730 lines
66 KiB
Plaintext
#
# AUTH
#
# Mar 10 21:31:03 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=katarina rhost=66.23.226.92 user=katarina
# Mar 8 18:05:09 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=fredrik uid=0 euid=0 tty=dovecot ruser=fredrik rhost=::1
# Mar 23 19:49:48 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=petter@lidberg.se uid=0 euid=0 tty=dovecot ruser=petter@lidberg.se rhost=187.131.22.215
# Mar 23 19:49:48 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=petter@lidberg.se rhost=187.131.22.215
# Mar 24 18:13:26 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=fredmiranda@mc-cabe.com uid=0 euid=0 tty=dovecot ruser=fredmiranda@mc-cabe.com rhost=41.105.13.141
# Mar 24 18:13:26 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=fredmiranda@mc-cabe.com rhost=41.105.13.141
# Mar 7 21:39:47 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=jras_81 uid=0 euid=0 tty=dovecot ruser=jras_81 rhost=177.101.130.43
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_(krb5|unix)\((dovecot)?:auth\): authentication failure
#\; logname=([_-.@[:alnum:]]+)? uid=[[:digit:]]+ euid=[[:digit:]]+ tty=(dovecot)? ruser=([_-.@[:alnum:]]+)? rhost=([.:[:xdigit:]]+)?
# Mar 23 19:49:48 nada auth: pam_unix(dovecot:auth): check pass; user unknown
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_unix\(dovecot:auth\): check pass; user unknown
#
# CLAMAV
#
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: ClamAV update process started at .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Received signal: (wake up|re-opening log file)$
#Apr 8 19:43:15 kvarnen freshclam[485]: bytecode.cvd updated (version: 276, sigs: 46, f-level: 63, builder: amishhammer)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: (bytecode|daily|main)\.c(l|v)d (is up to date|updated) \(version: [0-9]+, sigs: [0-9]+, f-level: [0-9]+, builder: \w+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Clamd successfully notified about the update\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: --------------------------------------$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Database updated \([0-9]+ signatures\) from .* \(IP: [0-9.]+\)$
#Mar 17 06:27:00 kvarnen freshclam[485]: Downloading main.cvd [100%]
#Apr 8 19:43:15 kvarnen freshclam[485]: Downloading bytecode.cvd [100%]
#Apr 20 15:39:53 nada freshclam[302]: Downloading bytecode-293.cdiff [100%]
#Apr 20 23:40:45 nada freshclam[302]: Downloading bytecode-294.cdiff [100%]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Downloading ((daily|bytecode)-[0-9]+.cdiff|main.cvd|bytecode.cvd) \[100%\] ?$
#Nov 7 09:58:48 nada freshclam[304]: Reading CVD header (main.cvd): OK (IMS)
#Nov 7 09:58:48 nada freshclam[304]: Reading CVD header (daily.cvd): OK
#Nov 7 09:58:49 nada freshclam[304]: Reading CVD header (bytecode.cvd): OK
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Reading CVD header \((main|daily|bytecode).cvd\): OK( \(IMS\))?
# Mar 11 07:30:29 kvarnen freshclam[485]: nonblock_connect: connect timing out (30 secs)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: nonblock_connect: connect timing out \(30 secs\)
# Mar 10 23:29:42 kvarnen freshclam[485]: Can't connect to port 80 of host db.local.clamav.net (IP: 213.73.255.243)
# Mar 17 05:07:52 kvarnen freshclam[485]: Can't connect to port 80 of host database.clamav.net (IP: 213.73.255.243)
# Mar 17 05:07:22 kvarnen freshclam[485]: Can't connect to port 80 of host database.clamav.net (IP: 145.58.29.83)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Can't connect to port 80 of host (db.local|database).clamav.net \(IP: [.[:digit:]]+\)
# Mar 10 23:29:42 kvarnen freshclam[485]: WARNING: getfile: daily-21460.cdiff not found on remote server (IP: 217.19.16.188)
# Jun 25 16:58:32 kvarnen freshclam[15554]: WARNING: getfile: daily-21788.cdiff not found on db.local.clamav.net (IP: 217.19.16.188)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: WARNING: getfile: daily-[[:digit:]]+.cdiff not found on (remote server|db.local.clamav.net) \(IP: [.[:digit:]]+\)
# Mar 10 23:29:42 kvarnen freshclam[485]: WARNING: getpatch: Can't download daily-21460.cdiff from db.local.clamav.net
#Mar 17 05:07:22 kvarnen freshclam[485]: WARNING: getpatch: Can't download main-56.cdiff from database.clamav.net
#Mar 17 05:07:22 kvarnen freshclam[485]: ERROR: getpatch: Can't download main-56.cdiff from database.clamav.net
#Mar 17 05:07:52 kvarnen freshclam[485]: ERROR: Can't download main.cvd from database.clamav.net
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: (ERROR|WARNING): (getpatch: )?Can't download ((main|daily)-[[:digit:]]+.cdiff|main.cvd) from (db.local|database).clamav.net
#Mar 17 06:27:06 kvarnen freshclam[485]: WARNING: getfile: Unknown response from remote server (IP: 145.58.29.83)
#Jun 25 12:58:28 kvarnen freshclam[15554]: WARNING: getfile: Unknown response from db.local.clamav.net (IP: 145.58.29.83)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: (ERROR|WARNING): getfile: Unknown response from (remote server|db.local.clamav.net) \(IP: [.[:digit:]]+\)
# Mar 11 07:30:29 kvarnen freshclam[485]: Trying host db.local.clamav.net (145.58.29.83)...
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Trying host db.local.clamav.net \([.[:digit:]]+\)...
#Mar 17 05:07:22 kvarnen freshclam[485]: WARNING: Incremental update failed, trying to download main.cvd
#Mar 17 05:02:18 kvarnen freshclam[485]: Trying again in 5 secs...
#Mar 17 05:07:21 kvarnen freshclam[485]: nonblock_recv: recv timing out (30 secs)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: (WARNING: Incremental update failed, trying to download main.cvd|Trying again in 5 secs...|nonblock_recv: recv timing out \(30 secs\))
#Mar 17 05:07:22 kvarnen freshclam[485]: connect_error: getsockopt(SO_ERROR): fd=4 error=111: Connection refused
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: connect_error: getsockopt\(SO_ERROR\): fd=4 error=111: Connection refused
#Mar 17 05:07:22 kvarnen freshclam[485]: Can't connect to port 80 of host database.clamav.net (IP: 145.58.29.83)
#Mar 17 05:07:52 kvarnen freshclam[485]: Can't connect to port 80 of host database.clamav.net (IP: 213.73.255.243)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Can\'t connect to port 80 of host database.clamav.net \(IP: [.[:digit:]]+\)
#Mar 17 05:07:22 kvarnen freshclam[485]: Trying host database.clamav.net (213.73.255.243)...
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Trying host database.clamav.net \([.[:digit:]]+\)...
#Mar 17 05:07:52 kvarnen freshclam[485]: Giving up on database.clamav.net...
#Mar 17 05:07:21 kvarnen freshclam[485]: Giving up on db.local.clamav.net...
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Giving up on [.[:alnum:]]+...
#Mar 17 05:02:18 kvarnen freshclam[485]: WARNING: getfile: Download interrupted: Inappropriate ioctl for device (IP: 145.58.29.83)
#Mar 17 05:07:21 kvarnen freshclam[485]: ERROR: getfile: Download interrupted: Inappropriate ioctl for device (IP: 145.58.29.83)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: (ERROR|WARNING): getfile: Download interrupted: Inappropriate ioctl for device \(IP: [.[:digit:]]+\)
#Mar 17 04:53:24 kvarnen freshclam[485]: WARNING: getfile: Error while reading database from db.local.clamav.net (IP: 194.109.6.97): Operation now in progress
#Mar 17 04:53:37 kvarnen freshclam[485]: WARNING: getfile: Error while reading database from db.local.clamav.net (IP: 217.19.16.188): Connection reset by peer
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: WARNING: getfile: Error while reading database from [.[:alnum:]]+ \(IP: [.[:digit:]]+\): (Connection reset by peer|Operation now in progress)
#Mar 17 04:52:54 kvarnen freshclam[485]: Empty script main-56.cdiff, need to download entire database
#Apr 8 19:43:15 kvarnen freshclam[485]: Empty script bytecode-276.cdiff, need to download entire database
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Empty script (main|bytecode)-[[:digit:]]+.cdiff, need to download entire database
#Mar 21 02:52:56 kvarnen freshclam[485]: bytecode.cvd is up to date (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: bytecode.cvd is up to date \(version: [[:digit:]]+, sigs: [[:digit:]]+, f-level: [[:digit:]]+, builder: amishhammer\)
#Mar 17 06:30:26 kvarnen freshclam[485]: Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Update failed. Your network may be down or none of the mirrors listed in \/etc\/clamav\/freshclam.conf is working. Check http:\/\/www.clamav.net\/doc\/mirrors-faq.html for possible reasons.
