path: root/files/etc/logcheck
authorHendrik Jäger <gitcommit@henk.geekmail.org>2021-10-11 21:52:44 +0300
committerHendrik Jäger <gitcommit@henk.geekmail.org>2021-10-11 21:52:44 +0300
commit6a1d0dfd2133dd5be6d0279e8aef44fd4a7d999b (patch)
treee88868b5d78146132c78f21b3ec49b9ad92a3f54 /files/etc/logcheck
parent5a6d75d1c8d5b4f6b59078f88988af0042403d38 (diff)
Update logcheck rules
Diffstat (limited to 'files/etc/logcheck')
-rw-r--r--files/etc/logcheck/ignore.d.server/local-acpid4
-rw-r--r--files/etc/logcheck/ignore.d.server/local-apache21
-rw-r--r--files/etc/logcheck/ignore.d.server/local-auditd5
-rw-r--r--files/etc/logcheck/ignore.d.server/local-chrony6
-rw-r--r--files/etc/logcheck/ignore.d.server/local-init1
-rw-r--r--files/etc/logcheck/ignore.d.server/local-kernel4
-rw-r--r--files/etc/logcheck/ignore.d.server/local-rpcmountd2
-rw-r--r--files/etc/logcheck/ignore.d.server/local-saned5
-rw-r--r--files/etc/logcheck/ignore.d.server/local-smart11
-rw-r--r--files/etc/logcheck/ignore.d.server/local-ssh1
-rw-r--r--files/etc/logcheck/ignore.d.server/local-unbound7
-rw-r--r--files/etc/logcheck/ignore.d.server/local-vnstatd3
12 files changed, 49 insertions, 1 deletions
diff --git a/files/etc/logcheck/ignore.d.server/local-acpid b/files/etc/logcheck/ignore.d.server/local-acpid
new file mode 100644
index 0000000..12468ae
--- /dev/null
+++ b/files/etc/logcheck/ignore.d.server/local-acpid
@@ -0,0 +1,4 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ acpid: exiting$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ acpid: starting up with netlink and the input layer$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ acpid: [[:digit:]]+ rules loaded$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ acpid: waiting for events: event logging is off$
diff --git a/files/etc/logcheck/ignore.d.server/local-apache2 b/files/etc/logcheck/ignore.d.server/local-apache2
new file mode 100644
index 0000000..123c2af
--- /dev/null
+++ b/files/etc/logcheck/ignore.d.server/local-apache2
@@ -0,0 +1 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ apache2\.logrotate: Reloading Apache httpd web server: apache2\.$
diff --git a/files/etc/logcheck/ignore.d.server/local-auditd b/files/etc/logcheck/ignore.d.server/local-auditd
index 165f1fa..778c969 100644
--- a/files/etc/logcheck/ignore.d.server/local-auditd
+++ b/files/etc/logcheck/ignore.d.server/local-auditd
@@ -10,6 +10,9 @@ type=USER_ACCT msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digi
type=USER_AUTH msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:authentication grantors=(\?|pam_[[:alnum:]]+,?)+ acct="[[:alnum:]?"'$#%^~&,.;:!=@_*\(\)-]*"? exe="[^"]*" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=(failed|success)'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+")?$
type=USER_START msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:session_open grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]-]+")?$
type=USER_END msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:session_close grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]*" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]-]+")?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Audit daemon rotating log files$
type=USER_END msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:session_close grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]*" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+")?$
type=ANOM_PROMISCUOUS msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): dev=[[:alnum:].]+ prom=[[:digit:]]+ old_prom=[[:digit:]]+ auid=0 uid=0 gid=0 ses=[[:digit:]]+([^[:alpha:]]+AUID="[[:alnum:]]+" UID="root" GID="root")?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Audit daemon rotating log files$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: The audit daemon is exiting\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: No plugins found, not dispatching events$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Init complete, auditd 3.0 listening for events \(startup state enable\)$
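Review bot: The rule added for `The audit daemon is exiting\.` silences the one message that tells an operator the audit trail has a gap; an unplanned auditd stop, whether from a crash or from someone stopping the service, would then go unreported. It would be safer to drop that line and accept the occasional shutdown-time report, or at least to add a comment explaining why auditd stopping is considered uninteresting on this host. The last added line pins `auditd 3.0`, so it silently stops matching on the next package upgrade; `auditd [[:digit:].]+ listening for events` keeps the rule alive without widening it.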
diff --git a/files/etc/logcheck/ignore.d.server/local-chrony b/files/etc/logcheck/ignore.d.server/local-chrony
index e770b49..4e39d3d 100644
--- a/files/etc/logcheck/ignore.d.server/local-chrony
+++ b/files/etc/logcheck/ignore.d.server/local-chrony
@@ -1,2 +1,8 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ chronyd\[[[:digit:]]+\]: Selected source [[:xdigit:]:.]+( \([[:alpha:].:]+\))?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ chronyd\[[[:digit:]]+\]: Source [[:xdigit:]:.]+ replaced with [[:xdigit:]:.]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ chronyd\[[[:digit:]]+\]: chronyd version 4\.0 starting \(+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ chronyd\[[[:digit:]]+\]: Frequency -[[:digit:].]+ +/- [[:digit:].]+ ppm read from /var/lib/chrony/chrony\.drift$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ chronyd\[[[:digit:]]+\]: Using right/UTC timezone to obtain leap second data$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ chronyd\[[[:digit:]]+\]: Loaded seccomp filter$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ chronyd\[[[:digit:]]+\]: System clock TAI offset set to [[:digit:]]+ seconds$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ chronyd\[[[:digit:]]+\]: chronyd exiting$
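Review bot: The first two added rules cannot match, because `+` is unescaped: in `\(+CMDMON +NTP …` the `\(+` quantifies the parenthesis and each ` +` consumes spaces instead of the literal `+` that chronyd prints, and in `Frequency -[[:digit:].]+ +/- ` the `+/-` becomes a space quantifier. Each feature flag and the uncertainty separator need `\+`, i.e. `starting \(\+CMDMON \+NTP \+REFCLOCK \+RTC \+PRIVDROP \+SCFILTER \+SIGND \+ASYNCDNS \+NTS \+SECHASH \+IPV6 -DEBUG\)$` and `Frequency -?[[:digit:].]+ \+/- [[:digit:].]+ ppm read from`. The `-?` also covers a positive drift, which the current rule would report. Pinning `chronyd version 4\.0` means the rule silently stops matching on upgrade; `[[:digit:].]+` is the usual choice here.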
diff --git a/files/etc/logcheck/ignore.d.server/local-init b/files/etc/logcheck/ignore.d.server/local-init
new file mode 100644
index 0000000..ac58215
--- /dev/null
+++ b/files/etc/logcheck/ignore.d.server/local-init
@@ -0,0 +1 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ init: Trying to re-exec init$
diff --git a/files/etc/logcheck/ignore.d.server/local-kernel b/files/etc/logcheck/ignore.d.server/local-kernel
index 5f141e5..c548a01 100644
--- a/files/etc/logcheck/ignore.d.server/local-kernel
+++ b/files/etc/logcheck/ignore.d.server/local-kernel
@@ -5,3 +5,7 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: <[[:digit:]]+>(\[ *[[:digit:]]+\.[[:digit:]]+\])? systemd-udevd\[[[:digit:]]+\]: Using default interface naming scheme 'v240'\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? Process accounting resumed$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? Rekeying PTK for STA [[:xdigit:]:]+ but driver can't safely do that\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[ *[[:digit:]]+\.[[:digit:]]+\] kauditd_printk_skb: [[:digit:]]+ callbacks suppressed$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[ *[[:digit:]]+\.[[:digit:]]+\] nfsd: last server has exited, flushing export cache$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[ *[[:digit:]]+\.[[:digit:]]+\] NFSD: Using UMH upcall client tracking operations\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[ *[[:digit:]]+\.[[:digit:]]+\] NFSD: starting 90-second grace period \(net [[:xdigit:]]+\)$
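Review bot: The four added rules make the `\[ *[[:digit:]]+\.[[:digit:]]+\]` timestamp mandatory, while the existing rules directly above wrap it as `( \[ *[[:digit:]]+\.[[:digit:]]+\])?`; on a kernel logging without printk timestamps the new rules never fire. Using the same optional group keeps the file consistent. Separately, `kauditd_printk_skb: N callbacks suppressed` appears to indicate audit records that were rate-limited out of the kernel log while no audit daemon was attached, so ignoring it trades away a signal about lost audit events; it may be worth leaving that line reported, or commenting why it is expected at boot.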
diff --git a/files/etc/logcheck/ignore.d.server/local-rpcmountd b/files/etc/logcheck/ignore.d.server/local-rpcmountd
new file mode 100644
index 0000000..f414d7d
--- /dev/null
+++ b/files/etc/logcheck/ignore.d.server/local-rpcmountd
@@ -0,0 +1,2 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rpc\.mountd\[[[:digit:]]+\]: Version [[:digit:].]+ starting$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rpc\.mountd\[[[:digit:]]+\]: Caught signal 15, un-registering and exiting\.$
diff --git a/files/etc/logcheck/ignore.d.server/local-saned b/files/etc/logcheck/ignore.d.server/local-saned
new file mode 100644
index 0000000..4e58a75
--- /dev/null
+++ b/files/etc/logcheck/ignore.d.server/local-saned
@@ -0,0 +1,5 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saned\[[[:digit:]]+\]: bailing out, waiting for children\.\.\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saned\[[[:digit:]]+\]: bail_out: all children exited$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saned\[[[:digit:]]+\]: saned (AF-indep+IPv6) from sane-backends [^[:space:]]+ starting up$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saned\[[[:digit:]]+\]: do_bindings: \[0\] bind failed: Address already in use$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saned\[[[:digit:]]+\]: Now daemonized$
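Review bot: The third added rule cannot match, since `(AF-indep+IPv6)` is parsed as a group in which `p+` is a quantifier, so the literal parentheses and plus sign in saned's banner are never consumed. It should read `saned \(AF-indep\+IPv6\) from sane-backends [^[:space:]]+ starting up$`. The `do_bindings: \[0\] bind failed: Address already in use` rule silences a genuine failure to listen; if that is expected on this host because another process owns the port, a comment saying so would help the next reader.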
diff --git a/files/etc/logcheck/ignore.d.server/local-smart b/files/etc/logcheck/ignore.d.server/local-smart
new file mode 100644
index 0000000..5199ca0
--- /dev/null
+++ b/files/etc/logcheck/ignore.d.server/local-smart
@@ -0,0 +1,11 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: smartd received signal 15: Terminated$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: smartd is exiting \(exit status 0\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: smartd [[:digit:].-]+ r[[:digit:]]+ \[[[:alpha:]._-]+\] \(local build\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Copyright (C) 2002-[[:digit:]]{2}, Bruce Allen, Christian Franke, www\.smartmontools\.org$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Drive: DEVICESCAN, implied '-a' Directive on line 21 of file /etc/smartd.conf$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Configuration file /etc/smartd.conf was parsed, found DEVICESCAN, scanning devices$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/sd[[:alpha:]], type changed from 'scsi' to 'sat'$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/sd[[:alpha:]] [SAT], [^,]+, S/N:[[:alpha:]]+, FW:[[:alpha:]]+, [[:digit:]]+ GB$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/sd[[:alpha:]] [SAT], not found in smartd database\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/sd[[:alpha:]] [SAT], found in smartd database: .*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Monitoring [[:digit:]]+ ATA/SATA, [[:digit:]]+ SCSI/SAS and [[:digit:]]+ NVMe devices$
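Review bot: Four of the added rules cannot match: `[SAT]` in the three `Device:` lines after `type changed` is a bracket expression for a single character, not the literal `[SAT]` that smartd prints, and `(C)` in the Copyright line is a group matching only `C`. Escaping them as `\[SAT\]` and `\(C\)` fixes that. `S/N:[[:alpha:]]+, FW:[[:alpha:]]+` will also fail on any serial number or firmware string that contains a digit, which is typically the case; `[^,]+` is the safer choice, and `/etc/smartd.conf` should escape its dot if it is meant literally.
```regex
# … unchanged: signal, exit status and version rules …
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Copyright \(C\) 2002-[[:digit:]]{2}, Bruce Allen, Christian Franke, www\.smartmontools\.org$
# … unchanged: DEVICESCAN and 'type changed' rules …
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/sd[[:alpha:]] \[SAT\], [^,]+, S/N:[^,]+, FW:[^,]+, [[:digit:]]+ GB$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/sd[[:alpha:]] \[SAT\], not found in smartd database\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/sd[[:alpha:]] \[SAT\], found in smartd database: .*$
# … unchanged: Monitoring rule …
```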
diff --git a/files/etc/logcheck/ignore.d.server/local-ssh b/files/etc/logcheck/ignore.d.server/local-ssh
index a3f516e..5be2620 100644
--- a/files/etc/logcheck/ignore.d.server/local-ssh
+++ b/files/etc/logcheck/ignore.d.server/local-ssh
@@ -104,3 +104,4 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: beginning MaxStartups throttling$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: drop connection #[[:digit:]]+ from \[[:.[:xdigit:]]+\]:[[:digit:]]+ on \[[:.[:xdigit:]]+\]:[[:digit:]]+ past MaxStartups$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: exited MaxStartups throttling after [[:digit:]:]+, [[:digit:]]+ connections dropped$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received signal 15; terminating\.$
diff --git a/files/etc/logcheck/ignore.d.server/local-unbound b/files/etc/logcheck/ignore.d.server/local-unbound
index 9fda52e..1c34c8a 100644
--- a/files/etc/logcheck/ignore.d.server/local-unbound
+++ b/files/etc/logcheck/ignore.d.server/local-unbound
@@ -1,2 +1,9 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]]+:0\] error: read \(in tcp r\): Connection reset by peer for [:.[:xdigit:]]+( port [[:digit:]]+)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]]+:0\] info: generate keytag query _ta-4f66\. NULL IN$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]]+:0\] info: service stopped \(unbound [[:digit:].]+\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]]+:0\] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting#
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]]+:0\] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]]+:0\] notice: init module 0: subnet$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]]+:0\] notice: init module 1: validator$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]]+:0\] notice: init module 2: iterator$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]]+:0\] info: start of service \(unbound [[:digit:].]+\)\.$
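Review bot: The second added rule ends in `#` instead of `$`, so it requires a literal `#` after `ratelimiting` and never matches; the line should end `rejected by ip ratelimiting$`. Both `server stats` rules also hard-code every counter as `0`, so they only suppress the report on a resolver that served nothing. If the intent is to drop these statistics lines in general, `[[:digit:]]+` in place of each `0` does that; if the intent is to still see non-zero statistics, a comment stating so would save the next reader the guess.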
diff --git a/files/etc/logcheck/ignore.d.server/local-vnstatd b/files/etc/logcheck/ignore.d.server/local-vnstatd
new file mode 100644
index 0000000..10bbbe0
--- /dev/null
+++ b/files/etc/logcheck/ignore.d.server/local-vnstatd
@@ -0,0 +1,3 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ vnstatd\[[[:digit:]]+\]: SIGTERM received, exiting\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ vnstatd\[[[:digit:]]+\]: vnStat daemon [[:digit:].]+ started\. \(pid:[[:digit:]]+ uid:[[:digit:]]+ gid:[[:digit:]]+ 64-bit\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ vnstatd\[[[:digit:]]+\]: Monitoring \([[:digit:]]+\): [[:alpha:]]+ \([[:digit:]]+ Mbit\)$
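Review bot: The `Monitoring` rule matches the interface name with `[[:alpha:]]+`, which excludes any name containing a digit such as `eth0` or `enp3s0`, so on most hosts that line is still reported. `Monitoring \([[:digit:]]+\): [[:alnum:]._-]+ \([[:digit:]]+ Mbit\)$` accepts the usual interface naming without matching anything else.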