# $Header: /etc/tenshi/tenshi.conf,v 1.10 2006/06/12 17:01:11 root Exp root $
##
## tenshi config
##

# general settings
# tenshi drops privileges to this account; keep it unprivileged, the daemon
# only needs to read the fifo below and write its pidfile.
set uid tenshi
set gid tenshi
set pidfile /var/lib/tenshi/tenshi.pid
# set logfile /var/log/messages
# set tail /usr/bin/tail
# Input is read from a fifo fed by the syslog daemon instead of tailing a file.
set fifo /var/log/tenshi.fifo
# GNU coreutils
# set tailargs -q --follow=name --retry -n 0
# FreeBSD / NetBSD
# set tailargs -F -n 0
# OpenBSD
# set tailargs -f -n 0
set sleep 5
# NOTE(review): limit/pager_limit cap the number of lines per report/pager
# message - presumably; confirm against the tenshi documentation.
set limit 800
set pager_limit 2
# Replacement string for the parenthesised parts of a matching regexp
# (see the "mask the PID" note below); the captured text itself is not reported.
set mask ___
set mailserver localhost
set mailtimeout 10
set subject tenshi report
# With hidepid on the "[PID]" part of the program field is stripped before
# matching, so the regexps below are written without it.
set hidepid on

# sample filter
# set filter /usr/bin/gpg
# set filterargs --clearsign --batch -a -r sysadmin@localhost

# queues
# syntax: set queue <name> <from address> <to address> [<cron spec> | now] [<subject>]
# "[now]" queues are flushed immediately; a cron spec queues a periodic digest.
set queue critical tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
set queue root tenshi@localhost sysadmin@localhost [now]
set queue report tenshi@localhost sysadmin@localhost [0 8 * * *]
set queue misc tenshi@localhost sysadmin@localhost [0 8 * * 1]
# NOTE(review): the pager recipient below is a site-specific SMS gateway
# address (a phone number) left over from the original install - replace it
# before deploying, and consider who should receive out-of-band alerts.
set queue pager tenshi@localhost pager:01787245424@smsmail.eplus.de [now] tenshi alert

# regexp definitions
# syntax: <queue>[,<queue>..] <regexp>
# Rules are tried in file order; "trash" discards the matched line.
# note: If you are not using the hidepid option for some reason, the regexps
# below will need to be slightly different, for example:
#
# mail ^sendmail: (.+): to=(.+),(.+)relay=(.+),(.+)stat=Sent(.+)
# would need to be:
# mail ^sendmail\[(.*)\]: to=(.+),(.+)relay=(.+),(.+)stat=Sent(.+)
# in order to match the sendmail line and mask the PID.
# Recognises syslog's own "last message repeated N times" lines.
# NOTE(review): "\\d" as written matches a literal backslash followed by "d";
# if a digit class "\d" is intended, the doubling may be a copy/display
# artifact - confirm against the installed file.
repeat ^(?:last message repeated|above message repeats) (\\d+) time

# Boot-time / hotplug noise from USB, SCSI and floppy drivers.
# These prefixes are matched without the "kernel: " program field.
trash ^hub.c
trash ^usb.c
trash ^uhci.c
trash ^sda
trash ^Initializing USB
trash ^scsi0 : SCSI emulation
trash ^Vendor:
trash ^Type:
trash ^Attached scsi removable
trash ^SCSI device sda
trash ^sda: Write
trash ^/dev/scsi
trash ^WARNING: USB
trash ^USB Mass Storage
trash ^/dev
#trash ^ISO
trash ^floppy0
trash ^end_request
trash ^Directory
trash ^I/O error: dev 08:(.+), sector

## Wolfram Schlich
## custom iptables FireWall (iptables log prefix 'ipt_FW')
set queue iptables tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue iptables_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^(?:kernel: )?(?:ip(?:4|6)?t_FW|ip_conntrack|ip_ct_icmp|nf_ct_icmp)
## proxyscan.freenode.net
# NOTE(review): site-specific suppression of all firewall hits from one source.
# The dots are unescaped and there is no terminator after the address, so this
# also discards SRC=82.96.96.30-39 and similar; "SRC=82\.96\.96\.3 " would be
# exact. Review periodically whether a permanent suppression is still wanted.
trash ^kernel: ip(?:4|6)?t_FW .*SRC=82.96.96.3
# Connection-tracking table exhaustion drops packets - immediate report.
iptables_crit ^kernel: ip_conntrack: table full, dropping packet\.
# iptables ^kernel: ip(?:4|6)?t_FW .*: IN=.+ (OUT=.*) MAC=.* SRC=.+ DST=.+ LEN=(.+) TOS=(.+) PREC=(.+) TTL=(.+) ID=(.+) (?:DF)? PROTO=.+ SPT=.+ DPT=.+(?: LEN=.+| WINDOW=(.+) RES=(.+) SYN URGP=(.+) OPT \((.+)\))?
# iptables ^kernel: ip(?:4|6)?t_FW .*: IN=.+ (OUT=.*) MAC=.* SRC=.+ DST=.+ (LEN=.+ TOS=.+ PREC=.+) TTL=(.+) ID=(.+)(?: DF)? PROTO=.+ SPT=.+ DPT=.+ (LEN=.+|WINDOW=.+)
# Generic LOG-target line; the parenthesised fields are masked in the report
# so identical events from the same source collapse together.
iptables ^kernel: ip(?:4|6)?t_FW .*: IN=.+ (OUT=.* MAC=.*) SRC=(.+) (DST=.+ LEN=.+ TOS=.+ PREC=.+ TTL=.+ ID=.+)(?: DF)? PROTO=.+ (SPT=.+) DPT=.+ (LEN=.+|WINDOW=.+)
# iptables ^kernel: ip(?:4|6)?t_FW EXT_(?:MSRPC|SMB|CIFS|ED2K|ED2KSRV)_IN: IN=.+ (OUT=.+) SRC=.+ DST=.+ (LEN=.+) DPT=.+ (WINDOW=.+)
# iptables ^kernel: ip(?:4|6)?t_FW EXT_(?:MSRPC|SMB|CIFS|ED2K|ED2KSRV)_IN: IN=.+ (OUT=.+) SRC=.+ (DST=.+)
iptables ^kernel: ip(?:4|6)?t_FW EXT_(?:MSRPC|SMB|CIFS|ED2K|ED2KSRV)_IN: IN=.+ (OUT=.+)
iptables ^(?:firewall\[(.+)\]|ip(?:4|6)?t_FW): start (?:initiated|finished)\.
# Catch-alls for the firewall group: anything not matched above lands in the
# weekly iptables digest.
iptables ^(?:kernel: )?ip(?:4|6)?t_FW
iptables ^(?:kernel: )?ip_conntrack
iptables ^(?:kernel: )?ip_ct_icmp:
iptables ^(?:kernel: )?nf_ct_icmp:
group_end

## Wolfram Schlich
## Kernel ISDN
set queue isdn tenshi@localhost sysadmin@localhost [0 8 * * 1]
group ^kernel: (?:isdn(?:_net|_tty|_audio)?|dtmf|HiSax):
trash ^kernel: isdn: .+,ch.+ cause: .+
trash ^kernel: isdn_(?:net|tty): Incoming call without OAD, assuming '0'
trash ^kernel: isdn_(?:net|tty): call from .+ -> .+ ignored
isdn ^kernel: isdn_(?:net|tty): call from .+, -> RING on .+
isdn ^kernel: isdn_audio: dtmf goertzel overflow, sk2=.+
isdn ^kernel: dtmf: tt='.+'
isdn ^kernel: HiSax: .+
#CATCHALL:isdn ^kernel: isdn(?:_net|_tty)?:
group_end

# isdnlog user-space logger; the "(... .. ..:..:..)" group masks the embedded
# timestamp so repeated events collapse in the digest.
group ^isdnlog:
isdn ^isdnlog: isdnlog Version (.+) starting
isdn ^isdnlog: exit now .+
isdn ^isdnlog: Got signal .+
isdn ^isdnlog: File .+ removed!
isdn ^isdnlog: isdnlog: Can't open /dev/isdn/isdnctrl0 \(.+\)
isdn ^isdnlog: Warning: Invalid token in string `.+'!
isdn ^isdnlog: Rates Version (.+) \[(.+)\] loaded \[(.+) Providers, (.+) Zones, (.+) Areas, (.+) Services, (.+) Comments, (.+) eXceptions, (.+) Redirects, (.+) Rates from (.+)\]
isdn ^isdnlog: Holiday Version (.+) \[(.+)\] loaded \[(.+) entries from (.+)\]
isdn ^isdnlog: Zone V(.+): Provider (.+) File '(.+)' opened fine - (.+)
isdn ^isdnlog: Dest V(.+): File '(.+)' opened fine - (.+)
isdn ^isdnlog: isdn.conf:(.+) active channels, (.+) MSN/SI entries
isdn ^isdnlog: \(ISDN subsystem with ISDN_MAX_CHANNELS > 16 detected, ioctl\(IIOCNETGPN\) is available\)
isdn ^isdnlog: \(Data versions: iprofd=(.+) net_cfg=(.+) /dev/isdninfo=(.+)\)
isdn ^isdnlog: \(HiSax driver detected\)
isdn ^isdnlog: Everything is fine, isdnlog-(.+) is running in full featured mode\.
isdn ^isdnlog: (... .. ..:..:..) \* Call to tei .+ from .+ on .+ RING \(Speech\)
isdn ^isdnlog: (... .. ..:..:..) \* Call to tei .+ from .+ on .+ RING \(3.1 kHz audio\)
isdn ^isdnlog: (... .. ..:..:..) \* Call to tei .+ from .+ on .+ HLC: CCITT, Telefonie
isdn ^isdnlog: (... .. ..:..:..) \* Call to tei .+ from .+ on .+ HANGUP
isdn ^isdnlog: (... .. ..:..:..) \* Call to tei .+ from .+ on .+ CLIP: .+
isdn ^isdnlog: (... .. ..:..:..) \* tei .+ calling .+ with .+ RING \(\)
isdn ^isdnlog: (... .. ..:..:..) \* tei .+ calling .+ with .+ NOTIFICATION: Call is diverting
isdn ^isdnlog: (... .. ..:..:..) \* ReturnError: not subscribed
isdn ^isdnlog: (... .. ..:..:..) \* Interrogate Served User Numbers:
isdn ^isdnlog: (... .. ..:..:..) Call to tei .+ from .+ on .+ Normal call clearing \((?:User|(?:Public|Private) network serving (?:remote|local) user)\)
isdn ^isdnlog: (... .. ..:..:..) Call to tei .+ from .+ on .+ CONNECT \(Speech\)
isdn ^isdnlog: (... .. ..:..:..) Call to tei .+ from .+ on .+ CONNECT \(3.1 kHz audio\)
isdn ^isdnlog: (... .. ..:..:..) Call to tei .+ from .+ on .+ HANGUP
isdn ^isdnlog: (... .. ..:..:..) Call to tei .+ from .+ on .+ HANGUP \((..:..:..)\)
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ NOTIFICATION: Call is a waiting call
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ NOTIFICATION: Call is diverting
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ NOTIFICATION: Remote hold
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ NOTIFICATION: Remote retrieval
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ CHARGE: .+
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ COLP .+
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ Interworking, unspecified \(.+\)
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ NEXT CI AFTER .+
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ .+\.CI .+
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ HINT: .+
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ CCNR moeglich
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ No circuit/channel available \(.+\)
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ Number changed \(.+\)
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ Time:(.+)
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ Normal, unspecified \(Transit network\)
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ Normal call clearing \((?:User|(?:Public|Private) network serving (?:remote|local) user)\)
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ Normal call clearing \(User\)
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ CONNECT
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ MAKEL
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ MAKELRESUME
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ HANGUP
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ HANGUP \((..:..:..)\)
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ (?:HANGUP )?User busy \((?:User|(?:Public|Private) network serving (?:remote|local) user)\)
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ (?:HANGUP )?No route to destination \((?:User|(?:Public|Private) network serving (?:remote|local) user)\)
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ (?:HANGUP )?Destination out of order \((?:User|(?:Public|Private) network serving (?:remote|local) user)\)
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ (?:HANGUP )?Unallocated \(unassigned\) number \((?:User|(?:Public|Private) network serving (?:remote|local) user)\)
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ (?:HANGUP )?No user responding \((?:Public|Private) network serving (?:remote|local) user\)
isdn ^isdnlog: (... .. ..:..:..) tei .+ calling .+ with .+ (?:HANGUP )?Invalid number format \(address incomplete\) \((?:User|(?:Public|Private) network serving (?:remote|local) user)\)
#CATCHALL:isdn ^isdnlog:
group_end

## Wolfram Schlich
## Kernel HostAP
set queue hostap tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue hostap_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^kernel: (?:wlan.+:|wifi.+:|handle_ap_item|AP:|hostap_.+:|prism2_hw_init:)
# Frames from/for stations the AP does not know, and frames carrying a foreign
# BSSID, are reported immediately - they can indicate a rogue or spoofing client.
hostap_crit ^kernel: AP: drop packet to non-associated STA .+:.+:.+:.+:.+:.+
hostap_crit ^kernel: handle_ap_item - addr.+\(BSSID\)=.+:.+:.+:.+:.+:.+ not own MAC
hostap ^kernel: handle_ap_item - data frame
hostap_crit ^kernel: (?:wlan|wifi).+: Deauthenticate all stations
hostap_crit ^kernel: (?:wlan|wifi).+: Could not find STA .+:.+:.+:.+:.+:.+ for this TX error \(@.+\)
hostap_crit ^kernel: (?:wlan|wifi).+: STA .+:.+:.+:.+:.+:.+ did not ACK activity poll frame
hostap ^kernel: (?:wlan|wifi).+: STA .+:.+:.+:.+:.+:.+ TX rate lowered to .+
hostap ^kernel: (?:wlan|wifi).+: STA .+:.+:.+:.+:.+:.+ TX rate raised to .+
hostap ^kernel: (?:wlan|wifi).+: .+:.+:.+:.+:.+:.+ assoc_cb - association failed
hostap ^kernel: (?:wlan|wifi).+: .+:.+:.+:.+:.+:.+ assoc_cb - STA associated
hostap ^kernel: (?:wlan|wifi).+: .+:.+:.+:.+:.+:.+ assoc_cb - frame was not ACKed
hostap ^kernel: (?:wlan|wifi).+: .+:.+:.+:.+:.+:.+ auth_cb - alg=.+ trans#=.+ status=.+ - STA authenticated
hostap ^kernel: (?:wlan|wifi).+: .+:.+:.+:.+:.+:.+ auth_cb - STA authenticated
hostap ^kernel: (?:wlan|wifi).+: .+:.+:.+:.+:.+:.+ auth_cb - STA not found
hostap ^kernel: (?:wlan|wifi).+: .+:.+:.+:.+:.+:.+ auth_cb - frame was not ACKed
hostap ^kernel: (?:wlan|wifi).+: .+:.+:.+:.+:.+:.+ auth_cb - alg=.+ trans#=.+ status=.+ - STA not found
hostap ^kernel: (?:wlan|wifi).+: .+:.+:.+:.+:.+:.+ auth_cb - alg=.+ trans#=.+ status=.+ - frame was not ACKed
# NOTE(review): denied 802.11 authentications and (de)authentication /
# disassociation events only reach the weekly digest; a burst of them is worth
# an earlier look if the AP is exposed.
hostap ^kernel: (?:wlan|wifi).+: .+:.+:.+:.+:.+:.+ auth \(alg=.+ trans#=.+ stat=.+ len=.+ fc=.+\) ==> .+ \(authentication denied\)
hostap ^kernel: (?:wlan|wifi).+: disassociation: .+:.+:.+:.+:.+:.+ len=.+, reason_code=.+
hostap ^kernel: (?:wlan|wifi).+: deauthentication: .+:.+:.+:.+:.+:.+ len=.+ reason_code=.+
hostap ^kernel: (?:wlan|wifi).+: sending deauthentication info to STA .+:.+:.+:.+:.+:.+\(last=.+, jiffies=.+\)
hostap ^kernel: (?:wlan|wifi).+: sending disassociation info to STA .+:.+:.+:.+:.+:.+\(last=.+, jiffies=.+\)
hostap ^kernel: (?:wlan|wifi).+: no IPv6 routers present
hostap ^kernel: (?:wlan|wifi).+: dropped received packet from non-associated STA .+:.+:.+:.+:.+:.+ \(type=.+, subtype=.+\)
# Driver / firmware initialisation messages.
hostap ^kernel: wifi.+: NIC: id=.+ v.+
hostap ^kernel: wifi.+: PRI: id=.+ v.+
hostap ^kernel: wifi.+: STA: id=.+ v.+
hostap ^kernel: wifi.+: Intersil Prism2.5 PCI: mem=.+, irq=.+
hostap ^kernel: wifi.+: registered netdevice wlan.+
hostap ^kernel: wifi.+: Original COR value: .+
hostap ^kernel: hostap_pci: .+ - ....-..-.. \((.+)\)
hostap ^kernel: hostap_pci: Registered netdevice wifi.+
hostap ^kernel: hostap_crypt: registered algorithm '.+'
hostap ^kernel: prism2_hw_init: initialized in .+ ms
#CATCHALL:hostap ^kernel: wlan.:
#CATCHALL:hostap ^kernel: handle_ap_item
group_end

## Wolfram Schlich
## Kernel Catchall
set queue kernel tenshi@localhost sysadmin@localhost [*/30 * * * *]
set queue kernel_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^kernel:
# trash ^kernel: Additional sense: Illegal mode for this track
# trash ^kernel: Info fld=.+, ILI Current .+: sense = .+
trash ^kernel: NET: (.+) messages suppressed\.
trash ^kernel: process `.+' is using obsolete setsockopt .+
trash ^kernel: process `.+' is using deprecated sysctl \(syscall\) .+; Use .+ instead\.
# NOTE(review): "martian source" lines are the kernel's report of packets with
# an impossible source address (spoofed or misrouted); discarding them removes
# an anti-spoofing signal. Routing them to the half-hourly "kernel" digest
# instead of "trash" keeps the evidence without paging anyone.
trash ^kernel: martian source .+ from .+, on dev .+
trash ^kernel: martian destination .+ from .+, dev .+
trash ^kernel: ll header: .+
trash ^kernel: printk: (.+) messages suppressed\.
##
# Out-of-memory killer output; the follow-up memory statistics are on the next lines.
kernel_crit ^kernel: Out of Memory: Killed process .+ \(.+\)\.
# OOM-killer memory dump (continues the "Out of Memory" rule above).
kernel_crit ^kernel: oom-killer: gfp_mask=.+
kernel_crit ^kernel: cpu .+ (?:cold|hot): low .+, high .+, batch .+
kernel_crit ^kernel: protections\[\]: .+
kernel_crit ^kernel: Free pages: .+kB \(.+kB HighMem\)
kernel_crit ^kernel: Swap cache: add .+, delete .+, find .+/.+, race .+
kernel_crit ^kernel: Active:.+ inactive:.+ dirty:.+ writeback:.+ unstable:.+ free:.+ slab:.+ mapped:.+ pagetables:.+
kernel_crit ^kernel: (?:DMA|HighMem|Normal) free:.+kB min:.+kB low:.+kB high:.+kB active:.+kB inactive:.+kB present:.+kB
kernel_crit ^kernel: (?:DMA|HighMem|Normal) per-cpu:
kernel_crit ^kernel: (?:DMA|HighMem|Normal): .+\*4kB .+\*8kB .+\*16kB .+\*32kB .+\*64kB .+\*128kB .+\*256kB .+\*512kB .+\*1024kB .+\*2048kB .+\*4096kB = .+kB
##
# Hardware errors (machine-check), disk errors.
kernel_crit ^kernel: Bank .+: .+
kernel_crit ^kernel: MCE: The hardware reports a non fatal, correctable incident occurred on CPU .+\.
# An interface entering promiscuous mode is a classic sniffer indicator - keep
# this in the immediate queue.
kernel_crit ^kernel: device .+ (?:entered|left) promiscuous mode
kernel_crit ^kernel: scsi: unknown opcode .+
kernel_crit ^kernel: SCSI error : <.+> return code = .+
kernel_crit ^kernel: end_request: I/O error, dev .+, sector .+
kernel_crit ^kernel: Buffer I/O error on device .+, logical block .+
kernel_crit ^kernel: [hs]d.: .+: status=.+ { .+Error }
kernel_crit ^kernel: [hs]d.:
kernel_crit ^kernel: ide.:
# Broad fallback: any remaining kernel line containing "error" is critical.
# Being this early in the group, it takes precedence over the specific "error"
# rules further down (which route to the same queue anyway).
kernel_crit ^kernel:.*error
##
kernel ^kernel: PCI: Found IRQ .+ for device .+:.+:.+
kernel ^kernel: PCI: Sharing IRQ .+ with .+:.+:.+
kernel ^kernel: spurious 8259A interrupt: IRQ.+\.
##
##
# Network device state changes.
kernel_crit ^kernel: NETDEV WATCHDOG: .+: transmit timed out
kernel_crit ^kernel: eth.+: link now .+ mbps, .+ duplex and up\.
kernel_crit ^kernel: eth.+: link now down\.
kernel_crit ^kernel: eth.+: after: tx_done_idx=.+ free_idx=.+ cmdsts=.+
kernel_crit ^kernel: eth.+: tx_timeout: tx_done_idx=.+ free_idx=.+ cmdsts=.+
trash ^kernel: eth.+: no IPv6 routers present
kernel_crit ^kernel: TCP: Treason uncloaked! Peer .+:.+/.+ shrinks window .+:.+\. Repaired\.
kernel_crit ^kernel: e100: eth.+: e100_watchdog: link up, .+Mbps, .+-duplex
##
# NFS / RPC problems.
kernel_crit ^kernel: RPC: error .+ connecting to server .+
kernel_crit ^kernel: nfs_statfs: statfs error = 512
# grsecurity audit lines: signals and resource-limit violations are reported
# at once; mount/unmount activity goes to the half-hourly digest. The PID
# fields are masked so repeated events from different processes collapse.
kernel_crit ^kernel: grsec: signal .+ sent to \(.+:(.+)\) UID\(.+\) EUID\(.+\), parent \(.+:(.+)\) UID\(.+\) EUID\(.+\)
kernel_crit ^kernel: grsec: attempted resource overstep by requesting .+ for .+ against limit .+ by \(.+:(.+)\) UID\(.+\) EUID\(.+\), parent \(.+:(.+)\) UID\(.+\) EUID\(.+\)
kernel ^kernel: grsec: mount .* to .* by \(.+:(.+)\) UID\(.+\) EUID\(.+\), parent \(.+:(.+)\) UID\(.+\) EUID\(.+\)
kernel ^kernel: grsec: unmount of .* by \(.+:(.+)\) UID\(.+\) EUID\(.+\), parent \(.+:(.+)\) UID\(.+\) EUID\(.+\)
kernel ^kernel: tcp_v4_rebuild_header\(\): shifting inet->saddr from .+ to .+
kernel ^kernel: cdrom: open failed\.
kernel ^kernel: cdrom: .+: mrw address space DMA selected
# NOTE(review): duplicate of the identical "spurious 8259A interrupt" rule
# earlier in this group; the earlier one wins, so this line is dead.
kernel ^kernel: spurious 8259A interrupt: IRQ.+\.
kernel ^kernel: Adding .+k swap on .+\. Priority:.+ extents:.+
kernel ^kernel: sd.+: assuming drive cache: write through
kernel ^kernel: sd.+: assuming Write Enabled
##
# Filesystem mount / journal messages.
kernel ^kernel: EXT3-fs: mounted filesystem with ordered data mode\.
kernel ^kernel: EXT3 FS on .+, internal journal
kernel ^kernel: EXT3-fs warning: checktime reached, running e2fsck is recommended
kernel ^kernel: kjournald starting\. Commit interval .+ seconds
kernel ^kernel: FAT: bogus number of reserved sectors
kernel ^kernel: VFS: Can't find a valid FAT filesystem on dev .+\.
kernel ^kernel: ISO 9660 Extensions: .+
kernel ^kernel: ISOFS: .+
##
##
# USB (mass storage) plug / unplug events; useful to keep in the digest as a
# record of removable media use on the host.
kernel_crit ^kernel: usb .+-.+: control timeout on .+
kernel ^kernel: usb .+-.+: new full speed USB device using address .+
kernel ^kernel: usb .+-.+: USB disconnect, address .+
kernel ^kernel: USB Mass Storage support registered\.
kernel ^kernel: USB Mass Storage device found at .+
kernel ^kernel: scsi.+: SCSI emulation for USB Mass Storage devices
kernel ^kernel: Initializing USB Mass Storage driver\.\.\.
kernel ^kernel: usbcore: registered new driver usb-storage
# USB printer class driver.
kernel ^kernel: drivers/usb/class/usblp.c: usblp.+: removed
kernel ^kernel: drivers/usb/class/usblp.c: usblp.+: ok
kernel_crit ^kernel: drivers/usb/class/usblp.c: usblp.+: on fire
kernel_crit ^kernel: drivers/usb/class/usblp.c: usblp.+: out of paper
kernel_crit ^kernel: drivers/usb/class/usblp.c: usblp.+: error .+ reading printer status
kernel ^kernel: drivers/usb/class/usblp.c: usblp.+: USB Bidirectional printer dev .+ if .+ alt .+ proto .+ vid .+ pid .+
kernel ^kernel: drivers/usb/class/usblp.c: usblp.+: nonzero read/write bulk status received: .+
##
#CATCHALL:kernel ^kernel: grsec:
# Catch-all: every kernel line not matched above ends up in the half-hourly
# digest rather than being dropped.
kernel ^kernel:
group_end

## Wolfram Schlich
set queue modutils tenshi@localhost sysadmin@localhost [*/30 * * * *]
set queue modutils_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^modprobe:
modutils_crit ^modprobe: FATAL: Module .+ is in use\.
modutils_crit ^modprobe: modprobe: Can't locate module .+
modutils_crit ^modprobe: modprobe: Safe mode parameter starts with '-'
# NOTE(review): if this catch-all is re-enabled, "modprobe" is not a queue
# defined in this file (the queues above are modutils / modutils_crit).
#CATCHALL:modprobe ^modprobe:
group_end

## Wolfram Schlich
## DevFS daemon
set queue devfsd tenshi@localhost sysadmin@localhost [now]
group ^devfsd:
devfsd ^devfsd:
group_end

## Wolfram Schlich
## hotplug/coldplug
set queue hotplug tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue hotplug_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^.+\.agent:
hotplug ^scsi.agent: disk at .+
hotplug ^.+\.agent:
group_end

## Wolfram Schlich
## rc-scripts
set queue rcscripts tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue rcscripts_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^rc-scripts:
# Usage errors from interactive misuse are discarded here on purpose; they
# must stay above the generic ERROR:/WARNING: rules that follow.
trash ^rc-scripts: Usage:
trash ^rc-scripts: .+without arguments for full help
trash ^rc-scripts: ERROR:.+wrong args\. \(.+/.+\)
trash ^rc-scripts: WARNING:.+you are stopping a boot service\.
rcscripts_crit ^rc-scripts: ERROR:
rcscripts_crit ^rc-scripts: WARNING:
rcscripts ^rc-scripts:
group_end

## Wolfram Schlich
## PAM
set queue pam tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue pam_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^(?:(?:.+)\(pam_unix\)|PAM-env):
# NOTE(review): this rule matches "<any service>(pam_unix): authentication
# failure; ..." - including sshd(pam_unix). Because rules are tried in file
# order and this group precedes the OpenSSH group, the sshd_crit rule for the
# same line further down is presumably never reached, and sshd PAM failures
# end up in this weekly digest instead of the immediate report. Either move
# this group below the sshd group or exclude sshd here - confirm tenshi's
# first-match behaviour before relying on either.
pam ^(?:.+)\(pam_unix\): authentication failure; logname=.* uid=.* euid=.* tty=.* ruser=.* rhost=.*(?: user=.*)?
pam ^(?:.+)\(pam_unix\): check pass; user unknown
pam ^PAM-env: Unknown PAM_ITEM: .+
#CATCHALL:pam (?:.+)\(pam_unix\):
group_end

## Wolfram Schlich
## Misc
# Local privilege / screen-lock failures go straight to the critical queue;
# account and group changes to the daily report.
critical ^su: pam_authenticate: Authentication failure
critical ^su: pam_authenticate: Permission denied
critical ^xscreensaver: FAILED LOGIN .+ ON DISPLAY ".+", FOR ".+"
report ^(?:user|group)(?:add|mod|del):
misc ^wall: wall: user .+ broadcasted .+ lines \(.+ chars\)
misc ^wall:

## Wolfram Schlich
## Cron daemon
set queue cron tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue cron_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^(?:CRON|/usr/sbin/cron|cron(?:tab)?):
trash ^(?:CRON|(?:/usr/sbin/)?cron): \(CRON\) STARTUP \(.+\)
trash ^(?:CRON|(?:/usr/sbin/)?cron): \(.+\) ORPHAN \(no passwd entry\)
trash ^(?:CRON|(?:/usr/sbin/)?cron): \(\*system\*\) RELOAD \(.+\)
# Routine root jobs (run-crons and the hourly/daily/... wrappers) are dropped;
# any other command executed by cron is kept in the weekly digest below.
trash ^(?:CRON|(?:/usr/sbin/)?cron): \(root\) CMD \(.*/usr/sbin/run-crons.*\)
trash ^(?:CRON|(?:/usr/sbin/)?cron): \(root\) CMD \(.*/var/spool/cron/lastrun/cron\.(?:hourly|daily|weekly|monthly).*\)
trash ^(?:CRON|(?:/usr/sbin/)?cron): \(.+\) MAIL \(mailed .+ bytes of output but got status .+\)
cron ^(?:CRON|(?:/usr/sbin/)?cron): \(.+\) CMD \(.+\)
# crontab edits/replacements are a persistence vector; they are at least recorded here.
cron ^crontab: \(.+\) LIST \(.+\)
cron ^crontab: \(.+\) (?:BEGIN|END) EDIT \(.+\)
cron ^crontab: \(.+\) REPLACE \(.+\)
cron ^crontab: \(.+\) RELOAD \(.+\)
#CATCHALL:cron ^CRON:
group_end

## Wolfram Schlich
## Syslog daemon
set queue syslog tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue syslog_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
# No colon after syslogd: the restart line is "syslogd <version>: restart."
group ^syslogd
syslog_crit ^syslogd: sendto: Operation not permitted
syslog_crit ^syslogd: .+: No space left on device
syslog ^syslogd .+: restart(?: \(remote reception\))?\.
#CATCHALL:syslog ^syslogd:
group_end

## Georg Weiss
## syslog-ng daemon
set queue syslogng tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue syslogng_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^syslog-ng
#syslogng_crit ^syslog-ng:
syslogng ^syslog-ng: SIGHUP received, restarting syslog-ng
syslogng ^syslog-ng: new configuration initialized
# Only the "dropped 0" statistics line is matched; a non-zero drop count
# (i.e. lost log messages) is left to fall through.
syslogng ^syslog-ng: STATS: dropped 0
syslogng ^syslog-ng: Changing permissions on special file .+
#CATCHALL:syslogng ^syslog-ng:
group_end

## Wolfram Schlich
## OpenSSH daemon
set queue sshd tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue sshd_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^sshd(?:\(pam_unix\))?:
# "Failed none" is the client's initial no-credential probe, not a real failure.
trash ^sshd: Failed none for .+ from .+ port (.+) .+
# Debug output means sshd is running with a verbose LogLevel - report it.
sshd_crit ^sshd: debug.+: .+
sshd_crit ^sshd: reverse mapping checking getaddrinfo for .+ failed - POSSIBLE BREAKIN ATTEMPT!
sshd_crit ^sshd: Address .+ maps to .+, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
sshd_crit ^sshd: Server listening on .+ port .+\.
sshd_crit ^sshd: Received signal .+; terminating\.
# See the note in the PAM group above: this line is also matched by the
# earlier "pam" rule and may never be reached.
sshd_crit ^sshd\(pam_unix\): authentication failure; logname=
sshd_crit ^sshd: error: Bind to port .+ on .+ failed: .+
sshd_crit ^sshd: error: channel_setup_fwd_listener: cannot listen to port: .+
sshd_crit ^sshd: error: bind: Address already in use
sshd_crit ^sshd: bind: Address already in use
sshd_crit ^sshd: fatal: Cannot bind any address\.
sshd ^sshd: fatal: Write failed: .+
sshd ^sshd: fatal: Timeout before authentication for (.+)
sshd ^sshd: fatal: mm_request_send: write
sshd ^sshd: Postponed publickey for .+ from .+ port .+ .+
# Authentication failures: account and source address stay visible in the
# digest, only the client port is masked.
sshd ^sshd: Failed (?:password|publickey|keyboard-interactive) for (?:illegal user )?.+ from .+ port (.+) .+
# The guessed user name is masked here (it is attacker-controlled text); the
# "Failed ... for illegal user <name>" rule above does not mask it - decide
# deliberately whether these names should appear in mailed reports.
sshd ^sshd: Illegal user (.*)
sshd ^sshd: Invalid user (.*) from .+
sshd ^sshd: User .+ not allowed because none of user's groups are listed in AllowGroups
sshd ^sshd: User .+ not allowed because account is locked
sshd ^sshd: User .+ not allowed because shell .+ is not executable
sshd ^sshd: subsystem request for sftp
sshd ^sshd: error: Could not get shadow information for .+
sshd ^sshd: channel 3: open failed: connect failed: Port open failed
sshd ^sshd: syslogin_perform_logout:.+
sshd ^sshd: Disconnecting: Timeout, your session not responding\.
sshd ^sshd: Received disconnect from .+: .+: Timeout, server not responding\.
# Banner-grab / scanner noise; kept in the digest so probes remain visible.
sshd ^sshd: Did not receive identification string from .+
sshd ^sshd: Read error from remote host .+: .+
sshd ^sshd: Could not write ident string to .+
sshd ^sshd: scanned from .+ with .+\. Don't panic\.
sshd ^sshd: Connection from (.+)
sshd ^sshd: Connection closed (.+)
sshd ^sshd: Closing connection (.+)
sshd ^sshd: Found matching (.+) key: (.+)
# Successful logins, all to the weekly digest.
sshd ^sshd: Accepted rsa for .+ from .+ port (.+)
sshd ^sshd: Accepted publickey for .+ from .+ port (.+) .+
sshd ^sshd: Accepted keyboard-interactive/pam for .+ from .+ port (.+)
sshd ^sshd: Accepted password for .+ from .+ port (.+) .+
# NOTE(review): direct root sessions are routed to the weekly digest like any
# other login; if root over ssh is not expected on this host, "sshd_crit" is
# the better queue for these two rules.
sshd ^sshd\(pam_unix\): session opened for user root by root\(uid=0\)
sshd ^sshd\(pam_unix\): session opened for user root by \(uid=0\)
sshd ^sshd\(pam_unix\): session closed for user (.+)
sshd ^sshd\(pam_unix\): session opened for user (.+)
#CATCHALL:sshd ^sshd:
group_end

# sftp-server file-operation logging (shares the sshd queue).
group ^sftp-server:
sshd ^sftp-server: Starting sftp-server logging for user (.+)\.
# Trailing "." is unescaped here (matches any character); harmless but inconsistent.
sshd ^sftp-server: bad value .+ for SFTP_UMASK, turning umask control off.
# Path arguments are masked so the digest lists operation types, not file names.
sshd ^sftp-server: opendir (.+)
sshd ^sftp-server: readlink (.+)
sshd ^sftp-server: realpath (.+)
sshd ^sftp-server: reading file
sshd ^sftp-server: writing file
sshd ^sftp-server: remove file (.+)
sshd ^sftp-server: open (.+)
sshd ^sftp-server: rename old (.+) new (.+)
sshd ^sftp-server: mkdir (.+)
sshd ^sftp-server: process_setstat: utimes
sshd ^sftp-server: sftp-server finished\.
#CATCHALL:sshd ^sftp-server:
group_end

## Wolfram Schlich
## STunnel
set queue stunnel tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue stunnel_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^stunnel:
trash ^stunnel: Connection closed: (.+) bytes sent to SSL, (.+) bytes sent to socket
stunnel_crit ^stunnel: Connection reset: (.+) bytes sent to SSL, (.+) bytes sent to socket
stunnel_crit ^stunnel: SSL_read: .+: error:.+:SSL routines:SSL3_READ_BYTES:reason\(.+\)
stunnel_crit ^stunnel: Failed to initialize remote connection
# NOTE(review): "\(+\)" means one or more literal "(" followed by ")", so a
# line ending in "Connection refused (<errno>)" does not match and this rule
# is presumably dead; "\(.+\)" looks intended - confirm against a real log line.
stunnel_crit ^stunnel: remote connect .+ \(.+:.+\): Connection refused \(+\)
stunnel ^stunnel: readsocket: Connection reset by peer \(.+\)
stunnel ^stunnel: .+ connected from (.+):(.+)
group_end

## Wolfram Schlich
## ISC BIND nameserver
set queue named tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue named_svc tenshi@localhost sysadmin@localhost [now] tenshi service report
set queue named_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^named:
trash ^named: using (.+) CPU.*
trash ^named: no IPv[46] interfaces found
# Service lifecycle (start/stop/listen) goes to the immediate "service" queue.
named_svc ^named: starting BIND (.+)
named_svc ^named: running
named_svc ^named: listening on IPv[46] interface .+, .+#.+
named_svc ^named: no longer listening on
named_svc ^named: stopping command channel on
named_svc ^named: shutting down
named_svc ^named: exiting
named_svc ^named: command channel listening on .+#.+
named_svc ^named: loading configuration from '.+'
named_crit ^named: loading configuration: unexpected token
named_crit ^named: set maximum open files to -1: permission denied
named_crit ^named: zone .+/.+: loading .+ file .+: .+
named_crit ^named: dns_master_load: .+:.+: .+: .+
named_crit ^named: dispatch .+: shutting down due to TCP receive error: connection reset
named_crit ^named: .+:.+: expected IP address near '.+'
# Client-side events; the client port after "#" is masked. Denied dynamic
# updates and bad zone-transfer requests are reconnaissance / tampering
# indicators that currently only reach the weekly digest.
named ^named: client .+#(.+): updating zone '.+/.+': update failed: '.+' prerequisite not satisfied \(.+\)
named ^named: client .+#(.+): update '.+/.+' denied
named ^named: client .+#(.+): error sending response: host unreachable
named ^named: client .+#(.+): bad zone transfer request: '.+/.+': .+
named ^named: zone (.+)/.+: loaded serial (.+)
named ^named: zone (.+)/.+: sending notifies \(serial (.+)\)
named ^named: lame server resolving '.+' \(in '.+'\?\): .+#.+
named ^named: enforced delegation-only for '.+' \(.+\)
named ^named: zone .+/.+: cannot refresh: no masters
named ^named: client .+#(.+): transfer of '.+/.+': AXFR started
#CATCHALL:named ^named:
group_end

## Wolfram Schlich
## ISC DHCP daemon
set queue dhcpd tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue dhcpd_svc tenshi@localhost sysadmin@localhost [now] tenshi service report
set queue dhcpd_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^dhcpd:
trash ^dhcpd: All rights reserved
trash ^dhcpd: Copyright
trash ^dhcpd: For info
# Normal lease traffic (offer/ack) is dropped; requests and discovers are kept
# so new clients on the segment still appear in the weekly digest.
trash ^dhcpd: DHCPOFFER
trash ^dhcpd: DHCPACK
dhcpd_svc ^dhcpd: Internet (?:Software|Systems) Consortium DHCP Server V.+
dhcpd_crit ^dhcpd: receive_packet failed on .+:
dhcpd_crit ^dhcpd: .+: temporary name server failure
dhcpd_crit ^dhcpd: DHCPNAK
# A DECLINE means a client saw the offered address already in use - possible
# address conflict or rogue host.
dhcpd_crit ^dhcpd: DHCPDECLINE of .+ from ..:..:..:..:..:.. via .+: .+
dhcpd ^dhcpd: DHCPDISCOVER
dhcpd ^dhcpd: DHCPREQUEST
dhcpd ^dhcpd: DHCPINFORM from .+ via .+
dhcpd ^dhcpd: DHCPRELEASE of .+ from ..:..:..:..:..:.. via .+ \(.+\)
dhcpd ^dhcpd: Wrote
#CATCHALL:dhcpd ^dhcpd:
group_end

## Wolfram Schlich
## VMware
set queue vmware tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue vmware_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^vmnet-dhcpd:
vmware ^vmnet-dhcpd: DHCPREQUEST for .+ from .+ via .+
vmware ^vmnet-dhcpd: DHCPACK on .+ to .+ via .+
vmware ^vmnet-dhcpd: DHCPDISCOVER from .+ via .+
#CATCHALL:vmware ^vmnet-dhcpd:
group_end

## Wolfram Schlich
## ddclient
set queue ddclient tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue ddclient_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^ddclient:
trash ^ddclient: SUCCESS
trash ^ddclient: (?:SENDING|RECEIVE|CONNECT|CONNECTED|INFO|UPDATE)
ddclient_crit ^ddclient: WARNING
ddclient_crit ^ddclient: FAILED
#CATCHALL:ddclient ^ddclient:
group_end

## Wolfram Schlich
## ARPwatch
set queue arpwatch tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue arpwatch_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^arpwatch:
trash ^arpwatch: listening on (.+)
## dns02.manitu.net
# Site-specific suppression of a known flip-flopping host (dots escaped here,
# unlike the firewall whitelist above). Review whether it is still needed.
trash ^arpwatch: flip flop 217\.11\.49\.200
arpwatch_crit ^arpwatch: exiting
arpwatch_crit ^arpwatch: chdir\(.+\): No such file or directory
arpwatch_crit ^arpwatch: \(using current working directory\)
arpwatch_crit ^arpwatch: pcap_loop: recvfrom: Network is down
# NOTE(review): "flip flop", "changed ethernet address" and "ethernet mismatch"
# are arpwatch's ARP-spoofing indicators; they currently wait for the weekly
# digest. Consider arpwatch_crit if the monitored segment matters.
arpwatch ^arpwatch: flip flop .+ .+:.+:.+:.+:.+:.+ \(.+:.+:.+:.+:.+:.+\)
arpwatch ^arpwatch: reused old ethernet address .+ .+:.+:.+:.+:.+:.+ \(.+:.+:.+:.+:.+:.+\)
arpwatch ^arpwatch: changed ethernet address .+ .+:.+:.+:.+:.+:.+ \(.+:.+:.+:.+:.+:.+\)
arpwatch ^arpwatch: ethernet mismatch .+ .+:.+:.+:.+:.+:.+ \(.+:.+:.+:.+:.+:.+\)
arpwatch ^arpwatch: hostname changed .+ .+:.+:.+:.+:.+:.+ (?:.+)? -> .+
arpwatch ^arpwatch: .+:.+:.+:.+:.+:.+ sent bad addr len \(hard .+, prot .+\)
arpwatch ^arpwatch: bogon .+ .+:.+:.+:.+:.+:.+
arpwatch ^arpwatch: new station .+ .+:.+:.+:.+:.+:.+
arpwatch ^arpwatch: new activity .+ .+:.+:.+:.+:.+:.+
arpwatch ^arpwatch: report: pausing \(.+\)
#CATCHALL:arpwatch ^arpwatch:
group_end

## Wolfram Schlich
## XINETD
set queue xinetd tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue xinetd_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^xinetd:
xinetd_crit ^xinetd: Error parsing attribute server - DISABLING SERVICE \[file=.+\] \[line=.+\]
xinetd_crit ^xinetd: Port not specified and can't find service:.+ with getservbyname
xinetd_crit ^xinetd: Failed to contact identity server at .+: .+
xinetd_crit ^xinetd: can't connect to remote host .+: .+
xinetd_crit ^xinetd: Exiting\.\.\.
xinetd ^xinetd: removing .+
xinetd ^xinetd: Reading included configuration file: .+ \[file=.+\] \[line=.+\]
xinetd ^xinetd: Server .+ is not executable \[file=.+\] \[line=.+\]
xinetd ^xinetd: Started working: .+ available services
xinetd ^xinetd: xinetd Version .+ started with .+ options compiled in\.
xinetd ^xinetd: START: (.+) pid=(.+) from=(.+) xinetd ^xinetd: EXIT: (.+) (?:status|signal)=(.+) pid=(.+) duration=(.+)\(sec\) xinetd ^xinetd: USERID: .+ (?:UNIX|OTHER) : .+ xinetd ^xinetd: FAIL: .+ load from=.+ xinetd ^xinetd: refused connect from .+ due to excessive load xinetd ^xinetd: Bad line received from identity server at .+: .+, .+ : .+ : .+ xinetd ^xinetd: identd server reply missing ending CR-LF xinetd ^xinetd: warning: can't get client address: .+ #CATCHALL:xinetd ^xinetd: group_end ## Wolfram Schlich ## Cyrus SASL set queue sasl tenshi@localhost sysadmin@localhost [0 8 * * 1] set queue sasl_svc tenshi@localhost sysadmin@localhost [now] tenshi service report set queue sasl_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report group ^sasl(?:authd|passwd2): sasl_svc ^saslauthd: server_exit.+: master exited: .+ sasl_svc ^saslauthd: ipc_init.+: listening on socket: (.+) sasl_svc ^saslauthd: detach_tty.+: master pid is: (.+) sasl_crit ^saslauthd: do_auth(.*): auth failure: \[user=.*\] \[service=.*\] \[realm=.*\] \[mech=.*\] \[reason=.*\] sasl_crit ^saslauthd: DEBUG: auth_pam: pam_authenticate failed: Authentication failure sasl_crit ^saslauthd: do_request.+: NULL password received sasl_crit ^saslpasswd2: error deleting entry from sasldb: .+: .+ sasl_crit ^saslpasswd2: Couldn't delete entry in .+: gdbm_errno=.+ sasl_crit ^saslpasswd2: auxpropfunc error invalid parameter supplied sasl_crit ^saslpasswd2: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: .+ sasl ^saslpasswd2: setpass succeeded for login #CATCHALL:sasl ^saslauthd: group_end ## Wolfram Schlich ## Postfix MTA set queue postfix tenshi@localhost sysadmin@localhost [0 8 * * 1] set queue postfix_svc tenshi@localhost sysadmin@localhost [now] tenshi service report set queue postfix_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report group ^postfix/ postfix_svc ^postfix/postfix-script: starting the Postfix mail system postfix_svc ^postfix/postfix-script: 
stopping the Postfix mail system postfix_svc ^postfix/postfix-script: refreshing the Postfix mail system postfix_svc ^postfix/master: terminating postfix_svc ^postfix/master: daemon started postfix_svc ^postfix/master: reload configuration postfix_svc ^postfix/master: warning: .+: bad command startup -- throttling postfix_svc ^postfix/master: warning: process .+ pid (.+) exit status .+ postfix_svc ^postfix/master: warning: process .+ pid (.+) killed by signal .+ postfix_crit ^postfix/.+: warning: database .+ is older than source file .+ postfix_crit ^postfix/.+: table .+ has changed -- restarting postfix_crit ^postfix/postfix-script: fatal: usage: postfix_crit ^postfix/postdrop: warning: postfix_crit ^postfix/postmap: fatal: open .+: No such file or directory postfix_crit ^postfix/postmap: fatal: usage: (.+) postfix_crit ^postfix/postsuper: Deleted: .+ message postfix_crit ^postfix/postsuper: (.+): removed postfix_crit ^postfix/smtpd: fatal: postfix_crit ^postfix/local: (.+): to=<(.*)>, relay=local, delay=(.+), status=(?:deferred|bounced) \(.+\) postfix_crit ^postfix/qmgr: warning: backward time jump detected -- slewing clock postfix_crit ^postfix/qmgr: warning: backward time jump recovered -- back to normality postfix_crit ^postfix/qmgr: warning: premature end-of-input on private/smtp socket while reading input attribute name postfix_crit ^postfix/qmgr: warning: private/smtp socket: malformed response postfix_crit ^postfix/qmgr: warning: transport smtp failure -- see a previous warning/fatal/panic logfile record for the problem description postfix_crit ^postfix/pickup: warning: .+: message has been queued for .+ days postfix_crit ^postfix/sendmail: fatal: display queue mode requires no recipient postfix_crit ^postfix/trivial-rewrite: warning: do not list domain .+ in BOTH virtual_alias_domains and relay_domains postfix ^postfix/cleanup: (.+): message-id=(.+) postfix ^postfix/cleanup: (.+): resent-message-id=(.+) postfix ^postfix/cleanup: warning: (.+): queue file 
size limit exceeded postfix ^postfix/nqmgr: (.+): from=<(.*)>, size=(.+), nrcpt=(.+) \(queue active\) postfix ^postfix/nqmgr: (.+): removed postfix ^postfix/qmgr: (.+): from=<(.*)>, size=(.+), nrcpt=(.+) \(queue active\) postfix ^postfix/qmgr: (.+): removed postfix ^postfix/qmgr: (.+): skipped, still being delivered postfix ^postfix/qmgr: (.+): to=<(.*)>, relay=none, delay=.+, status=deferred \(.+\) postfix ^postfix/qmgr: (.+): from=<(.*)>, status=expired, returned to sender postfix ^postfix/smtpd: .+:error:.+:SSL routines: postfix ^postfix/smtpd: warning: .+\[.+\]: SASL .+ authentication failed postfix ^postfix/smtpd: warning: SASL authentication failure: Password verification failed postfix ^postfix/smtpd: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: .+ postfix ^postfix/smtpd: auxpropfunc error no mechanism available postfix ^postfix/smtpd: .+ option missing postfix ^postfix/smtpd: SSL_accept error from .+\[.+\]: .+ postfix ^postfix/smtpd: warning: Read failed in .+ with errno=.+: num_read=.+, want_read=.+ postfix ^postfix/smtpd: warning: .+: RBL lookup error: Host or domain name not found. Name service error for name=.+ type=A: Host not found, try again postfix ^postfix/smtpd: warning: Illegal address syntax from (.+)\[(.+)\] in MAIL command: .+ postfix ^postfix/smtpd: warning: (.+)\[(.+)\] sent non-SMTP command: .+ postfix ^postfix/smtpd: warning: smtpd_peer_init: .+: hostname .+ verification failed: .+ postfix ^postfix/smtpd: warning: smtpd_peer_init: .+: address not listed for hostname .+ postfix ^postfix/smtpd: warning: numeric result .+ in address->name lookup for .+ postfix ^postfix/smtpd: timeout after .+ from (.+)\[(.+)\] postfix ^postfix/smtpd: too many errors after .+ from .+\[.+\] postfix ^ postfix ^postfix/smtpd: connect from (.+)\[(.+)\] postfix ^postfix/smtpd: (.+): client=(.+)\[(.+)\](?:, sasl_method=(.+), sasl_username=.+)? 
postfix ^postfix/smtpd: lost connection after .+ from (.+)\[(.+)\] postfix ^postfix/smtpd: disconnect from (.+)\[(.+)\] postfix ^postfix/smtpd: setting up TLS connection from (.+)\[(.+)\] postfix ^postfix/smtpd: TLS connection established from (.+)\[(.+)\]: (?:TLSv1|SSLv3) with cipher (.+) \((.+)/(.+) bits\) postfix ^postfix/smtpd: Verified: subject_CN=(.*), issuer=(.*) postfix ^postfix/smtpd: verify error:num=.+:.+ postfix ^postfix/smtpd: Peer verification: CommonName in certificate does not match: .* != .* postfix ^postfix/smtpd: Unverified: subject_CN=(.*), issuer=(.*) postfix ^postfix/smtpd: Peer certficate could not be verified postfix ^postfix/smtpd: cert has expired postfix ^postfix/smtpd: (?:(?:NOQUEUE|.+): )?reject: (?:RCPT|VRFY) from (.+)\[(.+)\]: [45][0-9][0-9] (.+); from=<(.*)> to=<(.+)> proto=E?SMTP helo=<(.+)> postfix ^postfix/smtpd: fingerprint=(..):(..):(..):(..):(..):(..):(..):(..):(..):(..):(..):(..):(..):(..):(..):(..) postfix ^postfix/smtp: (.+): to=<.+>(?:, orig_to=<.+>)?, relay=(?:none|.+\[.+\]), delay=(.+), status=(?:deferred|bounced) \(.+\) postfix ^postfix/smtp: connect to .+\[.+\]: server dropped connection without sending the initial SMTP greeting \(port .+\) postfix ^postfix/smtp: connect to (.+)\[(.+)\]: Connection refused \(port .+\) postfix ^postfix/smtp: connect to (.+)\[(.+)\]: Connection timed out \(port .+\) postfix ^postfix/smtp: connect to (.+)\[(.+)\]: read timeout \(port .+\) postfix ^postfix/smtp: connect to (.+)\[(.+)\]: No route to host \(port .+\) postfix ^postfix/smtp: connect to (.+)\[(.+)\]: Network is unreachable \(port .+\) postfix ^postfix/smtp: (.+): host .+\[.+\] refused to talk to me: .+ postfix ^postfix/smtp: (.+): to=<(.+)>(?:, orig_to=<.+>)?, relay=(.+)\[(.+)\], delay=(.+), status=sent \((.+)\) postfix ^postfix/smtp: SSL_connect error to (.+): (.+) postfix ^postfix/smtp: warning: Read failed in .+ with errno=.+: num_read=.+, want_read=.+ postfix ^postfix/smtp: warning: (.+)\[(.+)\] offered AUTH option multiple 
times postfix ^postfix/smtp: warning: host (.+)\[(.+)\] replied to HELO/EHLO with my own hostname .+ postfix ^postfix/smtp: warning: host (.+)\[(.+)\] greeted me with my own hostname .+ postfix ^postfix/smtp: warning: numeric domain name in resource data of MX record for .+: .+ postfix ^postfix/smtp: Host offered STARTTLS: \[.+\] postfix ^postfix/smtp: setting up TLS connection to (.+) postfix ^postfix/smtp: TLS connection established to (.+): (?:TLSv1|SSLv3) with cipher (.+) \((.+)/(.+) bits\) postfix ^postfix/smtp: Verified: subject_CN=(.+), issuer=(.+) postfix ^postfix/smtp: Peer verification: CommonName in certificate does not match: .* != .* postfix ^postfix/smtp: Peer certficate could not be verified postfix ^postfix/smtp: verify error:num=.+:.+ postfix ^postfix/smtp: Unverified: subject_CN=(.*), issuer=(.*) postfix ^postfix/smtp: cert has expired postfix ^postfix/smtp: .+: host (.+)\[(.+)\] said: [45][0-9][0-9] .+ postfix ^postfix/smtp: .+: conversation with (.+)\[(.+)\] timed out while sending .+ postfix ^postfix/local: (.+): to=<(.+)>, relay=local, delay=(.+), status=sent \((.+)\) postfix ^postfix/pickup: (.+): uid=(.+) from=<(.*)> #CATCHALL:postfix_crit ^postfix/postfix-script: #CATCHALL:postfix_crit ^postfix/smtpd: warning: #CATCHALL:postfix ^postfix/master: #CATCHALL:postfix ^postfix/smtpd: #CATCHALL:postfix ^postfix/smtp: #CATCHALL:postfix ^postfix/local: #CATCHALL:postfix ^postfix/pickup: #CATCHALL:postfix ^postfix/nqmgr: #CATCHALL:postfix ^postfix/qmgr: #CATCHALL:postfix ^postfix/cleanup: #CATCHALL:postfix ^postfix/ group_end ## Wolfram Schlich ## Postfix Greylisting Daemon set queue postgrey tenshi@localhost sysadmin@localhost [0 8 * * 1] tenshi report set queue postgrey_svc tenshi@localhost sysadmin@localhost [now] tenshi service report set queue postgrey_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report group ^postgrey: postgrey_svc ^postgrey: Process Backgrounded postgrey_svc ^postgrey: ..../../..-..:..:.. 
postgrey \(type Net::Server::Multiplex\) starting! pid\((.+)\) postgrey_svc ^postgrey: Setting uid to ".+" postgrey_svc ^postgrey: Setting gid to ".+" postgrey_svc ^postgrey: Binding to TCP port .+ on host .+ postgrey ^postgrey: cleaning up old entries\.\.\. postgrey ^postgrey: cleaning up old logs\.\.\. postgrey ^postgrey: postgrey: cleaning .+ database finished. before: .+, after: .+ postgrey ^postgrey: delayed (.+) seconds: client=(.+), from=(.*), to=(.+) postgrey ^postgrey: whitelisted: (.+) group_end ## Wolfram Schlich ## Sendmail set queue sendmail tenshi@localhost sysadmin@localhost [0 8 * * 1] set queue sendmail_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report group ^sendmail: sendmail ^sendmail: (.+): to=(.+),(.+)relay=(.+),(.+)stat=Sent(.+) sendmail ^sendmail: (.+): to=(.+),(.+)relay=(.+),(.+)stat=Sent sendmail ^sendmail: (.+): from=(.+),(.+)relay=(.+) sendmail ^sendmail: STARTTLS=client(.+) sendmail ^sendmail group_end group ^sm-mta: trash ^sm-mta:.+User unknown sendmail ^sm-mta: (.+): to=(.+),(.+)delay=(.+) sendmail ^sm-mta: (.+): to=(.+),(.+)relay=(.+),(.+)stat=Sent(.+) sendmail ^sm-mta: (.+): to=(.+),(.+)relay=(.+),(.+)stat=Sent sendmail ^sm-mta: (.+): to=(.+),(.+)relay=local(.+)stat=Sent(.+) sendmail ^sm-mta: (.+): to=(.+),(.+)relay=local(.+)stat=Sent sendmail ^sm-mta: (.+): to=(.+),(.+)stat=Sent(.+) sendmail ^sm-mta: (.+): to=(.+),(.+)stat=Sent sendmail ^sm-mta: (.+): from=(.+),(.+)relay=local(.+) sendmail ^sm-mta: (.+): from=(.+),(.+)relay=(.+) sendmail ^sm-mta: STARTTLS=server(.+) sendmail ^sm-mta: STARTTLS=client(.+) sendmail ^sm-mta: ETRN sendmail ^sm-mta group_end ## Wolfram Schlich ## sSMTP set queue ssmtp tenshi@localhost sysadmin@localhost [0 8 * * 1] set queue ssmtp_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report group ^sSMTP: ssmtp ^sSMTP: Sent mail for (.+) \((.+)\) #ssmtp ^sSMTP: #ssmtp_crit ^sSMTP: group_end ## Wolfram Schlich ## Fetchmail POP/IMAP mail retrieval amd delivery agent set queue 
fetchmail tenshi@localhost sysadmin@localhost [0 8 * * 1] set queue fetchmail_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report group ^fetchmail: trash ^fetchmail:.+flushed trash ^fetchmail: awakened at trash ^fetchmail: sleeping at fetchmail_crit ^fetchmail: starting fetchmail (.+) daemon fetchmail_crit ^fetchmail: restarting fetchmail \(.+ changed\) fetchmail_crit ^fetchmail: terminated with signal .+ fetchmail_crit ^fetchmail: SMTP error: [45][0-9][0-9] .+ fetchmail_crit ^fetchmail: SMTP transaction error while fetching from .+ fetchmail_crit ^fetchmail: SMTP connect to .+ failed fetchmail_crit ^fetchmail: mail from .+ bounced to .+ fetchmail_crit ^fetchmail: Authorization failure on .+(?: \(previously authorized\))? fetchmail_crit ^fetchmail: Authorization OK on .+ fetchmail_crit ^fetchmail: Unknown login or authentication error on .+ fetchmail_crit ^fetchmail: Query status=.+(?: \(.+\))? fetchmail_crit ^fetchmail: client/server protocol error while fetching from .+ fetchmail_crit ^fetchmail: fetchmail: getaddrinfo(.+) fetchmail_crit ^fetchmail: timeout after .+ seconds waiting to connect to server .+ fetchmail_crit ^fetchmail: timeout after .+ seconds waiting for server .+ fetchmail_crit ^fetchmail: socket error while fetching from .+ fetchmail_crit ^fetchmail: fetchlimit .+ reached; .+ messages left on server .+ account .+ fetchmail_crit ^fetchmail: lock busy on server error while fetching from .+ fetchmail_crit ^fetchmail: Lock-busy error on .+ fetchmail_crit ^fetchmail: lock busy! Is another session active\? fetchmail_crit ^fetchmail: \[IN-USE\] .+ lock busy! Is another session active\? \(.+\) fetchmail_crit ^fetchmail: Can't get lock\. Mailbox in use fetchmail_crit ^fetchmail: SSL connection failed\. 
fetchmail_crit ^fetchmail: SIGPIPE thrown from an MDA or a stream socket error fetchmail_crit ^fetchmail: mail from .+ bounced to .+ fetchmail ^fetchmail: couldn't find canonical DNS name of .+ \(.+\) fetchmail ^fetchmail: (.+) message(?:s)? for (.+) at (.+) \((.+) octets\)\. fetchmail ^fetchmail: reading message (.+):(.+) of (.+) \((.+) octets\) #CATCHALL:fetchmail ^fetchmail: group_end ## Wolfram Schlich ## Dovecot IMAP set queue dovecot tenshi@localhost sysadmin@localhost [0 8 * * 1] set queue dovecot_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report group ^(?:dovecot|pop3-login): dovecot_crit ^dovecot: Dovecot .+ starting up dovecot_crit ^dovecot: Killed with signal .+ dovecot ^dovecot: pop3-login: SSL_accept\(\) syscall failed: EOF \[(.+)\] dovecot ^dovecot: pop3-login: Login: user=<(.+)>, method=(.+), rip=(.+), lip=(.+), TLS dovecot ^pop3-login: Login: (.+) \[(.+)\] dovecot ^dovecot: pop3\((.+)\): Logout. top=(.*)/(.*), retr=(.*)/(.*) del=(.*)/(.*), size=(.*) dovecot ^dovecot: pop3-login: Disconnected: Inactivity: rip=(.+), lip=(.+), TLS #CATCHALL:dovecot ^dovecot: group_end ## Wolfram Schlich ## Courier IMAP ## IMAP daemon with SSL set queue courier tenshi@localhost sysadmin@localhost [0 8 * * 1] set queue courier_svc tenshi@localhost sysadmin@localhost [now] tenshi service report set queue courier_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report group ^imapd-ssl: courier_crit ^imapd-ssl: authdaemon: .+ courier_crit ^imapd-ssl: authentication error: .+ courier_crit ^imapd-ssl: chdir Maildir: No such file or directory courier_crit ^imapd-ssl: maildirwatch_started: Input/output error courier_crit ^imapd-ssl: DEBUG: .+, ip=\[.+\] courier_crit ^imapd-ssl: Invalid SASL response courier_crit ^imapd-ssl: malloc: No child processes courier_crit ^imapd-ssl: .+: No such file or directory courier_crit ^imapd-ssl: Check for proper operation and configuration courier_crit ^imapd-ssl: of the File Access Monitor daemon \(famd\)\. 
courier_crit ^imapd-ssl: Failed to create cache file: maildirwatch \(.+\) courier_crit ^imapd-ssl: FAMNextEvent: Input/output error courier_crit ^imapd-ssl: Error: Input/output error courier ^imapd-ssl: Unexpected SSL connection shutdown. courier ^imapd-ssl: couriertls: accept: error:.+:.+:.+:.+ courier ^imapd-ssl: couriertls: accept: Connection timed out courier ^imapd-ssl: couriertls: accept: Connection reset by peer courier ^imapd-ssl: couriertls: read: Connection timed out courier ^imapd-ssl: couriertls: read: Connection reset by peer courier ^imapd-ssl: Connection, ip=\[(.+)\] courier ^imapd-ssl: LOGIN, user=(.+), ip=\[(.+)\], protocol=IMAP courier ^imapd-ssl: LOGIN FAILED, ip=\[.+\] courier ^imapd-ssl: LOGIN FAILED, user=(.+), ip=\[.+\] courier ^imapd-ssl: LOGOUT(?:, user=(.+))?, ip=\[(.+)\](?:, headers=(.+), body=(.+))? courier ^imapd-ssl: DISCONNECTED, user=(.+), ip=\[(.+)\], headers=(.+), body=(.+) courier ^imapd-ssl: TIMEOUT, user=(.+), ip=\[(.+)\], headers=(.+), body=(.+), time=(.+), starttls=(.+) #CATCHALL:courier ^imapd-ssl: group_end ## POP3 daemon with SSL group ^pop3d-ssl: courier_crit ^pop3d-ssl: couriertls: accept: error:.+:.+:.+:.+ courier_crit ^pop3d-ssl: authdaemon: .+ courier_crit ^pop3d-ssl: authentication error: .+ courier ^pop3d-ssl: Unexpected SSL connection shutdown. courier ^pop3d-ssl: Connection, ip=\[(.+)\] courier ^pop3d-ssl: Disconnected, ip=\[(.+)\] courier ^pop3d-ssl: LOGIN, user=(.+), ip=\[(.+)\] courier ^pop3d-ssl: LOGIN FAILED, ip=\[.+\] courier ^pop3d-ssl: LOGIN FAILED, user=(.+), ip=\[.+\] courier ^pop3d-ssl: LOGOUT(?:, user=(.+))?, ip=\[(.+)\](?:, headers=(.+), body=(.+))? 
courier ^pop3d-ssl: DISCONNECTED, user=(.+), ip=\[(.+)\], top=(.+), retr=(.+), time=(.+) #CATCHALL:courier ^pop3d-ssl: group_end ## Auth daemon group ^authdaemond(?:.plain): courier_svc ^authdaemond(?:.plain): modules=".+", daemons=.+ courier_svc ^authdaemond(?:.plain): Installing .+ courier_svc ^authdaemond(?:.plain): Installation complete: .+ courier_svc ^authdaemond(?:.plain): stopping authdaemond children courier_crit ^authdaemond(?:.plain): failed to connect to mysql server \(server=.+, userid=.+\): .+ group_end ## Wolfram Schlich ## UW-IMAP set queue uwimap tenshi@localhost sysadmin@localhost [0 8 * * 1] set queue uwimap_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report group ^ipop3d: uwimap_crit ^ipop3d: Login excessive login failures user=.+ auth=.+ host=.+ \[.+\] uwimap_crit ^ipop3d: AUTHENTICATE LOGIN failure host=(.+) uwimap_crit ^ipop3d: AUTHENTICATE PLAIN failure host=(.+) uwimap_crit ^ipop3d: Login failed uwimap_crit ^ipop3d: Unable to accept SSL connection, host=.+ uwimap_crit ^ipop3d: Killed user=.+ host=(.+) \[(.+)\] uwimap_crit ^ipop3d: Error opening or locking INBOX user=.+ host=(.+) \[(.+)\] uwimap_crit ^ipop3d: Mailbox is open by another process, access is readonly uwimap_crit ^ipop3d: Mailbox vulnerable - directory .+ must have .+ protection uwimap_crit ^ipop3d: Expunge ignored on readonly mailbox uwimap ^ipop3d: Login user=(.+) uwimap ^ipop3d: Logout user=(.+) uwimap ^ipop3d: pop3s SSL service init from (.+) uwimap ^ipop3d: pop3 service init from (.+) uwimap ^ipop3d: Auth user=(.+) uwimap ^ipop3d: Command stream end of file, while reading uwimap ^ipop3d: Command stream end of file while reading uwimap ^ipop3d: Connection reset by peer while reading (authentication|line) user=(.+) host=(?:UNKNOWN|(.+) \[(.+)\]) uwimap ^ipop3d: Moved (.+) bytes of new mail to (.+) from (.+) host=(.+) uwimap ^ipop3d: Trying to get mailbox lock from process (.+) uwimap ^ipop3d: Mailbox (.+) is locked, will override in .+ seconds... 
uwimap ^ipop3d: Autologout user=.+ host=(?:.+ )?\[.+\] uwimap ^ipop3d: PAM pam_putenv: delete non-existent entry; .+ group_end group ^imapd: uwimap_crit ^imapd: Login failed uwimap_crit ^imapd: AUTHENTICATE LOGIN failure host=(.+) uwimap_crit ^imapd: AUTHENTICATE PLAIN failure host=(.+) uwimap ^imapd: imap service init from (.+) uwimap ^imapd: Login user=(.+) uwimap ^imapd: Logout user=(.+) uwimap ^imapd: port (.+) service init from (.+) uwimap ^imapd: imaps SSL service init from (.+) uwimap ^imapd: Command stream end of file, while reading uwimap ^imapd: Command stream end of file while reading uwimap ^imapd: Authenticated user=(.+) #CATCHALL:uwimap ^imapd: Autologout(.+) uwimap ^imapd: group_end ## Wolfram Schlich ## H+BEDV AntiVir MailGate SMTP mail virus scanner set queue avmailgate tenshi@localhost sysadmin@localhost [0 8 * * 1] set queue avmailgate_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report group ^(?:avgate(?:d|fwd)|avmailgate.bin) avmailgate_crit ^(?:avgated|avmailgate.bin): Bad (?:recipient|mail from) address .+: .+ avmailgate_crit ^(?:avgated|avmailgate.bin): Bad (?:recipient|mail from) domain .+: .+ avmailgate_crit ^(?:avgated|avmailgate.bin): MAIL FROM: invalid address avmailgate_crit ^(?:avgated|avmailgate.bin): could not open \(.+\): Permission denied avmailgate_crit ^(?:avgated|avmailgate.bin): Relaying denied for rcpt .+ avmailgate ^(?:avgated|avmailgate.bin): Mail from (?:(.+)@(.+))? to (.+)@(.+) will (?:NOT )?be scanned. 
avmailgate ^(?:avgated|avmailgate.bin): connection from (.+) avmailgate ^(?:avgated|avmailgate.bin): connection to (.+) closed avmailgate ^(?:avgated|avmailgate.bin): spooled to (.+)-(.+) avmailgate ^(?:avgated|avmailgate.bin): configuration file: .+ avmailgate ^(?:avgated|avmailgate.bin): library directory: .+ avmailgate ^(?:avgated|avmailgate.bin): version: .+ avmailgate ^(?:avgated|avmailgate.bin): addressfilter (?:is|not) active avmailgate ^(?:avgated|avmailgate.bin): table order is: .+,.+ avmailgate ^(?:avgated|avmailgate.bin): ready to accept connections on port .+ #CATCHALL:avmailgate ^avgated: avmailgate_crit ^(?:avgatefwd|avmailgate.bin): warning: .+ is deprecated. Please use .+ instead\. avmailgate_crit ^(?:avgatefwd|avmailgate.bin): child\(.+\) failed, exit status=.+ avmailgate_crit ^(?:avgatefwd|avmailgate.bin): Message 'outgoing/qf-.+-.+' control file could not be removed \(.+\) avmailgate_crit ^(?:avgatefwd|avmailgate.bin): Mail bounced to .+ avmailgate ^(?:avgatefwd|avmailgate.bin): Alert! the file "(.+)" contains ".+" .+ avmailgate ^(?:avgatefwd|avmailgate.bin): Potential malicious code has been found - mail will be blocked. avmailgate ^(?:avgatefwd|avmailgate.bin): (?:Virus )?Scanner will process message 'incoming/qf-(.+)-(.+)'\. avmailgate ^(?:avgatefwd|avmailgate.bin): Message '(?:outgoing/df-)?(.+)-(.+)' successfully forwarded to: .+ avmailgate ^(?:avgatefwd|avmailgate.bin): Message '(?:outgoing/xf-)?(.+)-(.+)' scheduled for delivery now\. avmailgate ^(?:avgatefwd|avmailgate.bin): Message '(?:incoming/xf-)?(.+)-(.+)' scheduled for scanning now\. avmailgate ^(?:avgatefwd|avmailgate.bin): detected worm - not sending notice mail\(s\) to sender and/or recipient\(s\)! avmailgate ^(?:avgatefwd|avmailgate.bin): All or some files in archive are encrypted! 
avmailgate ^(?:avgatefwd|avmailgate.bin): configuration file: .+ avmailgate ^(?:avgatefwd|avmailgate.bin): engine version: .+ avmailgate ^(?:avgatefwd|avmailgate.bin): library directory: .+ avmailgate ^(?:avgatefwd|avmailgate.bin): proxy is active avmailgate ^(?:avgatefwd|avmailgate.bin): running in full featured mode avmailgate ^(?:avgatefwd|avmailgate.bin): starting proxy\.\.\. avmailgate ^(?:avgatefwd|avmailgate.bin): version: .+ avmailgate ^(?:avgatefwd|avmailgate.bin): vdf version: .+ #CATCHALL:avmailgate ^avgatefwd: #CATCHALL:avmailgate ^avmailgate.bin group_end ## Wolfram Schlich ## H+BEDV AntiVir set queue antivir tenshi@localhost sysadmin@localhost [0 8 * * 1] set queue antivir_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report group ^antivir: trash ^antivir: AntiVir is up-to-date trash ^antivir: AntiVir successfully updated itself trash ^antivir: reloaded AntiVir mail scanner (?:\(proxy\) )?successfully antivir_crit ^antivir: invalid value ".*" for numeric option ".+", ignored antivir_crit ^antivir: Error: unable to open lock file antivir_crit ^antivir: (?:Warning|Error): unable to load VDF file antivir_crit ^antivir: Error: failed to connect to (.+) \(.+\) antivir_crit ^antivir: Error: failed to retrieve update information antivir_crit ^antivir: Error: failed to download file \(.+\) antivir_crit ^antivir: Error: unable to create directory .+ antivir_crit ^antivir: Error: unexpected HTTP response antivir_crit ^antivir: Error: integrity selftest FAILED antivir_crit ^antivir: Error: unable to initialize backend \(.+\) antivir_crit ^antivir: Error: unable to resolve IP for remote location \(.+\) antivir_crit ^antivir: Error: chmod failed on .+ \(.+\) antivir_crit ^antivir: Error: no executable access \(.+\) antivir_crit ^antivir: Error: file stream unexpectedly ended, attempting resume \(still .+ bytes to go\) antivir_crit ^antivir: Warning: the file "antivir.vdf" is more than 14 days old antivir_crit ^antivir: Warning: trying update using 
current engine: .+ antivir_crit ^antivir: Warning: trying update using current vdf: .+ antivir_crit ^antivir: AntiVir FAILED to update itself antivir_crit ^antivir: AntiVir could not check for updates antivir_crit ^antivir: AntiVir could not check for update information #CATCHALL:antivir_crit ^antivir: Error: antivir ^antivir: Info: received termination signal, shutting down process antivir ^antivir: Info: new versions found, restarting daemon antivir ^antivir: Warning: unable to extract (.+) --> .+ --> .+ \(.+\) \[.+\] antivir ^antivir: AntiVir ALERT: \[(.+)\] (.+) <<< (.+) antivir ^antivir: AntiVir WARNING: File was not completely scanned: (.+) \(.+\) #CATCHALL:antivir ^antivir: group_end ## Wolfram Schlich ## SpamAssassin set queue spamassassin tenshi@localhost sysadmin@localhost [0 8 * * 1] set queue spamassassin_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report group ^spamd: spamassassin_crit ^spamd: spamd starting spamassassin_crit ^spamd: server started on port (.+)/tcp \(running version (.+)\) spamassassin_crit ^spamd: service unavailable: Error fetching user preferences via SQL spamassassin_crit ^spamd: failed to load user \(.+\) scores from SQL database: SQL Error: spamassassin ^result: (.+) scantime=(.+),size=(.+),mid=<(.+)>,autolearn=(.+) spamassassin ^spamd: clean message \(.+/.+\) for (.+):(.+) in (.+) seconds, (.+) bytes\. spamassassin ^spamd: connection from (.+) \[(.+)\] at port (.+) spamassassin ^spamd: processing message \<(.+)\>(?: aka \<(.+)\>)? for (.+):(.+)\. 
spamassassin ^spamd: result: (.+) (.+) (.+) (.*)scantime=(.+),size=(.+),mid=\<(.+)\>,bayes=(.+),autolearn=(.+) group_end ## Wolfram Schlich ## Dante SOCKS Proxy set queue dante tenshi@localhost sysadmin@localhost [0 8 * * 1] set queue dante_svc tenshi@localhost sysadmin@localhost [now] tenshi service report set queue dante_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report group ^sockd: dante_svc ^sockd: sockdexit\(\): terminating dante_svc ^sockd: dante/server v.+ running dante_svc ^sockd: sockdexit\(\): terminating on signal .+ dante_svc ^sockd: sighup\(\) dante_crit ^sockd: recv_io\(\): recvmsg\(\): .+ \(errno = .+\) dante_crit ^sockd: sockshost2sockaddr\(\): gethostbyname\(.+\): .+ dante_crit ^sockd: an internal error was detected at .+:.+ value = .+, version = .+ dante_crit ^sockd: run_request\(\): sending ack to mother failed: .+ \(errno = .+\) dante_crit ^sockd: addressisbindable\(\): can't find interface: .+: .+ \(errno = .+\) dante ^sockd: created new requestchild dante ^sockd: created new iochild dante ^sockd: created new negotiatorchild dante ^sockd: block\((.+)\): tcp/connect \[: username%.+@.+\..+\..+\..+\.(.+) -> .+ dante ^sockd: pass\((.+)\): tcp/connect \]: .+ -> pam%.+@.+\..+\..+\..+\.(.+) -> .+, .+ -> .+ -> .+: Connection refused dante ^sockd: pass\((.+)\): tcp/connect \]: .+ -> pam%.+@.+\..+\..+\..+\.(.+) -> .+, .+ -> .+ -> .+: client closed dante ^sockd: pass\((.+)\): tcp/connect \]: .+ -> pam%.+@.+\..+\..+\..+\.(.+) -> .+, .+ -> .+ -> .+: client error dante ^sockd: pass\((.+)\): tcp/connect \]: .+ -> pam%.+@.+\..+\..+\..+\.(.+) -> .+, .+ -> .+ -> .+: remote closed dante ^sockd: pass\((.+)\): tcp/connect \]: .+ -> pam%.+@.+\..+\..+\..+\.(.+) -> .+, .+ -> .+ -> .+: remote error dante ^sockd: pass\((.+)\): tcp/connect \[: pam%.+@.+\..+\..+\..+\.(.+) -> .+ dante ^sockd: pass\((.+)\): tcp/accept \[: .+\..+\..+\..+\.(.+) -> .+ #CATCHALL:dante ^sockd: #CATCHALL:dante_crit ^sockd: group_end ## Wolfram Schlich ## APC UPS Daemon set 
queue apcupsd tenshi@localhost sysadmin@localhost [0 8 * * 1] set queue apcupsd_svc tenshi@localhost sysadmin@localhost [now] tenshi service report set queue apcupsd_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report group ^apcupsd: trash ^apcupsd: (.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+) apcupsd_svc ^apcupsd: apcupsd .+ (.+ .+ .+) .+ startup succeeded apcupsd_svc ^apcupsd: NIS server startup succeeded apcupsd_svc ^apcupsd: apcupsd exiting, signal .+ apcupsd_svc ^apcupsd: apcupsd shutdown succeeded apcupsd_crit ^apcupsd: Terminating due to configuration file errors\. apcupsd_crit ^apcupsd: (apcupsd )?error shutdown completed apcupsd_crit ^apcupsd: .+: Bogus configuration value .* apcupsd_crit ^apcupsd: (apcupsd )?FATAL ERROR .+ apcupsd_crit ^apcupsd: getupsvar: failed for .+\. apcupsd_crit ^apcupsd: fetch_data: tcp_open failed for (.+) port (.+) apcupsd_crit ^apcupsd: Power failure\. apcupsd_crit ^apcupsd: Running on UPS batteries\. apcupsd_crit ^apcupsd: Mains returned. No longer on UPS batteries\. apcupsd_crit ^apcupsd: Power is back. UPS running on mains\. apcupsd_crit ^apcupsd: Communications with UPS lost\. apcupsd ^apcupsd: Communications with UPS restored\. 
#CATCHALL:apcupsd ^apcupsd: group_end ## Wolfram Schlich ## Network UPS Tools set queue nut tenshi@localhost sysadmin@localhost [0 8 * * 1] set queue nut_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report group ^(?:upsd|newapc): nut_crit ^upsd: Startup successful nut_crit ^upsd: Signal .+: exiting nut_crit ^upsd: Host .+ disconnected \(.+\) nut_crit ^upsd: Can't connect to UPS \[.+\] \(.+\): .+ nut_crit ^upsd: Data for UPS \[.+\] is stale - check driver nut_crit ^newapc: Communication with UPS lost nut_crit ^newapc: Serial port read timed out nut ^newapc: Serial port read ok again nut ^newapc: Startup successful nut ^newapc: Signal 15: exiting nut ^upsd: Connected to UPS \[.+\]: .+ nut ^upsd: Connection from .+ nut ^upsd: Client on .+ logged out group_end ## Wolfram Schlich ## APC UPS Network Management Card set queue apcupsnmc tenshi@localhost sysadmin@localhost [0 8 * * 1] set queue apcupsnmc_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report group ^UPS: apcupsnmc ^UPS: Passed internal self-test\. .+ #CATCHALL:apcupsnmc ^UPS: group_end ## Wolfram Schlich ## vacation set queue vacation tenshi@localhost sysadmin@localhost [0 8 * * 1] group ^vacation: vacation ^vacation: vacation: no ".+" line\. 
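#CATCHALL:vacation ^vacation:
group_end

## Wolfram Schlich
## Gentoo rsync mirror
set queue rsync tenshi@localhost sysadmin@localhost [0 8 * * 1]
group ^rsync:
rsync ^rsync: re-rsyncing the gentoo-portage tree
rsync ^rsync: re-rsyncing the gentoo distfiles
#CATCHALL:rsync ^rsync:
group_end

## Wolfram Schlich , Georg Weiss
## NTP daemon
set queue ntpd tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue ntpd_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^ntpd:
# version banner and precision line carry no actionable information
trash ^ntpd: ntpd .+@.+ .+ .+ .+ .+:.+:.+ .+ .+ \(.+\)
trash ^ntpd: precision = .+ usec
# loss of time source, daemon exit, send/adjust failures -> immediate mail
ntpd_crit ^ntpd: no servers reachable
ntpd_crit ^ntpd: ntpd exiting on signal .+
ntpd_crit ^ntpd: sendto\(.+\): Operation not permitted
ntpd_crit ^ntpd: sendto\(.+\): Invalid argument
ntpd_crit ^ntpd: adjtime failed: Invalid argument
ntpd_crit ^ntpd: ntpd: Terminating
ntpd_crit ^ntpd: ntpd: ntp engine exiting
# a new listening interface is reported immediately as well
ntpd_crit ^ntpd: Listening on interface .+, .+#.+
# routine clock discipline -> weekly digest
ntpd ^ntpd: frequency initialized .+ PPM from .+
ntpd ^ntpd: kernel time sync status .+
ntpd ^ntpd: kernel time sync enabled .+
ntpd ^ntpd: kernel time sync disabled .+
ntpd ^ntpd: kernel time discipline status .+
ntpd ^ntpd: synchronized to .+, stratum .+
ntpd ^ntpd: time reset .+
ntpd ^ntpd: signal_no_reset: signal .+ had flags .+
ntpd ^ntpd: peer (.+) now valid
ntpd ^ntpd: adjusting local clock by .+
#CATCHALL:ntpd ^ntpd:
group_end

## Wolfram Schlich
## Mounts
# NOTE(review): mount_crit is declared but no rule in this group routes to it.
set queue mount tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue mount_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^mount
# the "." in mount.smbfs is escaped so it matches only the literal program name
mount ^mount\.smbfs: \[(.+/.+/.+) (.+:.+:.+), (.+)\] (.+):(.+)\((.+)\)
mount ^mount\.smbfs:.+mount\.smbfs: entering daemon mode for service (.+), pid=(.+)
mount ^mount\.smbfs:
group_end

## Wolfram Schlich
## Automount daemon
set queue automount tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue automount_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^automount:
# startup banner: this rule had been broken across two lines and could not match
trash ^automount: starting automounter version (.+), path = (.+), maptype = (.+), mapname = (.+)
trash ^automount: Map argc = .+
trash ^automount: Map argv\[.+\] = .+
trash ^automount: mount\(bind\): Testing if "mount --bind" works correctly\.\.\.
trash ^automount: using kernel protocol version .+
trash ^automount: running expiration on path .+
trash ^automount: expired .+
trash ^automount: parse\((.+)\): gathered options: (.+)
trash ^automount: parse\((.+)\): core of entry: (.+)
trash ^automount: expanded entry: (.+)
trash ^automount: lookup\((.+)\): looking up (.+)
trash ^automount: lookup\((.+)\): (.+) -> (.+)
# mount/lock/umount failures -> immediate mail
automount_crit ^automount: mount\((.+)\): failed to mount .+ \(type .+\) on .+
automount_crit ^automount: >> Can't get .+ lock .+ failed: .+
automount_crit ^automount: >> umount: .+: device is busy
# successful mounts -> weekly digest
automount ^automount: mount\((.+)\): calling (.+)
automount ^automount: mount\((.+)\): mounted (.+) type (.+) on (.+)
automount ^automount: attempting to mount entry (.+)
automount ^automount: do_mount (.+) (.+) type (.+) options (.+) using module (.+)
group_end

## Wolfram Schlich
## Portmapper
group ^portmap:
misc ^portmap:
group_end

## Wolfram Schlich
## NFS
# NOTE(review): nfs_crit is declared but no rule in this group routes to it yet.
set queue nfs tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue nfs_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
# the "." in rpc.mountd / rpc.statd is escaped so it matches only the literal program names
group ^(?:kernel: nfsd|rpc\.(?:mount|stat)d):
# nfs_crit ^...
nfs ^rpc\.mountd: authenticated (?:un)?mount request from .+:(.+) for .+ \(.+\)
nfs ^rpc\.statd: Version .+ Starting
nfs ^rpc\.statd: statd running as root. chown .+ to choose different user
nfs ^rpc\.(?:mount|stat)d: Caught signal .+, un-registering and exiting\.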
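nfs ^kernel: nfsd: unexporting all filesystems
nfs ^kernel: nfsd: last server has exited
group_end

## Wolfram Schlich
## Samba fileserver
# NOTE(review): samba_crit is declared but no rule in this group routes to it.
set queue samba tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue samba_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^[ns]mbd:
# decorative separator lines and empty lines from the Samba log format
trash ^[ns]mbd:\s+[*]+$
trash ^[ns]mbd:\s+$
# Samba debug header "[date time, level, pid=N, effective(uid, gid), real(uid, gid)] file:func(line)"
samba ^[ns]mbd: \[(.+/.+/.+) (.+:.+:.+), (.+), pid=(.+), effective\((.+, .+)\), real\((.+, .+)\)\] .+:.+\(.+\)
samba ^[ns]mbd:
group_end

## Wolfram Schlich
## PPTP daemon (tunnel)
set queue pptpd tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue pptpd_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
# NOTE(review): the group gate is "^pptpd:" but every rule below begins with
# "^pptp: " (a different program name). If tenshi only tests in-group rules
# against lines that match the group regexp, none of these rules can fire.
# Confirm which program actually logs here and align the two prefixes.
group ^pptpd:
pptpd_crit ^pptp: .+ log\[usage:pptp.c:.+\]: pptp called with wrong arguments, program not started\.
pptpd_crit ^pptp: .+ log\[ctrlp_disp:pptp_ctrl.c:.+\]: Received (?:Start|Stop) Control Connection Reply
pptpd_crit ^pptp: .+ log\[ctrlp_disp:pptp_ctrl.c:.+\]: Client connection established\.
pptpd_crit ^pptp: .+ log\[ctrlp_disp:pptp_ctrl.c:.+\]: Received Outgoing Call Reply\.
pptpd_crit ^pptp: .+ log\[ctrlp_rep:pptp_ctrl.c:.+\]: Sent control packet type is .+ '.+'
pptpd_crit ^pptp: .+ log\[pptp_read_some:pptp_ctrl.c:.+\]: read returned zero, peer has closed
pptpd_crit ^pptp: .+ log\[call_callback:pptp_callmgr.c:.+\]: Closing connection
pptpd_crit ^pptp: .+ log\[main:pptp.c:.+\]: The synchronous pptp option is NOT activated
pptpd_crit ^pptp: .+ log\[decaps_gre:pptp_gre.c:.+\]: accepting packet .+
pptpd_crit ^pptp: .+ log\[pptp_conn_close:pptp_ctrl.c:.+\]: Closing PPTP connection
pptpd_crit ^pptp: .+ log\[ctrlp_disp:pptp_ctrl.c:.+\]: Outgoing call established \(call ID .+, peer's call ID .+\)\.
pptpd_crit ^pptp: .+ warn\[decaps_gre:pptp_gre.c:.+\]: short read \(.+\): Protocol not available
pptpd_crit ^pptp: .+ warn\[decaps_hdlc:pptp_gre.c:.+\]: short read \(.+\): Input/output error
pptpd_crit ^pptp: .+ warn\[decaps_hdlc:pptp_gre.c:.+\]: pppd may have shutdown, see pppd log
# NOTE(review): disabled. A bare "^" matches every line that reaches it, so it
# sent everything in this group to the [now] critical queue and made the
# catchall below unreachable. Restore with a real pattern if it was truncated.
#pptpd_crit ^
#CATCHALL:pptpd ^pptp:
group_end

## Wolfram Schlich
## PPP daemon (modem, ISDN, DSL/PPPoE)
set queue pppd tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue pppd_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^ip-(?:up|down)(?:.local)?:
pppd ^ip-(?:up|down)(?:.local)?:
group_end
group ^pppd:
# MTU/MRU tuning and plugin banners carry no actionable information
trash ^pppd: Setting MTU to (.+).
trash ^pppd: Couldn't increase MRU to (.+)
trash ^pppd: Couldn't increase MTU to (.+)
trash ^pppd: .+ plugin version .+ compiled against pppd .+
trash ^pppd: Plugin .+ loaded.
# configuration errors, hangups, link and authentication failures -> immediate mail
pppd_crit ^pppd: unrecognized option '.+'
pppd_crit ^pppd: Failed to open .+: .+
pppd_crit ^pppd: Hangup \(SIGHUP\)
pppd_crit ^pppd: Modem hangup
pppd_crit ^pppd: (?:rcvd|sent) \[(?:CCP|LCP|IPCP) .+ id=.+ .+\]
pppd_crit ^pppd: using channel .+
pppd_crit ^pppd: Removed stale lock on .+ \(pid .+\)
# who started pppd (user and uid) is reported immediately
pppd_crit ^pppd: pppd .+ started by .+, uid .+
pppd_crit ^pppd: Doing disconnect
pppd_crit ^pppd: Connection terminated.
pppd_crit ^pppd: Terminating on signal .+\.
pppd_crit ^pppd: Exit\.
pppd_crit ^pppd: .+: cannot open shared object file: .+
pppd_crit ^pppd: Couldn't load plugin .+
pppd_crit ^pppd: Couldn't get channel number: Transport endpoint is not connected
pppd_crit ^pppd: LCP: timeout sending Config-Requests
pppd_crit ^pppd: PAP authentication failed
pppd_crit ^pppd: Serial link appears to be disconnected\.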
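pppd_crit ^pppd: No response to .+ echo-requests
pppd_crit ^pppd: No response to .+ authenticate-requests
pppd_crit ^pppd: In file .+: unrecognized option '.+'
pppd_crit ^pppd: Protocol-Reject for unsupported protocol .+
pppd_crit ^pppd: Remote message: Tunnel startup failure
pppd_crit ^pppd: Remote message: Authentication failed
pppd_crit ^pppd: Unexpected packet: .+
pppd_crit ^pppd: Failed to negotiate PPPoE connection: .+
# NOTE(review): the "Couldn't get channel number" and "LCP: timeout sending
# Config-Requests" rules that followed here duplicated the copies earlier in
# this group and were dropped; the earlier copies still route to pppd_crit.
# normal session establishment and teardown -> weekly digest
pppd ^pppd: PPP session is .+
pppd ^pppd: Connecting PPPoE socket: (.+)
pppd ^pppd: Connect time (.+) minutes\.
pppd ^pppd: Connect: (.+) <--> (.+)
pppd ^pppd: Got connection: (.+)
pppd ^pppd: LCP terminated by peer
pppd ^pppd: HOST_UNIQ successful match
pppd ^pppd: Sending PADI
pppd ^pppd: PAP authentication succeeded
pppd ^pppd: peer from calling number .+ authorized
pppd ^pppd: local IP address (.+)
pppd ^pppd: remote IP address (.+)
pppd ^pppd: primary DNS address (.+)
pppd ^pppd: secondary DNS address (.+)
pppd ^pppd: Sent (.+) bytes, received (.+) bytes\.
pppd ^pppd: Using interface (.+)
pppd ^pppd: kernel does not support PPP filtering
pppd ^pppd: PPPoE Plugin Initialized
pppd ^pppd: Tag error: .+
#CATCHALL:pppd ^pppd:
group_end

## Wolfram Schlich
## ISDN Voice Answering Machine
set queue ivam2 tenshi@localhost sysadmin@localhost [0 8 * * 1]
group ^ivamd:
# startup, privilege drop and MSN table handling
ivam2 ^ivamd: Starting up ivam2 version .+ <(.+)>\.
ivam2 ^ivamd: Start up complete\.
ivam2 ^ivamd: Path set to '.+'\.
ivam2 ^ivamd: Allocating 2 channels\.
ivam2 ^ivamd: Found user '.+' \(UID .+\) and group '.+' \(GID .+\)\.
ivam2 ^ivamd: Successfully dropped root privileges\.
ivam2 ^ivamd: Lockfile is stale\. Overriding it\.
ivam2 ^ivamd: Loading MSN table '.+'\.
ivam2 ^ivamd: MSN table '.+' successfully read\.
ivam2 ^ivamd: MSN table entry from '.+' matched\.
# "Sucessfully" reproduces the daemon's own spelling; do not correct it here
ivam2 ^ivamd: Sucessfully opened DTMF FIFO '.+'\.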
# ivamd per-channel messages; "[.+]" is the channel tag
ivam2 ^ivamd: \[.+\] Will accept call after .+ rings \(.+ seconds\)\.
ivam2 ^ivamd: \[.+\] Trying to open modem on TTY device \.\.\.
ivam2 ^ivamd: \[.+\] TTY device successfully opened\.
ivam2 ^ivamd: \[.+\] Initializing modem\.
ivam2 ^ivamd: \[.+\] Modem successfully initialised, waiting for calls\.
ivam2 ^ivamd: \[.+\] Listening on '.+'\.
# call handling
ivam2 ^ivamd: \[.+\] Incoming call from \[.+\] to \[.+\]
ivam2 ^ivamd: \[.+\] Accepting call\.
ivam2 ^ivamd: \[.+\] Call accepted for hang up\.
ivam2 ^ivamd: \[.+\] Call accepted, changing to voice mode\.
ivam2 ^ivamd: \[.+\] Voice connection established\.
# child (recording/notification) process lifecycle
ivam2 ^ivamd: \[.+\] Child too slow, output buffer overflow, flushing\.
ivam2 ^ivamd: \[.+\] Waiting for child drain\.
ivam2 ^ivamd: \[.+\] Waiting for child EOF\.
ivam2 ^ivamd: Got child EOF\.
ivam2 ^ivamd: \[.+\] Got child EPIPE\.
ivam2 ^ivamd: Child exited with return code .+\.
ivam2 ^ivamd: Executing child process '.+'\.
ivam2 ^ivamd: child: Found and enabled pipe hack\.
# "Sucessfully" and "Recieved" reproduce the daemon's own spelling; do not correct them here
ivam2 ^ivamd: child: Sucessfully recorded new message '.+' from .+ for MSN .+\.
ivam2 ^ivamd: child: Starting new message notification program \('.+'\)\.
ivam2 ^ivamd: child: Program finished \(return value is .+\)\.
ivam2 ^ivamd: child: .+
# hangup and reinitialisation
ivam2 ^ivamd: \[.+\] Recieved hangup sequence from peer\.
ivam2 ^ivamd: \[.+\] Hanging up\.
ivam2 ^ivamd: \[.+\] Peer hung up prematurely\.
ivam2 ^ivamd: \[.+\] Reinitializing in .+ seconds\.
# failures (all still routed to the weekly ivam2 digest)
ivam2 ^ivamd: \[.+\] Failed to open device: .+
ivam2 ^ivamd: Failed to allocate the requested channels. Got .+ of .+\.
ivam2 ^ivamd: Failed to remove lock file: Permission denied
ivam2 ^ivamd: Failed to remove PID file \(Permission denied\)\.
# shutdown
ivam2 ^ivamd: Shutting down\.
ivam2 ^ivamd: \[.+\] Closing modem\.
ivam2 ^ivamd: Shut down complete\.
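ivam2 ^ivamd: Recieved signal .+
#CATCHALL:ivam2 ^ivamd:
group_end

## Wolfram Schlich
## Watchdog daemon
set queue watchdog tenshi@localhost sysadmin@localhost [0 8 * * 1]
group ^watchdog:
watchdog ^watchdog: starting daemon \((.+)\): .+
#CATCHALL:watchdog ^watchdog:
group_end

## Wolfram Schlich
## Uptime daemon
set queue uptimed tenshi@localhost sysadmin@localhost [0 8 * * 1]
group ^uptimed:
uptimed ^uptimed: created bootid: (.+)
uptimed ^uptimed: milestone: (.+)
uptimed ^uptimed: moving up to position (.+): (.+) day(?:s| ), (.+):(.+):(.+)
uptimed ^uptimed: new uptime record: .+
#CATCHALL:uptimed ^uptimed:
group_end

## Wolfram Schlich
## Horde application framework
# NOTE(review): IMP "FAILED LOGIN" lines only reach the weekly horde digest;
# no immediate queue exists for this group. Consider a horde_crit queue if
# failed webmail logins should be seen sooner.
set queue horde tenshi@localhost sysadmin@localhost [0 8 * * 1]
group ^HORDE:
horde ^HORDE: \[imp\] Login success for .+ \[(.+)\] to \{.+\} \[(.+)\]
horde ^HORDE: \[imp\] Logout for .+ \[(.+)\] from \{.+\} \[(.+)\]
horde ^HORDE: \[imp\] FAILED LOGIN .+ to .+:.+\[.+\] as .+ \[(.+)\]
horde ^HORDE: \[horde\] DB Error: .+
#CATCHALL:horde ^HORDE:
group_end

## Wolfram Schlich
## Bacula backup solution (http://www.bacula.org)
# NOTE(review): bacula is declared but no rule in this group routes to it;
# the daemon name is a capturing group, so it is presumably replaced by the
# mask in reports. Use (?:...) if the daemon name should stay visible.
set queue bacula tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue bacula_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^(bconsole|btape|bls|bacula-dir|bacula-sd|bacula-fd):
bacula_crit ^(bconsole|btape|bls|bacula-dir|bacula-sd|bacula-fd):.+Fatal error: .+
bacula_crit ^(bconsole|btape|bls|bacula-dir|bacula-sd|bacula-fd):.+ERROR TERMINATION
group_end

## Wolfram Schlich
## Mailman
# NOTE(review): mailman is declared but no rule in this group routes to it.
set queue mailman tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue mailman_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^Mailman mail-wrapper:
# this rule had been broken across two lines and could not match
mailman_crit ^Mailman mail-wrapper: Group mismatch error\. .+
mailman_crit ^Mailman mail-wrapper: Usage:.+
group_end

## Wolfram Schlich
## GNOME configuration daemon (gconfd)
# (section heading previously read "Mailman", a copy-paste leftover)
set queue gnome tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue gnome_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^gconfd
gnome_crit ^gconfd \(.+-(.+)\): Failed
gnome ^gconfd \(.+-(.+)\):
group_end

## Wolfram Schlich
## Jabberd2
set queue jabberd2 tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue jabberd2_warn tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue jabberd2_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^jabberd/
# daemon lifecycle, route loss, failed client auth, unknown users -> immediate mail
jabberd2_crit ^jabberd/.+: starting up
jabberd2_crit ^jabberd/.+: shutting down
jabberd2_crit ^jabberd/.+: process id is (.+), written to .+
jabberd2_crit ^jabberd/router: \[.+\] offline
jabberd2_crit ^jabberd/router: \[.+\] default route offline
jabberd2_crit ^jabberd/c2s: \[.+\] auth failed: username=.+, resource=.+
jabberd2_crit ^jabberd/sm: user not found, can't start session: jid=.+
# connection-level errors -> weekly warn digest
jabberd2_warn ^jabberd/c2s: \[.+\] \[.+, port=.+\] error: .+
jabberd2_warn ^jabberd/s2s: \[.+\] \[.+, port=.+\] error: .+
jabberd2_warn ^jabberd/.+: \[.+\] \[.+\] write error: .+ \(.+\)
# routine operation -> weekly digest
jabberd2 ^jabberd/.+: dns lookup for .+ failed
jabberd2 ^jabberd/.+: attempting connection to router at .+, port=.+
jabberd2 ^jabberd/.+: attempting reconnect(?: \(.+ left\))?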
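jabberd2 ^jabberd/.+: connection to router closed
jabberd2 ^jabberd/.+: connection to router established
jabberd2 ^jabberd/.+: \[.+, port=.+\] is being .+ rate limited
jabberd2 ^jabberd/.+: \[.+\] \[.+\] is being .+ rate limited
# router
jabberd2 ^jabberd/router: loaded user table \(.+ users\)
jabberd2 ^jabberd/router: \[(.+), port=(.+)\] listening for incoming connections
jabberd2 ^jabberd/router: \[(.+), port=(.+)\] connect
jabberd2 ^jabberd/router: \[(.+), port=(.+)\] disconnect
jabberd2 ^jabberd/router: \[(.+), port=(.+)\] authenticated as .+
jabberd2 ^jabberd/router: \[(.+)\] online \(bound to (.+), port (.+)\)
jabberd2 ^jabberd/router: \[(.+)\] set as default route
# resolver
jabberd2 ^jabberd/resolver: ready to resolve
jabberd2 ^jabberd/resolver: \[(.+)\] resolved to (.+) \((.+)\)
jabberd2 ^jabberd/resolver: \[.+\] could not be resolved
# c2s (client connections)
jabberd2 ^jabberd/c2s: \[(.+), port=(.+)\] listening for (SSL )?connections
jabberd2 ^jabberd/c2s: initialised auth module '(.+)'
jabberd2 ^jabberd/c2s: ready for connections
jabberd2 ^jabberd/c2s: \[(.+)\] \[(.+), port=(.+)\] connect
jabberd2 ^jabberd/c2s: \[(.+)\] \[(.+), port=(.+)\] disconnect
jabberd2 ^jabberd/c2s: \[(.+)\] configured; realm=\(.+\)
jabberd2 ^jabberd/c2s: \[(.+)\] created user: user=.+; realm=.+
jabberd2 ^jabberd/c2s: \[(.+)\] registration succeeded, requesting user creation: jid=.+
jabberd2 ^jabberd/c2s: \[(.+)\] auth succeeded: username=.+, resource=.+
jabberd2 ^jabberd/c2s: \[(.+)\] requesting session: jid=.+
jabberd2 ^jabberd/c2s: \[(.+)\] password changed: jid=.+
# s2s (server-to-server, dialback)
jabberd2 ^jabberd/s2s: \[(.+), port=(.+)\] listening for connections
jabberd2 ^jabberd/s2s: ready for connections
jabberd2 ^jabberd/s2s: \[(.+), port=(.+)\] connect
jabberd2 ^jabberd/s2s: \[(.+)\] \[(.+), port=(.+)\] incoming connection
jabberd2 ^jabberd/s2s: \[(.+)\] \[(.+), port=(.+)\] outgoing connection
jabberd2 ^jabberd/s2s: \[(.+)\] \[(.+), port=(.+)\] disconnect
# the next rule had been broken across two lines and could not match
jabberd2 ^jabberd/s2s: \[(.+)\] \[(.+), port=(.+)\] sending dialback auth request for route '.+'
jabberd2 ^jabberd/s2s: \[(.+)\] \[(.+), port=(.+)\] received dialback auth request for route '.+'
jabberd2 ^jabberd/s2s: \[(.+)\] \[(.+), port=(.+)\] checking dialback verification from .+: sending (?:in)?valid
jabberd2 ^jabberd/s2s: \[(.+)\] \[(.+), port=(.+)\] dialback for incoming route '.+' timed out
# the closing ")" was inside the capture group; it now sits outside so the id is masked cleanly
jabberd2 ^jabberd/s2s: \[(.+)\] \[(.+), port=(.+)\] incoming stream online \(id (.+)\)
jabberd2 ^jabberd/s2s: \[(.+)\] \[(.+), port=(.+)\] no dialback started
jabberd2 ^jabberd/s2s: \[(.+)\] \[(.+), port=(.+)\] incoming route '.+' is now (?:in)?valid
# "(?:, SSL negotiated)" had no "?" and so was mandatory; the non-SSL form of
# these messages never matched and fell through to the catchall
jabberd2 ^jabberd/s2s: \[(.+)\] \[(.+), port=(.+)\] outgoing route '.+' is now (?:in)?valid(?:, SSL negotiated)?
jabberd2 ^jabberd/s2s: outgoing route '.+' is now (?:in)?valid; destination=.+, port (.+)
jabberd2 ^jabberd/s2s: incoming route '.+' is now (?:in)?valid; source=.+, port (.+)
jabberd2 ^jabberd/s2s: outgoing route '.+' is now (?:in)?valid(?:, SSL negotiated)?
# sm (session manager)
jabberd2 ^jabberd/sm: version: jabberd sm .+
jabberd2 ^jabberd/sm: initialised storage driver '(.+)'
jabberd2 ^jabberd/sm: ready for sessions
jabberd2 ^jabberd/sm: created user: jid=.+
jabberd2 ^jabberd/sm: session started: jid=.+
jabberd2 ^jabberd/sm: session ended: jid=.+
jabberd2 ^jabberd/sm: session replaced: jid=.+
#CATCHALL:jabberd2 ^jabberd/c2s:
#CATCHALL:jabberd2 ^jabberd/s2s:
#CATCHALL:jabberd2 ^jabberd/sm:
#CATCHALL:jabberd2 ^jabberd/resolver:
#CATCHALL:jabberd2 ^jabberd/router:
group_end

## Wolfram Schlich
## sudo
set queue sudo tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue sudo_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^(?:/usr/bin)?sudo:
# failed password attempts are mailed immediately; everything else is digested weekly
sudo_crit ^(?:/usr/bin)?sudo:.*incorrect password attempt
sudo ^(?:/usr/bin)?sudo:
group_end

## Wolfram Schlich
## squid
# NOTE(review): squid_crit is declared but no rule in this group routes to it;
# a child exiting with a non-zero status would be a candidate.
set queue squid tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue squid_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^squid:
squid ^squid: Squid Parent: child process .+ started
# this rule had been broken across two lines and could not match
squid ^squid: Squid Parent: child process .+ exited with status .+
group_end

## Wolfram Schlich
## in.tftpd
# NOTE(review): intftpd_crit is declared but no rule in this group routes to it.
set queue intftpd tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue intftpd_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^in\.tftpd:
intftpd ^in\.tftpd: RRQ from .+ filename .+
group_end

## Wolfram Schlich
## login
# root console logins, PAM authentication failures and unknown users go to the
# critical queue; ordinary session open/close goes to the report queue
group ^login(?:\(pam_unix\))?:
critical ^login\(pam_unix\): session opened for user root by root\(uid=0\)
critical ^login\(pam_unix\): session opened for user root by \(uid=0\)
critical ^login\(pam_unix\): authentication failure; logname=.* uid=0 euid=0 tty=.+ ruser=.* rhost=.*
critical ^login\(pam_unix\): check pass; user unknown
critical ^login: FAILED LOGIN .+ FROM .+ FOR .+, Authentication failure
report ^login\(pam_unix\): session closed for user (.+)
report ^login\(pam_unix\): session opened for user (.+)
group_end

## Wolfram Schlich
## system accounts
# NOTE(review): accounts_crit is declared but no rule in this group routes to it.
set queue accounts tenshi@localhost sysadmin@localhost [0 8 * * 1]
set queue accounts_crit tenshi@localhost sysadmin@localhost [now] tenshi CRITICAL report
group ^(?:gpasswd):
accounts ^gpasswd: add member .+ to group .+ by .+
group_end

## other
report ^passwd\(pam_unix\):
group ^su\(pam_unix\):
root ^su\(pam_unix\): session opened for user root
# NOTE(review): this rule previously ended in "root(.+)", which requires at
# least one character after "root" and so never matched a close message that
# ends at the user name; those lines fell through to the generic report rule
# below. Verify the "$" anchor against the pam_unix format in your logs.
root ^su\(pam_unix\): session closed for user root$
report ^su\(pam_unix\): session opened for user (.+)
report ^su\(pam_unix\): session closed for user (.+)
# NOTE(review): this group_end was missing. Every other group in this file is
# closed; without it the three pager rules and the final catchall below were
# still inside the su group, so (if tenshi only tests in-group rules against
# lines matching the group regexp) kernel Oops lines were never paged and
# "unmatched .*" never saw a line.
group_end
critical,pager ^Oops
critical,pager ^Linux
critical,pager ^init

## default catchall
set queue unmatched tenshi@localhost sysadmin@localhost [0 8 * * 1]
unmatched .*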