From 8e5e79b92b97c6ad2dbc027fc1bc8db077e773a5 Mon Sep 17 00:00:00 2001
From: Fredrik Wahlberg
Date: Sat, 10 Mar 2018 13:46:46 +0100
Subject: [PATCH] Nya regler

---
 logcheck_debian | 21 ++++++++++++++++++---
 logcheck_ubuntu | 5 +++++
 testlog | 12 ++++++++++++
 3 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/logcheck_debian b/logcheck_debian
index 5b1e913..d200b91 100644
--- a/logcheck_debian
+++ b/logcheck_debian
@@ -104,6 +104,13 @@
 #Nov 7 09:58:47 nada freshclam[304]: WARNING: Invalid DNS reply. Falling back to HTTP mode.
 \w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: WARNING: (DNS record is older than 3 hours.|Invalid DNS reply. Falling back to HTTP mode.)
+#Mar 9 23:47:14 nada freshclam[31063]: WARNING: Your ClamAV installation is OUTDATED!
+#Mar 9 23:47:14 nada freshclam[31063]: WARNING: Local version: 0.99.3 Recommended version: 0.99.4
+\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: WARNING: (Your ClamAV installation is OUTDATED!|Local version:)
+
+#Mar 9 23:47:14 nada freshclam[31063]: DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
+\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
+
 # 
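Review bot: The new freshclam rule's `Your ClamAV installation is OUTDATED!` alternative suppresses the one line that says the scanner engine is behind, and the bare `Local version:` alternative will keep matching however far behind it falls, so a future version lag is silenced exactly like today's. Pinning the suppression to the versions given in the sample comments, `WARNING: (Your ClamAV installation is OUTDATED!|Local version: 0\.99\.3 Recommended version: 0\.99\.4)`, keeps the current noise out of the report while letting the next mismatch surface again. The unescaped dots in the `DON'T PANIC!` URL make that rule slightly looser than the literal address, which is harmless for an ignore rule and matches the escaping style of the surrounding freshclam rules.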
@@ -366,8 +373,8 @@
 #Mar 15 11:26:20 nada sm-mta[6679]: STARTTLS=client, relay=mail.compenta.se., version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA256, bits=128/128
 #Mar 30 20:47:04 nada sm-mta[9603]: STARTTLS=client, relay=mail-gw01.fsdata.se., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
 #Sep 11 00:02:05 cocacola sm-mta[4678]: STARTTLS=client, relay=mail.wahlberg.se., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
-#Mar 30 13:04:11 nada sm-mta[30164]: STARTTLS=client, relay=mailgw.swip.net., field=cn_subject, status=failed to extract CN
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS=client, relay=[-.:[:alnum:]]+, (version=TLSv1/SSLv3, verify=FAIL, cipher=[-[:alnum:]]+, bits=[/[:digit:]]+|field=cn_subject, status=failed to extract CN)
+#Mar 9 00:02:06 cocacola sm-mta[30768]: STARTTLS=client, relay=mail.wahlberg.se., version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS=client, relay=[-.:[:alnum:]]+, (version=TLSv1(.2)?(/SSLv3)?, verify=FAIL, cipher=[-[:alnum:]]+, bits=[/[:digit:]]+|field=cn_subject, status=failed to extract CN)
 #Mar 22 13:31:42 nada sendmail[24653]: gethostbyaddr(127.0.0.2) failed: 1
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sendmail\[[[:digit:]]+\]: gethostbyaddr\(127.0.0.2\) failed: 1
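Review bot: The `(.2)?` in the rewritten `version=` alternative uses an unescaped dot, so it accepts any character before the 2, and it does not cover other minor versions such as `TLSv1.1` or `TLSv1.3`; `version=TLSv1(\.[0-9])?(/SSLv3)?` says what is meant. The hunk also drops the only sample for the `field=cn_subject, status=failed to extract CN` alternative while the rule still carries that alternative; keep the `#Mar 30 13:04:11` sample next to the new `#Mar 9` one so every branch of the rule stays documented.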
@@ -497,6 +504,14 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: (.|Y) [-[:digit:]]+
+#Mar 9 06:51:00 nada spamd[29947]: spamd: server socket closed, type IO::Socket::IP
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server socket closed, type IO::Socket::IP
+
+Mar 9 06:51:04 nada spamd[31055]: spamd: server started on IO::Socket::IP [127.0.0.1]:783 (running version 3.4.0)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server started on IO::Socket::IP \[127.0.0.1\]:783 \(running version 3.4.0\)
+
+#Mar 9 06:51:02 nada spamd[31055]: zoom: able to use 345/345 'body_0' compiled rules (100%)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: zoom: able to use 345/345 'body_0' compiled rules \(100%\)
@@ -619,7 +634,7 @@
 \w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [.:[:digit:]]+(:)? (port [[:digit:]]+:)?(11|2): (Client disconnecting normally|ok|Handshake failed) \[preauth\]
 #Sep 9 06:55:41 marconi sshd[11486]: Invalid user 0101 from 91.197.232.109
-\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Invalid user [ -@.[:alnum:]]+ from [.:[:digit:]]+
+\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Invalid user ([ -@.[:alnum:]]+)? from [.:[:digit:]]+
 #Sep 11 11:32:09 cocacola sshd[5924]: Received disconnect from 5.189.139.2: 11: Normal Shutdown, Thank you for playing [preauth]
 #Sep 8 13:32:49 marconi sshd[20127]: Received disconnect from 103.27.239.143 port 40512:11: Normal Shutdown, Thank you for playing [preauth]
diff --git a/logcheck_ubuntu b/logcheck_ubuntu
index aff8592..b121da7 100644
--- a/logcheck_ubuntu
+++ b/logcheck_ubuntu
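Review bot: The sample line `Mar 9 06:51:04 nada spamd[31055]: spamd: server started on IO::Socket::IP [127.0.0.1]:783 (running version 3.4.0)` in the `@@ -497,6` hunk has no leading `#`, so logcheck will load it as an ignore pattern of its own rather than as a comment; with `[31055]` and `[127.0.0.1]` read as bracket expressions it is unlikely to match anything, but it should start with `#` like the other samples. The rule below it is deliberately pinned to `\[127.0.0.1\]:783` and `version 3.4.0`, which is the right call for a daemon that matters: a spamd that comes up on a non-loopback address or a changed version will still appear in the report, at the cost of revisiting the rule after an upgrade.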
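Review bot: In the `@@ -619,7` hunk the rewritten sshd rule still requires a literal space on both sides of the now-optional user group, so with the group absent it only matches `Invalid user  from` spelled with two spaces; the testlog line this commit adds, `Invalid user from 139.162.122.110 port 47280`, shows a single space as rendered here, and if that spacing is real the line is still not ignored. I cannot tell from this rendering whether sshd logged one space or two, since the syslog day padding has also been collapsed, so check the raw testlog against the rule. `Invalid user ?([ -@.[:alnum:]]*) from [.:[:digit:]]+` matches either spelling as well as the named-user form without widening the rule beyond the empty-user case.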
@@ -271,3 +271,8 @@ OA
 #Mar 2 15:55:13 marconi smartd[17895]: Device: /dev/sdc
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/sdc
+
+
+#Mar 10 00:04:24 marconi platform[16851]: [2018/03/10 00:04:24 CET] [INFO] Incoming webhook received. Content={"text": "Daglig backup klar
+#Mar 10 00:04:24 marconi platform[16851]: Daglig backup klar"}
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ platform\[[[:digit:]]+\]
\ No newline at end of file
diff --git a/testlog b/testlog
index a4b9af2..851bdc1 100644
--- a/testlog
+++ b/testlog
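Review bot: The new `platform\[[[:digit:]]+\]` rule stops at the PID and carries no message text, so it discards every line the `platform` process will ever log, not just the two-line `Daglig backup klar` webhook notice the samples show; any later warning or error from that service vanishes from the report with it. Anchoring the rule to the observed message keeps the suppression to what was actually seen, e.g. `^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ platform\[[[:digit:]]+\]: (\[[^]]+\] \[INFO\] Incoming webhook received\. Content=\{"text": "Daglig backup klar|Daglig backup klar"\})$`. The file is also left without a trailing newline (`\ No newline at end of file`), which turns the next addition into a spurious one-line change.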
@@ -632,6 +632,18 @@ Feb 5 05:36:40 marconi sshd[12309]: Unable to negotiate with 36.255.159.233 por
 Feb 5 07:17:24 marconi sshd[31872]: Connection closed by invalid user sap_user 47.205.250.5 port 33272 [preauth]
 Feb 5 14:59:07 marconi sshd[21801]: Connection closed by invalid user 0101 5.188.10.179 port 60847 [preauth]
 Feb 6 02:20:14 nada saslauthd[610]: do_auth : auth failure: [user=Adm1n!] [service=smtp] [realm=#] [mech=shadow] [reason=Invalid username]
+Mar 10 00:04:24 marconi platform[16851]: [2018/03/10 00:04:24 CET] [INFO] Incoming webhook received. Content={"text": "Daglig backup klar
+Mar 10 00:04:24 marconi platform[16851]: Daglig backup klar"}
+Mar 9 00:02:06 cocacola sm-mta[30768]: STARTTLS=client, relay=mail.wahlberg.se., version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
+Mar 9 05:03:24 cocacola sshd[31876]: Unable to negotiate with 81.3.154.136 port 49595: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc [preauth]
+Mar 9 22:51:13 cocacola sshd[1575]: Invalid user from 139.162.122.110 port 47280
+Mar 9 23:47:14 nada freshclam[31063]: WARNING: Your ClamAV installation is OUTDATED!
+Mar 9 23:47:14 nada freshclam[31063]: WARNING: Local version: 0.99.3 Recommended version: 0.99.4
+Mar 9 23:47:14 nada freshclam[31063]: DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
+Mar 9 06:51:00 nada spamd[29947]: spamd: server socket closed, type IO::Socket::IP
+Mar 9 06:51:00 nada spamassassin.pid --create-prefs --max-children 5 --helper-home-dir --user-config: spamd: restarting using '/usr/sbin/spamd -d --pidfile=/var/run/spamassassin.pid --create-prefs --max-children 5 --helper-home-dir --user-config'
+Mar 9 06:51:02 nada spamd[31055]: zoom: able to use 345/345 'body_0' compiled rules (100%)
+Mar 9 06:51:04 nada spamd[31055]: spamd: server started on IO::Socket::IP [127.0.0.1]:783 (running version 3.4.0)
 Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...