From 286ac6ecc3789d049366b6a68dfb547c3548d5fb Mon Sep 17 00:00:00 2001
From: Fredrik Wahlberg <fredrik@kvarnen.wahlberg.se>
Date: Fri, 1 Apr 2016 12:53:40 +0200
Subject: [PATCH] =?UTF-8?q?Ett=20antal=20sm=C3=A5=20regler=20till?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 logcheck_ignore | 22 +++++++++++++++++++---
 testlog         | 13 ++++++++++++-
 2 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/logcheck_ignore b/logcheck_ignore
index a54e5d6..d6afce1 100644
--- a/logcheck_ignore
+++ b/logcheck_ignore
@@ -138,6 +138,9 @@
 #Mar 26 22:10:17 nada dovecot: pop3(ammis): Connection closed top=0/0, retr=29/1819516, del=0/73, size=4433634
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3\([[:alnum:]]+\): Connection closed top=[/[:digit:]]+, retr=[/[:digit:]]+, del=[/[:digit:]]+, size=[[:digit:]]+
 
+#Mar 30 20:59:38 nada dovecot: imap(katarina): Disconnected: Disconnected in=139 out=8902
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Disconnected: Disconnected in=[[:digit:]]+ out=[[:digit:]]+
+
 
 
 #
@@ -218,7 +221,8 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_rcpt, arg1=<[-_.@[:alnum:]]+>, relay=\[[.:[:digit:]]+\], reject=550 5.7.1 <[-_.@[:alnum:]]+>... Relaying denied. IP name lookup failed \[[.:[:digit:]]+\]
 
 #Mar 11 13:55:34 nada sm-mta[10612]: u2BCtW1I010612: ruleset=check_rcpt, arg1=<star.pop3@hotmail.com>, relay=rdns2.fastmkt.xyz [177.11.51.157] (may be forged), reject=550 5.7.1 <star.pop3@hotmail.com>... Relaying denied. IP name possibly forged [177.11.51.157]
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_rcpt, arg1=<[-_.@[:alnum:]]+>, relay=[-.[:alnum:]]+ \[[.:[:digit:]]+\] \(may be forged\), reject=550 5.7.1 <[-_.@[:alnum:]]+>... Relaying denied. IP name possibly forged \[[.:[:digit:]]+\]
+#Mar 27 22:21:47 nada sm-mta[3607]: u2RKLiXq003607: ruleset=check_rcpt, arg1=eax_64@yahoo.com, relay=125-227-60-218.HINET-IP.hinet.net [125.227.60.218] (may be forged), reject=550 5.7.1 eax_64@yahoo.com... Relaying denied. IP name possibly forged [125.227.60.218]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_rcpt, arg1=(<)?[-_.@[:alnum:]]+(>)?, relay=[-.[:alnum:]]+ \[[.:[:digit:]]+\] \(may be forged\), reject=550 5.7.1 (<)?[-_.@[:alnum:]]+(>)?... Relaying denied. IP name possibly forged \[[.:[:digit:]]+\]
 
 #Mar  9 07:33:07 nada sm-mta[24033]: u296N4QZ024033: collect: premature EOM: Connection reset by [208.87.25.77]
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: collect: premature EOM: Connection reset by \[[.:[:digit:]]+\]
@@ -237,7 +241,9 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_rcpt, arg1=[-_.@[:alnum:]]+, relay=\[[.:[:digit:]]+\], reject=550 5.7.1 [-_.@[:alnum:]]+ Relaying denied. IP name lookup failed \[[.:[:digit:]]+\]
 
 #Mar 15 11:26:20 nada sm-mta[6679]: STARTTLS=client, relay=mail.compenta.se., version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA256, bits=128/128
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS=client, relay=[-.:[:alnum:]]+, version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA256, bits=128/128
+#Mar 30 20:47:04 nada sm-mta[9603]: STARTTLS=client, relay=mail-gw01.fsdata.se., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
+#Mar 30 13:04:11 nada sm-mta[30164]: STARTTLS=client, relay=mailgw.swip.net., field=cn_subject, status=failed to extract CN
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS=client, relay=[-.:[:alnum:]]+, (version=TLSv1/SSLv3, verify=FAIL, cipher=[-[:alnum:]]+, bits=128/128|field=cn_subject, status=failed to extract CN)
 
 #Mar 22 13:31:42 nada sendmail[24653]: gethostbyaddr(127.0.0.2) failed: 1
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sendmail\[[[:digit:]]+\]: gethostbyaddr\(127.0.0.2\) failed: 1
@@ -250,6 +256,11 @@
 # Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (clamav): to error state
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: Milter \([[:alnum:]]+\): (to error state|write\(Q\) returned -1, expected 5: Broken pipe)
 
+#Mar 30 15:36:53 nada sm-mta[12291]: u2U9XkgT020620: u2UDarTR012291: sender notify: Warning: could not send message for past 4 hours
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: [[:alnum:]]+: sender notify: Warning: could not send message for past 4 hours
+
+#Mar 30 19:01:40 nada sm-mta[30590]: u2UGiH7o030590: collect: premature EOM: No route to host
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: collect: premature EOM: No route to host
 
