From: Hendrik Jäger <gitcommit@henk.geekmail.org>
Date: Thu, 27 Jun 2024 11:55:31 +0000 (+0200)
Subject: update rules
X-Git-Url: https://git.netwichtig.de/gitweb/?a=commitdiff_plain;ds=sidebyside;p=user%2Fhenk%2Fcode%2Fpuppet%2Fmodules%2Flogcheck.git

update rules
---

diff --git a/files/etc/logcheck/ignore.d.server/local-exim b/files/etc/logcheck/ignore.d.server/local-exim
index 49340b4..839ed98 100644
--- a/files/etc/logcheck/ignore.d.server/local-exim
+++ b/files/etc/logcheck/ignore.d.server/local-exim
@@ -37,6 +37,7 @@
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])?( [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2})? Connection closed without quit after message from [^[:space:]]* to [^[:space:]]* via \[[[:xdigit:].:]+\]: command-timeout$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])?( [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2})? Connection closed without quit after message from [^[:space:]]* to [^[:space:]]* via \[[[:xdigit:].:]+\]: connection-lost$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])?( [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2})? Connection closed without quit after message from [^[:space:]]* to [^[:space:]]* via \[[[:xdigit:].:]+\]: data-timeout$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])?( [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2})? Connection closed without quit after message from [^[:space:]]* to [^[:space:]]* via \[[[:xdigit:].:]+\]: synchronization-error$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])?( [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2})? Connection closed without quit after message from [^[:space:]]* to [^[:space:]]* via \[[[:xdigit:].:]+\]: tls-failed$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])?( [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2})? DKIM: d=[[:alnum:].-]+ s=[[:alnum:]._-]+ c=(simple|relaxed)/(simple|relaxed) a=(rsa-sha256|ed25519-sha256) b=(512|1024|2048|4096)( i=[[:alnum:]@=_.-]+)?( t=[[:digit:]]+)?( x=[[:digit:]]+)?( l=[[:digit:]]+)? \[invalid - public key record \(currently\?\) unavailable\]$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])?( [[:alnum:]]{6}-[[:alnum:]]{6}-[[:alnum:]]{2})? DKIM: d=[[:alnum:].-]+ s=[[:alnum:]._-]+ c=(simple|relaxed)/(simple|relaxed) a=(rsa-sha256|ed25519-sha256) b=(512|1024|2048|4096)( i=[[:alnum:]@=_.-]+)?( t=[[:digit:]]+)?( x=[[:digit:]]+)?( l=[[:digit:]]+)? \[verification failed - body hash mismatch \(body probably modified in transit\)\]$
@@ -91,6 +92,7 @@
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? H=(([^[:space:]]+ )?(\([^[:space:]]+\) )?)?\[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ incomplete transaction \(connection lost\) from <[^[:space:]]*>( for .*)?$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? H=(([^[:space:]]+ )?(\([^[:space:]]+\) )?)?\[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ incomplete transaction \(QUIT\) from <[^[:space:]]*>$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? H=(([^[:space:]]+ )?(\([^[:space:]]+\) )?)?\[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ incomplete transaction \(RSET\) from <[^[:space:]]*>( for [^[:space:]]+)?$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? H=(([^[:space:]]+ )?(\([^[:space:]]+\) )?)?\[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ incomplete transaction \(sync failure\) from <[^[:space:]]*>( for [^[:space:]]+)?$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? H=(([^[:space:]]+ )?(\([^[:space:]]+\) )?)?\[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ sender verify defer for <[^[:space:]]+>: host lookup did not complete$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? H=(([^[:space:]]+ )?(\([^[:space:]]+\) )?)?\[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ sender verify defer for <[^[:space:]]+>: remote host address is the local host$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? H=(([^[:space:]]+ )?(\([^[:space:]]+\) )?)?\[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ sender verify fail for <[^[:space:]]+>: all relevant MX records point to non-existent hosts$
@@ -122,6 +124,7 @@
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? SMTP connection from \[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ \(TCP/IP connection count = [[:digit:]]+\)$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? SMTP data timeout \(message abandoned\) on( TLS)? connection from( [^[:space:]]+| \([^[:space:]]+\)| [^[:space:]]+ \([^[:space:]]+\))? \[[[:xdigit:].:]+\]:[[:digit:]]+ F=<[^[:space:]]*>$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? SMTP protocol error in "[^"]*" H=(([^[:space:]]+ )?(\([^[:space:]]+\) )?)?(\[[[:xdigit:].:]+\]:[[:digit:]]+)? I=\[[[:xdigit:].:]+\]:[[:digit:]]+ .*$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected .*$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? SMTP syntax error in ".*" H=([^[:space:]]+ )?\[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ .*$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? Start queue run: pid=[[:digit:]]+$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? TLS error on connection from( [^[:space:]]+)?( \([^[:space:]]+\))? \[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ \((gnutls_handshake|recv|send)\): A disallowed SNI server name has been received\.$