From d9cc0edaff5275942ef1e8acc71901a6f3fd09a5 Mon Sep 17 00:00:00 2001
From: Hendrik Jaeger
Date: Fri, 7 Sep 2018 20:14:31 +0200
Subject: [PATCH] Add custom logcheck files
---
.../logcheck/ignore.d.server/local-cron-apt | 1 +
.../logcheck/ignore.d.server/local-dovecot | 51 +++++++++++++
.../etc/logcheck/ignore.d.server/local-icinga | 1 +
.../logcheck/ignore.d.server/local-iptables | 2 +
files/etc/logcheck/ignore.d.server/local-nsd | 13 ++++
files/etc/logcheck/ignore.d.server/local-ntpd | 10 +++
.../logcheck/ignore.d.server/local-proftpd | 1 +
.../etc/logcheck/ignore.d.server/local-spamd | 3 +
files/etc/logcheck/ignore.d.server/local-ssh | 74 +++++++++++++++++++
.../logcheck/ignore.d.server/local-unbound | 1 +
10 files changed, 157 insertions(+)
create mode 100644 files/etc/logcheck/ignore.d.server/local-cron-apt
create mode 100644 files/etc/logcheck/ignore.d.server/local-dovecot
create mode 100644 files/etc/logcheck/ignore.d.server/local-icinga
create mode 100644 files/etc/logcheck/ignore.d.server/local-iptables
create mode 100644 files/etc/logcheck/ignore.d.server/local-nsd
create mode 100644 files/etc/logcheck/ignore.d.server/local-ntpd
create mode 100644 files/etc/logcheck/ignore.d.server/local-proftpd
create mode 100644 files/etc/logcheck/ignore.d.server/local-spamd
create mode 100644 files/etc/logcheck/ignore.d.server/local-ssh
create mode 100644 files/etc/logcheck/ignore.d.server/local-unbound
diff --git a/files/etc/logcheck/ignore.d.server/local-cron-apt b/files/etc/logcheck/ignore.d.server/local-cron-apt
new file mode 100644
index 0000000..fc6f429
--- /dev/null
+++ b/files/etc/logcheck/ignore.d.server/local-cron-apt
@@ -0,0 +1 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: Calculating upgrade\.\.\.$
diff --git a/files/etc/logcheck/ignore.d.server/local-dovecot b/files/etc/logcheck/ignore.d.server/local-dovecot
new file mode 100644
index 0000000..2a2b25d
--- /dev/null
+++ b/files/etc/logcheck/ignore.d.server/local-dovecot
@@ -0,0 +1,51 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_unix\(dovecot:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=([-_.@[:alnum:]]+)? rhost=([.:[:xdigit:]]+)?( user=[-_.@[:alnum:]]+)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_unix\(dovecot:[[:alnum:]]+\): check pass; user unknown$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth-worker\([-_.[:alnum:]]+\): pam\([[:alnum:]]+,[[:digit:].]+\): unknown user$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed \([[:alpha:] ]+ finished [[:digit:].]+ secs ago\) in=[[:digit:]]+ out=[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed(: Connection reset by peer)?( bytes=[[:digit:]]+/[[:digit:]]+| in=[[:digit:]]+ out=[[:digit:]]+)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed \(IDLE running for [[:digit:].]+ \+ waiting input for [[:digit:].]+ secs,( [[:digit:].]+ in locks,)? [[:digit:]]+ B in \+ [[:digit:]]+(\+[[:digit:]]+)? B out, state=wait-input\) in=[[:digit:]]+ out=[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed \(No commands sent\) in=[[:digit:]]+ out=[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed \(UID FETCH running for [[:digit:].]+ \+ waiting input for [[:digit:].]+ secs,( [[:digit:].]+ in locks,)? [[:digit:]]+ B in \+ [[:digit:]]+(\+[[:digit:]]+)? B out, state=wait-input\) in=[[:digit:]]+ out=[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Disconnected(: Logged out| for inactivity|: Disconnected| in [[:upper:]]+|: Too many invalid IMAP commands\.)?( in IDLE)? in=[[:digit:]]+ out=[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Logged out in=[[:digit:]]+ out=[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lda\([[:alnum:]]+\): msgid=([][[:alnum:]":<>@?=\+\/.,_!&\$%#~-]+( \(added by.*postmaster@[[:alnum:].-]+\))?|unspecified): saved mail to [[:alnum:]\/._-]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lda\([[:alnum:]]+\): sieve: msgid=(\? )?([][[:alnum:]":<>@?=\+\/.,_!&\$%#~-]+( \(added by.*postmaster@[[:alnum:].-]+\))?|unspecified): stored mail into mailbox '[^[:space:]]+'$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lda\([[:alnum:]]+\): sieve: msgid=<[[:alnum:]":@=\+\/.,_!&\$%#~-]+>: forwarded to <[[:alnum:]":@=\+\/.,_!&\$%#~-]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(aborted authentication\): method=PLAIN, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)(( handshaking)?(: Disconnected)?)?(, session=<[[:alnum:]\/\+]+>)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(aborted authentication\): method=PLAIN, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)(: SSL_read\(\) syscall failed: Connection reset by peer)?(, session=<[[:alnum:]\/\+]+>)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(auth failed, [[:digit:]]+ attempts( in [[:digit:]]+ secs)?\): user=<[-_.@[:alnum:]]+>, method=(PLAIN|LOGIN), rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)(( handshaking)?(: Disconnected)?)?(, session=<[[:alnum:]\/\+]+>)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(auth failed, [[:digit:]]+ attempts( in [[:digit:]]+ secs)?\): user=<[-_.@[:alnum:]]+>, method=(PLAIN|LOGIN), rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)(( handshaking)?(: Disconnected)?)? SSL_read\(\) syscall failed: Connection reset by peer, session=<[[:alnum:]\/\+]+>?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(auth failed, [[:digit:]]+ attempts( in [[:digit:]]+ secs)?\): user=<[-_.@[:alnum:]]+>, method=(PLAIN|LOGIN), rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)(: SSL_read\(\) syscall failed: Connection reset by peer)?(, session=<[[:alnum:]\/\+]+>)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS, )?session=<[[:alnum:]\/\+]+>?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? Disconnected, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)?( handshaking), )?session=<[[:alnum:]\/\+]+>?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) failed: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) failed: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) failed: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) failed: error:1408F09C:SSL routines:ssl3_get_record:http request, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) failed: error:140940F5:SSL routines:ssl3_read_bytes:unexpected record, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message: SSL alert number 10, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) failed: error:140A1175:SSL routines:ssl_bytes_to_cipher_list:inappropriate fallback, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) failed: error:1417D0FC:SSL routines:tls_process_client_hello:unknown protocol, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) failed: error:1417D18C:SSL routines:tls_process_client_hello:version too low, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) syscall failed: Broken pipe, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) syscall failed: Connection reset by peer(, session=<[[:alnum:]\/\+]+>)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \((disconnected before auth was ready, waited 0 secs|no auth attempts( in [[:digit:]]+ secs)?)\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) syscall failed: Success, session=<[[:alnum:]\/\+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(disconnected before greeting, waited 0 secs\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, session=<[[:alnum:]\/\+]+>?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(disconnected before greeting, waited 0 secs\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(\) syscall failed: Connection reset by peer(, session=<[[:alnum:]\/\+]+>)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(tried to use disallowed plaintext auth\): user=<>, rip=[.[:xdigit:]]+, lip=[.[:xdigit:]]+, session=<[[:alnum:]\/\+]+>?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected(: Inactivity during authentication)? \(client didn't finish SASL auth, waited [[:digit:]]+ secs\): user=<[^>]*>, method=PLAIN, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, TLS( handshaking)?: Disconnected, session=<[[:alnum:]\/\+]+>?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected(: Inactivity during authentication)? \(client didn't finish SASL auth, waited [[:digit:]]+ secs\): user=<[^>]*>, method=PLAIN, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, TLS, session=<[[:alnum:]\/\+]+>?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected(: Inactivity during authentication)? \(client didn't finish SASL auth, waited [[:digit:]]+ secs\): user=<[^>]*>, method=PLAIN, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, TLS: SSL_read\(\) syscall failed: Connection reset by peer, session=<[[:alnum:]\/\+]+>?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected (tried to use unsupported auth mechanism): user=<[-_.@[:alnum:]]*>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(,( mpid=[[:digit:]]+,)? (TLS( handshake)?|secured))?(: Disconnected)?(, session=<[[:alnum:]\/\+]+>)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Login: user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(,( mpid=[[:digit:]]+,)? (TLS( handshake)?|secured))?(, session=<[[:alnum:]\/\+]+>)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Too many (invalid|bad) commands\.?)? \(no auth attempts( in [[:digit:]]+ secs)?\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+,( TLS,)? session=<[[:alnum:]\/\+]+>$
diff --git a/files/etc/logcheck/ignore.d.server/local-icinga b/files/etc/logcheck/ignore.d.server/local-icinga
new file mode 100644
index 0000000..493197d
--- /dev/null
+++ b/files/etc/logcheck/ignore.d.server/local-icinga
@@ -0,0 +1 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ icinga: Auto-save of retention data completed successfully\.$
diff --git a/files/etc/logcheck/ignore.d.server/local-iptables b/files/etc/logcheck/ignore.d.server/local-iptables
new file mode 100644
index 0000000..4f56032
--- /dev/null
+++ b/files/etc/logcheck/ignore.d.server/local-iptables
@@ -0,0 +1,2 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[[:digit:][:space:].]+\] unknown INPUT traffic: IN=[[:alnum:]]+ OUT= MAC=[[:xdigit:]:.]+ SRC=[[:xdigit:]:.]+ DST=[[:xdigit:]:.]+ LEN=[[:digit:]]+ (TC=[[:digit:]]+ HOPLIMIT=[[:digit:]]+ FLOWLBL=[[:digit:]]+|TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[[:digit:]]+ ID=[[:digit:]]+) (DF )?PROTO=(TCP|UDP|132|41|155|253)( SPT=[[:digit:]]+ DPT=[[:digit:]]+ (WINDOW=[[:digit:]]+ RES=0x[[:xdigit:]]+ (CWR )?(ECE )?(PSH )?(SYN |ACK |RST )+(PSH )?URGP=[[:digit:]]+|LEN=[[:digit:]]+))?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[[:digit:][:space:].]+\] [[:alnum:]]+ bruteforce attempt: IN=[[:alnum:]]+ OUT= MAC=[[:digit:]a-f:]+ SRC=[[:digit:]a-f:.]+ DST=[[:digit:]a-f:.]+ LEN=[[:digit:]]+ (TC=[[:digit:]]+ HOPLIMIT=[[:digit:]]+ FLOWLBL=[[:digit:]]+|TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[[:digit:]]+ ID=[[:digit:]]+) (DF )?PROTO=(TCP|UDP) SPT=[[:digit:]]+ DPT=[[:digit:]]+ (WINDOW=[[:digit:]]+ RES=0x00 (CWR ECE )?(SYN|ACK|RST) (PSH )?(FIN )??URGP=[[:digit:]]+|LEN=[[:digit:]]+)$
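Review bot: The `no auth attempts` rule whose tail reads `(TLS|SSL)?( handshaking), )?session=` has an unmatched `)`, which GNU grep -E rejects as an invalid expression rather than treating as a literal; because logcheck hands the concatenated rule files to a single grep run, one malformed line like this can stop the entire dovecot ignore set from filtering anything, so it should be fixed before merging. The intended tail is presumably `((TLS|SSL)( handshaking)?, )?session=<[[:alnum:]\/\+]+>?$`. The `Disconnected (tried to use unsupported auth mechanism)` rule has unescaped parentheses, so it matches "Disconnected tried to use ..." and never the real log line; it needs `Disconnected \(tried to use unsupported auth mechanism\): user=`. Separately, the pam_unix `authentication failure` and `auth failed, N attempts` rules remove every failed login from the report, which is only sound if something else (fail2ban, a log shipper) consumes those lines; I would record that reason in a `#` comment above them so the next admin does not assume brute-force attempts are still being reported.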
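Review bot: The second iptables rule suppresses every kernel line tagged `<prefix> bruteforce attempt`, which is the firewall's own record of a brute-force source, and the first suppresses every `unknown INPUT traffic` drop; once they are in ignore.d.server nobody sees them at all, so the file trades the one signal these LOG rules were added to produce for quieter mail. If the goal is volume, I would leave the `bruteforce attempt` rule out of the ignore set (or at least replace the open-ended `[[:alnum:]]+` with the specific chain prefixes you expect, e.g. `(ssh|imap) bruteforce attempt:`) and let logcheck's report or a counting tool summarise them. Minor: the second rule uses `[[:digit:]a-f:.]` for SRC/DST/MAC while the first uses `[[:xdigit:]:.]`; aligning both on `[[:xdigit:]:.]` keeps the two rules consistent and covers any uppercase hex.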
diff --git a/files/etc/logcheck/ignore.d.server/local-nsd b/files/etc/logcheck/ignore.d.server/local-nsd
new file mode 100644
index 0000000..0ec2db0
--- /dev/null
+++ b/files/etc/logcheck/ignore.d.server/local-nsd
@@ -0,0 +1,13 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nsd\[[[:digit:]]+\]: Handle incoming notify for zone [[:alnum:].-]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nsd\[[[:digit:]]+\]: memory recyclebin holds [[:digit:]] bytes$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nsd\[[[:digit:]]+\]: notify for [[:alnum:].]+ from [[:xdigit:].:]+ serial [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nsd\[[[:digit:]]+\]: Notify received and accepted, forward to xfrd$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nsd\[[[:digit:]]+\]: NSTATS [[:digit:]]+ [[:digit:]]+ (A=[[:digit:]]+ )?(NS=[[:digit:]]+ )?(CNAME=[[:digit:]]+ )?(SOA=[[:digit:]]+ )?(PTR=[[:digit:]]+ )?(MX=[[:digit:]]+ )?(TXT=[[:digit:]]+ )?(AAAA=[[:digit:]]+ )?(SRV=[[:digit:]]+ )?(NAPTR=[[:digit:]]+ )?(TYPE38=[[:digit:]]+ )?(NSEC=[[:digit:]]+ )?(DNSKEY=[[:digit:]]+ )?(SPF=[[:digit:]]+ )?(TYPE251=[[:digit:]]+ )?(TYPE252=[[:digit:]]+ )?TYPE255=[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nsd\[[[:digit:]]+\]: signal received, reloading\.\.\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nsd\[[[:digit:]]+\]: xfrd: zone [[:alnum:].]+ committed "received update to serial [[:digit:]]+ at [[:digit:]T:-]+ from [[:xdigit:].:]+"$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nsd\[[[:digit:]]+\]: xfrd: zone [[:alnum:].-]+ written received XFR from [[:digit:].]+ with serial [[:digit:]]+ to disk$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nsd\[[[:digit:]]+\]: axfr for [[:alnum:].-]+ from [[:xdigit:].:]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nsd\[[[:digit:]]+\]: XSTATS [[:digit:]]+ [[:digit:]]+ RR=[[:digit:]]+ RNXD=[[:digit:]]+ RFwdR=[[:digit:]]+ RDupR=[[:digit:]]+ RFail=[[:digit:]]+ RFErr=[[:digit:]]+ RErr=[[:digit:]]+ RAXFR=[[:digit:]]+ RLame=[[:digit:]]+ ROpts=[[:digit:]]+ SSysQ=[[:digit:]]+ SAns=[[:digit:]]+ SFwdQ=[[:digit:]]+ SDupQ=[[:digit:]]+ SErr=[[:digit:]]+ RQ=[[:digit:]]+ RIQ=[[:digit:]]+ RFwdQ=[[:digit:]]+ RDupQ=[[:digit:]]+ RTCP=[[:digit:]]+ SFwdR=[[:digit:]]+ SFail=[[:digit:]]+ SFErr=[[:digit:]]+ SNaAns=[[:digit:]]+ SNXD=[[:digit:]]+ RUQ=[[:digit:]]+ RURQ=[[:digit:]]+ RUXFR=[[:digit:]]+ RUUpd=[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nsd\[[[:digit:]]+\]: zone [[:alnum:].]+\. received update to serial [[:digit:]]+ at [[:digit:]T:-]+ from [[:xdigit:].:]+ of [[:digit:]]+ bytes in [[:digit:]e.-]+ seconds$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nsd\[[[:digit:]]+\]: zone [[:alnum:].]+ serial [[:digit:]]+ is updated to [[:digit:]]+\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nsd\[[[:digit:]]+\]: Zone [[:alnum:].-]+ serial [[:digit:]]+ is updated to [[:digit:]]+.$
diff --git a/files/etc/logcheck/ignore.d.server/local-ntpd b/files/etc/logcheck/ignore.d.server/local-ntpd
new file mode 100644
index 0000000..18b1db2
--- /dev/null
+++ b/files/etc/logcheck/ignore.d.server/local-ntpd
@@ -0,0 +1,10 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: time reset [+-]*[0-9]{1,2}\.[0-9]{6} s$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: synchronisation lost$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: no servers reachable$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: synchronized to ([0-9.]{7,15}|[0-9a-fA-F:.]{4,39}), stratum [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: synchronized to LOCAL\([0-9]+\), stratum [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status change) [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: precision = [0-9]+\.[0-9]+ usec$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: peer ([.0-9]{7,15}|[0-9a-fA-F:.]{4,39}) now (in)?valid$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: adjusting local clock by -?[.0-9]+s$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: adjust time server -?[.0-9]+ offset$
diff --git a/files/etc/logcheck/ignore.d.server/local-proftpd b/files/etc/logcheck/ignore.d.server/local-proftpd
new file mode 100644
index 0000000..3bd4889
--- /dev/null
+++ b/files/etc/logcheck/ignore.d.server/local-proftpd
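Review bot: The `axfr for <zone> from [[:xdigit:].:]+` rule, and likewise the `notify for ... from`, `xfrd: zone ... committed "... from ..."` and `received update ... from` rules, accept any source address, so a zone transfer pulled by an unknown host or a NOTIFY from a spoofed address is filtered exactly like traffic from the configured peers and never reaches the report. If this nsd serves as a primary, pin the address part to the real secondaries, e.g. `nsd\[[[:digit:]]+\]: axfr for [[:alnum:].-]+ from (SECONDARY1|SECONDARY2)$` with the literal, escaped peer addresses, so transfers from anywhere else still surface. Minor: `memory recyclebin holds [[:digit:]] bytes` matches only a single-digit byte count and will let the usual multi-digit values through; `[[:digit:]]+` is presumably what was meant.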
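Review bot: The ntpd rules for `synchronisation lost` and `no servers reachable` hide the two messages that say the host's clock is no longer trustworthy, which affects every log timestamp this very tool reports on and every certificate and Kerberos validity check on the box. I would drop those two lines from the ignore file and keep the noise-only ones (`precision =`, `kernel time sync`, `peer ... now valid`); if they are being suppressed because a monitoring check already covers NTP health, a `#` comment saying so would keep that decision visible.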
@@ -0,0 +1 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]+\]: connect from [.:[:xdigit:]]+ \([.:[:xdigit:]]+\)$
diff --git a/files/etc/logcheck/ignore.d.server/local-spamd b/files/etc/logcheck/ignore.d.server/local-spamd
new file mode 100644
index 0000000..add411d
--- /dev/null
+++ b/files/etc/logcheck/ignore.d.server/local-spamd
@@ -0,0 +1,3 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[[:digit:]]+\]:( spamd:)? connection from [._[:alnum:]-]+ \[[\.[:digit:]]+\]:[[:digit:]]+ to port [[:digit:]]+, fd [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[[:digit:]]+\]: (spamd: )?result: [.YN] [ [:digit:]-]+ - ([._[:alnum:],]+ )?scantime=[[:digit:].]+,size=[[:digit:]]+,(user=[^,]+,uid=[[:digit:]]+,required_score=[[:digit:].]+,rhost=[._[:alnum:]-]+,raddr=[[:digit:].]+,rport=[/[:alnum:].-]+,)?mid=(<[^[:space:]]+>|\(unknown\))(rmid=(<[^[:space:]]+>|\(unknown\)),)?,(bayes=[.[:digit:]]+(e-[[:digit:]]+)?,)?autolearn=(ham|spam|no|disabled|unavailable)(,shortcircuit=(ham|spam|no))?( autolearn_force=(no|yes))? *$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (spamd|check|re(port|voke))\[[[:digit:]]+\]: pyzor: \[[[:digit:]]+\] error: TERMINATED, signal 15 \(000f\)$
diff --git a/files/etc/logcheck/ignore.d.server/local-ssh b/files/etc/logcheck/ignore.d.server/local-ssh
new file mode 100644
index 0000000..53d8687
--- /dev/null
+++ b/files/etc/logcheck/ignore.d.server/local-ssh
@@ -0,0 +1,74 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+ ssh2: (RSA-CERT ID [[:alnum:]]+@[[:alnum:]]+ \(serial [[:digit:]]+\) CA )?(RSA|ED25519) [:.[:xdigit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad packet length [[:digit:]]+\. \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification '[^']*' from [:.[:xdigit:]]+ port [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: channel_by_id: 1: bad id: channel free$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: channel_input_success_failure: 1: unknown$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection (closed|reset) by [:.[:xdigit:]]+ port [[:digit:]]+ \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Could not write ident string to UNKNOWN$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Did not receive identification string from ([:[:xdigit:].]+|UNKNOWN)+ port [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnected from [:[:xdigit:].]+ port [[:digit:]]+ \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: bad client public DH value \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Change of username or service not allowed: \([^,]*,ssh-connection\) -> \([^,]*,ssh-connection\) \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Packet corrupt \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Too many authentication failures for (invalid user|root) [[:alnum:]]+ from [[:digit:].]+ port [[:digit:]]+ ssh2 \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Too many authentication failures \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: connect_to .* port [[:digit:]]+: failed\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex protocol error: type 30 seq 1 \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: maximum authentication attempts exceeded for (invalid user [[:alnum:][:space:][:digit:]@\\!._-]*|root) from [:.[:xdigit:]]+ port [[:digit:]]+ ssh2 \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: Authentication failure for( illegal user)? [^[:space:]]* from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: service\(sshd\) ignoring max retries; [[:digit:]] > [[:digit:]]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: User not known to the underlying authentication module for illegal user [^[:space:]]* from [^[:space:]]*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?10: user closed connection \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: BUNNYBYTEv0.1 \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: (Bye )?(Goodb|B)ye \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: Client disconnecting normally \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: Closed due to user request\. \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: disconnected by user \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: disconnect \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: Cooling down ;\) \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: Inchidere normala \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: JIHAD FROM BU. \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: logout \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: Normal Shutdown(, Thank you for playing)? \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: Shutdown, Thanks for playing \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: ok \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: Operation timeout \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: PECL\/ssh2 \(http:\/\/pecl\.php\.net\/packages\/ssh2\) \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: +\[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: [[:space:]]*\[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: These aren't the droids we're looking for\. \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?13: (Closed due to )?[Uu]ser request\.? \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?13: Unable to authenticate \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?14: no authentication methods available \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?14: No more user authentication methods available. \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?14: Unable to connect using the available authentication methods \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?2: Handshake failed \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?3: com\.jcraft\.jsch\.JSchException: Auth (cancel|fail) \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?3: com\.jcraft\.jsch\.JSchException: reject HostKey: [:.[:alnum:]]+ \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?3: com\.jcraft\.jsch\.JSchException: timeout in waiting for rekeying process\. \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?3: java\.net\.SocketTimeoutException: Read timed out \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?3: org\.vngx\.jsch\.userauth\.AuthCancelException: User authentication canceled by user \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?3: Tamir\.SharpSsh\.jsch\.JSchException: Auth fail\\\\r\\\\n \\\\320\\\\262 Tamir\.SharpSsh\.jsch\.Session\.connect\(Int32 connectTimeout\) \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?7: User interaction is not allowed \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?7: Service not available \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed (keyboard-interactive/pam|password|none) for (i(llegal|nvalid) user )?.* from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+) port [[:digit:]]{1,5} ssh2?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: no hostkey alg \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: no matching cipher found: client .*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: no matching mac found: client .*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Read from socket failed: Connection reset by peer \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Unable to negotiate a key exchange method \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Write failed: Broken pipe \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Write failed: Connection reset by peer \[preauth\]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: input_userauth_request: invalid user [[:alnum:][:space:].:+-]+\[preauth\]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: invalid public DH value: <= 1 \[preauth\]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Invalid user [[:alnum:][:space:][:digit:]@\$#\\!.:=_+-]* from [:.[:xdigit:]]+ port [[:digit:]]+$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: PAM service\(sshd\) ignoring max retries; [[:digit:]] > [[:digit:]]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+user=(root|nobody|backup|daemon|www-data|games|news|mail|lp|sync|uucp|identd|gnats|irc|list|proxy|sys|nagios|mysql|bin|ftp|sshd|smmsp|snmp|man|ntp|quagga|libuuid|Debian-exim|proftpd|logcheck|vmail|statd|dovecot|postfix|puppet|bacula))?$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): check pass; user unknown +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Postponed (publickey|keyboard-interactive) for ([^[:space:]]+|invalid user)[[:space:]]+from [^[:space:]]+ port [[:digit:]]+ ssh2 \[preauth\]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Unable to negotiate with [:.[:xdigit:]]+ port [[:digit:]]+: no matching (cipher|key exchange method|host key type) found\. 
Their offer: .* \[preauth\]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: User [._[:alnum:]-]+ from [[:alnum:].-]+ not allowed because none of user's groups are listed in AllowGroups$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: warning: can't get client address: Connection reset by peer$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: ssh_dispatch_run_fatal: Connection from [:.[:xdigit:]]+ port [[:digit:]]+: Broken pipe \[preauth\]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: packet_write_wait: Connection from [:.[:xdigit:]]+ port [[:digit:]]+: Broken pipe \[preauth\]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: WARNING: no suitable primes in /etc/ssh/moduli$ diff --git a/files/etc/logcheck/ignore.d.server/local-unbound b/files/etc/logcheck/ignore.d.server/local-unbound new file mode 100644 index 0000000..6963ce2 --- /dev/null +++ b/files/etc/logcheck/ignore.d.server/local-unbound @@ -0,0 +1 @@ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]]+:0\] error: read (in tcp r): Connection reset by peer for [:.[:xdigit:]]+$ -- 2.39.2
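Review bot: The thread field in the new local-unbound rule is pinned to zero by `\[[[:digit:]]+:0\]`, so if the unbound on these hosts runs with more than one worker thread the identical "Connection reset by peer" read error logged by another thread is not matched and keeps being reported. Whether unbound is multi-threaded here is not visible in the patch, so it is worth checking against the deployed unbound configuration; if other threads are expected, `\[[[:digit:]]+:[[:digit:]]+\]` covers them while the rest of the rule stays as narrow as it is now. The rule is otherwise appropriately specific, since it only silences the `(in tcp r)` read path and still requires a peer address at the end.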