Fler regler tillagda

logcheck_ignore

@@ -7,13 +7,16 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Clamd successfully notified about the update\.$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: --------------------------------------$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Database updated \([0-9]+ signatures\) from .* \(IP: [0-9.]+\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Downloading daily-[0-9]+.cdiff \[100%\] ?$
+#Mar 17 06:27:00 kvarnen freshclam[485]: Downloading main.cvd [100%]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Downloading (daily-[0-9]+.cdiff|main.cvd) \[100%\] ?$
 
 # Mar 11 07:30:29 kvarnen freshclam[485]: nonblock_connect: connect timing out (30 secs)
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: nonblock_connect: connect timing out \(30 secs\)
 
 # Mar 10 23:29:42 kvarnen freshclam[485]: Can't connect to port 80 of host db.local.clamav.net (IP: 213.73.255.243)
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Can't connect to port 80 of host db.local.clamav.net \(IP: [.[:digit:]]+\)
+# Mar 17 05:07:52 kvarnen freshclam[485]: Can't connect to port 80 of host database.clamav.net (IP: 213.73.255.243)
+# Mar 17 05:07:22 kvarnen freshclam[485]: Can't connect to port 80 of host database.clamav.net (IP: 145.58.29.83)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Can't connect to port 80 of host (db.local|database).clamav.net \(IP: [.[:digit:]]+\)
 
 # Mar 10 23:29:42 kvarnen freshclam[485]: WARNING: getfile: daily-21460.cdiff not found on remote server (IP: 217.19.16.188)
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: WARNING: getfile: daily-[[:digit:]]+.cdiff not found on remote server \(IP: [.[:digit:]]+\)
@@ -22,7 +25,11 @@
 #Mar 17 05:07:22 kvarnen freshclam[485]: WARNING: getpatch: Can't download main-56.cdiff from database.clamav.net
 #Mar 17 05:07:22 kvarnen freshclam[485]: ERROR: getpatch: Can't download main-56.cdiff from database.clamav.net
 #Mar 17 05:07:52 kvarnen freshclam[485]: ERROR: Can't download main.cvd from database.clamav.net
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: (ERROR|WARNING): (getpatch: )?Can't download ((main|daily)-[[:digit:]]+.cdiff|main.cvd) from (db.local.clamav.net|database.clamav.net)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: (ERROR|WARNING): (getpatch: )?Can't download ((main|daily)-[[:digit:]]+.cdiff|main.cvd) from (db.local|database).clamav.net
+
+#Mar 17 06:27:06 kvarnen freshclam[485]: WARNING: getfile: Unknown response from remote server (IP: 145.58.29.83)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: (ERROR|WARNING): getfile: Unknown response from remote server \(IP: [.[:digit:]]+\)
+
 
 # Mar 11 07:30:29 kvarnen freshclam[485]: Trying host db.local.clamav.net (145.58.29.83)...
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Trying host db.local.clamav.net \([.[:digit:]]+\)...
@@ -37,7 +44,7 @@
 
 #Mar 17 05:07:22 kvarnen freshclam[485]: Can't connect to port 80 of host database.clamav.net (IP: 145.58.29.83)
 #Mar 17 05:07:52 kvarnen freshclam[485]: Can't connect to port 80 of host database.clamav.net (IP: 213.73.255.243)
-\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Can't connect to port 80 of host database.clamav.net \(IP: [.[:digit:]]+\)
+\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Can\'t connect to port 80 of host database.clamav.net \(IP: [.[:digit:]]+\)
 
 #Mar 17 05:07:22 kvarnen freshclam[485]: Trying host database.clamav.net (213.73.255.243)...
 \w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Trying host database.clamav.net \([.[:digit:]]+\)...
@@ -57,6 +64,11 @@
 #Mar 17 04:52:54 kvarnen freshclam[485]: Empty script main-56.cdiff, need to download entire database
 \w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Empty script main-[[:digit:]]+.cdiff, need to download entire database
 
