Uppdaterade regler

logcheck_ignore

@@ -1,3 +1,30 @@
+#
+# CLAMAV
+#
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: ClamAV update process started at .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Received signal: (wake up|re-opening log file)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: (daily|main)\.c(l|v)d (is up to date|updated) \(version: [0-9]+, sigs: [0-9]+, f-level: [0-9]+, builder: \w+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Clamd successfully notified about the update\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: --------------------------------------$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Database updated \([0-9]+ signatures\) from .* \(IP: [0-9.]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Downloading daily-[0-9]+.cdiff \[100%\] ?$
+
+# Mar 11 07:30:29 kvarnen freshclam[485]: nonblock_connect: connect timing out (30 secs)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: nonblock_connect: connect timing out \(30 secs\)
+
+# Mar 10 23:29:42 kvarnen freshclam[485]: Can't connect to port 80 of host db.local.clamav.net (IP: 213.73.255.243)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Can't connect to port 80 of host db.local.clamav.net \(IP: [.[:digit:]]+\)
+
+# Mar 10 23:29:42 kvarnen freshclam[485]: WARNING: getfile: daily-21460.cdiff not found on remote server (IP: 217.19.16.188)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: WARNING: getfile: daily-[[:digit:]]+.cdiff not found on remote server \(IP: [.[:digit:]]+\)
+
+# Mar 10 23:29:42 kvarnen freshclam[485]: WARNING: getpatch: Can't download daily-21460.cdiff from db.local.clamav.net
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: WARNING: getpatch: Can't download daily-[[:digit:]]+.cdiff from db.local.clamav.net
+
+# Mar 11 07:30:29 kvarnen freshclam[485]: Trying host db.local.clamav.net (145.58.29.83)...
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Trying host db.local.clamav.net \([.[:digit:]]+\)...
+
+
 #
 # DOVECOT
 #
@@ -12,8 +39,11 @@
 # Mar  8 15:42:52 nada dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=141.212.122.129, lip=66.23.226.92, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<M0mYmIotEACN1HqB>
 # Mar  8 09:55:24 nada dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=213.153.113.1, lip=66.23.226.92, TLS, session=<tGj3vYUtSgDVmXEB>
 #Mar 10 21:31:07 nada dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<katarina>, method=PLAIN, rip=66.23.226.92, lip=66.23.226.92, TLS, session=<qnd3sbctoABCF+Jc>
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected(: Inactivity)? \((auth failed, [[:digit:]]+|no auth) attempts in [[:digit:]]+ secs\): user=<([[:alnum:]]+)?>,( method=PLAIN,)? rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, TLS(, session=<[+/[:alnum:]]+>)?
+#Mar 10 23:23:14 kvarnen dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=85.25.43.94, lip=95.170.86.14, session=<OuW1QrktjABVGSte>
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected(: Inactivity)? \((auth failed, [[:digit:]]+|no auth) attempts in [[:digit:]]+ secs\): user=<([[:alnum:]]+)?>,( method=PLAIN,)? rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS)?(, session=<[+/[:alnum:]]+>)?
 
+#Mar 10 12:53:41 kvarnen dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=141.212.122.64, lip=95.170.86.14, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<1cA1d7AtxACN1HpA>
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected \(disconnected before auth was ready, waited 0 secs\): user=<>, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS handshaking: SSL_accept\(\) failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<[/+[:alnum:]]+>
 
 #
 #  MONIT
@@ -76,7 +106,6 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\(pam_google_authenticator\)\[[[:digit:]]+\]: Invalid verification code
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\(pam_google_authenticator\)\[[[:digit:]]+\]: Failed to read \"[/[:alnum:]]+\/.google_authenticator\"
 
-
 # Mar 10 11:12:56 nada sshd[26548]: Received disconnect from 94.102.49.198: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
 # Mar  8 12:09:30 nada sshd[26267]: Received disconnect from 199.91.135.158: 3: com.jcraft.jsch.JSchException: reject HostKey: 66.23.226.92 [preauth]
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:digit:]]+: 3: com.jcraft.jsch.JSchException: (reject HostKey: [.:[:digit:]]+|Auth fail) \[preauth\]
@@ -85,3 +114,5 @@
 # Mar  8 18:05:09 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=fredrik uid=0 euid=0 tty=dovecot ruser=fredrik rhost=::1
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_(krb5|unix)\(dovecot:auth\): authentication failure\; logname=([[:alnum:]]+)? uid=[[:digit:]]+ euid=[[:digit:]]+ tty=dovecot ruser=[[:alnum:]]+ rhost=[.:[:xdigit:]]+
 
+#Mar 10 11:22:52 kvarnen sshd[12813]: error: PAM: Cannot make/remove an entry for the specified session for illegal user support from 40.76.54.16
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: Cannot make/remove an entry for the specified session for illegal user [[:alnum:]]+ from [.:[:digit:]]+