fredrik/logcheck
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Diverse uppdaterade regler

Browse Source
This commit is contained in:
fredrik
2017-03-26 21:22:25 +02:00
parent c287979a0e
commit 9ff928d1d5
3 changed files with 83 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
logcheck_debian
View File

@@ -90,8 +90,8 @@
#Mar 17 06:30:26 kvarnen freshclam[485]: Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Update failed. Your network may be down or none of the mirrors listed in \/etc\/clamav\/freshclam.conf is working. Check http:\/\/www.clamav.net\/doc\/mirrors-faq.html for possible reasons.
#Mar 19 06:47:45 nada clamav-milter: ClamAV: mi_stop=1
\w{3} [ :0-9]{11} [._[:alnum:]-]+ clamav-milter: ClamAV: mi_stop=1
#
@@ -183,7 +183,7 @@
#Mar 11 06:34:44 nada named[1771]: reading built-in trusted keys from file '/etc/bind/bind.keys'
#Mar 11 06:34:44 nada named[1771]: sizing zone task pool based on 21 zones
#Mar 11 06:34:44 nada named[1771]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: (Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones|sizing zone task pool based on [[:digit:]]+ zones|received control channel command 'reload'|reading built-in trusted keys from file '/etc/bind/bind.keys')
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: (Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones|sizing zone task pool based on [[:digit:]]+ zones|received control channel command 'reload( [.[:alnum:]]+)?'|reading built-in trusted keys from file '/etc/bind/bind.keys')
#Mar 10 06:43:39 nada named[1771]: client 95.170.86.14#50337: received notify for zone 'happysthlm.com'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [.:[:xdigit:]]+\#[[:digit:]]+: received notify for zone '[-.[:alnum:]]+'
@@ -191,7 +191,7 @@
#Mar 13 19:06:05 nada named[1771]: client 95.170.86.14#54781: transfer of 'stiy.com/IN': IXFR ended
#Mar 3 18:45:43 nada named[31321]: client 46.21.104.9#48923: transfer of 'wahlberg.se/IN': AXFR-style IXFR started
#Mar 3 18:45:43 nada named[31321]: client 46.21.104.9#48923: transfer of 'wahlberg.se/IN': AXFR-style IXFR ended
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [.:[:xdigit:]]+\#[[:digit:]]+: transfer of '[-.[:alnum:]]+/IN': (IXFR|AXFR-style) (started|ended)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [.:[:xdigit:]]+\#[[:digit:]]+: transfer of '[-.[:alnum:]]+/IN':( AXFR-style) IXFR (started|ended)
#Mar 11 06:34:44 nada named[1771]: reloading configuration succeeded
#Mar 11 06:34:44 nada named[1771]: reloading zones succeeded
@@ -230,6 +230,10 @@
#Mar 4 15:06:28 marconi named[27570]: client 113.240.250.154#43169: message parsing failed: bad compression pointer
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [#.[:digit:]]+: message parsing failed: bad compression pointer
#Mar 16 10:33:41 nada named[31321]: zone happysthlm.se/IN: loaded serial 2017031600
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: zone [-.[:alnum:]]+/IN: loaded serial [[:digit:]]+
#
# SASLAUTHD
@@ -304,14 +308,22 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: Milter: to=[.@%[:alnum:]]+, reject=451 4.7.1 Greylisting in action, please come back later
#Apr 9 09:51:26 nada sm-mta[6169]: u397pP13006169: rejecting commands from [113.240.250.156] [113.240.250.156] due to pre-greeting traffic after 1 seconds
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: rejecting commands from \[[.[:digit:]]+\] \[[.[:digit:]]+\] due to pre-greeting traffic after [[:digit:]]+ seconds
#Mar 23 19:07:02 nada sm-mta[20228]: v2NI71CW020228: rejecting commands from ec2-35-165-194-208.us-west-2.compute.amazonaws.com [35.165.194.208] due to pre-greeting traffic after 1 seconds
#Mar 23 23:44:38 nada sm-mta[17761]: v2NMibVZ017761: rejecting commands from ecs-160-44-202-130.reverse.open-telekom-cloud.com [160.44.202.130] due to pre-greeting traffic after 1 seconds
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: rejecting commands from (\[[.[:digit:]]+\]|[-.[:alnum:]]+) \[[.[:digit:]]+\] due to pre-greeting traffic after [[:digit:]]+ seconds
#Apr 15 10:25:06 nada sm-mta[23906]: u3F8P26J023665: u3F8P66I023906: DSN: Service unavailable
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: [[:alnum:]]+: DSN: Service unavailable
#Mar 17 11:32:29 nada sm-mta[775]: v2HAWQ2g000768: v2HAWT2f000775: DSN: Host unknown (Name server: hgadvokat.se: host not found)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: [[:alnum:]]+: DSN: Host unknown \(Name server:
#[-.[:alnum:]]+: host not found\)
#Apr 14 11:05:05 nada sm-mta[15662]: u3E955KV015662: li1068-122.members.linode.com [106.184.3.122]: probable open proxy: command=GET http://www.ipip.net/ HTTP/1.1\r\n
#Apr 20 15:10:44 nada sm-mta[5182]: u3KDAiZT005182: li1068-122.members.linode.com [106.184.3.122]: probable open proxy: command=GET / HTTP/1.1\r\n
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: [-.[:alnum:]]+ \[[.[:digit:]]+\]: probable open proxy: command=GET (http://www.ipip.net)?/ HTTP/1.1\\r\\n
#Mar 20 04:00:44 nada sm-mta[21983]: v2K30iPx021983: [180.163.2.117]: probable open proxy: command=GET / HTTP/1.1\r\n