+#Mar 21 02:52:56 kvarnen freshclam[485]: bytecode.cvd is up to date (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
+\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: bytecode.cvd is up to date \(version: [[:digit:]]+, sigs: [[:digit:]]+, f-level: [[:digit:]]+, builder: amishhammer\)
+
+#Mar 17 06:30:26 kvarnen freshclam[485]: Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
+\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Update failed. Your network may be down or none of the mirrors listed in \/etc\/clamav\/freshclam.conf is working. Check http:\/\/www.clamav.net\/doc\/mirrors-faq.html for possible reasons.
 
 #
 # DOVECOT
@@ -83,7 +95,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: ssl-params: (Generating SSL parameters|SSL parameters regeneration completed)
 
 #Mar 15 14:03:51 nada dovecot: pop3-login: Disconnected (client didn't finish SASL auth, waited 0 secs): user=<>, method=PLAIN, rip=213.112.7.21, lip=66.23.226.92, TLS, session=<dEpiBxYuHQDVcAcV>
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3-login: Disconnected \(client didn't finish SASL auth, waited [[:digit:]]+ secs\): user=<>, method=PLAIN, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS, session=<[[:alnum:]]+>
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3-login: Disconnected \(client didn\'t finish SASL auth, waited [[:digit:]]+ secs\): user=<>, method=PLAIN, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS, session=<[[:alnum:]]+>
 
 #Mar 16 01:47:24 kvarnen dovecot: pop3-login: Aborted login (no auth attempts in 3 secs): user=<>, rip=66.240.219.146, lip=95.170.86.14, TLS, session=<bSZ62x8uaQBC8NuS>
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3-login: Aborted login \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS, session=<[[:alnum:]]+>
@@ -91,6 +103,9 @@
 #Mar 14 18:40:24 nada dovecot: imap(johan): Disconnected for inactivity in reading our output in=603 out=253156
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Disconnected for inactivity in reading our output in=[[:digit:]]+ out=[[:digit:]]+
 
+#Mar 21 02:40:04 kvarnen dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=200.68.99.217, lip=95.170.86.14, session=<7uj4LIUuMQDIRGPZ>
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3-login: Aborted login \(tried to use disallowed plaintext auth\): user=<>, rip=[.:[:digit:]]+, lip=[.:[:digit:]]+, session=<[+/[:alnum:]]+>
+
 
 #
 #  MONIT
@@ -127,6 +142,16 @@
 #Mar 13 19:02:30 kvarnen named[8896]: transfer of 'acroyoga.se/IN' from 66.23.226.92#53: Transfer completed: 0 messages, 0 records, 0 bytes, 127.193 secs (0 bytes/sec)
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: transfer of '[-.[:alnum:]]+/IN' from [.[:digit:]]+#[[:digit:]]+: Transfer completed: [[:digit:]]+ messages, [[:digit:]]+ records, [[:digit:]]+ bytes, [.[:digit:]]+ secs \([[:digit:]]+ bytes/sec\)
 
+#Mar 21 05:58:39 kvarnen named[8896]: transfer of 'happysthlm.se/IN' from 66.23.226.92#53: connected using 95.170.86.14#33872
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: transfer of '[-.[:alnum:]]+/IN' from [.[:digit:]]+#[[:digit:]]+: connected using [.[:digit:]]+#[[:digit:]]+
+
+#Mar 21 05:58:32 kvarnen named[8896]: zone happysthlm.se/IN: refresh: retry limit for master 66.23.226.92#53 exceeded (source 0.0.0.0#0)
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: zone [-.[:alnum:]]+/IN: refresh: retry limit for master [.[:digit:]]+#[[:digit:]]+ exceeded \(source [.[:digit:]]+#[[:digit:]]+\)
+
+#Mar 16 21:43:05 kvarnen named[8896]: master 66.23.226.92#53 (source 0.0.0.0#0) deleted from unreachable cache
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: master [.[:digit:]]+#[[:digit:]]+ \(source [.[:digit:]]+#[[:digit:]]+\) deleted from unreachable cache
+
+
 
