type=USER_ERR msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:bad_ident grantors=\? acct="\?" exe="/usr/sbin/sshd" hostname=[[:alnum:]:.]+ addr=[[:xdigit:]:.]+ terminal=ssh res=failed'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+"( ID="[[:alnum:]]+")?)?$
type=USER_LOGIN msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=login (acct="?[[:alnum:]@_-]+"?|id=[[:digit:]]+) exe="/usr/sbin/sshd" hostname=(\?|[[:alnum:]:.]+) addr=[[:xdigit:]:.]+ terminal=[^[:space:]]+ res=(failed|success)'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+"( ID="[[:alnum:]]+")?)?$
type=USER_START msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:session_open grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]-]+")?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Audit daemon rotating log files$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: backlog 0$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: backlog_limit 8192$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: backlog_wait_time 60000$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: backlog_wait_time_actual 0$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: enabled 1$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: failure 1$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Init complete, auditd 3.0 listening for events \(startup state enable\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: lost 0$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: No plugins found, not dispatching events$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: No rules$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: pid 441$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: rate_limit 0$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: /sbin/augenrules: No change$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: The audit daemon is exiting\.$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Audit daemon rotating log files$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: backlog 0$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: backlog_limit 8192$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: backlog_wait_time 60000$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: backlog_wait_time_actual 0$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: enabled 1$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: failure 1$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Init complete, auditd 3.0 listening for events \(startup state enable\)$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: lost 0$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: No plugins found, not dispatching events$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: No rules$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: pid 441$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: rate_limit 0$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: /sbin/augenrules: No change$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: The audit daemon is exiting\.$
projects / user / henk / code / puppet / modules / logcheck.git / blobdiff