fredrik/logcheck
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Nya regler för Debian 11

Browse Source
This commit is contained in:
fredrik
2021-10-28 08:21:27 +02:00
parent 526a7c8c97
commit ae1b9291dc
5 changed files with 75 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
logcheck-fw-dovecot
View File

@@ -1,5 +1,8 @@
#Oct 25 06:13:28 nada dovecot: imap(fredrik)<24465><CRYxlSXPtyEuOxpv>: Connection closed (LIST finished 0.620 secs ago) in=50 out=4460 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
#Oct 25 11:10:57 nada dovecot: imap(cali)<31529><VbkTvSnPOGtU2IAZ>: Connection closed (LIST finished 0.658 secs ago) in=50 out=4627 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
#Oct 25 11:11:00 nada dovecot: imap(cali)<31531><bys4vSnPNGtU2IAZ>: Connection closed (UID FETCH finished 0.341 secs ago) in=2206 out=17894 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
#Oct 25 16:09:13 nada dovecot: imap(cali)<6202><AQ2/5y3PR2tU2IAZ>: Connection closed (UID FETCH finished 0.248 secs ago) in=1645 out=14821 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
#Oct 25 16:12:05 nada dovecot: imap(birgitta)<6236><V/gC8i3PKJmwCoeK>: Connection closed (UID FETCH finished 0.295 secs ago) in=1906 out=15850 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
#Oct 25 16:13:00 nada dovecot: imap(fredrik)<6240><99Nk8i3P18suOxpv>: Logged out in=2119 out=386189 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=1 body_bytes=26072
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\):\<[[:alnum:]]+\>\<[[:alnum:]]+\>: Connection closed.*
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\)<[[:alnum:]]+><[\/[:alnum:]]+>: (Connection closed|Logged out in).*

43
logcheck-fw-opendkim Normal file
View File

@@ -0,0 +1,43 @@
#
# OPENDKIM
#
#Sep 14 02:16:29 nada opendkim[21955]: x8E0GOqX026235: mta15.achatdesoffres.be [149.202.159.102] not internal
#Sep 14 02:20:37 nada opendkim[21955]: x8E0KXlB026281: [194.36.142.89] [194.36.142.89] not internal
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: ([-._[:alnum:]]+|\[[.[:digit:]]+\]) \[[.[:digit:]]+\] not internal
#Sep 14 02:16:29 nada opendkim[21955]: x8E0GOqX026235: not authenticated
#Sep 14 10:10:49 nada opendkim[21955]: x8E8AjNd008607: no signature data
#Sep 15 09:59:26 nada opendkim[21955]: x8F7xMhM010212: bad signature data
#Sep 14 11:30:22 nada opendkim[21955]: x8E9UENg009655: failed to parse Authentication-Results: header field
#Sep 15 13:25:02 nada opendkim[21955]: x8FBOtch014266: failed to parse authentication-results: header field