 #
 # SASLAUTHD
@@ -214,8 +239,8 @@
 #
 
 #Mar 11 21:08:21 nada suhosin[30831]: ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker '91.121.230.152', file '/home/happysthlm/www.happysthlm.se/wp/xmlrpc.php')
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - dropped [[:digit:]]+ request variables - \([[:digit:]]+ in GET, [[:digit:]]+ in POST, [[:digit:]]+ in COOKIE\) \(attacker '[.[:digit:]]+', file '[/_-.[:alnum:]]+'\)
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - dropped [[:digit:]]+ request variables - \([[:digit:]]+ in GET, [[:digit:]]+ in POST, [[:digit:]]+ in COOKIE\) \(attacker '[.[:digit:]]+', file '.*'\)
 
-#Mar 11 21:10:17 nada suhosin[30832]: ALERT - configured request variable name length limit exceeded - dropped variable '
+#Mar 11 21:10:17 nada suhosin[30832]: ALERT - configured request variable name length limit exceeded - dropped variable 
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - configured request variable name length limit exceeded - dropped variable 
 

testlog

@@ -52,8 +52,16 @@ Mar 17 06:27:00 kvarnen freshclam[485]: Downloading main.cvd [100%]
 Mar 17 06:27:00 kvarnen freshclam[485]: ERROR: Verification: Can't verify database integrity
 Mar 17 06:27:06 kvarnen freshclam[485]: WARNING: getfile: Unknown response from remote server (IP: 145.58.29.83)
 Mar 17 06:30:26 kvarnen freshclam[485]: Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
-Mar 17 07:33:54 kvarnen freshclam[485]: Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
+Mar 18 20:23:08 kvarnen dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=200.68.99.217, lip=95.170.86.14, session=<y+JQrVcuJwDIRGPZ>
-Mar 17 08:37:22 kvarnen freshclam[485]: Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
+Mar 20 11:52:56 kvarnen freshclam[485]: bytecode.cvd is up to date (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
-Mar 17 09:40:50 kvarnen freshclam[485]: Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
+Mar 21 00:52:56 kvarnen freshclam[485]: bytecode.cvd is up to date (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
-Mar 17 10:44:18 kvarnen freshclam[485]: Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
+Mar 21 01:52:56 kvarnen freshclam[485]: bytecode.cvd is up to date (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
-Mar 17 11:47:45 kvarnen freshclam[485]: Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
+Mar 21 02:40:01 kvarnen dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=200.68.99.217, lip=95.170.86.14, session=<ZBvPLIUufADIRGPZ>
+Mar 21 02:40:02 kvarnen dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=200.68.99.217, lip=95.170.86.14, session=<vA/kLIUuLADIRGPZ>
+Mar 21 02:40:04 kvarnen dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=200.68.99.217, lip=95.170.86.14, session=<7uj4LIUuMQDIRGPZ>
+Mar 21 02:52:56 kvarnen freshclam[485]: bytecode.cvd is up to date (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
+Mar 21 03:52:56 kvarnen freshclam[485]: bytecode.cvd is up to date (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
+Mar 21 04:52:56 kvarnen freshclam[485]: bytecode.cvd is up to date (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
+Mar 21 05:52:56 kvarnen freshclam[485]: bytecode.cvd is up to date (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
+Mar 21 05:58:32 kvarnen named[8896]: zone happysthlm.se/IN: refresh: retry limit for master 66.23.226.92#53 exceeded (source 0.0.0.0#0)
+Mar 21 05:58:39 kvarnen named[8896]: transfer of 'happysthlm.se/IN' from 66.23.226.92#53: connected using 95.170.86.14#33872