diff --git a/logcheck_debian b/logcheck_debian
index e9d5582..97dea11 100644
--- a/logcheck_debian
+++ b/logcheck_debian
@@ -187,7 +187,9 @@
 #Apr 2 18:36:37 nada milter-greylist: DKIM failed: Key retrieval failed
 #Apr 2 18:36:58 nada milter-greylist: DKIM failed: Invalid parameter
 #Apr 2 20:02:18 nada milter-greylist: DKIM failed: No key
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ milter-greylist: DKIM failed: (No signature|Unable to verify|Key retrieval failed|Invalid parameter|No key)
+#Apr 11 17:47:56 nada milter-greylist: DKIM failed: Syntax error
+#Apr 11 23:02:34 nada milter-greylist: DKIM failed: Bad signature
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ milter-greylist: DKIM failed: (No signature|Unable to verify|Key retrieval failed|Invalid parameter|No key|Syntax error|Bad signature)
 #
 # MONIT
@@ -251,7 +253,8 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: managed-keys-zone( ./IN)?: No DNSKEY RRSIGs found for '.': success
 #Apr 2 22:49:14 nada named[5002]: managed-keys-zone ./IN: Unable to fetch DNSKEY set 'dlv.isc.org': SERVFAIL
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: managed-keys-zone ./IN: Unable to fetch DNSKEY set '[.[:alnum:]]+': SERVFAIL
+#Apr 13 16:22:06 nada named[296]: managed-keys-zone: Unable to fetch DNSKEY set 'dlv.isc.org': SERVFAIL
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: managed-keys-zone( ./IN)?: Unable to fetch DNSKEY set '[.[:alnum:]]+': SERVFAIL
 #Mar 26 21:45:26 nada named[5002]: validating @0xb82ba940: . NS: got insecure response; parent indicates it should be secure
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: validating [@[:alnum:]]+: . NS: got insecure response; parent indicates it should be secure
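Review bot: Adding `Bad signature` to the DKIM ignore alternation silences the one outcome in that list where a signature was present and did not verify, which is the indicator for altered or spoofed mail, whereas the other six alternatives are key-retrieval or parsing problems. If the goal is only to cut repeated noise, consider leaving `Bad signature` out of the alternation, or placing a comment above the rule such as `# Bad signature is deliberately ignored here; revisit if DKIM verification failures should be reported` so the decision is visible to the next editor. The hunk shows a single sample of each new message, so their actual volume cannot be judged from here.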
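Review bot: The rewritten managed-keys rule keeps `'[.[:alnum:]]+'` for the DNSKEY set name, so together with the now-optional `( ./IN)?` it suppresses `Unable to fetch DNSKEY set ... SERVFAIL` for every configured trust anchor, not only the `dlv.isc.org` case shown in both samples; a persistent SERVFAIL for another anchor is a DNSSEC validation problem that should stay in the report. Restricting the name to the observed value, `'dlv\.isc\.org'`, keeps other anchors visible. The `.` in `( ./IN)?` is also unescaped and matches any character; `( \./IN)?` is the literal form. If the dlv.isc.org managed key is no longer needed in named's configuration, removing it there would make this ignore rule unnecessary.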
@@ -281,6 +284,8 @@
 #Apr 11 06:48:06 nada rndc[15568]: server reload successful
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rndc\[[[:digit:]]+\]: server reload successful
+#Apr 13 00:24:51 marconi named[7781]: DNS format error from 8.8.8.8#53 resolving slashdot.org/DS: Name . (SOA) not subdomain of zone org -- invalid response
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: DNS format error from [\#.[:digit:]]+ resolving [-_.[:alnum:]]+/DS: Name . \(SOA\) not subdomain of zone org -- invalid response
 #
 # SASLAUTHD
@@ -375,7 +380,8 @@
 #Apr 14 11:05:05 nada sm-mta[15662]: u3E955KV015662: li1068-122.members.linode.com [106.184.3.122]: probable open proxy: command=GET http://www.ipip.net/ HTTP/1.1\r\n
 #Apr 20 15:10:44 nada sm-mta[5182]: u3KDAiZT005182: li1068-122.members.linode.com [106.184.3.122]: probable open proxy: command=GET / HTTP/1.1\r\n
 #Mar 20 04:00:44 nada sm-mta[21983]: v2K30iPx021983: [180.163.2.117]: probable open proxy: command=GET / HTTP/1.1\r\n
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: ([-.[:alnum:]]+ )?\[[.[:digit:]]+\]: probable open proxy: command=GET (http://www.ipip.net)?/ HTTP/1.1\\r\\n
+#Apr 12 15:05:34 nada sm-mta[20644]: v3CD5WoV020644: [60.191.40.195]: probable open proxy: command=GET / HTTP/1.0\r\n
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: ([-.[:alnum:]]+ )?\[[.[:digit:]]+\]: probable open proxy: command=GET (http://www.ipip.net)?/ HTTP/1.(0|1)\\r\\n
 #Oct 24 06:04:11 nada sm-mta[7813]: STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
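Review bot: In the new `DNS format error` rule the resolved name is generalised to `[-_.[:alnum:]]+` while `zone org` stays literal, so the rule matches DS lookups for any name but only when the zone is org; either keep both literal (`slashdot\.org/DS` and `zone org`) or generalise both, otherwise the intended scope is unclear to the next editor. The `.` in `Name . \(SOA\)` is unescaped while the parentheses on the same line are escaped; `Name \. \(SOA\)` matches the literal root name shown in the sample. The server field `[\#.[:digit:]]+` only fits an IPv4 `address#port` such as the 8.8.8.8 sample and will not match an IPv6 upstream, which may be fine for this host but is worth knowing.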
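Review bot: The rewritten sm-mta rule leaves the dot in `HTTP/1.(0|1)` unescaped, so it matches any character there; the rest of the line escapes its metacharacters, so `HTTP/1\.(0|1)` is the consistent form, and the same applies to the dots in `(http://www.ipip.net)?`. These `probable open proxy` lines are sendmail's record of remote hosts sending HTTP requests to the MTA, and the rule suppresses them for any source address via `\[[.[:digit:]]+\]`; if dropping all of them from the report is intended, a comment above the rule such as `# open-proxy probes are ignored: informational only, no action taken` would document the trade-off.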
@@ -450,12 +456,14 @@
 #Apr 2 20:37:14 nada spamd[12078]: dns: reply to 52792/IN/TXT/freemediainternet.com truncated (EDNS 4096 bytes), 2 answer records
 #Apr 2 21:13:53 nada spamd[12078]: dns: reply to 28509/IN/TXT/bronto.com truncated (EDNS 4096 bytes), 13 answer records
 #Apr 11 00:55:11 nada spamd[13608]: dns: reply to 34774/IN/A/relayhi2.mysmtp.com truncated (EDNS 4096 bytes), 120 answer records
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: dns: reply to [[:digit:]]+\/IN\/(A|TXT)\/[.[:alnum:]]+ truncated \(EDNS 4096 bytes\), [[:digit:]]+ answer records
+#Apr 16 16:46:57 nada spamd[17910]: dns: reply to 27982/IN/TXT/micro-campus.com truncated (EDNS 4096 bytes), 1 answer records
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: dns: reply to [[:digit:]]+\/IN\/(A|TXT)\/[-_.[:alnum:]]+ truncated \(EDNS 4096 bytes\), [[:digit:]]+ answer records
 #Apr 2 19:45:30 nada spamd[12078]: spamd: result: Y 17 - BAYES_50,DATE_IN_PAST_96_XX,HTML_MESSAGE,MIMEOLE_DIRECT_TO_MX,MISSING_MID,PYZOR_CHECK,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_SBL_CSS,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_NONE,URIBL_BLACK scantime=1.8,size=1914,user=spamass-milter,uid=111,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=33068,mid=(unknown),bayes=0.499958,autolearn=no autolearn_force=no
 #Apr 2 19:49:28 nada spamd[12078]: spamd: result: Y 11 - BAYES_50,DATE_IN_FUTURE_24_48,MISSING_MID,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_BRBL_LASTEXT,SPF_HELO_SOFTFAIL,URIBL_DBL_SPAM,URIBL_SBL_A scantime=2.5,size=3208,user=spamass-milter,uid=111,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=39030,mid=(unknown),bayes=0.508483,autolearn=no autolearn_force=no
 #Apr 9 22:13:12 nada spamd[15599]: spamd: result: . 
4 - BAYES_50,DATE_IN_FUTURE_96_Q,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,MISSING_MID,RP_MATCHES_RCVD,SPF_PASS scantime=2.6,size=11507,user=spamass-milter,uid=111,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45326,mid=(unknown),bayes=0.485144,autolearn=no autolearn_force=no
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: (.|Y) [[:digit:]]+
+#Apr 14 13:41:44 nada spamd[3869]: spamd: result: . -2 - BAYES_00,DATE_IN_FUTURE_48_96,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FROM_EXCESS_BASE64,HTML_MESSAGE,MIME_HTML_ONLY,MISSING_MID,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,RP_MATCHES_RCVD,SPF_HELO_PASS scantime=2.1,size=34843,user=spamass-milter,uid=111,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=60296,mid=(unknown),bayes=0.000000,autolearn=ham autolearn_force=no
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: (.|Y) [-[:digit:]]+
@@ -573,8 +581,12 @@ Mar 4 07:38:01 nada sshd[15794]: input_userauth_request: invalid user [preauth
 #Mar 7 19:37:07 nada sshd[9647]: Received disconnect from 91.195.103.173: 11: Client disconnecting normally [preauth]
 #Mar 9 15:08:55 marconi sshd[25800]: Received disconnect from 61.158.188.21 port 59944:11: ok [preauth]
 #Mar 9 15:22:40 marconi sshd[29305]: Received disconnect from 202.163.123.135 port 59164:11: ok [preauth]
+#Apr 16 07:45:39 nada sshd[31491]: error: Received disconnect from 37.229.184.255: 2: Handshake failed [preauth]
+#Apr 13 09:47:05 marconi sshd[695]: error: Received disconnect from 37.229.184.255 port 61294:2: Handshake failed [preauth]
+\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [.:[:digit:]]+(:)? (port [[:digit:]]+:)?(11|2): (Client disconnecting normally|ok|Handshake failed) \[preauth\]
+
+
-\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:digit:]]+(:)? (port [[:digit:]]+:)?11: (Client disconnecting normally|ok) \[preauth\]
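Review bot: `[-[:digit:]]+` in the rewritten spamd result rule accepts a hyphen anywhere, so it also matches `1-2` or `--`, whereas the score field is a signed integer as the `-2` sample shows; `-?[[:digit:]]+` matches exactly that. The verdict group `(.|Y)` also has an unescaped dot and therefore matches any single character; `(\.|Y)` is what the samples contain. Because the rule is not anchored at the end and accepts both verdicts, every `spamd: result:` line, including positive spam verdicts, is dropped from the report; that was already true before this change, but a comment above the rule stating that this is intentional would help.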
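Review bot: The rewritten sshd rule is the only rule in these hunks without a leading `^`, so it matches anywhere in a line; the rule it replaces lacked it too, but since the line is being rewritten, starting it with `^\w{3} [ :[:digit:]]{11} ...` would bring it in line with the other rules. The alternation `(11|2): (Client disconnecting normally|ok|Handshake failed)` also accepts mixed combinations such as `11: Handshake failed`; `(11: (Client disconnecting normally|ok)|2: Handshake failed)` keeps it tied to the observed messages. The two added empty `+` lines above the removed rule look unintentional. Both `2: Handshake failed [preauth]` samples come from the same address, which may indicate automated connection attempts rather than ordinary client behaviour; suppressing them removes that indicator from the report, so if that is acceptable here it is worth recording in a comment on the rule.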
@@ -614,8 +626,10 @@ Mar 4 07:38:01 nada sshd[15794]: input_userauth_request: invalid user [preauth
 #Apr 11 06:47:59 nada systemd-logind[306]: New session c12 of user nobody.
 #Apr 11 06:47:59 nada systemd-logind[306]: Removed session c12.
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: (Removed session c12.|New session c12 of user nobody.)
-
+#Apr 11 10:58:01 nada systemd-logind[306]: New session c14 of user fredrik.
+#Apr 11 11:04:24 nada systemd-logind[306]: New session c15 of user fredrik.
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: (Removed session [[:alnum:]]+.|New session [[:alnum:]]+ of user (nobody|fredrik).)
+Apr 11 15:12:51 nada systemd: pam_unix(systemd-user:session): session closed for user fredrik
diff --git a/logcheck_ubuntu b/logcheck_ubuntu
index fe61b8a..493811a 100644
--- a/logcheck_ubuntu
+++ b/logcheck_ubuntu
@@ -129,8 +129,8 @@
 #Feb 28 03:17:11 marconi systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
 #Feb 28 03:17:18 marconi systemd: pam_unix(systemd-user:session): session closed for user root
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session (opened|closed) for user root( by \(uid=0\))?
-
+#Apr 11 15:12:51 nada systemd: pam_unix(systemd-user:session): session closed for user fredrik
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session (opened|closed) for user (root|fredrik)( by \(uid=0\))?
@@ -170,6 +170,12 @@
+#
+# Desktop
+#
+
+# Ignorera gnome etc..
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ org.gnome
 #
diff --git a/testlog b/testlog
index 3402856..c7483aa 100644
--- a/testlog
+++ b/testlog
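Review bot: The last added line of the logcheck_debian hunk, `Apr 11 15:12:51 nada systemd: pam_unix(systemd-user:session): session closed for user fredrik`, has no leading `#`, so logcheck will load it as a regular expression rather than a sample; it appears to be the same example that the logcheck_ubuntu hunk in this commit adds with a `#` prefix. As a pattern it is harmless but useless, since it can only match that one timestamp, so either prefix it with `#` or add the corresponding `pam_unix\(systemd-user:session\)` ignore rule to this file as well. In the rewritten systemd-logind rule the `.` after `[[:alnum:]]+` and after `(nobody|fredrik)` is unescaped; `\.` matches the literal period shown in the samples.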
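Review bot: `^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ org.gnome` in the logcheck_ubuntu Desktop section suppresses every message from any program tag beginning with those characters, whatever the message says, and the unescaped dots also accept `orgXgnome`. The only sample this commit provides (in testlog) is a `secret_service_search_sync` warning from `org.gnome.evolution.dataserver.Sources5[...]`; a rule tied to that shape, e.g. `org\.gnome\.[-._[:alnum:]]+\[[[:digit:]]+\]: \*\* \([-_.[:alnum:]]+:[[:digit:]]+\): WARNING \*\*: `, keeps other GNOME component output visible in the report. The comment `# Ignorera gnome etc..` is in Swedish while the other comments visible in this diff are in English; `# Ignore GNOME desktop component warnings` would be consistent.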
@@ -510,6 +510,22 @@ Apr 10 20:31:42 nada sendmail[24393]: v3AIVgPU024393: Authentication-Warning: na
 Apr 10 21:18:28 nada HORDE: User is not authorized for horde [pid 28010 on line 324 of "/usr/share/php/Horde/Registry.php"]
 Apr 10 21:57:16 nada spamd[19842]: dns: reply to 60884/IN/A/relayhi2.mysmtp.com truncated (EDNS 4096 bytes), 120 answer records
 Apr 10 21:57:16 nada spamd[19842]: dns: reply to 43885/IN/A/relayhi3.euro.email truncated (EDNS 4096 bytes), 34 answer records
+Apr 11 10:58:01 nada systemd-logind[306]: New session c14 of user fredrik.
+Apr 11 11:04:24 nada systemd-logind[306]: New session c15 of user fredrik.
+Apr 11 17:47:56 nada milter-greylist: DKIM failed: Syntax error
+Apr 11 23:02:34 nada milter-greylist: DKIM failed: Bad signature
+Apr 13 16:22:06 nada named[296]: managed-keys-zone: Unable to fetch DNSKEY set 'dlv.isc.org': SERVFAIL
+Apr 13 05:20:04 nada spamd[4701]: spamd: result: . -1 - ALL_TRUSTED,BAYES_00,MISSING_DATE,MISSING_MID scantime=2.4,size=697,user=spamass-milter,uid=111,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=59968,mid=(unknown),bayes=0.000000,autolearn=no autolearn_force=no
+Apr 13 00:24:51 marconi named[7781]: DNS format error from 8.8.8.8#53 resolving slashdot.org/DS: Name . 
(SOA) not subdomain of zone org -- invalid response
+Apr 12 14:10:54 nada sshd[15793]: error: Received disconnect from 37.229.184.255: 2: Handshake failed [preauth]
+Apr 16 07:45:39 nada sshd[31491]: error: Received disconnect from 37.229.184.255: 2: Handshake failed [preauth]
+Apr 13 09:47:05 marconi sshd[695]: error: Received disconnect from 37.229.184.255 port 61294:2: Handshake failed [preauth]
+Apr 12 15:05:34 nada sm-mta[20644]: v3CD5WoV020644: [60.191.40.195]: probable open proxy: command=GET / HTTP/1.0\r\n
+Apr 12 09:45:33 marconi org.gnome.evolution.dataserver.Sources5[25620]: ** (evolution-source-registry:26188): WARNING **: secret_service_search_sync: must specify at least one attribute to match
+Apr 13 09:45:33 marconi org.gnome.evolution.dataserver.Sources5[25620]: ** (evolution-source-registry:26188): WARNING **: secret_service_search_sync: must specify at least one attribute to match
+Apr 16 16:46:57 nada spamd[17910]: dns: reply to 27982/IN/TXT/micro-campus.com truncated (EDNS 4096 bytes), 1 answer records
+Apr 16 00:00:02 marconi sudo: fredrik : TTY=unknown ; PWD=/home/fredrik ; USER=root ; COMMAND=/home/fredrik/bin/kdbx_backup.sh
+Apr 14 13:41:44 nada spamd[3869]: spamd: result: . -2 - BAYES_00,DATE_IN_FUTURE_48_96,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FROM_EXCESS_BASE64,HTML_MESSAGE,MIME_HTML_ONLY,MISSING_MID,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,RP_MATCHES_RCVD,SPF_HELO_PASS scantime=2.1,size=34843,user=spamass-milter,uid=111,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=60296,mid=(unknown),bayes=0.000000,autolearn=ham autolearn_force=no