#Mar 19 06:47:45 nada clamav-milter: ClamAV: mi_stop=1
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ clamav-milter: ClamAV: mi_stop=1
#Nov 7 09:58:47 nada freshclam[304]: WARNING: DNS record is older than 3 hours.
#Nov 7 09:58:47 nada freshclam[304]: WARNING: Invalid DNS reply. Falling back to HTTP mode.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: WARNING: (DNS record is older than 3 hours.|Invalid DNS reply. Falling back to HTTP mode.)
#Mar 9 23:47:14 nada freshclam[31063]: WARNING: Your ClamAV installation is OUTDATED!
#Mar 9 23:47:14 nada freshclam[31063]: WARNING: Local version: 0.99.3 Recommended version: 0.99.4
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: WARNING: (Your ClamAV installation is OUTDATED!|Local version:)
#Mar 9 23:47:14 nada freshclam[31063]: DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
#
# DOVECOT
#
#Mar 9 07:05:01 nada dovecot: imap(katarina): Connection closed: Connection reset by peer in=2733 out=436379
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Connection closed(: Connection reset by peer)? in=[[:digit:]]+ out=[[:digit:]]+
#Mar 18 12:52:26 nada dovecot: imap: Connection closed in=172 out=1287
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap: Connection closed in=[[:digit:]]+ out=[[:digit:]]+
#Mar 9 16:48:53 nada dovecot: imap-login: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=10): user=<birgitta>, method=PLAIN, rip=155.4.128.66, lip=66.23.226.92, TLS, session=<EbCHop8txQCbBIBC>
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Maximum number of connections from user\+IP exceeded \(mail_max_userip_connections=[[:digit:]]+\): user=<[[:alnum:]]+>, method=PLAIN, rip=[.:[:digit:]]+, lip=[.:[:digit:]]+, TLS, session=<[[:alnum:]]+>
# Mar 8 14:08:09 nada dovecot: imap-login: Disconnected (no auth attempts in 28 secs): user=<>, rip=83.185.81.166, lip=66.23.226.92, TLS handshaking: Disconnected, session=<BNTkRYktuwBTuVGm>
# Mar 8 14:10:01 nada dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=155.4.128.66, lip=66.23.226.92, TLS: Disconnected, session=<bXSMTIktugCbBIBC>
# Mar 8 15:42:52 nada dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=141.212.122.129, lip=66.23.226.92, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<M0mYmIotEACN1HqB>
# Mar 22 15:00:30 kvarnen dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=188.138.1.218, lip=95.170.86.14, session=<ZMLXoqMuFwC8igHa>
# Mar 8 09:55:24 nada dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=213.153.113.1, lip=66.23.226.92, TLS, session=<tGj3vYUtSgDVmXEB>
#Mar 10 21:31:07 nada dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<katarina>, method=PLAIN, rip=66.23.226.92, lip=66.23.226.92, TLS, session=<qnd3sbctoABCF+Jc>
#Mar 10 23:23:14 kvarnen dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=85.25.43.94, lip=95.170.86.14, session=<OuW1QrktjABVGSte>
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: (Disconnected|Aborted login)(: Inactivity)? \((auth failed, [[:digit:]]+|no auth) attempts in [[:digit:]]+ secs\): user=<([[:alnum:]]+)?>,( method=PLAIN,)? rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS)?(, session=<[+/[:alnum:]]+>)?
#Mar 10 12:53:41 kvarnen dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=141.212.122.64, lip=95.170.86.14, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<1cA1d7AtxACN1HpA>
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected \(disconnected before auth was ready, waited 0 secs\): user=<>, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS handshaking: SSL_accept\(\) failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<[/+[:alnum:]]+>
#Mar 13 02:55:07 nada dovecot: ssl-params: Generating SSL parameters
#Mar 13 02:55:16 nada dovecot: ssl-params: SSL parameters regeneration completed
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: ssl-params: (Generating SSL parameters|SSL parameters regeneration completed)
#Mar 15 14:03:51 nada dovecot: pop3-login: Disconnected (client didn't finish SASL auth, waited 0 secs): user=<>, method=PLAIN, rip=213.112.7.21, lip=66.23.226.92, TLS, session=<dEpiBxYuHQDVcAcV>
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3-login: Disconnected \(client didn\'t finish SASL auth, waited [[:digit:]]+ secs\): user=<>, method=PLAIN, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS, session=<[[:alnum:]]+>
#Mar 16 01:47:24 kvarnen dovecot: pop3-login: Aborted login (no auth attempts in 3 secs): user=<>, rip=66.240.219.146, lip=95.170.86.14, TLS, session=<bSZ62x8uaQBC8NuS>
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3)-login: Aborted login \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS, session=<[[:alnum:]]+>
#Mar 23 19:49:52 nada dovecot: imap-login: Aborted login (auth failed, 1 attempts in 4 secs): user=<petter@lidberg.se>, method=PLAIN, rip=187.131.22.215, lip=66.23.226.92, TLS, session=<K0NMy7sukQC7gxbX
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3)-login: Aborted login \(auth failed, [[:digit:]]+ attempts in [[:digit:]]+ secs\): user=<[.@[:alnum:]]+>, method=PLAIN, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS, session=<[+/[:alnum:]]+>
#Mar 14 18:40:24 nada dovecot: imap(johan): Disconnected for inactivity in reading our output in=603 out=253156
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Disconnected for inactivity in reading our output in=[[:digit:]]+ out=[[:digit:]]+
#Apr 27 14:28:26 nada dovecot: pop3(kajsa): Disconnected for inactivity top=0/0, retr=0/0, del=0/67, size=517953
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3)\([[:alnum:]]+\): Disconnected for inactivity top=[/[:digit:]]+, retr=[/[:digit:]]+, del=[/[:digit:]]+, size=[[:digit:]]+
#Mar 21 02:40:04 kvarnen dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=200.68.99.217, lip=95.170.86.14, session=<7uj4LIUuMQDIRGPZ>
#Mar 22 13:03:22 kvarnen dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=218.29.231.21, lip=95.170.86.14, session=<zjjk/6EudwDaHecV>
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3-login: (Disconnected|Aborted login) \(tried to use disallowed plaintext auth\): user=<>, rip=[.:[:digit:]]+, lip=[.:[:digit:]]+, session=<[+/[:alnum:]]+>
#Mar 24 13:04:10 nada dovecot: imap(ninnie): Warning: Subscriptions file /home/ninnie/Maildir/subscriptions: Removing invalid entry: mail/sent-mail
#Mar 24 13:04:10 nada dovecot: imap(ninnie): Warning: Subscriptions file /home/ninnie/Maildir/subscriptions: Removing invalid entry: mail/Trash
#Mar 24 13:04:10 nada dovecot: imap(ninnie): Warning: Subscriptions file /home/ninnie/Maildir/subscriptions: Removing invalid entry: mail/Drafts
#Mar 24 13:04:10 nada dovecot: imap(ninnie): Warning: Subscriptions file /home/ninnie/Maildir/subscriptions: Removing invalid entry: mail/mormors 100-&AOU-rsdag
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Warning: Subscriptions file [/[:alnum:]]+: Removing invalid entry:
#Mar 26 22:10:17 nada dovecot: pop3(ammis): Connection closed top=0/0, retr=29/1819516, del=0/73, size=4433634
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3\([[:alnum:]]+\): Connection closed top=[/[:digit:]]+, retr=[/[:digit:]]+, del=[/[:digit:]]+, size=[[:digit:]]+
#Mar 30 20:59:38 nada dovecot: imap(katarina): Disconnected: Disconnected in=139 out=8902
#Apr 20 12:25:05 nada dovecot: imap(kajsa): Disconnected: EOF while appending in=413894 out=733
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Disconnected: (EOF while appending|Disconnected) in=[[:digit:]]+ out=[[:digit:]]+
#Apr 6 17:17:53 nada dovecot: imap(gertie): Disconnected in APPEND (1 msgs, 0 secs, 0/44908 bytes) in=884034 out=368982
#Mar 18 09:58:06 nada dovecot: imap(hans): Disconnected: Disconnected in APPEND (1 msgs, 0 secs, 0/170611 bytes) in=198 out=871