 
 
@@ -280,6 +291,10 @@
 #Mar 26 06:57:05 nada spamd.pid[10050]: spamd: restarting using '/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir --user-config -d --pidfile=/var/run/spamd.pid'
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd.pid\[[0-9]+\]: spamd: restarting using '/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir --user-config -d --pidfile=/var/run/spamd.pid'
 
+#Mar 28 10:48:05 nada spamd[17905]: prefork: server reached --max-children setting, consider raising it
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: prefork: server reached --max-children setting, consider raising it
+
+
 
 
 #
@@ -300,8 +315,9 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: channel [[:digit:]]: open failed: administratively prohibited: open failed
 
 #Mar 10 11:22:52 kvarnen sshd[12813]: error: PAM: Cannot make/remove an entry for the specified session for illegal user support from 40.76.54.16
+#Mar 30 14:57:07 nada sshd[8420]: error: PAM: Cannot make/remove an entry for the specified session for illegal user admin from d5152db40.static.telenet.be
 #Mar 14 01:39:26 nada sshd[14346]: error: PAM: Cannot make/remove an entry for the specified session for root from 6e.a0.caa1.ip4.static.sl-reverse.com
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: Cannot make/remove an entry for the specified session for (illegal user )?[[:alnum:]]+ from [.:[:digit:]]+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: Cannot make/remove an entry for the specified session for (illegal user )?[[:alnum:]]+ from [-.:[:alnum:]]+
 
 #Mar 14 02:25:08 nada sshd[18347]: fatal: Read from socket failed: Connection reset by peer [preauth]
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Read from socket failed: Connection reset by peer \[preauth\]
diff --git a/testlog b/testlog
index ba18eaf..3dd980c 100644
--- a/testlog
+++ b/testlog
@@ -117,7 +117,6 @@ Mar 26 06:57:13 nada spamd[17910]: server socket setup failed, retry 8: spamd: c
 Mar 26 06:57:14 nada spamd[17910]: server socket setup failed, retry 9: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
 Mar 26 06:57:15 nada spamd[17910]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
 Mar 26 16:18:46 nada sshd[3298]: Received disconnect from 91.193.74.33: 11: Bye [preauth]
-Mar 26 17:21:15 kvarnen epmd: epmd: invalid packet size (18245)
 Mar 26 18:09:14 nada monit[5075]: 'localhost' 'localhost' cpu wait usage check succeeded [current cpu wait usage=0.0%]
 Mar 26 21:45:26 nada named[5002]: validating @0xb82ba940: . NS: got insecure response; parent indicates it should be secure
 Mar 26 21:45:26 nada named[5002]: managed-keys-zone ./IN: No DNSKEY RRSIGs found for '.': success
@@ -130,5 +129,17 @@ Mar 27 06:31:18 nada monit[5075]: 'clamav-milter' process PID changed from 26461
 Mar 27 06:33:18 nada monit[5075]: 'clamav-milter' process PID has not changed since last cycle
 Mar 27 10:28:35 nada sshd[2326]: Received disconnect from 91.193.74.33: 11: Bye [preauth]
 Mar 27 10:28:38 nada sshd[2328]: Received disconnect from 91.193.74.33: 11: Bye [preauth]
+Mar 27 22:21:47 nada sm-mta[3607]: u2RKLiXq003607: ruleset=check_rcpt, arg1=eax_64@yahoo.com, relay=125-227-60-218.HINET-IP.hinet.net [125.227.60.218] (may be forged), reject=550 5.7.1 eax_64@yahoo.com... Relaying denied. IP name possibly forged [125.227.60.218]
+Mar 28 06:34:18 nada sshd[16291]: Received disconnect from 91.193.74.33: 11: Bye [preauth]
+Mar 28 10:48:05 nada spamd[17905]: prefork: server reached --max-children setting, consider raising it
+Mar 30 03:49:50 nada sshd[9974]: Received disconnect from 125.212.232.159: 11: Closed due to user request. [preauth]
+Mar 30 13:04:11 nada sm-mta[30164]: STARTTLS=client, relay=mailgw.swip.net., field=cn_subject, status=failed to extract CN
+Mar 30 14:57:07 nada sshd[8420]: error: PAM: Cannot make/remove an entry for the specified session for illegal user admin from d5152db40.static.telenet.be
+Mar 30 14:57:09 nada sshd[8420]: error: PAM: Cannot make/remove an entry for the specified session for illegal user admin from d5152db40.static.telenet.be
+Mar 30 15:36:53 nada sm-mta[12291]: u2U9XkgT020620: u2UDarTR012291: sender notify: Warning: could not send message for past 4 hours
+Mar 30 19:01:40 nada sm-mta[30590]: u2UGiH7o030590: collect: premature EOM: No route to host
+Mar 30 20:47:04 nada sm-mta[9603]: STARTTLS=client, relay=mail-gw01.fsdata.se., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
+Mar 30 20:59:38 nada dovecot: imap(katarina): Disconnected: Disconnected in=139 out=8902
+Apr  1 06:03:28 nada dovecot: imap(gregory): Disconnected: Disconnected in=219 out=22999