diff --git a/logcheck-fw-dovecot b/logcheck-fw-dovecot
index 2507d38..4e1f2b0 100644
--- a/logcheck-fw-dovecot
+++ b/logcheck-fw-dovecot
@@ -1,5 +1,8 @@
 #Oct 25 06:13:28 nada dovecot: imap(fredrik)<24465>: Connection closed (LIST finished 0.620 secs ago) in=50 out=4460 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
 #Oct 25 11:10:57 nada dovecot: imap(cali)<31529>: Connection closed (LIST finished 0.658 secs ago) in=50 out=4627 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
 #Oct 25 11:11:00 nada dovecot: imap(cali)<31531>: Connection closed (UID FETCH finished 0.341 secs ago) in=2206 out=17894 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+#Oct 25 16:09:13 nada dovecot: imap(cali)<6202>: Connection closed (UID FETCH finished 0.248 secs ago) in=1645 out=14821 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+#Oct 25 16:12:05 nada dovecot: imap(birgitta)<6236>: Connection closed (UID FETCH finished 0.295 secs ago) in=1906 out=15850 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+#Oct 25 16:13:00 nada dovecot: imap(fredrik)<6240><99Nk8i3P18suOxpv>: Logged out in=2119 out=386189 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=1 body_bytes=26072
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\):\<[[:alnum:]]+\>\<[[:alnum:]]+\>: Connection closed.*
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\)<[[:alnum:]]+><[\/[:alnum:]]+>: (Connection closed|Logged out in).*
diff --git a/logcheck-fw-opendkim b/logcheck-fw-opendkim
new file mode 100644
index 0000000..c91ffc0
--- /dev/null
+++ b/logcheck-fw-opendkim
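Review bot: The new pattern requires two angle-bracket groups (`<[[:alnum:]]+><[\/[:alnum:]]+>`), but only the `Logged out` sample carries a session id; the three existing samples and the two added `Connection closed` samples (e.g. `imap(cali)<6202>: Connection closed`) have just the pid group and will still not be suppressed. Making the second group optional covers both shapes: `^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\)<[[:alnum:]]+>(<[\/[:alnum:]]+>)?: (Connection closed|Logged out in).*`. Inside a POSIX bracket expression the backslash is an ordinary character, so `[\/[:alnum:]]` also admits a literal `\`; `[/[:alnum:]]` expresses the intent. The same single-group `Connection closed` lines are added to testlog in this commit, so the mismatch will show up in a test run.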
@@ -0,0 +1,43 @@
+
+#
+# OPENDKIM
+#
+#Sep 14 02:16:29 nada opendkim[21955]: x8E0GOqX026235: mta15.achatdesoffres.be [149.202.159.102] not internal
+#Sep 14 02:20:37 nada opendkim[21955]: x8E0KXlB026281: [194.36.142.89] [194.36.142.89] not internal
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: ([-._[:alnum:]]+|\[[.[:digit:]]+\]) \[[.[:digit:]]+\] not internal
+
+#Sep 14 02:16:29 nada opendkim[21955]: x8E0GOqX026235: not authenticated
+#Sep 14 10:10:49 nada opendkim[21955]: x8E8AjNd008607: no signature data
+#Sep 15 09:59:26 nada opendkim[21955]: x8F7xMhM010212: bad signature data
+#Sep 14 11:30:22 nada opendkim[21955]: x8E9UENg009655: failed to parse Authentication-Results: header field
+#Sep 15 13:25:02 nada opendkim[21955]: x8FBOtch014266: failed to parse authentication-results: header field
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: (not authenticated|(bad|no) signature data|failed to parse [aA]uthentication-[rR]esults: header field)
+
+#Sep 14 02:16:32 nada opendkim[21955]: x8E0GOqX026235: s=default d=achatdesoffres.be SSL
+#Sep 14 11:30:25 nada opendkim[21955]: x8E9UENg009655: s=selector2-synsam-onmicrosoft-com d=synsam.onmicrosoft.com SSL
+#Sep 14 13:12:07 nada opendkim[21955]: x8EBC3io011931: s=d2048-201806-01 d=linkedin.com SSL
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: s=[-._[:alnum:]]+ d=[-._[:alnum:]]+ SSL
+
+#Sep 14 09:09:27 nada opendkim[21955]: x8E79KnS021433: message has signatures from duolingo.com, amazonses.com
+#Sep 14 13:12:07 nada opendkim[21955]: x8EBC3io011931: message has signatures from linkedin.com, maile.linkedin.com
+#Sep 14 13:47:35 nada opendkim[21955]: x8EBlUbo012372: message has signatures from dezeen.com, cmail2.com
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: message has signatures from [-._[:alnum:]]+, [-._[:alnum:]]+
+
+#Sep 14 14:49:02 nada opendkim[21955]: x8ECmqeD013147: key retrieval failed (s=s1, d=autopay.io): 's1._domainkey.autopay.io' query timed out
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: key retrieval failed.*$
+
+#Sep 14 02:16:32 nada sm-mta[26235]: x8E0GOqX026235: Milter insert (1): header: Authentication-Results: nada.wahlberg.se; dkim=pass\n\treason="1024-bit key; unprotected key"\n\theader.d=achatdesoffres.be header.i=@achatdesoffres.be\n\theader.b=IesLqRjT; dkim-adsp=pass; dkim-atps=neutral
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sm-mta\[[[:digit:]]+\]: [[:alnum:]]+: Milter insert.*$
+
+#Nov 20 09:20:12 nada opendkim[504]: xAK8K5B8032017: no signing table match for 'gregory@mc-cabe.com'
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: no signing table match for '.*'
+
+
+#Oct 26 08:00:43 nada opendkim[452]: 19Q60b6K009441: s=smtpapi d=sendgrid.net a=rsa-sha256 SSL
+#Oct 26 08:00:58 nada opendkim[452]: 19Q60oUL009449: s=s1 d=alloffice.se a=rsa-sha256 SSL
+#Oct 26 08:02:39 nada opendkim[452]: 19Q62XN9009466: s=dk d=s6.csa2.acemsa2.com a=rsa-sha256 SSL
+#Oct 26 08:03:24 nada opendkim[452]: 19Q63GTn009473: s=neolane d=email.hm.com a=rsa-sha256 SSL
+#Oct 26 08:05:29 nada opendkim[452]: 19Q65Jlq009498: s=bedrock d=lrfsamkop.se a=rsa-sha1 SSL
+#Oct 26 08:07:42 nada opendkim[452]: 19Q67at9009525: s=key1 d=s8.uwentos.ru a=rsa-sha1 SSL
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: s=[-.[:alnum:]]+ d=[-.[:alnum:]]+ a=[-.[:alnum:]]+ SSL
+
diff --git a/logcheck-fw-saslauthd b/logcheck-fw-saslauthd
index f78f629..62a6a74 100644
--- a/logcheck-fw-saslauthd
+++ b/logcheck-fw-saslauthd
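Review bot: The `a=` rule at the end of the new file narrows the selector and domain classes to `[-.[:alnum:]]`, while the `s=… d=… SSL` rule above it accepts `[-._[:alnum:]]`; a selector or domain containing an underscore is therefore suppressed when opendkim omits the algorithm field but reported when it logs one. Using the same class in both keeps them consistent: `^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: s=[-._[:alnum:]]+ d=[-._[:alnum:]]+ a=[-.[:alnum:]]+ SSL`. As a point of style, the file opens with an empty line and the new block is set off by two blank lines with no heading; a one-line comment such as `# signature verified, newer format with a= algorithm field` above its samples would match the `# OPENDKIM` header convention used in the rest of the file. The remaining rules appear to be a verbatim move of the block deleted from logcheck_debian in this commit.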
@@ -9,3 +9,5 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: (do_auth)?[[:blank:]]+: auth failure: \[user=([[:print:]]+)?\] \[service=(smtp)?\] \[realm=([[:print:]]+)?\] \[mech=(pam|shadow)\] \[reason=(Unknown|PAM auth error|Invalid username|Incorrect password)\]
+#Oct 26 09:44:50 nada saslauthd[275]: : NULL password received
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: (do_auth)?[[:blank:]]+: NULL password received
diff --git a/logcheck_debian b/logcheck_debian
index 51124b4..ad8896b 100644
--- a/logcheck_debian
+++ b/logcheck_debian
@@ -8,7 +8,8 @@
 # Mar 24 18:13:26 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=fredmiranda@mc-cabe.com uid=0 euid=0 tty=dovecot ruser=fredmiranda@mc-cabe.com rhost=41.105.13.141
 # Mar 24 18:13:26 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=fredmiranda@mc-cabe.com rhost=41.105.13.141
 # Mar 7 21:39:47 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=jras_81 uid=0 euid=0 tty=dovecot ruser=jras_81 rhost=177.101.130.43
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_(krb5|unix)\((dovecot)?:auth\): authentication failure\; logname=([_-.@[:alnum:]]+)? uid=[[:digit:]]+ euid=[[:digit:]]+ tty=(dovecot)? ruser=([_-.@[:alnum:]]+)? rhost=([.:[:xdigit:]]+)?
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_(krb5|unix)\((dovecot)?:auth\): authentication failure
+#\; logname=([_-.@[:alnum:]]+)? uid=[[:digit:]]+ euid=[[:digit:]]+ tty=(dovecot)? ruser=([_-.@[:alnum:]]+)? rhost=([.:[:xdigit:]]+)?
 # Mar 23 19:49:48 nada auth: pam_unix(dovecot:auth): check pass; user unknown
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_unix\(dovecot:auth\): check pass; user unknown
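Review bot: As printed in this hunk the sample is `saslauthd[275]: : NULL password received`, with a single space between the two colons; if that is the real spacing, the new rule cannot match it, because `\]: ` consumes that space and `[[:blank:]]+` then demands at least one more blank before `: NULL`. If the live line is padded the way the `do_auth` form in the context line above appears to be, the rule works and this is moot, but `[[:blank:]]*` matches both spacings: `^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: (do_auth)?[[:blank:]]*: NULL password received`. The testlog line added in this commit shows the same single-space form, so a run against it will settle which spacing is real.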
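Review bot: The live rule in the logcheck_debian hunk is now cut off after `authentication failure` with no trailing anchor, so it suppresses every pam_krb5/pam_unix dovecot auth failure whatever the logname, ruser and rhost fields contain, and the rest of the pattern is left behind as a dead `#\;` line. The tail most likely never matched because `[_-.@[:alnum:]]` contains the range expression `_-.`: in the C locale `_` (0x5F) sorts after `.` (0x2E), which GNU grep rejects as an invalid range end, and in other locales its members follow collation rather than being the intended three literals. Writing the hyphen first fixes that, and restoring the tail (with a plain `;` as in the `check pass` rule below) keeps the rule tied to the full line shape: `^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_(krb5|unix)\((dovecot)?:auth\): authentication failure; logname=([-_.@[:alnum:]]+)? uid=[[:digit:]]+ euid=[[:digit:]]+ tty=(dovecot)? ruser=([-_.@[:alnum:]]+)? rhost=([.:[:xdigit:]]+)?`. The `logname=jras_81` sample in the context lines is why the underscore belongs in that class.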
@@ -331,41 +332,6 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: DNS format error from [\#.[:digit:]]+ resolving [-_.[:alnum:]]+/DS: Name . \(SOA\) not subdomain of zone org -- invalid response
-#
-# OPENDKIM
-#
-#Sep 14 02:16:29 nada opendkim[21955]: x8E0GOqX026235: mta15.achatdesoffres.be [149.202.159.102] not internal
-#Sep 14 02:20:37 nada opendkim[21955]: x8E0KXlB026281: [194.36.142.89] [194.36.142.89] not internal
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: ([-._[:alnum:]]+|\[[.[:digit:]]+\]) \[[.[:digit:]]+\] not internal
-
-#Sep 14 02:16:29 nada opendkim[21955]: x8E0GOqX026235: not authenticated
-#Sep 14 10:10:49 nada opendkim[21955]: x8E8AjNd008607: no signature data
-#Sep 15 09:59:26 nada opendkim[21955]: x8F7xMhM010212: bad signature data
-#Sep 14 11:30:22 nada opendkim[21955]: x8E9UENg009655: failed to parse Authentication-Results: header field
-#Sep 15 13:25:02 nada opendkim[21955]: x8FBOtch014266: failed to parse authentication-results: header field
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: (not authenticated|(bad|no) signature data|failed to parse [aA]uthentication-[rR]esults: header field)
-
-#Sep 14 02:16:32 nada opendkim[21955]: x8E0GOqX026235: s=default d=achatdesoffres.be SSL
-#Sep 14 11:30:25 nada opendkim[21955]: x8E9UENg009655: s=selector2-synsam-onmicrosoft-com d=synsam.onmicrosoft.com SSL
-#Sep 14 13:12:07 nada opendkim[21955]: x8EBC3io011931: s=d2048-201806-01 d=linkedin.com SSL
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: s=[-._[:alnum:]]+ d=[-._[:alnum:]]+ SSL
-
-#Sep 14 09:09:27 nada opendkim[21955]: x8E79KnS021433: message has signatures from duolingo.com, amazonses.com
-#Sep 14 13:12:07 nada opendkim[21955]: x8EBC3io011931: message has signatures from linkedin.com, maile.linkedin.com
-#Sep 14 13:47:35 nada opendkim[21955]: x8EBlUbo012372: message has signatures from dezeen.com, cmail2.com
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: message has signatures from [-._[:alnum:]]+, [-._[:alnum:]]+
-
-#Sep 14 14:49:02 nada opendkim[21955]: x8ECmqeD013147: key retrieval failed (s=s1, d=autopay.io): 's1._domainkey.autopay.io' query timed out
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: key retrieval failed.*$
-
-#Sep 14 02:16:32 nada sm-mta[26235]: x8E0GOqX026235: Milter insert (1): header: Authentication-Results: nada.wahlberg.se; dkim=pass\n\treason="1024-bit key; unprotected key"\n\theader.d=achatdesoffres.be header.i=@achatdesoffres.be\n\theader.b=IesLqRjT; dkim-adsp=pass; dkim-atps=neutral
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sm-mta\[[[:digit:]]+\]: [[:alnum:]]+: Milter insert.*$
-
-#Nov 20 09:20:12 nada opendkim[504]: xAK8K5B8032017: no signing table match for 'gregory@mc-cabe.com'
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: no signing table match for '.*'
-
-
-
 #
 # SASLAUTHD
 #
diff --git a/testlog b/testlog
index 48c7848..d70cb63 100644
--- a/testlog
+++ b/testlog
@@ -1,5 +1,6 @@
 första raden i loggen
 Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...
+Oct 26 09:44:50 nada saslauthd[275]: : NULL password received
 Mar 16 21:43:05 kvarnen named[8896]: master 66.23.226.92#53 (source 0.0.0.0#0) deleted from unreachable cache
 Mar 16 21:43:05 kvarnen named[8896]: transfer of 'wahlberg.se/IN' from 66.23.226.92#53: connected using 95.170.86.14#37390
 Mar 17 04:51:05 kvarnen freshclam[485]: Empty script main-56.cdiff, need to download entire database
@@ -677,9 +678,31 @@ Sep 14 12:11:07 nada sm-mta[11236]: x8EAB551011236: Milter insert (1): header: D
 Sep 15 13:25:02 nada opendkim[21955]: x8FBOtch014266: failed to parse authentication-results: header field
 Sep 15 09:59:26 nada opendkim[21955]: x8F7xMhM010212: bad signature data
 Oct 29 09:03:40 nada spamd[11605]: spamd: connection from ::1 [::1]:33100 to port 783, fd 5
-Oct 29 09:08:44 nada spamd[11605]: spamd: connection from ::1 [::1]:38096 to port 783, fd 5
 Nov 20 09:20:12 nada opendkim[504]: xAK8K5B8032017: no signing table match for 'gregory@mc-cabe.com'
 Dec 19 17:32:19 nada named[5082]: managed-keys-zone: Active key unexpectedly missing from dlv.isc.org
+Oct 25 16:09:06 nada sendmail[6185]: STARTTLS=client: file /etc/letsencrypt/live/wahlberg.se-0005/cert.pem unsafe: Permission denied
+Oct 25 16:09:06 nada sendmail[6185]: STARTTLS=client: file /etc/letsencrypt/live/wahlberg.se-0005/privkey.pem unsafe: Permission denied
+Oct 25 16:09:06 nada sendmail[6185]: STARTTLS=client: file /etc/letsencrypt/live/wahlberg.se-0005/chain.pem unsafe: Permission denied
+Oct 25 16:09:06 nada sendmail[6185]: STARTTLS=client, error: load verify locs /etc/letsencrypt/live/wahlberg.se, /etc/letsencrypt/live/wahlberg.se-0005/chain.pem failed: 0
+Oct 25 16:09:06 nada sendmail[6185]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
+Oct 25 16:09:07 nada dovecot: imap(cali)<6187>: Connection closed (LIST finished 0.681 secs ago) in=50 out=4627 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+Oct 25 16:09:11 nada dovecot: imap(cali)<6191><0YeK5y3POWtU2IAZ>: Connection closed (UID FETCH finished 0.414 secs ago) in=2469 out=29554 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=815 body_count=1 body_bytes=10219
+Oct 25 16:09:13 nada dovecot: imap(cali)<6202>: Connection closed (UID FETCH finished 0.248 secs ago) in=1645 out=14821 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+Oct 25 16:11:22 nada dovecot: imap(birgitta)<6227>: Connection closed (LIST finished 0.267 secs ago) in=50 out=1686 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+Oct 25 16:11:25 nada dovecot: imap(birgitta)<6229>: Connection closed (UID FETCH finished 0.651 secs ago) in=2167 out=75936 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=371 body_count=1 body_bytes=59017
+Oct 25 16:11:28 nada dovecot: imap(birgitta)<6231>: Connection closed (UID FETCH finished 0.308 secs ago) in=1343 out=13798 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+Oct 25 16:12:03 nada dovecot: imap(birgitta)<6234>: Connection closed (LIST finished 0.427 secs ago) in=50 out=1686 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+Oct 25 16:12:05 nada dovecot: imap(birgitta)<6236>: Connection closed (UID FETCH finished 0.295 secs ago) in=1906 out=15850 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+Oct 25 16:12:08 nada dovecot: imap(birgitta)<6238>: Connection closed (UID FETCH finished 0.351 secs ago) in=1343 out=13806 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+Oct 25 16:12:10 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=fredrik uid=0 euid=0 tty=dovecot ruser=fredrik rhost=46.59.26.111
+Oct 25 16:13:00 nada dovecot: imap(fredrik)<6240><99Nk8i3P18suOxpv>: Logged out in=2119 out=386189 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=1 body_bytes=26072
+Oct 26 08:00:43 nada opendkim[452]: 19Q60b6K009441: s=smtpapi d=sendgrid.net a=rsa-sha256 SSL
+Oct 26 08:00:58 nada opendkim[452]: 19Q60oUL009449: s=s1 d=alloffice.se a=rsa-sha256 SSL
+Oct 26 08:02:39 nada opendkim[452]: 19Q62XN9009466: s=dk d=s6.csa2.acemsa2.com a=rsa-sha256 SSL
+Oct 26 08:03:24 nada opendkim[452]: 19Q63GTn009473: s=neolane d=email.hm.com a=rsa-sha256 SSL
+Oct 26 08:05:29 nada opendkim[452]: 19Q65Jlq009498: s=bedrock d=lrfsamkop.se a=rsa-sha1 SSL
+Oct 26 08:07:42 nada opendkim[452]: 19Q67at9009525: s=key1 d=s8.uwentos.ru a=rsa-sha1 SSL
+
 Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...
 Aug 23 18:39:24 nada fredrik[1713]: Sista raden