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): (Disconnected: )?Disconnected in APPEND \([[:digit:]]+ msgs, [[:digit:]]+ secs, [[:digit:]]+/[[:digit:]]+ bytes\) in=[[:digit:]]+ out=[[:digit:]]+
#
# HORDE
#
#Apr 2 18:34:46 nada HORDE: [horde] Login success for fredrik to horde (46.162.117.83) [pid 25921 on line 164 of "/usr/share/horde/login.php"]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: \[horde\] Login success for [[:alnum:]]+ to horde \([.[:digit:]]+\) \[pid [[:digit:]]+ on line 164 of "/usr/share/horde/login.php"\]
#Apr 2 18:34:47 nada HORDE: [imp] Login success for fredrik (46.162.117.83) to {imap://nada.wahlberg.se:993/} [pid 25921 on line 157 of "/usr/share/horde/imp/lib/Auth.php"]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: \[imp\] Login success for [[:alnum:]]+ \([.[:digit:]]+\) to \{imap://nada.wahlberg.se:993\/\} \[pid [[:digit:]]+ on line 157 of "/usr/share/horde/imp/lib/Auth.php"\]
#Apr 2 19:31:34 nada HORDE: [kronolith] Failed to retrieve remote calendar: url = "https://calendar.google.com/calendar/ical/wahlis%40gmail.com/private-d6b56e71ef78fa437bcb4df46aaeebad/basic.ics", status = 28 [pid 25488 on line 593 of "/usr/share/horde/kronolith/lib/Driver/Ical.php"]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: \[kronolith\] Failed to retrieve remote calendar: url =
#Apr 2 20:17:48 nada HORDE: User is not authorized for imp [pid 21121 on line 324 of "/usr/share/php/Horde/Registry.php"]
#Apr 10 21:18:28 nada HORDE: User is not authorized for horde [pid 28010 on line 324 of "/usr/share/php/Horde/Registry.php"]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: User is not authorized for (imp|horde)
#Apr 18 13:27:36 nada HORDE: [imp] Message sent to fram.art@comhem.se from katarina (213.112.4.122) [pid 12862 on line 964 of "/usr/share/horde/imp/lib/Compose.php"]
#Apr 18 14:38:04 nada HORDE: [imp] Message sent to hello@happysthlm.se from katarina (213.112.4.122) [pid 1013 on line 964 of "/usr/share/horde/imp/lib/Compose.php"]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: \[imp\] Message sent to
#Apr 21 04:37:54 nada HORDE: [imp] PHP ERROR: Invalid argument supplied for foreach() [pid 7168 on line 96 of "/usr/share/horde/imp/lib/Factory/MailboxList.php"]
#Apr 20 04:49:50 nada HORDE: [imp] PHP ERROR: Invalid argument supplied for foreach() [pid 27097 on line 96 of "/usr/share/horde/imp/lib/Factory/MailboxList.php"]
#Apr 20 13:03:42 nada HORDE: [gollem] PHP ERROR: Invalid argument supplied for foreach() [pid 6356 on line 338 of "/usr/share/horde/gollem/lib/Auth.php"]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: \[(imp|gollem)\] PHP ERROR: Invalid argument supplied for foreach\(\)
#Apr 24 09:35:01 nada HORDE: [horde] User stiy logged out of Horde (80.251.192.97) [pid 6775 on line 107 of "/usr/share/horde/login.php"]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: \[horde\] User [[:alnum:]]+ logged out of Horde \([.[:digit:]]+\)
#
# MILTER-GREYLIST
#
#Apr 2 18:28:04 nada milter-greylist: DKIM failed: No signature
#Apr 2 18:34:03 nada milter-greylist: DKIM failed: Unable to verify
#Apr 2 18:36:37 nada milter-greylist: DKIM failed: Key retrieval failed
#Apr 2 18:36:58 nada milter-greylist: DKIM failed: Invalid parameter
#Apr 2 20:02:18 nada milter-greylist: DKIM failed: No key
#Apr 11 17:47:56 nada milter-greylist: DKIM failed: Syntax error
#Apr 11 23:02:34 nada milter-greylist: DKIM failed: Bad signature
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ milter-greylist: DKIM failed: (No signature|Unable to verify|Key retrieval failed|Invalid parameter|No key|Syntax error|Bad signature)
#Feb 5 13:02:12 nada milter-greylist: ignoring message beyond maxpeek = 0
#Feb 5 13:07:56 nada milter-greylist: ignoring message beyond maxpeek = 0
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ milter-greylist: ignoring message beyond maxpeek = 0
#
# MONIT
#
#Mar 10 15:21:02 nada monit[5075]: 'localhost' loadavg(5min) of 2.3 matches resource limit [loadavg(5min)>2.0]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ monit\[[[:digit:]]+\]: 'localhost' loadavg\([[:digit:]]+min\) of [.[:digit:]]+ matches resource limit \[loadavg\([[:digit:]]+min\)>[.[:digit:]]+\]
#Mar 26 18:09:14 nada monit[5075]: 'localhost' 'localhost' cpu wait usage check succeeded [current cpu wait usage=0.0%]
#Mar 10 15:23:02 nada monit[5075]: 'localhost' 'localhost' loadavg(5min) check succeeded [current loadavg(5min)=1.8]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ monit\[[[:digit:]]+\]: 'localhost' 'localhost' (loadavg\([[:digit:]]+min\)|cpu wait usage) check succeeded \[current (loadavg\([[:digit:]]+min\)|cpu wait usage)=[%.[:digit:]]+\]
#Mar 27 06:31:18 nada monit[5075]: 'clamav-milter' process PID changed from 26461 to 14050
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ monit\[[[:digit:]]+\]: '[-[:alnum:]]+' process PID changed from [[:digit:]]+ to [[:digit:]]+
#Mar 27 06:33:18 nada monit[5075]: 'clamav-milter' process PID has not changed since last cycle
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ monit\[[[:digit:]]+\]: '[-[:alnum:]]+' process PID has not changed since last cycle
#
# NAMED
#
#Mar 11 06:34:44 nada named[1771]: received control channel command 'reload'
#Mar 11 06:34:44 nada named[1771]: reading built-in trusted keys from file '/etc/bind/bind.keys'
#Mar 11 06:34:44 nada named[1771]: sizing zone task pool based on 21 zones
#Mar 11 06:34:44 nada named[1771]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: (Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones|sizing zone task pool based on [[:digit:]]+ zones|received control channel command 'reload( [.[:alnum:]]+)?'|reading built-in trusted keys from file '/etc/bind/bind.keys')
#Mar 10 06:43:39 nada named[1771]: client 95.170.86.14#50337: received notify for zone 'happysthlm.com'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [.:[:xdigit:]]+\#[[:digit:]]+: received notify for zone '[-.[:alnum:]]+'
#Mar 13 19:06:05 nada named[1771]: client 95.170.86.14#54781: transfer of 'stiy.com/IN': IXFR ended
#Mar 3 18:45:43 nada named[31321]: client 46.21.104.9#48923: transfer of 'wahlberg.se/IN': AXFR-style IXFR started
#Mar 3 18:45:43 nada named[31321]: client 46.21.104.9#48923: transfer of 'wahlberg.se/IN': AXFR-style IXFR ended
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [.:[:xdigit:]]+\#[[:digit:]]+: transfer of '[-.[:alnum:]]+/IN':( AXFR-style)? IXFR (started|ended)
#Mar 11 06:34:44 nada named[1771]: reloading configuration succeeded
#Mar 11 06:34:44 nada named[1771]: reloading zones succeeded
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: reloading (configuration|zones) succeeded
#Mar 11 06:34:44 nada named[1771]: using default UDP/IPv4 port range: [1024, 65535]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: using default UDP/IPv(4|6) port range: \[[[:digit:]]+, [[:digit:]]+\]
#Mar 13 19:02:30 kvarnen named[8896]: transfer of 'acroyoga.se/IN' from 66.23.226.92#53: Transfer completed: 0 messages, 0 records, 0 bytes, 127.193 secs (0 bytes/sec)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: transfer of '[-.[:alnum:]]+/IN' from [.[:digit:]]+#[[:digit:]]+: Transfer completed: [[:digit:]]+ messages, [[:digit:]]+ records, [[:digit:]]+ bytes, [.[:digit:]]+ secs \([[:digit:]]+ bytes/sec\)
#Mar 21 05:58:39 kvarnen named[8896]: transfer of 'happysthlm.se/IN' from 66.23.226.92#53: connected using 95.170.86.14#33872
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: transfer of '[-.[:alnum:]]+/IN' from [.[:digit:]]+#[[:digit:]]+: connected using [.[:digit:]]+#[[:digit:]]+
