langner · January 7, 2017 19:48
diff --git a/logcheck_ubuntu b/logcheck_ubuntu
 # amavis messages
 amavis\[[0-9]+\]: \([-0-9]+\) Passed (CLEAN|BAD-HEADER|SPAM|BANNED)

 # avahi daemon: warnings about invalid repsonses and such
 avahi-daemon\[[0-9]+\]: Invalid (query packet|legacy unicast query packet|response packet from host)
 avahi-daemon\[[0-9]+\]: Received response from host [.0-9]+ with invalid source port [0-9]+ on interface         
 avahi-daemon\[[0-9]+\]:( last)? message repeated [0-9]+ times
 avahi-daemon\[[0-9]+\]: server.c: Packet too short or invalid while reading response record.
 avahi-daemon\[[0-9]+\]: dbus-protocol.c: Too many objects for client

 # bind messages about misconfigured servers
 named\[[0-9]+\]: DNS format error
 named\[[0-9]+\]: (  )?( )?( )?( )?validating
 named\[[0-9]+\]: clients-per-query (in|de)creased to
 named\[[0-9]+\]: error \(.*\) resolving
 named\[[0-9]+\]: last message repeated [0-9] times

 # console-kit: harmless as per http://stackoverflow.com/questions/23199699/glib-critical-source-id-xxx-was-not-found-when-attempting-to-remove-it
 console-kit-daemon\[[0-9]+\]: GLib-CRITICAL: Source ID [0-9]+ was not found when attempting to remove it

 # dbus cruft
 dbus\[[0-9]+\]: \[system\] Reloaded configuration
 dbus\[[0-9]+\]: last message repeated [0-9] times

 # iptables denied packets
 kernel: \[[.0-9]+] iptables denied

 # kernel RAID messages
 kernel: \[[.0-9]+\] 3w-sas: scsi[0-9]: AEN: INFO \([x0-9A-Z]+\): Verify (started|completed):unit
 kernel: \[[.0-9]+\] 3w-sas: scsi[0-9]: AEN: INFO \(0x04:0x005[56]\): Battery charging (started|completed)
 Server_Administrator: [0-9]+ [0-9]+ - Storage Service( )? Controller log file entry:( )? Controller 0 \(PERC H710 Mini\)
 Server Administrator: Storage Service EventID: [0-9]+  The Patrol Read has (started|stopped).

 # kernel net_ratelimit messages caused by curropted UDP packets being dropped
 kernel: \[[.0-9]+\] net_ratelimit: [0-9]+ callbacks suppressed

 # ldap: harmless messages according to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631932
 slapcat: DIGEST-MD5 common mech free

 # nfs: expected authenticated mount requests and unauthorized requests
 rpc.mountd\[[0-9]+\]: authenticated (un)?mount request from \w+ for \w+
 rpc.idmapd\[[0-9]+\]: dirscancb: open\(/run/rpc_pipefs/nfs/clnt195\): No such file or directory
 rpcbind: connect from [.0-9]+ to dump\(\): request from unauthorized host
 rpcbind: warning: /etc/hosts.allow, line [0-9]+: host name/address mismatch:

 # nfs: timeouts related to RAID devices
 kernel: \[[.0-9]+\] nfs: server [a-z0-9]+ not responding, timed out
 kernel: \[[.0-9]+\] RPC: AUTH_GSS upcall failed. Please check user daemon is running.

 # NetworkManager: known bug
 NetworkManager\[[0-9]+\]: <info> Unmanaged Device found; state CONNECTED forced. \(see http://bugs.launchpad.net/bugs/191889\)

 # openvpn messages
 ovpn-\w+\[[0-9]+\]: VERIFY OK: depth=[01], C=[A-Z]{2}, ST=[A-Z]{2}, L=\w+, O=\w+, CN=\w+( CA)?, emailAddress=\w+

 # os-prober messages
 os-prober: debug: [/a-z0-9]+: (is active|part of)
 os-prober: debug: running /usr/lib/os-probes/(mounted/)?[-0-9a-z]+ on( mounted)? [/a-z0-9]+
 os-prober: debug: os detected by /usr/lib/os-probes/[-0-9a-z]+
 [-0-9a-z]+: debug: [/a-z0-9]+ is (not )?a(n)? [+A-Za-z0-9]+ partition
 mounted-tests: debug: [/a-z0-9]+ type not recognised; skipping