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: (not authenticated|(bad|no) signature data|failed to parse [aA]uthentication-[rR]esults: header field)
#Sep 14 02:16:32 nada opendkim[21955]: x8E0GOqX026235: s=default d=achatdesoffres.be SSL
#Sep 14 11:30:25 nada opendkim[21955]: x8E9UENg009655: s=selector2-synsam-onmicrosoft-com d=synsam.onmicrosoft.com SSL
#Sep 14 13:12:07 nada opendkim[21955]: x8EBC3io011931: s=d2048-201806-01 d=linkedin.com SSL
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: s=[-._[:alnum:]]+ d=[-._[:alnum:]]+ SSL
#Sep 14 09:09:27 nada opendkim[21955]: x8E79KnS021433: message has signatures from duolingo.com, amazonses.com
#Sep 14 13:12:07 nada opendkim[21955]: x8EBC3io011931: message has signatures from linkedin.com, maile.linkedin.com
#Sep 14 13:47:35 nada opendkim[21955]: x8EBlUbo012372: message has signatures from dezeen.com, cmail2.com
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: message has signatures from [-._[:alnum:]]+, [-._[:alnum:]]+
#Sep 14 14:49:02 nada opendkim[21955]: x8ECmqeD013147: key retrieval failed (s=s1, d=autopay.io): 's1._domainkey.autopay.io' query timed out
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: key retrieval failed.*$
#Sep 14 02:16:32 nada sm-mta[26235]: x8E0GOqX026235: Milter insert (1): header: Authentication-Results: nada.wahlberg.se; dkim=pass\n\treason="1024-bit key; unprotected key"\n\theader.d=achatdesoffres.be header.i=@achatdesoffres.be\n\theader.b=IesLqRjT; dkim-adsp=pass; dkim-atps=neutral
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sm-mta\[[[:digit:]]+\]: [[:alnum:]]+: Milter insert.*$
#Nov 20 09:20:12 nada opendkim[504]: xAK8K5B8032017: no signing table match for 'gregory@mc-cabe.com'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: no signing table match for '.*'
#Oct 26 08:00:43 nada opendkim[452]: 19Q60b6K009441: s=smtpapi d=sendgrid.net a=rsa-sha256 SSL
#Oct 26 08:00:58 nada opendkim[452]: 19Q60oUL009449: s=s1 d=alloffice.se a=rsa-sha256 SSL
#Oct 26 08:02:39 nada opendkim[452]: 19Q62XN9009466: s=dk d=s6.csa2.acemsa2.com a=rsa-sha256 SSL
#Oct 26 08:03:24 nada opendkim[452]: 19Q63GTn009473: s=neolane d=email.hm.com a=rsa-sha256 SSL
#Oct 26 08:05:29 nada opendkim[452]: 19Q65Jlq009498: s=bedrock d=lrfsamkop.se a=rsa-sha1 SSL
#Oct 26 08:07:42 nada opendkim[452]: 19Q67at9009525: s=key1 d=s8.uwentos.ru a=rsa-sha1 SSL
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: s=[-.[:alnum:]]+ d=[-.[:alnum:]]+ a=[-.[:alnum:]]+ SSL

