=xx$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? Uniform Multi-Platform E-IDE driver Revision: [.[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ohci_hcd [.[:digit:]\:]+: wakeup$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usbcore: registered new driver [_[:lower:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usb.c: registered new driver [_[:lower:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? drivers/usb/input/hid-core.c: ctrl urb status [-[:digit:]]+ received$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? drivers/usb/input/hid-core.c: v[\:[:digit:].]+USB HID core driver$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? drivers/usb/class/cdc-acm.c: v[\:[:digit:].]+USB Abstract Control Model driver for USB modems and ISDN adapters$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ input.agent\[[0-9]+\]:[[:space:]]+((mouse|ts|ev|joy)dev|evbug): (already loaded|loaded successfully|blacklisted)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? input: USB HID v[.[:digit:]]+ (Joystick|Keyboard|Mouse) \[[ [:alnum:][:punct:]]+\] on usb-[\:[:xdigit:].-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? input: [-_/[:alnum:][:space:]]+ as /class/input/input[[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? input: AT Translated Set 2 keyboard on isa[[:digit:]]+/serio[[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? pl2303 [-:0-9.]+ PL-2303 converter detected$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usb [-:0-9]+ [-[:alnum:][:space:]]+ converter now attached to ttyUSB[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [-[:alnum:]]+ ttyUSB[0-9]: [-[:alnum:][:space:]]+ converter now disconnected from ttyUSB[0-9]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? cdc_acm [-:0-9.]+ ttyACM[0-9]: USB ACM device$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? drivers/usb/serial/pl2303.c: Prolific PL2303 USB to serial adaptor driver v[.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? Bluetooth: HCI USB driver ver [.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? drivers\/usb\/class\/audio\.c: v[.0-9]+:USB Audio Class driver$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usbaudio: assuming that a stereo channel connected directly to a mixer is missing in search \(got .*\?\)\. Should be fine\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usbaudio: constructing mixer for Terminal [0-9]+ type 0x[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usbaudio: device [0-9] audiocontrol interface [0-9] has [0-9] input and [0-9] output AudioStreaming interfaces$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usbaudio: device [0-9]+ interface [0-9]+ altsetting [0-9]+: format 0x[0-9]+ sratelo [0-9]+ sratehi [0-9]+ attributes 0x[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usb_audio_parsecontrol: usb_audio_state at [[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usbaudio: (registered|unregister) (dsp|mixer) [,0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usbaudio: valid (in|out)put sample rate [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usbaudio: warning: found [0-9] of [0-9] logical channels\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usb [0-9]-[0-9]: configuration #[0-9]+ chosen from [0-9]+ choices?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? sd[a-z]: Write Protect is off$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? sd[a-z]: assuming (Write Enabled|drive cache: write through)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? sd[a-z]: Mode Sense: [[:alnum:]]{2} [[:alnum:]]{2} [[:alnum:]]{2} [[:alnum:]]{2}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? nfs warning: mount version (older|newer) than kernel$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? Device not ready. Make sure there is a disc in the drive.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? intel8x0_measure_ac97_clock: measured [[:digit:]]+ usecs$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? intel8x0: clocking to [[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? \[drm\] Initialized card for PCI DMA\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? \[drm\] Setting GART location based on new memory map$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? \[drm\] Loading R[23]00 Microcode$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? \[drm\] writeback test succeeded in [[:digit:]]+ usecs$
+# this stuff is from pmounts autodetection
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? UDF-fs: No (VRS|partition) found( \([[:digit:]]+\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? Unable to identify CD-ROM format\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? FAT: Did not find valid FSINFO signature\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])?      Found signature1 0x[[:xdigit:]]+ signature2 0x[[:xdigit:]]+ \(sector = [[:digit:]]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? FAT: bogus number of reserved sectors$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? FAT: utf8 is not a recommended IO charset for FAT filesystems, filesystem will be case sensitive!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? VFS: Can't find a valid FAT filesystem on dev [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? VFS: Can't find ext[234] filesystem on dev [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? NTFS driver [.[:digit:]]+ \[Flags: R/W MODULE\]\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? NTFS-fs error \(device [^[:space:]]+\): read_ntfs_boot_sector\(\): Primary boot sector is invalid\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? NTFS-fs error \(device [^[:space:]]+\): read_ntfs_boot_sector\(\): Mount option [^[:space:]]+ not used\. Aborting without trying to recover\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? NTFS-fs error \(device [^[:space:]]+\): ntfs_fill_super\(\): Not an NTFS volume\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? hfs: unable to find HFS\+ superblock$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? hfs: can't find a HFS filesystem on dev [^[:space:]]+\.$
+# connection of usb devices
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usb [-.[:digit:]]+: reset (full|high) speed USB device using [oe]hci_hcd and address [[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usb [-.[:digit:]]+: not running at top speed; connect to a high speed hub$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usb-storage: device found at [[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:space:]]*Vendor: [-_. [:alnum:]]+Model: [-_. [:alnum:]]+Rev: [-_. [:alnum:]]+$
+# for sun machines
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? sunmouse: Successfully adjusted to [0-9]+ baud\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? btaudio: driver version [0-9.]+ loaded \[digital\+analog\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? eth[0-9]: tx interrupt but no status$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? CSLIP: code copyright 1989 Regents of the University of California$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? atkbd\.c: Keyboard on isa0060/serio0 reports too many keys pressed\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? atkbd\.c: Unknown key released \(translated set [[:digit:]]+, code 0x[[:xdigit:]]+ on isa0060/serio0\)\.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? atkbd\.c: Use 'setkeycodes [[:xdigit:]]+ <keycode>' to make it known\.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? swsusp: Need to copy [0-9]+ pages$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? swsusp: Restoring Highmem$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ACPI: PCI Interrupt [[:alnum:]:.]+\[[[:upper:]]\] -> GSI [0-9]+ \(level, low\) -> IRQ [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? PM: Writing back config space on device [[:alnum:]:.]+ at offset [0-9] \(was [0-9]+, writing [0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? loop: loaded \(max [0-9]+ devices\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? oprofile: using NMI interrupt\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: bttv[[:digit:]]+: PLL: 28636363 => 35468950 \.\. ok$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: bttv[[:digit:]]+: PLL can sleep, using XTAL \(28636363\)\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: usb[[:digit:]]+: register 'zaurus' at usb-[0-9:.-]+, (Sharp Zaurus SL-5x00|Sharp Zaurus, PXA-2xx based|Olympus R1000|pseudo-MDLM =\(BLAN\) device), [0-9a-f:]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: usb[[:digit:]]+: unregister 'zaurus' usb-[0-9:.-]+, (Sharp Zaurus SL-5x00|Sharp Zaurus, PXA-2xx based|Olympus R1000|pseudo-MDLM =\(BLAN\) device)$
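Review bot: The `REJECT input_ext IN=[[:alnum:]]+ OUT= MAC=.*$` rule discards every packet-filter reject logged with that prefix, whatever the source, protocol or port, because everything after `MAC=` is `.*`. `input_ext` looks like the chain name of one particular firewall setup, so on hosts that use it the workstation-level report loses all visibility of rejected inbound traffic. Consider leaving it out of the default file, or putting a comment above it such as `# firewall REJECT lines are reviewed elsewhere, not by logcheck`. Separately, the two `atkbd\.c:` rules ending in `serio0\)\.` and `to make it known\.` lack the trailing `$` that the rest of this file uses.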
diff --git a/etc/logcheck/ignore.d.workstation/logcheck b/etc/logcheck/ignore.d.workstation/logcheck
new file mode 100644 (file)
index 0000000..3bc14db
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ Login.app: \(\w+\) session opened for user [-[:alnum:]_]+ by \(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cardmgr\[[0-9]+\]: no sockets found!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ Xprt_64: Xprint server pid=[0-9]+ done, exitcode=0\.$
diff --git a/etc/logcheck/ignore.d.workstation/net-acct b/etc/logcheck/ignore.d.workstation/net-acct
new file mode 100644 (file)
index 0000000..1926c8e
--- /dev/null
@@ -0,0 +1,5 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nacctd: config:$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nacctd: no old dumpfile \(/var/log/net-acct/dump\) exists$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nacctd: net accounting daemon forked$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nacctd: net accounting daemon terminating$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nacctd: net accounting daemon started$
diff --git a/etc/logcheck/ignore.d.workstation/nntpcache b/etc/logcheck/ignore.d.workstation/nntpcache
new file mode 100644 (file)
index 0000000..66452c1
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nntpcache-(client|update|nocem)\[[0-9]+\]: clean shutdown$
diff --git a/etc/logcheck/ignore.d.workstation/nullmailer b/etc/logcheck/ignore.d.workstation/nullmailer
new file mode 100644 (file)
index 0000000..80e069f
--- /dev/null
@@ -0,0 +1,7 @@
+nullmailer\[[0-9]+\]: Rescanning queue\.
+nullmailer\[[0-9]+\]: Trigger pulled\.
+nullmailer\[[0-9]+\]: Starting delivery, [0-9]+ message\(s\) in queue\.
+nullmailer\[[0-9]+\]: Starting delivery: protocol: [a-z]+ host: .+ file: [0-9\.]+
+nullmailer\[[0-9]+\]: Sent file\.
+nullmailer\[[0-9]+\]: Delivery complete, 0 message\(s\) remain\.
+nullmailer\[[0-9]+\]: smtp: Succeeded:
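Review bot: The seven nullmailer rules have neither the `^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ` prefix nor a `$` terminator, unlike the other rules visible in this diff, so each one matches its text anywhere in a line. Assuming logcheck applies these as ordinary egrep patterns, a line from a different program that merely contains a string like `nullmailer[1]: Sent file.` in a field written from remote input would be dropped from the report. Anchor them like their neighbours, e.g. `^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nullmailer\[[0-9]+\]: Sent file\.$`, adding `$` wherever the message text is fixed. The `host: .+` part of the "Starting delivery: protocol" rule would also be tighter as `host: [^[:space:]]+`.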
diff --git a/etc/logcheck/ignore.d.workstation/polypaudio b/etc/logcheck/ignore.d.workstation/polypaudio
new file mode 100644 (file)
index 0000000..929fa02
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ polypaudio\[[0-9]+\]: module-alsa-sink.c: using [0-9]+ fragments of size [0-9]+ bytes.$
diff --git a/etc/logcheck/ignore.d.workstation/postfix b/etc/logcheck/ignore.d.workstation/postfix
new file mode 100644 (file)
index 0000000..7f791d0
--- /dev/null
@@ -0,0 +1,16 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/postfix-script: (starting|stopping) the Postfix mail system$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/postfix-script: refreshing the Postfix mail system$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/master\[[0-9]+\]: terminating on signal 15$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/master\[[0-9]+\]: daemon started -- version [.[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/master\[[0-9]+\]: reload configuration$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/virtual\[[0-9]+\]: [[:alnum:]]+: to=[^[:space:]]+, relay=[^[:space:]]+, delay=[0-9]+, status=[[:alnum:]]+ \(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/virtual\[[0-9]+\]: [[:alnum:]]+: to=[^[:space:]]+, orig_to=[^[:space:]]+, relay=[^[:space:]]+, delay=[0-9]+, status=[[:alnum:]]+ \(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: starting TLS engine$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: SSL_accept:before/accept initialization$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: SSL_accept:before/accept initialization$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: SSL_accept:(error in )?SSL(v2/v3|v3) read client (hello|certificate) (A|B)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: SSL_accept:error in SSL(v2/v3|v3) read certificate verify A$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: SSL_accept:SSLv3 read client (hello|key exchange) A$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: SSL_accept:SSLv3 write (certificate|server hello|key exchange|server done|change cipher spec) A$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: SSL_accept:SSLv3 flush data$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: SSL_accept:SSLv3 (read|write) finished A$
diff --git a/etc/logcheck/ignore.d.workstation/ppp b/etc/logcheck/ignore.d.workstation/ppp
new file mode 100644 (file)
index 0000000..4b07550
--- /dev/null
@@ -0,0 +1,25 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pppd\[[[:digit:]]{1,5}\]: Connect: ppp[[:digit:]]+ <--> [[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: (CH|P)AP authentication succeeded(: (CH|P)AP authentication success, unit [[:digit:]]+)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Connection terminated\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Device ttyS1 is locked by pid [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Exit\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Hangup \(SIGHUP\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Remote message: .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Sent [0-9]+ bytes, received [0-9]+ bytes\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Serial connection established\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Terminating on signal 15\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Using interface [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: kernel does not support PPP filtering$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Waiting for 1 child processes\.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: local  IP address [.0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: pppd [^[:space:]]+ started by [^[:space:]]+, uid [0-9]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pppd\[[[:digit:]]{1,5}\]: (remote|local ) IP address [.[:digit:]]{7,15}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pppd\[[[:digit:]]{1,5}\]: (primary  |secondary) DNS address [.[:digit:]]{7,15}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: Plugin pppoatm.so loaded\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppd\[[0-9]+\]: PPPoATM plugin_init$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pppd\[[[:digit:]]{1,5}\]: peer from calling number [:[:xdigit:]]+ authorized$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pppd\[[[:digit:]]{1,5}\]: Cannot determine ethernet address for proxy ARP$
+# pppoa support
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppoa3\[[0-9]+\]: pppoa3 version [.[:alnum:]-]+ started by [_[:alnum:]-]+ \(uid [0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppoa3\[[0-9]+\]: Control thread ready$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pppoa3\[[0-9]+\]: (host |modem) --> pppoa3 --> (host |modem) stream ready$
diff --git a/etc/logcheck/ignore.d.workstation/proftpd b/etc/logcheck/ignore.d.workstation/proftpd
new file mode 100644 (file)
index 0000000..c1133bc
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) Maximum login attempts \([[:digit:]]+\) exceeded$
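Review bot: This rule suppresses proftpd's `Maximum login attempts (N) exceeded` message, which is a direct indicator of repeated failed FTP logins from one client address. With it in the workstation ignore set, password guessing against the FTP service produces no report entry unless a cracking.d or violations.d rule catches the line first (none is visible in this part of the diff). I would drop it from the default configuration, or add a comment line above it such as `# repeated-login-failure notices ignored here; brute-force detection handled by <other control>` so the trade-off is explicit to whoever deploys it.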
diff --git a/etc/logcheck/ignore.d.workstation/pump b/etc/logcheck/ignore.d.workstation/pump
new file mode 100644 (file)
index 0000000..57fb13e
--- /dev/null
@@ -0,0 +1,14 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: PUMP: sending discover$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: got dhcp offer$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: PUMP: sending second discover$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: PUMP: got (an offer|lease)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: intf: (bootServer|ip|next server|netmask|broadcast|network|dnsServers\[[0-9]+\]|gateways\[[0-9]+\]): [0-9.]{7,15}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: intf: (set|reqLease|numGateways|numDns): [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: intf: device: eth[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: intf: domain: [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: breq: (opcode|hw|hwlength|hopcount|secs): [0-9]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: breq: (hwaddr|servername|bootfile):$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: bresp: (opcode|hw|hwlength|hopcount|secs): [0-9]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: bresp: (hwaddr|servername|bootfile):$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: configured interface eth[0-9]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: renewed lease for interface eth[0-9]$
diff --git a/etc/logcheck/ignore.d.workstation/sendfile b/etc/logcheck/ignore.d.workstation/sendfile
new file mode 100644 (file)
index 0000000..f33934c
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sendfiled\[[0-9]+\]: connect from [._[:alnum:]-]+ \([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\)$
diff --git a/etc/logcheck/ignore.d.workstation/squid b/etc/logcheck/ignore.d.workstation/squid
new file mode 100644 (file)
index 0000000..e2fd97b
--- /dev/null
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Squid Cache \(Version [0-9.]+(STABLE)*[0-9]+\): Exiting normally\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Starting Squid Cache version [0-9.]+(STABLE)*[0-9]+ for [[:alnum:]-]+\.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: Reconfiguring Squid Cache \(version [.[:alnum:]]+\)\.\.\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: squidaio_queue_request: WARNING - Queue congestion$
diff --git a/etc/logcheck/ignore.d.workstation/udev b/etc/logcheck/ignore.d.workstation/udev
new file mode 100644 (file)
index 0000000..c82b875
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ udev\[[0-9]+\]: (creating|removing) device node '/dev(/[[:alnum:]]+)+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ udev\[[0-9]+\]: configured rule in '[\./:[:alnum:]-]+\[[0-9]+\]' applied, (added symlink )?'[[:alnum:]]+'( becomes '([[:alpha:]]+/)?%k')?$
diff --git a/etc/logcheck/ignore.d.workstation/wdm b/etc/logcheck/ignore.d.workstation/wdm
new file mode 100644 (file)
index 0000000..8527bb5
--- /dev/null
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wdm: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wdm: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wdm: :0\[[0-9]+\]: pam_[[:alnum:]]+\(wdm:session\): session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wdm: :0\[[0-9]+\]: pam_[[:alnum:]]+\(wdm:session\): session closed for user [[:alnum:]-]+$
diff --git a/etc/logcheck/ignore.d.workstation/winbind b/etc/logcheck/ignore.d.workstation/winbind
new file mode 100644 (file)
index 0000000..c261491
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pam_winbind\[[0-9]+\]: user '[._[:alnum:]-]+' granted access$
diff --git a/etc/logcheck/ignore.d.workstation/xdm b/etc/logcheck/ignore.d.workstation/xdm
new file mode 100644 (file)
index 0000000..3ed4900
--- /dev/null
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+[[:space:]]+: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+[[:space:]]+: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ xdm: :0\[[0-9]+\]: pam_[[:alnum:]]+\(xdm:session\): session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ xdm: :0\[[0-9]+\]: pam_[[:alnum:]]+\(xdm:session\): session closed for user [[:alnum:]-]+$
diff --git a/etc/logcheck/ignore.d.workstation/xlockmore b/etc/logcheck/ignore.d.workstation/xlockmore
new file mode 100644 (file)
index 0000000..015f1f0
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ xlock\[[0-9]+\]: Start: [._[:alnum:]-]+, [._[:alnum:]-]+, [._[:alnum:]-]*:[[:digit:]]+(\.[[:digit:]]+)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ xlock\[[0-9]+\]: Stop: [._[:alnum:]-]+, [._[:alnum:]-]+, [._[:alnum:]-]*:[[:digit:]]+(\.[[:digit:]]+), [[:digit:]]+m [[:digit:]]+s$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ xlock\[[0-9]+\]: xlock: expired\. closing down \(uid [[:digit:]]+\) on [._[:alnum:]-]*:[[:digit:]]+(\.[[:digit:]]+)$
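Review bot: The trailing `(\.[[:digit:]]+)` in all three xlock rules is a group with no quantifier, so the screen suffix is mandatory and a display logged as `host:0` rather than `host:0.0` will not be filtered. If that was not intended, use `(\.[[:digit:]]+)?`; if it was, the parentheses can go. The effect is only extra report noise, not missed events.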
diff --git a/etc/logcheck/logcheck.conf b/etc/logcheck/logcheck.conf
new file mode 100644 (file)
index 0000000..d0ddb1b
--- /dev/null
@@ -0,0 +1,84 @@
+# The following variable settings are the initial default values,
+# which can be uncommented and modified to alter logcheck's behaviour
+
+# Controls the format of date-/time-stamps in subject lines:
+# Alternatively, set the format to suit your locale
+
+#DATE="$(date +'%Y-%m-%d %H:%M')"
+
+# Controls the presence of boilerplate at the top of each message:
+# Alternatively, set to "0" to disable the introduction.
+#
+# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
+# are present their contents will be read and used as the header and
+# footer of any generated mails.
+
+#INTRO=1
+
+# Controls the level of filtering: 
+# Can be Set to "workstation", "server" or "paranoid" for different
+# levels of filtering. Defaults to server if not set.
+
+REPORTLEVEL="server"
+
+# Controls the address mail goes to:
+# *NOTE* the script does not set a default value for this variable!
+# Should be set to an offsite "emailaddress@some.domain.tld"
+
+SENDMAILTO="logcheck"
+
+# Send the results as attachment or not.
+# 0=not as attachment; 1=as attachment
+# Default is 0
+
+MAILASATTACH=0
+
+# Should the hostname in the subject of generated mails be fully qualified?
+
+FQDN=1
+
+# Controls whether "sort -u" is used on log entries (which will
+# eliminate duplicates but destroy the original ordering); the
+# default is to use "sort -k 1,3 -s":
+# Alternatively, set to "1" to enable unique sorting
+
+#SORTUNIQ=0
+
+# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
+# exceptions to the rules in /etc/logcheck/cracking.d:
+# Alternatively, set to "1" to enable cracking.ignore support
+
+#SUPPORT_CRACKING_IGNORE=0
+
+# Controls the base directory for rules file location
+# This must be an absolute path
+
+#RULEDIR="/etc/logcheck"
+
+# Controls if syslog-summary is run over each section.
+# Alternatively, set to "1" to enable extra summary.
+
+#SYSLOGSUMMARY=0
+
+# Controls Subject: lines on logcheck reports:
+
+#ATTACKSUBJECT="Security Alerts"
+#SECURITYSUBJECT="Security Events"
+#EVENTSSUBJECT="System Events"
+
+# Controls [logcheck] prefix on Subject: lines
+
+#ADDTAG="no"
+
+# Set a different location for temporary files than /tmp
+# this is useful if your /tmp is small and you are getting
+# errors such as:
+# cp: writing `/tmp/logcheck.y12449/checked': No space left on device
+# /usr/sbin/logcheck: line 161: cannot create temp file for here document: No space left on device
+# mail: /tmp/mail.RsXXXXpc2eAx: No space left on device
+# Null message body; hope that's ok
+# 
+# If this is happening, likely you will want to change the following to be some other 
+# location, such as /var/tmp
+
+TMP="/tmp"
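Review bot: `SENDMAILTO="logcheck"` delivers reports to a local name, while the comment directly above it says the address should be offsite. Unless that name is forwarded elsewhere (not visible in this hunk), the reports stay on the host being monitored, where anyone who gains root on it can read or delete them. Either point the variable at a remote mailbox or record the assumption next to it, e.g. `# "logcheck" is a local alias; forward it off-host in the MTA's alias table`.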
diff --git a/etc/logcheck/logcheck.logfiles b/etc/logcheck/logcheck.logfiles
new file mode 100644 (file)
index 0000000..e5c5b3f
--- /dev/null
@@ -0,0 +1,4 @@
+# these files will be checked by logcheck
+# This has been tuned towards a default syslog install
+/var/log/syslog
+/var/log/auth.log
diff --git a/etc/logcheck/violations.d/kernel b/etc/logcheck/violations.d/kernel
new file mode 100644 (file)
index 0000000..3573977
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:alnum:]]+: media error \(bad sector\): status=0x[[:xdigit:]]+ { DriveReady SeekComplete Error }$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? end_request: I/O error, dev [[:alnum:]]+, sector [[:digit:]]+
diff --git a/etc/logcheck/violations.d/logcheck b/etc/logcheck/violations.d/logcheck
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/etc/logcheck/violations.d/smartd b/etc/logcheck/violations.d/smartd
new file mode 100644 (file)
index 0000000..ad8ef65
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, [[:digit:]]+ Currently unreadable \(pending\) sectors$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, [[:digit:]]+ Offline uncorrectable sectors$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, Temperature [[:digit:]]+ Celsius reached critical limit of [[:digit:]]+ Celsius \(Min/Max [[:digit:]]+!?/[[:digit:]]+!?\)$
diff --git a/etc/logcheck/violations.d/su b/etc/logcheck/violations.d/su
new file mode 100644 (file)
index 0000000..a8d5889
--- /dev/null
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+[-:]root$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root[-:][[:alnum:]]+$
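Review bot: The second rule, `su\[[0-9]+\]: .*$`, already matches everything the other three rules in this file match, so lines 1, 3 and 4 never change the outcome and only make the file look more selective than it is. All four also require a `[pid]` after `su`, whereas violations.d/sudo in this same commit adds a pid-less `sudo: .*$` rule. If su on the target system can log without a pid, those lines would not be raised as security events. Consider a single rule ending in `su(\[[0-9]+\])?: .*$`.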
diff --git a/etc/logcheck/violations.d/sudo b/etc/logcheck/violations.d/sudo
new file mode 100644 (file)
index 0000000..c0af733
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: pam_[[:alnum:]]+\(sudo:[[:alnum:]]+\): .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: .*$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-bind b/etc/logcheck/violations.ignore.d/logcheck-bind
new file mode 100644 (file)
index 0000000..5da1945
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone [._[:alnum:]-]+/IN: refresh: failure trying master [._[:alnum:]-]+#53: .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: unexpected RCODE \((REFUSED|SERVFAIL|15)\) resolving '[^[:space:]]+': [.[:digit:]]+#[0-9]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [[:digit:].]+#[[:digit:]]+: query (\(cache\) )?'.*' denied$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-bluez-utils b/etc/logcheck/violations.ignore.d/logcheck-bluez-utils
new file mode 100644 (file)
index 0000000..c9f2ffc
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dund\[[[:digit:]]+\]: Accept failed\. Interrupted system call\([[:digit:]]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dund\[[[:digit:]]+\]: Service record unregistration failed\.$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-courier b/etc/logcheck/violations.ignore.d/logcheck-courier
new file mode 100644 (file)
index 0000000..60f4255
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ((imap|pop3)(login|d-ssl)|couriertcpd): Unexpected SSL connection shutdown\.$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-cron-apt b/etc/logcheck/violations.ignore.d/logcheck-cron-apt
new file mode 100644 (file)
index 0000000..42d0c22
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron-apt: E: Some index files failed to download, they have been ignored, or old ones used instead\.$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-cyrus b/etc/logcheck/violations.ignore.d/logcheck-cyrus
new file mode 100644 (file)
index 0000000..2fa846a
--- /dev/null
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/imapd\[[0-9]+\]: SQUAT failed to open index file$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/imapd\[[0-9]+\]: SQUAT failed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/lmtpd\[[0-9]+\]: DBERROR db3: [12] lockers$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-dcc b/etc/logcheck/violations.ignore.d/logcheck-dcc
new file mode 100644 (file)
index 0000000..a6ccfc9
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dccifd\[[0-9]+\]: [.0-9]+ rejected messages to [0-9]+ targets and discarded messages to [0-9]+ targets among [0-9]+ total since [/0-9]{8} [:0-9]{8}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dccproc\[[0-9]+\]: continue not asking DCC [[:digit:]]+ seconds after failure$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-dovecot b/etc/logcheck/violations.ignore.d/logcheck-dovecot
new file mode 100644 (file)
index 0000000..d286734
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot-auth: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot-auth: pam_unix\(dovecot:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-hylafax b/etc/logcheck/violations.ignore.d/logcheck-hylafax
new file mode 100644 (file)
index 0000000..a04274c
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: NOTIFY: bin/notify \"doneq/q[[:digit:]]+\" \"failed\" \"[:0-9]{4,5}\"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ FaxQueuer\[[0-9]+\]: JOB [0-9]+ \(failed dest \+[[:digit:]]+ pri [0-9]+ tts [:0-9]{4,5} killtime [:0-9]{7,8}\): (DEAD|DELETE|SEND DONE: [:0-9]{4,5})$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-innd b/etc/logcheck/violations.ignore.d/logcheck-innd
new file mode 100644 (file)
index 0000000..4dc7ef7
--- /dev/null
@@ -0,0 +1,10 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: [-[:alnum:].]+:[0-9]+ (closed|checkpoint) seconds [0-9]+ accepted [0-9]+ refused [0-9]+ rejected [0-9]+ duplicate [0-9]+ accepted size [0-9]+ duplicate size [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innd: rejecting\[perl\] <[[:alnum:][:punct:]]+@[.[:alnum:]-]+> [0-9]+ [[:alnum:] ]+( \([._[:alnum:]-]+\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rnews: rejected [0-9]+ Unwanted (newsgroup|distribution) "[._,[:alnum:]-]+"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rnews: rejected [0-9]+ Too old -- "\w{3}, [0-9 ]+ \w{3} [0-9]{4} [0-9:]{8} (\+|-)[0-9]{4}"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rnews: rejected [0-9]+ Too old -- "[0-9]+ \w{3} [0-9]{4} [0-9:]{8} ([[:upper:]]+|(\+|-)[0-9]{4})"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rnews: rejected [0-9]+ No colon-space in "("|x-no-archive:yes)" header$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rnews: offered <[^[:space:]]+> [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: [^[:space:]]+ posts received [0-9]+ rejected [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nnrpd\[[0-9]+\]: \? reverse lookup for [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} failed: Unknown host -- using IP address for access$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ innfeed\[[0-9]+\]: [._[:alnum:]-]+(:[0-9]+)? (final|global|checkpoint) seconds [0-9]+ offered [0-9]+ accepted [0-9]+ refused [0-9]+ rejected [0-9]+ (missing [0-9]+ )?accsize [0-9]+ rejsize [0-9]+( spooled [0-9]+ (on_close [0-9]+ )?unspooled [0-9]+)?( deferred [0-9]+/[0-9.]+ requeued [0-9]+ queue [0-9.]+/[0-9\:\,]+)?$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-kernel b/etc/logcheck/violations.ignore.d/logcheck-kernel
new file mode 100644 (file)
index 0000000..fdff020
--- /dev/null
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? usbmon: debugfs is not available$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:alnum:][:space:]]+: probe of [:.[:xdigit:]]+ failed with error [-[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? \[drm:mga_do_agp_dma_bootstrap\] \*ERROR\* Unable to acquire AGP: [-[:digit:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:lower:]]+: test WP failed, assume Write Enabled$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-login b/etc/logcheck/violations.ignore.d/logcheck-login
new file mode 100644 (file)
index 0000000..f644c91
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ login\[[0-9]+\]: ROOT LOGIN  on 'tty[0-9]'$
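Review bot: This rule removes `ROOT LOGIN  on 'tty[0-9]'` from the security-events report, so direct root logins on tty0–tty9 are no longer surfaced at that level on any host that installs these defaults. That is reasonable only where console access is physically controlled; on virtualised or remotely managed machines the console is reachable through the hypervisor or management controller. I would document the assumption with a comment above the rule, such as `# console root logins are treated as routine; remove this rule where console access is remote`, assuming logcheck skips `#` lines in rule files.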
diff --git a/etc/logcheck/violations.ignore.d/logcheck-mon b/etc/logcheck/violations.ignore.d/logcheck-mon
new file mode 100644 (file)
index 0000000..2136310
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mon\[[0-9]+\]: client command "list failures"$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-nagios b/etc/logcheck/violations.ignore.d/logcheck-nagios
new file mode 100644 (file)
index 0000000..0f3b464
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nagios(2|3)?: SERVICE NOTIFICATION: [._[:alnum:]-]+;[._[:alnum:]-]+;[^;]+;CRITICAL;.*$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-openvpn b/etc/logcheck/violations.ignore.d/logcheck-openvpn
new file mode 100644 (file)
index 0000000..8dee81b
--- /dev/null
@@ -0,0 +1,6 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS Error: TLS key negotiation failed to occur within [[:digit:]]+ seconds( \(check your network connectivity\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS Error: TLS handshake failed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? WARNING: Bad encapsulated packet length from peer \([[:digit:]]+\), which must be > 0 and <= 1544 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- \[Attempt?ing restart\.\.\.\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: read UDPv4 \[ECONNREFUSED\]: Connection refused \(code=111\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: read UDPv4 \[ECONNREFUSED\|ECONNREFUSED\]: Connection refused \(code=111\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: read UDPv4 \[ECONNREFUSED\|ECONNREFUSED\|ECONNREFUSED\]: Connection refused \(code=111\)$
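Review bot: The third rule silences a warning whose own text says the condition "could also indicate a possible active attack on the TCP link", and nothing in the file records why it is safe to drop. A comment above it, e.g. `# usually an MTU mismatch between peers; review if it starts appearing on a link that was previously clean`, would keep that decision visible (assuming logcheck skips `#` lines in rule files). Separately, the three `read UDPv4` rules differ only in how many times `ECONNREFUSED` repeats and could be one rule using `\[ECONNREFUSED(\|ECONNREFUSED)*\]`.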
diff --git a/etc/logcheck/violations.ignore.d/logcheck-passwd b/etc/logcheck/violations.ignore.d/logcheck-passwd
new file mode 100644 (file)
index 0000000..087ea62
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ passwd\[[[:digit:]]+\]: \(pam_unix\) authentication failure; logname=[-._[:alnum:]]+ uid=[[:digit:]]+ euid=0 tty= ruser= rhost= [[:space:]]*user=[-._[:alnum:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ passwd\[[[:digit:]]+\]: pam_unix\(passwd:[[:alnum:]]+\): authentication failure; logname=[-._[:alnum:]]+ uid=[[:digit:]]+ euid=0 tty= ruser= rhost= [[:space:]]*user=[-._[:alnum:]]+$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-pdns b/etc/logcheck/violations.ignore.d/logcheck-pdns
new file mode 100644 (file)
index 0000000..5a6257c
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdns\[[[:digit:]]+\]: AXFR of domain '[-_.[:alnum:]]+' denied to [.[:digit:]]{7,15}$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-postfix b/etc/logcheck/violations.ignore.d/logcheck-postfix
new file mode 100644 (file)
index 0000000..72ac63d
--- /dev/null
@@ -0,0 +1,56 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: from=<.*>, status=expired, returned to sender$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [.[:digit:]]+: hostname [^[:space:]]+ verification failed: (Host not found|Host name has no address|Name or service not known|Temporary failure in name resolution)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:alnum:]]+: reject: (CONNECT|RCPT) from [^[:space:]]+: [45][0-9][0-9]( [0-9]\.[0-9]\.[0-9])? Client host rejected: cannot find your hostname, [^[:space:]]+; (from=[^[:space:]]+ to=[^[:space:]]+ )?proto=E?SMTP( helo=[^[:space:]]+)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:upper:]0-9]+: reject: (MAIL|RCPT) from [^[:space:]]+: [45][0-9][0-9]( [45](\.[[:digit:]]){2})? <[^[:space:]]+>: (Sender|Recipient) address rejected: .+; from=<[^[:space:]]*>( to=<[^[:space:]]+>)? proto=E?SMTP helo=<[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:upper:]0-9]+: reject: RCPT from [^[:space:]]+: [45][0-9][0-9]( [45](\.[[:digit:]]){2})? <[^[:space:]]+>: Helo command rejected: .+; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=E?SMTP helo=<[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:upper:]0-9]+: reject: RCPT from [^[:space:]]+: [0-9]{3}( [45](\.[[:digit:]]){2})? <[^[:space:]]+>: Relay access denied; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=E?SMTP helo=<[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:upper:]0-9]+: reject: RCPT from [^[:space:]]+: [45][0-9][0-9]( [45](\.[[:digit:]]){2})? Service unavailable; Sender address \[[^[:space:]]+\] blocked using [._[:alnum:]-]+;( .*;)? from=<[^[:space:]]*> to=<[^[:space:]]+> proto=E?SMTP helo=<[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:upper:]0-9]+: reject: (CONNECT|RCPT) from [^[:space:]]+: [45][0-9][0-9]( [45](\.[[:digit:]]){2})? Service unavailable; Client host \[([0-9.]{7,15}|[-._[:alnum:]]+)\] blocked using [._[:alnum:]-]+;( .+;)? (from=<[^[:space:]]*> to=<[^[:space:]]+> )?proto=E?SMTP( helo=<[^[:space:]]+>)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:upper:]0-9]+: reject: RCPT from [^[:space:]]+\[[0-9.]{7,15}\]: [45][0-9][0-9] <.+>: User unknown in local recipient table; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=E?SMTP helo=<[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:upper:]0-9]+: reject: [[:upper:]]+ from [^[:space:]]+\[[0-9.]{7,15}\]: 503 5\.5\.0 <[[:upper:]]+>: [[:alnum:]]+ command rejected: Improper use of SMTP command pipelining; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=E?SMTP helo=<[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: [[:upper:]]+ from [^[:space:]]+\[[0-9.]{7,15}\]: 503 5\.5\.0 <[^[:space:]]+>: Client host rejected: Improper use of SMTP command pipelining; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=E?SMTP helo=<[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: (NOQUEUE|[[:xdigit:]]+): reject: (HE|EH)LO from [^[:space:]]+\[[0-9.]{7,15}\]: [45][0-9]{2}( [45](\.[0-9]){2})? <[^[:space:]]+>: Helo command rejected: .+; proto=E?SMTP helo=<[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning:( smtpd_peer_init:)? [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+: hostname [^[:space:]]+ verification failed: (Temporary failure in name resolution|Name or service not known|No address associated with hostname)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: Peer verification: CommonName in certificate does not match: [._*[:alnum:]-]+ != [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:upper:]0-9]+: host [^[:space:]]+ said: [45][0-9][0-9][- ]+.* \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|(end of )?DATA) command\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:upper:]0-9]+: to=<[^[:space:]]+>(, orig_to=<[^[:space:]]+>)?, relay=[._[:alnum:]-]+\[[0-9.]{7,15}\](:[[:digit:]]{1,5})?,( conn_use=[0-9]+,)? delay=[.0-9]+(, delays=([.0-9]+/){3}[.0-9]+)?(, dsn=[45](\.[0-9]+){2})?, status=(deferred|bounced|undeliverable|SOFTBOUNCE) \(host [._[:alnum:]-]+\[[0-9.]{7,15}\] said: [45][0-9][0-9][- ]+.* \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|DATA|end of DATA) command\)\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:upper:]0-9]+: to=<[^[:space:]]+>, relay=[._[:alnum:]-]+\[[0-9.]{7,15}\](:[[:digit:]]{1,5})?, delay=[.0-9]+(, delays=([.0-9]+/){3}[.0-9]+)?(, dsn=2(\.[0-9]+){2})?, status=deliverable \(2[0-9][0-9] .*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [A-Z0-9]+: to=<[^[:space:]]+>, relay=[^[:space:]]+, delay=[0-9]+, status=deferred \(host [^[:space:]]+ refused to talk to me: [^[:space:]]+ 554 Access denied\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [A-Z0-9]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,) relay=[^[:space:]]+, delay=[0-9]+, status=deferred \(host [^[:space:]]+ said: [45][0-9]{2} <[^[:space:]]+>: Recipient address rejected: Greylisted for [0-9]+ (seconds|minutes)( \(see http://isg.ee.ethz.ch/tools/postgrey/help/[.[:alnum:]-]+.html\))? \(in reply to (HELO|EHLO|MAIL FROM|RCPT TO|DATA|end of DATA) command\)\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Read failed in network_biopair_interop with errno=[0-9]+: num_read=[-0-9]+, want_read=[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: handler sender_permitted_from: DUNNO$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: : SPF none: smtp_comment=SPF: domain of sender [^[:space:]]+ does not designate mailers, header_comment=[.[:lower:]]+: domain of [^[:space:]]+ does not designate permitted sender hosts$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: certificate verification failed for [^[:space:]]+: (num=10:)?certificate has expired$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: certificate verification failed for [^[:space:]]+: (num=18:)?self[- ]signed certificate$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: certificate verification failed for [^[:space:]]+: (num=19:)?self[- ]signed certificate in certificate chain$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: certificate verification failed for [^[:space:]]+: (num=20:)?unable to get local issuer certificate$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: certificate verification failed for [^[:space:]]+: (num=21:)?unable to verify the first certificate$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: certificate verification failed for [^[:space:]]+: (num=24:)?invalid CA certificate$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: certificate verification failed for [^[:space:]]+: (num=26:)?unsupported certificate purpose$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: certificate verification failed for [^[:space:]]+: (num=27:)?certificate not trusted$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: certificate verification failed for [^[:space:]]+: untrusted issuer [-@._/=[:space:][:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: certificate peer name verification failed for [^[:space:]]+: [[:digit:]]+ dNSNames in certificate found, but none matches
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: certificate peer name verification failed for [^[:space:]]+: CommonName mis-match:( [._[:alnum:]-]+)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:upper:]0-9]+: reject: RCPT from [^[:space:]]+: [45][0-9][0-9]( [45](\.[[:digit:]]){2})? <[^[:space:]]+>: Client host rejected: Greylisted( for [0-9]+ (seconds|minutes))?,?( \(?see http://isg\.ee\.ethz\.ch/tools/postgrey/help/[.[:alnum:]-]+\.html\)?;)? from=<[^[:space:]]*> to=<[^[:space:]]+> proto=E?SMTP helo=<[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [[:alnum:]]+: from=<[^[:space:]]*>, size=[0-9]+, nrcpt=[0-9]+ \(queue active\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/local\[[0-9]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)* relay=local, delay=[0-9]+, status=sent \(delivered to command: /var/lib/mailman/mail/mailman admin [._[:alnum:]-]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: [[:upper:]]+ from [^[:space:]]+: 554( [0-9]\.[0-9]\.[0-9])? <[^[:space:]]+>: Client host rejected: Access denied;( from=<[^[:space:]]*> to=<[^[:space:]]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: [[:upper:]]+ from [^[:space:]]+: 554( 5\.7\.1)? <[^[:space:]]+>: Relay access denied;( from=<[^[:space:]]*> to=<[^[:space:]]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: (NOQUEUE|[[:xdigit:]]+): reject: [[:upper:]]+ from [^[:space:]]+: 550( 5\.1\.[01])? <[^[:space:]]+>: (Sender|Recipient) address rejected: User unknown in ((local|relay) recipient|virtual alias) table;( from=<[^[:space:]]*> to=<[^[:space:]]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=[^[:space:]]+,( conn_use=[[:digit:]]+,)? delay=[.0-9]+,( delays=[.0-9/]+, dsn=[0-9.]+,)? status=sent \(250 [0-9.]+ Ok((, id=[-0-9]+, from MTA(\([^[:space:]]+\))?: 250 ([0-9.]+ )?Ok)?: queued as [0-9A-F]+|, discarded, UBE, id=[-0-9]+)*|, DSN muted \([45][0-9][0-9] [45](\.[0-9]){2} .+\)\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)* relay=[^[:space:]]+,( conn_use=[[:digit:]]+,)? delay=[.0-9]+,( delays=[.0-9/]+, dsn=[0-9.]+,)? status=sent \(250 Ok: queued as [0-9A-F]+\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: [-._[:alnum:]]+\[[.[:digit:]]+\]: SASL (LOGIN|PLAIN|(DIGEST|CRAM)-MD5|APOP) authentication failed(:[ [:alnum:]]*)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: SASL authentication failure: .+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/local\[[[:digit:]]+\]: warning: maildir access problem for UID/GID=[[:digit:]]+/[[:digit:]]+: create [/.[:alnum:]]+: Permission denied$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/local\[[0-9]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=local, delay=[0-9.]+(, delays=([.0-9]+/){3}[.0-9]+)?(, dsn=[45](\.[0-9]+){2})?, status=(deferred|bounced) \(.+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:upper:]0-9]+: reject: header [^[:space:]]+:.+ from=<[^[:space:]]*>( to=<[^[:space:]]+>)? proto=E?SMTP helo=<[^[:space:]]+>: .+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: (resent-|)message-id=<?[^>]+>?( \(added by [^[:space:]]+\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/pickup\[[0-9]+\]: [[:alnum:]]+: uid=[[:digit:]]+ from=<[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:xdigit:]]+: milter-reject: END-OF-MESSAGE from [-._[:alnum:]]+\[[.[:digit:]]+\]: [45]\.7\.1 virus [-._/[:alnum:]]+ detected by ClamAV - http://www\.clamav\.net; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=E?SMTP helo=<[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: milter-reject: MAIL from [-._[:alnum:]]+\[[.[:digit:]]+\]: 451 4\.(7\.1 Service unavailable|3\.2 AV system temporarily overloaded) - (please )?try (again )?later; proto=E?SMTP helo=<[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: milter-reject: RCPT from [-._[:alnum:]]+\[[.[:digit:]]+\]: 554 5\.7\.1 Suspicious recipient address blocked; from=<[^[:space:]]*> proto=E?SMTP helo=<[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: reject: ETRN [._[:alnum:]-]+\.\.\. from [._[:alnum:]-]+\[[0-9.]{7,15}\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Unable to look up MX host [._[:alnum:]-]+ for Sender address [^[:space:]]+: Temporary failure in name resolution$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: (dis)?connect from [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:alnum:]]+: client=[._[:alnum:]-]+\[[0-9a-f.:]{3,39}\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: milter-discard: END-OF-MESSAGE from [-._[:alnum:]]+\[[.[:digit:]]+\]: milter triggers DISCARD action; from=<[^[:space:]]*> to=<[^[:space:]]*> proto=E?SMTP helo=<[^[:space:]]+>$
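Review bot: In the `postfix/[ls]mtp` rule that ends in `DSN muted` (line 40 of this file), the `|` before `, DSN muted` sits outside every group, so the expression is two independent alternatives: one that starts at `^` but has no closing `\)$`, and one that is only `, DSN muted \(...\)\)$` with no `^`, host or program prefix. In an ignore file that makes the rule wider than intended, because any line ending in that text is dropped whatever logged it. Wrapping the tail in one group, `Ok((...)*|, DSN muted \(...\))\)$` with `...` standing for the existing sub-patterns, makes both anchors apply to every branch. Two smaller points in the same file: the `dNSNames in certificate found, but none matches` rule has no `$`, and the first Greylisted `postfix/smtp` rule has its `orig_to` group without the `?` that the neighbouring rules use.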
diff --git a/etc/logcheck/violations.ignore.d/logcheck-proftpd b/etc/logcheck/violations.ignore.d/logcheck-proftpd
new file mode 100644 (file)
index 0000000..93e9837
--- /dev/null
@@ -0,0 +1,6 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+  user=[-_.[:alnum:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd: pam_unix\(proftpd:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+  user=[-_.[:alnum:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) PAM\([-_.[:alnum:]]+\): Authentication failure\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) Connection from [._[:alnum:]-]+ \[[.:[:xdigit:]]+\] denied\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) USER [-._[:alnum:]]+ \(Login failed\): (Limit access denies login|Incorrect password\.)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) SECURITY VIOLATION: root login attempted\.$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-pureftp b/etc/logcheck/violations.ignore.d/logcheck-pureftp
new file mode 100644 (file)
index 0000000..3e4adec
--- /dev/null
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[ERROR\] Can't open .+: No such file or directory$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[ERROR\] Can't remove directory: No such file or directory$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \(\?@[._[:alnum:]-]+\) \[DEBUG\] This is a private system - No anonymous login$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] .+ (up|down)loaded  \([0-9]+ bytes, [0-9]+.[0-9]+KB/sec\)$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-samba b/etc/logcheck/violations.ignore.d/logcheck-samba
new file mode 100644 (file)
index 0000000..3f4633f
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ nmbd\[[[:digit:]]+\]:[[:space:]]+Got SIGHUP dumping debug info\.$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-sasl2-bin b/etc/logcheck/violations.ignore.d/logcheck-sasl2-bin
new file mode 100644 (file)
index 0000000..24596fe
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ saslpasswd2: setpass failed for [-._[:alnum:]]+: user not found$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-saslauthd b/etc/logcheck/violations.ignore.d/logcheck-saslauthd
new file mode 100644 (file)
index 0000000..c8f8e47
--- /dev/null
@@ -0,0 +1,5 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= [[:space:]]*user=[-._[:alnum:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd: pam_unix\([[:alnum:]]+:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+  user=[-_.[:alnum:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: do_auth[[:space:]]*: auth failure: \[user=[._[:alnum:]-]+\] \[service=smtp\] \[realm=[._[:alnum:]-]+\] \[mech=pam\] \[reason=PAM auth error\]$
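Review bot: Every rule in this hunk removes an individual authentication failure from the Security Events section, and nothing in the file records what replaces that signal. The same applies to the sshd failure rules in logcheck-ssh and the pam_winbind rule in logcheck-winbind further down this diff. Repeated failed SMTP AUTH attempts would then raise no per-line security event, so I would add a header comment such as `# Per-attempt auth failures are ignored here; brute-force detection must come from rate limiting or aggregate counts.` Whether these lines still surface under System Events depends on the ignore.d.* rules for the active report level, which this hunk does not show.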
diff --git a/etc/logcheck/violations.ignore.d/logcheck-sendmail_tmp b/etc/logcheck/violations.ignore.d/logcheck-sendmail_tmp
new file mode 100644 (file)
index 0000000..62de437
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: ruleset=check_relay, arg1=[._[:alnum:]-]+, arg2=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}, relay=[._[:alnum:]-]+ \[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\], reject=[0-9]+ [0-9]\.[0-9]\.[0-9] [0-9]+Blocked by [._[:alnum:]:/-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_mail, arg1=<.*>, relay=([._[:alnum:]@-]+ )?\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]( \(may be forged\))?, reject=[0-9]+ [0-9]\.[0-9]\.[0-9] <.*>\.\.\. +[0-9]+Blocked by [._[:alnum:]:/-]+$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-smartd b/etc/logcheck/violations.ignore.d/logcheck-smartd
new file mode 100644 (file)
index 0000000..1eb176e
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/[^[:space:]]+( \[(3ware|cciss)_disk_[[:digit:]]+\])?, SMART Prefailure Attribute: [[:digit:]]+ [_[:alnum:]]+ changed from [[:digit:]]+ to [[:digit:]]+$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-spamd b/etc/logcheck/violations.ignore.d/logcheck-spamd
new file mode 100644 (file)
index 0000000..f52759a
--- /dev/null
@@ -0,0 +1,8 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]: Cannot open bayes databases /home/[_[:alnum:]-]+/.spamassassin/bayes_\* R/W: lock failed: File exists$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]: failed sanity check, [0-9]+ bytes claimed, [0-9-]+ bytes seen$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]:( spamd:)? (process|check)ing message <[^>]+>( aka <[^>]+>)? for [-._+=[:alnum:]]+(@[-.[:alnum:]]+:[[:digit:]]+|:[[:digit:]]+)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]: (spamd: )?result: [.YN] [ [:digit:]-]+ - ([._[:alnum:],]+ )?scantime=[0-9.]+,size=[0-9]+,(user=[^,]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[._[:alnum:]-]+,raddr=[0-9.]+,rport=[0-9]+,)?mid=(<[^[:space:]]+>|\(unknown\))(rmid=(<[^[:space:]]+>|\(unknown\)),)?,(bayes=[.[:digit:]]+(e-[[:digit:]]+)?,)?autolearn=(ham|spam|no|disabled|unavailable) *$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ admin\[[0-9]+\]: \[ [[:digit:]]+\]  Razor-Agents v[.[:digit:]]+ starting razor-admin --(create|register)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[0-9]+\]: reporter: SpamCop report to [-._[:alnum:]]+ failed: Net::SMTP error$
+#temp razor rule:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ re(voke|port)\[[0-9]+\]: reporter: razor2 re(voke|port) failed: No such file or directory re(voke|port) requires authentication at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2\.pm line [[:digit:]]+\. at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2\.pm line [[:digit:]]+\.
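Review bot: The razor rule on the last line has no trailing `$`, unlike the other rules in this file, so any text following the second `line N.` is ignored as well; the usb-uhci rule in logcheck-usb is left open-ended in the same way. Adding `$` after checking a real log sample keeps the match exact. In the first rule `/.spamassassin/` leaves the dot unescaped, where `/\.spamassassin/` is the literal form. The `#temp razor rule:` comment would be more useful if it said when the rule can be removed.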
diff --git a/etc/logcheck/violations.ignore.d/logcheck-squid b/etc/logcheck/violations.ignore.d/logcheck-squid
new file mode 100644 (file)
index 0000000..c9a0c91
--- /dev/null
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: sslReadServer: FD [[:digit:]]+: read failure: \([[:digit:]]+\) Connection reset by peer$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Preparing for shutdown after [0-9]+ requests$
diff --git a/etc/logcheck/violations.ignore.d/logcheck-ssh b/etc/logcheck/violations.ignore.d/logcheck-ssh
new file mode 100644 (file)
index 0000000..56e5ed0
--- /dev/null
@@ -0,0 +1,13 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts\.(allow|deny), line [0-9]+: can't verify hostname: getaddrinfo\([._[:alnum:]-]+, AF_INET\) failed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts\.(allow|deny), line [0-9]+: host name/(name|address) mismatch: [._[:alnum:]-]+ != [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ (\[[:.[:xdigit:]]+\] )?failed - POSSIBLE BREAK-?IN ATTEMPT!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAK-?IN ATTEMPT!$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Write failed: Broken pipe$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Write failed: Connection (timed out|reset by peer)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: User not known to the underlying authentication module for i(llegal|nvalid) user [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: Authentication failure for [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: I(llegal|nvalid) user [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed (keyboard-interactive/pam|password|none) for (i(llegal|nvalid) user )?[^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+) port [[:digit:]]{1,5} ssh2?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd: pam_unix\(ssh:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+  user=[-_.[:alnum:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: recv_rexec_state: ssh_msg_recv failed$
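Review bot: The `I(llegal|nvalid) user` rule accepts only `([:.[:xdigit:]]+|UNKNOWN)` after `from`, while the three neighbouring failure rules also accept a host name through `[-_.[:alnum:]]+`. If sshd logs a resolved name, that one line is reported while its siblings are ignored; this fails safe but makes reports inconsistent, so use `from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+)$` there if the host-name form is meant to be covered. Separately, `[^[:space:]]+` in the `Failed (keyboard-interactive/pam|password|none) for` rule also matches `root`, so failed root logins are silenced together with ordinary accounts. A `#` comment saying that this is intended would help whoever tunes the file later.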
diff --git a/etc/logcheck/violations.ignore.d/logcheck-su b/etc/logcheck/violations.ignore.d/logcheck-su
new file mode 100644 (file)
index 0000000..f28373d
--- /dev/null
@@ -0,0 +1,8 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) (pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): session closed for user [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:[_[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: Successful su for [[:alnum:]-]+ by [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_authenticate: Authentication failure$
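Review bot: The first rule's `(\+|-)` ignores failed su attempts as well as successful ones, assuming `-` is su's marker for a failed attempt as in the shadow suite, and the last rule ignores `pam_authenticate: Authentication failure`. Together they remove failed attempts to become another user, root included, from Security Events. I would narrow the first rule to `\+` and either drop the last rule or put a `#` comment above it explaining why failures are not wanted in the report.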
diff --git a/etc/logcheck/violations.ignore.d/logcheck-sudo b/etc/logcheck/violations.ignore.d/logcheck-sudo
new file mode 100644 (file)
index 0000000..1b9413a
--- /dev/null
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ).*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session closed for user [[:alnum:]-]+$
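Review bot: The first rule ignores every sudo command line whose command starts with `/usr/`, `/etc/`, `/bin/`, `/sbin/` or `sudoedit `, for any invoking user and any `USER=` target, and the second ignores any `(command continued)` text. With these in place the report no longer shows who ran what as root, so the auth log itself or a central copy has to serve as the audit trail. Denied sudo attempts do not appear to match, because the rule requires `TTY=` directly after the user name, but that should be confirmed against real log samples. A header comment such as `# Successful sudo commands are not reported; keep auth logs for audit.` would record the decision.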
diff --git a/etc/logcheck/violations.ignore.d/logcheck-usb b/etc/logcheck/violations.ignore.d/logcheck-usb
new file mode 100644 (file)
index 0000000..fcd5310
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: usb-uhci: interrupt, status [0-9], frame # [0-9]+
diff --git a/etc/logcheck/violations.ignore.d/logcheck-winbind b/etc/logcheck/violations.ignore.d/logcheck-winbind
new file mode 100644 (file)
index 0000000..c6f0a39
--- /dev/null
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pam_winbind\[[0-9]+\]: request failed: No such user, PAM error was [0-9]+, NT error was [_[:alpha:]]+$