diff --git a/logcheck_ignore b/logcheck_ignore index b03ba57..2d4b1d0 100644 --- a/logcheck_ignore +++ b/logcheck_ignore @@ -19,12 +19,16 @@ # ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: ClamAV update process started at .*$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Received signal: (wake up|re-opening log file)$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: (daily|main)\.c(l|v)d (is up to date|updated) \(version: [0-9]+, sigs: [0-9]+, f-level: [0-9]+, builder: \w+\)$ + +#Apr 8 19:43:15 kvarnen freshclam[485]: bytecode.cvd updated (version: 276, sigs: 46, f-level: 63, builder: amishhammer) +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: (bytecode|daily|main)\.c(l|v)d (is up to date|updated) \(version: [0-9]+, sigs: [0-9]+, f-level: [0-9]+, builder: \w+\)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Clamd successfully notified about the update\.$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: --------------------------------------$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Database updated \([0-9]+ signatures\) from .* \(IP: [0-9.]+\)$ + #Mar 17 06:27:00 kvarnen freshclam[485]: Downloading main.cvd [100%] -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Downloading (daily-[0-9]+.cdiff|main.cvd) \[100%\] ?$ +#Apr 8 19:43:15 kvarnen freshclam[485]: Downloading bytecode.cvd [100%] +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Downloading (daily-[0-9]+.cdiff|main.cvd|bytecode.cvd) \[100%\] ?$ # Mar 11 07:30:29 kvarnen freshclam[485]: nonblock_connect: connect timing out (30 secs) ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: nonblock_connect: connect timing out \(30 secs\) 
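Review bot: The rewritten Downloading rule in this hunk leaves the dots in `main.cvd|bytecode.cvd` (and the pre-existing `daily-[0-9]+.cdiff`) unescaped while the neighbouring rules escape theirs (`\.c(l|v)d`, `update\.`), so each `.` matches any character and the ignore is slightly wider than the literal filenames; `(daily-[0-9]+\.cdiff|main\.cvd|bytecode\.cvd)` keeps it exact. The same unescaped dots appear in the new `(main|bytecode)-[[:digit:]]+.cdiff` rule of the -78 hunk and in the rewritten sshd rules of the -316 and -344 hunks, which is worth fixing in one pass since an overly broad ignore rule silently drops lines logcheck should still report. The new `(bytecode|daily|main)\.c(l|v)d ... (is up to date|updated)` rule also now covers the bytecode.cvd message that the file already handles with a separate, builder-specific rule (visible as context in the -78 hunk), so one of the two can be dropped to keep a single rule per message.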
@@ -46,7 +50,6 @@ #Mar 17 06:27:06 kvarnen freshclam[485]: WARNING: getfile: Unknown response from remote server (IP: 145.58.29.83) ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: (ERROR|WARNING): getfile: Unknown response from remote server \(IP: [.[:digit:]]+\) - # Mar 11 07:30:29 kvarnen freshclam[485]: Trying host db.local.clamav.net (145.58.29.83)... ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Trying host db.local.clamav.net \([.[:digit:]]+\)... @@ -78,7 +81,8 @@ \w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: WARNING: getfile: Error while reading database from [.[:alnum:]]+ \(IP: [.[:digit:]]+\): (Connection reset by peer|Operation now in progress) #Mar 17 04:52:54 kvarnen freshclam[485]: Empty script main-56.cdiff, need to download entire database -\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Empty script main-[[:digit:]]+.cdiff, need to download entire database +#Apr 8 19:43:15 kvarnen freshclam[485]: Empty script bytecode-276.cdiff, need to download entire database +\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Empty script (main|bytecode)-[[:digit:]]+.cdiff, need to download entire database #Mar 21 02:52:56 kvarnen freshclam[485]: bytecode.cvd is up to date (version: 275, sigs: 45, f-level: 63, builder: amishhammer) \w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: bytecode.cvd is up to date \(version: [[:digit:]]+, sigs: [[:digit:]]+, f-level: [[:digit:]]+, builder: amishhammer\) @@ -86,6 +90,10 @@ #Mar 17 06:30:26 kvarnen freshclam[485]: Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons. \w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Update failed. Your network may be down or none of the mirrors listed in \/etc\/clamav\/freshclam.conf is working. Check http:\/\/www.clamav.net\/doc\/mirrors-faq.html for possible reasons. + + + + # # DOVECOT # 
@@ -141,6 +149,8 @@ #Mar 30 20:59:38 nada dovecot: imap(katarina): Disconnected: Disconnected in=139 out=8902 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Disconnected: Disconnected in=[[:digit:]]+ out=[[:digit:]]+ +#Apr 6 17:17:53 nada dovecot: imap(gertie): Disconnected in APPEND (1 msgs, 0 secs, 0/44908 bytes) in=884034 out=368982 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Disconnected in APPEND \([[:digit:]]+ msgs, [[:digit:]]+ secs, [[:digit:]]+/[[:digit:]]+ bytes\) in=[[:digit:]]+ out=[[:digit:]]+ # @@ -205,7 +215,9 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: managed-keys-zone ./IN: Unable to fetch DNSKEY set '[.[:alnum:]]+': SERVFAIL #Mar 26 21:45:26 nada named[5002]: validating @0xb82ba940: . NS: got insecure response; parent indicates it should be secure -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: validating @0xb82ba940: . NS: got insecure response; parent indicates it should be secure +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: validating [@[:alnum:]]+: . NS: got insecure response; parent indicates it should be secure + + # # SASLAUTHD @@ -268,6 +280,9 @@ #Apr 4 01:58:18 nada sm-mta[23839]: u33Nw9KS023839: Milter: to=webmex@hotmail.com%nada.wahlberg.se, reject=451 4.7.1 Greylisting in action, please come back later ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: Milter: to=[.@%[:alnum:]]+, reject=451 4.7.1 Greylisting in action, please come back later +#Apr 9 09:51:26 nada sm-mta[6169]: u397pP13006169: rejecting commands from [113.240.250.156] [113.240.250.156] due to pre-greeting traffic after 1 seconds +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: rejecting commands from \[[.[:digit:]]+\] \[[.[:digit:]]+\] due to pre-greeting traffic after [[:digit:]]+ seconds + # 
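Review bot: The sm-mta rule added at the end of the -268 hunk requires both bracketed fields to be dotted digits, but that is backed by a single sample in which the client had no reverse DNS; if sendmail prints a resolved hostname in the first bracket for other clients the rule will only match unresolved ones, so it is worth checking a few more samples before relying on it. Since this message is sendmail rejecting a client that sent before the greeting, it is also a useful abuse indicator; if the intent is to keep the report readable rather than to hide the event, a comment such as `# pre-greeting rejections are expected from bots; counts are still available in mail.log` would record that this was a deliberate choice. The generalisation of the named rule in the -205 hunk from the fixed `@0xb82ba940` to `[@[:alnum:]]+` looks correct and removes a rule that could never have matched another process.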
@@ -316,13 +331,15 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\(pam_google_authenticator\)\[[[:digit:]]+\]: (Failed to read \"[/[:alnum:]]+\/.google_authenticator\"|Invalid verification code|Failed to compute location of secret file|Did not receive verification code from user) # Mar 10 11:12:56 nada sshd[26548]: Received disconnect from 94.102.49.198: 3: com.jcraft.jsch.JSchException: Auth fail [preauth] +# Apr 7 05:56:43 kvarnen sshd[2034]: error: Received disconnect from 212.83.191.8: 3: com.jcraft.jsch.JSchException: Auth fail [preauth] # Mar 12 04:09:09 nada sshd[23908]: Received disconnect from 195.154.52.9: 3: java.net.SocketTimeoutException: Read timed out [preauth] # Mar 8 12:09:30 nada sshd[26267]: Received disconnect from 199.91.135.158: 3: com.jcraft.jsch.JSchException: reject HostKey: 66.23.226.92 [preauth] -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:digit:]]+: 3: (java.net.SocketTimeoutException|com.jcraft.jsch.JSchException): (reject HostKey: [.:[:digit:]]+|Auth fail|Read timed out) \[preauth\] +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]:( error:)? Received disconnect from [.:[:digit:]]+: 3: (java.net.SocketTimeoutException|com.jcraft.jsch.JSchException): (reject HostKey: [.:[:digit:]]+|Auth fail|Read timed out) \[preauth\] #Mar 26 16:18:46 nada sshd[3298]: Received disconnect from 91.193.74.33: 11: Bye [preauth] -Apr 3 12:26:03 nada sshd[15236]: Received disconnect from 125.212.232.83: 11: Closed due to user request. [preauth] -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:digit:]]+: 11: (Bye|Closed due to user request.) \[preauth\] +#Apr 7 13:59:42 nada sshd[19013]: Received disconnect from 2.234.148.20: 11: ok [preauth] +#Apr 3 12:26:03 nada sshd[15236]: Received disconnect from 125.212.232.83: 11: Closed due to user request. 
[preauth] +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:digit:]]+: 11: (ok|Bye|Closed due to user request.) \[preauth\] #Mar 24 11:06:21 kvarnen sshd[5495]: channel 4: open failed: administratively prohibited: open failed ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: channel [[:digit:]]: open failed: administratively prohibited: open failed @@ -344,6 +361,12 @@ Apr 3 12:26:03 nada sshd[15236]: Received disconnect from 125.212.232.83: 11: C #Mar 15 09:24:00 kvarnen sshd[3572]: Protocol major versions differ for 40.76.48.189: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u1 vs. SSH-1.5-NmapNSE_1.0 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Protocol major versions differ for [.:[:digit:]]+: +#Apr 10 20:46:18 nada sshd[6046]: pam_unix(sshd:auth): conversation failed +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): conversation failed + +#Apr 10 20:50:19 nada sshd(pam_google_authenticator)[6490]: Trying to reuse a previously used time-based code. Retry again in 30 seconds. Warning! This might mean, you are currently subject to a man-in-the-middle attack +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\(pam_google_authenticator\)\[[[:digit:]]+\]: Trying to reuse a previously used time-based code. Retry again in 30 seconds. Warning! This might mean, you are currently subject to a man-in-the-middle attack + #
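Review bot: In the rewritten `11:` rule at the start of this line the period in `Closed due to user request.` is unescaped and matches any character, as does the one in `java.net.SocketTimeoutException` on the rewritten `3:` rule on the previous line; `Closed due to user request\.` keeps the alternative literal. The `3:` rule, which now also accepts the `error:` prefix, suppresses disconnects that in the quoted samples come from JSch-based clients that failed authentication; that is only safe if the corresponding sshd authentication-failure lines, which are not visible in this diff, are still reported by the violations rules, so please confirm that before merging. This hunk begins on the previous line.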
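Review bot: The pam_google_authenticator rule added at the end of this hunk silences the module's warning that a previously used time-based code was presented again, which is exactly the event that indicates a second party submitted a valid code within the same window; the message itself says it may mean a man-in-the-middle attack, and ignoring it removes one of the few replay signals the TOTP module emits. Unless the reuse is known to come from a benign double submission on this host, I would leave that rule out of logcheck_ignore so the line still reaches the report, and record the reason in a comment next to it if it is kept, e.g. `# reuse warning kept visible: it is the only replay indicator pam_google_authenticator logs`. The `pam_unix\(sshd:auth\): conversation failed` rule above it is less sensitive, but it is likewise a failure signal from clients that did not complete the challenge, so the same trade-off applies. If this hunk has trailing context beyond the final `#` it is not visible here.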