2
logcheck-fw-saslauthd
View File

@@ -9,3 +9,5 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: (do_auth)?[[:blank:]]+: auth failure: \[user=([[:print:]]+)?\] \[service=(smtp)?\] \[realm=([[:print:]]+)?\] \[mech=(pam|shadow)\] \[reason=(Unknown|PAM auth error|Invalid username|Incorrect password)\]
#Oct 26 09:44:50 nada saslauthd[275]: : NULL password received
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: (do_auth)?[[:blank:]]+: NULL password received

38
logcheck_debian
View File

@@ -8,7 +8,8 @@
# Mar 24 18:13:26 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=fredmiranda@mc-cabe.com uid=0 euid=0 tty=dovecot ruser=fredmiranda@mc-cabe.com rhost=41.105.13.141
# Mar 24 18:13:26 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=fredmiranda@mc-cabe.com rhost=41.105.13.141
# Mar 7 21:39:47 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=jras_81 uid=0 euid=0 tty=dovecot ruser=jras_81 rhost=177.101.130.43
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_(krb5|unix)\((dovecot)?:auth\): authentication failure\; logname=([_-.@[:alnum:]]+)? uid=[[:digit:]]+ euid=[[:digit:]]+ tty=(dovecot)? ruser=([_-.@[:alnum:]]+)? rhost=([.:[:xdigit:]]+)?
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_(krb5|unix)\((dovecot)?:auth\): authentication failure
#\; logname=([_-.@[:alnum:]]+)? uid=[[:digit:]]+ euid=[[:digit:]]+ tty=(dovecot)? ruser=([_-.@[:alnum:]]+)? rhost=([.:[:xdigit:]]+)?
# Mar 23 19:49:48 nada auth: pam_unix(dovecot:auth): check pass; user unknown
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_unix\(dovecot:auth\): check pass; user unknown
@@ -331,41 +332,6 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: DNS format error from [\#.[:digit:]]+ resolving [-_.[:alnum:]]+/DS: Name . \(SOA\) not subdomain of zone org -- invalid response
#
# OPENDKIM
#
#Sep 14 02:16:29 nada opendkim[21955]: x8E0GOqX026235: mta15.achatdesoffres.be [149.202.159.102] not internal
#Sep 14 02:20:37 nada opendkim[21955]: x8E0KXlB026281: [194.36.142.89] [194.36.142.89] not internal
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: ([-._[:alnum:]]+|\[[.[:digit:]]+\]) \[[.[:digit:]]+\] not internal
#Sep 14 02:16:29 nada opendkim[21955]: x8E0GOqX026235: not authenticated
#Sep 14 10:10:49 nada opendkim[21955]: x8E8AjNd008607: no signature data
#Sep 15 09:59:26 nada opendkim[21955]: x8F7xMhM010212: bad signature data
#Sep 14 11:30:22 nada opendkim[21955]: x8E9UENg009655: failed to parse Authentication-Results: header field
#Sep 15 13:25:02 nada opendkim[21955]: x8FBOtch014266: failed to parse authentication-results: header field
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: (not authenticated|(bad|no) signature data|failed to parse [aA]uthentication-[rR]esults: header field)
#Sep 14 02:16:32 nada opendkim[21955]: x8E0GOqX026235: s=default d=achatdesoffres.be SSL
#Sep 14 11:30:25 nada opendkim[21955]: x8E9UENg009655: s=selector2-synsam-onmicrosoft-com d=synsam.onmicrosoft.com SSL
#Sep 14 13:12:07 nada opendkim[21955]: x8EBC3io011931: s=d2048-201806-01 d=linkedin.com SSL
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: s=[-._[:alnum:]]+ d=[-._[:alnum:]]+ SSL
#Sep 14 09:09:27 nada opendkim[21955]: x8E79KnS021433: message has signatures from duolingo.com, amazonses.com
#Sep 14 13:12:07 nada opendkim[21955]: x8EBC3io011931: message has signatures from linkedin.com, maile.linkedin.com
#Sep 14 13:47:35 nada opendkim[21955]: x8EBlUbo012372: message has signatures from dezeen.com, cmail2.com
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: message has signatures from [-._[:alnum:]]+, [-._[:alnum:]]+
#Sep 14 14:49:02 nada opendkim[21955]: x8ECmqeD013147: key retrieval failed (s=s1, d=autopay.io): 's1._domainkey.autopay.io' query timed out
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: key retrieval failed.*$
#Sep 14 02:16:32 nada sm-mta[26235]: x8E0GOqX026235: Milter insert (1): header: Authentication-Results: nada.wahlberg.se; dkim=pass\n\treason="1024-bit key; unprotected key"\n\theader.d=achatdesoffres.be header.i=@achatdesoffres.be\n\theader.b=IesLqRjT; dkim-adsp=pass; dkim-atps=neutral
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sm-mta\[[[:digit:]]+\]: [[:alnum:]]+: Milter insert.*$
#Nov 20 09:20:12 nada opendkim[504]: xAK8K5B8032017: no signing table match for 'gregory@mc-cabe.com'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: no signing table match for '.*'
#
# SASLAUTHD
#

