Hier das zweite Update meiner logcheck Regeln. Aktuell nutze ich logcheck 1.3.17 unter Debian GNU/Linux 8.
diff --git a/logcheck/ignore.d.server/amavisd-new b/logcheck/ignore.d.server/amavisd-new index fb794bd..a6121f3 100644 --- a/logcheck/ignore.d.server/amavisd-new +++ b/logcheck/ignore.d.server/amavisd-new @@ -3,5 +3,5 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) NOTICE: Not sending DSN in response to bulk mail from <[^.]*> containing [[:upper:] ]+, mail intentionally dropped$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) INFO: unfolded [[:digit:]]+ illegal all-whitespace continuation lines$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) WARN: address modified \((sender|recipient)\): <[^>]+> -> <[^>]+>$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (BAD-HEADER-[[:digit:]]|UNCHECKED|CLEAN|SPAM(MY)?) {(RelayedInbound|RelayedTaggedInbound|RelayedOpenRelay|RelayedInternal)(,Quarantined)?},( LOCAL)? (\[[.[:digit:]]+\]:[[:digit:]]+ )?(\[[.:[:alnum:]]+\] )?<([._-=@[:alnum:]]+)?> -> <([._-=@[:alnum:]]+)?>,( quarantine: [._-=/@[:alnum:]]+,)? (Queue-ID: [[:alnum:]]+, )?(Message-ID: <.*>, )?mail_id: [-_[:alnum:]]+, Hits: -?[.[:xdigit:]]*, size: [[:digit:]]+, queued_as: [_[:alnum:]]+, [[:digit:]]+ ms$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (BAD-HEADER-[[:digit:]]|UNCHECKED|CLEAN|SPAM(MY)?|UNCHECKED-ENCRYPTED) {(RelayedInbound|RelayedTaggedInbound|RelayedOpenRelay|RelayedInternal)(,Quarantined)?},( LOCAL)? (\[[.[:digit:]]+\]:[[:digit:]]+ )?(\[[.:[:alnum:]]+\] )?<([._-=@[:alnum:]]+)?> -> <([._-=@[:alnum:]]+)?>,( quarantine: [._-=/@[:alnum:]]+,)? (Queue-ID: [[:alnum:]]+, )?(Message-ID: <.*>, )?mail_id: [-_[:alnum:]]+, Hits: -?[.[:xdigit:]]*, size: [[:digit:]]+, queued_as: [_[:alnum:]]+, [[:digit:]]+ ms$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Blocked BANNED \(.*\) {(No)?BouncedInbound,Quarantined}, (\[[.[:digit:]]+\]:[[:digit:]]+ )?(\[[.:[:alnum:]]+\] )?<([._-=@[:alnum:]]+)?> -> <([._-=@[:alnum:]]+)?>, (quarantine: [[:alnum:]]/.*, )?(Queue-ID: [[:alnum:]]+, )?(Message-ID: <[._-$%@[:alnum:]]+>, )?mail_id: [-_[:alnum:]]+, Hits: -?[.[:xdigit:]]*, size: [[:digit:]]+, (queued_as: [_[:alnum:]]+, )?[[:digit:]]+ ms$ diff --git a/logcheck/ignore.d.server/clamav-freshclam b/logcheck/ignore.d.server/clamav-freshclam index 73df35f..2608bd3 100644 --- a/logcheck/ignore.d.server/clamav-freshclam +++ b/logcheck/ignore.d.server/clamav-freshclam @@ -1,6 +1,6 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: ClamAV update process started at .*$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Received signal: (wake up|re-opening log file)$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: (daily|main)\.c(l|v)d (is up to date|updated) \(version: [0-9]+, sigs: [0-9]+, f-level: [0-9]+, builder: \w+\)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: (bytecode|daily|main)\.c(l|v)d (is up to date|updated) \(version: [0-9]+, sigs: [0-9]+, f-level: [0-9]+, builder: \w+\)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Clamd successfully notified about the update\.$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: --------------------------------------$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: Database updated \([0-9]+ signatures\) from .* \(IP: [0-9.]+\)$ diff --git a/logcheck/ignore.d.server/dovecot b/logcheck/ignore.d.server/dovecot index 643a4e4..047fb97 100644 --- a/logcheck/ignore.d.server/dovecot +++ b/logcheck/ignore.d.server/dovecot @@ -28,4 +28,5 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: (Disconnected|Aborted login)(: Inactivity)? \( ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Disconnected ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lda\([-_.@[:alnum:]]+\): sieve: msgid=.*: stored mail into mailbox '[-.[:alnum:]]+'$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lda\([-_.@[:alnum:]]+\): sieve: msgid=.*: marked message to be discarded if not explicitly delivered \(discard action\)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth-worker\([-_.[:alnum:]]+\): (pg|my)sql\([.:[:xdigit:]]+\): Connected to database [-_.[:alnum:]]+$ diff --git a/logcheck/ignore.d.server/apache b/logcheck/ignore.d.server/apache index 9faac7e..040caa2 100644 --- a/logcheck/ignore.d.server/apache +++ b/logcheck/ignore.d.server/apache @@ -1 +1,2 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ apache: nss_ldap: reconnect(ing|ed) to LDAP server(\.\.\.| after [0-9]+ attempt\(s\))$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ apache2\[[0-9]+\]: Reloading web server: apache2.$ diff --git a/logcheck/ignore.d.server/rsyslog b/logcheck/ignore.d.server/rsyslog index 171f20e..594b869 100644 --- a/logcheck/ignore.d.server/rsyslog +++ b/logcheck/ignore.d.server/rsyslog @@ -3,3 +3,5 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] start$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] exiting on signal [0-9]+.$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd(-)?[0-9]+: action 'action 17' resumed \(module 'builtin:ompipe'\) \[try http://www.rsyslog.com/e/[0-9]+ \]$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd(-)?[0-9]+: action 'action 17' suspended, next retry is \w{3} \w{3} [ :0-9]{16} \[try http://www.rsyslog.com/e/[0-9]+ \]$ Neu hinzugekommen ist eine Datei für systemd und systemd-login mit dem folgenden Inhalt:
...