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: ([-.[:alnum:]]+ )?\[[.[:digit:]]+\]: probable open proxy: command=GET (http://www.ipip.net)?/ HTTP/1.1\\r\\n
#Oct 24 06:04:11 nada sm-mta[7813]: STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
@@ -329,7 +341,11 @@
#Mar 6 23:47:37 nada sm-mta[11119]: v26MlObG011113: Fixed MIME Content-Type header field (possible attack)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: Fixed MIME Content-Type header field \(possible attack\)
#Mar 8 07:31:45 nada sm-mta[16598]: v286VitB016598: AUTH decode64 error [-5 for "Y2FzdG9yAGNhc3RvcgBwb2tlbW9uDQ==\r"], relay=[156.67.106.207]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: AUTH decode64 error \[-5 for "[=\\[:alnum:]]+"\], relay=\[[.:[:digit:]]+\]
#Mar 16 03:41:06 nada sm-mta[28708]: STARTTLS: write error=syscall error (-1), errno=32, get_error=error:00000000:lib(0):func(0):reason(0), retry=99, ssl_err=5
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS: write error=syscall error \(-1\), errno=32, get_error=error:00000000:lib\(0\):func\(0\):reason\(0\), retry=99, ssl_err=5
@@ -389,14 +405,16 @@
# Mar 8 12:09:30 nada sshd[26267]: Received disconnect from 199.91.135.158: 3: com.jcraft.jsch.JSchException: reject HostKey: 66.23.226.92 [preauth]
# Feb 28 03:09:57 nada sshd[30462]: Received disconnect from 47.89.188.218: 3: com.jcraft.jsch.JSchException: Auth cancel [preauth]
#Mar 3 21:19:31 marconi sshd[17576]: error: Received disconnect from 212.83.160.203 port 57458:3: com.jcraft.jsch.JSchException: Auth cancel [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]:( error:)? Received disconnect from [.:[:digit:]]+( port [[:digit:]]+:|: )3: (java.net.SocketTimeoutException|com.jcraft.jsch.JSchException): (reject HostKey: [.:[:digit:]]+|Auth fail|Read timed out|Auth cancel) \[preauth\]
#Mar 19 04:36:45 marconi sshd[26598]: error: Received disconnect from 46.165.220.212 port 52999:13: User request [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]:( error:)? Received disconnect from [.:[:digit:]]+( port [[:digit:]]+:|: )(3|13): (java.net.SocketTimeoutException|com.jcraft.jsch.JSchException|User request)(: )?(reject HostKey: [.:[:digit:]]+|Auth fail|Read timed out|Auth cancel)? \[preauth\]
#Mar 26 16:18:46 nada sshd[3298]: Received disconnect from 91.193.74.33: 11: Bye [preauth]
#Apr 7 13:59:42 nada sshd[19013]: Received disconnect from 2.234.148.20: 11: ok [preauth]
#Apr 3 12:26:03 nada sshd[15236]: Received disconnect from 125.212.232.83: 11: Closed due to user request. [preauth]
#May 14 10:15:47 nada sshd[26005]: Received disconnect from 115.239.230.223: 11: disconnect [preauth]
#Aug 17 10:52:11 nada sshd[24804]: Received disconnect from 89.97.55.33: 11: disconnected by user [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:digit:]]+: 11: (disconnect(ed by user)?|ok|Bye|Closed due to user request.) \[preauth\]
#Mar 17 07:29:31 nada sshd[7692]: Received disconnect from 178.162.211.197: 13: User request [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:digit:]]+: (11|13): (User request|disconnect(ed by user)?|ok|Bye|Closed due to user request.) \[preauth\]
#Mar 24 11:06:21 kvarnen sshd[5495]: channel 4: open failed: administratively prohibited: open failed
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: channel [[:digit:]]: open failed: administratively prohibited: open failed
@@ -435,6 +453,9 @@
#May 11 01:17:42 kvarnen sshd[14739]: fatal: Unable to negotiate a key exchange method [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Unable to negotiate a key exchange method \[preauth\]
#Mar 17 09:44:38 marconi sshd[27920]: fatal: Unable to negotiate with 212.129.20.230 port 51562: no matching cipher found. Their offer: aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Unable to negotiate with [.[:digit:]]+ port [[:alnum:]]+: no matching cipher found. Their offer: .* \[preauth\]
#Apr 27 12:36:56 kvarnen sshd[26293]: Bad protocol version identification 'GET http://clientapi.ipip.net/echo.php?info=20160427185402 HTTP/1.1' from 106.184.2.29 port 7680
#May 13 16:59:50 kvarnen sshd[21380]: Bad protocol version identification '' from 171.13.14.52 port 59637
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification '.*' from [.:[:digit:]]+ port [[:digit:]]+
@@ -472,7 +493,10 @@ Mar 4 07:38:01 nada sshd[15794]: input_userauth_request: invalid user [preauth
#Mar 8 03:17:11 nada sshd[23415]: Received disconnect from 91.195.103.166: 11: Client disconnecting normally [preauth]
#Mar 7 19:37:07 nada sshd[9647]: Received disconnect from 91.195.103.173: 11: Client disconnecting normally [preauth]
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:digit:]]+: 11: Client disconnecting normally \[preauth\]
#Mar 9 15:08:55 marconi sshd[25800]: Received disconnect from 61.158.188.21 port 59944:11: ok [preauth]
#Mar 9 15:22:40 marconi sshd[29305]: Received disconnect from 202.163.123.135 port 59164:11: ok [preauth]
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:digit:]]+(:)? (port [[:digit:]]+:)?11: (Client disconnecting normally|ok) \[preauth\]