25
testlog
View File

@@ -1,5 +1,6 @@
första raden i loggen
Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...
Oct 26 09:44:50 nada saslauthd[275]: : NULL password received
Mar 16 21:43:05 kvarnen named[8896]: master 66.23.226.92#53 (source 0.0.0.0#0) deleted from unreachable cache
Mar 16 21:43:05 kvarnen named[8896]: transfer of 'wahlberg.se/IN' from 66.23.226.92#53: connected using 95.170.86.14#37390
Mar 17 04:51:05 kvarnen freshclam[485]: Empty script main-56.cdiff, need to download entire database
@@ -677,9 +678,31 @@ Sep 14 12:11:07 nada sm-mta[11236]: x8EAB551011236: Milter insert (1): header: D
Sep 15 13:25:02 nada opendkim[21955]: x8FBOtch014266: failed to parse authentication-results: header field
Sep 15 09:59:26 nada opendkim[21955]: x8F7xMhM010212: bad signature data
Oct 29 09:03:40 nada spamd[11605]: spamd: connection from ::1 [::1]:33100 to port 783, fd 5
Oct 29 09:08:44 nada spamd[11605]: spamd: connection from ::1 [::1]:38096 to port 783, fd 5
Nov 20 09:20:12 nada opendkim[504]: xAK8K5B8032017: no signing table match for 'gregory@mc-cabe.com'
Dec 19 17:32:19 nada named[5082]: managed-keys-zone: Active key unexpectedly missing from dlv.isc.org
Oct 25 16:09:06 nada sendmail[6185]: STARTTLS=client: file /etc/letsencrypt/live/wahlberg.se-0005/cert.pem unsafe: Permission denied
Oct 25 16:09:06 nada sendmail[6185]: STARTTLS=client: file /etc/letsencrypt/live/wahlberg.se-0005/privkey.pem unsafe: Permission denied
Oct 25 16:09:06 nada sendmail[6185]: STARTTLS=client: file /etc/letsencrypt/live/wahlberg.se-0005/chain.pem unsafe: Permission denied
Oct 25 16:09:06 nada sendmail[6185]: STARTTLS=client, error: load verify locs /etc/letsencrypt/live/wahlberg.se, /etc/letsencrypt/live/wahlberg.se-0005/chain.pem failed: 0
Oct 25 16:09:06 nada sendmail[6185]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Oct 25 16:09:07 nada dovecot: imap(cali)<6187><VJ9j5y3PLGtU2IAZ>: Connection closed (LIST finished 0.681 secs ago) in=50 out=4627 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Oct 25 16:09:11 nada dovecot: imap(cali)<6191><0YeK5y3POWtU2IAZ>: Connection closed (UID FETCH finished 0.414 secs ago) in=2469 out=29554 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=815 body_count=1 body_bytes=10219
Oct 25 16:09:13 nada dovecot: imap(cali)<6202><AQ2/5y3PR2tU2IAZ>: Connection closed (UID FETCH finished 0.248 secs ago) in=1645 out=14821 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Oct 25 16:11:22 nada dovecot: imap(birgitta)<6227><UsN17y3PIZmwCoeK>: Connection closed (LIST finished 0.267 secs ago) in=50 out=1686 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Oct 25 16:11:25 nada dovecot: imap(birgitta)<6229><hy6R7y3PIpmwCoeK>: Connection closed (UID FETCH finished 0.651 secs ago) in=2167 out=75936 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=371 body_count=1 body_bytes=59017
Oct 25 16:11:28 nada dovecot: imap(birgitta)<6231><EUrG7y3PI5mwCoeK>: Connection closed (UID FETCH finished 0.308 secs ago) in=1343 out=13798 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Oct 25 16:12:03 nada dovecot: imap(birgitta)<6234><FIzn8S3PJ5mwCoeK>: Connection closed (LIST finished 0.427 secs ago) in=50 out=1686 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Oct 25 16:12:05 nada dovecot: imap(birgitta)<6236><V/gC8i3PKJmwCoeK>: Connection closed (UID FETCH finished 0.295 secs ago) in=1906 out=15850 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Oct 25 16:12:08 nada dovecot: imap(birgitta)<6238><HrMj8i3PKZmwCoeK>: Connection closed (UID FETCH finished 0.351 secs ago) in=1343 out=13806 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Oct 25 16:12:10 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=fredrik uid=0 euid=0 tty=dovecot ruser=fredrik rhost=46.59.26.111
Oct 25 16:13:00 nada dovecot: imap(fredrik)<6240><99Nk8i3P18suOxpv>: Logged out in=2119 out=386189 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=1 body_bytes=26072
Oct 26 08:00:43 nada opendkim[452]: 19Q60b6K009441: s=smtpapi d=sendgrid.net a=rsa-sha256 SSL
Oct 26 08:00:58 nada opendkim[452]: 19Q60oUL009449: s=s1 d=alloffice.se a=rsa-sha256 SSL
Oct 26 08:02:39 nada opendkim[452]: 19Q62XN9009466: s=dk d=s6.csa2.acemsa2.com a=rsa-sha256 SSL
Oct 26 08:03:24 nada opendkim[452]: 19Q63GTn009473: s=neolane d=email.hm.com a=rsa-sha256 SSL
Oct 26 08:05:29 nada opendkim[452]: 19Q65Jlq009498: s=bedrock d=lrfsamkop.se a=rsa-sha1 SSL
Oct 26 08:07:42 nada opendkim[452]: 19Q67at9009525: s=key1 d=s8.uwentos.ru a=rsa-sha1 SSL
Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...
Aug 23 18:39:24 nada fredrik[1713]: Sista raden