From bc04dc73062a5193a8ac637770f8c6465171813b Mon Sep 17 00:00:00 2001
From: Fredrik Wahlberg
Date: Tue, 19 May 2026 19:44:51 +0200
Subject: [PATCH] Nya uppdateringar
---
#logcheck-fw-dovecot# | 12 +++++
#logcheck-fw-named# | 123 ++++++++++++++++++++++++++++++++++++++++++
logcheck-fw-named | 9 +++-
logcheck-fw-saslauthd | 5 +-
logcheck_debian | 114 +++++++++++++++++++++++++++++++++++++++
testlog | 7 ++-
6 files changed, 267 insertions(+), 3 deletions(-)
create mode 100644 #logcheck-fw-dovecot#
create mode 100644 #logcheck-fw-named#
diff --git a/#logcheck-fw-dovecot# b/#logcheck-fw-dovecot#
new file mode 100644
index 0000000..450957d
--- /dev/null
+++ b/#logcheck-fw-dovecot#
@@ -0,0 +1,12 @@
+#Oct 25 06:13:28 nada dovecot: imap(fredrik)<24465>: Connection closed (LIST finished 0.620 secs ago) in=50 out=4460 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+#Oct 25 11:10:57 nada dovecot: imap(cali)<31529>: Connection closed (LIST finished 0.658 secs ago) in=50 out=4627 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+#Oct 25 11:11:00 nada dovecot: imap(cali)<31531>: Connection closed (UID FETCH finished 0.341 secs ago) in=2206 out=17894 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+#Oct 25 16:09:13 nada dovecot: imap(cali)<6202>: Connection closed (UID FETCH finished 0.248 secs ago) in=1645 out=14821 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+#Oct 25 16:12:05 nada dovecot: imap(birgitta)<6236>: Connection closed (UID FETCH finished 0.295 secs ago) in=1906 out=15850 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+#Oct 25 16:13:00 nada dovecot: imap(fredrik)<6240><99Nk8i3P18suOxpv>: Logged out in=2119 out=386189 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=1 body_bytes=26072
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\)<[[:alnum:]]+><[\/[:alnum:]]+>: (Connection closed|Logged out in).*
+
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sendmail\[[[:digit:]]+\]: STARTTLS=client(:|,)
+
diff --git a/#logcheck-fw-named# b/#logcheck-fw-named#
new file mode 100644
index 0000000..138e99f
--- /dev/null
+++ b/#logcheck-fw-named#
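Review bot: The dovecot rule at the bottom of this hunk requires two `<…>` groups (`<[[:alnum:]]+><[\/[:alnum:]]+>`), but five of the six sample lines above it carry only the `<pid>` group, so only the `Logged out` sample is matched and the `Connection closed` lines keep being reported; make the session id optional: `imap\([[:alnum:]]+\)<[[:alnum:]]+>(<[\/[:alnum:]]+>)?: (Connection closed|Logged out in).*`. The file name `#logcheck-fw-dovecot#` is the Emacs autosave form and the diffstat touches no plain `logcheck-fw-dovecot`, so this looks committed by accident; move the rules into a properly named file and add `\#*\#` to .gitignore (if logcheck still filters rule-file names run-parts-style, a name containing `#` is never loaded, so as committed these rules would not be applied at all — confirm against the installed version). The `sendmail … STARTTLS=client(:|,)` rule has nothing to do with dovecot and belongs next to the other sendmail STARTTLS rules in logcheck_debian.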
@@ -0,0 +1,123 @@ +# +# NAMED +# +#Mar 11 06:34:44 nada named[1771]: received control channel command 'reload' +#Mar 11 06:34:44 nada named[1771]: reading built-in trusted keys from file '/etc/bind/bind.keys' +#Mar 11 06:34:44 nada named[1771]: sizing zone task pool based on 21 zones +#Mar 11 06:34:44 nada named[1771]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: (Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones|sizing zone task pool based on [[:digit:]]+ zones|received control channel command 'reload( [.[:alnum:]]+)?'|reading built-in trusted keys from file '/etc/bind/bind.keys') + +#Mar 10 06:43:39 nada named[1771]: client 95.170.86.14#50337: received notify for zone 'happysthlm.com' +#Feb 6 01:00:04 nada named[2607]: client @0xf25c9754 46.21.104.9#50736: received notify for zone 'thulin.info' +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client( .*)? 
[.:[:xdigit:]]+\#[[:digit:]]+: received notify for zone '[-.[:alnum:]]+' + +#Mar 13 19:06:05 nada named[1771]: client 95.170.86.14#54781: transfer of 'stiy.com/IN': IXFR ended +#Mar 3 18:45:43 nada named[31321]: client 46.21.104.9#48923: transfer of 'wahlberg.se/IN': AXFR-style IXFR started +#Mar 3 18:45:43 nada named[31321]: client 46.21.104.9#48923: transfer of 'wahlberg.se/IN': AXFR-style IXFR ended +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [.:[:xdigit:]]+\#[[:digit:]]+: transfer of '[-.[:alnum:]]+/IN':( AXFR-style) IXFR (started|ended) + +#Mar 11 06:34:44 nada named[1771]: reloading configuration succeeded +#Mar 11 06:34:44 nada named[1771]: reloading zones succeeded +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: reloading (configuration|zones) succeeded + +#Mar 11 06:34:44 nada named[1771]: using default UDP/IPv4 port range: [1024, 65535] +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: using default UDP/IPv(4|6) port range: \[[[:digit:]]+, [[:digit:]]+\] + +#Mar 13 19:02:30 kvarnen named[8896]: transfer of 'acroyoga.se/IN' from 66.23.226.92#53: Transfer completed: 0 messages, 0 records, 0 bytes, 127.193 secs (0 bytes/sec) +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: transfer of '[-.[:alnum:]]+/IN' from [.[:digit:]]+#[[:digit:]]+: Transfer completed: [[:digit:]]+ messages, [[:digit:]]+ records, [[:digit:]]+ bytes, [.[:digit:]]+ secs \([[:digit:]]+ bytes/sec\) + +#Mar 21 05:58:39 kvarnen named[8896]: transfer of 'happysthlm.se/IN' from 66.23.226.92#53: connected using 95.170.86.14#33872 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: transfer of '[-.[:alnum:]]+/IN' from [.[:digit:]]+#[[:digit:]]+: connected using [.[:digit:]]+#[[:digit:]]+ + +#Mar 21 05:58:32 kvarnen named[8896]: zone happysthlm.se/IN: refresh: retry limit for master 66.23.226.92#53 exceeded (source 0.0.0.0#0) +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: zone 
[-.[:alnum:]]+/IN: refresh: retry limit for master [.[:digit:]]+#[[:digit:]]+ exceeded \(source [.[:digit:]]+#[[:digit:]]+\) + +#Mar 16 21:43:05 kvarnen named[8896]: master 66.23.226.92#53 (source 0.0.0.0#0) deleted from unreachable cache +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: master [.[:digit:]]+#[[:digit:]]+ \(source [.[:digit:]]+#[[:digit:]]+\) deleted from unreachable cache + +#Mar 24 02:08:41 nada named[5002]: client 192.42.132.103#45345: notify question section contains no SOA +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [#.[:digit:]]+: notify question section contains no SOA + +#Mar 26 21:45:26 nada named[5002]: managed-keys-zone ./IN: No DNSKEY RRSIGs found for '.': success +#Apr 2 22:17:28 nada named[300]: managed-keys-zone: No DNSKEY RRSIGs found for '.': succes +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: managed-keys-zone( ./IN)?: No DNSKEY RRSIGs found for '.': success + +#Apr 2 22:49:14 nada named[5002]: managed-keys-zone ./IN: Unable to fetch DNSKEY set 'dlv.isc.org': SERVFAIL +#Apr 13 16:22:06 nada named[296]: managed-keys-zone: Unable to fetch DNSKEY set 'dlv.isc.org': SERVFAIL +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: managed-keys-zone( ./IN)?: Unable to fetch DNSKEY set '[.[:alnum:]]+': SERVFAIL + +#Dec 19 17:32:19 nada named[5082]: managed-keys-zone: Active key unexpectedly missing from dlv.isc.org +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: managed-keys-zone: Active key unexpectedly missing from dlv.isc.org + +#Feb 5 21:24:45 nada named[2607]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete) +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: managed-keys-zone: Key [[:digit:]]+ for zone . is now trusted \(acceptance timer complete\) + + +#Mar 26 21:45:26 nada named[5002]: validating @0xb82ba940: . 
NS: got insecure response; parent indicates it should be secure +#Jan 22 00:09:11 nada named[5354]: validating ns2.ninjashost.net.br/A: got insecure response; parent indicates it should be secure +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: validating [.@\/[:alnum:]]+(: . NS)?: got insecure response; parent indicates it should be secure + +#Apr 10 05:59:24 marconi named[7781]: validating formelracing.se/SOA: no valid signature found +#Apr 10 05:59:24 marconi named[7781]: validating formelracing.se/A: no valid signature found +#Apr 10 05:59:24 marconi named[7781]: validating cmqpg0nlq5bi4s4ucti6jj2avrd7mhtj.formelracing.se/NSEC3: no valid signature found +#Dec 2 12:09:09 nada named[256]: validating shsye.org/NS: no valid signature found +#Dec 2 12:09:09 nada named[256]: validating 20150901._domainkey.smgrid.com/NSEC: no valid signature found +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]:[[:space:]]+validating [-_.[:alnum:]]+/[[:alnum:]]+: no valid signature found + +#Mar 3 18:03:34 marconi named[27570]: transfer of 'wahlberg.se/IN' from 66.23.226.92#53: Transfer status: success +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: transfer of '[-.[:alnum:]]+/IN' from [#.[:digit:]]+: Transfer status: success + +#Mar 4 15:06:28 marconi named[27570]: client 113.240.250.154#43169: message parsing failed: bad compression pointer +#Apr 20 20:40:11 marconi named[11602]: client 125.64.94.201#52717: message parsing failed: bad label type +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [#.[:digit:]]+: message parsing failed: bad (compression pointer|label type) + +#Mar 16 10:33:41 nada named[31321]: zone happysthlm.se/IN: loaded serial 2017031600 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: zone [-.[:alnum:]]+/IN: loaded serial [[:digit:]]+ + +#Apr 10 06:49:43 nada named[297]: automatic empty zone: 10.IN-ADDR.ARPA +#Apr 10 06:49:43 nada named[297]: automatic empty zone: 
8.B.D.0.1.0.0.2.IP6.ARPA +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: automatic empty zone: [.[:alnum:]]+(IN-ADDR|IP6).ARPA + +#Apr 11 06:48:06 nada named[297]: all zones loaded +#Apr 11 06:48:06 nada named[297]: running +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: (all zones loaded|running) + +#Apr 11 06:48:06 nada rndc[15568]: server reload successful +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rndc\[[[:digit:]]+\]: server reload successful + +#Apr 13 00:24:51 marconi named[7781]: DNS format error from 8.8.8.8#53 resolving slashdot.org/DS: Name . (SOA) not subdomain of zone org -- invalid response +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: DNS format error from [\#.[:digit:]]+ resolving [-_.[:alnum:]]+/DS: Name . \(SOA\) not subdomain of zone org -- invalid response + +#Oct 28 07:54:13 nada named[368]: client @0xf242cb64 104.180.184.102#80 (.): query failed (REFUSED) for ./IN/RRSIG at query.c:5498 +#Oct 28 06:17:36 nada named[368]: client @0xf2443044 205.185.124.172#52570 (pizzaseo.com): query failed (REFUSED) for pizzaseo.com/IN/RRSIG at query.c:5498 +#Oct 28 18:02:12 nada named[368]: client @0xf243df14 146.88.240.4#52092 (4217e25c.asert-dns-research.com): query failed (REFUSED) for 4217e25c.asert-dns-research.com/IN/A at query.c:5498 +#Dec 2 12:09:09 nada named[256]: client @0xf25d0a70 127.0.0.1#33754 (mail._domainkey.ahrenbecks.se): query failed (failure) for mail._domainkey.ahrenbecks.se/IN/A at query.c:7465 +#Jan 20 19:12:46 nada named[256]: client @0xf20be340 45.148.10.241#23353 (e\003co): query failed (REFUSED) for e\003co/IN/ANY at query.c:5560 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [@[:alnum:]]+ [\#.[:digit:]]+ \([-_.\\[:alnum:]]+\): + +#Feb 2 14:16:36 nada named[11745]: _default: sending trust-anchor-telemetry query '_ta-4f66/NULL' +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: _default: sending trust-anchor-telemetry query '_ta-4f66/NULL' + + 
+#Dec 1 18:09:32 nada named[256]: checkhints: b.root-servers.net/A (170.247.170.2) missing from hints +#Dec 1 00:38:25 nada named[256]: checkhints: l.root-servers.net/AAAA (2001:500:3::42) extra record in hints +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: checkhints: [-_.[:alnum:]]+/[[:alnum:]]+ + + +#Jan 20 06:49:10 nada named[256]: client @0xf1e2aeb0 155.4.86.220#37125/key fredrik.wahlberg.se: signer "fredrik.wahlberg.se" approved +#Jan 20 06:49:10 nada named[256]: client @0xf1e2aeb0 155.4.86.220#37125/key fredrik.wahlberg.se: updating zone 'wahlberg.se/IN': deleting rrset at 'casanegra.wahlberg.se' A +#Jan 20 06:49:10 nada named[256]: client @0xf1e2aeb0 155.4.86.220#37125/key fredrik.wahlberg.se: updating zone 'wahlberg.se/IN': adding an RR at 'casanegra.wahlberg.se' A 155.4.86.220 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [@[:alnum:]]+ [\#.[:digit:]]+/key fredrik.wahlberg.se + +#Jan 20 06:09:13 nada named[256]: skipping nameserver 'ns2.seotraininghut.com' because it is a CNAME, while resolving 'root._domainkey.bbchempack.com/A' +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: skipping nameserver + +#Jun 8 01:01:04 nada nscd: 28428 den övervakade filen ”/etc/resolv.conf” var moved into place, lägger till vakt +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nscd: [[:digit:]]+ den övervakade filen ”/etc/resolv.conf” var moved into place, lägger till vakt + +#May 17 14:53:36 nada named[5062]: missing expected cookie from 211.216.50.150#53 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: missing expected cookie from [#.[:digit:]]+ + +#May 17 19:22:07 nada named[5062]: clients-per-query decreased to 27 +#May 17 19:42:07 nada named[5062]: clients-per-query decreased to 26 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: clients-per-query decreased to [[:digit:]]+ diff --git a/logcheck-fw-named b/logcheck-fw-named index 65f4c48..200b8ec 100644 --- a/logcheck-fw-named 
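Review bot: `#logcheck-fw-named#` is an Emacs autosave copy of `logcheck-fw-named` (it ends with the same `missing expected cookie` and `clients-per-query` rules that the real file gains in this commit), so it should be dropped from the commit rather than kept as a second rule set. One rule in it is worth fixing in the real file before it spreads: `client [@[:alnum:]]+ [\#.[:digit:]]+ \([-_.\\[:alnum:]]+\):` has no tail, so it silences every named message with a `client … (name):` prefix — the sampled `query failed (REFUSED)` lines, but presumably also the query-denied and update-refused messages that are the main sign of someone probing the resolver. Pin it to what the samples show: `client [@[:alnum:]]+ [\#.[:digit:]]+ \([-_.\\[:alnum:]]+\): query failed \((REFUSED|failure)\) for [-_.\\/[:alnum:]]+ at query\.c:[[:digit:]]+`. The notify and transfer rules near the top also write `\#` outside a bracket expression; GNU grep 3.8 and newer warn about that stray backslash on every run, and a bare `#` matches the same thing (the `from [.[:digit:]]+#[[:digit:]]+` rules already do it that way).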
+++ b/logcheck-fw-named
@@ -113,4 +113,11 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: skipping nameserver
 #Jun 8 01:01:04 nada nscd: 28428 den övervakade filen ”/etc/resolv.conf” var moved into place, lägger till vakt
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nscd: [[:digit:]]+ den övervakade filen ”/etc/resolv.conf” var moved into place, lägger till vakt
\ No newline at end of file
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nscd: [[:digit:]]+ den övervakade filen ”/etc/resolv.conf” var moved into place, lägger till vakt
+
+#May 17 14:53:36 nada named[5062]: missing expected cookie from 211.216.50.150#53
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: missing expected cookie from [#.[:digit:]]+
+
+#May 17 19:22:07 nada named[5062]: clients-per-query decreased to 27
+#May 17 19:42:07 nada named[5062]: clients-per-query decreased to 26
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: clients-per-query decreased to [[:digit:]]+
\ No newline at end of file
diff --git a/logcheck-fw-saslauthd b/logcheck-fw-saslauthd
index 62a6a74..ccf1a8d 100644
--- a/logcheck-fw-saslauthd
+++ b/logcheck-fw-saslauthd
@@ -10,4 +10,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: (do_auth)?[[:blank:]]+: auth failure: \[user=([[:print:]]+)?\] \[service=(smtp)?\] \[realm=([[:print:]]+)?\] \[mech=(pam|shadow)\] \[reason=(Unknown|PAM auth error|Invalid username|Incorrect password)\]
 #Oct 26 09:44:50 nada saslauthd[275]: : NULL password received
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: (do_auth)?[[:blank:]]+: NULL password received
+#May 16 23:23:44 nada saslauthd[18364]: : NULL login received
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: (do_auth)?[[:blank:]]+: NULL (password|login) received
+
+
diff --git a/logcheck_debian b/logcheck_debian
index dd8eb34..426e3a7 100644
--- a/logcheck_debian
+++ b/logcheck_debian
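Review bot: The new `missing expected cookie from [#.[:digit:]]+` rule only matches IPv4 peers, whereas the notify rule in the `#logcheck-fw-named#` copy of this file already accepts IPv6 with `[.:[:xdigit:]]+\#[[:digit:]]+`; if this resolver talks to any IPv6 authoritative server those lines will keep reaching the report. Use the same class here: `missing expected cookie from [.:[:xdigit:]]+#[[:digit:]]+`. The `clients-per-query decreased` rule is fine as written; leaving the `increased` variant unmatched is what keeps the load/abuse signal visible, so a one-line comment above it (`# 'increased' is deliberately not ignored: it signals query floods`) would stop the next edit from widening it. Restoring the newline on the old last line is good, but the hunk still ends with `\ No newline at end of file`.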
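Review bot: `NULL login received` and the existing `NULL password received` are what saslauthd logs when a client presents an empty username or password, i.e. mostly AUTH probing; ignoring them is reasonable, but these lines carry no client address, so after this change the only trace of such attempts is the sm-mta side (`AUTH … relay=[…]` lines, which this hunk does not touch) — confirm those are still reported before relying on that. The sample shows a single space between the two colons (`saslauthd[18364]: : NULL login received`) while the rule demands `(do_auth)?[[:blank:]]+:`, at least one blank after the first `: `; that only matches if the real message carries the padded function field, so check it against the raw log line rather than the copy in testlog. Two trailing blank lines are added at the end of the file; one is enough.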
@@ -410,3 +410,117 @@ #Jan 22 00:01:04 nada nscd: 271 den övervakade filen ”/etc/resolv.conf” var moved into place, lägger till vakt ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nscd: 271 den övervakade filen ”/etc/resolv.conf” var moved into place, lägger till vakt +#May 17 21:16:19 nada sm-mta[13757]: 64HJGGtv013757: Milter: data, reject=554 5.7.1 Spam message rejected +#May 17 21:16:28 nada sm-mta[13759]: 64HJGQIQ013759: Milter: data, reject=554 5.7.1 Spam message rejected +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: Milter: data, reject=451 4.3.2 Please try again later + +#Apr 9 09:51:26 nada sm-mta[6169]: u397pP13006169: rejecting commands from [113.240.250.156] [113.240.250.156] due to pre-greeting traffic after 1 seconds +#Mar 23 19:07:02 nada sm-mta[20228]: v2NI71CW020228: rejecting commands from ec2-35-165-194-208.us-west-2.compute.amazonaws.com [35.165.194.208] due to pre-greeting traffic after 1 seconds +#Mar 23 23:44:38 nada sm-mta[17761]: v2NMibVZ017761: rejecting commands from ecs-160-44-202-130.reverse.open-telekom-cloud.com [160.44.202.130] due to pre-greeting traffic after 1 seconds +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: rejecting commands from (\[[.[:digit:]]+\]|[-.[:alnum:]]+) \[[.[:digit:]]+\] due to pre-greeting traffic after [[:digit:]]+ seconds + +#Apr 15 10:25:06 nada sm-mta[23906]: u3F8P26J023665: u3F8P66I023906: DSN: Service unavailable +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: [[:alnum:]]+: DSN: Service unavailable + +#Mar 17 11:32:29 nada sm-mta[775]: v2HAWQ2g000768: v2HAWT2f000775: DSN: Host unknown (Name server: hgadvokat.se: host not found) +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: [[:alnum:]]+: DSN: Host unknown \(Name server: +#[-.[:alnum:]]+: host not found\) + + +#Apr 14 11:05:05 nada sm-mta[15662]: u3E955KV015662: li1068-122.members.linode.com [106.184.3.122]: probable open proxy: command=GET http://www.ipip.net/ HTTP/1.1\r\n +#Apr 
20 15:10:44 nada sm-mta[5182]: u3KDAiZT005182: li1068-122.members.linode.com [106.184.3.122]: probable open proxy: command=GET / HTTP/1.1\r\n
+#Mar 20 04:00:44 nada sm-mta[21983]: v2K30iPx021983: [180.163.2.117]: probable open proxy: command=GET / HTTP/1.1\r\n
+#Apr 12 15:05:34 nada sm-mta[20644]: v3CD5WoV020644: [60.191.40.195]: probable open proxy: command=GET / HTTP/1.0\r\n
+#Jan 20 20:45:31 nada sm-mta[27401]: 40KJjVOo027401: ec2-13-40-30-39.eu-west-2.compute.amazonaws.com [13.40.30.39]: probable open proxy: command=GET /logon.htm HTTP/1.1\r\n
+#Jan 20 20:50:45 nada sm-mta[27482]: 40KJojHp027482: ec2-13-40-30-39.eu-west-2.compute.amazonaws.com [13.40.30.39]: probable open proxy: command=GET /login.jsp HTTP/1.1\r\n
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: .*: probable open proxy: command=GET (http://www.ipip.net)?/ HTTP/1.(0|1)\\r\\n
+
+#Oct 24 06:04:11 nada sm-mta[7813]: STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
+
+#Oct 24 06:04:11 nada sm-mta[7813]: STARTTLS=client: 7813:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:757:
+#Oct 24 17:54:12 nada sm-mta[11900]: STARTTLS=client: 11900:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:757:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS=client: [[:digit:]]+:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:757:
+
+#Oct 24 06:04:11 nada sm-mta[7813]: ruleset=tls_server, arg1=SOFTWARE, relay=mail.adlibris.com, reject=403 4.7.0 TLS handshake failed.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: ruleset=tls_server, arg1=SOFTWARE, relay=[.[:alnum:]]+, reject=403 4.7.0 TLS handshake failed.
+
+#Mar 4 09:14:31 nada sm-mta[25219]: v248EUKL025219: AUTH decode64 error [-5 for "Y2FzdG9yQHdhaGxiZXJnLnNlAGNhc3RvckB3YWhsYmVyZy5zZQBwb2tlbW9uDQ==\r"], relay=[156.67.106.207]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: AUTH decode64 error \[-5 for "Y2FzdG9yQHdhaGxiZXJnLnNlAGNhc3RvckB3YWhsYmVyZy5zZQBwb2tlbW9uDQ==\\r"\], relay=\[[.:[:digit:]]+\]
+
+#Mar 6 23:47:37 nada sm-mta[11119]: v26MlObG011113: Fixed MIME Content-Type header field (possible attack)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: Fixed MIME Content-Type header field \(possible attack\)
+
+#Mar 8 07:31:45 nada sm-mta[16598]: v286VitB016598: AUTH decode64 error [-5 for "Y2FzdG9yAGNhc3RvcgBwb2tlbW9uDQ==\r"], relay=[156.67.106.207]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: AUTH decode64 error \[-5 for "[=\\[:alnum:]]+"\], relay=\[[.:[:digit:]]+\]
+
+#Mar 16 03:41:06 nada sm-mta[28708]: STARTTLS: write error=syscall error (-1), errno=32, get_error=error:00000000:lib(0):func(0):reason(0), retry=99, ssl_err=5
+#Sep 12 10:27:41 nada sm-mta[4522]: STARTTLS: read error=syscall error (-1), errno=104, get_error=error:00000000:lib(0):func(0):reason(0), retry=1, ssl_err=5
+#Sep 8 20:49:21 nada sm-mta[14243]: STARTTLS: read error=syscall error (-1), errno=110, get_error=error:00000000:lib(0):func(0):reason(0), retry=1, ssl_err=5
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS: (read|write) error=syscall error \(-1\), errno=[[:digit:]]+, get_error=error:00000000:lib\(0\):func\(0\):reason\(0\), retry=(1|99), ssl_err=5
+
+#Apr 10 19:18:06 nada sendmail[17597]: v3AHI6dq017597: Authentication-Warning: nada.wahlberg.se: www-data set sender to katarina@happysthlm.se using -f
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sendmail\[[0-9]+\]: [[:alnum:]]+: Authentication-Warning: nada.wahlberg.se: www-data set sender to [.@[:alnum:]]+ using -f
+
+
+
+#
+# SUHOSIN
+#
+
+#Mar 11 
21:08:21 nada suhosin[30831]: ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker '91.121.230.152', file '/home/happysthlm/www.happysthlm.se/wp/xmlrpc.php')
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - dropped [[:digit:]]+ request variables - \([[:digit:]]+ in GET, [[:digit:]]+ in POST, [[:digit:]]+ in COOKIE\) \(attacker '[.[:digit:]]+', file '.*'\)
+
+#Mar 11 21:10:17 nada suhosin[30832]: ALERT - configured request variable name length limit exceeded - dropped variable
+#Aug 23 06:06:16 nada suhosin[4003]: ALERT - configured GET variable value length limit exceeded - dropped variable 'page' (attacker '216.172.189.152', file '/home/fredrik/www.wahlis.com/dnsupdate/man.php')
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - configured (GET|request) variable (value|name) length limit exceeded - dropped variable
+
+#Apr 19 21:14:31 nada suhosin[28060]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'file' (attacker '62.210.203.159', file '/home/happysthlm/www.happysthlm.se/index.php')
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'file' \(attacker '[.[:digit:]]+', file '.*'\)
+
+
+
+#
+# Systemd
+#
+
+#Oct 13 08:31:17 kvarnen systemd[1]: Starting Cleanup of Temporary Directories...
+#Oct 13 08:31:17 kvarnen systemd[1]: Started Cleanup of Temporary Directories.
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: (Started|Starting) Cleanup of Temporary Directories.{1,3}
+
+#Apr 11 06:47:59 nada systemd: pam_unix(systemd-user:session): session opened for user nobody by (uid=0)
+#Apr 11 06:48:04 nada systemd: pam_unix(systemd-user:session): session closed for user nobody
+#Apr 18 17:29:30 nada systemd: pam_unix(systemd-user:session): session opened for user petter by (uid=0)
+#Apr 18 17:33:38 nada systemd: pam_unix(systemd-user:session): session closed for user petter
+#Apr 11 15:12:51 nada systemd: pam_unix(systemd-user:session): session closed for user fredrik
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session (opened|closed) for user (nobody|fredrik|petter)( by \(uid=0\))?
+
+
+
+#Apr 11 06:47:59 nada systemd-logind[306]: Existing logind session ID 264242 used by new audit session, ignoring
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Existing logind session ID [[:digit:]]+ used by new audit session, ignoring
+
+#Apr 11 06:47:59 nada systemd-logind[306]: New session c12 of user nobody.
+#Apr 11 06:47:59 nada systemd-logind[306]: Removed session c12.
+#Apr 11 10:58:01 nada systemd-logind[306]: New session c14 of user fredrik.
+#Apr 11 11:04:24 nada systemd-logind[306]: New session c15 of user fredrik.
+#Apr 18 17:29:30 nada systemd-logind[305]: New session c36 of user petter.
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: (Removed session [[:alnum:]]+.|New session [[:alnum:]]+ of user (nobody|fredrik|petter).)
+
+
+#Jan 20 08:06:05 nada dbus-daemon[240]: [system] Reloaded configuration
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dbus-daemon\[[[:digit:]]+\]: \[system\] Reloaded configuration
+
+
+#Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ fredrik\[[[:digit:]]+\]: Kontrollrad. Syns detta har vi problem...
+
+#Jan 22 00:01:04 nada nscd: 271 den övervakade filen ”/etc/resolv.conf” var moved into place, lägger till vakt
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nscd: 271 den övervakade filen ”/etc/resolv.conf” var moved into place, lägger till vakt
+
+#May 17 21:16:19 nada sm-mta[13757]: 64HJGGtv013757: Milter: data, reject=554 5.7.1 Spam message rejected
+#May 17 21:16:28 nada sm-mta[13759]: 64HJGQIQ013759: Milter: data, reject=554 5.7.1 Spam message rejected
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: Milter: data, reject=554 5.7.1 Spam message rejected
+
+
diff --git a/testlog b/testlog
index 002077d..00b3215 100644
--- a/testlog
+++ b/testlog
@@ -795,7 +795,12 @@ Jun 8 01:01:04 nada nscd: 28428 den övervakade filen ”/etc/resolv.conf” va
 Mar 20 18:03:13 nada pyspf-milter[30540]: connect from aws-45.mta.apsis1.com at ('185.64.73.45', 54529) EXTERNAL
 Mar 20 18:06:37 nada pyspf-milter[30540]: connect from s1-b441.socketlabs.email-od.com at ('142.0.180.65', 49374) EXTERNAL
 Mar 20 18:08:44 nada pyspf-milter[30540]: connect from [111.26.95.254] at ('111.26.95.254', 44678) EXTERNAL
-
+May 17 19:22:07 nada named[5062]: clients-per-query decreased to 27
+May 17 19:42:07 nada named[5062]: clients-per-query decreased to 26
+May 17 21:16:19 nada sm-mta[13757]: 64HJGGtv013757: Milter: data, reject=554 5.7.1 Spam message rejected
+May 17 21:16:28 nada sm-mta[13759]: 64HJGQIQ013759: Milter: data, reject=554 5.7.1 Spam message rejected
+May 17 14:53:36 nada named[5062]: missing expected cookie from 211.216.50.150#53
+May 16 23:23:44 nada saslauthd[18364]: : NULL login received
 Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...
 Aug 23 18:39:24 nada fredrik[1713]: Sista raden
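Review bot: The two `AUTH decode64 error` rules in this hunk suppress SASL AUTH attempts with malformed base64 from any `relay=[…]`, which is exactly how password guessing against the MTA shows up in this log; the first of them even pins the literal blob `Y2FzdG9yQHdhaGxiZXJnLnNlAGNhc3RvckB3YWhsYmVyZy5zZQBwb2tlbW9uDQ==`, which decodes to the PLAIN triple `castor@wahlberg.se NUL castor@wahlberg.se NUL pokemon`, i.e. a username/password pair (valid or not) now committed to the repository, and the generic second rule matches that line anyway. Drop both rules, or if the noise really must go keep only the generic one and say what it hides above it: `# hides brute-force AUTH attempts; relay= is the only address we would otherwise see`. Two copy errors nearby: the first `Milter: data, reject=…` rule sits under `554 5.7.1 Spam message rejected` samples but matches `reject=451 4.3.2 Please try again later` (the correct `554` rule is added again at the end of the hunk, next to a second copy of the `nscd: 271 …` rule that also hard-codes PID 271 where logcheck-fw-named uses `[[:digit:]]+`), and the `DSN: Host unknown \(Name server: ` rule lost its second half to a commented-out line, so it now only works as an accidental prefix match. The `Authentication-Warning: … www-data set sender to [.@[:alnum:]]+ using -f` rule ignores any envelope sender the web-server user sets; restricting it to the sampled domain (`[.[:alnum:]]+@happysthlm\.se`) keeps a compromised PHP application from mailing as anyone without a trace in the report.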