update rules

3 files changed, 7 insertions, 5 deletions

diff --git a/files/etc/logcheck/ignore.d.server/local-dovecot b/files/etc/logcheck/ignore.d.server/local-dovecot
index e9cf7bf..d9eb761 100644
--- a/files/etc/logcheck/ignore.d.server/local-dovecot
+++ b/files/etc/logcheck/ignore.d.server/local-dovecot
@@ -1,4 +1,5 @@
-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auth: pam_unix\(dovecot:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=([-_.@[:alnum:]]+)? rhost=([.:[:xdigit:]]+)?(  user=[-_.@[:alnum:]]+)?$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auth: pam_unix\(dovecot:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=[-_.@[:alnum:]]* rhost=[.:[:xdigit:]]*$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auth: pam_unix\(dovecot:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=[-_.@[:alnum:]]* rhost=[.:[:xdigit:]]*  user=[-_.@[:alnum:]]+$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auth: pam_unix\(dovecot:[[:alnum:]]+\): check pass; user unknown$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: auth-worker\([-_.[:alnum:]]+\): pam\([[:alnum:]]+,[[:digit:].]+\): unknown user$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?: Connection closed(: Connection reset by peer)?( bytes=[[:digit:]]+/[[:digit:]]+| in=[[:digit:]]+ out=[[:digit:]]+)?$
@@ -6,6 +7,7 @@
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?:( Disconnected:)? Connection closed(: read\(size=[[:digit:]]+\) failed: Connection reset by peer)? \((UID FETCH|IDLE) running for [[:digit:].]+ \+ waiting input for [[:digit:].]+ secs,( [[:digit:].]+ in locks,)? [[:digit:]]+ B in \+ [[:digit:]]+(\+[[:digit:]]+)? B out, state=wait-input\) in=[[:digit:]]+ out=[[:digit:]]+( deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+)?$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?:( Disconnected:)? Connection closed(: read\(size=[[:digit:]]+\) failed: Connection reset by peer)? \([[:alpha:] ]+ finished [[:digit:].]+ secs ago\) in=[[:digit:]]+ out=[[:digit:]]+( deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+)?$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?: Disconnected(: Logged out| for inactivity|: Disconnected| in [[:upper:]]+|: Too many invalid IMAP commands\.)?( in IDLE)? in=[[:digit:]]+ out=[[:digit:]]+( deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+)?$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?: Disconnected: Inactivity - no input for 1800 secs in=[[:digit:]]+ out=[[:digit:]]+( deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+)?$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?: Logged out in=[[:digit:]]+ out=[[:digit:]]+( deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+)?$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: lda\([[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?: msgid=([[:alnum:]":<>{}@?=+/.,_!&\$%#~-]+( \(added by.*postmaster@[[:alnum:].-]+\))?|unspecified): saved mail to [[:alnum:]/._-]+$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: lda\([[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?: sieve: msgid=(\? )?([[:alnum:]":<>{}@?=+/.,_!&\$%#~-]+( \(added by.*postmaster@[[:alnum:].-]+\))?|unspecified):( fileinto action:)? stored mail into mailbox '[^[:space:]]+'$
@@ -74,5 +76,5 @@
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected(: Inactivity during authentication)? \(client didn't finish SASL auth, waited [[:digit:]]+ secs\): user=<[^>]*>, method=PLAIN, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, TLS, session=<[[:alnum:]/+]+>$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected (tried to use unsupported auth mechanism): user=<[-_.@[:alnum:]]*>, method=[[:alnum:]-]+, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, mpid=[[:digit:]]+,)? (TLS( handshake)?|secured))?(: Disconnected)?(, session=<[[:alnum:]/+]+>)?$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Login: user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, mpid=[[:digit:]]+,)? (TLS( handshake)?|secured))?(: read\(size=[[:digit:]]+\) failed: Connection reset by peer)?(, session=<[[:alnum:]/+]+>)?$