#Mar 21 05:58:32 kvarnen named[8896]: zone happysthlm.se/IN: refresh: retry limit for master 66.23.226.92#53 exceeded (source 0.0.0.0#0)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: zone [-.[:alnum:]]+/IN: refresh: retry limit for master [.[:digit:]]+#[[:digit:]]+ exceeded \(source [.[:digit:]]+#[[:digit:]]+\)
#Mar 16 21:43:05 kvarnen named[8896]: master 66.23.226.92#53 (source 0.0.0.0#0) deleted from unreachable cache
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: master [.[:digit:]]+#[[:digit:]]+ \(source [.[:digit:]]+#[[:digit:]]+\) deleted from unreachable cache
#Mar 24 02:08:41 nada named[5002]: client 192.42.132.103#45345: notify question section contains no SOA
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [#.[:digit:]]+: notify question section contains no SOA
#Mar 26 21:45:26 nada named[5002]: managed-keys-zone ./IN: No DNSKEY RRSIGs found for '.': success
#Apr 2 22:17:28 nada named[300]: managed-keys-zone: No DNSKEY RRSIGs found for '.': succes
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: managed-keys-zone( ./IN)?: No DNSKEY RRSIGs found for '.': success
#Apr 2 22:49:14 nada named[5002]: managed-keys-zone ./IN: Unable to fetch DNSKEY set 'dlv.isc.org': SERVFAIL
#Apr 13 16:22:06 nada named[296]: managed-keys-zone: Unable to fetch DNSKEY set 'dlv.isc.org': SERVFAIL
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: managed-keys-zone( ./IN)?: Unable to fetch DNSKEY set '[.[:alnum:]]+': SERVFAIL
#Dec 19 17:32:19 nada named[5082]: managed-keys-zone: Active key unexpectedly missing from dlv.isc.org
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: managed-keys-zone: Active key unexpectedly missing from dlv.isc.org
#Mar 26 21:45:26 nada named[5002]: validating @0xb82ba940: . NS: got insecure response; parent indicates it should be secure
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: validating [@[:alnum:]]+: . NS: got insecure response; parent indicates it should be secure
#Apr 10 05:59:24 marconi named[7781]: validating formelracing.se/SOA: no valid signature found
#Apr 10 05:59:24 marconi named[7781]: validating formelracing.se/A: no valid signature found
#Apr 10 05:59:24 marconi named[7781]: validating cmqpg0nlq5bi4s4ucti6jj2avrd7mhtj.formelracing.se/NSEC3: no valid signature found
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]:[[:space:]]+validating [.[:alnum:]]+/(A|SOA|NSEC3): no valid signature found
#Mar 3 18:03:34 marconi named[27570]: transfer of 'wahlberg.se/IN' from 66.23.226.92#53: Transfer status: success
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: transfer of '[-.[:alnum:]]+/IN' from [#.[:digit:]]+: Transfer status: success
#Mar 4 15:06:28 marconi named[27570]: client 113.240.250.154#43169: message parsing failed: bad compression pointer
#Apr 20 20:40:11 marconi named[11602]: client 125.64.94.201#52717: message parsing failed: bad label type
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [#.[:digit:]]+: message parsing failed: bad (compression pointer|label type)
#Mar 16 10:33:41 nada named[31321]: zone happysthlm.se/IN: loaded serial 2017031600
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: zone [-.[:alnum:]]+/IN: loaded serial [[:digit:]]+
#Apr 10 06:49:43 nada named[297]: automatic empty zone: 10.IN-ADDR.ARPA
#Apr 10 06:49:43 nada named[297]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: automatic empty zone: [.[:alnum:]]+(IN-ADDR|IP6).ARPA
#Apr 11 06:48:06 nada named[297]: all zones loaded
#Apr 11 06:48:06 nada named[297]: running
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: (all zones loaded|running)
#Apr 11 06:48:06 nada rndc[15568]: server reload successful
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rndc\[[[:digit:]]+\]: server reload successful
#Apr 13 00:24:51 marconi named[7781]: DNS format error from 8.8.8.8#53 resolving slashdot.org/DS: Name . (SOA) not subdomain of zone org -- invalid response
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: DNS format error from [\#.[:digit:]]+ resolving [-_.[:alnum:]]+/DS: Name . \(SOA\) not subdomain of zone org -- invalid response
#
# SASLAUTHD
#
#Mar 11 16:25:32 nada saslauthd[1732]: do_auth : auth failure: [user=no-reply] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
#Mar 11 16:27:11 nada saslauthd[1732]: do_auth : auth failure: [user=Dr_Gonzo] [service=smtp] [realm=Challenge-UK.com] [mech=shadow] [reason=Unknown]
#Apr 13 09:42:29 kvarnen saslauthd[620]: do_auth : auth failure: [user=test] [service=] [realm=] [mech=pam] [reason=PAM auth error]
#Apr 15 19:27:33 nada saslauthd[1732]: do_auth : auth failure: [user=backuppc ] [service=smtp] [realm=wahlberg.se] [mech=shadow] [reason=Unknown]
#Apr 2 16:58:34 nada saslauthd[619]: do_auth : auth failure: [user=prueba] [service=smtp] [realm=] [mech=shadow] [reason=Invalid username]
#Apr 2 19:08:45 nada saslauthd[604]: do_auth : auth failure: [user=backup] [service=smtp] [realm=] [mech=shadow] [reason=Incorrect password]
#Feb 6 02:20:14 nada saslauthd[610]: do_auth : auth failure: [user=Adm1n!] [service=smtp] [realm=#] [mech=shadow] [reason=Invalid username]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: do_auth[[:blank:]]+: auth failure: \[user=([[:print:]]+)?\] \[service=(smtp)?\] \[realm=([[:print:]]+)?\] \[mech=(pam|shadow)\] \[reason=(Unknown|PAM auth error|Invalid username|Incorrect password)\]
#Apr 13 09:42:28 kvarnen saslauthd[620]: pam_unix(:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: pam_(krb5|unix)\((dovecot)?:auth\): authentication failure\; logname=([-.@[:alnum:]]+)? uid=[[:digit:]]+ euid=[[:digit:]]+ tty=(dovecot)? ruser=([-.@[:alnum:]]+)? rhost=([.:[:xdigit:]]+)?
#Apr 13 09:42:28 kvarnen saslauthd[620]: pam_unix(:auth): check pass; user unknown
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: pam_unix\(:auth\): check pass; user unknown
#Aug 23 18:39:24 nada saslauthd[1713]: do_request : NULL login received
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: do_request : NULL login received
#
# SM-MTA
#
#Mar 9 07:31:29 nada sm-mta[24919]: u296VPig024919: ruleset=check_rcpt, arg1=<netshopping@sanfo.com>, relay=[75.98.154.125], reject=550 5.7.1 <netshopping@sanfo.com>... Relaying denied. IP name lookup failed [75.98.154.125]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_rcpt, arg1=<[-_.@[:alnum:]]+>, relay=\[[.:[:digit:]]+\], reject=550 5.7.1 <[-_.@[:alnum:]]+>... Relaying denied. IP name lookup failed \[[.:[:digit:]]+\]
#Mar 11 13:55:34 nada sm-mta[10612]: u2BCtW1I010612: ruleset=check_rcpt, arg1=<star.pop3@hotmail.com>, relay=rdns2.fastmkt.xyz [177.11.51.157] (may be forged), reject=550 5.7.1 <star.pop3@hotmail.com>... Relaying denied. IP name possibly forged [177.11.51.157]
#Mar 27 22:21:47 nada sm-mta[3607]: u2RKLiXq003607: ruleset=check_rcpt, arg1=eax_64@yahoo.com, relay=125-227-60-218.HINET-IP.hinet.net [125.227.60.218] (may be forged), reject=550 5.7.1 eax_64@yahoo.com... Relaying denied. IP name possibly forged [125.227.60.218]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_rcpt, arg1=(<)?[-_.@[:alnum:]]+(>)?, relay=[-.[:alnum:]]+ \[[.:[:digit:]]+\] \(may be forged\), reject=550 5.7.1 (<)?[-_.@[:alnum:]]+(>)?... Relaying denied. IP name possibly forged \[[.:[:digit:]]+\]
#Mar 9 07:33:07 nada sm-mta[24033]: u296N4QZ024033: collect: premature EOM: Connection reset by [208.87.25.77]
#Apr 15 17:29:00 nada sm-mta[687]: u3FFSq2F000687: collect: premature EOM: Connection reset by 99-198-26-191.cust.wildblue.net
#Apr 18 11:07:40 nada sm-mta[22391]: u3I87Z3E022391: collect: premature EOM: Connection timed out with rs-mta-31.anpdm.com
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: collect: premature EOM: Connection (reset by|timed out with) (\[)?[-.:[:alnum:]]+(\])?
