#
# CLAMAV
#
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: ClamAV update process started at .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Received signal: (wake up|re-opening log file)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: (daily|main)\.c(l|v)d (is up to date|updated) \(version: [0-9]+, sigs: [0-9]+, f-level: [0-9]+, builder: \w+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Clamd successfully notified about the update\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: --------------------------------------$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Database updated \([0-9]+ signatures\) from .* \(IP: [0-9.]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Downloading daily-[0-9]+.cdiff \[100%\] ?$
# Mar 11 07:30:29 kvarnen freshclam[485]: nonblock_connect: connect timing out (30 secs)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: nonblock_connect: connect timing out \(30 secs\)
# Mar 10 23:29:42 kvarnen freshclam[485]: Can't connect to port 80 of host db.local.clamav.net (IP: 213.73.255.243)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Can't connect to port 80 of host db.local.clamav.net \(IP: [.[:digit:]]+\)
# Mar 10 23:29:42 kvarnen freshclam[485]: WARNING: getfile: daily-21460.cdiff not found on remote server (IP: 217.19.16.188)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: WARNING: getfile: daily-[[:digit:]]+.cdiff not found on remote server \(IP: [.[:digit:]]+\)
# Mar 10 23:29:42 kvarnen freshclam[485]: WARNING: getpatch: Can't download daily-21460.cdiff from db.local.clamav.net
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: WARNING: getpatch: Can't download daily-[[:digit:]]+.cdiff from db.local.clamav.net
# Mar 11 07:30:29 kvarnen freshclam[485]: Trying host db.local.clamav.net (145.58.29.83)...
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Trying host db.local.clamav.net \([.[:digit:]]+\)...
#
# DOVECOT
#
#Mar  9 07:05:01 nada dovecot: imap(katarina): Connection closed: Connection reset by peer in=2733 out=436379
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Connection closed(: Connection reset by peer)? in=[[:digit:]]+ out=[[:digit:]]+
#Mar  9 16:48:53 nada dovecot: imap-login: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=10): user=, method=PLAIN, rip=155.4.128.66, lip=66.23.226.92, TLS, session=
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Maximum number of connections from user\+IP exceeded \(mail_max_userip_connections=[[:digit:]]+\): user=<[[:alnum:]]+>, method=PLAIN, rip=[.:[:digit:]]+, lip=[.:[:digit:]]+, TLS, session=<[[:alnum:]]+>
# Mar  8 14:08:09 nada dovecot: imap-login: Disconnected (no auth attempts in 28 secs): user=<>, rip=83.185.81.166, lip=66.23.226.92, TLS handshaking: Disconnected, session=
# Mar  8 14:10:01 nada dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=155.4.128.66, lip=66.23.226.92, TLS: Disconnected, session=
# Mar  8 15:42:52 nada dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=141.212.122.129, lip=66.23.226.92, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=
# Mar  8 09:55:24 nada dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=213.153.113.1, lip=66.23.226.92, TLS, session=
#Mar 10 21:31:07 nada dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=, method=PLAIN, rip=66.23.226.92, lip=66.23.226.92, TLS, session=
#Mar 10 23:23:14 kvarnen dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=85.25.43.94, lip=95.170.86.14, session=
# The tail after lip= is optional as a whole: the last sample above has no TLS field at all,
# and the "TLS handshaking: ..." / "TLS: ..." variants carry free text up to the next comma.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected(: Inactivity)? \((auth failed, [[:digit:]]+|no auth) attempts in [[:digit:]]+ secs\): user=<([[:alnum:]]+)?>,( method=PLAIN,)? rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, TLS[^,]*)?(, session=<[+/[:alnum:]]+>)?
#Mar 10 12:53:41 kvarnen dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=141.212.122.64, lip=95.170.86.14, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<1cA1d7AtxACN1HpA>
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected \(disconnected before auth was ready, waited 0 secs\): user=<>, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS handshaking: SSL_accept\(\) failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<[/+[:alnum:]]+>
#Mar 13 02:55:07 nada dovecot: ssl-params: Generating SSL parameters
#Mar 13 02:55:16 nada dovecot: ssl-params: SSL parameters regeneration completed
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: ssl-params: (Generating SSL parameters|SSL parameters regeneration completed)
#
# MONIT
#
#Mar 10 15:21:02 nada monit[5075]: 'localhost' loadavg(5min) of 2.3 matches resource limit [loadavg(5min)>2.0]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ monit\[[[:digit:]]+\]: 'localhost' loadavg\([[:digit:]]+min\) of [.[:digit:]]+ matches resource limit \[loadavg\([[:digit:]]+min\)>[.[:digit:]]+\]
#Mar 10 15:23:02 nada monit[5075]: 'localhost' 'localhost' loadavg(5min) check succeeded [current loadavg(5min)=1.8]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ monit\[[[:digit:]]+\]: 'localhost' 'localhost' loadavg\([[:digit:]]+min\) check succeeded \[current loadavg\([[:digit:]]+min\)=[.[:digit:]]+\]
#
# NAMED
#
#Mar 11 06:34:44 nada named[1771]: received control channel command 'reload'
#Mar 11 06:34:44 nada named[1771]: reading built-in trusted keys from file '/etc/bind/bind.keys'
#Mar 11 06:34:44 nada named[1771]: sizing zone task pool based on 21 zones
#Mar 11 06:34:44 nada named[1771]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: (Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones|sizing zone task pool based on [[:digit:]]+ zones|received control channel command 'reload'|reading built-in trusted keys from file '/etc/bind/bind.keys')
#Mar 10 06:43:39 nada named[1771]: client 95.170.86.14#50337: received notify for zone 'happysthlm.com'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [.:[:xdigit:]]+\#[[:digit:]]+: received notify for zone '[-.[:alnum:]]+'
#Mar 13 19:06:05 nada named[1771]: client 95.170.86.14#54781: transfer of 'stiy.com/IN': IXFR ended
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [.:[:xdigit:]]+\#[[:digit:]]+: transfer of '[-.[:alnum:]]+/IN': IXFR ended
#Mar 11 06:34:44 nada named[1771]: reloading configuration succeeded
#Mar 11 06:34:44 nada named[1771]: reloading zones succeeded
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: reloading (configuration|zones) succeeded
#Mar 11 06:34:44 nada named[1771]: using default UDP/IPv4 port range: [1024, 65535]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: using default UDP/IPv(4|6) port range: \[[[:digit:]]+, [[:digit:]]+\]
#Mar 13 19:02:30 kvarnen named[8896]: transfer of 'acroyoga.se/IN' from 66.23.226.92#53: Transfer completed: 0 messages, 0 records, 0 bytes, 127.193 secs (0 bytes/sec)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: transfer of '[-.[:alnum:]]+/IN' from [.[:digit:]]+#[[:digit:]]+: Transfer completed: [[:digit:]]+ messages, [[:digit:]]+ records, [[:digit:]]+ bytes, [.[:digit:]]+ secs \([[:digit:]]+ bytes/sec\)
#
# SASLAUTHD
#
#Mar 11 16:25:32 nada saslauthd[1732]: do_auth : auth failure: [user=no-reply] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
#Mar 11 16:27:11 nada saslauthd[1732]: do_auth : auth failure: [user=Dr_Gonzo] [service=smtp] [realm=Challenge-UK.com] [mech=shadow] [reason=Unknown]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: do_auth[[:blank:]]+: auth failure: \[user=([-_.@[:alnum:]]+)?\] \[service=smtp\] \[realm=([-_.@[:alnum:]]+)?\] \[mech=shadow\] \[reason=Unknown\]
#
# SM-MTA
#
#Mar  9 07:31:29 nada sm-mta[24919]: u296VPig024919: ruleset=check_rcpt, arg1=, relay=[75.98.154.125], reject=550 5.7.1 ... Relaying denied. IP name lookup failed [75.98.154.125]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_rcpt, arg1=<[-_.@[:alnum:]]+>, relay=\[[.:[:digit:]]+\], reject=550 5.7.1 <[-_.@[:alnum:]]+>... Relaying denied. IP name lookup failed \[[.:[:digit:]]+\]
#Mar 11 13:55:34 nada sm-mta[10612]: u2BCtW1I010612: ruleset=check_rcpt, arg1=, relay=rdns2.fastmkt.xyz [177.11.51.157] (may be forged), reject=550 5.7.1 ... Relaying denied. IP name possibly forged [177.11.51.157]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_rcpt, arg1=<[-_.@[:alnum:]]+>, relay=[-.[:alnum:]]+ \[[.:[:digit:]]+\] \(may be forged\), reject=550 5.7.1 <[-_.@[:alnum:]]+>... Relaying denied. IP name possibly forged \[[.:[:digit:]]+\]
#Mar  9 07:33:07 nada sm-mta[24033]: u296N4QZ024033: collect: premature EOM: Connection reset by [208.87.25.77]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: collect: premature EOM: Connection reset by \[[.:[:digit:]]+\]
#Mar  9 07:33:07 nada sm-mta[24033]: u296N4QZ024033: SYSERR(root): collect: I/O error on connection from [208.87.25.77], from=
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: SYSERR\(root\): collect: I\/O error on connection from \[[.:[:digit:]]+\], from=<[-_.@[:alnum:]]+>
#Mar 13 20:32:32 nada sm-mta[19605]: u2DJWTDv019605: h87-96-164-121.dynamic.se.alltele.net [87.96.164.121]: possible SMTP attack: command=AUTH, count=5
#Mar 13 21:08:13 nada sm-mta[22820]: u2DK8AKe022820: h87-96-164-121.dynamic.se.alltele.net [87.96.164.121]: possible SMTP attack: command=AUTH, count=5
#Mar 19 17:55:33 nada sm-mta[7383]: q2JGtBif007383: [183.13.205.9]: possible SMTP attack: command=AUTH, count=5
#Mar 21 12:11:16 nada sm-mta[13902]: q2LBB9M2013902: [91.201.64.99]: possible SMTP attack: command=HELO/EHLO, count=3
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ([-.[:alnum:]]+ )?\[[.[:xdigit:]]+\]: possible SMTP attack: command=(AUTH|HELO/EHLO), count=[[:digit:]]+
#Mar 13 15:15:32 nada sm-mta[22560]: u2DEFS76022560: ruleset=check_rcpt, arg1=eax_64@yahoo.com, relay=[61.190.7.133], reject=550 5.7.1 eax_64@yahoo.com... Relaying denied. IP name lookup failed [61.190.7.133]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_rcpt, arg1=[-_.@[:alnum:]]+, relay=\[[.:[:digit:]]+\], reject=550 5.7.1 [-_.@[:alnum:]]+ Relaying denied. IP name lookup failed \[[.:[:digit:]]+\]
#
# SPAMD
#
#Mar  9 15:31:44 nada spamd[27511]: bayes: cannot open bayes databases /var/lib/spamass-milter/.spamassassin/bayes_* R/W: lock failed: File exists
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: bayes: cannot open bayes databases /var/lib/spamass-milter/.spamassassin/bayes_\* R/W: lock failed: File exists
#
# SSHD
#
#Mar 10 06:59:17 nada sshd(pam_google_authenticator)[3478]: Failed to read "/bin/.google_authenticator"
#May 19 10:39:19 nada sshd(pam_google_authenticator)[18265]: Failed to compute location of secret file
#May 19 14:05:07 nada sshd(pam_google_authenticator)[20232]: Did not receive verification code from user
#May 19 14:05:17 nada sshd(pam_google_authenticator)[20399]: Invalid verification code
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\(pam_google_authenticator\)\[[[:digit:]]+\]: Failed to compute location of secret file
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\(pam_google_authenticator\)\[[[:digit:]]+\]: Did not receive verification code from user
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\(pam_google_authenticator\)\[[[:digit:]]+\]: Invalid verification code
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\(pam_google_authenticator\)\[[[:digit:]]+\]: Failed to read \"[/[:alnum:]]+\/.google_authenticator\"
# Mar 10 11:12:56 nada sshd[26548]: Received disconnect from 94.102.49.198: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
# Mar 12 04:09:09 nada sshd[23908]: Received disconnect from 195.154.52.9: 3: java.net.SocketTimeoutException: Read timed out [preauth]
# Mar  8 12:09:30 nada sshd[26267]: Received disconnect from 199.91.135.158: 3: com.jcraft.jsch.JSchException: reject HostKey: 66.23.226.92 [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:digit:]]+: 3: (java.net.SocketTimeoutException|com.jcraft.jsch.JSchException): (reject HostKey: [.:[:digit:]]+|Auth fail|Read timed out) \[preauth\]
# Mar 10 21:31:03 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=katarina rhost=66.23.226.92 user=katarina
# Mar  8 18:05:09 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=fredrik uid=0 euid=0 tty=dovecot ruser=fredrik rhost=::1
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_(krb5|unix)\(dovecot:auth\): authentication failure\; logname=([[:alnum:]]+)? uid=[[:digit:]]+ euid=[[:digit:]]+ tty=dovecot ruser=[[:alnum:]]+ rhost=[.:[:xdigit:]]+
#Mar 10 11:22:52 kvarnen sshd[12813]: error: PAM: Cannot make/remove an entry for the specified session for illegal user support from 40.76.54.16
#Mar 14 01:39:26 nada sshd[14346]: error: PAM: Cannot make/remove an entry for the specified session for root from 6e.a0.caa1.ip4.static.sl-reverse.com
# The source may be logged as an address or, as in the second sample, a reverse-DNS name.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: Cannot make/remove an entry for the specified session for (illegal user )?[[:alnum:]]+ from [-.:[:alnum:]]+
#Mar 14 02:25:08 nada sshd[18347]: fatal: Read from socket failed: Connection reset by peer [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Read from socket failed: Connection reset by peer \[preauth\]
#Mar 13 10:10:06 kvarnen sshd[31901]: Disconnecting: Too many authentication failures for root from 74.74.67.164 port 43335 ssh2 [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Too many authentication failures for root from [.:[:digit:]]+ port [[:digit:]]+ ssh2 \[preauth\]
#Mar 12 12:26:38 kvarnen sshd[6051]: fatal: no matching cipher found: client aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
# No trailing $ on purpose: the rule matches the line by prefix, whatever cipher lists follow.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: no matching cipher found: client
#
# SUHOSIN
#
#Mar 11 21:08:21 nada suhosin[30831]: ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker '91.121.230.152', file '/home/happysthlm/www.happysthlm.se/wp/xmlrpc.php')
# Inside a bracket expression a bare .-_ is a character range (it would also admit : ; < = > ? @ [ \ ] ^),
# so the hyphen is placed first to make it literal.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - dropped [[:digit:]]+ request variables - \([[:digit:]]+ in GET, [[:digit:]]+ in POST, [[:digit:]]+ in COOKIE\) \(attacker '[.[:digit:]]+', file '[-/._[:alnum:]]+'\)
#Mar 11 21:10:17 nada suhosin[30832]: ALERT - configured request variable name length limit exceeded - dropped variable '
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - configured request variable name length limit exceeded - dropped variable '
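The rules above follow the logcheck convention: a commented sample log line, then the egrep rule meant to cover it. The usual way such a file rots is a daemon changing its message format so a sample no longer matches its rule, or a rule matching far more than intended. The script below is an added self-check, not part of the original file; it assumes the file is consumed the way logcheck consumes it (every non-comment line is an egrep pattern, a line is acted on as soon as one pattern matches, and a pattern without a trailing $ matches by prefix) and that GNU grep is available for the \w escape the rules use. The small rules file it writes is constructed for the example from two rules on this page, and the "Accepted publickey" line is a constructed negative case.

```shell
#!/bin/sh
# Self-check for a logcheck-style rules file (added example, not from the
# original file). logcheck hands every non-comment line to egrep, so a log
# line counts as covered when at least ONE rule matches it, and a rule
# without a trailing $ matches any line that merely starts the same way.

# rule_matches RULE LINE: exit 0 if egrep would accept LINE under RULE
rule_matches() {
    printf '%s\n' "$2" | grep -E -q -- "$1"
}

# write_sample_rules FILE: write a small rules file in the page's layout,
# i.e. a commented sample line followed by the rule meant to cover it.
# Constructed for this example from two rules on the page.
write_sample_rules() {
cat > "$1" <<'EOF'
#
# SSHD
#
#Mar 13 10:10:06 kvarnen sshd[31901]: Disconnecting: Too many authentication failures for root from 74.74.67.164 port 43335 ssh2 [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Too many authentication failures for root from [.:[:digit:]]+ port [[:digit:]]+ ssh2 \[preauth\]
#
# SM-MTA
#
#Mar 19 17:55:33 nada sm-mta[7383]: q2JGtBif007383: [183.13.205.9]: possible SMTP attack: command=AUTH, count=5
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ([-.[:alnum:]]+ )?\[[.[:xdigit:]]+\]: possible SMTP attack: command=(AUTH|HELO/EHLO), count=[[:digit:]]+
EOF
}

# active_rules FILE OUT: copy the non-comment, non-blank lines (the rules
# egrep will actually see) from FILE to OUT
active_rules() {
    grep -E -v '^#|^[[:space:]]*$' "$1" > "$2"
}

# uncovered_samples FILE: print every "#Mon dd hh:mm:ss ..." sample line in
# FILE that none of the file's rules match (empty output = all covered)
uncovered_samples() {
    active=$(mktemp)
    active_rules "$1" "$active"
    grep -E '^# ?[A-Z][a-z]{2} +[0-9]{1,2} [0-9:]{8} ' "$1" | sed -E 's/^# ?//' \
        | grep -E -v -f "$active" || true
    rm -f "$active"
}

# all_samples_covered FILE: exit 0 when uncovered_samples prints nothing
all_samples_covered() {
    [ -z "$(uncovered_samples "$1")" ]
}

# covered FILE LINE: exit 0 if some rule in FILE matches LINE, i.e. logcheck
# would act on it (suppress it for ignore.d, report it for violations.d)
covered() {
    active=$(mktemp)
    active_rules "$1" "$active"
    if printf '%s\n' "$2" | grep -E -q -f "$active"; then rc=0; else rc=1; fi
    rm -f "$active"
    return $rc
}

rules=$(mktemp)
write_sample_rules "$rules"
if all_samples_covered "$rules"; then
    echo "every sample line in the file is covered by a rule"
else
    echo "UNCOVERED sample lines:"; uncovered_samples "$rules"
fi
# A line no rule is written for must stay uncovered (constructed negative case).
if covered "$rules" 'Mar 14 09:00:00 nada sshd[100]: Accepted publickey for root from 10.0.0.5 port 4000 ssh2'; then
    echo "BUG: an unrelated line matched a rule"
else
    echo "unrelated line is not covered (as intended)"
fi
# Caveat: a rule with no trailing $ also matches lines that carry extra text.
rule_matches 'sshd\[[[:digit:]]+\]: fatal: no matching cipher found: client' \
    'Mar 12 12:26:38 kvarnen sshd[6051]: fatal: no matching cipher found: client aes128-cbc server aes128-ctr [preauth]' \
    && echo "prefix rule matches the full cipher line"
rm -f "$rules"
```

Pointing `all_samples_covered` at the real rules file (after the sample lines are restored to their syslog form, with two spaces before a single-digit day) gives a quick regression test to run after every edit; `covered` run over a day of real syslog shows which lines each rule swallows, which is how an over-broad bracket expression or a missing $ gets noticed before it hides something.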