A few more lines

This commit is contained in:
Fredrik Wahlberg
2016-03-27 16:46:31 +02:00
parent af17a50de9
commit f81fba1f33
2 changed files with 120 additions and 10 deletions


@@ -1,3 +1,19 @@
#
# AUTH
#
# Mar 10 21:31:03 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=katarina rhost=66.23.226.92 user=katarina
# Mar 8 18:05:09 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=fredrik uid=0 euid=0 tty=dovecot ruser=fredrik rhost=::1
# Mar 23 19:49:48 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=petter@lidberg.se uid=0 euid=0 tty=dovecot ruser=petter@lidberg.se rhost=187.131.22.215
# Mar 23 19:49:48 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=petter@lidberg.se rhost=187.131.22.215
# Mar 24 18:13:26 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=fredmiranda@mc-cabe.com uid=0 euid=0 tty=dovecot ruser=fredmiranda@mc-cabe.com rhost=41.105.13.141
# Mar 24 18:13:26 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=fredmiranda@mc-cabe.com rhost=41.105.13.141
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_(krb5|unix)\(dovecot:auth\): authentication failure\; logname=([-.@[:alnum:]]+)? uid=[[:digit:]]+ euid=[[:digit:]]+ tty=dovecot ruser=[-.@[:alnum:]]+ rhost=[.:[:xdigit:]]+
# Mar 23 19:49:48 nada auth: pam_unix(dovecot:auth): check pass; user unknown
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_unix\(dovecot:auth\): check pass; user unknown
#
# CLAMAV
#
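Review bot: `authentication failure\;` in the first AUTH pattern uses `\;`, which is not a defined escape in POSIX ERE (`;` is not a metacharacter) and some engines reject it; write a bare `;`, as the `check pass; user unknown` pattern two lines below already does. The widening of the `logname=` and `ruser=` classes to `[-.@[:alnum:]]+` is a real fix, not just a move: the `[.@[:alnum:]]+` version being dropped from the SSHD section below could not match the hyphen in `fredmiranda@mc-cabe.com`, so those two Mar 24 lines would have kept showing up as unmatched. Worth a sentence in the commit message.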
@@ -113,6 +129,16 @@
#Mar 22 13:03:22 kvarnen dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=218.29.231.21, lip=95.170.86.14, session=<zjjk/6EudwDaHecV>
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3-login: (Disconnected|Aborted login) \(tried to use disallowed plaintext auth\): user=<>, rip=[.:[:digit:]]+, lip=[.:[:digit:]]+, session=<[+/[:alnum:]]+>
#Mar 24 13:04:10 nada dovecot: imap(ninnie): Warning: Subscriptions file /home/ninnie/Maildir/subscriptions: Removing invalid entry: mail/sent-mail
#Mar 24 13:04:10 nada dovecot: imap(ninnie): Warning: Subscriptions file /home/ninnie/Maildir/subscriptions: Removing invalid entry: mail/Trash
#Mar 24 13:04:10 nada dovecot: imap(ninnie): Warning: Subscriptions file /home/ninnie/Maildir/subscriptions: Removing invalid entry: mail/Drafts
#Mar 24 13:04:10 nada dovecot: imap(ninnie): Warning: Subscriptions file /home/ninnie/Maildir/subscriptions: Removing invalid entry: mail/mormors 100-&AOU-rsdag
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Warning: Subscriptions file [/[:alnum:]]+: Removing invalid entry:
#Mar 26 22:10:17 nada dovecot: pop3(ammis): Connection closed top=0/0, retr=29/1819516, del=0/73, size=4433634
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3\([[:alnum:]]+\): Connection closed top=[/[:digit:]]+, retr=[/[:digit:]]+, del=[/[:digit:]]+, size=[[:digit:]]+
#
# MONIT
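Review bot: the `imap\([[:alnum:]]+\)` and `pop3\([[:alnum:]]+\)` user classes only accept plain alphanumeric names, while the AUTH samples in this same file show logins such as `petter@lidberg.se` and `fredmiranda@mc-cabe.com`; a Dovecot warning for such a user would fall through unmatched. The `Subscriptions file [/[:alnum:]]+` path class has the same gap (no `.`, `_` or `-`). Something like `[-._@[:alnum:]]+` for the user and `[-._/[:alnum:]]+` for the path would cover the users this host actually has.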
@@ -120,8 +146,16 @@
#Mar 10 15:21:02 nada monit[5075]: 'localhost' loadavg(5min) of 2.3 matches resource limit [loadavg(5min)>2.0]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ monit\[[[:digit:]]+\]: 'localhost' loadavg\([[:digit:]]+min\) of [.[:digit:]]+ matches resource limit \[loadavg\([[:digit:]]+min\)>[.[:digit:]]+\]
#Mar 26 18:09:14 nada monit[5075]: 'localhost' 'localhost' cpu wait usage check succeeded [current cpu wait usage=0.0%]
#Mar 10 15:23:02 nada monit[5075]: 'localhost' 'localhost' loadavg(5min) check succeeded [current loadavg(5min)=1.8]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ monit\[[[:digit:]]+\]: 'localhost' 'localhost' loadavg\([[:digit:]]+min\) check succeeded \[current loadavg\([[:digit:]]+min\)=[.[:digit:]]+\]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ monit\[[[:digit:]]+\]: 'localhost' 'localhost' (loadavg\([[:digit:]]+min\)|cpu wait usage) check succeeded \[current (loadavg\([[:digit:]]+min\)|cpu wait usage)=[%.[:digit:]]+\]
#Mar 27 06:31:18 nada monit[5075]: 'clamav-milter' process PID changed from 26461 to 14050
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ monit\[[[:digit:]]+\]: '[-[:alnum:]]+' process PID changed from [[:digit:]]+ to [[:digit:]]+
#Mar 27 06:33:18 nada monit[5075]: 'clamav-milter' process PID has not changed since last cycle
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ monit\[[[:digit:]]+\]: '[-[:alnum:]]+' process PID has not changed since last cycle
#
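Review bot: the loadavg-only `check succeeded` pattern is fully subsumed by the combined `(loadavg\([[:digit:]]+min\)|cpu wait usage)` pattern on the following line, so only the combined one should remain. The `'[-[:alnum:]]+' process PID changed from ... to ...` pattern also deserves a second look: it silences an unexpected restart of any monitored process, and an unplanned PID change is usually the first sign of a daemon that crashed or was killed. Limiting the name to the process whose restarts are known to be benign here (the `clamav-milter` sample) keeps the noise out without hiding a restart of sshd or sendmail.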
@@ -161,6 +195,12 @@
#Mar 24 02:08:41 nada named[5002]: client 192.42.132.103#45345: notify question section contains no SOA
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [#.[:digit:]]+: notify question section contains no SOA
#Mar 26 21:45:26 nada named[5002]: managed-keys-zone ./IN: No DNSKEY RRSIGs found for '.': success
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: managed-keys-zone ./IN: No DNSKEY RRSIGs found for '.': success
#Mar 26 21:45:26 nada named[5002]: validating @0xb82ba940: . NS: got insecure response; parent indicates it should be secure
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: validating @0xb82ba940: . NS: got insecure response; parent indicates it should be secure
#
# SASLAUTHD
#
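Review bot: `validating @0xb82ba940:` hard-codes a pointer value that differs on every named run, so the pattern stops matching after the next restart; use `validating @0x[[:xdigit:]]+:`. Beyond that, both `got insecure response; parent indicates it should be secure` and `No DNSKEY RRSIGs found for '.'` report that DNSSEC validation of the root zone failed, which is a line an admin should see rather than one the ignore list should swallow. I would keep the `notify question section contains no SOA` pattern and drop the two validation ones.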
@@ -202,6 +242,17 @@
#Mar 22 13:31:42 nada sendmail[24653]: gethostbyaddr(127.0.0.2) failed: 1
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sendmail\[[[:digit:]]+\]: gethostbyaddr\(127.0.0.2\) failed: 1
# Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (greylist): write(Q) returned -1, expected 5: Broken pipe
# Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (spamassassin): write(Q) returned -1, expected 5: Broken pipe
# Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (clamav): write(Q) returned -1, expected 5: Broken pipe
# Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (greylist): to error state
# Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (spamassassin): to error state
# Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (clamav): to error state
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: Milter \([[:alnum:]]+\): (to error state|write\(Q\) returned -1, expected 5: Broken pipe)
#
# SPAMD
#
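Review bot: `write\(Q\) returned -1, expected 5` hard-codes the byte count; other milter commands write different lengths, so `expected [[:digit:]]+` is the safer form. More importantly, `Milter \(...\): to error state` is the message that a content filter (greylist, spamassassin, clamav) has dropped out of the mail path, and whether sendmail then accepts mail unscanned or tempfails it depends on the milter's configured default action; that is a condition to report, not to filter. The unescaped dots in `gethostbyaddr\(127.0.0.2\)` are harmless but `127\.0\.0\.2` is the intended meaning.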
@@ -211,6 +262,26 @@
#Mar 23 13:36:12 nada spamd[3731]: pyzor: check failed: internal error, python traceback seen in response
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: pyzor: check failed: internal error, python traceback seen in response
#Mar 26 06:57:06 nada spamd[17910]: server socket setup failed, retry 1: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: server socket setup failed, retry [[:digit:]]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
#Mar 26 06:57:15 nada spamd[17910]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
#Mar 26 06:57:09 nada spamd[17905]: spamd: server started on port 783/tcp (running version 3.3.2)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server started on port 783/tcp \(running version [.[:digit:]]+\)
#Mar 26 06:57:05 nada spamd[10050]: spamd: server hit by SIGHUP, restarting
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server hit by SIGHUP, restarting
#Mar 26 06:57:05 nada spamd[10050]: spamd: child [23926] killed successfully: interrupted, signal 2 (0002)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: child \[[[:digit:]]+\] killed successfully: interrupted, signal 2 \(0002\)
#Mar 26 06:57:05 nada spamd.pid[10050]: spamd: restarting using '/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir --user-config -d --pidfile=/var/run/spamd.pid'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd.pid\[[0-9]+\]: spamd: restarting using '/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir --user-config -d --pidfile=/var/run/spamd.pid'
#
# SSHD
#
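Review bot: `retry [[:digit:]]:` matches a single digit only; the testlog already reaches `retry 9`, so a tenth attempt would surface as unmatched. Use `[[:digit:]]+`. The testlog also shows what these lines mean: after the SIGHUP two spamd instances (17905 and 17910) raced for port 783, 17905 won and 17910 gave up with the bare `could not create INET socket on 127.0.0.1:783: Address already in use` line after nine retries. A failed restart of the spam filter is exactly what this file should not hide, so I would suppress only the `retry N` lines and leave the final failure pattern out. The `restarting using '/usr/sbin/spamd --create-prefs ...'` pattern is a literal copy of this host's command line and will need editing whenever the spamd options change.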
@@ -225,15 +296,8 @@
# Mar 8 12:09:30 nada sshd[26267]: Received disconnect from 199.91.135.158: 3: com.jcraft.jsch.JSchException: reject HostKey: 66.23.226.92 [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:digit:]]+: 3: (java.net.SocketTimeoutException|com.jcraft.jsch.JSchException): (reject HostKey: [.:[:digit:]]+|Auth fail|Read timed out) \[preauth\]
# Mar 10 21:31:03 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=katarina rhost=66.23.226.92 user=katarina
# Mar 8 18:05:09 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=fredrik uid=0 euid=0 tty=dovecot ruser=fredrik rhost=::1
# Mar 23 19:49:48 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=petter@lidberg.se uid=0 euid=0 tty=dovecot ruser=petter@lidberg.se rhost=187.131.22.215
# Mar 23 19:49:48 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=petter@lidberg.se rhost=187.131.22.215
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_(krb5|unix)\(dovecot:auth\): authentication failure\; logname=([.@[:alnum:]]+)? uid=[[:digit:]]+ euid=[[:digit:]]+ tty=dovecot ruser=[.@[:alnum:]]+ rhost=[.:[:xdigit:]]+
# Mar 23 19:49:48 nada auth: pam_unix(dovecot:auth): check pass; user unknown
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_unix\(dovecot:auth\): check pass; user unknown
#Mar 24 11:06:21 kvarnen sshd[5495]: channel 4: open failed: administratively prohibited: open failed
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: channel [[:digit:]]: open failed: administratively prohibited: open failed
#Mar 10 11:22:52 kvarnen sshd[12813]: error: PAM: Cannot make/remove an entry for the specified session for illegal user support from 40.76.54.16
#Mar 14 01:39:26 nada sshd[14346]: error: PAM: Cannot make/remove an entry for the specified session for root from 6e.a0.caa1.ip4.static.sl-reverse.com
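Review bot: `channel [[:digit:]]:` is single-digit and should be `[[:digit:]]+`. The two trailing `error: PAM: Cannot make/remove an entry for the specified session for illegal user support from 40.76.54.16` samples have no pattern yet; they are login attempts for a non-existent account (and for root from the second host) and are better left reported than added to the ignore list. In the `Received disconnect` pattern the dots in `java.net.SocketTimeoutException` and `com.jcraft.jsch.JSchException` are unescaped, and the `Auth fail` alternative suppresses failed-authentication disconnects from a JSch client, which are the same kind of signal as the PAM lines. Moving the four `pam_*(dovecot:auth)` samples and their two patterns out of this section and into AUTH is fine.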

testlog

@@ -85,4 +85,50 @@ Mar 23 19:49:48 nada auth: pam_unix(dovecot:auth): check pass; user unknown
Mar 23 19:49:48 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=petter@lidberg.se rhost=187.131.22.215
Mar 23 19:49:52 nada dovecot: imap-login: Aborted login (auth failed, 1 attempts in 4 secs): user=<petter@lidberg.se>, method=PLAIN, rip=187.131.22.215, lip=66.23.226.92, TLS, session=<K0NMy7sukQC7gxbX>
Mar 24 02:08:41 nada named[5002]: client 192.42.132.103#45345: notify question section contains no SOA
Mar 24 11:06:17 kvarnen sshd[5495]: channel 4: open failed: administratively prohibited: open failed
Mar 24 11:06:21 kvarnen sshd[5495]: channel 4: open failed: administratively prohibited: open failed
Mar 24 13:04:10 nada dovecot: imap(ninnie): Warning: Subscriptions file /home/ninnie/Maildir/subscriptions: Removing invalid entry: mail/sent-mail
Mar 24 13:04:10 nada dovecot: imap(ninnie): Warning: Subscriptions file /home/ninnie/Maildir/subscriptions: Removing invalid entry: mail/Trash
Mar 24 13:04:10 nada dovecot: imap(ninnie): Warning: Subscriptions file /home/ninnie/Maildir/subscriptions: Removing invalid entry: mail/Drafts
Mar 24 13:04:10 nada dovecot: imap(ninnie): Warning: Subscriptions file /home/ninnie/Maildir/subscriptions: Removing invalid entry: mail/mormors 100-&AOU-rsdag
Mar 24 14:05:39 nada sshd[16936]: Received disconnect from 91.193.74.7: 11: Bye [preauth]
Mar 24 18:13:26 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=fredmiranda@mc-cabe.com uid=0 euid=0 tty=dovecot ruser=fredmiranda@mc-cabe.com rhost=41.105.13.141
Mar 24 18:13:26 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=fredmiranda@mc-cabe.com rhost=41.105.13.141
Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (greylist): write(Q) returned -1, expected 5: Broken pipe
Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (greylist): to error state
Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (spamassassin): write(Q) returned -1, expected 5: Broken pipe
Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (spamassassin): to error state
Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (clamav): write(Q) returned -1, expected 5: Broken pipe
Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (clamav): to error state
Mar 25 19:44:04 nada sshd[20872]: Received disconnect from 91.193.74.33: 11: Bye [preauth]
Mar 26 06:57:05 nada spamd[10050]: spamd: server hit by SIGHUP, restarting
Mar 26 06:57:05 nada spamd[10050]: spamd: child [20105] killed successfully: interrupted, signal 2 (0002)
Mar 26 06:57:05 nada spamd[10050]: spamd: child [23926] killed successfully: interrupted, signal 2 (0002)
Mar 26 06:57:05 nada spamd.pid[10050]: spamd: restarting using '/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir --user-config -d --pidfile=/var/run/spamd.pid'
Mar 26 06:57:06 nada spamd[17910]: server socket setup failed, retry 1: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Mar 26 06:57:07 nada spamd[17910]: server socket setup failed, retry 2: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Mar 26 06:57:08 nada spamd[17910]: server socket setup failed, retry 3: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Mar 26 06:57:09 nada spamd[17905]: spamd: server started on port 783/tcp (running version 3.3.2)
Mar 26 06:57:09 nada spamd[17910]: server socket setup failed, retry 4: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Mar 26 06:57:10 nada spamd[17910]: server socket setup failed, retry 5: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Mar 26 06:57:11 nada spamd[17910]: server socket setup failed, retry 6: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Mar 26 06:57:12 nada spamd[17910]: server socket setup failed, retry 7: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Mar 26 06:57:13 nada spamd[17910]: server socket setup failed, retry 8: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Mar 26 06:57:14 nada spamd[17910]: server socket setup failed, retry 9: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Mar 26 06:57:15 nada spamd[17910]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Mar 26 16:18:46 nada sshd[3298]: Received disconnect from 91.193.74.33: 11: Bye [preauth]
Mar 26 17:21:15 kvarnen epmd: epmd: invalid packet size (18245)
Mar 26 18:09:14 nada monit[5075]: 'localhost' 'localhost' cpu wait usage check succeeded [current cpu wait usage=0.0%]
Mar 26 21:45:26 nada named[5002]: validating @0xb82ba940: . NS: got insecure response; parent indicates it should be secure
Mar 26 21:45:26 nada named[5002]: managed-keys-zone ./IN: No DNSKEY RRSIGs found for '.': success
Mar 26 22:10:17 nada dovecot: pop3(ammis): Connection closed top=0/0, retr=29/1819516, del=0/73, size=4433634
Mar 26 18:09:14 nada monit[5075]: 'localhost' 'localhost' cpu wait usage check succeeded [current cpu wait usage=0.0%]
Mar 26 21:45:26 nada named[5002]: validating @0xb82ba940: . NS: got insecure response; parent indicates it should be secure
Mar 26 21:45:26 nada named[5002]: managed-keys-zone ./IN: No DNSKEY RRSIGs found for '.': success
Mar 26 22:10:17 nada dovecot: pop3(ammis): Connection closed top=0/0, retr=29/1819516, del=0/73, size=4433634
Mar 27 06:31:18 nada monit[5075]: 'clamav-milter' process PID changed from 26461 to 14050
Mar 27 06:33:18 nada monit[5075]: 'clamav-milter' process PID has not changed since last cycle
Mar 27 10:28:35 nada sshd[2326]: Received disconnect from 91.193.74.33: 11: Bye [preauth]
Mar 27 10:28:38 nada sshd[2328]: Received disconnect from 91.193.74.33: 11: Bye [preauth]
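Review bot: the four lines from `Mar 26 18:09:14 nada monit[5075]: 'localhost' 'localhost' cpu wait usage check succeeded` through `Mar 26 22:10:17 nada dovecot: pop3(ammis): Connection closed` appear twice in this hunk, the second copy immediately after the first and out of chronological order; one copy should go. Two of the new lines are good negative tests for the ignore list and should stay unmatched: `epmd: epmd: invalid packet size (18245)` is 0x4745, the ASCII bytes `GE`, i.e. a client that sent the start of an HTTP `GET` request to epmd's 2-byte-length-prefixed protocol port, and the repeated `Received disconnect from 91.193.74.33: 11: Bye [preauth]` lines are pre-authentication disconnects from the same address over four days, which the SSHD pattern (code 3 only) correctly does not cover.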