#Mar 9 07:33:07 nada sm-mta[24033]: u296N4QZ024033: SYSERR(root): collect: I/O error on connection from [208.87.25.77], from=<noc@newwiiindows.com>
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: SYSERR\(root\): collect: I\/O error on connection from \[[.:[:digit:]]+\], from=<[-_.@[:alnum:]]+>
#Mar 13 20:32:32 nada sm-mta[19605]: u2DJWTDv019605: h87-96-164-121.dynamic.se.alltele.net [87.96.164.121]: possible SMTP attack: command=AUTH, count=5
#Mar 13 21:08:13 nada sm-mta[22820]: u2DK8AKe022820: h87-96-164-121.dynamic.se.alltele.net [87.96.164.121]: possible SMTP attack: command=AUTH, count=5
#Mar 23 10:07:56 nada sm-mta[20809]: u2N97qjp020809: hostby.ankas-group.net [46.161.40.200] (may be forged): possible SMTP attack: command=AUTH, count=5
#Mar 19 17:55:33 nada sm-mta[7383]: q2JGtBif007383: [183.13.205.9]: possible SMTP attack: command=AUTH, count=5
#Mar 21 12:11:16 nada sm-mta[13902]: q2LBB9M2013902: [91.201.64.99]: possible SMTP attack: command=HELO/EHLO, count=3
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ([-.[:alnum:]]+ )?\[[.[:xdigit:]]+\]( \(may be forged\))?: possible SMTP attack: command=(AUTH|HELO/EHLO), count=[[:digit:]]+
#Mar 13 15:15:32 nada sm-mta[22560]: u2DEFS76022560: ruleset=check_rcpt, arg1=eax_64@yahoo.com, relay=[61.190.7.133], reject=550 5.7.1 eax_64@yahoo.com... Relaying denied. IP name lookup failed [61.190.7.133]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_rcpt, arg1=[-_.@[:alnum:]]+, relay=\[[.:[:digit:]]+\], reject=550 5.7.1 [-_.@[:alnum:]]+ Relaying denied. IP name lookup failed \[[.:[:digit:]]+\]
#Mar 15 11:26:20 nada sm-mta[6679]: STARTTLS=client, relay=mail.compenta.se., version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA256, bits=128/128
#Mar 30 20:47:04 nada sm-mta[9603]: STARTTLS=client, relay=mail-gw01.fsdata.se., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
#Sep 11 00:02:05 cocacola sm-mta[4678]: STARTTLS=client, relay=mail.wahlberg.se., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
#Mar 9 00:02:06 cocacola sm-mta[30768]: STARTTLS=client, relay=mail.wahlberg.se., version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS=client, relay=[-.:[:alnum:]]+, (version=TLSv1(.2)?(/SSLv3)?, verify=FAIL, cipher=[-[:alnum:]]+, bits=[/[:digit:]]+|field=cn_subject, status=failed to extract CN)
#Mar 22 13:31:42 nada sendmail[24653]: gethostbyaddr(127.0.0.2) failed: 1
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sendmail\[[[:digit:]]+\]: gethostbyaddr\(127.0.0.2\) failed: 1
# Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (greylist): write(Q) returned -1, expected 5: Broken pipe
# Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (spamassassin): write(Q) returned -1, expected 5: Broken pipe
# Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (clamav): write(Q) returned -1, expected 5: Broken pipe
# Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (greylist): to error state
# Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (spamassassin): to error state
# Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (clamav): to error state
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: Milter \([[:alnum:]]+\): (to error state|write\(Q\) returned -1, expected 5: Broken pipe)
#Mar 30 15:36:53 nada sm-mta[12291]: u2U9XkgT020620: u2UDarTR012291: sender notify: Warning: could not send message for past 4 hours
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: [[:alnum:]]+: sender notify: Warning: could not send message for past 4 hours
#Mar 30 19:01:40 nada sm-mta[30590]: u2UGiH7o030590: collect: premature EOM: No route to host
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: collect: premature EOM: No route to host
#Apr 4 01:58:18 nada sm-mta[23839]: u33Nw9KS023839: Milter: to=webmex@hotmail.com%nada.wahlberg.se, reject=451 4.7.1 Greylisting in action, please come back later
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: Milter: to=[.@%[:alnum:]]+, reject=451 4.7.1 Greylisting in action, please come back later
#Apr 2 18:36:44 nada sm-mta[21418]: v32GagN8021418: Milter: data, reject=451 4.3.2 Please try again later
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: Milter: data, reject=451 4.3.2 Please try again later
#Apr 9 09:51:26 nada sm-mta[6169]: u397pP13006169: rejecting commands from [113.240.250.156] [113.240.250.156] due to pre-greeting traffic after 1 seconds
#Mar 23 19:07:02 nada sm-mta[20228]: v2NI71CW020228: rejecting commands from ec2-35-165-194-208.us-west-2.compute.amazonaws.com [35.165.194.208] due to pre-greeting traffic after 1 seconds
#Mar 23 23:44:38 nada sm-mta[17761]: v2NMibVZ017761: rejecting commands from ecs-160-44-202-130.reverse.open-telekom-cloud.com [160.44.202.130] due to pre-greeting traffic after 1 seconds
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: rejecting commands from (\[[.[:digit:]]+\]|[-.[:alnum:]]+) \[[.[:digit:]]+\] due to pre-greeting traffic after [[:digit:]]+ seconds
#Apr 15 10:25:06 nada sm-mta[23906]: u3F8P26J023665: u3F8P66I023906: DSN: Service unavailable
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: [[:alnum:]]+: DSN: Service unavailable
#Mar 17 11:32:29 nada sm-mta[775]: v2HAWQ2g000768: v2HAWT2f000775: DSN: Host unknown (Name server: hgadvokat.se: host not found)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: [[:alnum:]]+: DSN: Host unknown \(Name server:
#[-.[:alnum:]]+: host not found\)
#Apr 14 11:05:05 nada sm-mta[15662]: u3E955KV015662: li1068-122.members.linode.com [106.184.3.122]: probable open proxy: command=GET http://www.ipip.net/ HTTP/1.1\r\n
#Apr 20 15:10:44 nada sm-mta[5182]: u3KDAiZT005182: li1068-122.members.linode.com [106.184.3.122]: probable open proxy: command=GET / HTTP/1.1\r\n
#Mar 20 04:00:44 nada sm-mta[21983]: v2K30iPx021983: [180.163.2.117]: probable open proxy: command=GET / HTTP/1.1\r\n
#Apr 12 15:05:34 nada sm-mta[20644]: v3CD5WoV020644: [60.191.40.195]: probable open proxy: command=GET / HTTP/1.0\r\n
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: ([-.[:alnum:]]+ )?\[[.[:digit:]]+\]: probable open proxy: command=GET (http://www.ipip.net)?/ HTTP/1.(0|1)\\r\\n
#Oct 24 06:04:11 nada sm-mta[7813]: STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
#Oct 24 06:04:11 nada sm-mta[7813]: STARTTLS=client: 7813:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:757:
#Oct 24 17:54:12 nada sm-mta[11900]: STARTTLS=client: 11900:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:757:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS=client: [[:digit:]]+:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:757:
#Oct 24 06:04:11 nada sm-mta[7813]: ruleset=tls_server, arg1=SOFTWARE, relay=mail.adlibris.com, reject=403 4.7.0 TLS handshake failed.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: ruleset=tls_server, arg1=SOFTWARE, relay=[.[:alnum:]]+, reject=403 4.7.0 TLS handshake failed.