-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected: Too many invalid commands. \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[[:xdigit:]].:]+, lip=[[:xdigit:]].:]+, session=<[[:alnum:]/+]+>$
-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected: Disconnected: Too many bad commands \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[[:xdigit:]].:]+, lip=[[:xdigit:]].:]+, session=<[[:alnum:]/+]+>$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected: Too many invalid commands\. \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[[:xdigit:]].:]+, lip=[[:xdigit:]].:]+, session=<[[:alnum:]/+]+>$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected: Disconnected: Too many bad commands \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[[:xdigit:].:]+, lip=[[:xdigit:].:]+,( TLS)? session=<[[:alnum:]/+]+>$
diff --git a/files/etc/logcheck/ignore.d.server/local-spamd b/files/etc/logcheck/ignore.d.server/local-spamd
index 2993c3f..3d22312 100644
--- a/files/etc/logcheck/ignore.d.server/local-spamd
+++ b/files/etc/logcheck/ignore.d.server/local-spamd
@@ -3,7 +3,7 @@
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[[:digit:]]+\]: pyzor: \[[[:digit:]]+\] error: TERMINATED, signal 15 \(000f\)$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: util: setuid: ruid=[[:digit:]]+ euid=[[:digit:]]+ rgid=[[:digit:]]+ 8 45 108 egid=[[:digit:]]+ 8 45 108$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: dns: new_dns_packet: domain is utf8 flagged: [[:alnum:].-]+$
-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: prefork: adjust: [0-2] idle children less than 1 minimum idle children\. Increasing spamd children: [[:digit:]]+ started\.$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: prefork: adjust: [0-2] idle children less than 1 minimum idle children\.  ?Increasing spamd children: [[:digit:]]+ started\.$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: prefork: adjust: [3-5] idle children more than 2 maximum idle children\. Decreasing spamd children: [[:digit:]]+ killed\.$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: prefork: child states: II \[\.\.\. logline repeated [[:digit:]]+ times\]$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: spamd: handled cleanup of child pid \[[[:digit:]]+\] due to SIGCHLD: interrupted, signal 2 \(0002\)$
diff --git a/files/etc/logcheck/ignore.d.server/local-tor b/files/etc/logcheck/ignore.d.server/local-tor
index 0dd6c15..e4708fe 100644
--- a/files/etc/logcheck/ignore.d.server/local-tor
+++ b/files/etc/logcheck/ignore.d.server/local-tor
@@ -3,7 +3,7 @@
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Heartbeat: Tor's uptime is ([[:digit:]]+ day(s)? )?[[:digit:]]+:[[:digit:]]+ hours, with [[:digit:]]+ circuits open. I've sent [[:digit:].]+ [GMk]B and received [[:digit:].]+ [GMk]B\.( I've received [[:digit:]]+ connections on IPv4 and [[:digit:]]+ on IPv6. I've made [[:digit:]]+ connections with IPv4 and [[:digit:]]+ with IPv6\.)?$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: http status 400 \("Nonauthoritative directory does not accept posted server descriptors"\) response from dirserver '[[:xdigit:]:.]+:[[:digit:]]+'\. Malformed rendezvous descriptor\?$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Interrupt: exiting cleanly\.$
-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Our onion service received [[:digit:]]+ v2 and [[:digit:]]+ v3 INTRODUCE2 cells and attempted to launch [[:digit:]]+ rendezvous circuits\.$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ Tor\[[[:digit:]]+\]:( Heartbeat:)? Our onion service received( [[:digit:]]+ v2 and)? [[:digit:]]+ v3 INTRODUCE2 cells and attempted to launch [[:digit:]]+ rendezvous circuits\.$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Parsing GEOIP IPv4 file /usr/share/tor/geoip\.$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Parsing GEOIP IPv6 file /usr/share/tor/geoip6\.$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Received http status code 404 \("Consensus is too old"\) from server '[[:xdigit:]:.]+:443' while fetching consensus directory\.$