author | Hendrik Jäger <gitcommit@henk.geekmail.org> | 2023-09-10 13:54:22 +0200 |
committer | Hendrik Jäger <gitcommit@henk.geekmail.org> | 2023-09-10 13:54:22 +0200 |
commit | 3d84a41ae6e55b86905288c7f83749c2fbf81ed8 (patch) | |
tree | e95e3791ea75822002df6c98cce52b006f7fcd27 /files/etc/logcheck | |
parent | a048e398919c962d31eb1c26abf896b1854ce994 (diff) |
update rules
Diffstat (limited to 'files/etc/logcheck')
-rw-r--r-- | files/etc/logcheck/ignore.d.server/local-dovecot | 23 |
1 files changed, 16 insertions, 7 deletions
diff --git a/files/etc/logcheck/ignore.d.server/local-dovecot b/files/etc/logcheck/ignore.d.server/local-dovecot
index d9eb761..2283d3a 100644
--- a/files/etc/logcheck/ignore.d.server/local-dovecot
+++ b/files/etc/logcheck/ignore.d.server/local-dovecot
@@ -2,12 +2,21 @@
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auth: pam_unix\(dovecot:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=[-_.@[:alnum:]]* rhost=[.:[:xdigit:]]* user=[-_.@[:alnum:]]+$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auth: pam_unix\(dovecot:[[:alnum:]]+\): check pass; user unknown$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: auth-worker\([-_.[:alnum:]]+\): pam\([[:alnum:]]+,[[:digit:].]+\): unknown user$
-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?: Connection closed(: Connection reset by peer)?( bytes=[[:digit:]]+/[[:digit:]]+| in=[[:digit:]]+ out=[[:digit:]]+)?$
-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?: Connection closed \(No commands sent\) in=[[:digit:]]+ out=[[:digit:]]+( deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+)?$
-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?:( Disconnected:)? Connection closed(: read\(size=[[:digit:]]+\) failed: Connection reset by peer)? \((UID FETCH|IDLE) running for [[:digit:].]+ \+ waiting input for [[:digit:].]+ secs,( [[:digit:].]+ in locks,)? [[:digit:]]+ B in \+ [[:digit:]]+(\+[[:digit:]]+)? B out, state=wait-input\) in=[[:digit:]]+ out=[[:digit:]]+( deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+)?$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)<[[:digit:]]+><[[:alnum:]+/]+>: Connection closed$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed bytes=[[:digit:]]+/[[:digit:]]+| in=[[:digit:]]+ out=[[:digit:]]+$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)<[[:digit:]]+><[[:alnum:]+/]+>: Connection closed bytes=[[:digit:]]+/[[:digit:]]+| in=[[:digit:]]+ out=[[:digit:]]+$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed: Connection reset by peer$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed: Connection reset by peer bytes=[[:digit:]]+/[[:digit:]]+| in=[[:digit:]]+ out=[[:digit:]]+$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)<[[:digit:]]+><[[:alnum:]+/]+>: Connection closed: Connection reset by peer$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)<[[:digit:]]+><[[:alnum:]+/]+>: Connection closed: Connection reset by peer bytes=[[:digit:]]+/[[:digit:]]+| in=[[:digit:]]+ out=[[:digit:]]+$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed \(No commands sent\) in=[[:digit:]]+ out=[[:digit:]]+$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed \(No commands sent\) in=[[:digit:]]+ out=[[:digit:]]+ deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)<[[:digit:]]+><[[:alnum:]+/]+>: Connection closed \(No commands sent\) in=[[:digit:]]+ out=[[:digit:]]+( deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+)?$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?:( Disconnected:)? Connection closed(: read\(size=[[:digit:]]+\) failed: Connection reset by peer)? \([[:alpha:] ]+ finished [[:digit:].]+ secs ago\) in=[[:digit:]]+ out=[[:digit:]]+( deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+)?$
-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?: Disconnected(: Logged out| for inactivity|: Disconnected| in [[:upper:]]+|: Too many invalid IMAP commands\.)?( in IDLE)? in=[[:digit:]]+ out=[[:digit:]]+( deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+)?$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?:( Disconnected:)? Connection closed(: read\(size=[[:digit:]]+\) failed: Connection reset by peer)? \((UID FETCH|IDLE) running for [[:digit:].]+ \+ waiting input for [[:digit:].]+ secs,( [[:digit:].]+ in locks,)? [[:digit:]]+ B in \+ [[:digit:]]+(\+[[:digit:]]+)? B out, state=wait-input\) in=[[:digit:]]+ out=[[:digit:]]+( deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+)?$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?: Disconnected: Inactivity - no input for 1800 secs in=[[:digit:]]+ out=[[:digit:]]+( deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+)?$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?: Disconnected(: Logged out| for inactivity|: Disconnected| in [[:upper:]]+|: Too many invalid IMAP commands\.)?( in IDLE)? in=[[:digit:]]+ out=[[:digit:]]+( deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+)?$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?: Logged out in=[[:digit:]]+ out=[[:digit:]]+( deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+)?$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: lda\([[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?: msgid=([[:alnum:]":<>{}@?=+/.,_!&\$%#~-]+( \(added by.*postmaster@[[:alnum:].-]+\))?|unspecified): saved mail to [[:alnum:]/._-]+$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: lda\([[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?: sieve: msgid=(\? )?([[:alnum:]":<>{}@?=+/.,_!&\$%#~-]+( \(added by.*postmaster@[[:alnum:].-]+\))?|unspecified):( fileinto action:)? stored mail into mailbox '[^[:space:]]+'$
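Review bot: The four new `Connection closed … bytes=[[:digit:]]+/[[:digit:]]+| in=[[:digit:]]+ out=[[:digit:]]+$` rules in this hunk drop the grouping parentheses of the old rule but keep the `|`, so the alternation is now at top level: each rule reads as `^…Connection closed bytes=N/N` (no `$`) OR ` in=N out=N$` (no `^`). logcheck applies these files as extended regexes against the whole log stream, so the second alternative suppresses any line from any service that ends in ` in=<digits> out=<digits>`, including dovecot disconnects with reasons this file never meant to ignore — an over-broad ignore is exactly how a logcheck deployment goes quiet on things it should report. Wrap the two alternatives back into a group, e.g. `Connection closed( bytes=[[:digit:]]+/[[:digit:]]+| in=[[:digit:]]+ out=[[:digit:]]+)$`, or split each into two fully anchored lines in the one-variant-per-line style the rest of the hunk uses; the two `: Connection reset by peer` variants need the same change.
```regex
# … unchanged: pam_unix / auth-worker rules and the plain "Connection closed$" variants …
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed( bytes=[[:digit:]]+/[[:digit:]]+| in=[[:digit:]]+ out=[[:digit:]]+)$
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)<[[:digit:]]+><[[:alnum:]+/]+>: Connection closed( bytes=[[:digit:]]+/[[:digit:]]+| in=[[:digit:]]+ out=[[:digit:]]+)$
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed: Connection reset by peer( bytes=[[:digit:]]+/[[:digit:]]+| in=[[:digit:]]+ out=[[:digit:]]+)$
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)<[[:digit:]]+><[[:alnum:]+/]+>: Connection closed: Connection reset by peer( bytes=[[:digit:]]+/[[:digit:]]+| in=[[:digit:]]+ out=[[:digit:]]+)$
# … unchanged: "No commands sent", "finished … secs ago", Disconnected / Logged out and lda rules …
```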
@@ -58,9 +67,9 @@
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(((no auth( attempts in [[:digit:]]+ secs)?|auth failed, [[:digit:]]+) attempts in [[:digit:]]+ secs|client didn't finish SASL auth, waited 0 secs|disconnected before auth was ready, waited [[:digit:]] secs)?\): user=<[[:alnum:]@_.-]*>, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, TLS( handshaking)?(:)? SSL_(accept|read)\(?\)? failed: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low, session=<[[:alnum:]/+]+>$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(((no auth( attempts in [[:digit:]]+ secs)?|auth failed, [[:digit:]]+) attempts in [[:digit:]]+ secs|client didn't finish SASL auth, waited 0 secs|disconnected before auth was ready, waited [[:digit:]] secs)?\): user=<[[:alnum:]@_.-]*>, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, TLS( handshaking)?(:)? SSL_(accept|read)\(?\)? syscall failed: (Broken pipe|Connection reset by peer|Success)(, session=<[[:alnum:]/+]+>)?$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(((no auth( attempts in [[:digit:]]+ secs)?|auth failed, [[:digit:]]+) attempts in [[:digit:]]+ secs|client didn't finish SASL auth, waited 0 secs|disconnected before auth was ready, waited [[:digit:]] secs)?\): user=<[[:alnum:]@_.-]*>, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, (TLS, )?session=<[[:alnum:]/+]+>$
-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected: Connection closed \(auth failed, [[:digit:]]+) attempts in [[:digit:]]+ secs\): user=<[[:alnum:]@_.-]*>, method=PLAIN, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, (TLS, )?session=<[[:alnum:]/+]+>$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(tried to use disallowed plaintext auth\): user=<>, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, session=<[[:alnum:]/+]+>$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Too many (invalid|bad) commands\.?)? \(no auth attempts( in [[:digit:]]+ secs)?\): user=<>, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, TLS,)? session=<[[:alnum:]/+]+>$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected: Connection closed \(auth failed, [[:digit:]]+) attempts in [[:digit:]]+ secs\): user=<[[:alnum:]@_.-]*>, method=PLAIN, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, (TLS, )?session=<[[:alnum:]/+]+>$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected: Connection closed \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, TLS(: Connection closed)?, session=<[[:alnum:]/+]+>$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected: Connection closed \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, TLS handshaking: Connection closed, session=<[[:alnum:]/+]+>$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected: Connection closed \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, TLS, session=<[[:alnum:]/+]+>$
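Review bot: The rule re-added in this hunk, `Disconnected: Connection closed \(auth failed, [[:digit:]]+) attempts in [[:digit:]]+ secs\)`, is the one line in this file that silences `auth failed` disconnects on the login services, which are the primary brute-force / credential-stuffing signal an admin runs logcheck for; moving it does not change that, but the commit is a chance to ask whether it should exist at all, or at least be limited to a small attempt count such as `\(auth failed, [1-3] attempts in [[:digit:]]+ secs\)`. Separately, the `)` after `[[:digit:]]+` has no matching `(` — it was copied out of the grouped `((no auth…|auth failed, [[:digit:]]+) attempts…` rule above it — so grep -E either rejects the expression or treats the `)` as a literal that dovecot never logs; either way the rule does not do what it reads as doing, and `\(auth failed, [[:digit:]]+ attempts in [[:digit:]]+ secs\)` is what was meant if it is kept.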
@@ -72,9 +81,9 @@
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected: Connection closed: SSL_accept\(\) failed: error:0A000102:SSL routines::unsupported protocol \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, TLS handshaking: SSL_accept\(\) failed: error:0A000102:SSL routines::unsupported protocol, session=<[[:alnum:]/+]+>$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected: Connection closed: SSL_accept\(\) failed: error:0A00010B:SSL routines::wrong version number \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, TLS handshaking: SSL_accept\(\) failed: error:0A00010B:SSL routines::wrong version number, session=<[[:alnum:]/+]+>$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected: Connection closed: SSL_accept\(\) failed: error:0A00018C:SSL routines::version too low \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, TLS handshaking: SSL_accept\(\) failed: error:0A00018C:SSL routines::version too low, session=<[[:alnum:]/+]+>$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected: Disconnected: Too many bad commands \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[[:xdigit:].:]+, lip=[[:xdigit:].:]+,( TLS)? session=<[[:alnum:]/+]+>$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected(: Inactivity during authentication)? \(client didn't finish SASL auth, waited [[:digit:]]+ secs\): user=<[^>]*>, method=PLAIN, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, TLS( handshaking)?: (Connection closed|Disconnected|SSL_read\(\) syscall failed: Connection reset by peer), session=<[[:alnum:]/+]+>$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected(: Inactivity during authentication)? \(client didn't finish SASL auth, waited [[:digit:]]+ secs\): user=<[^>]*>, method=PLAIN, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, TLS, session=<[[:alnum:]/+]+>$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected: Too many invalid commands\. \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[[:xdigit:]].:]+, lip=[[:xdigit:]].:]+, session=<[[:alnum:]/+]+>$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected (tried to use unsupported auth mechanism): user=<[-_.@[:alnum:]]*>, method=[[:alnum:]-]+, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, mpid=[[:digit:]]+,)? (TLS( handshake)?|secured))?(: Disconnected)?(, session=<[[:alnum:]/+]+>)?$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Login: user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, mpid=[[:digit:]]+,)? (TLS( handshake)?|secured))?(: read\(size=[[:digit:]]+\) failed: Connection reset by peer)?(, session=<[[:alnum:]/+]+>)?$
-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected: Too many invalid commands\. \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[[:xdigit:]].:]+, lip=[[:xdigit:]].:]+, session=<[[:alnum:]/+]+>$
-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected: Disconnected: Too many bad commands \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[[:xdigit:].:]+, lip=[[:xdigit:].:]+,( TLS)? session=<[[:alnum:]/+]+>$
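Review bot: The re-added `Disconnected: Too many invalid commands\.` rule carries a malformed bracket expression, `rip=[[:xdigit:]].:]+, lip=[[:xdigit:]].:]+` — the class closes after `[[:xdigit:]]`, so what follows is a literal `.`-any-char, `:` and `]+`, which no IP address produces, and the rule never matches. The sibling `Too many bad commands` rule moved in the same hunk spells the class correctly, so the fix is to align it: `rip=[[:xdigit:].:]+, lip=[[:xdigit:].:]+`. Whether these probe-style disconnects (no auth attempts, garbage commands against the login service) should be ignored at all is a policy call; if they are, it seems worth a one-line `#` comment above the pair saying so, since today the rule's silent failure hides that the decision was ever made.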