#Mar 4 09:14:31 nada sm-mta[25219]: v248EUKL025219: AUTH decode64 error [-5 for "Y2FzdG9yQHdhaGxiZXJnLnNlAGNhc3RvckB3YWhsYmVyZy5zZQBwb2tlbW9uDQ==\r"], relay=[156.67.106.207]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: AUTH decode64 error \[-5 for "Y2FzdG9yQHdhaGxiZXJnLnNlAGNhc3RvckB3YWhsYmVyZy5zZQBwb2tlbW9uDQ==\\r"\], relay=\[[.:[:digit:]]+\]
#Mar 6 23:47:37 nada sm-mta[11119]: v26MlObG011113: Fixed MIME Content-Type header field (possible attack)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: Fixed MIME Content-Type header field \(possible attack\)
#Mar 8 07:31:45 nada sm-mta[16598]: v286VitB016598: AUTH decode64 error [-5 for "Y2FzdG9yAGNhc3RvcgBwb2tlbW9uDQ==\r"], relay=[156.67.106.207]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: AUTH decode64 error \[-5 for "[=\\[:alnum:]]+"\], relay=\[[.:[:digit:]]+\]
#Mar 16 03:41:06 nada sm-mta[28708]: STARTTLS: write error=syscall error (-1), errno=32, get_error=error:00000000:lib(0):func(0):reason(0), retry=99, ssl_err=5
#Sep 12 10:27:41 nada sm-mta[4522]: STARTTLS: read error=syscall error (-1), errno=104, get_error=error:00000000:lib(0):func(0):reason(0), retry=1, ssl_err=5
#Sep 8 20:49:21 nada sm-mta[14243]: STARTTLS: read error=syscall error (-1), errno=110, get_error=error:00000000:lib(0):func(0):reason(0), retry=1, ssl_err=5
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS: (read|write) error=syscall error \(-1\), errno=[[:digit:]]+, get_error=error:00000000:lib\(0\):func\(0\):reason\(0\), retry=(1|99), ssl_err=5
#Apr 10 19:18:06 nada sendmail[17597]: v3AHI6dq017597: Authentication-Warning: nada.wahlberg.se: www-data set sender to katarina@happysthlm.se using -f
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sendmail\[[0-9]+\]: [[:alnum:]]+: Authentication-Warning: nada.wahlberg.se: www-data set sender to [.@[:alnum:]]+ using -f
#
# SPAMD
#
#Mar 9 15:31:44 nada spamd[27511]: bayes: cannot open bayes databases /var/lib/spamass-milter/.spamassassin/bayes_* R/W: lock failed: File exists
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: bayes: cannot open bayes databases /var/lib/spamass-milter/.spamassassin/bayes_\* R/W: lock failed: File exists
#Mar 23 13:36:12 nada spamd[3731]: pyzor: check failed: internal error, python traceback seen in response
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: pyzor: check failed: internal error, python traceback seen in response
#Mar 26 06:57:06 nada spamd[17910]: server socket setup failed, retry 1: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: server socket setup failed, retry [[:digit:]]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
#Mar 26 06:57:15 nada spamd[17910]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
#Mar 26 06:57:09 nada spamd[17905]: spamd: server started on port 783/tcp (running version 3.3.2)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server started on port 783/tcp \(running version [.[:digit:]]+\)
#Mar 26 06:57:05 nada spamd[10050]: spamd: server hit by SIGHUP, restarting
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server hit by SIGHUP, restarting
#Mar 26 06:57:05 nada spamd[10050]: spamd: child [23926] killed successfully: interrupted, signal 2 (0002)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: child \[[[:digit:]]+\] killed successfully: interrupted, signal 2 \(0002\)
#Mar 26 06:57:05 nada spamd.pid[10050]: spamd: restarting using '/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir --user-config -d --pidfile=/var/run/spamd.pid'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd.pid\[[0-9]+\]: spamd: restarting using '/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir --user-config -d --pidfile=/var/run/spamd.pid'
#Mar 9 06:51:00 nada spamassassin.pid --create-prefs --max-children 5 --helper-home-dir --user-config: spamd: restarting using '/usr/sbin/spamd -d --pidfile=/var/run/spamassassin.pid --create-prefs --max-children 5 --helper-home-dir --user-config'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamassassin.pid --create-prefs --max-children 5 --helper-home-dir --user-config: spamd: restarting using
#Mar 28 10:48:05 nada spamd[17905]: prefork: server reached --max-children setting, consider raising it
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: prefork: server reached --max-children setting, consider raising it
#Apr 2 06:38:03 nada spamd[16362]: rules: failed to run NO_DNS_FOR_FROM RBL test, skipping:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: rules: failed to run NO_DNS_FOR_FROM RBL test, skipping:
#Apr 27 00:44:20 nada spamd[23159]: razor2: razor2 check failed: Invalid argument razor2: razor2 had unknown error during get_server_info at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 185. at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 325.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: razor2: razor2 check failed: Invalid argument razor2: razor2 had unknown error during get_server_info at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 185. at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 325.
#Mar 2 07:21:44 nada spamc[16024]: connect to spamd on 127.0.0.1 failed, retrying (#1 of 3): Connection refused
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamc\[[0-9]+\]: connect to spamd on (127.0.0.1|::1) failed, retrying \(#(1|2) of 3\): Connection refused
#Apr 2 18:28:04 nada spamd[12078]: spamd: connection from localhost.localdomain [127.0.0.1]:57662 to port 783, fd 5
#Nov 16 07:08:39 nada spamd[20266]: spamd: connection from 127.0.0.1 [127.0.0.1]:49978 to port 783, fd 5
#Oct 29 09:03:40 nada spamd[11605]: spamd: connection from ::1 [::1]:33100 to port 783, fd 5
#Oct 29 09:08:44 nada spamd[11605]: spamd: connection from ::1 [::1]:38096 to port 783, fd 5
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: connection from (localhost.localdomain|127.0.0.1|::1) \[(127.0.0.1|::1)\]:[[:digit:]]+ to port 783, fd 5
#Apr 2 18:28:06 nada spamd[12078]: dns: reply to 9869/IN/A/22211110.com truncated (EDNS 4096 bytes), 89 answer records
#Apr 2 20:37:14 nada spamd[12078]: dns: reply to 52792/IN/TXT/freemediainternet.com truncated (EDNS 4096 bytes), 2 answer records
#Apr 2 21:13:53 nada spamd[12078]: dns: reply to 28509/IN/TXT/bronto.com truncated (EDNS 4096 bytes), 13 answer records
#Apr 11 00:55:11 nada spamd[13608]: dns: reply to 34774/IN/A/relayhi2.mysmtp.com truncated (EDNS 4096 bytes), 120 answer records
#Apr 16 16:46:57 nada spamd[17910]: dns: reply to 27982/IN/TXT/micro-campus.com truncated (EDNS 4096 bytes), 1 answer records
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: dns: reply to [[:digit:]]+\/IN\/(A|TXT)\/[-_.[:alnum:]]+ truncated \(EDNS 4096 bytes\), [[:digit:]]+ answer records
#Apr 2 19:45:30 nada spamd[12078]: spamd: result: Y 17 - BAYES_50,DATE_IN_PAST_96_XX,HTML_MESSAGE,MIMEOLE_DIRECT_TO_MX,MISSING_MID,PYZOR_CHECK,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_SBL_CSS,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_NONE,URIBL_BLACK scantime=1.8,size=1914,user=spamass-milter,uid=111,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=33068,mid=(unknown),bayes=0.499958,autolearn=no autolearn_force=no
#Apr 2 19:49:28 nada spamd[12078]: spamd: result: Y 11 - BAYES_50,DATE_IN_FUTURE_24_48,MISSING_MID,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_BRBL_LASTEXT,SPF_HELO_SOFTFAIL,URIBL_DBL_SPAM,URIBL_SBL_A scantime=2.5,size=3208,user=spamass-milter,uid=111,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=39030,mid=(unknown),bayes=0.508483,autolearn=no autolearn_force=no
#Apr 9 22:13:12 nada spamd[15599]: spamd: result: . 4 - BAYES_50,DATE_IN_FUTURE_96_Q,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,MISSING_MID,RP_MATCHES_RCVD,SPF_PASS scantime=2.6,size=11507,user=spamass-milter,uid=111,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45326,mid=(unknown),bayes=0.485144,autolearn=no autolearn_force=no
#Apr 14 13:41:44 nada spamd[3869]: spamd: result: . -2 - BAYES_00,DATE_IN_FUTURE_48_96,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FROM_EXCESS_BASE64,HTML_MESSAGE,MIME_HTML_ONLY,MISSING_MID,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,RP_MATCHES_RCVD,SPF_HELO_PASS scantime=2.1,size=34843,user=spamass-milter,uid=111,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=60296,mid=(unknown),bayes=0.000000,autolearn=ham autolearn_force=no
