From 7ec67a606d7090aa58a0d2f35af45f87825cf3c4 Mon Sep 17 00:00:00 2001
From: Dominik Szmek
Date: Wed, 12 Feb 2020 16:15:00 +0100
Subject: [PATCH 01/44] new rules
---
 ignore.d.server/domino-amavisd | 9 +++++-
 ignore.d.server/domino-dovecot | 54 ++++++++++++++++----------------
 ignore.d.server/domino-influxd | 2 ++
 ignore.d.server/domino-influxdb | 11 -------
 ignore.d.server/domino-ntp | 13 +++++--
 ignore.d.server/domino-postfix | 30 ++++++++++++++++++
 ignore.d.server/domino-tor | 13 +++++--
 7 files changed, 85 insertions(+), 47 deletions(-)
 create mode 100644 ignore.d.server/domino-influxd
 delete mode 100644 ignore.d.server/domino-influxdb
diff --git a/ignore.d.server/domino-amavisd b/ignore.d.server/domino-amavisd
index 50700b2..a4f10c0 100644
--- a/ignore.d.server/domino-amavisd
+++ b/ignore.d.server/domino-amavisd
@@ -1,4 +1,4 @@
-# ; -*- mode: text; fill-column: 99999 -*-
+# ; -*- mode: conf; fill-column: 99999 -*-
 # Sat Aug 4 17:58:14 CST 2018
@@ -7,3 +7,10 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (CLEAN|SPAM|SPAMMY|INFECTED \([-._[:alnum:][:space:]]+\)|BAD-HEADER(-[[:digit:]])?)( \{((Relayed(OpenRelay|Inbound|Outbound)|Quarantined),?)+\})?,( LOCAL)?( \[(IPv6:)?[[:xdigit:].:]{3,39}\](:[[:digit:]]+)?){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( quarantine: [[:alnum:]]/(spam|virus|badh)-[-+_[:alnum:]]+(\.gz)?,)?( Queue-ID: [[:xdigit:]]{10,11},)?( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+_[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]/]+(, dkim_id=[-=_+\.,@[:alnum:]]+)?(, dkim_sd=[^[:space:]]+)?( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Blocked (SPAM|BANNED \([-.,_[:alnum:][:space:]\\]+\))( {((NoBounceInbound|BouncedOpenRelay|DiscardedInbound|Quarantined|NoBounceOpenRelay),?)+})?,(( \[(IPv6:)?[[:xdigit:].:]{3,39}\](:[[:digit:]]+)?){1,2})? <[^>]*> -> (<[^>]*>,?)+,( quarantine: [[:alnum:]]/(banned|spam)-[-+_[:alnum:]]+(\.gz)?,)?( Queue-ID: [[:xdigit:]]{10},)?( Message-ID: <[^>]+>,)?( \((added by[^)]+|sfid-[_[:xdigit:]]+)\),)?( Resent-Message-ID: <[^>]+>,)?( mail_id: [-+_[:alnum:]]+,)? Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+(, dkim_id=[-=_+\.,@[:alnum:]]+)?(, dkim_sd=[^[:space:]]+)?( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$
+
+
+# Jan 01 00:00:00 debian amavis[23028]: (23028-15) Passed SPAM {RelayedTaggedInbound,Quarantined}, [1.2.3.4] [1.2.3.4] -> , quarantine: 2/spam-21caAMxOOX1T.gz, mail_id: 21caAMxOOX1T, Hits: 22.109, size: 2257, queued_as: 9F5CB40970, 1782 ms
+# Jan 01 00:00:00 debian amavis[13944]: (13944-18) Passed SPAM {RelayedTaggedInbound,Quarantined}, [1.2.3.4] [1.2.3.4] -> , quarantine: t/spam-texYR1HFOQJL.gz, Message-ID: <2079978790.654136.1579145280906.JavaMail.user@domain.com>, mail_id: texYR1HFOQJL, Hits: 6.627, size: 4410, queued_as: 0993B400C9, 796 ms
+# Jan 01 00:00:00 debian amavis[11111]: (07635-18) Passed SPAM {RelayedTaggedInbound,Quarantined}, [1.2.3.4] [1.2.3.4] -> , quarantine: w/spam-wHNx4wR-oxs3.gz, Message-ID: <20200120002624.B93004436@mail0.ceniai.inf.cu>, mail_id: wHNx4wR-oxs3, Hits: 8.798, size: 2295, queued_as: AF9314084B, 4047 ms
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([0-9-]+\) Passed SPAM {RelayedTaggedInbound,Quarantined}, \[[0-9.]+\] \[[0-9.]+\] <[@[:alnum:].]+> -> <[@[:alnum:].]+>, quarantine: [[:alnum:]\/.-]+,( Message-ID: <[[:alnum:]@.]+>,)? mail_id: [[:alnum:]-]+, Hits: [0-9.]+, size: [0-9]+, queued_as: [[:alnum:]]+, [0-9]+ ms$
diff --git a/ignore.d.server/domino-dovecot b/ignore.d.server/domino-dovecot
index ad5151a..698f783 100644
--- a/ignore.d.server/domino-dovecot
+++ b/ignore.d.server/domino-dovecot
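Review bot: The new `Passed SPAM` rule at the end of the hunk writes the amavis flag set as a bare `{RelayedTaggedInbound,Quarantined}`, while the existing Passed rule two lines above escapes it as `\{...\}`; an unescaped `{` that does not open a valid interval is undefined in POSIX ERE and only GNU grep happens to take it literally. Escaping it keeps the rule portable and consistent with its neighbour: `Passed SPAM \{RelayedTaggedInbound,Quarantined\}, `. The sample comments in this hunk appear to have lost their angle-bracketed addresses (`-> ,`), so the sender and recipient classes `<[@[:alnum:].]+>` could not be checked against them here.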
@@ -1,40 +1,40 @@ -# ; -*- mode: text; fill-column: 99999 -*- +# ; -*- mode: conf; fill-column: 99999 -*- +# auth + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: Warning: Event [[:alnum:]]+ leaked \(parent=\(nil\)\): auth-client-connection.c:[0-9]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: plain\(\?,[.[:digit:]]+\): Request timed out waiting for client to continue authentication \([[:digit:]]+ secs\)$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap: Connection closed in=[[:digit:]]+ out=[[:digit:]]+$ -# Aug 13 23:21:00 debian dovecot: imap(routeruser)<18757>: Connection closed (IDLE running for 0.001 + waiting input for 8.605 secs, 2 B in + 10 B out, state=wait-input) in=170461 out=572606 deleted=0 expunged=0 trashed=0 hdr_count=624 hdr_bytes=168025 body_count=0 body_bytes=0 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \((no auth attempts in [0-9]+ secs|disconnected before auth was ready, waited [0-9]+ secs)\):( user=<>,)? rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS:? (handshaking: (read\(size=[0-9]+\) failed: Connection reset by peer|Connection closed)|SSL_read failed: error:[[:alnum:]]+:SSL\sroutines:ssl3_read_bytes:unexpected record), session=<[[:alnum:]\+\/]+>$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap: Connection closed in=[[:digit:]]+ out=[[:digit:]]+$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed \((UID FETCH|UID STORE|LIST|NOOP|STATUS|append)? 
finished [0-9.]+ secs ago\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Disconnected for inactivity in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]\.@_-]+\)<[[:digit:]]+><[\/[:alnum:]]+>: Connection closed \(IDLE running for [[:digit:]\.]+ \+ waiting input for [[:digit:]\.]+ secs, [0-9]+ B in \+ [[:digit:]\+]+ B out, state=wait-input\) in=[0-9]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ - -# Aug 13 19:32:47 debian dovecot: imap(routeruser)<21817>: Logged out in=305 out=46530 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=221 body_count=0 body_bytes=0 - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([\._@[:alnum:]-]+\)<[[:digit:]]+><[\+\/[:alnum:]]+>: Logged out in=[[:digit:]]+ out=[[:digit:]]+ deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed(: read\(size=[0-9]+\))?( failed: Connection reset by peer)? 
\(IDLE running for [0-9.]+ \+ waiting input for [0-9.]+ secs, [0-9]+ B in \+ [0-9\+]+ B out, state=wait-input\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$ -# Sep 18 05:09:54 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=1.2.3.4, lip=2.3.4.5, TLS handshaking: read(size=1024) failed: Connection reset by peer, session= -# Sep 21 17:50:17 debian dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=1.2.3.4, lip=2.3.4.5, TLS handshaking: Connection closed, session= -# Nov 14 07:59:36 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=1.2.3.4, lip=2.3.4.5, TLS: SSL_read failed: error:140940F5:SSL -routines:ssl3_read_bytes:unexpected record, session= - -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \((no auth attempts in [0-9]+ secs|disconnected before auth was ready, waited [0-9]+ secs)\):( user=<>,)? rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS:? 
(handshaking: (read\(size=[0-9]+\) failed: Connection reset by peer|Connection closed)|SSL_read failed: error:[[:alnum:]]+:SSL\sroutines:ssl3_read_bytes:unexpected record), session=<[[:alnum:]\+\/]+>$ - -# Sep 17 03:09:07 debian dovecot: auth: Warning: Event 0x562bf4aefcc0 leaked (parent=(nil)): auth-client-connection.c:338 - -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: Warning: Event [[:alnum:]]+ leaked \(parent=\(nil\)\): auth-client-connection.c:[0-9]+$ - -# Nov 6 00:00:00 linode2 dovecot: imap(abc@domain.com)<3549><7UkTJq6W7pxPvAGh>: Disconnected for inactivity in=322 out=1009 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 - -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Disconnected for inactivity in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ -# Nov 6 00:00:00 linode2 dovecot: imap(abc@domain.com)<1187>: Connection closed (UID FETCH finished 895.794 secs ago) in=329 out=3439 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 -# Nov 6 00:00:00 linode2 dovecot: imap(abc@domain.com)<1186>: Connection closed (LIST finished 895.877 secs ago) in=23 out=897 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 -# Nov 6 00:00:00 linode2 dovecot: imap(abc@domain.com)<28476>: Connection closed (NOOP finished 0.072 secs ago) in=31 out=940 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<2246>: Connection closed (noop finished 0.087 secs ago) in=4358 out=46877 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=461 body_count=0 body_bytes=0 +# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<16368>: Connection closed (noop finished 0.099 secs ago) in=1157 out=74605 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=304 
body_count=0 body_bytes=0 +# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<16443>: Connection closed (noop finished 0.081 secs ago) in=1207 out=74860 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=310 body_count=0 body_bytes=0 +# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<18518>: Connection closed (IDLE finished 137.627 secs ago) in=1074 out=5163 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<20806>: Connection closed (UID SEARCH finished 2.242 secs ago) in=54 out=1167 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<13658>: Connection closed (UID fetch finished 0.145 secs ago) in=9581 out=9495290 deleted=0 expunged=0 trashed=0 hdr_count=4 hdr_bytes=1467 body_count=144 body_bytes=9365757 +# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<8849>: Connection closed (UID fetch finished 0.160 secs ago) in=172 out=109992 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed \((UID FETCH|UID STORE|LIST|NOOP|STATUS|append)? 
finished [0-9.]+ secs ago\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \((noop|IDLE|UID (SEARCH|fetch)) finished [.0-9]+ secs ago\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ -# Nov 9 11:12:28 linode2 dovecot: imap(abc@domain.com)<2509><7BepIueWNJtPvWPC>: Connection closed: read(size=8013) failed: Connection reset by peer (IDLE running for 0.001 + waiting input for 0.001 secs, 2 B in + 10 B out, state=wait-input) in=179 out=10967 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 -# Nov 9 11:12:28 linode2 dovecot: imap(abc@domain.com)<2508>: Connection closed (IDLE running for 0.001 + waiting input for 0.001 secs, 2 B in + 10+10 B out, state=wait-input) in=180 out=89621 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +# Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: Connection closed, session= +# Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: Connection closed, session= +# Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2600:3c03::f03c:92ff:fe37:de06, lip=2a01:7e01::f03c:91ff:fe92:641e, TLS handshaking: Connection closed, session= +# Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2600:3c03::f03c:92ff:fe37:de06, lip=2a01:7e01::f03c:91ff:fe92:641e, TLS handshaking: Connection closed, session= +# Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: 
Connection closed, session= +# Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: Connection closed, session= +# Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=2600:3c03::f03c:92ff:fe37:de06, lip=2a01:7e01::f03c:91ff:fe92:641e, TLS: Connection closed, session= +# Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=2600:3c03::f03c:92ff:fe37:de06, lip=2a01:7e01::f03c:91ff:fe92:641e, TLS: Connection closed, session= +# Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: read(size=583) failed: Connection reset by peer, session= -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed(: read\(size=[0-9]+\))?( failed: Connection reset by peer)? \(IDLE running for [0-9.]+ \+ waiting input for [0-9.]+ secs, [0-9]+ B in \+ [0-9\+]+ B out, state=wait-input\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(no auth attempts in [0-9]+ secs\): user=<>, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS( handshaking)?:( read\(size=583\) failed:)? Connection (closed|reset by peer), session=<[\/\+[:alnum:]]+>$ diff --git a/ignore.d.server/domino-influxd b/ignore.d.server/domino-influxd new file mode 100644 index 0000000..cd77cba --- /dev/null +++ b/ignore.d.server/domino-influxd @@ -0,0 +1,2 @@ +# ; -*- mode: conf; fill-column: 99999 -*- + diff --git a/ignore.d.server/domino-influxdb b/ignore.d.server/domino-influxdb deleted file mode 100644 index b88942b..0000000 --- a/ignore.d.server/domino-influxdb +++ /dev/null 
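Review bot: The rebuilt `imap-login: Disconnected` rule at the end of the hunk hard-codes `read\(size=583\)`, copied from one sample line, whereas the rule it replaces matched `read\(size=[0-9]+\)`; the read size varies per client, so most of these disconnects will fall through to the report again. Use `( read\(size=[0-9]+\) failed:)?` instead. The rule stays limited to `user=<>` (no authentication attempted), which is the right scope for an ignore rule: disconnect lines that carry a user name belong in the report.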
@@ -1,11 +0,0 @@
-# ; -*- mode: conf; fill-column: 99999 -*-
-
-# Nov 24 09:51:32 debian influxd[27703]: [httpd] 192.168.0.1 - root [24/Nov/2019:09:51:32 +0100] "GET /query?db=abc&q=SELECT+%2A+from+state HTTP/1.1" 200 244 "-" "python-requests/2.22.0" 9d3d77ce-0e97-11ea-8077-000000000000 1833
-# Nov 24 09:51:46 debian influxd[27703]: [httpd] ::1 - - [24/Nov/2019:09:51:46 +0100] "POST /query?db=&epoch=ns&q=SHOW+DATABASES HTTP/1.1" 200 116 "-" "InfluxDBShell/1.6.4" a52ae7c6-0e97-11ea-8079-000000000000 2350
-# Nov 24 09:52:45 debian influxd[27703]: [httpd] 192.168.0.1 - root [24/Nov/2019:09:52:45 +0100] "POST /write?db=abc HTTP/1.1" 204 0 "-" "python-requests/2.22.0" c841ac38-0e97-11ea-807d-000000000000 6362
-
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ influxd\[[0-9]+\]: \[httpd\]( [,.:[:digit:]]+,)? [,.:[:digit:]]+ \-( \-)? [[:alnum:]-]+ \[[\/:\+[:alnum:] ]+\] \"(POST|GET) \/[\?\=\&\+\%[:alnum:]-]+ HTTP\/1\.1\" [0-9]+ [0-9]+ \"\-\" \"[\-\/\.[:alnum:]]+\" [[:alnum:]-]+ [0-9]+$
-
-# Nov 24 09:51:32 debian influxd[27703]: ts=2019-11-24T08:51:32.912602Z lvl=info msg="Executing query" log_id=0JIHWOo0000 service=query query="SELECT * FROM abc.autogen.state"
-
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ influxd\[[0-9]+\]: ts=[\:\-\.[:alnum:]]+ lvl=info msg=\"Executing query\" log_id=[[:alnum:]]+ service=query query=\"[\*\.\(\)\>\=\<[:alnum:] -]+\"$
diff --git a/ignore.d.server/domino-ntp b/ignore.d.server/domino-ntp
index f96e62e..4cc3109 100644
--- a/ignore.d.server/domino-ntp
+++ b/ignore.d.server/domino-ntp
@@ -1,16 +1,21 @@
 # ; -*- mode: conf; fill-column: 99999 -*-
-# Oct 3 16:24:34 debian-linode ntpd[3668]: receive: KoD packet from 185.228.137.116 has inconsistent xmt/org/rec timestamps. Ignoring.
+# Oct 3 16:24:34 debian ntpd[3668]: receive: KoD packet from 185.228.137.116 has inconsistent xmt/org/rec timestamps. Ignoring.
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: receive: KoD packet from [.0-9]+ has inconsistent xmt\/org\/rec timestamps.\s+Ignoring.$
-# Aug 25 09:02:36 router ntpd[879]: Soliciting pool server 2a02:f40:10:1::3
+# Aug 25 09:02:36 debian ntpd[879]: Soliciting pool server 2a02:f40:10:1::3
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: Soliciting pool server [\.\:[:xdigit:]]+$
-# Nov 17 07:13:36 linode2 ntpd[32535]: 2a03:4000:29:91:2549:9:f370:a1 local addr 2a01:7e01::f03c:91ff:fe92:641e ->
-# Nov 17 07:13:37 linode2 ntpd[32535]: 2001:638:504:2000::35 local addr 2a01:7e01::f03c:91ff:fe92:641e ->
+# Nov 17 07:13:36 debian ntpd[32535]: 2a03:4000:29:91:2549:9:f370:a1 local addr 2a01:7e01::f03c:91ff:fe92:641e ->
+# Nov 17 07:13:37 debian ntpd[32535]: 2001:638:504:2000::35 local addr 2a01:7e01::f03c:91ff:fe92:641e ->
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: [.[:xdigit:]:]+ local addr [.[:xdigit:]:]+ -> $
+
+
+# Jan 01 00:00:00 debian ntpd[32535]: new interface(s) found: waking up resolver
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: new interface\(s\) found: waking up resolver$
diff --git a/ignore.d.server/domino-postfix b/ignore.d.server/domino-postfix
index c16dbdd..de6643a 100644
--- a/ignore.d.server/domino-postfix
+++ b/ignore.d.server/domino-postfix
@@ -45,3 +45,33 @@
 # Nov 16 05:31:27 debian-linode postfix/smtpd[2253]: warning: hostname 30.223.46.89.baremetal.zare.com does not resolve to address 89.46.223.30: No address associated with hostname
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: warning: hostname [[:alnum:].]+ does not resolve to address [.[:digit:]]+: No address associated with hostname$
+
+
+# Jan 01 00:00:00 debian postfix/smtp[11111]: 172733EFE6: Cannot start TLS: handshake failure
+# Jan 01 00:00:00 debian postfix/smtp[11111]: B8B6B3E588: Cannot start TLS: handshake failure
+# Jan 01 00:00:00 debian postfix/smtp[11111]: D5FD93E557: Cannot start TLS: handshake failure
+
+\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: [[:alnum:]]+: Cannot start TLS: handshake failure$
+
+
+# Jan 01 00:00:00 debian postfix/smtp[11111]: SSL_connect error to eu-smtp-inbound-2.mimecast.com[195.130.217.201]:25: -1
+# Jan 01 00:00:00 debian postfix/smtp[11111]: SSL_connect error to mail.po-mysl.pl[185.204.218.208]:25: -1
+# Jan 01 00:00:00 debian postfix/smtp[11111]: SSL_connect error to mail.po-mysl.pl[185.204.218.208]:25: -1
+# Jan 01 00:00:00 debian postfix/smtp[11111]: SSL_connect error to mail.po-mysl.pl[185.204.218.208]:25: -1
+# Jan 01 00:00:00 debian postfix/smtp[11111]: SSL_connect error to mail.po-mysl.pl[185.204.218.208]:25: -1
+
+\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: SSL_connect error to [\.[:alnum:]-]+\[[.0-9]+\]:[0-9]+: [[:digit:]-]+$
+
+
+# Jan 01 00:00:00 debian postfix/smtp[11111]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
+# Jan 01 00:00:00 debian postfix/smtp[11111]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
+# Jan 01 00:00:00 debian postfix/smtp[11111]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
+# Jan 01 00:00:00 debian postfix/smtp[11111]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
+
+\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: warning: TLS library problem: error:[[:alnum:]]+:SSL routines:ssl3_get_record:wrong version number:..\/ssl\/record\/ssl3_record.c:[0-9]+:$
+
+
+# Jan 01 00:00:00 debian postfix/smtpd[11111]: Anonymous TLS connection established from z13.domain.com[1.2.3.4]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256
+# Jan 01 00:00:00 debian postfix/smtpd[11111]: Anonymous TLS connection established from z15.domain.com[1.2.3.4]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256
+
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[0-9]+\]: Anonymous TLS connection established from [.[:alnum:]]+\[[.0-9]+\]: TLSv[.0-9]+ with cipher [_[:alnum:]]+ \([\/0-9]+ bits\) key-exchange ECDHE \([[:alnum:]-]+\) server-signature [[:alnum:]-]+ \([0-9]+ bits\) server-digest [[:alnum:]]+$
diff --git a/ignore.d.server/domino-tor b/ignore.d.server/domino-tor
index 44d9f0e..672840d 100644
--- a/ignore.d.server/domino-tor
+++ b/ignore.d.server/domino-tor
@@ -1,4 +1,4 @@
-# ; -*- mode: text; fill-column: 99999 -*-
+# ; -*- mode: conf; fill-column: 99999 -*-
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Your network connection speed appears to have changed. Resetting timeout to [[:digit:]]+s after [[:digit:]]+ timeouts and [[:digit:]]+ buildtimes.$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: We now have enough directory information to build circuits.$
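Review bot: Three of the four new rules (`Cannot start TLS`, `SSL_connect error`, `TLS library problem`) begin with `\w{3}` instead of `^\w{3}` and use `[_[:alnum:]-]+` for the host field, while every other rule in the file is anchored with `^` and allows a dot via `[._[:alnum:]-]+`; restore the anchor and the class, e.g. `^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: [[:alnum:]]+: Cannot start TLS: handshake failure$`. The `Anonymous TLS connection established` rule accepts any `TLSv[.0-9]+` and any cipher name, so a session negotiated at an older protocol version or with a weak cipher is silenced together with the TLSv1.3 sessions in the samples; pinning the version, e.g. `TLSv1\.[23]`, keeps a downgrade visible in the report. Likewise the `SSL_connect error` and `Cannot start TLS` rules hide every failed outbound STARTTLS handshake to every peer; limiting them to the peers the samples show as persistently broken keeps a sudden rise in handshake failures visible.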
@@ -11,11 +11,16 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Heartbeat: Tor's uptime is( [0-9]+ days)? [[:digit:]:]+ hours, with [0-9]+ circuits open. I've sent [.[:digit:]]+ [[:alnum:]]{1,2} and received [.[:digit:]]+ [[:alnum:]]{1,2}.$
-# Nov 7 00:01:05 linode2 Tor[14367]: Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
-# Nov 7 00:01:05 linode2 Tor[14367]: Read configuration file "/etc/tor/torrc".
+# Nov 7 00:01:05 debian Tor[14367]: Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
+# Nov 7 00:01:05 debian Tor[14367]: Read configuration file "/etc/tor/torrc".
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Read configuration file "[[:alnum:]\/-]+".$
-# Nov 7 00:01:05 linode2 Tor[14367]: Received reload signal (hup). Reloading config and resetting internal state.
+# Nov 7 00:01:05 debian Tor[14367]: Received reload signal (hup). Reloading config and resetting internal state.
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Received reload signal \(hup\)\. Reloading config and resetting internal state\.$
+
+
+# Jan 01 00:00:00 debian Tor[14367]: Requested exit point '$39C1B28407EAC759801AFCB7106D5DC05B42A8C9' is not known. Closing.
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Requested exit point \'[[:alnum:]$]+\' is not known. Closing.$
From a168f227a128d399cf81cbdfefc3348b7919c5b3 Mon Sep 17 00:00:00 2001
From: Dominik Szmek
Date: Thu, 9 Apr 2020 11:33:14 +0200
Subject: [PATCH 02/44] add squid
---
 ignore.d.server/domino-squid | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 ignore.d.server/domino-squid
diff --git a/ignore.d.server/domino-squid b/ignore.d.server/domino-squid
new file mode 100644
index 0000000..1a19633
--- /dev/null
+++ b/ignore.d.server/domino-squid
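Review bot: The new `Requested exit point` rule quotes the fingerprint as `\'[[:alnum:]$]+\'`, but in GNU grep -E (which logcheck feeds these files to) `\'` is the GNU end-of-buffer operator rather than a literal apostrophe, so the rule can never match and the line keeps being reported. The apostrophe needs no escaping in ERE: `Requested exit point '[[:alnum:]$]+' is not known\. Closing\.$`. The unescaped dots in `known. Closing.` are harmless but inconsistent with the `\.` used in the reload-signal rule two lines above.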
@@ -0,0 +1,10 @@
+# ; -*- mode: conf; fill-column: 99999 -*-
+
+#Apr 9 10:45:52 debian squid[30555]: Logfile: opening log stdio:/var/spool/squid/netdb.state
+#Apr 9 10:45:52 debian squid[30555]: Logfile: closing log stdio:/var/spool/squid/netdb.state
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Logfile: (opening|closing) log stdio:\/var\/spool\/squid\/netdb.state$
+
+#Apr 9 10:45:52 debian squid[30555]: NETDB state saved; 0 entries, 0 msec
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: NETDB state saved; [0-9.]+ entries, [0-9.]+ msec$
From d96bf978573f2f3622be4ddc3875fc356b25aecc Mon Sep 17 00:00:00 2001
From: Dominik Szmek
Date: Tue, 14 Apr 2020 19:05:07 +0200
Subject: [PATCH 03/44] add spamd rules
---
 ignore.d.server/domino-spamd | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 ignore.d.server/domino-spamd
diff --git a/ignore.d.server/domino-spamd b/ignore.d.server/domino-spamd
new file mode 100644
index 0000000..b995186
--- /dev/null
+++ b/ignore.d.server/domino-spamd
@@ -0,0 +1,10 @@
+# ; -*- mode: conf; fill-column: 99999 -*-
+
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: connection from [[:alnum:]:]+ \[[[:alnum:]:]+\]:[0-9]+ to port [0-9]+, fd [0-9]+$
+
+# Apr 14 15:16:56 debian spamd[18599]: spamd: result: Y 5 - FREEMAIL_FORGED_REPLYTO,HTML_MESSAGE,SPF_FAIL,TO_NO_BRKTS_HTML_IMG scantime=1.0,size=16475,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43742,mid=<98140bdf92d37fc0d41dc08b9c4fe028@domain.com>,autolearn=no autolearn_force=no
+# Apr 14 15:16:56 debian spamd[18600]: spamd: result: Y 5 - FREEMAIL_FORGED_REPLYTO,HTML_MESSAGE,SPF_FAIL,TO_NO_BRKTS_HTML_IMG scantime=1.0,size=16991,user=abc-1,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43744,mid=<98140bdf92d37fc0d41dc08b9c4fe028@domain.com>,autolearn=no autolearn_force=no
+# Apr 14 15:48:13 debian spamd[18599]: spamd: result: . 0 - DKIMWL_WL_MED,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS,HTML_IMAGE_RATIO_06,HTML_MESSAGE,LOTS_OF_MONEY,MAILING_LIST_MULTI,SPF_SOFTFAIL scantime=1.0,size=23150,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43862,mid=,autolearn=no autolearn_force=no
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: [[:alnum:].]+ [0-9]+ - [[:alnum:]_,]+ scantime=[0-9.]+,size=[0-9]+,user=[[:alnum:]_-]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[[:digit:]:.]+,raddr=[[:digit:]:.]+,rport=[0-9]+,mid=<[[:alnum:]@.-]+>,autolearn=(yes|no) autolearn_force=(yes|no)$
From 61a7633a8e9ba78e672b14e3865ac9c7fa3a73f3 Mon Sep 17 00:00:00 2001
From: Dominik Szmek
Date: Wed, 15 Apr 2020 11:08:52 +0200
Subject: [PATCH 04/44] update
---
 deploy.sh | 4 ----
 ignore.d.server/domino-dovecot | 25 +++++++++++++++++++++----
 ignore.d.server/domino-hostapd | 5 ++++-
 3 files changed, 25 insertions(+), 9 deletions(-)
diff --git a/deploy.sh b/deploy.sh
index a63186d..36c901a 100755
--- a/deploy.sh
+++ b/deploy.sh
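Review bot: The `spamd: connection from` rule has no sample log line above it, unlike every other rule in these files, and it accepts a connection from any address (`[[:alnum:]:]+ \[[[:alnum:]:]+\]`). The `result:` samples all show `rhost=::1`, so if spamd only listens on loopback the two address classes can be pinned to the loopback addresses, and a connection reaching spamd from anywhere else then still lands in the report. Add the sample line as a `#` comment above the rule as the other rules do.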
@@ -2,14 +2,10 @@ HOSTS=( linode2 - linode2- linode - linode- adm waw edyta - m81 - m81- ) for host in ${HOSTS[*]}; do diff --git a/ignore.d.server/domino-dovecot b/ignore.d.server/domino-dovecot index 698f783..14a8bfc 100644 --- a/ignore.d.server/domino-dovecot +++ b/ignore.d.server/domino-dovecot 
@@ -14,20 +14,23 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([\._@[:alnum:]-]+\)<[[:digit:]]+><[\+\/[:alnum:]]+>: Logged out in=[[:digit:]]+ out=[[:digit:]]+ deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed(: read\(size=[0-9]+\))?( failed: Connection reset by peer)? \(IDLE running for [0-9.]+ \+ waiting input for [0-9.]+ secs, [0-9]+ B in \+ [0-9\+]+ B out, state=wait-input\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$
+# Jan 1 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS handshaking: SSL connection closed during handshake, session=
+# Jan 1 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS handshaking: SSL connection closed during handshake, session=
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(no auth attempts in [0-9]+ secs\): user=<[[:alnum:]@_.-]*>, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS handshaking: SSL connection closed during handshake, session=<[[:alnum:]\+\/]+>$
+
+# Jan 1 00:00:00 debian dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, TLS: Connection closed, session=
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): user=<[[:alnum:]@_.-]+>, method=PLAIN, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS: Connection closed, session=<[[:alnum:]\+\/]+>$
-# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<2246>: Connection closed (noop finished 0.087 secs ago) in=4358 out=46877 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=461 body_count=0 body_bytes=0
-# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<16368>: Connection closed (noop finished 0.099 secs ago) in=1157 out=74605 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=304 body_count=0 body_bytes=0
 # Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<16443>: Connection closed (noop finished 0.081 secs ago) in=1207 out=74860 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=310 body_count=0 body_bytes=0
 # Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<18518>: Connection closed (IDLE finished 137.627 secs ago) in=1074 out=5163 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
 # Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<20806>: Connection closed (UID SEARCH finished 2.242 secs ago) in=54 out=1167 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
 # Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<13658>: Connection closed (UID fetch finished 0.145 secs ago) in=9581 out=9495290 deleted=0 expunged=0 trashed=0 hdr_count=4 hdr_bytes=1467 body_count=144 body_bytes=9365757
-# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<8849>: Connection closed (UID fetch finished 0.160 secs ago) in=172 out=109992 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \((noop|IDLE|UID (SEARCH|fetch)) finished [.0-9]+ secs ago\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$
-# Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: Connection closed, session=
 # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: Connection closed, session=
 # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2600:3c03::f03c:92ff:fe37:de06, lip=2a01:7e01::f03c:91ff:fe92:641e, TLS handshaking: Connection closed, session=
 # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2600:3c03::f03c:92ff:fe37:de06, lip=2a01:7e01::f03c:91ff:fe92:641e, TLS handshaking: Connection closed, session=
@@ -38,3 +41,17 @@
 # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: read(size=583) failed: Connection reset by peer, session=
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(no auth attempts in [0-9]+ secs\): user=<>, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS( handshaking)?:( read\(size=583\) failed:)? Connection (closed|reset by peer), session=<[\/\+[:alnum:]]+>$
+
+# Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: stored mail into mailbox 'INBOX'
+# Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: stored mail into mailbox 'INBOX'
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]:]+>)?: sieve: msgid=<[[:alnum:]@_.-]+>: stored mail into mailbox '[[:alnum:]_-]+'$
+
+# Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<10252>: sieve: msgid=: forwarded to
+# Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: forwarded to
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]:]+>)?: sieve: msgid=<[[:alnum:]@_.-]+>: forwarded to <[[:alnum:]@._-]+>$
+
+# Jan 1 00:00:00 debian dovecot: lmtp(24420): Disconnect from local: Client has quit the connection (state=READY)
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\): Disconnect from local: Client has quit the connection \(state=READY\)$
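Review bot: The new `auth failed, [0-9]+ attempts in [0-9]+ secs` rule in the first hunk ignores failed IMAP logins for any user name and any remote address (`user=<[[:alnum:]@_.-]+>`, `rip=[.:[:alnum:]]+`), which silences exactly the lines that reveal password guessing against the mail server. The sample shows a single attempt followed by a client-side close, which may be one misconfigured client; if so, restrict the rule to that user and address instead of all of them, or keep the line out of ignore.d.server so it still reaches the report. The `SSL connection closed during handshake` rule above it also widens `user=` to `<[[:alnum:]@_.-]*>` while the neighbouring `no auth attempts` rule keeps `user=<>`; `<>` is enough for both samples.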
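Review bot: The `sieve: msgid=...: forwarded to <...>` rule in the second hunk suppresses every sieve redirect to any destination address (`forwarded to <[[:alnum:]@._-]+>$`). A forwarding rule appearing on a mailbox is a common sign of a compromised account, so these lines are worth keeping in the report, or at least limiting to the destinations that are expected, e.g. `forwarded to <[[:alnum:]._-]+@example\.org>$` with the real domain substituted for the placeholder. The `stored mail into mailbox` and `Disconnect from local` rules are plain noise and fine to ignore.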
diff --git a/ignore.d.server/domino-hostapd b/ignore.d.server/domino-hostapd
index 4f3c907..62f18c2 100644
--- a/ignore.d.server/domino-hostapd
+++ b/ignore.d.server/domino-hostapd
@@ -1,4 +1,4 @@
-# ; -*- mode: text; fill-column: 99999 -*-
+# ; -*- mode: conf; fill-column: 99999 -*-
 # Nov 2 00:00:00 debian hostapd: wls12: STA 0a:0a:0a:0a:0a:0a IEEE 802.1X: Supplicant used different EAP type: 3 (unknown)
@@ -43,3 +43,6 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hostapd(\[[0-9]+\])?:\s+frame too short for this IEEE 802\.1(1|X) packet$
+# Jan 1 00:00:00 debian hostapd[687]: wls4: AP-STA-POLL-OK 3c:71:bf:2d:10:52
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hostapd(\[[0-9]+\])?: [[:alnum:]]+: AP-STA-POLL-OK [[:xdigit:]:]{17}$
From 784d67065ac1621b81e42b6d23a8630eb6d6b7ec Mon Sep 17 00:00:00 2001
From: Dominik Szmek
Date: Wed, 15 Apr 2020 15:23:24 +0200
Subject: [PATCH 05/44] update
---
 ignore.d.server/domino-spamd | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ignore.d.server/domino-spamd b/ignore.d.server/domino-spamd
index b995186..890ab19 100644
--- a/ignore.d.server/domino-spamd
+++ b/ignore.d.server/domino-spamd
@@ -6,5 +6,6 @@
 # Apr 14 15:16:56 debian spamd[18599]: spamd: result: Y 5 - FREEMAIL_FORGED_REPLYTO,HTML_MESSAGE,SPF_FAIL,TO_NO_BRKTS_HTML_IMG scantime=1.0,size=16475,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43742,mid=<98140bdf92d37fc0d41dc08b9c4fe028@domain.com>,autolearn=no autolearn_force=no
 # Apr 14 15:16:56 debian spamd[18600]: spamd: result: Y 5 - FREEMAIL_FORGED_REPLYTO,HTML_MESSAGE,SPF_FAIL,TO_NO_BRKTS_HTML_IMG scantime=1.0,size=16991,user=abc-1,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43744,mid=<98140bdf92d37fc0d41dc08b9c4fe028@domain.com>,autolearn=no autolearn_force=no
 # Apr 14 15:48:13 debian spamd[18599]: spamd: result: . 0 - DKIMWL_WL_MED,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS,HTML_IMAGE_RATIO_06,HTML_MESSAGE,LOTS_OF_MONEY,MAILING_LIST_MULTI,SPF_SOFTFAIL scantime=1.0,size=23150,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43862,mid=,autolearn=no autolearn_force=no
+# Apr 15 14:48:25 debian spamd[8102]: spamd: result: . -6 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,SPF_FAIL,URIBL_BLOCKED,USER_IN_DEF_DKIM_WL scantime=0.5,size=21463,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=46926,mid=,autolearn=no autolearn_force=no
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: [[:alnum:].]+ [0-9]+ - [[:alnum:]_,]+ scantime=[0-9.]+,size=[0-9]+,user=[[:alnum:]_-]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[[:digit:]:.]+,raddr=[[:digit:]:.]+,rport=[0-9]+,mid=<[[:alnum:]@.-]+>,autolearn=(yes|no) autolearn_force=(yes|no)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: [[:alnum:].]+ [[:digit:]-]+ - [[:alnum:]_,]+ scantime=[0-9.]+,size=[0-9]+,user=[[:alnum:]_-]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[[:digit:]:.]+,raddr=[[:digit:]:.]+,rport=[0-9]+,mid=<[[:alnum:]@.-]+>,autolearn=(yes|no) autolearn_force=(yes|no)$
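Review bot: `[[:digit:]-]+` for the score in the changed rule also accepts tokens such as `-`, `1-2` or `--5`; if the intent is an optionally negative integer, `-?[0-9]+` says exactly that and nothing more. Since the rule ignores `Y` (spam) verdicts as well as `.` ones, a comment next to it stating that spam results are deliberately not reported would help whoever tunes the filter later.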
From f0439a04f84da73d6c4e8ea717a57e676be6cd0c Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Mon, 20 Apr 2020 09:02:16 +0200 Subject: [PATCH 06/44] update --- ignore.d.server/domino-dovecot | 4 +- ignore.d.server/domino-postfix | 4 +- ignore.d.server/domino-spamd | 2 +- ignore.d.server/domino-squid | 72 ++++++++++++++++++++++++++++++++++ 4 files changed, 77 insertions(+), 5 deletions(-)
diff --git a/ignore.d.server/domino-dovecot b/ignore.d.server/domino-dovecot
index 14a8bfc..04752ee 100644
--- a/ignore.d.server/domino-dovecot
+++ b/ignore.d.server/domino-dovecot
@@ -45,12 +45,12 @@
 # Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: stored mail into mailbox 'INBOX'
 # Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: stored mail into mailbox 'INBOX'
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]:]+>)?: sieve: msgid=<[[:alnum:]@_.-]+>: stored mail into mailbox '[[:alnum:]_-]+'$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]:]+>)?: sieve: msgid=?: stored mail into mailbox '[[:alnum:]_-]+'$
 # Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<10252>: sieve: msgid=: forwarded to
 # Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: forwarded to
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]:]+>)?: sieve: msgid=<[[:alnum:]@_.-]+>: forwarded to <[[:alnum:]@._-]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]:]+>)?: sieve: msgid=?: forwarded to <[[:alnum:]@._-]+>$
 # Jan 1 00:00:00 debian dovecot: lmtp(24420): Disconnect from local: Client has quit the connection (state=READY)
diff --git a/ignore.d.server/domino-postfix b/ignore.d.server/domino-postfix
index de6643a..a1e348d 100644
--- a/ignore.d.server/domino-postfix
+++ b/ignore.d.server/domino-postfix
@@ -28,7 +28,7 @@
 # Sep 9 09:17:58 debian postfix/smtpd[5361]: Anonymous TLS connection established from mail-lj1-f177.google.com[209.85.208.177]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
 # Nov 16 02:09:33 linode2 postfix/smtpd[27303]: Anonymous TLS connection established from ms1622.m.lrmailr.pl[164.132.49.188]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: Anonymous TLS connection established from [-._[:alnum:]]+\[[.[:digit:]]+\]: TLSv[\.0-9]+ with cipher [_[:alnum:]-]+ \([0-9]+\/[0-9]+ bits\) key-exchange [_[:alnum:]-]+ server-signature [_[:alnum:]-]+ \([0-9]+ bits\)( server-digest [_[:alnum:]-]+)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: Anonymous TLS connection established from [-._[:alnum:]]+\[[:.[:digit:]]+\]: TLSv[\.0-9]+ with cipher [_[:alnum:]-]+ \([0-9]+\/[0-9]+ bits\) key-exchange [_[:alnum:]-]+ server-signature [_[:alnum:]-]+ \([0-9]+ bits\)( server-digest [_[:alnum:]-]+)?$
 # Nov 14 05:14:24 router postfix/smtpd[21323]: warning: unknown[1.2.3.4]: SASL Plain authentication failed:
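Review bot: `\[[:.[:digit:]]+\]` in the changed rule admits `:`, so an IPv6 peer is apparently the goal, but Postfix logs IPv6 peers with an `IPv6:` prefix and hex digits (constructed example: `[IPv6:2001:db8::1]`), so neither this class nor the `[:.0-9a-f]+` in the `@@ -74,4 +74,4 @@` hunk of this file will match such a line. The domino-amavisd rules in this series already use `\[(IPv6:)?[[:xdigit:].:]{3,39}\]`; reusing that fragment here keeps the two postfix rules consistent with it. Placing `:` first in the bracket expression (`[:.[:digit:]]`) is also easy to misread as a `[:class:]` opener; `[[:digit:]:.]+`, the order the spamd rules use, is clearer.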
@@ -74,4 +74,4 @@
 # Jan 01 00:00:00 debian postfix/smtpd[11111]: Anonymous TLS connection established from z13.domain.com[1.2.3.4]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256
 # Jan 01 00:00:00 debian postfix/smtpd[11111]: Anonymous TLS connection established from z15.domain.com[1.2.3.4]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256
-^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[0-9]+\]: Anonymous TLS connection established from [.[:alnum:]]+\[[.0-9]+\]: TLSv[.0-9]+ with cipher [_[:alnum:]]+ \([\/0-9]+ bits\) key-exchange ECDHE \([[:alnum:]-]+\) server-signature [[:alnum:]-]+ \([0-9]+ bits\) server-digest [[:alnum:]]+$
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[0-9]+\]: Anonymous TLS connection established from [.[:alnum:]-]+\[[:.0-9a-f]+\]: TLSv[.0-9]+ with cipher [_[:alnum:]]+ \([\/0-9]+ bits\) key-exchange (ECDHE|X25519)( \([[:alnum:]-]+\))? server-signature [[:alnum:]-]+ \([0-9]+ bits\)( server-digest [[:alnum:]]+)?$
diff --git a/ignore.d.server/domino-spamd b/ignore.d.server/domino-spamd
index 890ab19..024207b 100644
--- a/ignore.d.server/domino-spamd
+++ b/ignore.d.server/domino-spamd
@@ -8,4 +8,4 @@
 # Apr 14 15:48:13 debian spamd[18599]: spamd: result: . 0 - DKIMWL_WL_MED,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS,HTML_IMAGE_RATIO_06,HTML_MESSAGE,LOTS_OF_MONEY,MAILING_LIST_MULTI,SPF_SOFTFAIL scantime=1.0,size=23150,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43862,mid=,autolearn=no autolearn_force=no
 # Apr 15 14:48:25 debian spamd[8102]: spamd: result: . -6 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,SPF_FAIL,URIBL_BLOCKED,USER_IN_DEF_DKIM_WL scantime=0.5,size=21463,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=46926,mid=,autolearn=no autolearn_force=no
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: [[:alnum:].]+ [[:digit:]-]+ - [[:alnum:]_,]+ scantime=[0-9.]+,size=[0-9]+,user=[[:alnum:]_-]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[[:digit:]:.]+,raddr=[[:digit:]:.]+,rport=[0-9]+,mid=<[[:alnum:]@.-]+>,autolearn=(yes|no) autolearn_force=(yes|no)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: [[:alnum:].]+ [[:digit:]-]+ - [[:alnum:]_,]+ scantime=[0-9.]+,size=[0-9]+,user=[[:alnum:]_-]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[[:digit:]:.]+,raddr=[[:digit:]:.]+,rport=[0-9]+,mid=<[[:alnum:]:=\$_\/@.+-]+>,(rmid=<[[:alnum:]:\$=_\/@.+-]+>,)?autolearn=(yes|no|spam|ham) autolearn_force=(yes|no)$
diff --git a/ignore.d.server/domino-squid b/ignore.d.server/domino-squid
index 1a19633..52f55fb 100644
--- a/ignore.d.server/domino-squid
+++ b/ignore.d.server/domino-squid
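Review bot: Inside a POSIX bracket expression the backslash is an ordinary character, so `\$` and `\/` in the widened `mid=<[[:alnum:]:=\$_\/@.+-]+>` and `rmid=` classes add a literal `\` to the set rather than escaping anything; `[[:alnum:]:=$_/@.+-]+` expresses the intent without the stray backslash. The class now also accepts `:`, `=`, `/` and `+`, which is wide enough that almost any message-id shape is ignored; that is reasonable for an ignore rule, but a short comment saying the id is deliberately not validated would make the choice explicit.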
@@ -8,3 +8,75 @@
 #Apr 9 10:45:52 debian squid[30555]: NETDB state saved; 0 entries, 0 msec
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: NETDB state saved; [0-9.]+ entries, [0-9.]+ msec$
+
+
+# Jan 1 00:00:00 debian squid[12451]: Squid Parent: (squid-1) process 14076 started
+# Jan 1 00:00:00 debian squid[12451]: Squid Parent: squid-1 process 23082 exited due to signal 6 with status 0
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Squid Parent: \(?squid-1\)? process [0-9]+ (started|exited due to signal [0-9]+ with status [0-9]+)$
+
+# Jan 1 00:00:00 debian squid[14076]: Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 flags=9
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Accepting HTTP Socket connections at local=\[::\]:[0-9]+ remote=\[::\] FD [0-9]+ flags=[0-9]+$
+
+# Jan 1 00:00:00 debian squid[14076]: Adaptation support is off.
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Adaptation support is off.$
+
+# Jan 1 00:00:00 debian squid[14076]: DNS Socket created at 1.2.3.4, FD 9
+# Jan 1 00:00:00 debian squid[14076]: DNS Socket created at [::], FD 5
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: DNS Socket created at [0-9.\[\]:]+, FD [0-9]+$
+
+# Jan 1 00:00:00 debian squid[14076]: Finished loading MIME types and icons.
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Finished loading MIME types and icons.$
+
+# Jan 1 00:00:00 debian squid[14076]: Initializing IP Cache...
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Initializing IP Cache...$
+
+# Jan 1 00:00:00 debian squid[14076]: Logfile Daemon: opening log /var/log/squid/access.log
+# Jan 1 00:00:00 debian squid[14076]: Logfile: opening log daemon:/var/log/squid/access.log
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Logfile( Daemon)?: opening log (daemon:)?\/var\/log\/squid\/access.log$
+
+# Jan 1 00:00:00 debian squid[14076]: Pinger socket opened on FD 14
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Pinger socket opened on FD [0-9]+$
+
+# Jan 1 00:00:00 debian squid[14076]: Process Roles: worker
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Process Roles: worker$
+
+# Jan 1 00:00:00 debian squid[14076]: Service Name: squid
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Service Name: squid$
+
+# Jan 1 00:00:00 debian squid[14076]: Squid plugin modules loaded: 0
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Squid plugin modules loaded: [0-9]+$
+
+# Jan 1 00:00:00 debian squid[14076]: Starting Squid Cache version 4.6 for x86_64-pc-linux-gnu...
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Starting Squid Cache version [0-9.]+ for x86_64-pc-linux-gnu\.\.\.$
+
+# Jan 1 00:00:00 debian squid[14076]: Store logging disabled
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Store logging disabled$
+
+# Jan 1 00:00:00 debian squid[14076]: Swap maxSize 0 + 262144 KB, estimated 20164 objects
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Swap maxSize [0-9]+ \+ [0-9]+ KB, estimated [0-9]+ objects$
+
+# Jan 1 00:00:00 debian squid[23082]: Closing Pinger socket on FD 14
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Closing Pinger socket on FD [0-9]+$
+
+# Jan 1 00:00:00 debian squid[23082]: assertion failed: comm.cc:428: "!isOpen(conn->fd)"
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: assertion failed: [[:alnum:].:]+ \"\!isOpen\([[:alnum:]>-]+\)\"$
+
+# Jan 1 00:00:00 debian squid[23082]: logfileRotate: daemon:/var/log/squid/access.log
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: logfileRotate: daemon:\/var\/log\/squid\/[[:alnum:]]+.log$
From 763aaa8f376a94148e7bb1e4cb7e96c5836a955c Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Mon, 20 Apr 2020 20:27:55 +0200 Subject: [PATCH 07/44] update --- ignore.d.server/domino-spamd | 6 +++++- ignore.d.server/domino-squid | 31 +++++++++++++++++++++++++++++-- 2 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/ignore.d.server/domino-spamd b/ignore.d.server/domino-spamd
index 024207b..ba9d8b3 100644
--- a/ignore.d.server/domino-spamd
+++ b/ignore.d.server/domino-spamd
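Review bot: Two of the new squid rules suppress crash evidence: the `exited due to signal [0-9]+ with status [0-9]+` alternative in the `Squid Parent` rule and the `assertion failed: ... \"\!isOpen\(...\)\"` rule will hide every abnormal worker exit and every assertion failure, not just the one occurrence in the samples. A worker dying on a signal is precisely what a log-monitoring rule set should keep reporting, since repeated crashes may mean a fault is being triggered by client traffic; keep only the benign case, `Squid Parent: \(squid-1\) process [0-9]+ started$`, and drop the assertion rule. Separately, `Adaptation support is off.$`, `MIME types and icons.$` and `Initializing IP Cache...$` leave `.` unescaped while the `Starting Squid Cache` rule escapes it; harmless here but inconsistent within the same hunk.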
@@ -8,4 +8,8 @@
 # Apr 14 15:48:13 debian spamd[18599]: spamd: result: . 0 - DKIMWL_WL_MED,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS,HTML_IMAGE_RATIO_06,HTML_MESSAGE,LOTS_OF_MONEY,MAILING_LIST_MULTI,SPF_SOFTFAIL scantime=1.0,size=23150,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43862,mid=,autolearn=no autolearn_force=no
 # Apr 15 14:48:25 debian spamd[8102]: spamd: result: . -6 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,SPF_FAIL,URIBL_BLOCKED,USER_IN_DEF_DKIM_WL scantime=0.5,size=21463,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=46926,mid=,autolearn=no autolearn_force=no
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: [[:alnum:].]+ [[:digit:]-]+ - [[:alnum:]_,]+ scantime=[0-9.]+,size=[0-9]+,user=[[:alnum:]_-]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[[:digit:]:.]+,raddr=[[:digit:]:.]+,rport=[0-9]+,mid=<[[:alnum:]:=\$_\/@.+-]+>,(rmid=<[[:alnum:]:\$=_\/@.+-]+>,)?autolearn=(yes|no|spam|ham) autolearn_force=(yes|no)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: [[:alnum:].]+ [[:digit:]-]+ - [[:alnum:]_,]+ scantime=[0-9.]+,size=[0-9]+,user=[[:alnum:]@_.-]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[[:digit:]:.]+,raddr=[[:digit:]:.]+,rport=[0-9]+,mid=<[[:alnum:]:=\$_\/@.+-]+>,(rmid=<[[:alnum:]:\$=_\/@.+-]+>,)?autolearn=(yes|no|spam|ham) autolearn_force=(yes|no)$
+
+# Apr 20 11:39:28 debian spamd[23580]: spamd: using default config for user@domain.com: /home/vmail/domain.com/.spamassasin/user_-1/user_prefs
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: using default config for [[:alnum:].@_-]+: \/home\/vmail\/[[:alnum:]_.-]+\/.spamassassin\/[[:alnum:]_-]+\/user_prefs$
diff --git a/ignore.d.server/domino-squid b/ignore.d.server/domino-squid
index 52f55fb..8f16235 100644
--- a/ignore.d.server/domino-squid
+++ b/ignore.d.server/domino-squid
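Review bot: The sample and the new rule disagree on the directory name: the comment shows `/.spamassasin/` while the pattern requires `\/.spamassassin\/`, so one of them is a typo and, as written, the rule does not match its own sample line. Whichever spelling is correct, the `.` in front of it is unescaped and should be `\.spamassassin` to match only the literal dot, as the other path components in this rule already do.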
@@ -3,7 +3,7 @@
 #Apr 9 10:45:52 debian squid[30555]: Logfile: opening log stdio:/var/spool/squid/netdb.state
 #Apr 9 10:45:52 debian squid[30555]: Logfile: closing log stdio:/var/spool/squid/netdb.state
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Logfile: (opening|closing) log stdio:\/var\/spool\/squid\/netdb.state$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Logfile: (opening|closing) log stdio:\/var\/spool\/squid\/[[:alnum:].]+$
 #Apr 9 10:45:52 debian squid[30555]: NETDB state saved; 0 entries, 0 msec
@@ -39,7 +39,7 @@
 # Jan 1 00:00:00 debian squid[14076]: Logfile Daemon: opening log /var/log/squid/access.log
 # Jan 1 00:00:00 debian squid[14076]: Logfile: opening log daemon:/var/log/squid/access.log
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Logfile( Daemon)?: opening log (daemon:)?\/var\/log\/squid\/access.log$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Logfile( Daemon)?: (opening|closing) log (daemon:)?\/var\/log\/squid\/[[:alnum:].]+$
 # Jan 1 00:00:00 debian squid[14076]: Pinger socket opened on FD 14
@@ -80,3 +80,30 @@
 # Jan 1 00:00:00 debian squid[23082]: logfileRotate: daemon:/var/log/squid/access.log
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: logfileRotate: daemon:\/var\/log\/squid\/[[:alnum:]]+.log$
+
+# Apr 20 09:01:27 debian squid[4642]: Startup: Initializing Authentication Schemes ...
+# Apr 20 09:01:27 debian squid[4642]: Startup: Initialized Authentication Scheme 'basic'
+# Apr 20 09:01:27 debian squid[4642]: Startup: Initialized Authentication Scheme 'digest'
+# Apr 20 09:01:27 debian squid[4642]: Startup: Initialized Authentication Scheme 'negotiate'
+# Apr 20 09:01:27 debian squid[4642]: Startup: Initialized Authentication Scheme 'ntlm'
+# Apr 20 09:01:27 debian squid[4642]: Startup: Initialized Authentication.
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Startup: Initializ(ed|ing) Authentication\.?( Scheme(s)? (\.\.\.|\'[[:alnum:]]+\'))?
+
+# Apr 20 09:01:27 debian squid[4642]: Processing Configuration File: /etc/squid/squid.conf (depth 0)
+# Apr 20 09:01:27 debian squid[4642]: Processing Configuration File: /etc/squid/conf.d/debian.conf (depth 1)
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Processing Configuration File: \/etc\/squid\/(conf\.d\/)?[[:alnum:].]+ \(depth [0-9]+\)$
+
+# Apr 20 09:01:27 debian squid[4642]: Reconfiguring Squid Cache (version 4.6)...
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Reconfiguring Squid Cache \(version [0-9.]+\)\.\.\.$
+
+# Apr 20 09:01:27 debian squid[4642]: Closing HTTP(S) port [::]:3128
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Closing HTTP(S) port \[[0-9a-f:]+\]:[0-9]+$
+
+# Apr 20 09:01:27 debian squid[4642]: Initializing https:// proxy context
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Initializing https\:\/\/ proxy context$
+
From 7c672a9fb2c0c6ba912a8b066a7ed98d4d7306c7 Mon Sep 17 00:00:00 2001
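Review bot: `Closing HTTP(S) port` in the new rule is an ERE group, so it matches `Closing HTTPS port` and never the literal `Closing HTTP(S) port [::]:3128` shown in the sample; it needs `Closing HTTP\(S\) port`. The `Startup: Initializ(ed|ing) Authentication` rule is the only one in this file without a trailing `$`, which lets it swallow any line that merely starts with that text; append `$` as every other rule does. `\'` is also an undefined escape in ERE, and `'[[:alnum:]]+'` is sufficient for the quoted scheme name.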
From: Dominik Szmek Date: Thu, 23 Apr 2020 11:46:58 +0200 Subject: [PATCH 08/44] split dovecot rules --- ignore.d.server/domino-dovecot | 38 ++++++++++------------------ ignore.d.server/domino-squid | 2 +- 2 files changed, 12 insertions(+), 28 deletions(-)
diff --git a/ignore.d.server/domino-dovecot b/ignore.d.server/domino-dovecot
index 04752ee..164a1c3 100644
--- a/ignore.d.server/domino-dovecot
+++ b/ignore.d.server/domino-dovecot
@@ -5,8 +5,6 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: Warning: Event [[:alnum:]]+ leaked \(parent=\(nil\)\): auth-client-connection.c:[0-9]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: plain\(\?,[.[:digit:]]+\): Request timed out waiting for client to continue authentication \([[:digit:]]+ secs\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \((no auth attempts in [0-9]+ secs|disconnected before auth was ready, waited [0-9]+ secs)\):( user=<>,)? rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS:? (handshaking: (read\(size=[0-9]+\) failed: Connection reset by peer|Connection closed)|SSL_read failed: error:[[:alnum:]]+:SSL\sroutines:ssl3_read_bytes:unexpected record), session=<[[:alnum:]\+\/]+>$
-
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap: Connection closed in=[[:digit:]]+ out=[[:digit:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed \((UID FETCH|UID STORE|LIST|NOOP|STATUS|append)? finished [0-9.]+ secs ago\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Disconnected for inactivity in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$
@@ -14,44 +12,30 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([\._@[:alnum:]-]+\)<[[:digit:]]+><[\+\/[:alnum:]]+>: Logged out in=[[:digit:]]+ out=[[:digit:]]+ deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed(: read\(size=[0-9]+\))?( failed: Connection reset by peer)? \(IDLE running for [0-9.]+ \+ waiting input for [0-9.]+ secs, [0-9]+ B in \+ [0-9\+]+ B out, state=wait-input\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$
+# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<16443>: Connection closed (noop finished 0.081 secs ago) in=1207 out=74860 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=310 body_count=0 body_bytes=0
+# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<18518>: Connection closed (IDLE finished 137.627 secs ago) in=1074 out=5163 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<20806>: Connection closed (UID SEARCH finished 2.242 secs ago) in=54 out=1167 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<13658>: Connection closed (UID fetch finished 0.145 secs ago) in=9581 out=9495290 deleted=0 expunged=0 trashed=0 hdr_count=4 hdr_bytes=1467 body_count=144 body_bytes=9365757
+# Apr 21 22:22:01 debian dovecot: imap(user@domain.com)<37293>: Connection closed (No commands sent) in=0 out=374 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \(((noop|IDLE|UID (SEARCH|fetch)) finished [.0-9]+ secs ago|No commands sent)\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$
+
 # Jan 1 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS handshaking: SSL connection closed during handshake, session=
 # Jan 1 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS handshaking: SSL connection closed during handshake, session=
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(no auth attempts in [0-9]+ secs\): user=<[[:alnum:]@_.-]*>, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS handshaking: SSL connection closed during handshake, session=<[[:alnum:]\+\/]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \((no auth attempts in [0-9]+ secs|disconnected before auth was ready, waited [0-9]+ secs)\):( user=<>,)? rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS:? (handshaking: (read\(size=[0-9]+\) failed: Connection reset by peer|Connection closed)|SSL_read failed: error:[[:alnum:]]+:SSL\sroutines:ssl3_read_bytes:unexpected record), session=<[[:alnum:]\+\/]+>$
+
 # Jan 1 00:00:00 debian dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, TLS: Connection closed, session=
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): user=<[[:alnum:]@_.-]+>, method=PLAIN, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS: Connection closed, session=<[[:alnum:]\+\/]+>$
-# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<16443>: Connection closed (noop finished 0.081 secs ago) in=1207 out=74860 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=310 body_count=0 body_bytes=0
-# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<18518>: Connection closed (IDLE finished 137.627 secs ago) in=1074 out=5163 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
-# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<20806>: Connection closed (UID SEARCH finished 2.242 secs ago) in=54 out=1167 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
-# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<13658>: Connection closed (UID fetch finished 0.145 secs ago) in=9581 out=9495290 deleted=0 expunged=0 trashed=0 hdr_count=4 hdr_bytes=1467 body_count=144 body_bytes=9365757
-
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \((noop|IDLE|UID (SEARCH|fetch)) finished [.0-9]+ secs ago\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$
-
-
 # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: Connection closed, session=
 # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2600:3c03::f03c:92ff:fe37:de06, lip=2a01:7e01::f03c:91ff:fe92:641e, TLS handshaking: Connection closed, session=
 # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2600:3c03::f03c:92ff:fe37:de06, lip=2a01:7e01::f03c:91ff:fe92:641e, TLS handshaking: Connection closed, session=
-# Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: Connection closed, session=
 # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: Connection closed, session=
-# Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=2600:3c03::f03c:92ff:fe37:de06, lip=2a01:7e01::f03c:91ff:fe92:641e, TLS: Connection closed, session=
 # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=2600:3c03::f03c:92ff:fe37:de06, lip=2a01:7e01::f03c:91ff:fe92:641e, TLS: Connection closed, session=
 # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: read(size=583) failed: Connection reset by peer, session=
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(no auth attempts in [0-9]+ secs\): user=<>, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS( handshaking)?:( read\(size=583\) failed:)? Connection (closed|reset by peer), session=<[\/\+[:alnum:]]+>$
-
-# Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: stored mail into mailbox 'INBOX'
-# Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: stored mail into mailbox 'INBOX'
-
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]:]+>)?: sieve: msgid=?: stored mail into mailbox '[[:alnum:]_-]+'$
-
-# Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<10252>: sieve: msgid=: forwarded to
-# Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: forwarded to
-
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]:]+>)?: sieve: msgid=?: forwarded to <[[:alnum:]@._-]+>$
-
-# Jan 1 00:00:00 debian dovecot: lmtp(24420): Disconnect from local: Client has quit the connection (state=READY)
-
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\): Disconnect from local: Client has quit the connection \(state=READY\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(no auth attempts in [0-9]+ secs\): user=<>, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS( handshaking)?:( read\(size=[0-9]+\) failed:)? Connection (closed|reset by peer), session=<[\/\+[:alnum:]]+>$
diff --git a/ignore.d.server/domino-squid b/ignore.d.server/domino-squid
index 8f16235..9e17246 100644
--- a/ignore.d.server/domino-squid
+++ b/ignore.d.server/domino-squid
@@ -26,7 +26,7 @@
 # Jan 1 00:00:00 debian squid[14076]: DNS Socket created at 1.2.3.4, FD 9
 # Jan 1 00:00:00 debian squid[14076]: DNS Socket created at [::], FD 5
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: DNS Socket created at [0-9.\[\]:]+, FD [0-9]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: DNS Socket created at [0-9a-f.\[\]:]+, FD [0-9]+$
 # Jan 1 00:00:00 debian squid[14076]: Finished loading MIME types and icons.
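Review bot: The re-added `Connection closed \(((noop|IDLE|UID (SEARCH|fetch)) finished ...|No commands sent)\)` rule keeps the user class `[.@[:alnum:]]+`, while the neighbouring imap rules in this file (the `Logged out` context line at the top of this hunk and the `Connection closed` rules in the previous hunk) use classes that include `-` and `_`, so addresses containing those characters fall through to the report for this one message type only; use `[-[:alnum:]@\._]+` here as well. The rule also requires the second `<...>` session token unconditionally (`<[0-9]+><[\/+[:alnum:]]+>`) where the sibling rules make it optional, which deserves a comment if intentional. The removed `session=583`-specific pattern is replaced by a `[0-9]+` variant at the end of the hunk, so the old hard-coded read size no longer needs to be tracked.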
From 8b6f5d47bc999fcb07d36416e3c972f119b7ac3a Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Fri, 24 Apr 2020 19:23:53 +0200 Subject: [PATCH 09/44] add --- ignore.d.server/domino-dovecot-lmtp | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 ignore.d.server/domino-dovecot-lmtp
diff --git a/ignore.d.server/domino-dovecot-lmtp b/ignore.d.server/domino-dovecot-lmtp
new file mode 100644
index 0000000..510c9e2
--- /dev/null
+++ b/ignore.d.server/domino-dovecot-lmtp
@@ -0,0 +1,16 @@
+# ; -*- mode: conf; fill-column: 99999 -*-
+
+
+# Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: stored mail into mailbox 'INBOX'
+# Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: stored mail into mailbox 'INBOX'
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]:]+>)?: sieve: msgid=?: stored mail into mailbox '[[:alnum:]_-]+'$
+
+# Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<10252>: sieve: msgid=: forwarded to
+# Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: forwarded to
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]:]+>)?: sieve: msgid=?: forwarded to <[[:alnum:]@._-]+>$
+
+# Jan 1 00:00:00 debian dovecot: lmtp(24420): Disconnect from local: Client has quit the connection (state=READY)
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\): Disconnect from local: Client has quit the connection \(state=READY\)$
From ee1a4946a8692e0734ff780b59fff7b60aba3b08 Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Thu, 30 Apr 2020 15:16:26 +0200 Subject: [PATCH 10/44] update --- ignore.d.server/domino-dovecot-lmtp | 7 ++- ignore.d.server/domino-postfix | 75 +++++++++++++++-------------- ignore.d.server/domino-spamd | 2 +- ignore.d.server/domino-systemd | 5 +- 4 files changed, 48 insertions(+), 41 deletions(-)
diff --git a/ignore.d.server/domino-dovecot-lmtp b/ignore.d.server/domino-dovecot-lmtp
index 510c9e2..8c59aab 100644
--- a/ignore.d.server/domino-dovecot-lmtp
+++ b/ignore.d.server/domino-dovecot-lmtp
@@ -3,8 +3,9 @@
 # Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: stored mail into mailbox 'INBOX'
 # Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: stored mail into mailbox 'INBOX'
+# Apr 1 03:42:34 debian dovecot: lmtp(do@minik.pl)<27587>: sieve: msgid=? : stored mail into mailbox 'debian-user'
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]:]+>)?: sieve: msgid=?: stored mail into mailbox '[[:alnum:]_-]+'$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]:]+>)?: sieve: msgid=(\? )??: stored mail into mailbox '[[:alnum:]_-]+'$
 # Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<10252>: sieve: msgid=: forwarded to
 # Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: forwarded to
@@ -14,3 +15,7 @@
 # Jan 1 00:00:00 debian dovecot: lmtp(24420): Disconnect from local: Client has quit the connection (state=READY)
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\): Disconnect from local: Client has quit the connection \(state=READY\)$
+
+
+
+
diff --git a/ignore.d.server/domino-postfix b/ignore.d.server/domino-postfix
index a1e348d..ef29ac0 100644
--- a/ignore.d.server/domino-postfix
+++ b/ignore.d.server/domino-postfix
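Review bot: `msgid=(\? )??:` in the changed rule stacks two `?` operators; POSIX ERE leaves a repeated duplication symbol undefined and GNU regex simply treats it as a single one, so `(\? )?` expresses the same intent portably. The new sample shows `msgid=? :` with a space before the colon, so the `(\? )` group does correspond to the sample as rendered here; if the page's rendering dropped an angle-bracket group from both the sample and the pattern, this note does not apply. The second hunk in this file only appends blank lines.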
@@ -1,77 +1,78 @@ # ; -*- mode: conf; fill-column: 99999 -*- +# --- smtpd --- + # Sep 18 22:55:37 debian postfix/smtpd[13312]: warning: TLS library problem: error:1417D0FC:SSL routines:tls_process_client_hello:unknown protocol:../ssl/statem/statem_srvr.c:938: # Sep 18 22:55:38 debian postfix/smtpd[13312]: warning: TLS library problem: error:1417D18C:SSL routines:tls_process_client_hello:version too low:../ssl/statem/statem_srvr.c:974: # Sep 18 22:55:39 debian postfix/smtpd[13312]: warning: TLS library problem: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1399:SSL alert number 70: # Sep 18 22:55:40 debian postfix/smtpd[13312]: warning: TLS library problem: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1399:SSL alert number 70: # Sep 22 04:29:35 debian postfix/smtpd[26597]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared -# Oct 3 04:20:03 linode2 postfix/smtpd[9011]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1404: -# Nov 15 23:39:59 linode2 postfix/smtpd[20808]: warning: TLS library problem: error:142090FC:SSL routines:tls_early_post_process_client_hello:unknown protocol:../ssl/statem/statem_srvr.c:1636: -# Nov 15 23:39:59 linode2 postfix/smtpd[20808]: warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../ssl/statem/statem_srvr.c:1661: +# Oct 3 04:20:03 debian postfix/smtpd[9011]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1404: +# Nov 15 23:39:59 debian postfix/smtpd[20808]: warning: TLS library problem: error:142090FC:SSL routines:tls_early_post_process_client_hello:unknown protocol:../ssl/statem/statem_srvr.c:1636: +# Nov 15 23:39:59 debian postfix/smtpd[20808]: 
warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../ssl/statem/statem_srvr.c:1661: ^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[0-9]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:(tls_process_client_hello:(unknown protocol|version too low):|tls_post_process_client_hello:no shared cipher:|tls_early_post_process_client_hello:(unknown protocol:|version too low:)|ssl3_read_bytes:tlsv[0-9]+ alert protocol version:|tls_post_process_client_hello:no shared)?(..\/ssl\/(record|statem)\/(statem_srvr.c:[0-9]+:|rec_layer_s3.c:[0-9]+:SSL alert number [0-9]+:))?$ -# ? +# Nov 14 05:14:24 debian postfix/smtpd[21323]: warning: unknown[1.2.3.4]: SASL Plain authentication failed: +# Nov 14 05:21:37 debian postfix/smtpd[21372]: warning: 123domain.com[1.2.3.4]: SASL Plain authentication failed: -^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[0-9]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:[\/_.:[:alnum:]]+ alert number [[:xdigit:]]+:$ +^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[0-9]+\]: warning: [-.[:alnum:]]+\[[.[:digit:]]+\]: SASL Plain authentication failed:$ -# ? 
+# Nov 16 05:31:27 debian-linode postfix/smtpd[2253]: warning: hostname 30.223.46.89.baremetal.zare.com does not resolve to address 89.46.223.30: No address associated with hostname -^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix(/submission|/smtps|/[0-9]+)?/smtpd\[[[:digit:]]+\]: disconnect from [[:alnum:]_\.-]+\[[[:alnum:]\.:]+\] commands=[0-9]/[0-9]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: warning: hostname [[:alnum:].]+ does not resolve to address [.[:digit:]]+: No address associated with hostname$ +# Apr 30 07:02:05 debian postfix/smtpd[20567]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:1661: -# Jun 11 12:20:40 linode2 postfix/smtpd[19535]: NOQUEUE: reject: MAIL from oakwood.hyperslice.net[109.203.106.148]: 552 5.3.4 Message size exceeds fixed limit; proto=ESMTP helo= +^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[[:digit:]]+\]: warning: TLS library problem: error:[[:alnum:]]+:SSL routines:tls_early_post_process_client_hello:unsupported protocol:\.\.\/ssl\/statem\/statem_srvr.c:[0-9]+:$ -\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix(/submission|/smtps|/[0-9]+)?/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: MAIL from [\.[:alnum:]]+\[[\.[:alnum:]]+\]: 552 5\.3\.4 Message size exceeds fixed limit; proto=ESMTP helo=<[.[:alnum:]]+>$ +# Jan 01 00:00:00 debian postfix/smtpd[11111]: Anonymous TLS connection established from z15.domain.com[1.2.3.4]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256 +^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[0-9]+\]: Anonymous TLS connection established from [.[:alnum:]-]+\[[:.0-9a-f]+\]: TLSv[.0-9]+ with cipher [_[:alnum:]]+ \([\/0-9]+ bits\) key-exchange (ECDHE|X25519)( \([[:alnum:]-]+\))? 
server-signature [[:alnum:]-]+ \([0-9]+ bits\)( server-digest [[:alnum:]]+)?$ -# Sep 9 09:17:58 debian postfix/smtpd[5361]: Anonymous TLS connection established from mail-lj1-f177.google.com[209.85.208.177]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 -# Nov 16 02:09:33 linode2 postfix/smtpd[27303]: Anonymous TLS connection established from ms1622.m.lrmailr.pl[164.132.49.188]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) +# -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: Anonymous TLS connection established from [-._[:alnum:]]+\[[:.[:digit:]]+\]: TLSv[\.0-9]+ with cipher [_[:alnum:]-]+ \([0-9]+\/[0-9]+ bits\) key-exchange [_[:alnum:]-]+ server-signature [_[:alnum:]-]+ \([0-9]+ bits\)( server-digest [_[:alnum:]-]+)?$ +^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[0-9]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:[\/_.:[:alnum:]]+ alert number [[:xdigit:]]+:$ +# Jan 01 00:00:00 debian postfix/smtp[11111]: 172733EFE6: Cannot start TLS: handshake failure -# Nov 14 05:14:24 router postfix/smtpd[21323]: warning: unknown[1.2.3.4]: SASL Plain authentication failed: -# Nov 14 05:21:37 router postfix/smtpd[21372]: warning: 123domain.com[1.2.3.4]: SASL Plain authentication failed: +# --- smtp --- -^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[0-9]+\]: warning: [-.[:alnum:]]+\[[.[:digit:]]+\]: SASL Plain authentication failed:$ +^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: [[:alnum:]]+: Cannot start TLS: handshake failure$ +# Jan 01 00:00:00 debian postfix/smtp[11111]: SSL_connect error to eu-smtp-inbound-2.mimecast.com[195.130.217.201]:25: -1 +# Jan 01 00:00:00 debian postfix/smtp[11111]: SSL_connect error to mail.po-mysl.pl[185.204.218.208]:25: -1 
-# Dec 13 11:50:26 linode2 postfix/cleanup[3960]: CD1D940A83: message-id= +^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: SSL_connect error to [\.[:alnum:]-]+\[[.0-9]+\]:[0-9]+: [[:digit:]-]+$ -^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/cleanup\[[0-9]+\]: [[:xdigit:]]+: message-id=$ +# Jan 01 00:00:00 debian postfix/smtp[11111]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332: +^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: warning: TLS library problem: error:[[:alnum:]]+:SSL routines:ssl3_get_record:wrong version number:..\/ssl\/record\/ssl3_record.c:[0-9]+:$ -# Nov 16 05:31:27 debian-linode postfix/smtpd[2253]: warning: hostname 30.223.46.89.baremetal.zare.com does not resolve to address 89.46.223.30: No address associated with hostname +# Apr 30 09:19:07 debian postfix/smtp[28712]: warning: TLS library problem: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1544:SSL alert number 70: -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: warning: hostname [[:alnum:].]+ does not resolve to address [.[:digit:]]+: No address associated with hostname$ +^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: warning: TLS library problem: error:[[:alnum:]]+:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:..\/ssl\/record\/rec_layer_s3.c:[0-9]+:SSL alert number [0-9]+:$ +# Apr 30 11:02:05 domino postfix/smtp[6625]: Untrusted TLS connection established to poczta.cos.pl[133.111.171.21]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 -# Jan 01 00:00:00 debian postfix/smtp[11111]: 172733EFE6: Cannot start TLS: handshake failure -# Jan 01 00:00:00 debian postfix/smtp[11111]: B8B6B3E588: Cannot start TLS: handshake failure -# 
Jan 01 00:00:00 debian postfix/smtp[11111]: D5FD93E557: Cannot start TLS: handshake failure +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: (Untrusted|Trusted) TLS connection established to [-._[:alnum:]]+\[[0-9a-f:.]+\]:[0-9]+: TLSv1\.3 with cipher [_[:alnum:]-]+ \([0-9]+\/[0-9]+ bits\) key-exchange [[:alnum:]]+ server-signature [[:alnum:]-]+ \([P0-9-]+( bits)?\) server-digest [[:alnum:]]+$ -\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: [[:alnum:]]+: Cannot start TLS: handshake failure$ +# --- submission smtps --- +^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix(/submission|/smtps|/[0-9]+)?/smtpd\[[[:digit:]]+\]: disconnect from [[:alnum:]_\.-]+\[[[:alnum:]\.:]+\] commands=[0-9]/[0-9]$ -# Jan 01 00:00:00 debian postfix/smtp[11111]: SSL_connect error to eu-smtp-inbound-2.mimecast.com[195.130.217.201]:25: -1 -# Jan 01 00:00:00 debian postfix/smtp[11111]: SSL_connect error to mail.po-mysl.pl[185.204.218.208]:25: -1 -# Jan 01 00:00:00 debian postfix/smtp[11111]: SSL_connect error to mail.po-mysl.pl[185.204.218.208]:25: -1 -# Jan 01 00:00:00 debian postfix/smtp[11111]: SSL_connect error to mail.po-mysl.pl[185.204.218.208]:25: -1 -# Jan 01 00:00:00 debian postfix/smtp[11111]: SSL_connect error to mail.po-mysl.pl[185.204.218.208]:25: -1 +# Jun 11 12:20:40 debian postfix/smtpd[19535]: NOQUEUE: reject: MAIL from oakwood.hyperslice.net[109.203.106.148]: 552 5.3.4 Message size exceeds fixed limit; proto=ESMTP helo= -\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: SSL_connect error to [\.[:alnum:]-]+\[[.0-9]+\]:[0-9]+: [[:digit:]-]+$ +^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix(/submission|/smtps|/[0-9]+)?/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: MAIL from [\.[:alnum:]]+\[[\.[:alnum:]]+\]: 552 5\.3\.4 Message size exceeds fixed limit; proto=ESMTP helo=<[.[:alnum:]]+>$ +# Sep 9 09:17:58 debian postfix/smtpd[5361]: Anonymous TLS connection established from mail-lj1-f177.google.com[209.85.208.177]: TLSv1.3 
with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 +# Nov 16 02:09:33 debian postfix/smtpd[27303]: Anonymous TLS connection established from ms1622.m.lrmailr.pl[164.132.49.188]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) -# Jan 01 00:00:00 debian postfix/smtp[11111]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332: -# Jan 01 00:00:00 debian postfix/smtp[11111]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332: -# Jan 01 00:00:00 debian postfix/smtp[11111]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332: -# Jan 01 00:00:00 debian postfix/smtp[11111]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332: +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: Anonymous TLS connection established from [-._[:alnum:]]+\[[:.[:digit:]]+\]: TLSv[\.0-9]+ with cipher [_[:alnum:]-]+ \([0-9]+\/[0-9]+ bits\) key-exchange [_[:alnum:]-]+ server-signature [_[:alnum:]-]+ \([0-9]+ bits\)( server-digest [_[:alnum:]-]+)?$ -\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: warning: TLS library problem: error:[[:alnum:]]+:SSL routines:ssl3_get_record:wrong version number:..\/ssl\/record\/ssl3_record.c:[0-9]+:$ +# --- cleanup --- +# Dec 13 11:50:26 debian postfix/cleanup[3960]: CD1D940A83: message-id= -# Jan 01 00:00:00 debian postfix/smtpd[11111]: Anonymous TLS connection established from z13.domain.com[1.2.3.4]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256 -# Jan 01 
00:00:00 debian postfix/smtpd[11111]: Anonymous TLS connection established from z15.domain.com[1.2.3.4]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256 +^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/cleanup\[[0-9]+\]: [[:xdigit:]]+: message-id=$ -^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[0-9]+\]: Anonymous TLS connection established from [.[:alnum:]-]+\[[:.0-9a-f]+\]: TLSv[.0-9]+ with cipher [_[:alnum:]]+ \([\/0-9]+ bits\) key-exchange (ECDHE|X25519)( \([[:alnum:]-]+\))? server-signature [[:alnum:]-]+ \([0-9]+ bits\)( server-digest [[:alnum:]]+)?$ diff --git a/ignore.d.server/domino-spamd b/ignore.d.server/domino-spamd index ba9d8b3..5b43244 100644 --- a/ignore.d.server/domino-spamd +++ b/ignore.d.server/domino-spamd 
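Review bot: The rule `postfix\/smtpd\[[0-9]+\]: warning: [-.[:alnum:]]+\[[.[:digit:]]+\]: SASL Plain authentication failed:$` (moved into the smtpd section, otherwise unchanged from the old side) drops every failed SMTP AUTH attempt from the report, and that line is the main trace a password-guessing run against this server leaves in the mail log. Keeping it reported, or handling it with a threshold in logcheck's cracking/violations lists rather than a blanket ignore, preserves the signal; if one known client is the noise source, narrow the host part to that client instead of `[-.[:alnum:]]+\[[.[:digit:]]+\]`. Separately, the new side keeps two overlapping `Anonymous TLS connection established from` rules, one with `postfix\/smtpd\[[0-9]+\]` near the top and one with `postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd` under the submission section; a single rule with the optional service prefix and merged character classes would be easier to keep correct. The samples were relabelled from `linode2` to `debian` but still carry real peer names and addresses (e.g. `30.223.46.89.baremetal.zare.com`, `109.203.106.148`), so the anonymisation is incomplete.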
@@ -8,7 +8,7 @@
 # Apr 14 15:48:13 debian spamd[18599]: spamd: result: . 0 - DKIMWL_WL_MED,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS,HTML_IMAGE_RATIO_06,HTML_MESSAGE,LOTS_OF_MONEY,MAILING_LIST_MULTI,SPF_SOFTFAIL scantime=1.0,size=23150,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43862,mid=,autolearn=no autolearn_force=no
 # Apr 15 14:48:25 debian spamd[8102]: spamd: result: . -6 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,SPF_FAIL,URIBL_BLOCKED,USER_IN_DEF_DKIM_WL scantime=0.5,size=21463,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=46926,mid=,autolearn=no autolearn_force=no
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: [[:alnum:].]+ [[:digit:]-]+ - [[:alnum:]_,]+ scantime=[0-9.]+,size=[0-9]+,user=[[:alnum:]@_.-]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[[:digit:]:.]+,raddr=[[:digit:]:.]+,rport=[0-9]+,mid=<[[:alnum:]:=\$_\/@.+-]+>,(rmid=<[[:alnum:]:\$=_\/@.+-]+>,)?autolearn=(yes|no|spam|ham) autolearn_force=(yes|no)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: [[:alnum:].]+ [[:digit:]-]+ - [[:alnum:]_,]+ scantime=[0-9.]+,size=[0-9]+,user=[[:alnum:]@_.-]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[[:digit:]:.]+,raddr=[[:digit:]:.]+,rport=[0-9]+,mid=(<[[:alnum:]:=\$_\/@.+-]+>|\(unknown\)),(rmid=<[[:alnum:]:\$=_\/@.+-]+>,)?autolearn=(yes|no|spam|ham) autolearn_force=(yes|no)$
 # Apr 20 11:39:28 debian spamd[23580]: spamd: using default config for user@domain.com: /home/vmail/domain.com/.spamassasin/user_-1/user_prefs
diff --git a/ignore.d.server/domino-systemd b/ignore.d.server/domino-systemd
index ce2e8d7..2214184 100644
--- a/ignore.d.server/domino-systemd
+++ b/ignore.d.server/domino-systemd
@@ -1,4 +1,4 @@
-# ; -*- mode: text; fill-column: 99999 -*-
+# ; -*- mode: conf; fill-column: 99999 -*-
 # Jun 23 07:09:04 router systemd[1]: phpsessionclean.service: Succeeded.
 # Jun 23 16:15:03 router systemd[1]: apt-daily.service: Succeeded.
@@ -55,8 +55,9 @@
 # systemd-logind:
 # Sep 20 13:17:24 router systemd-logind[486]: Session 760 logged out. Waiting for processes to exit.
+# Apr 28 21:56:49 debian systemd-logind[398]: Session c4 logged out. Waiting for processes to exit.
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[ :[:digit:]]+\]: Session [0-9]+ logged out. Waiting for processes to exit.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[ :[:digit:]]+\]: Session [[:alnum:]]+ logged out. Waiting for processes to exit.$
 # D-Bus:
 # Sep 20 08:03:29 router systemd[658]: Listening on D-Bus User Message Bus Socket.
From 4bb3d9190cea28c939562e48802fe2f28b018877 Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Mon, 4 May 2020 08:03:37 +0200 Subject: [PATCH 11/44] update
---
 ignore.d.server/domino-dovecot | 18 +++++++++++++----- ignore.d.server/domino-postfix | 4 ++-- ignore.d.server/domino-spamd | 23 +++++++++++++++++++++++ 3 files changed, 38 insertions(+), 7 deletions(-)
diff --git a/ignore.d.server/domino-dovecot b/ignore.d.server/domino-dovecot
index 164a1c3..3b6af38 100644
--- a/ignore.d.server/domino-dovecot
+++ b/ignore.d.server/domino-dovecot
@@ -5,6 +5,8 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: Warning: Event [[:alnum:]]+ leaked \(parent=\(nil\)\): auth-client-connection.c:[0-9]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: plain\(\?,[.[:digit:]]+\): Request timed out waiting for client to continue authentication \([[:digit:]]+ secs\)$
+# imap
+
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap: Connection closed in=[[:digit:]]+ out=[[:digit:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed \((UID FETCH|UID STORE|LIST|NOOP|STATUS|append)? finished [0-9.]+ secs ago\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Disconnected for inactivity in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$
@@ -12,13 +14,19 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([\._@[:alnum:]-]+\)<[[:digit:]]+><[\+\/[:alnum:]]+>: Logged out in=[[:digit:]]+ out=[[:digit:]]+ deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed(: read\(size=[0-9]+\))?( failed: Connection reset by peer)? \(IDLE running for [0-9.]+ \+ waiting input for [0-9.]+ secs, [0-9]+ B in \+ [0-9\+]+ B out, state=wait-input\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$
-# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<16443>: Connection closed (noop finished 0.081 secs ago) in=1207 out=74860 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=310 body_count=0 body_bytes=0
-# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<18518>: Connection closed (IDLE finished 137.627 secs ago) in=1074 out=5163 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
-# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<20806>: Connection closed (UID SEARCH finished 2.242 secs ago) in=54 out=1167 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
-# Jan 01 00:00:00 debian dovecot: imap(user@domain.com)<13658>: Connection closed (UID fetch finished 0.145 secs ago) in=9581 out=9495290 deleted=0 expunged=0 trashed=0 hdr_count=4 hdr_bytes=1467 body_count=144 body_bytes=9365757
+# Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<28998>: Connection closed (ID finished 0.296 secs ago) in=89 out=448 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+# Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<29432>: Connection closed (SELECT finished 0.096 secs ago) in=121 out=981 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+# Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<16443>: Connection closed (noop finished 0.081 secs ago) in=1207 out=74860 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=310 body_count=0 body_bytes=0
+# Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<18518>: Connection closed (IDLE finished 137.627 secs ago) in=1074 out=5163 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+# Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<20806>: Connection closed (UID SEARCH finished 2.242 secs ago) in=54 out=1167 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+# Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<13658>: Connection closed (UID fetch finished 0.145 secs ago) in=9581 out=9495290 deleted=0 expunged=0 trashed=0 hdr_count=4 hdr_bytes=1467 body_count=144 body_bytes=9365757
 # Apr 21 22:22:01 debian dovecot: imap(user@domain.com)<37293>: Connection closed (No commands sent) in=0 out=374 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \(((noop|IDLE|UID (SEARCH|fetch)) finished [.0-9]+ secs ago|No commands sent)\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \(((ID|SELECT|noop|IDLE|UID (SEARCH|fetch)) finished [.0-9]+ secs ago|No commands sent)\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$
+
+# May 3 09:23:30 debian dovecot: imap(abc@domain.com)<11038>: Connection closed (IDLE running for 0.014 + waiting input for 558.906 secs, 0.001 in locks, 2 B in + 10 B out, state=wait-input) in=199 out=1429 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \(IDLE running for [0-9.]+ \+ waiting input for [0-9.]+ secs, [0-9.]+ in locks, [0-9.]+ B in \+ [0-9.]+ B out, state=wait-input\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$
 # Jan 1 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS handshaking: SSL connection closed during handshake, session=
 # Jan 1 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS handshaking: SSL connection closed during handshake, session=
diff --git a/ignore.d.server/domino-postfix b/ignore.d.server/domino-postfix
index ef29ac0..d68276e 100644
--- a/ignore.d.server/domino-postfix
+++ b/ignore.d.server/domino-postfix
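Review bot: Both rules this hunk writes, the `(ID|SELECT|noop|IDLE|UID (SEARCH|fetch)) finished` one and the new `IDLE running for ... in locks` one, match the account with `imap\([.@[:alnum:]]+\)`, which excludes `-` and `_`, while the sibling rules in the context lines use `imap\([-[:alnum:]@\.]+\)` and `imap\([\._@[:alnum:]-]+\)`; a user in a hyphenated or underscored address never matches these two and is reported every time. Aligning the class, `imap\([-._@[:alnum:]]+\)`, fixes that. The new IDLE rule also duplicates the context rule `Connection closed(: read\(size=[0-9]+\))?( failed: Connection reset by peer)? \(IDLE running for ...` except for the `in locks` field; making that field optional there, `secs,( [0-9.]+ in locks,)? [0-9.]+ B in \+ [0-9.]+ B out`, leaves one rule to maintain (the two currently differ in the byte-count classes, `[0-9]+`/`[0-9\+]+` versus `[0-9.]+`, so pick one deliberately).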
@@ -18,9 +18,9 @@
 ^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[0-9]+\]: warning: [-.[:alnum:]]+\[[.[:digit:]]+\]: SASL Plain authentication failed:$
-# Nov 16 05:31:27 debian-linode postfix/smtpd[2253]: warning: hostname 30.223.46.89.baremetal.zare.com does not resolve to address 89.46.223.30: No address associated with hostname
+# Jan 1 00:00:00 debian postfix/smtpd[21504]: warning: hostname zg-0428c-216.stretchoid.com does not resolve to address 1.2.3.4: No address associated with hostname
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: warning: hostname [[:alnum:].]+ does not resolve to address [.[:digit:]]+: No address associated with hostname$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: warning: hostname [[:alnum:].-]+ does not resolve to address [.[:digit:]]+: No address associated with hostname$
 # Apr 30 07:02:05 debian postfix/smtpd[20567]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:1661:
diff --git a/ignore.d.server/domino-spamd b/ignore.d.server/domino-spamd
index 5b43244..08e409c 100644
--- a/ignore.d.server/domino-spamd
+++ b/ignore.d.server/domino-spamd
@@ -13,3 +13,26 @@
 # Apr 20 11:39:28 debian spamd[23580]: spamd: using default config for user@domain.com: /home/vmail/domain.com/.spamassasin/user_-1/user_prefs
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: using default config for [[:alnum:].@_-]+: \/home\/vmail\/[[:alnum:]_.-]+\/.spamassassin\/[[:alnum:]_-]+\/user_prefs$
+
+# Jan 1 00:00:00 debian spamd[19297]: spamd: server socket closed, type IO::Socket::IP
+# Jan 1 00:00:00 debian spamd[19297]: spamd: server socket closed, type IO::Socket::IP
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server socket closed, type IO::Socket::IP$
+
+# Jan 1 00:00:00 debian spamd[6670]: zoom: able to use 371/372 'body_0' compiled rules (99.731%)
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: zoom: able to use [0-9\/]+ \'body_0\' compiled rules \([0-9.]+\%\)$
+
+# Jan 1 00:00:00 debian spamd[4108]: prefork: child states: II [... logline repeated 47 times]
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: prefork: child states: II \[\.\.\. logline repeated [0-9]+ times\]$
+
+# Jan 1 00:00:00 debian spamd[6670]: spamd: server started on IO::Socket::IP [::1]:783, IO::Socket::IP [127.0.0.1]:783 (running version 3.4.2)
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server started on IO::Socket::IP \[::1\]:783, IO::Socket::IP \[[0-9.]+\]:783 \(running version [0-9.]+\)$
+
+# Jan 1 00:00:00 debian spamd: spamd: restarting using '/usr/sbin/spamd -d --pidfile=/run/spamd.pid -u debian-spamd -l --create-prefs -x --virtual-config-dir=/home/vmail/%d/.spamassassin/%l --max-children 5 --helper-home-dir'
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd: spamd: restarting using \'\/usr\/sbin\/spamd -d --pidfile=\/run\/spamd\.pid -u debian-spamd -l --create-prefs -x --virtual-config-dir=[[:alnum:]\/\%\.]+ --max-children [0-9]+ --helper-home-dir\'$
+
+
From 534fb8cf17b6ce06c81ec3b2432cb4292b766337 Mon Sep 17 00:00:00 2001
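Review bot: `spamd: server started on IO::Socket::IP \[::1\]:783, IO::Socket::IP \[[0-9.]+\]:783` accepts any IPv4 literal for the second listener, so a spamd that came up bound to `0.0.0.0` or a routable address would be ignored exactly like the intended loopback one; pinning it, `IO::Socket::IP \[127\.0\.0\.1\]:783`, keeps an unexpected bind visible in the report. More generally the `server started`, `server socket closed` and `restarting using '...'` lines only appear on (re)starts, which are rare and worth a line in the daily mail, so consider leaving them out of the ignore list altogether. If the restart rule stays, a comment above it noting that it pins `-u debian-spamd` and the `--pidfile`/`--create-prefs` options (so any config change resurfaces the line) would save the next maintainer a puzzle.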
From: Dominik Szmek Date: Thu, 14 May 2020 18:05:12 +0200 Subject: [PATCH 12/44] fix checking regexps: git -f was parsing commented lines
---
 test.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/test.sh b/test.sh
index 87f88f4..027c439 100755
--- a/test.sh
+++ b/test.sh
@@ -12,7 +12,7 @@ failflag=0
 basepath=$(git rev-parse --show-toplevel)
 cd $basepath/ignore.d.server
 for i in `ls`; do
- egrep -f $i /dev/null #2>/dev/null
+ cat $i | grep -v "^#" | egrep -f - /dev/null #2>/dev/null
 if [ $? -ne 1 ]; then
 echo "error in server/$i"
 failflag=1
@@ -20,12 +20,12 @@ for i in `ls`; do
 done
 cd $basepath/ignore.d.workstation
- for i in `ls`; do
- egrep -f $i /dev/null #2>/dev/null
- if [ $? -ne 1 ]; then
- echo "error in workstation/$i"
- failflag=1
- fi
+for i in `ls`; do
+ cat $i | grep -v "^#" | egrep -f - /dev/null #2>/dev/null
+ if [ $? -ne 1 ]; then
+ echo "error in workstation/$i"
+ failflag=1
+ fi
 done
 exit $failflag
From 37982ef5625f815f678af31170d2d68af1d4f8d6 Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Thu, 14 May 2020 18:05:23 +0200 Subject: [PATCH 13/44] update
---
 ignore.d.server/domino-dnscrypt-proxy | 2 +- ignore.d.server/domino-dovecot | 16 +++++++--------- ignore.d.server/domino-dovecot-lmtp | 7 ++----- ignore.d.server/domino-kernel | 6 +++++- ignore.d.server/domino-spamd | 17 +++++++++++++---- ignore.d.server/domino-systemd | 26 ++++++++++++-------------- 6 files changed, 40 insertions(+), 34 deletions(-)
diff --git a/ignore.d.server/domino-dnscrypt-proxy b/ignore.d.server/domino-dnscrypt-proxy
index c59ecef..e05d35b 100644
--- a/ignore.d.server/domino-dnscrypt-proxy
+++ b/ignore.d.server/domino-dnscrypt-proxy
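Review bot: `cat $i | grep -v "^#" | egrep -f - /dev/null` still only proves that each rule file compiles; a rule that compiles but no longer matches its own `# ...` sample lines passes unnoticed, which is exactly the regression these rule files keep fixing (the postfix hostname class that lacked `-` elsewhere in this series is one example). A second pass that strips the `# ` prefix from the sample lines and runs them through the same rules, failing on any unmatched sample, would make the check meaningful; blank lines should be filtered as well (`grep -Ev '^(#|$)'`), since an empty pattern given to `-f` matches every line and would mask such failures. The same applies to the workstation loop in the second hunk. Minor: the backtick `ls` loop with an unquoted `$i` breaks on unusual file names and `egrep` is deprecated; `for i in *; do grep -Ev '^(#|$)' "$i" | grep -E -f - /dev/null` covers both and drops the useless `cat`.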
@@ -2,4 +2,4 @@
 # Aug 11 22:50:28 debian dnscrypt-proxy[25869]: [2019-08-11 22:50:28] [NOTICE] Server with the lowest initial latency: soltysiak (rtt: 29ms)
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dnscrypt-proxy\[[[:digit:]]+\]: \[[-[:digit:]]+ [\:[:digit:]]+\] \[NOTICE\] Server with the lowest initial latency: [[:alnum:]]+ \(rtt: [[:digit:]]+ms\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dnscrypt-proxy\[[[:digit:]]+\]: \[[[:digit:]-]+ [\:[:digit:]]+\] \[NOTICE\] Server with the lowest initial latency: [[:alnum:]]+ \(rtt: [[:digit:]]+ms\)$
diff --git a/ignore.d.server/domino-dovecot b/ignore.d.server/domino-dovecot
index 3b6af38..a88445a 100644
--- a/ignore.d.server/domino-dovecot
+++ b/ignore.d.server/domino-dovecot
@@ -7,6 +7,11 @@
 # imap
+# Jan 1 00:00:00 debian dovecot: imap: Warning: Time jumped forwards 14 seconds
+# Jan 1 00:00:00 debian dovecot: imap: Warning: Time jumped forwards 28 seconds
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap: Warning: Time jumped forwards [0-9]+ seconds$
+
+
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap: Connection closed in=[[:digit:]]+ out=[[:digit:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed \((UID FETCH|UID STORE|LIST|NOOP|STATUS|append)? finished [0-9.]+ secs ago\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Disconnected for inactivity in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$
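Review bot: `dovecot: imap: Warning: Time jumped forwards [0-9]+ seconds$` silences a clock-skew symptom with no upper bound, and the two samples (14 and 28 seconds) already show the host is not keeping time, which undermines TLS validity checks, log correlation and anything with expiring credentials. The fix belongs on the time-sync side rather than in the ignore list; if the rule is kept, bound the magnitude so large jumps still get reported, e.g. `Time jumped forwards [0-9]{1,2} seconds$`.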
@@ -21,29 +26,22 @@ # Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<20806>: Connection closed (UID SEARCH finished 2.242 secs ago) in=54 out=1167 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 # Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<13658>: Connection closed (UID fetch finished 0.145 secs ago) in=9581 out=9495290 deleted=0 expunged=0 trashed=0 hdr_count=4 hdr_bytes=1467 body_count=144 body_bytes=9365757 # Apr 21 22:22:01 debian dovecot: imap(user@domain.com)<37293>: Connection closed (No commands sent) in=0 out=374 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 - -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \(((ID|SELECT|noop|IDLE|UID (SEARCH|fetch)) finished [.0-9]+ secs ago|No commands sent)\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ +# Jan 1 00:00:00 debian dovecot: imap(john.doe@do-main.com)<20592>: Connection closed (FETCH finished 126.461 secs ago) in=688 out=7307 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \(((ID|SELECT|FETCH|noop|IDLE|UID (SEARCH|fetch)) finished [.0-9]+ secs ago|No commands sent)\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ # May 3 09:23:30 debian dovecot: imap(abc@domain.com)<11038>: Connection closed (IDLE running for 0.014 + waiting input for 558.906 secs, 0.001 in locks, 2 B in + 10 B out, state=wait-input) in=199 out=1429 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \(IDLE running 
for [0-9.]+ \+ waiting input for [0-9.]+ secs, [0-9.]+ in locks, [0-9.]+ B in \+ [0-9.]+ B out, state=wait-input\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ # Jan 1 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS handshaking: SSL connection closed during handshake, session= # Jan 1 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS handshaking: SSL connection closed during handshake, session= - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(no auth attempts in [0-9]+ secs\): user=<[[:alnum:]@_.-]*>, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS handshaking: SSL connection closed during handshake, session=<[[:alnum:]\+\/]+>$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \((no auth attempts in [0-9]+ secs|disconnected before auth was ready, waited [0-9]+ secs)\):( user=<>,)? rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS:? 
(handshaking: (read\(size=[0-9]+\) failed: Connection reset by peer|Connection closed)|SSL_read failed: error:[[:alnum:]]+:SSL\sroutines:ssl3_read_bytes:unexpected record), session=<[[:alnum:]\+\/]+>$ # Jan 1 00:00:00 debian dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, TLS: Connection closed, session= - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): user=<[[:alnum:]@_.-]+>, method=PLAIN, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS: Connection closed, session=<[[:alnum:]\+\/]+>$ # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: Connection closed, session= -# Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2600:3c03::f03c:92ff:fe37:de06, lip=2a01:7e01::f03c:91ff:fe92:641e, TLS handshaking: Connection closed, session= # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2600:3c03::f03c:92ff:fe37:de06, lip=2a01:7e01::f03c:91ff:fe92:641e, TLS handshaking: Connection closed, session= -# Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: Connection closed, session= -# Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=2600:3c03::f03c:92ff:fe37:de06, lip=2a01:7e01::f03c:91ff:fe92:641e, TLS: Connection closed, session= # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: read(size=583) failed: Connection reset by peer, session= - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(no auth attempts in [0-9]+ secs\): user=<>, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS( handshaking)?:( read\(size=[0-9]+\) failed:)? 
Connection (closed|reset by peer), session=<[\/\+[:alnum:]]+>$ diff --git a/ignore.d.server/domino-dovecot-lmtp b/ignore.d.server/domino-dovecot-lmtp index 8c59aab..33bd3c8 100644 --- a/ignore.d.server/domino-dovecot-lmtp +++ b/ignore.d.server/domino-dovecot-lmtp @@ -1,6 +1,5 @@ # ; -*- mode: conf; fill-column: 99999 -*- - # Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: stored mail into mailbox 'INBOX' # Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: stored mail into mailbox 'INBOX' # Apr 1 03:42:34 debian dovecot: lmtp(do@minik.pl)<27587>: sieve: msgid=? : stored mail into mailbox 'debian-user' @@ -12,10 +11,8 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]:]+>)?: sieve: msgid=?: forwarded to <[[:alnum:]@._-]+>$ +# May 5 00:57:29 debian dovecot: lmtp(9716): Disconnect from local: Remote closed connection (state=READY) # Jan 1 00:00:00 debian dovecot: lmtp(24420): Disconnect from local: Client has quit the connection (state=READY) -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\): Disconnect from local: Client has quit the connection \(state=READY\)$ - - - +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\): Disconnect from local: (Client has quit the|Remote closed) connection \(state=READY\)$ diff --git a/ignore.d.server/domino-kernel b/ignore.d.server/domino-kernel index f54c800..88deed7 100644 --- a/ignore.d.server/domino-kernel +++ b/ignore.d.server/domino-kernel @@ -1,4 +1,4 @@ -# ; -*- mode: text; fill-column: 99999 -*- +# ; -*- mode: conf; fill-column: 99999 -*- # Jun 16 08:28:17 debian kernel: [219862.976978] input: 40:EF:4C:33:AE:21 as /devices/virtual/input/input14 
@@ -17,3 +17,7 @@ Jun 17 18:47:23 router kernel: [6425157.863842] ip6_tables: (C) 2000-2006 Netfil ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[ .[:digit:]]+\] INFO: NMI handler \(perf_event_nmi_handler\) took too long to run: [.[:digit:]]+ msecs$ +# Jan 1 00:00:00 debian kernel: [5674129.042703] device br0 entered promiscuous mode +# Jan 1 00:00:00 debian kernel: [5674141.471188] device br0 left promiscuous mode + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[ .[:digit:]]+\] device [[:alnum:]]+ (entered|left) promiscuous mode$ diff --git a/ignore.d.server/domino-spamd b/ignore.d.server/domino-spamd index 08e409c..dfb0585 100644 --- a/ignore.d.server/domino-spamd +++ b/ignore.d.server/domino-spamd 
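Review bot: The new promiscuous-mode rule matches any interface name (`device [[:alnum:]]+`), but a NIC entering promiscuous mode is one of the few host-level signs of packet capture, so this hides a sniffer on eth0 as readily as the bridge churn in the samples. Both samples are `br0`; restrict the rule to the interfaces where this is expected, e.g. `kernel: \[[ .[:digit:]]+\] device br[0-9]+ (entered|left) promiscuous mode$`, and extend the alternation deliberately if other names turn out to be routine.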
@@ -3,6 +3,16 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: connection from [[:alnum:]:]+ \[[[:alnum:]:]+\]:[0-9]+ to port [0-9]+, fd [0-9]+$ +# Jan 1 00:00:00 debian spamd[807]: dns: no callback for id 24621/IN/TXT/_adsp._domainkey.slsware.net, ignored, packet on next debug line +# Jan 1 00:00:00 debian spamd[807]: dns: no callback for id 15235/IN/MX/slsware.net, ignored, packet on next debug line + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: dns: no callback for id [[:alnum:]\._\/]+, ignored, packet on next debug line$ + +# Jan 1 00:00:00 debian spamd[807]: dns: no likely matching queries for id 15235 +# Jan 1 00:00:00 debian spamd[807]: dns: no likely matching queries for id 24621 + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: dns: no likely matching queries for id [0-9]+$ + # Apr 14 15:16:56 debian spamd[18599]: spamd: result: Y 5 - FREEMAIL_FORGED_REPLYTO,HTML_MESSAGE,SPF_FAIL,TO_NO_BRKTS_HTML_IMG scantime=1.0,size=16475,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43742,mid=<98140bdf92d37fc0d41dc08b9c4fe028@domain.com>,autolearn=no autolearn_force=no # Apr 14 15:16:56 debian spamd[18600]: spamd: result: Y 5 - FREEMAIL_FORGED_REPLYTO,HTML_MESSAGE,SPF_FAIL,TO_NO_BRKTS_HTML_IMG scantime=1.0,size=16991,user=abc-1,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43744,mid=<98140bdf92d37fc0d41dc08b9c4fe028@domain.com>,autolearn=no autolearn_force=no # Apr 14 15:48:13 debian spamd[18599]: spamd: result: . 0 - DKIMWL_WL_MED,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS,HTML_IMAGE_RATIO_06,HTML_MESSAGE,LOTS_OF_MONEY,MAILING_LIST_MULTI,SPF_SOFTFAIL scantime=1.0,size=23150,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43862,mid=,autolearn=no autolearn_force=no 
@@ -19,7 +29,7 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server socket closed, type IO::Socket::IP$ -# Jan 1 00:00:00 debian spamd[6670]: zoom: able to use 371/372 'body_0' compiled rules (99.731%) +# Jan 1 00:00:00 debian spamd[66370]: zoom: able to use 371/372 'body_0' compiled rules (99.731%) ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: zoom: able to use [0-9\/]+ \'body_0\' compiled rules \([0-9.]+\%\)$ @@ -31,8 +41,7 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server started on IO::Socket::IP \[::1\]:783, IO::Socket::IP \[[0-9.]+\]:783 \(running version [0-9.]+\)$ -# Jan 1 00:00:00 debian spamd: spamd: restarting using '/usr/sbin/spamd -d --pidfile=/run/spamd.pid -u debian-spamd -l --create-prefs -x --virtual-config-dir=/home/vmail/%d/.spamassassin/%l --max-children 5 --helper-home-dir' - -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd: spamd: restarting using \'\/usr\/sbin\/spamd -d --pidfile=\/run\/spamd\.pid -u debian-spamd -l --create-prefs -x --virtual-config-dir=[[:alnum:]\/\%\.]+ --max-children [0-9]+ --helper-home-dir\'$ +# Jan 1 06:55:16 debian spamd: spamd: restarting using '/usr/sbin/spamd -d --pidfile=/run/spamd.pid --create-prefs --max-children 5 --helper-home-dir -u debian-spamd -x --virtual-config-dir=/home/vmail/%d/.spamassassin/%l --allow-tell' +--create-prefs --max-children 5 --helper-home-dir -u debian-spamd -x --virtual-config-dir=/home/vmail/%d/.spamassassin/%l --allow-tell'^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd: spamd: restarting using \'\/usr\/sbin\/spamd -d --pidfile=\/run\/spamd\.pid --create-prefs --max-children [0-9]+ --helper-home-dir -u debian-spamd -x --virtual-config-dir=\/home\/vmail\/\%d\/.spamassassin\/\%l --allow-tell\'$ diff --git a/ignore.d.server/domino-systemd b/ignore.d.server/domino-systemd index 2214184..8e310a4 100644 --- a/ignore.d.server/domino-systemd +++ b/ignore.d.server/domino-systemd 
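Review bot: The added restart rule is corrupted: the tail of the sample line (`--create-prefs ... --allow-tell'`) is glued in front of `^\w{3}`, so the pattern begins with literal option text and carries a `^` anchor mid-pattern that can never match. egrep accepts it, so test.sh passes, but the spamd restart message is no longer ignored at all. Drop everything before the anchor so the line starts `^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd: spamd: restarting using \'\/usr\/sbin\/spamd ...`; a later patch in this series appears to do exactly that.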
@@ -21,46 +21,44 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Closed|Listening on) CUPS Scheduler.$ -# timesyncd: # Aug 14 08:22:50 debian systemd-timesyncd[762]: Synchronized to time server for the first time 193.219.28.147:123 (2.debian.pool.ntp.org). # Nov 14 13:35:50 debian systemd-timesyncd[291]: Synchronized to time server for the first time 91.212.242.20:123 (0.debian.pool.ntp.org). - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[[:digit:]]+\]: Timed out waiting for reply from [.[:digit:]:]+ \([.[:alnum:]]+\).$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[[:digit:]]+\]: Synchronized to time server for the first time [.[:digit:]:]+ \([.[:alnum:]]+\).$ -# systemd-networkd-wait-online: # Aug 14 06:24:04 debian systemd-networkd-wait-online[1360]: Event loop failed: Connection timed out # Aug 14 06:39:06 debian systemd-networkd-wait-online[2275]: Event loop failed: Connection timed out # Aug 13 23:53:11 debian systemd-networkd-wait-online[7015]: Event loop failed: Connection timed out - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-networkd-wait-online\[[[:digit:]]+\]: Event loop failed: Connection timed out$ - # Nov 15 08:04:02 router systemd-networkd[28813]: tun1: Gained carrier # Nov 15 08:04:02 router systemd-networkd[28813]: tun1: Gained IPv6LL # Nov 15 08:14:59 router systemd-networkd[28813]: tun1: Lost carrier - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-networkd\[[[:digit:]]+\]: tun[0-9]+: (Gained|Lost) (carrier|IPv6LL)$ - # Nov 15 09:12:43 router systemd-udevd[17579]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable. - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-udevd\[[[:digit:]]+\]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.$ - # Sep 20 13:12:43 router systemd[1]: Created slice User Slice of UID 33. # Sep 20 08:06:32 router systemd[1]: Removed slice User Slice of UID 33. 
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[ :[:digit:]]+\]: (Created|Removed) slice (User Slice of UID [[:digit:]]+)?.$ -# systemd-logind: # Sep 20 13:17:24 router systemd-logind[486]: Session 760 logged out. Waiting for processes to exit. # Apr 28 21:56:49 debian systemd-logind[398]: Session c4 logged out. Waiting for processes to exit. - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[ :[:digit:]]+\]: Session [[:alnum:]]+ logged out. Waiting for processes to exit.$ -# D-Bus: # Sep 20 08:03:29 router systemd[658]: Listening on D-Bus User Message Bus Socket. # Sep 20 08:06:33 router systemd[658]: Closed D-Bus User Message Bus Socket. - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Listening on|Closed) D-Bus User Message Bus Socket. + +# Jan 1 00:00:00 debian systemd[13129]: Finished Exit the Session. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Exit the Session\.$ + +# Jan 1 00:00:00 debian systemd[1]: Finished Clean php session files. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Clean php session files\.$ + +# Jan 1 00:00:00 debian systemd[1]: Finished Collect apt metrics for prometheus-node-exporter. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Collect [[:alnum:]]+ metrics for prometheus-node-exporter\.$ + +# Jan 1 00:00:00 debian systemd[1]: Finished User Runtime Directory /run/user/1000. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished User Runtime Directory \/run\/user\/[0-9]+\.$ From 682898c7755dad216138e00c4e44cb46d5f785c2 Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Thu, 14 May 2020 18:05:33 +0200 Subject: [PATCH 14/44] update --- ignore.d.server/domino-dhclient | 5 +++++ ignore.d.server/domino-opendkim | 5 +++++ 2 files changed, 10 insertions(+) create mode 100644 ignore.d.server/domino-dhclient create mode 100644 ignore.d.server/domino-opendkim 
diff --git a/ignore.d.server/domino-dhclient b/ignore.d.server/domino-dhclient
new file mode 100644
index 0000000..eaba716
--- /dev/null
+++ b/ignore.d.server/domino-dhclient
@@ -0,0 +1,5 @@
+# ; -*- mode: conf; fill-column: 99999 -*-
+
+# May 3 04:14:16 debian dhclient[442]: DHCPREQUEST for 1.2.3.4 on eth0 to 2.3.4.5 port 67
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient\[[[:digit:]]+\]: DHCP(REQUEST|RELEASE) (for [.0-9]{7,15} )?on [[:alnum:].-]+ to [.0-9]{7,15} port 67( \(xid=0x[[:xdigit:]]{8}\))?$
diff --git a/ignore.d.server/domino-opendkim b/ignore.d.server/domino-opendkim
new file mode 100644
index 0000000..880d0f6
--- /dev/null
+++ b/ignore.d.server/domino-opendkim
@@ -0,0 +1,5 @@
+# ; -*- mode: conf; fill-column: 99999 -*-
+
+# Jan 1 00:00:00 debian opendkim[689]: AC9103E9A5: external host mail-oi1-x22b.google.com attempted to send as costam.org.pl
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:xdigit:]]{10,11}: external host [[:alnum:]\.-]+ attempted to send as [[:alnum:]\.-]+$

From 5b000a26ff8346c493748ec70bc01e1b6d416e4d Mon Sep 17 00:00:00 2001
From: Dominik Szmek
Date: Thu, 14 May 2020 18:25:31 +0200
Subject: [PATCH 15/44] change to ansible

---
 deploy.sh | 19 ++-----------------
 1 file changed, 2 insertions(+), 17 deletions(-)

diff --git a/deploy.sh b/deploy.sh
index 36c901a..f6aed43 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,18 +1,3 @@
-#!/bin/bash
+#!/bin/sh
 
-HOSTS=(
- linode2
- linode
- adm
- waw
- edyta
-)
-
-for host in ${HOSTS[*]}; do
- echo "syncing ${host}"
- rsync --timeout 5 -av --chown=root:logcheck ignore.d.server/ root@${host}:/etc/logcheck/ignore.d.server
-done
-
-# rsync -av --chown=root:logcheck ignore.d.server/ root@linode2:/etc/logcheck/ignore.d.server
-# rsync -av --chown=root:logcheck ignore.d.server/ root@adm:/etc/logcheck/ignore.d.server
-# rsync -av --chown=root:logcheck ignore.d.server/ root@edyta.org.pl:/etc/logcheck/ignore.d.server
+ansible-playbook deploy.yml
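Review bot: In the new dhclient rule `to [.0-9]{7,15} port 67` accepts any server address, so a DHCPREQUEST directed at an unexpected server — the footprint of a rogue DHCP server on the segment — is ignored together with the legitimate ones. Pin the server side to the address(es) you expect, e.g. `to 2\.3\.4\.5 port 67` with the real server IP (the sample looks scrubbed), and keep only the client address wild. Separately, `[ :0-9]{11}` is the only timestamp class in these files written that way where the others use `[ :[:digit:]]{11}`, and the `RELEASE` alternative has no sample line backing it.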
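Review bot: As I read opendkim, `external host X attempted to send as Y` is logged when a host it does not treat as internal presents a sender in one of your signing domains, i.e. it is the spoofing signal, and the new rule ignores it for every host and every domain. The sample is a google.com relay sending as costam.org.pl, which may be a sanctioned third-party sender; if so, pin the rule to that case, `external host [[:alnum:]-]+\.google\.com attempted to send as costam\.org\.pl$`, rather than wildcarding both sides, so an unknown host using your domain still surfaces.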
From 54ed68db8c9d7fb8cffb9d5540c2595eacd1a0fc Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Thu, 14 May 2020 18:35:34 +0200 Subject: [PATCH 16/44] update scripts --- .gitignore | 1 + deploy.sh | 4 ++++ deploy.yml | 12 ++++++++++++ 3 files changed, 17 insertions(+) create mode 100644 deploy.yml diff --git a/.gitignore b/.gitignore index ef4d453..e059b2c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ /* !/.gitignore +!/deploy* !/ignore.d.server/ /ignore.d.server/* !/ignore.d.server/domino* diff --git a/deploy.sh b/deploy.sh index f6aed43..3b2210e 100755 --- a/deploy.sh +++ b/deploy.sh @@ -1,3 +1,7 @@ #!/bin/sh +set -e + +./test.sh + ansible-playbook deploy.yml diff --git a/deploy.yml b/deploy.yml new file mode 100644 index 0000000..c895462 --- /dev/null +++ b/deploy.yml @@ -0,0 +1,12 @@ +- hosts: servers,!nanode,!m81 + + remote_user: root + + gather_facts: false + + tasks: + - name: sync + synchronize: + src: ignore.d.server + dest: /etc/logcheck + delete: yes From 4cae1b94fe94ef1b812ba5987409d18b29ea1480 Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Fri, 15 May 2020 07:55:19 +0200 Subject: [PATCH 17/44] update --- ignore.d.server/domino-spamd | 5 +---- ignore.d.server/domino-squid | 32 +------------------------------ ignore.d.server/domino-systemd | 35 +++++++++++++++++++--------------- 3 files changed, 22 insertions(+), 50 deletions(-) diff --git a/ignore.d.server/domino-spamd b/ignore.d.server/domino-spamd index dfb0585..c9ee7ba 100644 --- a/ignore.d.server/domino-spamd +++ b/ignore.d.server/domino-spamd @@ -1,6 +1,5 @@ # ; -*- mode: conf; fill-column: 99999 -*- - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: connection from [[:alnum:]:]+ \[[[:alnum:]:]+\]:[0-9]+ to port [0-9]+, fd [0-9]+$ # Jan 1 00:00:00 debian spamd[807]: dns: no callback for id 24621/IN/TXT/_adsp._domainkey.slsware.net, ignored, packet on next debug line 
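Review bot: `delete: yes` together with `src: ignore.d.server` (no trailing slash) makes rsync remove anything under the remote `/etc/logcheck/ignore.d.server` that is not in the checkout, and the .gitignore change in this same commit keeps only `domino*` files in the repo, so distribution-shipped rule files on the hosts would be deleted on the first run unless they have already been removed — worth confirming that is intended. The old script also forced `--chown=root:logcheck`; synchronize does not, so ownership and mode now follow the local checkout, and a rule file writable by a non-root account lets that account silence any log line. Consider adding `rsync_opts: ['--chown=root:logcheck', '--chmod=D755,F644']` to the task.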
@@ -42,6 +41,4 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server started on IO::Socket::IP \[::1\]:783, IO::Socket::IP \[[0-9.]+\]:783 \(running version [0-9.]+\)$ # Jan 1 06:55:16 debian spamd: spamd: restarting using '/usr/sbin/spamd -d --pidfile=/run/spamd.pid --create-prefs --max-children 5 --helper-home-dir -u debian-spamd -x --virtual-config-dir=/home/vmail/%d/.spamassassin/%l --allow-tell' - ---create-prefs --max-children 5 --helper-home-dir -u debian-spamd -x --virtual-config-dir=/home/vmail/%d/.spamassassin/%l --allow-tell'^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd: spamd: restarting using \'\/usr\/sbin\/spamd -d --pidfile=\/run\/spamd\.pid --create-prefs --max-children [0-9]+ --helper-home-dir -u debian-spamd -x --virtual-config-dir=\/home\/vmail\/\%d\/.spamassassin\/\%l --allow-tell\'$ - +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd: spamd: restarting using \'\/usr\/sbin\/spamd -d --pidfile=\/run\/spamd\.pid --create-prefs --max-children [0-9]+ --helper-home-dir -u debian-spamd -x --virtual-config-dir=\/home\/vmail\/\%d\/.spamassassin\/\%l --allow-tell\'$ diff --git a/ignore.d.server/domino-squid b/ignore.d.server/domino-squid index 9e17246..1a451cf 100644 --- a/ignore.d.server/domino-squid +++ b/ignore.d.server/domino-squid 
@@ -1,109 +1,79 @@ # ; -*- mode: conf; fill-column: 99999 -*- -#Apr 9 10:45:52 debian squid[30555]: Logfile: opening log stdio:/var/spool/squid/netdb.state #Apr 9 10:45:52 debian squid[30555]: Logfile: closing log stdio:/var/spool/squid/netdb.state - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Logfile: (opening|closing) log stdio:\/var\/spool\/squid\/[[:alnum:].]+$ #Apr 9 10:45:52 debian squid[30555]: NETDB state saved; 0 entries, 0 msec - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: NETDB state saved; [0-9.]+ entries, [0-9.]+ msec$ - # Jan 1 00:00:00 debian squid[12451]: Squid Parent: (squid-1) process 14076 started # Jan 1 00:00:00 debian squid[12451]: Squid Parent: squid-1 process 23082 exited due to signal 6 with status 0 - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Squid Parent: \(?squid-1\)? process [0-9]+ (started|exited due to signal [0-9]+ with status [0-9]+)$ # Jan 1 00:00:00 debian squid[14076]: Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 flags=9 - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Accepting HTTP Socket connections at local=\[::\]:[0-9]+ remote=\[::\] FD [0-9]+ flags=[0-9]+$ # Jan 1 00:00:00 debian squid[14076]: Adaptation support is off. - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Adaptation support is off.$ # Jan 1 00:00:00 debian squid[14076]: DNS Socket created at 1.2.3.4, FD 9 # Jan 1 00:00:00 debian squid[14076]: DNS Socket created at [::], FD 5 - -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: DNS Socket created at [0-9a-f.\[\]:]+, FD [0-9]+$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: DNS Socket created at ([.[:digit:]]+|\[[\.:[:xdigit:]+]\]|\[::\]), FD [0-9]+$ # Jan 1 00:00:00 debian squid[14076]: Finished loading MIME types and icons. 
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Finished loading MIME types and icons.$ # Jan 1 00:00:00 debian squid[14076]: Initializing IP Cache... - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Initializing IP Cache...$ # Jan 1 00:00:00 debian squid[14076]: Logfile Daemon: opening log /var/log/squid/access.log # Jan 1 00:00:00 debian squid[14076]: Logfile: opening log daemon:/var/log/squid/access.log - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Logfile( Daemon)?: (opening|closing) log (daemon:)?\/var\/log\/squid\/[[:alnum:].]+$ # Jan 1 00:00:00 debian squid[14076]: Pinger socket opened on FD 14 - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Pinger socket opened on FD [0-9]+$ # Jan 1 00:00:00 debian squid[14076]: Process Roles: worker - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Process Roles: worker$ # Jan 1 00:00:00 debian squid[14076]: Service Name: squid - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Service Name: squid$ # Jan 1 00:00:00 debian squid[14076]: Squid plugin modules loaded: 0 - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Squid plugin modules loaded: [0-9]+$ # Jan 1 00:00:00 debian squid[14076]: Starting Squid Cache version 4.6 for x86_64-pc-linux-gnu... 
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Starting Squid Cache version [0-9.]+ for x86_64-pc-linux-gnu\.\.\.$ # Jan 1 00:00:00 debian squid[14076]: Store logging disabled - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Store logging disabled$ # Jan 1 00:00:00 debian squid[14076]: Swap maxSize 0 + 262144 KB, estimated 20164 objects - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Swap maxSize [0-9]+ \+ [0-9]+ KB, estimated [0-9]+ objects$ # Jan 1 00:00:00 debian squid[23082]: Closing Pinger socket on FD 14 - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Closing Pinger socket on FD [0-9]+$ # Jan 1 00:00:00 debian squid[23082]: assertion failed: comm.cc:428: "!isOpen(conn->fd)" - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: assertion failed: [[:alnum:].:]+ \"\!isOpen\([[:alnum:]>-]+\)\"$ # Jan 1 00:00:00 debian squid[23082]: logfileRotate: daemon:/var/log/squid/access.log - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: logfileRotate: daemon:\/var\/log\/squid\/[[:alnum:]]+.log$ # Apr 20 09:01:27 debian squid[4642]: Startup: Initializing Authentication Schemes ... # Apr 20 09:01:27 debian squid[4642]: Startup: Initialized Authentication Scheme 'basic' -# Apr 20 09:01:27 debian squid[4642]: Startup: Initialized Authentication Scheme 'digest' -# Apr 20 09:01:27 debian squid[4642]: Startup: Initialized Authentication Scheme 'negotiate' -# Apr 20 09:01:27 debian squid[4642]: Startup: Initialized Authentication Scheme 'ntlm' # Apr 20 09:01:27 debian squid[4642]: Startup: Initialized Authentication. - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Startup: Initializ(ed|ing) Authentication\.?( Scheme(s)? (\.\.\.|\'[[:alnum:]]+\'))? 
# Apr 20 09:01:27 debian squid[4642]: Processing Configuration File: /etc/squid/squid.conf (depth 0) # Apr 20 09:01:27 debian squid[4642]: Processing Configuration File: /etc/squid/conf.d/debian.conf (depth 1) - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Processing Configuration File: \/etc\/squid\/(conf\.d\/)?[[:alnum:].]+ \(depth [0-9]+\)$ # Apr 20 09:01:27 debian squid[4642]: Reconfiguring Squid Cache (version 4.6)... - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Reconfiguring Squid Cache \(version [0-9.]+\)\.\.\.$ # Apr 20 09:01:27 debian squid[4642]: Closing HTTP(S) port [::]:3128 - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Closing HTTP(S) port \[[0-9a-f:]+\]:[0-9]+$ # Apr 20 09:01:27 debian squid[4642]: Initializing https:// proxy context - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Initializing https\:\/\/ proxy context$ - diff --git a/ignore.d.server/domino-systemd b/ignore.d.server/domino-systemd index 8e310a4..4e80033 100644 --- a/ignore.d.server/domino-systemd +++ b/ignore.d.server/domino-systemd 
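Review bot: In the rewritten `DNS Socket created at` rule the middle alternative `\[[\.:[:xdigit:]+]\]` has the `+` inside the bracket expression, so it matches exactly one character between the brackets (`[a]`, `[+]`) and never a real IPv6 literal; only `[::]` still matches, via the third alternative. Replace the alternation with `DNS Socket created at ([.[:digit:]]+|\[[.:[:xdigit:]]+\]), FD [0-9]+$`, which covers both samples and any bracketed IPv6 address. The removed `[0-9a-f.\[\]:]+` did handle that case.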
@@ -1,24 +1,29 @@ # ; -*- mode: conf; fill-column: 99999 -*- -# Jun 23 07:09:04 router systemd[1]: phpsessionclean.service: Succeeded. -# Jun 23 16:15:03 router systemd[1]: apt-daily.service: Succeeded. -# Jun 26 06:46:39 router systemd[1]: apt-daily-upgrade.service: Succeeded. -# Aug 11 20:05:44 debian systemd[1]: session-193.scope: Succeeded. -# Aug 14 00:00:15 debian systemd[1]: cups.path: Succeeded. -# Aug 14 00:00:15 debian systemd[1]: cups.socket: Succeeded. -# Sep 20 08:06:32 router systemd[1]: user@33.service: Succeeded. -# Sep 20 08:06:32 router systemd[658]: run-user-33.mount: Succeeded. -# Sep 20 08:06:32 router systemd[1]: run-user-33.mount: Succeeded. -# Sep 20 08:06:32 router systemd[1]: user-runtime-dir@33.service: Succeeded. -# Sep 20 08:06:33 router systemd[1]: user@1000.service: Succeeded. -# Sep 20 08:06:33 router systemd[1]: run-user-1000.mount: Succeeded. -# Sep 20 08:06:33 router systemd[1]: user-runtime-dir@1000.service: Succeeded. +# Jan 1 00:00:00 debian systemd[1]: Finished Autocommit of changes in /etc directory. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Autocommit of changes in \/etc directory\.$ + +# Jan 1 00:00:00 debian systemd[1]: Finished Certbot. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Certbot\.$ + +# Jan 1 00:00:00 debian systemd[1]: Finished Cleanup of Temporary Directories. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Cleanup of Temporary Directories\.$ + +# Jan 1 00:00:00 debian systemd[1]: Finished Daily apt download activities. +# Jan 1 00:00:00 debian systemd[1]: Finished Daily apt upgrade and clean activities. 
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Daily apt (download|upgrade and clean) activities\.$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: [-[:alnum:].@]+.(service|path|socket|scope|mount): Succeeded.$ +# Jan 1 00:00:00 debian systemd[1]: Finished Daily man-db regeneration. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Daily man-db regeneration\.$ + +# Jan 1 00:00:00 debian systemd[1]: Finished Rotate log files. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Rotate log files\.$ + +# Sep 20 08:06:33 router systemd[1]: user-runtime-dir@1000.service: Succeeded. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: [-[:alnum:].@]+.(service|path|socket|scope|timer|mount): Succeeded.$ # Aug 14 00:00:15 debian systemd[1]: Closed CUPS Scheduler. # Aug 14 00:00:15 debian systemd[1]: Listening on CUPS Scheduler. - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Closed|Listening on) CUPS Scheduler.$ # Aug 14 08:22:50 debian systemd-timesyncd[762]: Synchronized to time server for the first time 193.219.28.147:123 (2.debian.pool.ntp.org). From 5fe3fbda8cb030b7d3153b2d1166dee503a4e665 Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Sat, 16 May 2020 09:25:52 +0200 Subject: [PATCH 18/44] update --- ignore.d.server/domino-spamd | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/ignore.d.server/domino-spamd b/ignore.d.server/domino-spamd index c9ee7ba..14ceea0 100644 --- a/ignore.d.server/domino-spamd +++ b/ignore.d.server/domino-spamd 
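Review bot: The rewritten `Succeeded` rule keeps its dots unescaped, `[-[:alnum:].@]+.(service|path|socket|scope|timer|mount): Succeeded.$`, while every new `Finished ...\.$` rule in the same hunk escapes them; the bare `.` before the unit type also matches any character, so the separator is not actually checked. Make it `[-[:alnum:].@]+\.(service|path|socket|scope|timer|mount): Succeeded\.$` for consistency and tightness.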
@@ -4,41 +4,33 @@ # Jan 1 00:00:00 debian spamd[807]: dns: no callback for id 24621/IN/TXT/_adsp._domainkey.slsware.net, ignored, packet on next debug line # Jan 1 00:00:00 debian spamd[807]: dns: no callback for id 15235/IN/MX/slsware.net, ignored, packet on next debug line - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: dns: no callback for id [[:alnum:]\._\/]+, ignored, packet on next debug line$ # Jan 1 00:00:00 debian spamd[807]: dns: no likely matching queries for id 15235 # Jan 1 00:00:00 debian spamd[807]: dns: no likely matching queries for id 24621 - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: dns: no likely matching queries for id [0-9]+$ # Apr 14 15:16:56 debian spamd[18599]: spamd: result: Y 5 - FREEMAIL_FORGED_REPLYTO,HTML_MESSAGE,SPF_FAIL,TO_NO_BRKTS_HTML_IMG scantime=1.0,size=16475,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43742,mid=<98140bdf92d37fc0d41dc08b9c4fe028@domain.com>,autolearn=no autolearn_force=no # Apr 14 15:16:56 debian spamd[18600]: spamd: result: Y 5 - FREEMAIL_FORGED_REPLYTO,HTML_MESSAGE,SPF_FAIL,TO_NO_BRKTS_HTML_IMG scantime=1.0,size=16991,user=abc-1,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43744,mid=<98140bdf92d37fc0d41dc08b9c4fe028@domain.com>,autolearn=no autolearn_force=no # Apr 14 15:48:13 debian spamd[18599]: spamd: result: . 0 - DKIMWL_WL_MED,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS,HTML_IMAGE_RATIO_06,HTML_MESSAGE,LOTS_OF_MONEY,MAILING_LIST_MULTI,SPF_SOFTFAIL scantime=1.0,size=23150,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43862,mid=,autolearn=no autolearn_force=no # Apr 15 14:48:25 debian spamd[8102]: spamd: result: . 
-6 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,SPF_FAIL,URIBL_BLOCKED,USER_IN_DEF_DKIM_WL scantime=0.5,size=21463,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=46926,mid=,autolearn=no autolearn_force=no - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: [[:alnum:].]+ [[:digit:]-]+ - [[:alnum:]_,]+ scantime=[0-9.]+,size=[0-9]+,user=[[:alnum:]@_.-]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[[:digit:]:.]+,raddr=[[:digit:]:.]+,rport=[0-9]+,mid=(<[[:alnum:]:=\$_\/@.+-]+>|\(unknown\)),(rmid=<[[:alnum:]:\$=_\/@.+-]+>,)?autolearn=(yes|no|spam|ham) autolearn_force=(yes|no)$ # Apr 20 11:39:28 debian spamd[23580]: spamd: using default config for user@domain.com: /home/vmail/domain.com/.spamassasin/user_-1/user_prefs - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: using default config for [[:alnum:].@_-]+: \/home\/vmail\/[[:alnum:]_.-]+\/.spamassassin\/[[:alnum:]_-]+\/user_prefs$ # Jan 1 00:00:00 debian spamd[19297]: spamd: server socket closed, type IO::Socket::IP # Jan 1 00:00:00 debian spamd[19297]: spamd: server socket closed, type IO::Socket::IP - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server socket closed, type IO::Socket::IP$ # Jan 1 00:00:00 debian spamd[66370]: zoom: able to use 371/372 'body_0' compiled rules (99.731%) - -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: zoom: able to use [0-9\/]+ \'body_0\' compiled rules \([0-9.]+\%\)$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: zoom: able to use [0-9\/]+ 'body_0' compiled rules \([0-9.]+\%\)$ # Jan 1 00:00:00 debian spamd[4108]: prefork: child states: II [... logline repeated 47 times] - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: prefork: child states: II \[\.\.\. 
logline repeated [0-9]+ times\]$ # Jan 1 00:00:00 debian spamd[6670]: spamd: server started on IO::Socket::IP [::1]:783, IO::Socket::IP [127.0.0.1]:783 (running version 3.4.2) - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server started on IO::Socket::IP \[::1\]:783, IO::Socket::IP \[[0-9.]+\]:783 \(running version [0-9.]+\)$ # Jan 1 06:55:16 debian spamd: spamd: restarting using '/usr/sbin/spamd -d --pidfile=/run/spamd.pid --create-prefs --max-children 5 --helper-home-dir -u debian-spamd -x --virtual-config-dir=/home/vmail/%d/.spamassassin/%l --allow-tell' -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd: spamd: restarting using \'\/usr\/sbin\/spamd -d --pidfile=\/run\/spamd\.pid --create-prefs --max-children [0-9]+ --helper-home-dir -u debian-spamd -x --virtual-config-dir=\/home\/vmail\/\%d\/.spamassassin\/\%l --allow-tell\'$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd: spamd: restarting using '\/usr\/sbin\/spamd -d --pidfile=\/run\/spamd\.pid --create-prefs --max-children [0-9]+ --helper-home-dir -u debian-spamd -x --virtual-config-dir=\/home\/vmail\/\%d\/.spamassassin\/\%l --allow-tell'$ From 08f1151ba23332dd43490da9151b887a9e621ffc Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Wed, 20 May 2020 09:08:25 +0200 Subject: [PATCH 19/44] update --- ignore.d.server/domino-dovecot | 6 ++++-- ignore.d.server/domino-postfix | 5 ++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ignore.d.server/domino-dovecot b/ignore.d.server/domino-dovecot index a88445a..158c223 100644 --- a/ignore.d.server/domino-dovecot +++ b/ignore.d.server/domino-dovecot 
@@ -1,12 +1,14 @@ # ; -*- mode: conf; fill-column: 99999 -*- -# auth +# Jan 1 00:00:00 debian dovecot[4316]: doveadm(john.doe@do-main.com): Fatal: connect(2a01:7e01::f03c:91ff:fe92:641e:12345) failed: No route to host +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot\[[0-9]+\]: doveadm\([@.[:alnum:]-]+\): Fatal: connect\([\:[:xdigit:]]+\) failed: No route to host$ + +# auth ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: Warning: Event [[:alnum:]]+ leaked \(parent=\(nil\)\): auth-client-connection.c:[0-9]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: plain\(\?,[.[:digit:]]+\): Request timed out waiting for client to continue authentication \([[:digit:]]+ secs\)$ # imap - # Jan 1 00:00:00 debian dovecot: imap: Warning: Time jumped forwards 14 seconds # Jan 1 00:00:00 debian dovecot: imap: Warning: Time jumped forwards 28 seconds ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap: Warning: Time jumped forwards [0-9]+ seconds$ diff --git a/ignore.d.server/domino-postfix b/ignore.d.server/domino-postfix index d68276e..13abc94 100644 --- a/ignore.d.server/domino-postfix +++ b/ignore.d.server/domino-postfix 
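Review bot: The new doveadm rule's `connect\([\:[:xdigit:]]+\)` places a backslash inside a bracket expression, where POSIX ERE treats it as a literal character, so the class also admits `\` instead of escaping the colon; write it as `connect\([[:xdigit:]:]+\)`. The same backslash-in-brackets form recurs on added lines in the tor hunk below (`[\/[:digit:]]+`) and in the later dovecot hunks (`[\/+[:alnum:]]+`), where it is equally harmless but widens the class. Separately, this rule silences a `Fatal:` connectivity failure of doveadm; if that is intended, a one-line comment on the rule saying why, e.g. `# suppressed because: [reason]`, lets the next reader decide whether it should stay.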
@@ -62,9 +62,12 @@ ^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix(/submission|/smtps|/[0-9]+)?/smtpd\[[[:digit:]]+\]: disconnect from [[:alnum:]_\.-]+\[[[:alnum:]\.:]+\] commands=[0-9]/[0-9]$ # Jun 11 12:20:40 debian postfix/smtpd[19535]: NOQUEUE: reject: MAIL from oakwood.hyperslice.net[109.203.106.148]: 552 5.3.4 Message size exceeds fixed limit; proto=ESMTP helo= - ^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix(/submission|/smtps|/[0-9]+)?/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: MAIL from [\.[:alnum:]]+\[[\.[:alnum:]]+\]: 552 5\.3\.4 Message size exceeds fixed limit; proto=ESMTP helo=<[.[:alnum:]]+>$ +# Jan 1 00:00:00 debian postfix/smtpd[3169]: NOQUEUE: reject: RCPT from ip242.ip-54-38-110.eu[1.2.3.4]: 550 5.7.27 : Sender address rejected: Domain example.com does not accept mail (nullMX); from= to= proto=SMTP helo= +^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [.[:alnum:]-]+\[[.0-9]+\]: [0-9]+ [.0-9]+ <[@._[:alnum:]-]+>: Sender address rejected: Domain example.com does not accept mail \(nullMX\); from=<[@._[:alnum:]-]+> to=<[@._[:alnum:]-]+> proto=SMTP helo=<[._[:alnum:]-]+>$ + + # Sep 9 09:17:58 debian postfix/smtpd[5361]: Anonymous TLS connection established from mail-lj1-f177.google.com[209.85.208.177]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 # Nov 16 02:09:33 debian postfix/smtpd[27303]: Anonymous TLS connection established from ms1622.m.lrmailr.pl[164.132.49.188]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) From 35f3591ae6fe529ec8b5e4e3133d787dd29fddb0 Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Wed, 20 May 2020 09:53:35 +0200 Subject: [PATCH 20/44] update --- deploy.sh | 2 +- ignore.d.server/domino-dovecot | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) 
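Review bot: The new nullMX rule at the end of the hunk hardcodes `Domain example.com`, which reads like a sanitized sample value, so in production only rejections naming that exact domain would be ignored and every other nullMX rejection would still be reported; `Domain [._[:alnum:]-]+ does not accept mail` covers the class of event the comment describes. Conversely, `[0-9]+ [.0-9]+` in place of the sample's `550 5.7.27` is broader than the sample warrants and would also match any other status code carrying the same text; the 552 rule above pins its code, and pinning this one as `550 5\.7\.27` keeps the two consistent.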
diff --git a/deploy.sh b/deploy.sh
index 3b2210e..9edd53b 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -2,6 +2,6 @@
 set -e
-./test.sh
+./test.sh && echo "test done."
 ansible-playbook deploy.yml
diff --git a/ignore.d.server/domino-dovecot b/ignore.d.server/domino-dovecot
index 158c223..d37df94 100644
--- a/ignore.d.server/domino-dovecot
+++ b/ignore.d.server/domino-dovecot
@@ -1,6 +1,5 @@
 # ; -*- mode: conf; fill-column: 99999 -*-
-
 # Jan 1 00:00:00 debian dovecot[4316]: doveadm(john.doe@do-main.com): Fatal: connect(2a01:7e01::f03c:91ff:fe92:641e:12345) failed: No route to host
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot\[[0-9]+\]: doveadm\([@.[:alnum:]-]+\): Fatal: connect\([\:[:xdigit:]]+\) failed: No route to host$
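Review bot: `./test.sh && echo "test done."` defeats the `set -e` gate two lines above it: bash does not exit on a failing command that is part of a `&&` list (only the command after the final `&&` counts), so a failing test suite now falls through to `ansible-playbook deploy.yml` instead of aborting the deploy. Keep the test on its own line and echo afterwards — `./test.sh` then `echo "test done."` — or make the failure explicit with `./test.sh || exit 1`.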
@@ -43,6 +42,9 @@ # Jan 1 00:00:00 debian dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, TLS: Connection closed, session= ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): user=<[[:alnum:]@_.-]+>, method=PLAIN, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS: Connection closed, session=<[[:alnum:]\+\/]+>$ +# Jan 1 00:00:00 debian dovecot: imap-login: Disconnected (client didn't finish SASL auth, waited 1 secs): user=<>, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, TLS: read(size=401) failed: Connection reset by peer, session= +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(client didn\'t finish SASL auth, waited 1 secs\): user=<[[:alnum:]@_.-]*>, method=PLAIN, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS: read\(size=[0-9]+\) failed: Connection reset by peer, session=<[+\/[:alnum:]]+>$ + # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: Connection closed, session= # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2600:3c03::f03c:92ff:fe37:de06, lip=2a01:7e01::f03c:91ff:fe92:641e, TLS handshaking: Connection closed, session= # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: read(size=583) failed: Connection reset by peer, session= From b282c4d9143c319ddf21bb0977d777181a864632 Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Wed, 20 May 2020 12:12:11 +0200 Subject: [PATCH 21/44] update --- ignore.d.server/domino-postfix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ignore.d.server/domino-postfix b/ignore.d.server/domino-postfix index 13abc94..7da653c 100644 --- a/ignore.d.server/domino-postfix +++ b/ignore.d.server/domino-postfix 
@@ -54,8 +54,8 @@ ^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: warning: TLS library problem: error:[[:alnum:]]+:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:..\/ssl\/record\/rec_layer_s3.c:[0-9]+:SSL alert number [0-9]+:$ # Apr 30 11:02:05 domino postfix/smtp[6625]: Untrusted TLS connection established to poczta.cos.pl[133.111.171.21]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 - -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: (Untrusted|Trusted) TLS connection established to [-._[:alnum:]]+\[[0-9a-f:.]+\]:[0-9]+: TLSv1\.3 with cipher [_[:alnum:]-]+ \([0-9]+\/[0-9]+ bits\) key-exchange [[:alnum:]]+ server-signature [[:alnum:]-]+ \([P0-9-]+( bits)?\) server-digest [[:alnum:]]+$ +# Jan 1 00:00:00 debian postfix/smtp[28014]: Trusted TLS connection established to mail.galapp.net[1.2.3.4]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: (Untrusted|Trusted) TLS connection established to [-._[:alnum:]]+\[[0-9a-f:.]+\]:[0-9]+: TLSv1\.3 with cipher [_[:alnum:]-]+ \([0-9]+\/[0-9]+ bits\) key-exchange [[:alnum:]]+( \(P-[0-9]+\))? server-signature [[:alnum:]-]+ \([P0-9-]+( bits)?\) server-digest [[:alnum:]]+$ # --- submission smtps --- From 4ee9d4f839af42271700dff30686081144442172 Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Wed, 3 Jun 2020 12:52:42 +0200 Subject: [PATCH 22/44] update --- ignore.d.server/domino-dovecot | 16 +++++++++++++--- ignore.d.server/domino-postfix | 6 ++++++ ignore.d.server/domino-systemd | 15 ++++++++++++--- ignore.d.server/domino-tor | 16 +++++++++++----- 4 files changed, 42 insertions(+), 11 deletions(-) diff --git a/ignore.d.server/domino-dovecot b/ignore.d.server/domino-dovecot index d37df94..936854e 100644 
--- a/ignore.d.server/domino-dovecot +++ b/ignore.d.server/domino-dovecot @@ -1,5 +1,12 @@ # ; -*- mode: conf; fill-column: 99999 -*- +# Jan 1 00:00:00 debian dovecot: imap(john.doe@do-main.com)<19460>: Connection closed (UID fetch finished 0.495 secs ago - running for 0.023 + waiting for 4.854 secs, 33 B in + 1596677 B out) in=19688 out=27174696 deleted=0 expunged=0 trashed=0 hdr_count=631 hdr_bytes=276866 body_count=616 body_bytes=26682967 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]-]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \(UID fetch finished [.0-9]+ secs ago - running for [.0-9]+ \+ waiting for [.0-9]+ secs, [.0-9]+ B in \+ [.0-9]+ B out\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ + + +# Jan 1 00:00:00 debian dovecot: imap(john.doe@do-main.com)<3626>: Server shutting down. in=329 out=3420 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Server shutting down. in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ + # Jan 1 00:00:00 debian dovecot[4316]: doveadm(john.doe@do-main.com): Fatal: connect(2a01:7e01::f03c:91ff:fe92:641e:12345) failed: No route to host ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot\[[0-9]+\]: doveadm\([@.[:alnum:]-]+\): Fatal: connect\([\:[:xdigit:]]+\) failed: No route to host$ 
@@ -8,18 +15,18 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: plain\(\?,[.[:digit:]]+\): Request timed out waiting for client to continue authentication \([[:digit:]]+ secs\)$ # imap -# Jan 1 00:00:00 debian dovecot: imap: Warning: Time jumped forwards 14 seconds # Jan 1 00:00:00 debian dovecot: imap: Warning: Time jumped forwards 28 seconds ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap: Warning: Time jumped forwards [0-9]+ seconds$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap: Connection closed in=[[:digit:]]+ out=[[:digit:]]+$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed \((UID FETCH|UID STORE|LIST|NOOP|STATUS|append)? finished [0-9.]+ secs ago\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed \((EXAMINE|UID FETCH|UID STORE|LIST|NOOP|STATUS|append)? 
finished [0-9.]+ secs ago\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Disconnected for inactivity in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]\.@_-]+\)<[[:digit:]]+><[\/[:alnum:]]+>: Connection closed \(IDLE running for [[:digit:]\.]+ \+ waiting input for [[:digit:]\.]+ secs, [0-9]+ B in \+ [[:digit:]\+]+ B out, state=wait-input\) in=[0-9]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([\._@[:alnum:]-]+\)<[[:digit:]]+><[\+\/[:alnum:]]+>: Logged out in=[[:digit:]]+ out=[[:digit:]]+ deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed(: read\(size=[0-9]+\))?( failed: Connection reset by peer)? 
\(IDLE running for [0-9.]+ \+ waiting input for [0-9.]+ secs, [0-9]+ B in \+ [0-9\+]+ B out, state=wait-input\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$ + # Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<28998>: Connection closed (ID finished 0.296 secs ago) in=89 out=448 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 # Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<29432>: Connection closed (SELECT finished 0.096 secs ago) in=121 out=981 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 # Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<16443>: Connection closed (noop finished 0.081 secs ago) in=1207 out=74860 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=310 body_count=0 body_bytes=0 
@@ -43,9 +50,12 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): user=<[[:alnum:]@_.-]+>, method=PLAIN, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS: Connection closed, session=<[[:alnum:]\+\/]+>$ # Jan 1 00:00:00 debian dovecot: imap-login: Disconnected (client didn't finish SASL auth, waited 1 secs): user=<>, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, TLS: read(size=401) failed: Connection reset by peer, session= -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(client didn\'t finish SASL auth, waited 1 secs\): user=<[[:alnum:]@_.-]*>, method=PLAIN, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS: read\(size=[0-9]+\) failed: Connection reset by peer, session=<[+\/[:alnum:]]+>$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(client didn\'t finish SASL auth, waited [.0-9]+ secs\): user=<[[:alnum:]@_.-]*>, method=PLAIN, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS: read\(size=[0-9]+\) failed: Connection reset by peer, session=<[+\/[:alnum:]]+>$ # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: Connection closed, session= # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2600:3c03::f03c:92ff:fe37:de06, lip=2a01:7e01::f03c:91ff:fe92:641e, TLS handshaking: Connection closed, session= # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: read(size=583) failed: Connection reset by peer, session= ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(no auth attempts in [0-9]+ secs\): user=<>, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS( handshaking)?:( read\(size=[0-9]+\) failed:)? 
Connection (closed|reset by peer), session=<[\/\+[:alnum:]]+>$ + +# Jan 1 00:00:00 debian dovecot: imap-login: Login: user=, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, mpid=25205, TLS: Connection closed, session=<8/MvZBWnqdXCKQ3I> +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Login: user=<[[:alnum:]@_.-]*>, method=PLAIN, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, mpid=[0-9]+, TLS: Connection closed, session=<[+\/[:alnum:]]+>$ diff --git a/ignore.d.server/domino-postfix b/ignore.d.server/domino-postfix index 7da653c..af82564 100644 --- a/ignore.d.server/domino-postfix +++ b/ignore.d.server/domino-postfix @@ -1,5 +1,11 @@ # ; -*- mode: conf; fill-column: 99999 -*- +# Jan 1 00:00:00 debian postfix/postfix-script[5427]: refreshing the Postfix mail system +^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/postfix-script\[[0-9]+\]: refreshing the Postfix mail system$ + +# Jan 1 00:00:00 debian postfix/master[1634]: reload -- version 3.4.10, configuration /etc/postfix +^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/master\[[0-9]+\]: reload -- version [.0-9]+, configuration \/etc\/postfix$ + # --- smtpd --- # Sep 18 22:55:37 debian postfix/smtpd[13312]: warning: TLS library problem: error:1417D0FC:SSL routines:tls_process_client_hello:unknown protocol:../ssl/statem/statem_srvr.c:938: diff --git a/ignore.d.server/domino-systemd b/ignore.d.server/domino-systemd index 4e80033..06a9639 100644 --- a/ignore.d.server/domino-systemd +++ b/ignore.d.server/domino-systemd 
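Review bot: The new `imap-login: Login:` rule at the end of the hunk drops successful-login records from the logcheck report, and those are the lines you correlate against when an account is suspected compromised (an unexpected `rip=` for a known user, a login right after a failed-auth burst). If they are too noisy, restrict the ignore to what is expected rather than any `rip=`/`lip=`, or leave them to a dedicated auth-log review and record the choice on the rule: `# successful logins are reviewed via [tool or log]; suppressed here`.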
@@ -28,11 +28,16 @@ # Aug 14 08:22:50 debian systemd-timesyncd[762]: Synchronized to time server for the first time 193.219.28.147:123 (2.debian.pool.ntp.org). # Nov 14 13:35:50 debian systemd-timesyncd[291]: Synchronized to time server for the first time 91.212.242.20:123 (0.debian.pool.ntp.org). -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[[:digit:]]+\]: Timed out waiting for reply from [.[:digit:]:]+ \([.[:alnum:]]+\).$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[[:digit:]]+\]: Synchronized to time server for the first time [.[:digit:]:]+ \([.[:alnum:]]+\).$ -# Aug 14 06:24:04 debian systemd-networkd-wait-online[1360]: Event loop failed: Connection timed out -# Aug 14 06:39:06 debian systemd-networkd-wait-online[2275]: Event loop failed: Connection timed out +# Jan 1 00:00:00 debian systemd-timesyncd[14223]: Network configuration changed, trying to establish connection. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[[:digit:]]+\]: Network configuration changed, trying to establish connection\.$ + +# Jan 1 00:00:00 debian systemd-timesyncd[14223]: Initial synchronization to time server 1.2.3.4:123 (0.debian.pool.ntp.org). +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[[:digit:]]+\]: Initial synchronization to time server [.[:digit:]:]+ \([.[:alnum:]]+\).$ + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[[:digit:]]+\]: Timed out waiting for reply from [.[:digit:]:]+ \([.[:alnum:]]+\).$ + # Aug 13 23:53:11 debian systemd-networkd-wait-online[7015]: Event loop failed: Connection timed out ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-networkd-wait-online\[[[:digit:]]+\]: Event loop failed: Connection timed out$ 
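Review bot: The two added timesyncd rules escape the final period differently — `trying to establish connection\.$` versus `\([.[:alnum:]]+\).$` — and the re-added `Timed out` rule also ends in an unescaped `.$`; the unescaped form matches any character, so write `\.$` on all three for consistency with the first.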
@@ -41,6 +46,10 @@ # Nov 15 08:14:59 router systemd-networkd[28813]: tun1: Lost carrier ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-networkd\[[[:digit:]]+\]: tun[0-9]+: (Gained|Lost) (carrier|IPv6LL)$ +# Jan 1 00:00:00 debian systemd-networkd[14240]: tun1: Link UP +# Jan 1 00:00:00 debian systemd-networkd[14240]: tun1: Link DOWN +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-networkd\[[[:digit:]]+\]: tun[0-9]+: Link (UP|DOWN)$ + # Nov 15 09:12:43 router systemd-udevd[17579]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable. ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-udevd\[[[:digit:]]+\]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.$ diff --git a/ignore.d.server/domino-tor b/ignore.d.server/domino-tor index 672840d..bef076c 100644 --- a/ignore.d.server/domino-tor +++ b/ignore.d.server/domino-tor 
@@ -1,26 +1,32 @@ # ; -*- mode: conf; fill-column: 99999 -*- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Your network connection speed appears to have changed. Resetting timeout to [[:digit:]]+s after [[:digit:]]+ timeouts and [[:digit:]]+ buildtimes.$ + ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: We now have enough directory information to build circuits.$ + ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: I learned some more directory information, but not enough to build a circuit: We're missing descriptors for [/[:digit:]]+ of our primary entry guards \(total microdescriptors: [/[:digit:]]+\).$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Our directory information is no longer up-to-date enough to build circuits: We're missing descriptors for [/[:digit:]]+ of our primary entry guards \(total microdescriptors: [/[:digit:]]+\).$ + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: I learned some more directory information, but not enough to build a circuit: We're missing descriptors for [\/[:digit:]]+ of our primary entry guards \(total microdescriptors: [\/[:digit:]]+\). That's ok. We will try to fetch missing descriptors soon.$ + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Our directory information is no longer up-to-date enough to build circuits: We're missing descriptors for [\/[:digit:]]+ of our primary entry guards \(total microdescriptors: [\/[:digit:]]+\).( That's ok. We will try to fetch missing descriptors soon.)?$ + ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Your Guard grocock ([\$[:alnum:]]+) is failing a very large amount of circuits. Most likely this means the Tor network is overloaded, but it could also mean an attack against you or potentially the guard itself. Success counts are [/[:digit:]]+. Use counts are [/[:digit:]]+. 
[[:digit:]]+ circuits completed, [[:digit:]]+ were unusable, [[:digit:]]+ collapsed, and [[:digit:]]+ timed out. For reference, your timeout cutoff is [[:digit:]]+ seconds.$ + ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Average packaged cell fullness: [.[:digit:]]+\%. TLS write overhead: [.[:digit:]]+\%$ # Jun 25 19:20:39 router Tor[992]: Heartbeat: Tor's uptime is 6:00 hours, with 6 circuits open. I've sent 878 kB and received 1.70 MB. - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Heartbeat: Tor's uptime is( [0-9]+ days)? [[:digit:]:]+ hours, with [0-9]+ circuits open. I've sent [.[:digit:]]+ [[:alnum:]]{1,2} and received [.[:digit:]]+ [[:alnum:]]{1,2}.$ # Nov 7 00:01:05 debian Tor[14367]: Read configuration file "/usr/share/tor/tor-service-defaults-torrc". # Nov 7 00:01:05 debian Tor[14367]: Read configuration file "/etc/tor/torrc". - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Read configuration file "[[:alnum:]\/-]+".$ # Nov 7 00:01:05 debian Tor[14367]: Received reload signal (hup). Reloading config and resetting internal state. - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Received reload signal \(hup\)\. Reloading config and resetting internal state\.$ # Jan 01 00:00:00 debian Tor[14367]: Requested exit point '$39C1B28407EAC759801AFCB7106D5DC05B42A8C9' is not known. Closing. - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Requested exit point \'[[:alnum:]$]+\' is not known. Closing.$ + +# Jun 2 11:59:22 dell-r710 Tor[2585]: Failed to find node for hop #1 of our path. Discarding this circuit. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Failed to find node for hop #[0-9]+ of our path\. Discarding this circuit\.$ From b955be1598710ad77b942a3f1fe7ba894c434731 Mon Sep 17 00:00:00 2001 
From: Dominik Szmek Date: Thu, 4 Jun 2020 19:12:43 +0200 Subject: [PATCH 23/44] Update --- ignore.d.server/domino-dovecot | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ignore.d.server/domino-dovecot b/ignore.d.server/domino-dovecot index 936854e..5d4f951 100644 --- a/ignore.d.server/domino-dovecot +++ b/ignore.d.server/domino-dovecot @@ -1,5 +1,7 @@ # ; -*- mode: conf; fill-column: 99999 -*- + + # Jan 1 00:00:00 debian dovecot: imap(john.doe@do-main.com)<19460>: Connection closed (UID fetch finished 0.495 secs ago - running for 0.023 + waiting for 4.854 secs, 33 B in + 1596677 B out) in=19688 out=27174696 deleted=0 expunged=0 trashed=0 hdr_count=631 hdr_bytes=276866 body_count=616 body_bytes=26682967 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]-]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \(UID fetch finished [.0-9]+ secs ago - running for [.0-9]+ \+ waiting for [.0-9]+ secs, [.0-9]+ B in \+ [.0-9]+ B out\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ 
@@ -50,8 +52,9 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): user=<[[:alnum:]@_.-]+>, method=PLAIN, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS: Connection closed, session=<[[:alnum:]\+\/]+>$ # Jan 1 00:00:00 debian dovecot: imap-login: Disconnected (client didn't finish SASL auth, waited 1 secs): user=<>, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, TLS: read(size=401) failed: Connection reset by peer, session= -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(client didn\'t finish SASL auth, waited [.0-9]+ secs\): user=<[[:alnum:]@_.-]*>, method=PLAIN, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS: read\(size=[0-9]+\) failed: Connection reset by peer, session=<[+\/[:alnum:]]+>$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(client didn't finish SASL auth, waited [.0-9]+ secs\): user=<[[:alnum:]@_.-]*>, method=PLAIN, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS: read\(size=[0-9]+\) failed: Connection reset by peer, session=<[+\/[:alnum:]]+>$ +# ' # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: Connection closed, session= # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2600:3c03::f03c:92ff:fe37:de06, lip=2a01:7e01::f03c:91ff:fe92:641e, TLS handshaking: Connection closed, session= # Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: read(size=583) failed: Connection reset by peer, session= From 77d295a51cc8cc71a6b8c7757f49a6bd9e645d8a Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Fri, 5 Jun 2020 18:13:00 +0200 Subject: [PATCH 24/44] Update --- ignore.d.server/domino-dovecot | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
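Review bot: The added `# '` line exists only to balance the apostrophe in `didn't` on the line above for an editor's syntax highlighting, but nothing says so, and the next maintainer is likely to delete it as junk or, worse, "fix" the rule back to `didn\'t` — which under GNU grep is the end-of-buffer anchor and made the old form unable to match. Say it on the line itself, e.g. `# ' (closes the quote above for editor highlighting only; not a rule)`.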
diff --git a/ignore.d.server/domino-dovecot b/ignore.d.server/domino-dovecot
index 5d4f951..9785d6b 100644
--- a/ignore.d.server/domino-dovecot
+++ b/ignore.d.server/domino-dovecot
@@ -1,10 +1,11 @@ # ; -*- mode: conf; fill-column: 99999 -*- - # Jan 1 00:00:00 debian dovecot: imap(john.doe@do-main.com)<19460>: Connection closed (UID fetch finished 0.495 secs ago - running for 0.023 + waiting for 4.854 secs, 33 B in + 1596677 B out) in=19688 out=27174696 deleted=0 expunged=0 trashed=0 hdr_count=631 hdr_bytes=276866 body_count=616 body_bytes=26682967 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]-]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \(UID fetch finished [.0-9]+ secs ago - running for [.0-9]+ \+ waiting for [.0-9]+ secs, [.0-9]+ B in \+ [.0-9]+ B out\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ +# Jan 1 00:00:00 debian dovecot: imap(john.doe@do-main.com)<19714>: Connection closed: read(size=8113) failed: Connection reset by peer (UID FETCH running for 0.028 + waiting input/output for 0.020 secs, 19 B in + 204872+2080 B out, state=wait-output) in=79 out=206478 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]-]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed: read\(size=8113\) failed: Connection reset by peer \(UID FETCH running for [.0-9]+ \+ waiting input\/output for [.0-9]+ secs, [.0-9]+ B in \+ [+.0-9]+ B out, state=wait-output\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ # Jan 1 00:00:00 debian dovecot: imap(john.doe@do-main.com)<3626>: Server shutting down. in=329 out=3420 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Server shutting down. in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ 
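Review bot: The new `Connection reset by peer` rule hardcodes `read\(size=8113\)` from the sample, so the same event with any other read size will not be ignored; the imap-login rule further down the file already uses `read\(size=[0-9]+\)` and this one should match it. The rest of the rule looks right — `[+.0-9]+` does cover the `204872+2080` form in the sample.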
@@ -37,7 +38,7 @@ # Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<13658>: Connection closed (UID fetch finished 0.145 secs ago) in=9581 out=9495290 deleted=0 expunged=0 trashed=0 hdr_count=4 hdr_bytes=1467 body_count=144 body_bytes=9365757 # Apr 21 22:22:01 debian dovecot: imap(user@domain.com)<37293>: Connection closed (No commands sent) in=0 out=374 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 # Jan 1 00:00:00 debian dovecot: imap(john.doe@do-main.com)<20592>: Connection closed (FETCH finished 126.461 secs ago) in=688 out=7307 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \(((ID|SELECT|FETCH|noop|IDLE|UID (SEARCH|fetch)) finished [.0-9]+ secs ago|No commands sent)\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]-]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \(((ID|SELECT|FETCH|noop|IDLE|UID (SEARCH|fetch)) finished [.0-9]+ secs ago|No commands sent)\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ # May 3 09:23:30 debian dovecot: imap(abc@domain.com)<11038>: Connection closed (IDLE running for 0.014 + waiting input for 558.906 secs, 0.001 in locks, 2 B in + 10 B out, state=wait-input) in=199 out=1429 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \(IDLE running for [0-9.]+ \+ waiting input for [0-9.]+ secs, [0-9.]+ in locks, [0-9.]+ B in \+ [0-9.]+ B out, state=wait-input\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ 
hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ @@ -62,3 +63,6 @@ # Jan 1 00:00:00 debian dovecot: imap-login: Login: user=, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, mpid=25205, TLS: Connection closed, session=<8/MvZBWnqdXCKQ3I> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Login: user=<[[:alnum:]@_.-]*>, method=PLAIN, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, mpid=[0-9]+, TLS: Connection closed, session=<[+\/[:alnum:]]+>$ + +# Jun 5 11:22:59 vps417842 dovecot: lmtp(john.doe@do-main.com)<29931>: sieve: msgid=: stored mail into mailbox 'INBOX' +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (dovecot: )?(lmtp|lda)\([-_.,@[:alnum:] ]+\)<[[:alnum:]]+>(<[\/+[:alnum:]:]+>)?: (Error: )?([-+_\/.,@:[:alnum:] ]+: )?(sieve: )?(msgid=(\? )?(?(\ )?|unspecified): )?( \(((added by )?[^[:space:]]+|sfid-[_[:xdigit:]]+)\)?)?(saved mail to INBOX|stored mail into mailbox '[^']+'|marked message to be discarded if not explicitly delivered \(discard action\)|(forwarded to|sent vacation response to|discarding vacation response for message implicitly delivered to|not sending vacation response to system address|discarding vacation response to mailinglist recipient|discarded vacation reply to|discarding vacation response to (auto-submitted|precedence=(bulk|Bulk|list)) message from|discarded duplicate (vacation response|forward) to) <[^[:space:]]*>|failed to open script [\/[:alnum:].]+ \(view user logfile [\/[:alnum:].]+ for more information\))$ From 752fa0a0727d9eb25d77ef61b31bf98ed58cfb80 Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Fri, 5 Jun 2020 18:13:43 +0200 Subject: [PATCH 25/44] Add lsyncd --- ignore.d.server/domino-lsyncd | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 ignore.d.server/domino-lsyncd diff --git a/ignore.d.server/domino-lsyncd b/ignore.d.server/domino-lsyncd new file mode 100644 index 0000000..7ee0ca6 --- /dev/null +++ b/ignore.d.server/domino-lsyncd 
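Review bot: The username class in the edited rule is widened to `[.@[:alnum:]-]+`, but the IDLE rule immediately below it (context, `imap\([.@[:alnum:]]+\)`) still lacks the `-`, so the `john.doe@do-main.com` form used in the commit's own samples will still be reported for IDLE disconnects; apply the same class there. The file now spells this class at least three ways (`[.@[:alnum:]-]`, `[-[:alnum:]@\.]`, `[\._@[:alnum:]-]`); settling on one would make gaps like this easier to spot.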
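Review bot: The new lmtp/lda rule contains `(msgid=(\? )?(?(\ )?|unspecified): )?`, and `(?` is not valid POSIX ERE, so as written the file would fail to load under `grep -E`; it looks as though an angle-bracketed token (the message-id's `<...>`, also missing from the sample comment's `msgid=:`) was lost when this patch was rendered, so confirm the committed line against the upstream logcheck dovecot rule it appears to be copied from. Independently of that, the `(Error: )?` prefix and the `failed to open script ... \(view user logfile ...\)` branch suppress delivery errors, which a server-level ignore list should leave visible; consider dropping those two alternatives, or note why they are ignored, e.g. `# sieve errors are surfaced via [other channel]`.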
@@ -0,0 +1,19 @@ +# ; -*- mode: conf; fill-column: 99999 -*- + +# May 27 13:02:26 debian systemd[31861]: Created slice lsyncd.slice. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: (Created|Removed) slice lsyncd.slice.$ + +# May 27 13:04:58 debian systemd[31861]: lsyncd@pix2.service: Main process exited, code=exited, status=143/n/a +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: lsyncd@pix2.service: Main process exited, code=exited, status=[0-9]+\/n\/a$ + +# May 27 13:04:58 debian systemd[31861]: lsyncd@pix2.service: Failed with result 'exit-code'. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: lsyncd@pix2.service: Failed with result 'exit-code'.$ + +# May 27 13:02:26 debian lsyncd[31871]: 13:02:26 Normal: --- Startup --- +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ lsyncd\[[0-9]+\]: [\:[:digit:]]+ Normal: --- (Startup|TERM signal, fading) ---$ + +# May 27 13:02:26 debian lsyncd[31871]: 13:02:26 Normal: recursive startup rsync: /var/www/adm/pix2/ -> domain.com:/home/user/sites/pix2/ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ lsyncd\[[0-9]+\]: [\:[:digit:]]+ Normal: recursive startup rsync: [\/[:alnum:]]+ -> [.\:\/[:alnum:]]+$ + +# May 27 13:02:29 debian lsyncd[31871]: 13:02:29 Normal: Startup of "/var/www/adm/pix2/" finished: 0 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ lsyncd\[[0-9]+\]: [\:[:digit:]]+ Normal: Startup of "[\/[:alnum:]]+" finished: 0$ From 2a3c320343f3a002bc34f95efaaa84640339e7de Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Fri, 28 Aug 2020 09:44:08 +0200 Subject: [PATCH 26/44] Update --- ignore.d.server/domino-dovecot | 8 ++++++-- ignore.d.server/domino-kernel | 3 +++ ignore.d.server/domino-spamd | 3 +++ ignore.d.server/domino-tor | 7 ++++++- 4 files changed, 18 insertions(+), 3 deletions(-) diff --git a/ignore.d.server/domino-dovecot b/ignore.d.server/domino-dovecot index 9785d6b..12fb3b3 100644 --- a/ignore.d.server/domino-dovecot +++ b/ignore.d.server/domino-dovecot 
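Review bot: `status=[0-9]+\/n\/a` together with the `Failed with result 'exit-code'.` rule ignores every non-zero exit of the lsyncd unit, so a sync that dies will never be reported; the sample is status=143 (terminated by SIGTERM, i.e. a normal stop), so pin it — `status=143\/n\/a` — and keep the `Failed with result` line visible, or at least comment why failures are not actionable here. The unit name is also hardcoded as `lsyncd@pix2.service`; `lsyncd@[[:alnum:]_-]+\.service` covers other instances. Minor: the unescaped `.` in `lsyncd.slice.` and `'exit-code'.` matches any character, which the rest of the file writes as `\.`.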
@@ -29,7 +29,8 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([\._@[:alnum:]-]+\)<[[:digit:]]+><[\+\/[:alnum:]]+>: Logged out in=[[:digit:]]+ out=[[:digit:]]+ deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed(: read\(size=[0-9]+\))?( failed: Connection reset by peer)? \(IDLE running for [0-9.]+ \+ waiting input for [0-9.]+ secs, [0-9]+ B in \+ [0-9\+]+ B out, state=wait-input\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$ - +# Aug 28 01:20:24 debian dovecot: imap(user@domain.com)<557292>: Connection closed (SEARCH finished 0.403 secs ago) in=87 out=3864 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +# Aug 20 12:01:07 debian dovecot: imap(user@domain.com)<157847><9K4aJ0ytxsAfusUW>: Connection closed (UID EXPUNGE finished 196.892 secs ago) in=243 out=1470 deleted=3 expunged=3 trashed=3 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 # Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<28998>: Connection closed (ID finished 0.296 secs ago) in=89 out=448 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 # Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<29432>: Connection closed (SELECT finished 0.096 secs ago) in=121 out=981 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 # Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<16443>: Connection closed (noop finished 0.081 secs ago) in=1207 out=74860 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=310 body_count=0 body_bytes=0 
@@ -38,7 +39,7 @@ # Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<13658>: Connection closed (UID fetch finished 0.145 secs ago) in=9581 out=9495290 deleted=0 expunged=0 trashed=0 hdr_count=4 hdr_bytes=1467 body_count=144 body_bytes=9365757 # Apr 21 22:22:01 debian dovecot: imap(user@domain.com)<37293>: Connection closed (No commands sent) in=0 out=374 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 # Jan 1 00:00:00 debian dovecot: imap(john.doe@do-main.com)<20592>: Connection closed (FETCH finished 126.461 secs ago) in=688 out=7307 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]-]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \(((ID|SELECT|FETCH|noop|IDLE|UID (SEARCH|fetch)) finished [.0-9]+ secs ago|No commands sent)\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]-]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \(((ID|SELECT|FETCH|noop|IDLE|UID )?(SEARCH|EXPUNGE|fetch)? 
finished [.0-9]+ secs ago|No commands sent)\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ # May 3 09:23:30 debian dovecot: imap(abc@domain.com)<11038>: Connection closed (IDLE running for 0.014 + waiting input for 558.906 secs, 0.001 in locks, 2 B in + 10 B out, state=wait-input) in=199 out=1429 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \(IDLE running for [0-9.]+ \+ waiting input for [0-9.]+ secs, [0-9.]+ in locks, [0-9.]+ B in \+ [0-9.]+ B out, state=wait-input\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ 
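Review bot: Splitting the IMAP command into two independently optional groups, `(ID|SELECT|FETCH|noop|IDLE|UID )?(SEARCH|EXPUNGE|fetch)?`, makes the rule accept concatenations such as `IDSEARCH finished` and a command-less `( finished 0.1 secs ago)`, which is wider than the samples in the hunk show; a flat list of the commands actually seen says what is meant: `\(((ID|SELECT|FETCH|noop|IDLE|SEARCH|EXPUNGE|UID (SEARCH|EXPUNGE|fetch)) finished [.0-9]+ secs ago|No commands sent)\)`. The comment block above already carries the new `SEARCH` and `UID EXPUNGE` samples, so only the regex needs the change. This hunk is split across two lines of the page; the `finished …` continuation at the start of this line belongs to the rule on the previous one.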
@@ -64,5 +65,8 @@ # Jan 1 00:00:00 debian dovecot: imap-login: Login: user=, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, mpid=25205, TLS: Connection closed, session=<8/MvZBWnqdXCKQ3I> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Login: user=<[[:alnum:]@_.-]*>, method=PLAIN, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, mpid=[0-9]+, TLS: Connection closed, session=<[+\/[:alnum:]]+>$ +# Aug 23 05:50:30 debian dovecot: imap-login: Login: user=, method=PLAIN, rip=1.2.3.4, lip=2.3.4.5, mpid=302123, TLS: read(size=337) failed: Connection reset by peer, session= +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Login: user=<[[:alnum:]@_.-]*>, method=PLAIN, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, mpid=[0-9]+, TLS: read\(size=[0-9]+\) failed: Connection reset by peer, session=<[+\/[:alnum:]]+>$ + # Jun 5 11:22:59 vps417842 dovecot: lmtp(john.doe@do-main.com)<29931>: sieve: msgid=: stored mail into mailbox 'INBOX' ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (dovecot: )?(lmtp|lda)\([-_.,@[:alnum:] ]+\)<[[:alnum:]]+>(<[\/+[:alnum:]:]+>)?: (Error: )?([-+_\/.,@:[:alnum:] ]+: )?(sieve: )?(msgid=(\? )?(?(\ )?|unspecified): )?( \(((added by )?[^[:space:]]+|sfid-[_[:xdigit:]]+)\)?)?(saved mail to INBOX|stored mail into mailbox '[^']+'|marked message to be discarded if not explicitly delivered \(discard action\)|(forwarded to|sent vacation response to|discarding vacation response for message implicitly delivered to|not sending vacation response to system address|discarding vacation response to mailinglist recipient|discarded vacation reply to|discarding vacation response to (auto-submitted|precedence=(bulk|Bulk|list)) message from|discarded duplicate (vacation response|forward) to) <[^[:space:]]*>|failed to open script [\/[:alnum:].]+ \(view user logfile [\/[:alnum:].]+ for more information\))$ diff --git a/ignore.d.server/domino-kernel b/ignore.d.server/domino-kernel index 88deed7..bbd75fe 100644 --- a/ignore.d.server/domino-kernel 
+++ b/ignore.d.server/domino-kernel
@@ -21,3 +21,6 @@ Jun 17 18:47:23 router kernel: [6425157.863842] ip6_tables: (C) 2000-2006 Netfil
 # Jan 1 00:00:00 debian kernel: [5674141.471188] device br0 left promiscuous mode
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[ .[:digit:]]+\] device [[:alnum:]]+ (entered|left) promiscuous mode$
+
+# Aug 19 07:48:03 debian kernel: [155896.114715] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module.
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[ .[:digit:]]+\] conntrack: generic helper won't handle protocol [0-9]+. Please consider loading the specific helper module.$
diff --git a/ignore.d.server/domino-spamd b/ignore.d.server/domino-spamd
index 14ceea0..e26f0fa 100644
--- a/ignore.d.server/domino-spamd
+++ b/ignore.d.server/domino-spamd
@@ -34,3 +34,6 @@
 # Jan 1 06:55:16 debian spamd: spamd: restarting using '/usr/sbin/spamd -d --pidfile=/run/spamd.pid --create-prefs --max-children 5 --helper-home-dir -u debian-spamd -x --virtual-config-dir=/home/vmail/%d/.spamassassin/%l --allow-tell'
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd: spamd: restarting using '\/usr\/sbin\/spamd -d --pidfile=\/run\/spamd\.pid --create-prefs --max-children [0-9]+ --helper-home-dir -u debian-spamd -x --virtual-config-dir=\/home\/vmail\/\%d\/.spamassassin\/\%l --allow-tell'$
+
+# Aug 22 06:55:05 debian spamd[251886]: spamd: server pid: 251886
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: spamd: server pid: [0-9]+$
diff --git a/ignore.d.server/domino-tor b/ignore.d.server/domino-tor
index bef076c..2177989 100644
--- a/ignore.d.server/domino-tor
+++ b/ignore.d.server/domino-tor
@@ -10,7 +10,9 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Our directory information is no longer up-to-date enough to build circuits: We're missing descriptors for [\/[:digit:]]+ of our primary entry guards \(total microdescriptors: [\/[:digit:]]+\).( That's ok. We will try to fetch missing descriptors soon.)?$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Your Guard grocock ([\$[:alnum:]]+) is failing a very large amount of circuits. Most likely this means the Tor network is overloaded, but it could also mean an attack against you or potentially the guard itself. Success counts are [/[:digit:]]+. Use counts are [/[:digit:]]+. [[:digit:]]+ circuits completed, [[:digit:]]+ were unusable, [[:digit:]]+ collapsed, and [[:digit:]]+ timed out. For reference, your timeout cutoff is [[:digit:]]+ seconds.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: (Your )?Guard [[:alnum:]]+ \([\$[:alnum:]]+\) is failing a very large amount of circuits. Most likely this means the Tor network is overloaded, but it could also mean an attack against you or potentially the guard itself\. Success counts are [0-9]+\/[0-9]+\. Use counts are [0-9]+\/[0-9]+. [[:digit:]]+ circuits completed, [[:digit:]]+ were unusable, [[:digit:]]+ collapsed, and [[:digit:]]+ timed out. For reference, your timeout cutoff is [[:digit:]]+ seconds.$ + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: (Your )?Guard [[:alnum:]]+ \([\$[:alnum:]]+\) is failing an extremely large amount of circuits. This could indicate a route manipulation attack, extreme network overload, or a bug. Success counts are [0-9]+\/[0-9]+. Use counts are [0-9]+\/[0-9]+. [0-9]+ circuits completed, [0-9]+ were unusable, [0-9]+ collapsed, and [0-9]+ timed out. For reference, your timeout cutoff is [0-9]+ seconds.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Average packaged cell fullness: [.[:digit:]]+\%. TLS write overhead: [.[:digit:]]+\%$ 
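Review bot: Both new `(Your )?Guard … is failing (a very|an extremely) large amount of circuits` rules suppress a warning that Tor's own text attributes to 'an attack against you' or 'a route manipulation attack'; in a rule set under ignore.d.server that is a security signal being dropped rather than noise, and the second rule has no sample line showing it was ever seen as benign. I would leave at least the 'extremely large … route manipulation attack' line reported and, if the overload variant must be quiet, keep only the first rule. Stylistically the first rule mixes escaped and unescaped periods (`itself\.` and `[0-9]+\/[0-9]+\.` next to `circuits.` and `Use counts are [0-9]+\/[0-9]+.`), and an unescaped `.` matches any character.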
@@ -30,3 +32,6 @@ # Jun 2 11:59:22 dell-r710 Tor[2585]: Failed to find node for hop #1 of our path. Discarding this circuit. ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Failed to find node for hop #[0-9]+ of our path\. Discarding this circuit\.$ + +# Aug 27 00:07:54 debian Tor[1986412]: Received http status code 404 ("Not found") from server '1.2.3.4:443' while fetching consensus directory. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Received http status code 404 \("Not found"\) from server '[[:digit:].:]+' while fetching consensus directory.$ From bbb06a8dd316412f25d4b6adb769dc154c13ec64 Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Thu, 26 Nov 2020 19:29:14 +0100 Subject: [PATCH 27/44] Update --- ignore.d.server/domino-kernel | 3 +++ ignore.d.server/domino-spamass-milter | 4 ++++ ignore.d.server/domino-sshd | 5 +++-- ignore.d.server/domino-tor | 7 ++++++- 4 files changed, 16 insertions(+), 3 deletions(-) create mode 100644 ignore.d.server/domino-spamass-milter diff --git a/ignore.d.server/domino-kernel b/ignore.d.server/domino-kernel index bbd75fe..4fbf7ed 100644 --- a/ignore.d.server/domino-kernel +++ b/ignore.d.server/domino-kernel @@ -24,3 +24,6 @@ Jun 17 18:47:23 router kernel: [6425157.863842] ip6_tables: (C) 2000-2006 Netfil # Aug 19 07:48:03 debian kernel: [155896.114715] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module. ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[ .[:digit:]]+\] conntrack: generic helper won't handle protocol [0-9]+. Please consider loading the specific helper module.$ + +# Nov 26 16:13:34 debian kernel: [14885.004498] Rekeying PTK for STA 00:0f:02:02:98:98 but driver can't safely do that. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[.[:digit:]]+\] Rekeying PTK for STA [[:xdigit:]:]+ but driver can\'t safely do that\.$ 
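Review bot: The new `Rekeying PTK for STA … but driver can't safely do that` rule in domino-kernel silences a warning that is not routine noise: as far as I recall it is emitted by the wireless stack when a pairwise key is replaced on a driver that cannot perform a PTK rekey safely, a condition the kernel source itself describes as a possible clear-text leak or freeze — worth confirming against the kernel before deciding to ignore it. I would keep the line reported and address the cause (driver, firmware or the access point's rekey interval) instead. The rule also writes `can\'t`, an escape ERE does not define; PATCH 28 further down rewrites it as `can't`, which is what this version should have used from the start.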
diff --git a/ignore.d.server/domino-spamass-milter b/ignore.d.server/domino-spamass-milter
new file mode 100644
index 0000000..6006b47
--- /dev/null
+++ b/ignore.d.server/domino-spamass-milter
@@ -0,0 +1,4 @@
+# ; -*- mode: conf; fill-column: 99999 -*-
+
+# Aug 20 15:49:12 debian spamass-milter[887]: Could not extract score from <>
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamass-milter\[[[:digit:]]+\]: Could not extract score from <>$
diff --git a/ignore.d.server/domino-sshd b/ignore.d.server/domino-sshd
index 0dfb703..13cd143 100644
--- a/ignore.d.server/domino-sshd
+++ b/ignore.d.server/domino-sshd
@@ -1,5 +1,6 @@
 # ; -*- mode: text; fill-column: 99999 -*-
-# Sep 21 19:15:41 router sshd[1743]: Connection closed by authenticating user root 1.2.3.4 port 51354 [preauth]
+# Sep 21 19:15:41 debian sshd[1743]: Connection closed by authenticating user root 1.2.3.4 port 51354 [preauth]
+# Oct 4 17:29:59 debian sshd[6511]: Connection closed by authenticating user www-data 10.4.0.1 port 45568 [preauth]
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by authenticating user [[:alnum:]]+ [.[:digit:]]+ port [0-9]+ \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by authenticating user [-[:alnum:]]+ [.[:digit:]]+ port [0-9]+ \[preauth\]$
diff --git a/ignore.d.server/domino-tor b/ignore.d.server/domino-tor
index 2177989..1924dc8 100644
--- a/ignore.d.server/domino-tor
+++ b/ignore.d.server/domino-tor
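Review bot: Widening the account class to `[-[:alnum:]]+` in the `Connection closed by authenticating user … [preauth]` rule suppresses pre-auth connection attempts for every account, and the two sample lines in the hunk are the ones a defender most wants to see — `root` from an external address and the `www-data` service account, which should never be authenticating over SSH at all. Restrict the rule to the accounts and source ranges that are expected to log in, e.g. `user (<expected-user>) 10\.4\.[.[:digit:]]+ port [0-9]+ \[preauth\]$` (placeholder shown; use your own names and ranges), so probes against other accounts still reach the report. Note also that `[.[:digit:]]+` does not match IPv6 sources, which is fine here because those lines then stay visible.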
@@ -26,7 +26,6 @@ # Nov 7 00:01:05 debian Tor[14367]: Received reload signal (hup). Reloading config and resetting internal state. ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Received reload signal \(hup\)\. Reloading config and resetting internal state\.$ - # Jan 01 00:00:00 debian Tor[14367]: Requested exit point '$39C1B28407EAC759801AFCB7106D5DC05B42A8C9' is not known. Closing. ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Requested exit point \'[[:alnum:]$]+\' is not known. Closing.$ @@ -35,3 +34,9 @@ # Aug 27 00:07:54 debian Tor[1986412]: Received http status code 404 ("Not found") from server '1.2.3.4:443' while fetching consensus directory. ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Received http status code 404 \("Not found"\) from server '[[:digit:].:]+' while fetching consensus directory.$ + +# Sep 1 13:09:14 debian Tor[809]: No circuits are opened. Relaxed timeout for circuit 4552 (a Measuring circuit timeout 3-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway. [11 similar message(s) suppressed in last 3600 seconds] +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: No circuits are opened\. Relaxed timeout for circuit [0-9]+ \(a Measuring circuit timeout [0-9]+-hop circuit in state doing handshakes with channel state open\) to [0-9]+ms\. However, it appears the circuit has timed out anyway\. \[[0-9]+ similar message\(s\) suppressed in last 3600 seconds\]$ + +# Oct 5 06:19:34 debian Tor[1986412]: Received http status code 404 ("Consensus is too old") from server '1.2.3.4:443' while fetching consensus directory. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Received http status code [0-9]+ \("Consensus is too old"\) from server '[.[:digit:]:]+' while fetching consensus directory.$ From a5be6126fd302e3d27f0cd76d8c8a3ed1f0f7e65 Mon Sep 17 00:00:00 2001 
From: Dominik Szmek Date: Wed, 16 Dec 2020 08:33:35 +0100 Subject: [PATCH 28/44] Update --- ignore.d.server/domino-kernel | 2 +- ignore.d.server/domino-ntp | 4 ++++ ignore.d.server/domino-spamd | 4 +++- ignore.d.server/domino-systemd | 6 +++++- 4 files changed, 13 insertions(+), 3 deletions(-) diff --git a/ignore.d.server/domino-kernel b/ignore.d.server/domino-kernel index 4fbf7ed..d4e42e5 100644 --- a/ignore.d.server/domino-kernel +++ b/ignore.d.server/domino-kernel @@ -26,4 +26,4 @@ Jun 17 18:47:23 router kernel: [6425157.863842] ip6_tables: (C) 2000-2006 Netfil ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[ .[:digit:]]+\] conntrack: generic helper won't handle protocol [0-9]+. Please consider loading the specific helper module.$ # Nov 26 16:13:34 debian kernel: [14885.004498] Rekeying PTK for STA 00:0f:02:02:98:98 but driver can't safely do that. -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[.[:digit:]]+\] Rekeying PTK for STA [[:xdigit:]:]+ but driver can\'t safely do that\.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[.[:digit:]]+\] Rekeying PTK for STA [[:xdigit:]:]+ but driver can't safely do that\.$ diff --git a/ignore.d.server/domino-ntp b/ignore.d.server/domino-ntp index 4cc3109..06550b6 100644 --- a/ignore.d.server/domino-ntp +++ b/ignore.d.server/domino-ntp @@ -19,3 +19,7 @@ # Jan 01 00:00:00 debian ntpd[32535]: new interface(s) found: waking up resolver ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: new interface\(s\) found: waking up resolver$ + +# Jan 01 01:01:01 debian ntpd[843]: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): will expire in less than 24 days + +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: leapsecond file \('\/usr\/share\/zoneinfo\/leap-seconds.list'\): will expire in less than [0-9]+ days$ diff --git a/ignore.d.server/domino-spamd b/ignore.d.server/domino-spamd index e26f0fa..4e7034e 100644 --- a/ignore.d.server/domino-spamd +++ b/ignore.d.server/domino-spamd 
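Review bot: The new `leapsecond file … will expire in less than [0-9]+ days` rule in domino-ntp hides an actionable warning — ntpd is asking for the leap-seconds list to be refreshed — rather than recurring noise, so I would not add it to the ignore set; once the file is updated the message stops on its own. If it is kept, the blank line inserted between the sample comment and its rule (`+# Jan 01 … + +^\w{3}`) breaks the comment-directly-followed-by-rule layout the rest of the file uses. The parentheses in `\('\/usr\/share\/zoneinfo\/leap-seconds.list'\)` are escaped but the `.` in `leap-seconds.list` is not.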
@@ -14,7 +14,9 @@ # Apr 14 15:16:56 debian spamd[18600]: spamd: result: Y 5 - FREEMAIL_FORGED_REPLYTO,HTML_MESSAGE,SPF_FAIL,TO_NO_BRKTS_HTML_IMG scantime=1.0,size=16991,user=abc-1,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43744,mid=<98140bdf92d37fc0d41dc08b9c4fe028@domain.com>,autolearn=no autolearn_force=no # Apr 14 15:48:13 debian spamd[18599]: spamd: result: . 0 - DKIMWL_WL_MED,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS,HTML_IMAGE_RATIO_06,HTML_MESSAGE,LOTS_OF_MONEY,MAILING_LIST_MULTI,SPF_SOFTFAIL scantime=1.0,size=23150,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43862,mid=,autolearn=no autolearn_force=no # Apr 15 14:48:25 debian spamd[8102]: spamd: result: . -6 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,SPF_FAIL,URIBL_BLOCKED,USER_IN_DEF_DKIM_WL scantime=0.5,size=21463,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=46926,mid=,autolearn=no autolearn_force=no -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: [[:alnum:].]+ [[:digit:]-]+ - [[:alnum:]_,]+ scantime=[0-9.]+,size=[0-9]+,user=[[:alnum:]@_.-]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[[:digit:]:.]+,raddr=[[:digit:]:.]+,rport=[0-9]+,mid=(<[[:alnum:]:=\$_\/@.+-]+>|\(unknown\)),(rmid=<[[:alnum:]:\$=_\/@.+-]+>,)?autolearn=(yes|no|spam|ham) autolearn_force=(yes|no)$ +# Dec 13 09:00:14 debian spamd[9959]: spamd: result: . 
-2 - BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_PASS,SPF_PASS,URIBL_BLOCKED scantime=0.6,size=2609,user=user@domain.com,uid=115,required_score=5.0,rhost=::1,raddr=::1,rport=56124,mid=<20201213080002.187DD501447@hostname>,bayes=0.000000,autolearn=ham autolearn_force=no + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: [[:alnum:].]+ [[:digit:]-]+ - [[:alnum:]_,]+ scantime=[0-9.]+,size=[0-9]+,user=[[:alnum:]@_.-]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[[:digit:]:.]+,raddr=[[:digit:]:.]+,rport=[0-9]+,mid=(<[[:alnum:]:=\$_\/@.+-]+>|\(unknown\)),(bayes=[0-9.]+,)?(rmid=<[[:alnum:]:\$=_\/@.+-]+>,)?autolearn=(yes|no|spam|ham) autolearn_force=(yes|no)$ # Apr 20 11:39:28 debian spamd[23580]: spamd: using default config for user@domain.com: /home/vmail/domain.com/.spamassasin/user_-1/user_prefs ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: using default config for [[:alnum:].@_-]+: \/home\/vmail\/[[:alnum:]_.-]+\/.spamassassin\/[[:alnum:]_-]+\/user_prefs$ diff --git a/ignore.d.server/domino-systemd b/ignore.d.server/domino-systemd index 06a9639..4846c91 100644 --- a/ignore.d.server/domino-systemd +++ b/ignore.d.server/domino-systemd @@ -8,6 +8,7 @@ # Jan 1 00:00:00 debian systemd[1]: Finished Cleanup of Temporary Directories. ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Cleanup of Temporary Directories\.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Gets the latest METAR message\.$ # Jan 1 00:00:00 debian systemd[1]: Finished Daily apt download activities. # Jan 1 00:00:00 debian systemd[1]: Finished Daily apt upgrade and clean activities. 
@@ -63,7 +64,7 @@ # Sep 20 08:03:29 router systemd[658]: Listening on D-Bus User Message Bus Socket. # Sep 20 08:06:33 router systemd[658]: Closed D-Bus User Message Bus Socket. -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Listening on|Closed) D-Bus User Message Bus Socket. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Listening on|Closed) D-Bus User Message Bus Socket.$ # Jan 1 00:00:00 debian systemd[13129]: Finished Exit the Session. ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Exit the Session\.$ @@ -76,3 +77,6 @@ # Jan 1 00:00:00 debian systemd[1]: Finished User Runtime Directory /run/user/1000. ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished User Runtime Directory \/run\/user\/[0-9]+\.$ + +# Dec 4 19:11:12 debian systemd[19869]: Queued start job for default target Main User Target. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Queued start job for default target Main User Target.$ From 9bf2a602aca554258944a1e66356d6aed200fac9 Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Thu, 11 Mar 2021 20:15:08 +0100 Subject: [PATCH 29/44] Update --- ignore.d.server/domino-syncthing | 4 ++++ ignore.d.server/domino-syslog | 4 ++-- ignore.d.server/domino-systemd | 14 ++++++++++++++ 3 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 ignore.d.server/domino-syncthing diff --git a/ignore.d.server/domino-syncthing b/ignore.d.server/domino-syncthing new file mode 100644 index 0000000..da03432 --- /dev/null +++ b/ignore.d.server/domino-syncthing @@ -0,0 +1,4 @@ +# ; -*- mode: conf; fill-column: 99999 -*- + +# Dec 26 13:14:11 debian syncthing[1362758]: [IF6O5] INFO: +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ syncthing\[[[:digit:]]+\]: \[[[:alnum:]]+\] INFO: diff --git a/ignore.d.server/domino-syslog b/ignore.d.server/domino-syslog index 4f982cc..57dc71c 100644 --- a/ignore.d.server/domino-syslog +++ b/ignore.d.server/domino-syslog 
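Review bot: The single rule in the new domino-syncthing file, `syncthing\[[[:digit:]]+\]: \[[[:alnum:]]+\] INFO: `, has no `$` anchor and no message text after `INFO: `, so it suppresses every INFO-level line syncthing writes; I believe device connection and folder status events are logged at that level too, which means an unexpected peer connecting would no longer appear in the report. Write one rule per known-benign message with its full text, as the other files do, and leave everything else reported. The sample comment in the hunk also ends at `INFO:` with nothing after it, so either the sample was truncated or the message text was lost when this page was rendered — either way the committed rule should be checked against a real line.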
@@ -1,5 +1,5 @@ -# ; -*- mode: text; fill-column: 99999 -*- +# ; -*- mode: conf; fill-column: 99999 -*- # Sep 18 00:00:04 debian-linode rsyslogd: [origin software="rsyslogd" swVersion="8.1901.0" x-pid="720" x-info="https://www.rsyslog.com"] rsyslogd was HUPed - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd: \[origin software=\"rsyslogd\" swVersion=\"[[:digit:].]+\" x-pid=\"[0-9]+\" x-info=\"https:\/\/www.rsyslog.com\"\] rsyslogd was HUPed$ + diff --git a/ignore.d.server/domino-systemd b/ignore.d.server/domino-systemd index 4846c91..6281a88 100644 --- a/ignore.d.server/domino-systemd +++ b/ignore.d.server/domino-systemd @@ -80,3 +80,17 @@ # Dec 4 19:11:12 debian systemd[19869]: Queued start job for default target Main User Target. ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Queued start job for default target Main User Target.$ + +# Jan 23 07:35:48 debian systemd[1]: session-c18.scope: Consumed 1.201s CPU time. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: [[:alnum:]-]+.(service|scope|slice): Consumed [[:digit:].]+s CPU time.$ + +# Jan 23 07:35:47 debian systemd[563453]: Created slice User Application Slice. +# Jan 23 07:35:58 debian systemd[563453]: Removed slice User Application Slice. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Created|Removed) slice User Application Slice.$ + +# Jan 24 20:23:37 debian systemd[1068423]: Created slice app-lsyncd.slice. +# Jan 24 20:23:49 debian systemd[1068423]: Removed slice app-lsyncd.slice. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Created|Removed) slice [[:alnum:].-]+.$ + +# Jan 25 00:00:01 debian systemd[1]: rsyslog.service: Sent signal SIGHUP to main process 572 (rsyslogd) on client request. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: rsyslog.service: Sent signal SIGHUP to main process [0-9]+ \(rsyslogd\) on client request.$ From a4fbf93ef879c55e006165d9bf3a62b1dc0f043e Mon Sep 17 00:00:00 2001 
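Review bot: The generic `(Created|Removed) slice [[:alnum:].-]+.$` rule added to domino-systemd already covers the `lsyncd.slice` rule introduced in domino-lsyncd by PATCH 25, which can be retired so the two do not drift apart. All three new `slice` rules and the `Consumed [[:digit:].]+s CPU time.` rule leave the trailing `.` unescaped; `\.$` states the intent. The `rsyslog.service: Sent signal SIGHUP … on client request` rule is appropriately narrow.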
From: Dominik Szmek Date: Sun, 25 Apr 2021 16:57:11 +0200 Subject: [PATCH 30/44] Update --- ignore.d.server/domino-hostapd | 4 ++++ ignore.d.server/domino-tor | 3 +++ 2 files changed, 7 insertions(+) diff --git a/ignore.d.server/domino-hostapd b/ignore.d.server/domino-hostapd index 62f18c2..385b3c8 100644 --- a/ignore.d.server/domino-hostapd +++ b/ignore.d.server/domino-hostapd @@ -46,3 +46,7 @@ # Jan 1 00:00:00 debian hostapd[687]: wls4: AP-STA-POLL-OK 3c:71:bf:2d:10:52 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hostapd(\[[0-9]+\])?: [[:alnum:]]+: AP-STA-POLL-OK [[:xdigit:]:]{17}$ + +# Apr 22 09:31:54 debian hostapd[1555]: wlp13s0: STA-OPMODE-SMPS-MODE-CHANGED 50:2f:9b:04:0a:b5 off + +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hostapd(\[[0-9]+\])?: [[:alnum:]]+: STA-OPMODE-SMPS-MODE-CHANGED [[:xdigit:]:]{17} off$ diff --git a/ignore.d.server/domino-tor b/ignore.d.server/domino-tor index 1924dc8..5e82a24 100644 --- a/ignore.d.server/domino-tor +++ b/ignore.d.server/domino-tor @@ -40,3 +40,6 @@ # Oct 5 06:19:34 debian Tor[1986412]: Received http status code 404 ("Consensus is too old") from server '1.2.3.4:443' while fetching consensus directory. ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Received http status code [0-9]+ \("Consensus is too old"\) from server '[.[:digit:]:]+' while fetching consensus directory.$ + +# Apr 25 14:32:41 debian Tor[28899]: http status 400 ("Nonauthoritative directory does not accept posted server descriptors") response from dirserver '185.100.87.41:443'. Malformed rendezvous descriptor? +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: http status 400 \("Nonauthoritative directory does not accept posted server descriptors"\) response from dirserver \'[:.0-9]+\'. Malformed rendezvous descriptor\?$ From 363e916adb1299dad427264b4d83214f1c2702a9 Mon Sep 17 00:00:00 2001 
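Review bot: The sample comment in the domino-tor hunk keeps a real directory-server address, `185.100.87.41:443`, while every other sample on this page is anonymised to `1.2.3.4`; replace it for consistency. The rule quotes the address as `\'[:.0-9]+\'`, an escape ERE does not define (PATCH 32 below rewrites it with plain quotes), and the line it hides — `Malformed rendezvous descriptor?` after a 400 from a dirserver — appears to tell an onion-service operator that a descriptor upload was rejected, which I would rather keep in the report. In the domino-hostapd hunk the blank line between the `STA-OPMODE-SMPS-MODE-CHANGED` sample and its rule departs from the comment-then-rule layout used elsewhere in that file.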
From: Dominik Szmek
Date: Sun, 25 Apr 2021 16:57:31 +0200
Subject: [PATCH 31/44] Add dnsmasq
---
ignore.d.server/domino-dnsmasq | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 ignore.d.server/domino-dnsmasq
diff --git a/ignore.d.server/domino-dnsmasq b/ignore.d.server/domino-dnsmasq
new file mode 100644
index 0000000..635c0f4
--- /dev/null
+++ b/ignore.d.server/domino-dnsmasq
@@ -0,0 +1,2 @@
+# Apr 22 12:32:20 debian dnsmasq-dhcp[1222]: DHCPSOLICIT(br0) 00:01:00:01:27:f4:b3:ab:74:78:27:68:64:04
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq-dhcp\[[0-9]+\]: DHCPSOLICIT\([[:alnum:]]+\) [[:xdigit:]:]+$
From ebb2f6738873eb2a1d50aeb1af2e523b5106ec5f Mon Sep 17 00:00:00 2001
From: Dominik Szmek
Date: Wed, 7 Jul 2021 19:03:47 +0200
Subject: [PATCH 32/44] update
---
deploy.yml | 2 +-
ignore.d.server/domino-kernel | 3 +++
ignore.d.server/domino-spamd | 8 ++++++--
ignore.d.server/domino-tor | 5 ++++-
4 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/deploy.yml b/deploy.yml
index c895462..1d08d69 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -1,4 +1,4 @@
-- hosts: servers,!nanode,!m81
+- hosts: servers,!nanode,!m81,!edyta.org.pl
 remote_user: root
diff --git a/ignore.d.server/domino-kernel b/ignore.d.server/domino-kernel
index d4e42e5..9482050 100644
--- a/ignore.d.server/domino-kernel
+++ b/ignore.d.server/domino-kernel
@@ -27,3 +27,6 @@ Jun 17 18:47:23 router kernel: [6425157.863842] ip6_tables: (C) 2000-2006 Netfil
 # Nov 26 16:13:34 debian kernel: [14885.004498] Rekeying PTK for STA 00:0f:02:02:98:98 but driver can't safely do that.
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[.[:digit:]]+\] Rekeying PTK for STA [[:xdigit:]:]+ but driver can't safely do that\.$
+
+# May 17 07:26:40 debian kernel: [8672235.902147] ath10k_pci 0000:0d:00.0: Invalid peer id 217 peer stats buffer
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[.[:digit:]]+\] ath10k_pci [[:alnum:]:.]+ Invalid peer id [0-9]+ peer stats buffer$
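Review bot: The new domino-dnsmasq file is the only new file in this series without the `# ; -*- mode: conf; fill-column: 99999 -*-` header the others open with. The `DHCPSOLICIT\([[:alnum:]]+\) [[:xdigit:]:]+$` rule also accepts solicitations on any interface; if only `br0` is expected to carry DHCPv6 clients, pinning `DHCPSOLICIT\(br0\)` keeps requests seen on other interfaces visible in the report.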
diff --git a/ignore.d.server/domino-spamd b/ignore.d.server/domino-spamd index 4e7034e..c683f96 100644 --- a/ignore.d.server/domino-spamd +++ b/ignore.d.server/domino-spamd @@ -4,7 +4,7 @@ # Jan 1 00:00:00 debian spamd[807]: dns: no callback for id 24621/IN/TXT/_adsp._domainkey.slsware.net, ignored, packet on next debug line # Jan 1 00:00:00 debian spamd[807]: dns: no callback for id 15235/IN/MX/slsware.net, ignored, packet on next debug line -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: dns: no callback for id [[:alnum:]\._\/]+, ignored, packet on next debug line$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: dns: no callback for id [[:alnum:]\._\/-]+, ignored, packet on next debug line$ # Jan 1 00:00:00 debian spamd[807]: dns: no likely matching queries for id 15235 # Jan 1 00:00:00 debian spamd[807]: dns: no likely matching queries for id 24621 
@@ -34,8 +34,12 @@ # Jan 1 00:00:00 debian spamd[6670]: spamd: server started on IO::Socket::IP [::1]:783, IO::Socket::IP [127.0.0.1]:783 (running version 3.4.2) ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server started on IO::Socket::IP \[::1\]:783, IO::Socket::IP \[[0-9.]+\]:783 \(running version [0-9.]+\)$ +# May 7 06:35:43 debian spamd: spamd: restarting using '/usr/sbin/spamd -d --pidfile=/var/run/spamd.pid --create-prefs --max-children 5 --helper-home-dir -u debian-spamd -x --virtual-config-dir=/home/vmail/%d/.spamassassin/%l --allow-tell' # Jan 1 06:55:16 debian spamd: spamd: restarting using '/usr/sbin/spamd -d --pidfile=/run/spamd.pid --create-prefs --max-children 5 --helper-home-dir -u debian-spamd -x --virtual-config-dir=/home/vmail/%d/.spamassassin/%l --allow-tell' -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd: spamd: restarting using '\/usr\/sbin\/spamd -d --pidfile=\/run\/spamd\.pid --create-prefs --max-children [0-9]+ --helper-home-dir -u debian-spamd -x --virtual-config-dir=\/home\/vmail\/\%d\/.spamassassin\/\%l --allow-tell'$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd: spamd: restarting using '\/usr\/sbin\/spamd -d --pidfile=(\/var)?\/run\/spamd\.pid --create-prefs --max-children [0-9]+ --helper-home-dir -u debian-spamd -x --virtual-config-dir=\/home\/vmail\/\%d\/.spamassassin\/\%l --allow-tell'$ # Aug 22 06:55:05 debian spamd[251886]: spamd: server pid: 251886 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: spamd: server pid: [0-9]+$ + +# May 28 11:25:25 linode2 spamd[28526]: spamd: using default config for spamass-milter: /home/vmail//.spamassassin//user_prefs +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: spamd: using default config for spamass-milter: \/home\/vmail\/\/.spamassassin\/\/user_prefs$ diff --git a/ignore.d.server/domino-tor b/ignore.d.server/domino-tor index 5e82a24..f9041c4 100644 --- a/ignore.d.server/domino-tor +++ b/ignore.d.server/domino-tor 
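Review bot: The new `using default config for spamass-milter: /home/vmail//.spamassassin//user_prefs` rule hides a line whose doubled slashes show `%d` and `%l` of `--virtual-config-dir` expanding to empty strings — spamd is being called by the milter without a recipient identity and falls back to a shared prefs path — which is a configuration problem to fix rather than log noise. If it must be suppressed meanwhile, escape the period so the rule matches only that path: `\/home\/vmail\/\/\.spamassassin\/\/user_prefs$`. The `--pidfile=(\/var)?\/run\/spamd\.pid` change in the same hunk is fine.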
@@ -42,4 +42,7 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Received http status code [0-9]+ \("Consensus is too old"\) from server '[.[:digit:]:]+' while fetching consensus directory.$ # Apr 25 14:32:41 debian Tor[28899]: http status 400 ("Nonauthoritative directory does not accept posted server descriptors") response from dirserver '185.100.87.41:443'. Malformed rendezvous descriptor? -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: http status 400 \("Nonauthoritative directory does not accept posted server descriptors"\) response from dirserver \'[:.0-9]+\'. Malformed rendezvous descriptor\?$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: http status 400 \("Nonauthoritative directory does not accept posted server descriptors"\) response from dirserver '[[:digit:].:]+'. Malformed rendezvous descriptor\?$ + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Our onion service received [0-9]+ v2 and [0-9]+ v3 [[:alnum:]]+ cells and attempted to launch [0-9]+ rendezvous circuits.$ + From e2533b5a13b22693f8d20614e844ead6c8ad7b5d Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Wed, 7 Jul 2021 19:04:11 +0200 Subject: [PATCH 33/44] add new files --- ignore.d.server/domino-openvpn | 17 +++++++++++++++++ ignore.d.server/domino-python3 | 10 ++++++++++ ignore.d.server/domino-unbound | 4 ++++ 3 files changed, 31 insertions(+) create mode 100644 ignore.d.server/domino-openvpn create mode 100644 ignore.d.server/domino-python3 create mode 100644 ignore.d.server/domino-unbound diff --git a/ignore.d.server/domino-openvpn b/ignore.d.server/domino-openvpn new file mode 100644 index 0000000..48e761c --- /dev/null +++ b/ignore.d.server/domino-openvpn 
@@ -0,0 +1,17 @@ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: [[:alnum:].\/:]+ peer info: .*$ + +# Jun 22 15:05:02 debian ovpn-server[701778]: hostname1/1.2.3.4:12345 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key +# Jun 22 15:05:02 debian ovpn-server[701778]: hostname1/1.2.3.4:12345 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: [[:alnum:].\/:]+ (Incoming|Outgoing) Data Channel: Cipher '[[:alnum:]-]+' initialized with [0-9]+ bit key$ + +# Jun 22 15:06:13 debian ovpn-server[701778]: hostname/1.2.3.4:12345 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=linode, name=EasyRSA, emailAddress=me@myhost.mydomain +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: [[:alnum:].\/:]+ VERIFY OK: .*$ + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: [[:alnum:].\/:]+ TLS: soft reset sec=[0-9-]+ bytes=[[:digit:]\/-]+ pkts=[[:digit:]\/-]+$ + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: [[:alnum:].\/:]+ Control Channel: TLSv[0-9.]+, cipher TLSv[0-9.]+ [[:alnum:]_]+, [0-9]+ bit [[:alnum:]]+$ + +# Jun 23 07:34:08 debian ovpn-server[701778]: 192.168.0.6:1194 TLS: Initial packet from [AF_INET]192.168.0.6:1194, sid=c793723e cc9e1b35 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: [[:alnum:].\/:]+ TLS: Initial packet from \[AF_INET\][[:digit:].:]+, sid=[[:xdigit:]]+ [[:xdigit:]]+$ + + diff --git a/ignore.d.server/domino-python3 b/ignore.d.server/domino-python3 new file mode 100644 index 0000000..ed70777 --- /dev/null +++ b/ignore.d.server/domino-python3 
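Review bot: The `peer info: .*$` and `VERIFY OK: .*$` rules discard the whole remainder of the line, so the client certificate subject that `VERIFY OK` records (the `C=`/`O=`/`CN=`/`emailAddress=` fields in the sample) never reaches the logcheck report; that is the one field an auditor would want, so consider matching the expected shape instead of `.*`, e.g. `VERIFY OK: depth=[0-9]+, [[:alnum:]=, @._-]+$`. The client prefix class `[[:alnum:].\/:]+` omits `-` and `_` although the process-name alternation `ovpn-[._[:alnum:]-]+` allows them, so a client whose common name contains a hyphen will presumably fall through unmatched. This is also the only new file in the series without the `# ; -*- mode: conf; fill-column: 99999 -*-` header, and the `TLS: soft reset` and `Control Channel:` rules carry no sample lines.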
@@ -0,0 +1,10 @@ +# ; -*- mode: conf; fill-column: 99999 -*- + + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[[:digit:]:]+\]: Export: (otodom|gratka)$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[[:digit:]:]+\]: Photos: (True|False)$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[[:digit:]:]+\]: Exporting [0-9]+ objects.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[[:digit:]:]+\]: Connect to ftps...$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[[:digit:]:]+\]: [dwrx-]+\s*[0-9]+ [[:alnum:]@.]+ [[:alnum:]@.-]+\s*[0-9]+ [[:alnum:]]+\s*[0-9]+ [[:digit:]:]+ .*$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[[:digit:]:]+\]: Export done.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]:]+\]: estatesexport@(otodom|gratka).service: Consumed [0-9.]+s CPU time.$ diff --git a/ignore.d.server/domino-unbound b/ignore.d.server/domino-unbound new file mode 100644 index 0000000..b5351cf --- /dev/null +++ b/ignore.d.server/domino-unbound @@ -0,0 +1,4 @@ +# ; -*- mode: conf; fill-column: 99999 -*- + +# Jul 7 17:28:11 debian unbound: [2051328:0] info: generate keytag query _ta-4f66. NULL IN +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]:]+\] info: generate keytag query [[:alnum:]_.-]+ NULL IN$ From 4176b0a0d9b1cc873c8a51cd2c2214ad4331190d Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Mon, 9 Aug 2021 10:27:50 +0200 Subject: [PATCH 34/44] Update --- deploy.yml | 2 +- ignore.d.server/domino-prometheus | 3 +++ ignore.d.server/domino-python3 | 2 +- ignore.d.server/domino-sudodomino-apt | 5 +++++ 4 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 ignore.d.server/domino-sudodomino-apt diff --git a/deploy.yml b/deploy.yml index 1d08d69..1d9cfc2 100644 --- a/deploy.yml +++ b/deploy.yml @@ -2,7 +2,7 @@ remote_user: root - gather_facts: false + gather_facts: true tasks: - name: sync diff --git a/ignore.d.server/domino-prometheus b/ignore.d.server/domino-prometheus index 53f7f8a..34cb8fa 100644 
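Review bot: The directory-listing rule `[dwrx-]+\s*[0-9]+ [[:alnum:]@.]+ [[:alnum:]@.-]+\s*[0-9]+ [[:alnum:]]+\s*[0-9]+ [[:digit:]:]+ .*$` is not tied to the export job: any `ls -l`-shaped line logged by any `python3[...]` process on the host is dropped, and the `.*$` tail accepts any file name. If the intent is to silence the FTPS listing of the `estatesexport@…` run, anchor the tail to the expected path or file-name shape instead of `.*`, and carry a sample `#` line as the other files do. `python3\[[[:digit:]:]+\]` also accepts colons in the PID field; if that is deliberate, a short comment would help the next reader.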
--- a/ignore.d.server/domino-prometheus +++ b/ignore.d.server/domino-prometheus @@ -5,3 +5,6 @@ # Nov 22 10:00:03 debian prometheus[32638]: level=info ts=2019-11-22T09:00:03.649576084Z caller=compact.go:391 component=tsdb msg="compact blocks" count=3 mint=1574380800000 maxt=1574402400000 ulid=01DT95DY28TPGM37SHKZGW8HNZ sources="[01DT8GTS3F22AAFPBRMCT8AHD6 01DT8QPFWB6RYKAM4PQVSWEQTT 01DT8YJ74G7F58SFX0JCEFRZER]" duration=121.365121ms ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ prometheus\[[0-9]+\]: level=info ts=[-[:digit:]TZ\.:]+ caller=(compact|head)\.go:[0-9]+ component=tsdb msg="(write block|head GC completed|compact blocks)?"( count=[0-9]+)?( mint=[0-9]+ maxt=[0-9]+ ulid=[[:alnum:]]+)?( sources="\[[[:alnum:] ]+\]")?( duration=[[:digit:]\.]+ms)?$ + +# apc exporter +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ apcupsd-exporter\[[0-9]+\]: [[:digit:]\/]+ [[:digit:]:]+ &{status:[[:alnum:]]+ nomPower:[[:digit:]]+ batteryChargePercent:[[:digit:]]+ timeOnBattery:[[:digit:]]+ timeLeft:[[:digit:]]+ cumTimeOnBattery:[[:digit:]]+ loadPercent:[[:digit:].]+ batteryVoltage:[[:digit:].]+ lineVoltage:[[:digit:].]+ nomBatteryVoltage:[[:digit:].]+ nomInputVoltage:[[:digit:].]+ hostname:[[:alnum:]_-]+ upsName:[[:alnum:]]+}$ diff --git a/ignore.d.server/domino-python3 b/ignore.d.server/domino-python3 index ed70777..a1c2301 100644 --- a/ignore.d.server/domino-python3 +++ b/ignore.d.server/domino-python3 
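Review bot: The apcupsd-exporter rule uses bare braces in `&{status:…upsName:[[:alnum:]]+}$`; in POSIX ERE `{` opens an interval expression, and a `{` not followed by a valid count is undefined rather than a guaranteed literal, so write `&\{status:` … `upsName:[[:alnum:]]+\}$`. The rule has only the `# apc exporter` heading and no sample log line, and `hostname:[[:alnum:]_-]+` will presumably not match a fully-qualified name containing dots.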
@@ -5,6 +5,6 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[[:digit:]:]+\]: Photos: (True|False)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[[:digit:]:]+\]: Exporting [0-9]+ objects.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[[:digit:]:]+\]: Connect to ftps...$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[[:digit:]:]+\]: [dwrx-]+\s*[0-9]+ [[:alnum:]@.]+ [[:alnum:]@.-]+\s*[0-9]+ [[:alnum:]]+\s*[0-9]+ [[:digit:]:]+ .*$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[[:digit:]:]+\]: [dwrx-]+\s*[0-9]+ [[:alnum:]@.]+\s*[[:alnum:]@._-]+\s*[0-9]+ [[:alnum:]]+\s*[0-9]+ [[:digit:]:]+ .*$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[[:digit:]:]+\]: Export done.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]:]+\]: estatesexport@(otodom|gratka).service: Consumed [0-9.]+s CPU time.$ diff --git a/ignore.d.server/domino-sudodomino-apt b/ignore.d.server/domino-sudodomino-apt new file mode 100644 index 0000000..5b163ac --- /dev/null +++ b/ignore.d.server/domino-sudodomino-apt @@ -0,0 +1,5 @@ +# ; -*- mode: conf; fill-column: 99999 -*- + +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: pam_ssh_agent_auth: matching key found: file\/command \/etc\/security\/authorized_keys, line [0-9]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: pam_ssh_agent_auth: Found matching [[:alnum:]]+ key: [[:xdigit:]:]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: pam_ssh_agent_auth: Authenticated: `[[:alnum:]]+' as `[[:alnum:]]+' using \/etc\/security\/authorized_keys$ From 716d583aa0edc42be463939528ffb69f4185ad51 Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Mon, 6 Sep 2021 12:20:04 +0200 Subject: [PATCH 35/44] Update --- deploy.yml | 2 +- ignore.d.server/domino-kernel | 7 +++++++ ignore.d.server/domino-postfix | 4 ++++ ignore.d.server/domino-systemd | 2 ++ 4 files changed, 14 insertions(+), 1 deletion(-) diff --git a/deploy.yml b/deploy.yml index 1d9cfc2..85970e6 100644 --- a/deploy.yml +++ b/deploy.yml 
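Review bot: The third rule in the new domino-sudodomino-apt file silences every pam_ssh_agent_auth "Authenticated: X as Y using /etc/security/authorized_keys" line for any pair of user names, so a successful sudo authentication by any account holding a key in that file drops out of the report. The file name suggests one automation account running apt; pin that by replacing both `[[:alnum:]]+` in the `Authenticated:` rule with the expected user names, and consider leaving the `Authenticated:` line reportable altogether since it is the audit record of a privilege escalation. The `matching key found` and `Found matching … key` lines are lower value and reasonable to ignore.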
@@ -1,4 +1,4 @@ -- hosts: servers,!nanode,!m81,!edyta.org.pl +- hosts: servers,!nanode remote_user: root diff --git a/ignore.d.server/domino-kernel b/ignore.d.server/domino-kernel index 9482050..367d02e 100644 --- a/ignore.d.server/domino-kernel +++ b/ignore.d.server/domino-kernel @@ -30,3 +30,10 @@ Jun 17 18:47:23 router kernel: [6425157.863842] ip6_tables: (C) 2000-2006 Netfil # May 17 07:26:40 debian kernel: [8672235.902147] ath10k_pci 0000:0d:00.0: Invalid peer id 217 peer stats buffer ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[.[:digit:]]+\] ath10k_pci [[:alnum:]:.]+ Invalid peer id [0-9]+ peer stats buffer$ + +# Jan 1 00:00:00 debian kernel: [3130700.334016] md: md0: data-check done. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[.[:digit:]]+\] md: md[0-9]+: data-check done.$ + +# Jan 1 00:00:00 debian kernel: [3128758.102199] md: data-check of RAID array md0 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[.[:digit:]]+\] md: data-check of RAID array md[0-9]+$ + diff --git a/ignore.d.server/domino-postfix b/ignore.d.server/domino-postfix index af82564..0b5b85b 100644 --- a/ignore.d.server/domino-postfix +++ b/ignore.d.server/domino-postfix 
@@ -36,6 +36,10 @@ ^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[0-9]+\]: Anonymous TLS connection established from [.[:alnum:]-]+\[[:.0-9a-f]+\]: TLSv[.0-9]+ with cipher [_[:alnum:]]+ \([\/0-9]+ bits\) key-exchange (ECDHE|X25519)( \([[:alnum:]-]+\))? server-signature [[:alnum:]-]+ \([0-9]+ bits\)( server-digest [[:alnum:]]+)?$ +# Sep 01 15:37:11 debian postfix/smtpd[11363]: improper command pipelining after HELO from unknown[1.2.3.4]: STARTTLS\r\n +# Sep 1 11:18:50 debian postfix/smtpd[28021]: improper command pipelining after EHLO from unknown[223.229.67.159]: HELO example.com\r\nSTARTTLS\r\n +^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[0-9]+\]: improper command pipelining after [HELO]+ from unknown\[[[:digit:].]+\]: (HELO [[:alnum:].]+\\r\\n)?STARTTLS\\r\\n$ + # ^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[0-9]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:[\/_.:[:alnum:]]+ alert number [[:xdigit:]]+:$ diff --git a/ignore.d.server/domino-systemd b/ignore.d.server/domino-systemd index 6281a88..16e92c1 100644 --- a/ignore.d.server/domino-systemd +++ b/ignore.d.server/domino-systemd @@ -82,7 +82,9 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Queued start job for default target Main User Target.$ # Jan 23 07:35:48 debian systemd[1]: session-c18.scope: Consumed 1.201s CPU time. +# Aug 31 23:25:00 debian systemd[1]: session-15432.scope: Consumed 1min 52.828s CPU time. ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: [[:alnum:]-]+.(service|scope|slice): Consumed [[:digit:].]+s CPU time.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: [[:alnum:]-]+.(service|scope|slice): Consumed ([[:digit:]]+min )?[[:digit:].]+s CPU time.$ # Jan 23 07:35:47 debian systemd[563453]: Created slice User Application Slice. # Jan 23 07:35:58 debian systemd[563453]: Removed slice User Application Slice. 
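Review bot: `[HELO]+` in the new pipelining rule is a bracket expression, not the alternation it reads as, so it matches `HELO` and `EHLO` but equally `LLLL` or `OH`; write `after (HELO|EHLO) from`. Improper command pipelining from `unknown[...]` hosts is also a common scanner signature, so keep the rule as narrow as the two samples rather than widening it later; the `(HELO [[:alnum:].]+\\r\\n)?STARTTLS\\r\\n$` tail already does that.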
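Review bot: The added `Consumed ([[:digit:]]+min )?[[:digit:].]+s CPU time.` rule in the domino-systemd hunk fully subsumes the existing `Consumed [[:digit:].]+s CPU time.` rule directly above it, which is now dead; drop the old line rather than keep both. Neither rule escapes the `.` before `(service|scope|slice)` or the final one, so `[[:alnum:]-]+.(service|…)` also accepts e.g. `fooXservice`; `\.(service|scope|slice): Consumed … CPU time\.$` is what the samples show.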
From 778e144a3cbde007992026d9b1b33e6ec1b707a5 Mon Sep 17 00:00:00 2001
From: Dominik Szmek
Date: Mon, 6 Sep 2021 12:20:22 +0200
Subject: [PATCH 36/44] Add
---
 ignore.d.server/domino-uptimed | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 ignore.d.server/domino-uptimed
diff --git a/ignore.d.server/domino-uptimed b/ignore.d.server/domino-uptimed
new file mode 100644
index 0000000..b683277
--- /dev/null
+++ b/ignore.d.server/domino-uptimed
@@ -0,0 +1,3 @@
+# ; -*- mode: conf; fill-column: 99999 -*-
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ uptimed: milestone: .*$
From ee6222d115bfa6b16775a000bbd381f0ca5a39d6 Mon Sep 17 00:00:00 2001
From: Dominik Szmek
Date: Sat, 19 Feb 2022 21:43:02 +0100
Subject: [PATCH 37/44] Add new rules
---
 ignore.d.server/domino-dnsmasq | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/ignore.d.server/domino-dnsmasq b/ignore.d.server/domino-dnsmasq
index 635c0f4..451381d 100644
--- a/ignore.d.server/domino-dnsmasq
+++ b/ignore.d.server/domino-dnsmasq
@@ -1,2 +1,8 @@
 # Apr 22 12:32:20 debian dnsmasq-dhcp[1222]: DHCPSOLICIT(br0) 00:01:00:01:27:f4:b3:ab:74:78:27:68:64:04
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq-dhcp\[[0-9]+\]: DHCPSOLICIT\([[:alnum:]]+\) [[:xdigit:]:]+$
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq-dhcp\[[0-9]+\]: DHCPCONFIRM\([[:alnum:]]+\) [[:xdigit:]:]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq-dhcp\[[0-9]+\]: DHCPREPLY\([[:alnum:]]+\) [[:xdigit:]:]+ [[:xdigit:]:]+ confirm failed$
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq\[[0-9]+\]: reducing DNS packet size for nameserver [[:digit:].]+ to [0-9]+$
+
From a0b03cb3218c0346fcc43b46ec135df875203c0b Mon Sep 17 00:00:00 2001
From: Dominik Szmek
Date: Tue, 22 Feb 2022 12:21:54 +0100
Subject: [PATCH 38/44] update
---
 ignore.d.server/domino-dnsmasq | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/ignore.d.server/domino-dnsmasq b/ignore.d.server/domino-dnsmasq
index 451381d..74f395f 100644
--- a/ignore.d.server/domino-dnsmasq
+++ b/ignore.d.server/domino-dnsmasq
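Review bot: The three new dnsmasq rules (`DHCPCONFIRM`, `DHCPREPLY … confirm failed`, `reducing DNS packet size`) have no sample log lines, whereas the existing `DHCPSOLICIT` rule above them does; add the observed lines as `#` comments so the next edit can check the character classes against real output. The interface class `\([[:alnum:]]+\)` will presumably not match bridge or VLAN names containing `-` or `.`, which the sample `br0` does not exercise. The hunk also adds a trailing blank line at end of file.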
@@ -6,3 +6,6 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq\[[0-9]+\]: reducing DNS packet size for nameserver [[:digit:].]+ to [0-9]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq-dhcp\[[0-9]+\]: DHCPINFORMATION-REQUEST\([[:alnum:]]+\) [[:xdigit:]:]+ [[:alnum:]_-]+$ + + From 2fbd62b36dd0d28ee1f7f75eb73e6a727c19ca1a Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Fri, 22 Apr 2022 12:55:28 +0200 Subject: [PATCH 39/44] update rules --- ignore.d.server/domino-dovecot | 2 +- ignore.d.server/domino-hostapd | 4 ++++ ignore.d.server/domino-ntp | 4 ++++ ignore.d.server/domino-systemd | 4 ++++ 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/ignore.d.server/domino-dovecot b/ignore.d.server/domino-dovecot index 12fb3b3..8010b80 100644 --- a/ignore.d.server/domino-dovecot +++ b/ignore.d.server/domino-dovecot 
@@ -23,7 +23,7 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap: Connection closed in=[[:digit:]]+ out=[[:digit:]]+$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed \((EXAMINE|UID FETCH|UID STORE|LIST|NOOP|STATUS|append)? finished [0-9.]+ secs ago\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed \((EXAMINE|UID FETCH|UID STORE|LIST|NOOP|STATUS|APPEND|append)? finished [0-9.]+ secs ago\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Disconnected for inactivity in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]\.@_-]+\)<[[:digit:]]+><[\/[:alnum:]]+>: Connection closed \(IDLE running for [[:digit:]\.]+ \+ waiting input for [[:digit:]\.]+ secs, [0-9]+ B in \+ [[:digit:]\+]+ B out, state=wait-input\) in=[0-9]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([\._@[:alnum:]-]+\)<[[:digit:]]+><[\+\/[:alnum:]]+>: Logged out in=[[:digit:]]+ out=[[:digit:]]+ deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+$ diff --git a/ignore.d.server/domino-hostapd b/ignore.d.server/domino-hostapd index 385b3c8..2489f5b 100644 --- a/ignore.d.server/domino-hostapd 
+++ b/ignore.d.server/domino-hostapd @@ -50,3 +50,7 @@ # Apr 22 09:31:54 debian hostapd[1555]: wlp13s0: STA-OPMODE-SMPS-MODE-CHANGED 50:2f:9b:04:0a:b5 off ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hostapd(\[[0-9]+\])?: [[:alnum:]]+: STA-OPMODE-SMPS-MODE-CHANGED [[:xdigit:]:]{17} off$ + +# Apr 22 04:09:39 debian hostapd[1537]: Station f0:05:d1:c6:ed:12 trying to disassociate, but it is not associated + +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hostapd(\[[0-9]+\])?: Station [[:xdigit:]:]+ trying to disassociate, but it is not associated$ diff --git a/ignore.d.server/domino-ntp b/ignore.d.server/domino-ntp index 06550b6..4513e2b 100644 --- a/ignore.d.server/domino-ntp +++ b/ignore.d.server/domino-ntp @@ -23,3 +23,7 @@ # Jan 01 01:01:01 debian ntpd[843]: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): will expire in less than 24 days ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: leapsecond file \('\/usr\/share\/zoneinfo\/leap-seconds.list'\): will expire in less than [0-9]+ days$ + +# Apr 22 10:20:48 debian ntpd[2656614]: no peer for too long, server running free now + +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: no peer for too long, server running free now$ diff --git a/ignore.d.server/domino-systemd b/ignore.d.server/domino-systemd index 16e92c1..fd3148a 100644 --- a/ignore.d.server/domino-systemd +++ b/ignore.d.server/domino-systemd @@ -96,3 +96,7 @@ # Jan 25 00:00:01 debian systemd[1]: rsyslog.service: Sent signal SIGHUP to main process 572 (rsyslogd) on client request. ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: rsyslog.service: Sent signal SIGHUP to main process [0-9]+ \(rsyslogd\) on client request.$ + +# Apr 22 07:39:39 debian systemd: pam_unix(systemd-user:session): session opened for user nobody(uid=65534) by (uid=0) + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session opened for user nobody\(uid=[0-9]+\) by \(uid=[0-9]+\)$ 
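Review bot: Silencing `ntpd[...]: no peer for too long, server running free now` in the domino-ntp hunk hides a condition worth seeing: it means ntpd has lost all of its time sources and the clock is free-running, which degrades log timestamp correlation and, over time, certificate and ticket validity checks. Consider leaving this line out of the ignore set, or ignoring it only on hosts where a free-running clock is expected and documenting that in the `#` comment above the rule.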
From f7748dd9760f530715a3f4b3be81b9f84b7c3e81 Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Thu, 26 May 2022 21:47:57 +0200 Subject: [PATCH 40/44] Add new rules --- ignore.d.server/domino-syslog | 2 +- ignore.d.server/domino-systemd | 3 ++- ignore.d.server/domino-tor | 7 +++++++ 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/ignore.d.server/domino-syslog b/ignore.d.server/domino-syslog index 57dc71c..e045b7c 100644 --- a/ignore.d.server/domino-syslog +++ b/ignore.d.server/domino-syslog @@ -1,5 +1,5 @@ # ; -*- mode: conf; fill-column: 99999 -*- # Sep 18 00:00:04 debian-linode rsyslogd: [origin software="rsyslogd" swVersion="8.1901.0" x-pid="720" x-info="https://www.rsyslog.com"] rsyslogd was HUPed -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd: \[origin software=\"rsyslogd\" swVersion=\"[[:digit:].]+\" x-pid=\"[0-9]+\" x-info=\"https:\/\/www.rsyslog.com\"\] rsyslogd was HUPed$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd:\s? \[origin software=\"rsyslogd\" swVersion=\"[[:digit:].]+\" x-pid=\"[0-9]+\" x-info=\"https:\/\/www.rsyslog.com\"\] rsyslogd was HUPed$ diff --git a/ignore.d.server/domino-systemd b/ignore.d.server/domino-systemd index fd3148a..3486861 100644 --- a/ignore.d.server/domino-systemd +++ b/ignore.d.server/domino-systemd @@ -99,4 +99,5 @@ # Apr 22 07:39:39 debian systemd: pam_unix(systemd-user:session): session opened for user nobody(uid=65534) by (uid=0) -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session opened for user nobody\(uid=[0-9]+\) by \(uid=[0-9]+\)$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session opened for user [[:alnum:]]+\(uid=[0-9]+\) by \(uid=[0-9]+\)$ + diff --git a/ignore.d.server/domino-tor b/ignore.d.server/domino-tor index f9041c4..06eed16 100644 --- a/ignore.d.server/domino-tor +++ b/ignore.d.server/domino-tor 
@@ -46,3 +46,10 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Our onion service received [0-9]+ v2 and [0-9]+ v3 [[:alnum:]]+ cells and attempted to launch [0-9]+ rendezvous circuits.$ +# May 1 02:29:21 debian Tor[32138]: Tor has not observed any network activity for the past 150 seconds. Disabling circuit build timeout recording. + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Tor has not observed any network activity for the past [0-9]+ seconds\. Disabling circuit build timeout recording\.$ + +# May 1 02:29:27 debian Tor[32138]: Tor now sees network activity. Restoring circuit build timeout recording. Network was down for 156 seconds during 4 circuit attempts. + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Tor now sees network activity. Restoring circuit build timeout recording\. Network was down for [0-9]+ seconds during 4 circuit attempts\.$ From 3a6c3cb0e13db5a63b73d940a68629b1fb57d586 Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Sat, 23 Jul 2022 14:16:45 +0200 Subject: [PATCH 41/44] Update rules --- ignore.d.server/domino-hostapd | 3 ++- ignore.d.server/domino-opendkim | 5 +++++ ignore.d.server/domino-tor | 8 +++++++- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/ignore.d.server/domino-hostapd b/ignore.d.server/domino-hostapd index 2489f5b..44d66a7 100644 --- a/ignore.d.server/domino-hostapd +++ b/ignore.d.server/domino-hostapd 
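Review bot: The second new rule hard-codes `during 4 circuit attempts` from the sample, so the message is only ignored when exactly four attempts were made; make it `during [0-9]+ circuit attempts\.$`. The same rule escapes the later periods but not the one in `Tor now sees network activity.`, which should be `network activity\.` for consistency with the rule above it.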
@@ -28,8 +28,9 @@ # Nov 2 00:00:00 debian hostapd[544]: wls12: CTRL-EVENT-EAP-STARTED 0a:0a:0a:0a:0a:0a # Nov 2 00:00:00 debian hostapd[544]: wls12: CTRL-EVENT-EAP-SUCCESS2 0a:0a:0a:0a:0a:0a # Nov 2 00:00:00 debian hostapd[544]: wls12: CTRL-EVENT-EAP-TIMEOUT-FAILURE 0a:0a:0a:0a:0a:0a +# Jul 1 00:00:00 debian hostapd[213]: wlp6s1: CTRL-EVENT-EAP-TIMEOUT-FAILURE2 0a:0a:0a:0a:0a:0a -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hostapd(\[[0-9]+\])?: [[:alnum:]]+: CTRL-EVENT-EAP-(STARTED|SUCCESS2|RETRANSMIT(2)?|TIMEOUT-FAILURE|FAILURE2|PROPOSED-METHOD) ([[:xdigit:]:]{17})?(vendor=[0-9]+ method=[0-9]+)?$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hostapd(\[[0-9]+\])?: [[:alnum:]]+: CTRL-EVENT-EAP-(STARTED|SUCCESS2|RETRANSMIT(2)?|TIMEOUT-FAILURE2?|FAILURE2|PROPOSED-METHOD) ([[:xdigit:]:]{17})?(vendor=[0-9]+ method=[0-9]+)?$ # Nov 9 15:52:09 debian hostapd[491]: Switching to 40 MHz operation diff --git a/ignore.d.server/domino-opendkim b/ignore.d.server/domino-opendkim index 880d0f6..1033f4c 100644 --- a/ignore.d.server/domino-opendkim +++ b/ignore.d.server/domino-opendkim @@ -3,3 +3,8 @@ # Jan 1 00:00:00 debian opendkim[689]: AC9103E9A5: external host mail-oi1-x22b.google.com attempted to send as costam.org.pl ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:xdigit:]]{10,11}: external host [[:alnum:]\.-]+ attempted to send as [[:alnum:]\.-]+$ + +# Jul 21 07:02:12 debian opendkim[604]: 054F13E803: s=mail d=domain.com a=rsa-sha256 SSL +# Jul 21 07:02:17 debian opendkim[604]: 5145C3E803: s=mail d=domain.com a=rsa-sha256 SSL + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:xdigit:]]{10,11}: s=[[:alnum:].-]+ d=[[:alnum:].-]+ a=(rsa|ed25519)-sha256 SSL$ diff --git a/ignore.d.server/domino-tor b/ignore.d.server/domino-tor index 06eed16..46e7b14 100644 --- a/ignore.d.server/domino-tor +++ b/ignore.d.server/domino-tor 
@@ -17,7 +17,10 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Average packaged cell fullness: [.[:digit:]]+\%. TLS write overhead: [.[:digit:]]+\%$ # Jun 25 19:20:39 router Tor[992]: Heartbeat: Tor's uptime is 6:00 hours, with 6 circuits open. I've sent 878 kB and received 1.70 MB. -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Heartbeat: Tor's uptime is( [0-9]+ days)? [[:digit:]:]+ hours, with [0-9]+ circuits open. I've sent [.[:digit:]]+ [[:alnum:]]{1,2} and received [.[:digit:]]+ [[:alnum:]]{1,2}.$ +# Jul 21 00:02:11 debian Tor[647]: Heartbeat: Tor's uptime is 1 day 12:00 hours, with 9 circuits open. I've sent 14.64 MB and received 18.83 MB. I've received 0 connections on IPv4 and 0 on IPv6. +# Jul 21 12:02:11 debian Tor[647]: Heartbeat: Tor's uptime is 2 days 0:00 hours, with 9 circuits open. I've sent 21.09 MB and received 25.67 MB. I've received 0 connections on IPv4 and 0 on IPv6. I've made 40 connections with IPv4 and 0 with IPv6. + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Heartbeat: Tor's uptime is( [0-9]+ days?)? [[:digit:]:]+ hours, with [0-9]+ circuits open. I've sent [.[:digit:]]+ [[:alnum:]]{1,2} and received [.[:digit:]]+ [[:alnum:]]{1,2}.( I've received [0-9]+ connections on IPv4 and [0-9]+ on IPv6.)?( I've made [0-9]+ connections with IPv4 and [0-9]+ with IPv6.)?$ # Nov 7 00:01:05 debian Tor[14367]: Read configuration file "/usr/share/tor/tor-service-defaults-torrc". # Nov 7 00:01:05 debian Tor[14367]: Read configuration file "/etc/tor/torrc". 
@@ -53,3 +56,6 @@ # May 1 02:29:27 debian Tor[32138]: Tor now sees network activity. Restoring circuit build timeout recording. Network was down for 156 seconds during 4 circuit attempts. ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Tor now sees network activity. Restoring circuit build timeout recording\. Network was down for [0-9]+ seconds during 4 circuit attempts\.$ + +# Jul 21 00:02:11 debian Tor[647]: While not bootstrapping, fetched this many bytes: 1055429 (consensus network-status fetch); 326938 (microdescriptor fetch) +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: While not bootstrapping, fetched this many bytes: [0-9]+ \(consensus network-status fetch\); [0-9]+ \(microdescriptor fetch\)$ From 6c5baa80bf813f19353341f5372163db6ea812e9 Mon Sep 17 00:00:00 2001 From: Dominik Szmek Date: Sat, 13 Aug 2022 19:27:34 +0200 Subject: [PATCH 42/44] update --- ignore.d.server/domino-systemd | 6 +++--- ignore.d.server/domino-tor | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ignore.d.server/domino-systemd b/ignore.d.server/domino-systemd index 3486861..c83a009 100644 --- a/ignore.d.server/domino-systemd +++ b/ignore.d.server/domino-systemd @@ -21,7 +21,7 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Rotate log files\.$ # Sep 20 08:06:33 router systemd[1]: user-runtime-dir@1000.service: Succeeded. -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: [-[:alnum:].@]+.(service|path|socket|scope|timer|mount): Succeeded.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: [-_[:alnum:].@]+.(service|path|socket|scope|timer|mount): Succeeded.$ # Aug 14 00:00:15 debian systemd[1]: Closed CUPS Scheduler. # Aug 14 00:00:15 debian systemd[1]: Listening on CUPS Scheduler. 
@@ -98,6 +98,6 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: rsyslog.service: Sent signal SIGHUP to main process [0-9]+ \(rsyslogd\) on client request.$ # Apr 22 07:39:39 debian systemd: pam_unix(systemd-user:session): session opened for user nobody(uid=65534) by (uid=0) +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (systemd|runuser): pam_unix\((systemd-user|runuser):session\): session opened for user [[:alnum:]-]+\(uid=[0-9]+\) by \(uid=[0-9]+\)$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session opened for user [[:alnum:]]+\(uid=[0-9]+\) by \(uid=[0-9]+\)$ - +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Online ext4 Metadata Check for All Filesystems\.$ diff --git a/ignore.d.server/domino-tor b/ignore.d.server/domino-tor index 46e7b14..d86f818 100644 --- a/ignore.d.server/domino-tor +++ b/ignore.d.server/domino-tor @@ -58,4 +58,4 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Tor now sees network activity. Restoring circuit build timeout recording\. Network was down for [0-9]+ seconds during 4 circuit attempts\.$ # Jul 21 00:02:11 debian Tor[647]: While not bootstrapping, fetched this many bytes: 1055429 (consensus network-status fetch); 326938 (microdescriptor fetch) -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: While not bootstrapping, fetched this many bytes: [0-9]+ \(consensus network-status fetch\); [0-9]+ \(microdescriptor fetch\)$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: While not bootstrapping, fetched this many bytes: [0-9]+ \(consensus network-status fetch\);( [0-9]+ \(authority cert fetch\);)? [0-9]+ \(microdescriptor fetch\)$ From caffc754301ca53a6a9e03b02d2c8f87af48f28b Mon Sep 17 00:00:00 2001 
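Review bot: Widening the pam_unix rule to `(systemd|runuser): pam_unix\((systemd-user|runuser):session\)` with `[[:alnum:]-]+` for the user and `\(uid=[0-9]+\)` for the caller silences every runuser session-open, i.e. the audit trail of any account switch performed via runuser, for any target user and any calling uid. If the noise comes from a known cron or service account, pin it: `session opened for user EXPECTED-USER\(uid=[0-9]+\) by \(uid=0\)` (with the real account name in place of the placeholder) and keep other runuser lines reportable. The alternation is also untied, so `systemd: pam_unix(runuser:session)` combinations match too, and the new `Finished Online ext4 Metadata Check` rule has no sample line.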
From: Dominik Szmek Date: Mon, 9 Jan 2023 12:35:51 +0100 Subject: [PATCH 43/44] update --- ignore.d.server/domino-opendkim | 2 +- ignore.d.server/domino-postfix | 25 +++++++++++++++++++++++++ ignore.d.server/domino-spamd | 17 ++++++++++++++++- ignore.d.server/domino-squid | 9 +++++++++ ignore.d.server/domino-systemd | 4 ++++ ignore.d.server/repo-smartd | 3 ++- 6 files changed, 57 insertions(+), 3 deletions(-) diff --git a/ignore.d.server/domino-opendkim b/ignore.d.server/domino-opendkim index 1033f4c..ce06f41 100644 --- a/ignore.d.server/domino-opendkim +++ b/ignore.d.server/domino-opendkim @@ -7,4 +7,4 @@ # Jul 21 07:02:12 debian opendkim[604]: 054F13E803: s=mail d=domain.com a=rsa-sha256 SSL # Jul 21 07:02:17 debian opendkim[604]: 5145C3E803: s=mail d=domain.com a=rsa-sha256 SSL -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:xdigit:]]{10,11}: s=[[:alnum:].-]+ d=[[:alnum:].-]+ a=(rsa|ed25519)-sha256 SSL$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:xdigit:]]{10,11}: s=[[:alnum:]_.-]+ d=[[:alnum:].-]+ a=(rsa|ed25519)-sha256 SSL$ diff --git a/ignore.d.server/domino-postfix b/ignore.d.server/domino-postfix index 0b5b85b..dc347d4 100644 --- a/ignore.d.server/domino-postfix +++ b/ignore.d.server/domino-postfix 
@@ -74,6 +74,9 @@ # Jun 11 12:20:40 debian postfix/smtpd[19535]: NOQUEUE: reject: MAIL from oakwood.hyperslice.net[109.203.106.148]: 552 5.3.4 Message size exceeds fixed limit; proto=ESMTP helo= ^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix(/submission|/smtps|/[0-9]+)?/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: MAIL from [\.[:alnum:]]+\[[\.[:alnum:]]+\]: 552 5\.3\.4 Message size exceeds fixed limit; proto=ESMTP helo=<[.[:alnum:]]+>$ +# Jan 8 11:15:03 debian postfix/smtpd[41137]: NOQUEUE: reject: RCPT from unknown[185.239.242.52]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo= +^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [.[:alnum:]-]+\[[.0-9]+\]: [0-9]+ [.0-9]+ <[@._[:alnum:]-]+>: Relay access denied; from=<[@._=[:alnum:]-]+> to=<[@._=[:alnum:]-]+> proto=(E)SMTP helo=<[._[:alnum:]-]+>$ + # Jan 1 00:00:00 debian postfix/smtpd[3169]: NOQUEUE: reject: RCPT from ip242.ip-54-38-110.eu[1.2.3.4]: 550 5.7.27 : Sender address rejected: Domain example.com does not accept mail (nullMX); from= to= proto=SMTP helo= ^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [.[:alnum:]-]+\[[.0-9]+\]: [0-9]+ [.0-9]+ <[@._[:alnum:]-]+>: Sender address rejected: Domain example.com does not accept mail \(nullMX\); from=<[@._[:alnum:]-]+> to=<[@._[:alnum:]-]+> proto=SMTP helo=<[._[:alnum:]-]+>$ 
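Review bot: `proto=(E)SMTP` in the new Relay access denied rule is a group around a mandatory `E`, not an optional one, so `proto=SMTP` lines, which the nullMX rule two lines below handles explicitly, do not match; use `proto=E?SMTP`. The same `(E)SMTP` appears in the cleanup `replace: header Received:` rule in the next hunk of this file. `NOQUEUE: reject: RCPT … Relay access denied` from `unknown[...]` is also the classic open-relay probe, so if these are ignored for volume it is worth keeping a count of them elsewhere rather than losing the signal entirely.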
@@ -89,3 +92,25 @@
 ^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/cleanup\[[0-9]+\]: [[:xdigit:]]+: message-id=$
+# Jan 8 12:45:41 debian postfix/cleanup[4112707]: B371B3E840: replace: header Received: from debian-m2.debian-m2 (unknown [IPv6:2001:4707:d03d:0:a260:69ff:fec4:3a5f])??(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)?? key-exchange X25519 server-signature RSA-PSS from unknown[2001:407:d03d:0:a260:69ff:fec4:3a5f]; from= to= proto=ESMTP helo=: Received: from debian-m2 (thanks!)
+
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/cleanup\[[0-9]+\]: [[:xdigit:]]+: replace: header Received: from [\.[:alnum:]-]+ \(unknown \[[\.[:alnum:][:xdigit:]:]+\]\)\?\?\(using TLSv[0-9.]+ with cipher TLS_[[:alnum:]_]+ \([0-9\/]+ bits\)\?\? key-exchange [[:alnum:]-]+ server-signature RSA-PSS from unknown\[[[:xdigit:]:]+\]; from=<[[:alnum:]@_.-]+> to=<[[:alnum:]@_.-]+> proto=(E)SMTP helo=<[[:alnum:]@_.-]+>: Received: from [[:alnum:]-]+ \(thanks!\)$
+
+# --- qmgr ---
+
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/qmgr\[[0-9]+\]: [[:xdigit:]]+: removed$
+
+# --- scache ---
+
+# Jan 8 11:05:37 debian postfix/scache[2995]: statistics: domain lookup hits=0 miss=1 success=0%
+
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/scache\[[0-9]+\]: statistics: (domain|address) lookup hits=[0-9]+ miss=[0-9]+ success=[0-9.]+%$
+
+# Jan 8 11:05:37 debian postfix/scache[2995]: statistics: start interval Jan 8 11:02:10
+
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/scache\[[0-9]+\]: statistics: start interval \w{3} [ :[:digit:]]{11}$
+
+# Jan 8 11:05:37 debian postfix/scache[4110981]: statistics: max simultaneous domains=1 addresses=1 connection=1
+
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/scache\[[0-9]+\]: statistics: max simultaneous domains=[0-9]+ addresses=[0-9]+ connection=[0-9]+$
+
diff --git a/ignore.d.server/domino-spamd b/ignore.d.server/domino-spamd
index c683f96..155146a 100644
--- a/ignore.d.server/domino-spamd
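Review bot: The `# --- qmgr ---` section adds the `removed` rule without the sample log line every other rule in this hunk carries, so a reader cannot check the pattern against real output; a constructed sample such as `# Jan 8 11:05:37 debian postfix/qmgr[<pid>]: <queue-id>: removed` above it would keep the file's convention. In the cleanup rule, `[\.[:alnum:][:xdigit:]:]` lists `[:xdigit:]` inside a class that already contains `[:alnum:]`, and the backslash before `.` is a literal character inside a bracket expression, so `[.[:alnum:]:]` expresses the same set without the dead escape. The scache `success=[0-9.]+%` class is fine, but note that `[0-9\/]+` in `\([0-9\/]+ bits\)` has the same literal-backslash issue; `[0-9/]+` is the intended class.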
+++ b/ignore.d.server/domino-spamd
@@ -41,5 +41,20 @@
 # Aug 22 06:55:05 debian spamd[251886]: spamd: server pid: 251886
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: spamd: server pid: [0-9]+$
-# May 28 11:25:25 linode2 spamd[28526]: spamd: using default config for spamass-milter: /home/vmail//.spamassassin//user_prefs
+# May 28 11:25:25 debian spamd[28526]: spamd: using default config for spamass-milter: /home/vmail//.spamassassin//user_prefs
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: spamd: using default config for spamass-milter: \/home\/vmail\/\/.spamassassin\/\/user_prefs$
+
+# Jan 8 20:04:03 debian spamd[4105928]: spamd: processing message aka for me@mail.com:115
+# Jan 8 10:02:08 debian spamd[4105928]: spamd: processing message <20230108090202.C0EC43C174@someone.com> for me@domain.com:115
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: spamd: processing message <[[:alnum:]:=\$_\/@.+-]+>( aka <[[:alnum:]:=\$_\/@.+-]+>)? for [@._[:alnum:]-]+:[0-9]+$
+
+# Jan 8 10:02:16 debian spamd[4105928]: spamd: clean message (-2.1/5.0) for me@domain.com:115 in 0.1 seconds, 2269 bytes.
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: spamd: clean message \([0-9\/.-]+\) for [@._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes.$
+
+# Jan 8 06:54:32 debian spamd[23459]: spamd: server successfully spawned child process, pid 23460
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: spamd: server successfully spawned child process, pid [0-9]+$
+
+# Jan 8 07:24:47 debian spamd[4066587]: logger: removing stderr method
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: logger: removing stderr method$
+
+
diff --git a/ignore.d.server/domino-squid b/ignore.d.server/domino-squid
index 1a451cf..eb3a69a 100644
--- a/ignore.d.server/domino-squid
+++ b/ignore.d.server/domino-squid
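Review bot: In the new `processing message` rule the `\$` and `\/` escapes sit inside bracket expressions, where POSIX ERE treats a backslash as a literal character, so each class also admits `\` and the escapes do nothing; `[[:alnum:]:=$_/@.+-]+` is the set that was meant (the same applies to `[0-9\/.-]+` in the `clean message` rule). The `clean message` rule ends in `bytes.$` with an unescaped dot, which still matches but breaks with the `\.` style used elsewhere in this file; `bytes\.$` keeps it consistent. Ignoring only the `clean message` verdict keeps spamd's spam verdicts reportable, assuming no other rule in the file swallows them.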
@@ -1,5 +1,14 @@
 # ; -*- mode: conf; fill-column: 99999 -*-
+# Jan 9 00:00:03 debian squid[384047]: storeDirWriteCleanLogs: Starting...
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: storeDirWriteCleanLogs: Starting...$
+
+# Jan 9 00:00:03 debian squid[384047]: Finished. Wrote 0 entries.
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: [\s]+Finished. Wrote [0-9]+ entries.$
+
+# Jan 9 00:00:03 debian squid[384047]: Took 0.00 seconds ( 0.00 entries/sec).
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: [\s]+Took [0-9.]+ seconds \([\s0-9.]+ entries\/sec\).$
+
 #Apr 9 10:45:52 debian squid[30555]: Logfile: closing log stdio:/var/spool/squid/netdb.state
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Logfile: (opening|closing) log stdio:\/var\/spool\/squid\/[[:alnum:].]+$
diff --git a/ignore.d.server/domino-systemd b/ignore.d.server/domino-systemd
index c83a009..19f845c 100644
--- a/ignore.d.server/domino-systemd
+++ b/ignore.d.server/domino-systemd
@@ -101,3 +101,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (systemd|runuser): pam_unix\((systemd-user|runuser):session\): session opened for user [[:alnum:]-]+\(uid=[0-9]+\) by \(uid=[0-9]+\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Online ext4 Metadata Check for All Filesystems\.$
+
+# Jan 8 11:19:14 debian systemd[1884981]: Reached target Main User Target.
+# Jan 8 11:20:30 debian systemd[1884981]: Reached target Exit the Session.
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[ :[:digit:]]+\]: Reached target (Main User Target|Exit the Session).$
diff --git a/ignore.d.server/repo-smartd b/ignore.d.server/repo-smartd
index 4d3cbea..b8ae771 100644
--- a/ignore.d.server/repo-smartd
+++ b/ignore.d.server/repo-smartd
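Review bot: `[\s]+` in the new `Finished` and `Took` rules does not mean whitespace: inside a bracket expression POSIX ERE takes the backslash literally, so the class matches only `\` or `s`, and whatever leading whitespace the author meant it to absorb will never match (the sample lines as rendered here show none, so the intent is inferred). Use `[[:space:]]+` or ` +` in both rules and in `\([\s0-9.]+ entries\/sec\)`. The dots in `Starting...$`, `entries.$` and `\).$` are unescaped metacharacters, unlike the `\.` style used in the rest of the file; `Starting\.\.\.$`, `entries\.$` and `\)\.$` keep it consistent.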
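Review bot: The new systemd rule's PID class `systemd\[[ :[:digit:]]+\]` admits spaces and colons — it looks copied from the timestamp class — whereas the context line directly above uses `systemd\[[[:digit:]]+\]`; narrowing it to `[[:digit:]]+` keeps the two consistent and stops the rule matching a bracketed field that is not a PID. The trailing `.` in `(Main User Target|Exit the Session).$` is unescaped, unlike `Filesystems\.$` on the preceding line; `\.$` matches the file's style.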
@@ -1,5 +1,6 @@
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/[^[:space:]]+ (\[(SAT|areca_disk#[[:digit:]]{2}_enc#[[:digit:]]{2})\])?, SMART (Prefailure|Usage) Attribute: [[:digit:]]+ [-_[:alnum:]]+ changed from [[:digit:]]+ to [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: \/dev\/[^[:space:]]+( \[megaraid_disk_[0-9]+\])? (\[(SAT|areca_disk#[[:digit:]]{2}_enc#[[:digit:]]{2})\])?, SMART (Prefailure|Usage) Attribute: [[:digit:]]+ [-_[:alnum:]]+ changed from [[:digit:]]+ to [[:digit:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/[^[:space:]]+( \[[_/[:alnum:][:space:]]+\])? (\[(SAT|areca_disk#[[:digit:]]{2}_enc#[[:digit:]]{2})\])?, starting scheduled (Offline Immediate |(Long|Short) Self-)Test\.$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/[^[:space:]]+( \[[_/[:alnum:][:space:]]+\])? (\[(SAT|areca_disk#[[:digit:]]{2}_enc#[[:digit:]]{2})\])?, previous self-test completed without error$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/[^[:space:]]+( \[[_/[:alnum:][:space:]]+\])? (\[(SAT|areca_disk#[[:digit:]]{2}_enc#[[:digit:]]{2})\])?, CHECK POWER STATUS spins up disk \([0x[:xdigit:]]+ -> [0x[:xdigit:]]+\)$
+
From 65cad52fd8bf4686f20b06a64ea7e564267d68a5 Mon Sep 17 00:00:00 2001
From: Dominik Szmek
Date: Mon, 9 Jan 2023 12:36:12 +0100
Subject: [PATCH 44/44] Add new rules
---
 ignore.d.server/domino-anacron | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 ignore.d.server/domino-anacron
diff --git a/ignore.d.server/domino-anacron b/ignore.d.server/domino-anacron
new file mode 100644
index 0000000..fedfe5f
--- /dev/null
+++ b/ignore.d.server/domino-anacron
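Review bot: The rewritten attribute-change rule narrows the optional bracket after the device path to `( \[megaraid_disk_[0-9]+\])?`, while the three sibling rules in this hunk use `( \[[_/[:alnum:][:space:]]+\])?` for the same field; unless the intent is to cover only megaraid devices, reusing the sibling class keeps the four rules consistent (the `\/dev\/` escaping also differs from their `/dev/`, a style point). The rule still suppresses `Prefailure` attribute changes, which are the early disk-degradation warnings smartd exists to surface; that predates this commit, but it is worth confirming the suppression is deliberate rather than extending it to more controller types.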
@@ -0,0 +1,22 @@
+# ; -*- mode: conf; fill-column: 99999 -*-
+
+# Jan 9 07:30:02 debian anacron[2533381]: Will run job `cron.daily' in 5 min.
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ anacron\[[0-9]+\]: Will run job \`cron.[[:alnum:]]+\' in [0-9]+ min.$
+
+# Jan 9 07:30:02 debian anacron[2533381]: Jobs will be executed sequentially
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ anacron\[[0-9]+\]: Jobs will be executed sequentially$
+
+# Jan 9 07:35:02 debian anacron[2533930]: Updated timestamp for job `cron.daily' to 2023-01-09
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ anacron\[[0-9]+\]: Updated timestamp for job \`cron.[[:alnum:]]+\' to [0-9-]+$
+
+# Jan 9 07:35:40 debian anacron[2533381]: Job `cron.daily' terminated
+# Jan 9 07:35:02 debian anacron[2533381]: Job `cron.daily' started
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ anacron\[[0-9]+\]: Job \`cron.[[:alnum:]]+\' (started|terminated)$
+
+# Jan 8 11:30:54 debian anacron[2464186]: Anacron 2.3 started on 2023-01-08
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ anacron\[[0-9]+\]: Anacron [0-9.]+ started on [0-9-]+$
+
+# Jan 8 11:30:54 debian anacron[2464186]: Normal exit (0 jobs run)
+# Jan 9 07:35:40 debian anacron[2533381]: Normal exit (1 job run)
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ anacron\[[0-9]+\]: Normal exit \([0-9]+ job(s) run\)$
+
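Review bot: `job(s) run` in the `Normal exit` rule is a plain group, so it requires the literal `jobs` and the second sample directly above it, `Normal exit (1 job run)`, does not match; `jobs? run` (or `job(s)? run`) covers both samples. The `\`` and `\'` escapes in the three job-name rules are stray backslashes before characters that are not special in ERE, which POSIX leaves unspecified and newer GNU grep warns about; the backtick and quote can be written bare. In the same rules `cron.[[:alnum:]]+` leaves the dot unescaped, unlike the `\.` style in the other rule files of this series; `cron\.[[:alnum:]]+` keeps it consistent.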