@langner
Last active January 7, 2017 19:48
Additional logcheck rules for Ubuntu 10/12 workstations and servers
# amavis messages
amavis\[[0-9]+\]: \([-0-9]+\) Passed (CLEAN|BAD-HEADER|SPAM|BANNED)
# avahi daemon: warnings about invalid responses and such
avahi-daemon\[[0-9]+\]: Invalid (query packet|legacy unicast query packet|response packet from host)
avahi-daemon\[[0-9]+\]: Received response from host [.0-9]+ with invalid source port [0-9]+ on interface
avahi-daemon\[[0-9]+\]:( last)? message repeated [0-9]+ times
avahi-daemon\[[0-9]+\]: server.c: Packet too short or invalid while reading response record.
avahi-daemon\[[0-9]+\]: dbus-protocol.c: Too many objects for client
# bind messages about misconfigured servers
named\[[0-9]+\]: DNS format error
named\[[0-9]+\]:  {0,4}validating
named\[[0-9]+\]: clients-per-query (in|de)creased to
named\[[0-9]+\]: error \(.*\) resolving
named\[[0-9]+\]: last message repeated [0-9]+ times
# console-kit: harmless as per http://stackoverflow.com/questions/23199699/glib-critical-source-id-xxx-was-not-found-when-attempting-to-remove-it
console-kit-daemon\[[0-9]+\]: GLib-CRITICAL: Source ID [0-9]+ was not found when attempting to remove it
# dbus cruft
dbus\[[0-9]+\]: \[system\] Reloaded configuration
dbus\[[0-9]+\]: last message repeated [0-9]+ times
# iptables denied packets (the LOG target prefix used on these hosts); note this silences every
# firewall drop, so if you rely on drop logs to spot scans, report on them elsewhere
kernel: \[[.0-9]+\] iptables denied
# RAID housekeeping messages: 3ware (3w-sas) from the kernel, Dell PERC from OpenManage Server Administrator
kernel: \[[.0-9]+\] 3w-sas: scsi[0-9]: AEN: INFO \([x0-9A-Z]+\): Verify (started|completed):unit
kernel: \[[.0-9]+\] 3w-sas: scsi[0-9]: AEN: INFO \(0x04:0x005[56]\): Battery charging (started|completed)
Server_Administrator: [0-9]+ [0-9]+ - Storage Service( )? Controller log file entry:( )? Controller 0 \(PERC H710 Mini\)
Server Administrator: Storage Service EventID: [0-9]+ The Patrol Read has (started|stopped).
# kernel net_ratelimit messages caused by corrupted UDP packets being dropped
kernel: \[[.0-9]+\] net_ratelimit: [0-9]+ callbacks suppressed
# ldap: harmless messages according to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631932
slapcat: DIGEST-MD5 common mech free
# nfs: expected authenticated mount requests and unauthorized requests
# rpc.mountd logs "from host:port for /export (/export)", so the two fields need ':', '.' and '/'
rpc.mountd\[[0-9]+\]: authenticated (un)?mount request from [-.:_a-zA-Z0-9]+ for [-./_a-zA-Z0-9]+
# the clntNN directory name is per-client, so match any of them rather than one id
rpc.idmapd\[[0-9]+\]: dirscancb: open\(/run/rpc_pipefs/nfs/clnt[0-9a-f]+\): No such file or directory
rpcbind: connect from [.0-9]+ to dump\(\): request from unauthorized host
rpcbind: warning: /etc/hosts.allow, line [0-9]+: host name/address mismatch:
# nfs: timeouts seen while the server's RAID was busy (server name may be a FQDN)
kernel: \[[.0-9]+\] nfs: server [-.a-z0-9]+ not responding, timed out
kernel: \[[.0-9]+\] RPC: AUTH_GSS upcall failed. Please check user daemon is running.
# NetworkManager: known bug
NetworkManager\[[0-9]+\]: <info> Unmanaged Device found; state CONNECTED forced. \(see http://bugs.launchpad.net/bugs/191889\)
# openvpn messages
ovpn-\w+\[[0-9]+\]: VERIFY OK: depth=[01], C=[A-Z]{2}, ST=[A-Z]{2}, L=\w+, O=\w+, CN=\w+( CA)?, emailAddress=\w+
# os-prober messages
os-prober: debug: [/a-z0-9]+: (is active|part of)
os-prober: debug: running /usr/lib/os-probes/(mounted/)?[-0-9a-z]+ on( mounted)? [/a-z0-9]+
os-prober: debug: os detected by /usr/lib/os-probes/[-0-9a-z]+
[-0-9a-z]+: debug: [/a-z0-9]+ is (not )?a(n)? [+A-Za-z0-9]+ partition
mounted-tests: debug: [/a-z0-9]+ type not recognised; skipping
# lockd failing to register an IPv6 transport with portmap when IPv6 is unavailable (errno 97 = EAFNOSUPPORT)
kernel: \[[.0-9]+\] svc: failed to register lockdv1 RPC service \(errno 97\)
# postfix warnings
postfix/smtpd\[[0-9]+\]: warning: hostname [-.0-9a-zA-Z]+ does not resolve to address [.0-9]+
# ignoring SASL failures hides password guessing against submission; keep fail2ban or a count-based report on them
postfix/smtpd\[[0-9]+\]: warning: [-.a-zA-Z0-9]+\[[.0-9]+\]: SASL login authentication failed
postfix/smtpd\[[0-9]+\]: improper command pipelining after EHLO from unknown
postfix/smtpd\[[0-9]+\]: last message repeated [0-9]+ times
postfix/smtpd\[[0-9]+\]: SSL_accept error from unknown
# roundcube messages
roundcube: User [-._@a-zA-Z0-9]+ \[[.0-9]+\]; Message for
# same caveat as the postfix SASL rule: this drops evidence of webmail password guessing
roundcube: IMAP Error: Login failed for [-._@a-zA-Z0-9]+ from [.0-9]+. LOGIN: Authentication failed.
# rsyslogd repeats
rsyslogd: last message repeated [0-9]+ times
# samba denied messages
smbd\[[0-9]+\]: Denied connection from
smbd\[[0-9]+\]: \[[/0-9]+ [.:0-9]+, [ 0-9]+\] lib/access.c:[0-9]+\(allow_access\)
# ssh generally benign messages
# successful key logins are worth keeping on servers; only ignore them on workstations where you are the sole user
sshd\[[0-9]+\]: Accepted publickey for \w+ from [.0-9]+
sshd\[[0-9]+\]: Connection closed by [.0-9]+ \[preauth\]
sshd\[[0-9]+\]: subsystem request for sftp by user
# "Address already in use" means sshd failed to bind a listen port; ignore only if you know which duplicate caused it
sshd\[[0-9]+\]: error: listen: Address already in use
sshd\[[0-9]+\]: Received disconnect from
# systemd rules (from https://wiki.debian.org/systemd/logcheck, extended slightly)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Starting|Started) Session [[:digit:]]+ of user [^[:space:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: (Reexecuting|Reloading)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: systemd [[:digit:]]+ running in system mode. \((\+[[:alnum:]]+ ?)+\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Expecting device [^[:space:]]+\.device\.\.\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing|ed) Cleanup of Temporary Directories\.+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing|ed) Run anacron jobs\.+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [a-z0-9]+ of user [^[:space:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Removed session [a-z0-9]+\.$
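logcheck applies an ignore file with `grep -E -v -f FILE`, so every rule above is a POSIX extended regex (GNU `\w` included, no PCRE), and an unanchored rule drops any line that contains a match. The script below is an added example, not part of the gist: it runs a handful of the rules above, verbatim, against constructed sample syslog lines (not real captures) the way logcheck would, and offers `rule_matches` for trying a single rule against a single line before dropping it into `/etc/logcheck/ignore.d.server/`. Hostnames, PIDs and addresses in the sample lines are made up.

```shell
#!/bin/sh
# Added example, not part of the gist: exercise logcheck ignore rules the way
# logcheck itself does (grep -E -v -f RULEFILE LOG) against constructed log
# lines, so a rule can be checked before it lands in ignore.d.server/.
set -e

RULES=$(mktemp)
SAMPLE=$(mktemp)
trap 'rm -f "$RULES" "$SAMPLE"' EXIT

# A handful of the rules from the file above, verbatim (the rsyslogd repeat
# rule with a [0-9]+ counter so that two-digit repeat counts match too).
cat >"$RULES" <<'EOF'
sshd\[[0-9]+\]: Accepted publickey for \w+ from [.0-9]+
sshd\[[0-9]+\]: Connection closed by [.0-9]+ \[preauth\]
rsyslogd: last message repeated [0-9]+ times
kernel: \[[.0-9]+\] net_ratelimit: [0-9]+ callbacks suppressed
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [a-z0-9]+ of user [^[:space:]]+\.$
EOF

# Constructed sample syslog lines (not real captures): the first four are the
# routine noise the rules are meant to drop; the last two must survive, because
# a failed root login and a sudo invocation are exactly what logcheck is for.
cat >"$SAMPLE" <<'EOF'
Jan  7 19:48:01 host1 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Jan  7 19:48:02 host1 sshd[2232]: Connection closed by 10.0.0.9 [preauth]
Jan  7 19:48:03 host1 rsyslogd: last message repeated 12 times
Jan  7 19:48:04 host1 systemd-logind[801]: New session c3 of user alice.
Jan  7 19:48:05 host1 sshd[2240]: Failed password for root from 203.0.113.7 port 40000 ssh2
Jan  7 19:48:06 host1 sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
EOF

# Lines that survive the ignore file, i.e. what logcheck would put in its mail.
reported() {
    grep -E -v -f "$RULES" "$SAMPLE" || true
}

# Number of surviving lines; 2 for the sample above.
reported_count() {
    reported | wc -l | tr -d ' '
}

# Match one rule against one line with the regex flavour logcheck uses
# (POSIX ERE via grep -E). Exit status 0 means the line would be ignored.
rule_matches() {
    printf '%s\n' "$2" | grep -E -q -e "$1"
}

# Print what would still be reported.
reported
```

The `[0-9]` versus `[0-9]+` difference in the "last message repeated" rules is easy to see with `rule_matches`: the single-digit form lets every "repeated 12 times" line through to the report. The systemd rule, by contrast, is anchored with `^...$` and includes the timestamp and hostname, which is the safer shape for any rule that might otherwise match the inside of an unrelated message.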