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: (.|Y) [-[:digit:]]+
#Mar 9 06:51:00 nada spamd[29947]: spamd: server socket closed, type IO::Socket::IP
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server socket closed, type IO::Socket::IP
#Mar 9 06:51:04 nada spamd[31055]: spamd: server started on IO::Socket::IP [127.0.0.1]:783 (running version 3.4.0)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server started on IO::Socket::IP \[127.0.0.1\]:783 \(running version 3.4.0\)
#Mar 9 06:51:02 nada spamd[31055]: zoom: able to use 345/345 'body_0' compiled rules (100%)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: zoom: able to use [[:digit:]]+/[[:digit:]]+ 'body_0' compiled rules \(100%\)
#Nov 16 07:08:09 nada spamd[15284]: util: setuid: ruid=111 euid=111 rgid=65534 65534 egid=65534 65534
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: util: setuid: ruid=111 euid=111 rgid=65534 65534 egid=65534 65534
#
# SSHD
#
#Mar 10 06:59:17 nada sshd(pam_google_authenticator)[3478]: Failed to read "/bin/.google_authenticator"
#May 19 10:39:19 nada sshd(pam_google_authenticator)[18265]: Failed to compute location of secret file
#May 19 14:05:07 nada sshd(pam_google_authenticator)[20232]: Did not receive verification code from user
#May 19 14:05:17 nada sshd(pam_google_authenticator)[20399]: Invalid verification code
#Feb 28 21:45:36 nada sshd(pam_google_authenticator)[26185]: Failed to update secret file "/root/.google_authenticator"
#Mar 3 12:57:42 nada sshd(pam_google_authenticator)[20838]: Failed to update secret file "/root/.google_authenticator"
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\(pam_google_authenticator\)\[[[:digit:]]+\]: (Failed to (read|update)( secret file)? \"[/[:alnum:]]+\/.google_authenticator\"|Invalid verification code|Failed to compute location of secret file|Did not receive verification code from user)
# Mar 10 11:12:56 nada sshd[26548]: Received disconnect from 94.102.49.198: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
# Apr 7 05:56:43 kvarnen sshd[2034]: error: Received disconnect from 212.83.191.8: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
# Mar 12 04:09:09 nada sshd[23908]: Received disconnect from 195.154.52.9: 3: java.net.SocketTimeoutException: Read timed out [preauth]
# Mar 8 12:09:30 nada sshd[26267]: Received disconnect from 199.91.135.158: 3: com.jcraft.jsch.JSchException: reject HostKey: 66.23.226.92 [preauth]
# Feb 28 03:09:57 nada sshd[30462]: Received disconnect from 47.89.188.218: 3: com.jcraft.jsch.JSchException: Auth cancel [preauth]
#Mar 3 21:19:31 marconi sshd[17576]: error: Received disconnect from 212.83.160.203 port 57458:3: com.jcraft.jsch.JSchException: Auth cancel [preauth]
#Mar 19 04:36:45 marconi sshd[26598]: error: Received disconnect from 46.165.220.212 port 52999:13: User request [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]:( error:)? Received disconnect from [.:[:digit:]]+( port [[:digit:]]+:|: )(3|13): (java.net.SocketTimeoutException|com.jcraft.jsch.JSchException|User request)(: )?(reject HostKey: [.:[:digit:]]+|Auth fail|Read timed out|Auth cancel)? \[preauth\]
#Mar 26 16:18:46 nada sshd[3298]: Received disconnect from 91.193.74.33: 11: Bye [preauth]
#Apr 7 13:59:42 nada sshd[19013]: Received disconnect from 2.234.148.20: 11: ok [preauth]
#Apr 3 12:26:03 nada sshd[15236]: Received disconnect from 125.212.232.83: 11: Closed due to user request. [preauth]
#May 14 10:15:47 nada sshd[26005]: Received disconnect from 115.239.230.223: 11: disconnect [preauth]
#Aug 17 10:52:11 nada sshd[24804]: Received disconnect from 89.97.55.33: 11: disconnected by user [preauth]
#Mar 17 07:29:31 nada sshd[7692]: Received disconnect from 178.162.211.197: 13: User request [preauth]
#Apr 2 16:50:49 nada sshd[1363]: Received disconnect from 58.218.199.145: 11: [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:digit:]]+: (11|13): (User request|disconnect(ed by user)?|ok|Bye|Closed due to user request.)? \[preauth\]
#Mar 24 11:06:21 kvarnen sshd[5495]: channel 4: open failed: administratively prohibited: open failed
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: channel [[:digit:]]: open failed: administratively prohibited: open failed
#Mar 10 11:22:52 kvarnen sshd[12813]: error: PAM: Cannot make/remove an entry for the specified session for illegal user support from 40.76.54.16
#Mar 30 14:57:07 nada sshd[8420]: error: PAM: Cannot make/remove an entry for the specified session for illegal user admin from d5152db40.static.telenet.be
#Mar 14 01:39:26 nada sshd[14346]: error: PAM: Cannot make/remove an entry for the specified session for root from 6e.a0.caa1.ip4.static.sl-reverse.com
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: Cannot make/remove an entry for the specified session for (illegal user )?[[:alnum:]]+ from [-.:[:alnum:]]+
#Mar 14 02:25:08 nada sshd[18347]: fatal: Read from socket failed: Connection reset by peer [preauth]
#Mar 6 04:03:02 nada sshd[11959]: fatal: Write failed: Connection reset by peer [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: (Read from socket|Write) failed: Connection reset by peer \[preauth\]
#Mar 13 10:10:06 kvarnen sshd[31901]: Disconnecting: Too many authentication failures for root from 74.74.67.164 port 43335 ssh2 [preauth]
#Feb 3 11:52:58 nada sshd[16082]: Disconnecting: Too many authentication failures for root [preauth]
#Apr 2 19:44:16 nada sshd[15909]: Disconnecting: Too many authentication failures for invalid user openvpn from 177.40.96.203 port 58746 ssh2 [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Too many authentication failures for (invalid user )?[[:alnum:]]+ (from [.:[:digit:]]+ port [[:digit:]]+ ssh2 )?\[preauth\]
#Mar 12 12:26:38 kvarnen sshd[6051]: fatal: no matching cipher found: client aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: no matching cipher found: client
#Mar 15 09:24:00 kvarnen sshd[3572]: Protocol major versions differ for 40.76.48.189: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u1 vs. SSH-1.5-NmapNSE_1.0
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Protocol major versions differ for [.:[:digit:]]+:
#Apr 10 20:46:18 nada sshd[6046]: pam_unix(sshd:auth): conversation failed
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): conversation failed
#May 11 19:13:29 nada sshd[10882]: pam_krb5(sshd:auth): authentication failure; logname=ai_luat uid=0 euid=0 tty=ssh ruser= rhost=218.200.188.213
#May 15 03:18:15 nada sshd[23461]: pam_krb5(sshd:auth): authentication failure; logname=.php uid=0 euid=0 tty=ssh ruser= rhost=59.0.85.43
#May 27 23:53:37 nada sshd[499]: pam_krb5(sshd:auth): authentication failure; logname=tbs#015 uid=0 euid=0 tty=ssh ruser= rhost=58.117.82.210
#May 28 00:22:32 nada sshd[4355]: pam_krb5(sshd:auth): authentication failure; logname=oliver#015 uid=0 euid=0 tty=ssh ruser= rhost=58.117.82.210
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_krb5\(sshd:auth\): authentication failure; logname=[.#_[:alnum:]]+ uid=0 euid=0 tty=ssh ruser= rhost=[.:[:digit:]]+
#Apr 10 20:50:19 nada sshd(pam_google_authenticator)[6490]: Trying to reuse a previously used time-based code. Retry again in 30 seconds. Warning! This might mean, you are currently subject to a man-in-the-middle attack
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\(pam_google_authenticator\)\[[[:digit:]]+\]: Trying to reuse a previously used time-based code. Retry again in 30 seconds. Warning! This might mean, you are currently subject to a man-in-the-middle attack
#May 11 01:17:42 kvarnen sshd[14739]: fatal: Unable to negotiate a key exchange method [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Unable to negotiate a key exchange method \[preauth\]
#Mar 17 09:44:38 marconi sshd[27920]: fatal: Unable to negotiate with 212.129.20.230 port 51562: no matching cipher found. Their offer: aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth]
#Feb 5 05:36:40 marconi sshd[12309]: Unable to negotiate with 36.255.159.233 port 65061: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]:( fatal:)? Unable to negotiate with [.[:digit:]]+ port [[:alnum:]]+: no matching cipher found. Their offer: .* \[preauth\]
