--- /dev/null
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ acpid: exiting$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ acpid: starting up with netlink and the input layer$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ acpid: [[:digit:]]+ rules loaded$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ acpid: waiting for events: event logging is off$
--- /dev/null
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ apache2\.logrotate: Reloading Apache httpd web server: apache2\.$
type=USER_AUTH msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:authentication grantors=(\?|pam_[[:alnum:]]+,?)+ acct="[[:alnum:]?"'$#%^~&,.;:!=@_*\(\)-]*"? exe="[^"]*" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=(failed|success)'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+")?$
type=USER_START msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:session_open grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]-]+")?$
type=USER_END msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:session_close grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]*" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]-]+")?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Audit daemon rotating log files$
type=USER_END msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:session_close grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]*" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+")?$
type=ANOM_PROMISCUOUS msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): dev=[[:alnum:].]+ prom=[[:digit:]]+ old_prom=[[:digit:]]+ auid=0 uid=0 gid=0 ses=[[:digit:]]+([^[:alpha:]]+AUID="[[:alnum:]]+" UID="root" GID="root")?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Audit daemon rotating log files$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: The audit daemon is exiting\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: No plugins found, not dispatching events$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Init complete, auditd 3.0 listening for events \(startup state enable\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ chronyd\[[[:digit:]]+\]: Selected source [[:xdigit:]:.]+( \([[:alpha:].:]+\))?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ chronyd\[[[:digit:]]+\]: Source [[:xdigit:]:.]+ replaced with [[:xdigit:]:.]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ chronyd\[[[:digit:]]+\]: chronyd version 4\.0 starting \(+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ chronyd\[[[:digit:]]+\]: Frequency -[[:digit:].]+ +/- [[:digit:].]+ ppm read from /var/lib/chrony/chrony\.drift$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ chronyd\[[[:digit:]]+\]: Using right/UTC timezone to obtain leap second data$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ chronyd\[[[:digit:]]+\]: Loaded seccomp filter$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ chronyd\[[[:digit:]]+\]: System clock TAI offset set to [[:digit:]]+ seconds$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ chronyd\[[[:digit:]]+\]: chronyd exiting$
--- /dev/null
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ init: Trying to re-exec init$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: <[[:digit:]]+>(\[ *[[:digit:]]+\.[[:digit:]]+\])? systemd-udevd\[[[:digit:]]+\]: Using default interface naming scheme 'v240'\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? Process accounting resumed$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? Rekeying PTK for STA [[:xdigit:]:]+ but driver can't safely do that\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[ *[[:digit:]]+\.[[:digit:]]+\] kauditd_printk_skb: [[:digit:]]+ callbacks suppressed$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[ *[[:digit:]]+\.[[:digit:]]+\] nfsd: last server has exited, flushing export cache$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[ *[[:digit:]]+\.[[:digit:]]+\] NFSD: Using UMH upcall client tracking operations\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[ *[[:digit:]]+\.[[:digit:]]+\] NFSD: starting 90-second grace period \(net [[:xdigit:]]+\)$
--- /dev/null
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rpc\.mountd\[[[:digit:]]+\]: Version [[:digit:].]+ starting$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rpc\.mountd\[[[:digit:]]+\]: Caught signal 15, un-registering and exiting\.$
--- /dev/null
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saned\[[[:digit:]]+\]: bailing out, waiting for children\.\.\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saned\[[[:digit:]]+\]: bail_out: all children exited$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saned\[[[:digit:]]+\]: saned (AF-indep+IPv6) from sane-backends [^[:space:]]+ starting up$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saned\[[[:digit:]]+\]: do_bindings: \[0\] bind failed: Address already in use$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saned\[[[:digit:]]+\]: Now daemonized$
--- /dev/null
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: smartd received signal 15: Terminated$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: smartd is exiting \(exit status 0\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: smartd [[:digit:].-]+ r[[:digit:]]+ \[[[:alpha:]._-]+\] \(local build\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Copyright (C) 2002-[[:digit:]]{2}, Bruce Allen, Christian Franke, www\.smartmontools\.org$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Drive: DEVICESCAN, implied '-a' Directive on line 21 of file /etc/smartd.conf$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Configuration file /etc/smartd.conf was parsed, found DEVICESCAN, scanning devices$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/sd[[:alpha:]], type changed from 'scsi' to 'sat'$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/sd[[:alpha:]] [SAT], [^,]+, S/N:[[:alpha:]]+, FW:[[:alpha:]]+, [[:digit:]]+ GB$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/sd[[:alpha:]] [SAT], not found in smartd database\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/sd[[:alpha:]] [SAT], found in smartd database: .*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Monitoring [[:digit:]]+ ATA/SATA, [[:digit:]]+ SCSI/SAS and [[:digit:]]+ NVMe devices$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: beginning MaxStartups throttling$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: drop connection #[[:digit:]]+ from \[[:.[:xdigit:]]+\]:[[:digit:]]+ on \[[:.[:xdigit:]]+\]:[[:digit:]]+ past MaxStartups$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: exited MaxStartups throttling after [[:digit:]:]+, [[:digit:]]+ connections dropped$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received signal 15; terminating\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]]+:0\] error: read \(in tcp r\): Connection reset by peer for [:.[:xdigit:]]+( port [[:digit:]]+)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]]+:0\] info: generate keytag query _ta-4f66\. NULL IN$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]]+:0\] info: service stopped \(unbound [[:digit:].]+\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]]+:0\] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting#
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]]+:0\] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]]+:0\] notice: init module 0: subnet$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]]+:0\] notice: init module 1: validator$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]]+:0\] notice: init module 2: iterator$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]]+:0\] info: start of service \(unbound [[:digit:].]+\)\.$
--- /dev/null
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ vnstatd\[[[:digit:]]+\]: SIGTERM received, exiting\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ vnstatd\[[[:digit:]]+\]: vnStat daemon [[:digit:].]+ started\. \(pid:[[:digit:]]+ uid:[[:digit:]]+ gid:[[:digit:]]+ 64-bit\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ vnstatd\[[[:digit:]]+\]: Monitoring \([[:digit:]]+\): [[:alpha:]]+ \([[:digit:]]+ Mbit\)$