 # portmap: trying to use IPv6
 kernel: \[[.0-9]+\] svc: failed to register lockdv1 RPC service \(errno 97\)

 # postfix warnings
 postfix/smtpd\[[0-9]+\]: warning: hostname [-.0-9a-zA-Z]+ does not resolve to address [.0-9]+
 postfix/smtpd\[[0-9]+\]: warning: [-.a-zA-Z0-9]+\[[.0-9]+\]: SASL login authentication failed
 postfix/smtpd\[[0-9]+\]: improper command pipelining after EHLO from unknown
 postfix/smtpd\[[0-9]+\]: last message repeated [0-9]+ times
 postfix/smtpd\[[0-9]+\]: SSL_accept error from unknown

 # roundcube messages
 roundcube: User [-._@a-zA-Z0-9]+ \[[.0-9]+\]; Message for
 roundcube: IMAP Error: Login failed for [-._@a-zA-Z0-9]+ from [.0-9]+. LOGIN: Authentication failed.

 # rsyslogd repeats
 rsyslogd: last message repeated [0-9]+ times

 # samba denied messages
 smbd\[[0-9]+\]:   Denied connection from
 smbd\[[0-9]+\]: \[[/0-9]+ [.:0-9]+, [ 0-9]+] lib/access.c:[0-9]+\(allow_access\)

 # ssh generally benign messages
 sshd\[[0-9]+\]: Accepted publickey for \w+ from [.0-9]+
 sshd\[[0-9]+\]: Connection closed by [.0-9]+ \[preauth\]
 sshd\[[0-9]+\]: subsystem request for sftp by user
 sshd\[[0-9]+\]: error: listen: Address already in use
 sshd\[[0-9]+\]: Received disconnect from

 # systemd rules (from https://wiki.debian.org/systemd/logcheck, extended slightly)
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Starting|Started) Session [[:digit:]]+ of user [^[:space:]]+\.$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: (Reexecuting|Reloading)\.$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: systemd [[:digit:]]+ running in system mode. \((\+[[:alnum:]]+ ?)+\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Expecting device [^[:space:]]+\.device\.\.\.$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing|ed) Cleanup of Temporary Directories\.+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing|ed) Run anacron jobs\.+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [a-z0-9]+ of user [^[:space:]]+\.$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Removed session [a-z0-9]+\.$
	# amavis messages
	amavis\[[0-9]+\]: \([-0-9]+\) Passed (CLEAN\|BAD-HEADER\|SPAM\|BANNED)

	# avahi daemon: warnings about invalid repsonses and such
	avahi-daemon\[[0-9]+\]: Invalid (query packet\|legacy unicast query packet\|response packet from host)
	avahi-daemon\[[0-9]+\]: Received response from host [.0-9]+ with invalid source port [0-9]+ on interface
	avahi-daemon\[[0-9]+\]:( last)? message repeated [0-9]+ times
	avahi-daemon\[[0-9]+\]: server.c: Packet too short or invalid while reading response record.
	avahi-daemon\[[0-9]+\]: dbus-protocol.c: Too many objects for client

	# bind messages about misconfigured servers
	named\[[0-9]+\]: DNS format error
	named\[[0-9]+\]: ( )?( )?( )?( )?validating
	named\[[0-9]+\]: clients-per-query (in\|de)creased to
	named\[[0-9]+\]: error \(.*\) resolving
	named\[[0-9]+\]: last message repeated [0-9] times

	# console-kit: harmless as per http://stackoverflow.com/questions/23199699/glib-critical-source-id-xxx-was-not-found-when-attempting-to-remove-it
	console-kit-daemon\[[0-9]+\]: GLib-CRITICAL: Source ID [0-9]+ was not found when attempting to remove it

	# dbus cruft
	dbus\[[0-9]+\]: \[system\] Reloaded configuration
	dbus\[[0-9]+\]: last message repeated [0-9] times

	# iptables denied packets
	kernel: \[[.0-9]+] iptables denied

	# kernel RAID messages
	kernel: \[[.0-9]+\] 3w-sas: scsi[0-9]: AEN: INFO \([x0-9A-Z]+\): Verify (started\|completed):unit
	kernel: \[[.0-9]+\] 3w-sas: scsi[0-9]: AEN: INFO \(0x04:0x005[56]\): Battery charging (started\|completed)
	Server_Administrator: [0-9]+ [0-9]+ - Storage Service( )? Controller log file entry:( )? Controller 0 \(PERC H710 Mini\)
	Server Administrator: Storage Service EventID: [0-9]+ The Patrol Read has (started\|stopped).