#Apr 27 12:36:56 kvarnen sshd[26293]: Bad protocol version identification 'GET http://clientapi.ipip.net/echo.php?info=20160427185402 HTTP/1.1' from 106.184.2.29 port 7680
#May 13 16:59:50 kvarnen sshd[21380]: Bad protocol version identification '' from 171.13.14.52 port 59637
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification '.*' from [.:[:digit:]]+ port [[:digit:]]+
#May 5 10:08:49 nada sshd[4523]: fatal: no hostkey alg [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: no hostkey alg \[preauth\]
#Aug 16 19:28:06 nada sshd[12135]: Postponed keyboard-interactive/pam for invalid user admin from 75.149.180.141 port 65264 ssh2 [preauth]
#Aug 16 21:57:30 nada sshd[26976]: Postponed keyboard-interactive/pam for invalid user support from 103.207.36.244 port 59302 ssh2 [preauth]
#Mar 1 09:28:37 nada sshd[4919]: Postponed keyboard-interactive/pam for root from 218.65.30.43 port 23516 ssh2 [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Postponed keyboard-interactive/pam for( invalid user)? [[:alnum:]]+ from [.:[:digit:]]+ port [[:digit:]]+ ssh2 \[preauth\]
#Apr 22 14:23:22 nada sshd[19599]: subsystem request for sftp by user petter
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user [[:alnum:]]+
#May 28 00:22:32 nada sshd[4355]: input_userauth_request: invalid user oliver\\r [preauth]
#Mar 4 07:38:01 nada sshd[15794]: input_userauth_request: invalid user [preauth]
#Sep 9 06:55:41 marconi sshd[11486]: input_userauth_request: invalid user 0101 [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: input_userauth_request: invalid user ([ ._[:alnum:]]+(\\\\r| )?) \[preauth\]
#Apr 21 16:11:24 nada sshd[20234]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=host.94.220.181.95.rev.numer.gy user=root
#Oct 24 06:33:25 nada sshd[10577]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-68-161-233-215.ny325.east.verizon.net user=lp
#Nov 3 00:10:37 nada sshd[29893]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=host26-153-static.37-88-b.business.telecomitalia.it user=root
#Nov 3 03:00:15 nada sshd[12808]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-200-105-158-166.acelerate.net user=root
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=[-.[:alnum:]]+ user=[[:alnum:]]+
#Mar 1 03:03:26 nada sshd[28313]: fatal: Write failed: Broken pipe [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Write failed: Broken pipe \[preauth\]
#Mar 6 22:43:34 nada sshd[4306]: Disconnecting: Packet corrupt [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Packet corrupt \[preauth\]
#Mar 6 22:43:34 nada sshd[4306]: Bad packet length 4081589265. [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad packet length [[:digit:]]+. \[preauth\]
#Mar 8 03:17:11 nada sshd[23415]: Received disconnect from 91.195.103.166: 11: Client disconnecting normally [preauth]
|
|
#Mar 7 19:37:07 nada sshd[9647]: Received disconnect from 91.195.103.173: 11: Client disconnecting normally [preauth]
|
|
#Mar 9 15:08:55 marconi sshd[25800]: Received disconnect from 61.158.188.21 port 59944:11: ok [preauth]
|
|
#Mar 9 15:22:40 marconi sshd[29305]: Received disconnect from 202.163.123.135 port 59164:11: ok [preauth]
|
|
#Apr 16 07:45:39 nada sshd[31491]: error: Received disconnect from 37.229.184.255: 2: Handshake failed [preauth]
|
|
#Apr 13 09:47:05 marconi sshd[695]: error: Received disconnect from 37.229.184.255 port 61294:2: Handshake failed [preauth]
|
|
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [.:[:digit:]]+(:)? (port [[:digit:]]+:)?(11|2): (Client disconnecting normally|ok|Handshake failed) \[preauth\]
|
|
|
|
#Sep 9 06:55:41 marconi sshd[11486]: Invalid user 0101 from 91.197.232.109
|
|
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Invalid user ([ -@.[:alnum:]]+)? from [.:[:digit:]]+
|
|
|
|
#Sep 11 11:32:09 cocacola sshd[5924]: Received disconnect from 5.189.139.2: 11: Normal Shutdown, Thank you for playing [preauth]
|
|
#Sep 8 13:32:49 marconi sshd[20127]: Received disconnect from 103.27.239.143 port 40512:11: Normal Shutdown, Thank you for playing [preauth]
|
|
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.[:alnum:]]+
|
|
(: port )?[.:[:digit:]]+: Normal Shutdown, Thank you for playing \[preauth\]
|
|
|
|
# Apr 18 17:29:30 nada internal-sftp[9277]: session opened for local user petter from [212.16.177.66]
|
|
# Apr 18 17:29:31 nada internal-sftp[9277]: opendir "/home/petter/www.lidberg.se/mazda/Old"
|
|
# Apr 18 17:29:31 nada internal-sftp[9277]: closedir "/home/petter/www.lidberg.se/mazda/Old"
|
|
# Apr 18 17:29:38 nada internal-sftp[9277]: open "/home/petter/www.lidberg.se/mazda/Old/demo.html" flags READ mode 0666
|
|
# Apr 18 17:29:38 nada internal-sftp[9277]: close "/home/petter/www.lidberg.se/mazda/Old/demo.html" bytes read 3754 written 0
|
|
# Apr 18 17:33:38 nada internal-sftp[9277]: session closed for local user petter from [212.16.177.66]
|
|
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ internal-sftp\[[[:digit:]]+\]:
|
|
|
|
#May 3 18:14:45 nada sshd[30553]: error: Received disconnect from 178.215.81.7: 14: No more user authentication methods available. [preauth]
|
|
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Received disconnect from [.:[:digit:]]+: 14: No more user authentication methods available. \[preauth\]
|
|
|
|
|
|
|
|
|
|
|
|
#
# SUHOSIN
#

#Mar 11 21:08:21 nada suhosin[30831]: ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker '91.121.230.152', file '/home/happysthlm/www.happysthlm.se/wp/xmlrpc.php')
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - dropped [[:digit:]]+ request variables - \([[:digit:]]+ in GET, [[:digit:]]+ in POST, [[:digit:]]+ in COOKIE\) \(attacker '[.[:digit:]]+', file '.*'\)

#Mar 11 21:10:17 nada suhosin[30832]: ALERT - configured request variable name length limit exceeded - dropped variable
#Aug 23 06:06:16 nada suhosin[4003]: ALERT - configured GET variable value length limit exceeded - dropped variable 'page' (attacker '216.172.189.152', file '/home/fredrik/www.wahlis.com/dnsupdate/man.php')
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - configured (GET|request) variable (value|name) length limit exceeded - dropped variable

#Apr 19 21:14:31 nada suhosin[28060]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'file' (attacker '62.210.203.159', file '/home/happysthlm/www.happysthlm.se/index.php')
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'file' \(attacker '[.[:digit:]]+', file '.*'\)

#
# Systemd
#

#Oct 13 08:31:17 kvarnen systemd[1]: Starting Cleanup of Temporary Directories...
#Oct 13 08:31:17 kvarnen systemd[1]: Started Cleanup of Temporary Directories.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: (Started|Starting) Cleanup of Temporary Directories\.{1,3}

#Apr 11 06:47:59 nada systemd: pam_unix(systemd-user:session): session opened for user nobody by (uid=0)
#Apr 11 06:48:04 nada systemd: pam_unix(systemd-user:session): session closed for user nobody
#Apr 18 17:29:30 nada systemd: pam_unix(systemd-user:session): session opened for user petter by (uid=0)
#Apr 18 17:33:38 nada systemd: pam_unix(systemd-user:session): session closed for user petter
#Apr 11 15:12:51 nada systemd: pam_unix(systemd-user:session): session closed for user fredrik
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session (opened|closed) for user (nobody|fredrik|petter)( by \(uid=0\))?

#Apr 11 06:47:59 nada systemd-logind[306]: Existing logind session ID 264242 used by new audit session, ignoring
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Existing logind session ID [[:digit:]]+ used by new audit session, ignoring

#Apr 11 06:47:59 nada systemd-logind[306]: New session c12 of user nobody.
#Apr 11 06:47:59 nada systemd-logind[306]: Removed session c12.
#Apr 11 10:58:01 nada systemd-logind[306]: New session c14 of user fredrik.
#Apr 11 11:04:24 nada systemd-logind[306]: New session c15 of user fredrik.
#Apr 18 17:29:30 nada systemd-logind[305]: New session c36 of user petter.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: (Removed session [[:alnum:]]+\.|New session [[:alnum:]]+ of user (nobody|fredrik|petter)\.)

#Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ fredrik\[[[:digit:]]+\]: Kontrollrad\. Syns detta har vi problem\.\.\.