
Add logcheck rules for amavis, dovecot, postfix and ssh

Emmanuel Bouthenot пре 7 година
родитељ
комит
27da84f261

+ 1 - 1
roles/common/files/logcheck/amavisd-new_local

@@ -1,2 +1,2 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) NOTICE: reconnecting in response to: err=[[:digit:]]+, HY000, DBD::mysql::st execute failed: MySQL server has gone away at \(eval [[:digit:]]+\) line [[:digit:]]+, <GEN[[:digit:]]+> line [[:digit:]]+.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (CLEAN|BAD-HEADER-2) \{(RelayedInbound,?|RelayedOpenRelay,?|Quarantined,)+\}, .+ <[^>]+> -> (<[^>]+>,)+( Queue-ID: [[:alnum:]]+,)?( quarantine: [-/[:alnum:]]+,)? Message-ID: <[^>]+>, mail_id: [-_[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [/[:xdigit:]]+,( dkim_sd=.+,)? [[:digit:]]+ ms$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) (Blocked SPAM|Passed (CLEAN|BAD-HEADER-2)) \{(DiscardedInbound|RelayedInbound,?|RelayedOpenRelay,?|Quarantined,)+\}, .+ <[^>]*> -> (<[^>]+>,)+( Queue-ID: [[:alnum:]]+,)?( quarantine: [-/[:alnum:]]+,)? Message-ID: <[^>]+>, mail_id: [-_[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+,( queued_as: [/[:xdigit:]]+,)?( dkim_sd=.+,)? [[:digit:]]+ ms$
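Review bot: The `Hits:` field in the new rule is still written as a nested quantifier, `Hits: (-?[.[:digit:]]*)+`, where an unbounded repeat sits inside another unbounded repeat; the simpler `Hits: -?[.[:digit:]]+` matches the same score text and is easier to read and to audit. With logcheck's egrep this is unlikely to cost real time, but the nested form gives a reviewer no hint of what value shape is intended. The extension to `Blocked SPAM` and `DiscardedInbound` itself looks consistent with the existing `Passed` cases, since the suppressed line still carries the mail_id and quarantine fields a later investigation would need.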

+ 1 - 1
roles/common/files/logcheck/dovecot_local

@@ -2,7 +2,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)\(.*\): (Connection closed|Disconnected: Logged out) in=[0-9]+ out=[0-9]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (dovecot: )?(imap|pop3|managesieve)-login: (Disconnected|Aborted login) \((disconnected before greeting, waited|no auth attempts in) [0-9]+ secs\): user=<>, rip=[A-F0-9:\.]+, lip=[A-F0-9:\.]+, ((secured|TLS), )?session=<.*>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: Warning: auth client [0-9]+ disconnected with [0-9]+ pending requests: (Connection reset by peer|EOF)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3|managesieve)-login: (Disconnected|Aborted login) \((disconnected before auth was ready, waited|(no auth|auth failed, [0-9]+) attempts in) [0-9]+ secs\): user=<.*>,( method=.+,)? rip=[A-Z0-9:\.]+, lip=[A-Z0-9:\.]+,( secured,)?( TLS: Disconnected,)? session=<.*>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3|managesieve)-login: (Disconnected|Aborted login) \((disconnected before auth was ready, waited|(no auth|auth failed, [0-9]+) attempts in) [0-9]+ secs\): user=<.*>,( method=.+,)? rip=[A-Z0-9:\.]+, lip=[A-Z0-9:\.]+,( secured,)?( TLS( handshaking)?: Disconnected,)? session=<.*>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth-worker\([0-9]+\): mysql\(.+\): Connected to database .+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3|managesieve)\(.+\): (Disconnected(:| for inactivity|: Logged out|: Disconnected in IDLE)|Connection closed(:|: Connection reset by peer)) in=[0-9]+ out=[0-9]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot: lda\(.+\): msgid=<.+>: saved mail to .+$
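Review bot: The modified rule on the new side still suppresses `auth failed, [0-9]+ attempts in [0-9]+ secs` for any attempt count, any `user=<.*>` and any `rip=`, so repeated IMAP/POP3 password failures from a single client never appear in the logcheck report; this predates the commit but is carried into the new line unchanged. Consider bounding the count so that only the common one-or-two-failure case is hidden, for example `(no auth|auth failed, [1-2]) attempts in` (constructed threshold, to be tuned to local noise levels), and leave higher counts visible. The added `TLS( handshaking)?` alternative itself is fine and narrowly scoped.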

+ 2 - 2
roles/common/files/logcheck/postfix_local

@@ -1,4 +1,4 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: warning: hostname .+ does not resolve to address .+(: Name or service not known)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: (Anonymous|(Unt|T)rusted) TLS connection established (to|from) [-\.[:alnum:]]+\[[:\.[:xdigit:]]+\]:([[:digit:]]+:)? TLSv[\.[:digit:]]+ with cipher [-[:alnum:]]+ \([[:digit:]]+/[[:digit:]]+ bits\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: SSL_accept error from [-\.[:alnum:]]+\[[:\.[:xdigit:]]+\]: (lost connection|Connection timed out)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: SSL_accept error from [-\.[:alnum:]]+\[[:\.[:xdigit:]]+\]:([[:digit:]]+:)? Connection reset by peer$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: SSL_accept error from [-\.[:alnum:]]+\[[:\.[:xdigit:]]+\]:([[:digit:]]+:)? (lost connection|Connection timed out|Connection reset by peer|Broken pipe)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: improper command pipelining after (AUTH|QUIT|HELO) from [-\.[:alnum:]]+\[[:\.[:xdigit:]]+\]: QUIT\\r\\n$
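Review bot: The new pipelining rule hides `improper command pipelining after AUTH ... QUIT\r\n`, which is a signal Postfix emits when a client sends AUTH and QUIT without waiting for the server; that behaviour is presumably more typical of automated credential probing than of real mail clients, so suppressing the AUTH variant removes a useful indicator from the report. If the goal is only to drop the benign HELO/QUIT noise, restrict the group to `(QUIT|HELO)` and keep the AUTH case visible, or add a comment above the rule recording why AUTH was included. The merged SSL_accept rule on the line above it reads well and loses no previously matched variant.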

+ 2 - 1
roles/common/files/logcheck/sshd_local

@@ -1,6 +1,6 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [-:\.[:alnum:]]+: [[:digit:]]+: (([\.[:alnum:]]+: Auth fail|ok|Goodbye|Bye|Unable to connect using the available authentication methods|) \[preauth\]|disconnected by user|Normal Shutdown, Thank you for playing \[preauth\]|.*: reject HostKey: [-:\.[:alnum:]]+ \[preauth\]|disconnect \[preauth\]|.*: Read timed out \[preauth\])$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user .+$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for [-:\.[:alnum:]]+ from [-:\.[:alnum:]]+ port [[:digit:]]+ ssh2(|: [RD]SA [:0-9a-f]+)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for [-:\.[:alnum:]]+ from [-:\.[:alnum:]]+ port [[:digit:]]+ ssh2(|: ([RD]SA|ED25519|ECDA) [:0-9a-f]+)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: (Read from socket|Write) failed: Connection reset by peer( \[preauth\]|)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Too many authentication failures for (invalid user |)[-:\.[:alnum:]]+ from [-:\.[:alnum:]]+ port [[:digit:]]+ ssh2 \[preauth\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Change of username or service not allowed: \([[:alnum:]]+,ssh-connection\) -> \([[:alnum:]]+,ssh-connection\) \[preauth\]$
@@ -10,3 +10,4 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd: .+: Unable to find key in LDAP for uid '\w+'$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd: .+: ssh key successfully retrieved for uid '\w+'$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Postponed publickey for .+ from [-:\.[:alnum:]]+ port [[:digit:]]+ ssh2 \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [-:\.[:alnum:]]+: [[:digit:]]+: (Closed due to user request\.) \[preauth\]$
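Review bot: In the first hunk, the key-type alternation `([RD]SA|ED25519|ECDA)` contains `ECDA`, which looks like a typo for `ECDSA`, the name OpenSSH actually logs for that key type; as written, ECDSA public-key logins will not match and will keep appearing in reports while the other types are suppressed. The fingerprint part `[:0-9a-f]+` also only accepts the colon-separated hex form; newer OpenSSH releases log `SHA256:` followed by base64, so I would expect those lines to fall through as well, which is worth confirming against the installed version before relying on this rule. In the second hunk the group around `(Closed due to user request\.)` has no alternation and can be dropped, `: Closed due to user request\. \[preauth\]$`, which keeps the rule consistent with the neighbouring `Received disconnect` pattern.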