	# kernel net_ratelimit messages caused by curropted UDP packets being dropped
	kernel: \[[.0-9]+\] net_ratelimit: [0-9]+ callbacks suppressed

	# ldap: harmless messages according to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631932
	slapcat: DIGEST-MD5 common mech free

	# nfs: expected authenticated mount requests and unauthorized requests
	rpc.mountd\[[0-9]+\]: authenticated (un)?mount request from \w+ for \w+
	rpc.idmapd\[[0-9]+\]: dirscancb: open\(/run/rpc_pipefs/nfs/clnt195\): No such file or directory
	rpcbind: connect from [.0-9]+ to dump\(\): request from unauthorized host
	rpcbind: warning: /etc/hosts.allow, line [0-9]+: host name/address mismatch:

	# nfs: timeouts related to RAID devices
	kernel: \[[.0-9]+\] nfs: server [a-z0-9]+ not responding, timed out
	kernel: \[[.0-9]+\] RPC: AUTH_GSS upcall failed. Please check user daemon is running.

	# NetworkManager: known bug
	NetworkManager\[[0-9]+\]: <info> Unmanaged Device found; state CONNECTED forced. \(see http://bugs.launchpad.net/bugs/191889\)

	# openvpn messages
	ovpn-\w+\[[0-9]+\]: VERIFY OK: depth=[01], C=[A-Z]{2}, ST=[A-Z]{2}, L=\w+, O=\w+, CN=\w+( CA)?, emailAddress=\w+

	# os-prober messages
	os-prober: debug: [/a-z0-9]+: (is active\|part of)
	os-prober: debug: running /usr/lib/os-probes/(mounted/)?[-0-9a-z]+ on( mounted)? [/a-z0-9]+
	os-prober: debug: os detected by /usr/lib/os-probes/[-0-9a-z]+
	[-0-9a-z]+: debug: [/a-z0-9]+ is (not )?a(n)? [+A-Za-z0-9]+ partition
	mounted-tests: debug: [/a-z0-9]+ type not recognised; skipping

	# portmap: trying to use IPv6
	kernel: \[[.0-9]+\] svc: failed to register lockdv1 RPC service \(errno 97\)

	# postfix warnings
	postfix/smtpd\[[0-9]+\]: warning: hostname [-.0-9a-zA-Z]+ does not resolve to address [.0-9]+
	postfix/smtpd\[[0-9]+\]: warning: [-.a-zA-Z0-9]+\[[.0-9]+\]: SASL login authentication failed
	postfix/smtpd\[[0-9]+\]: improper command pipelining after EHLO from unknown
	postfix/smtpd\[[0-9]+\]: last message repeated [0-9]+ times
	postfix/smtpd\[[0-9]+\]: SSL_accept error from unknown

	# roundcube messages
	roundcube: User [-._@a-zA-Z0-9]+ \[[.0-9]+\]; Message for
	roundcube: IMAP Error: Login failed for [-._@a-zA-Z0-9]+ from [.0-9]+. LOGIN: Authentication failed.

	# rsyslogd repeats
	rsyslogd: last message repeated [0-9]+ times

	# samba denied messages
	smbd\[[0-9]+\]: Denied connection from
	smbd\[[0-9]+\]: \[[/0-9]+ [.:0-9]+, [ 0-9]+] lib/access.c:[0-9]+\(allow_access\)

	# ssh generally benign messages
	sshd\[[0-9]+\]: Accepted publickey for \w+ from [.0-9]+
	sshd\[[0-9]+\]: Connection closed by [.0-9]+ \[preauth\]
	sshd\[[0-9]+\]: subsystem request for sftp by user
	sshd\[[0-9]+\]: error: listen: Address already in use
	sshd\[[0-9]+\]: Received disconnect from

	# systemd rules (from https://wiki.debian.org/systemd/logcheck, extended slightly)
	^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Starting\|Started) Session [[:digit:]]+ of user [^[:space:]]+\.$
	^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: (Reexecuting\|Reloading)\.$
	^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: systemd [[:digit:]]+ running in system mode. \((\+[[:alnum:]]+ ?)+\)$
	^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Expecting device [^[:space:]]+\.device\.\.\.$
	^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing\|ed) Cleanup of Temporary Directories\.+$
	^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing\|ed) Run anacron jobs\.+$
	^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [a-z0-9]+ of user [^[:space:]]+\.$
	^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Removed session [a-z0-9]+\.$