
Improve logcheck rules

Emmanuel Bouthenot 9 lat temu
rodzic
commit
441e3483ac

+ 1 - 2
roles/common/files/logcheck/amavisd-new_local

@@ -1,3 +1,2 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) NOTICE: reconnecting in response to: err=[[:digit:]]+, HY000, DBD::mysql::st execute failed: MySQL server has gone away at \(eval [[:digit:]]+\) line [[:digit:]]+, <GEN[[:digit:]]+> line [[:digit:]]+.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed CLEAN \{RelayedOpenRelay\}, <[^>]+> -> <[^>]+>, Message-ID: <[^>]+>, mail_id: [-_[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+, [[:digit:]]+ ms$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed BAD-HEADER-2 \{RelayedOpenRelay,Quarantined\}, <[^>]+> -> <[^>]+>, quarantine: [-/[:alnum:]]+, Message-ID: <[^>]+>, mail_id: [[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+, [[:digit:]]+ ms$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (CLEAN|BAD-HEADER-2) \{(RelayedInbound,?|RelayedOpenRelay,?|Quarantined,)+\}, .+ <[^>]+> -> (<[^>]+>,)+( Queue-ID: [[:alnum:]]+,)?( quarantine: [-/[:alnum:]]+,)? Message-ID: <[^>]+>, mail_id: [-_[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [/[:xdigit:]]+,( dkim_sd=.+,)? [[:digit:]]+ ms$
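Review bot: The flag alternation `\{(RelayedInbound,?|RelayedOpenRelay,?|Quarantined,)+\}` in the new rule no longer matches the `{RelayedOpenRelay,Quarantined}` line that the removed BAD-HEADER-2 rule covered, because the `Quarantined` branch demands a trailing comma while the closing `\}` follows it directly, so those quarantined-mail lines will now be reported instead of ignored. A list form that accepts the flags in any order without a dangling comma avoids this: `\{(RelayedInbound|RelayedOpenRelay|Quarantined)(,(RelayedInbound|RelayedOpenRelay|Quarantined))*\}`. The `.+ ` inserted before the sender address also swallows arbitrary text between the flags and the envelope; if those are presumably the bracketed client/sender address fields, pin the pattern to them, or at least leave a comment saying the looseness is deliberate.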

+ 1 - 0
roles/common/files/logcheck/apache2_local

@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ apache2\[[[:digit:]]+\]: Reloading web server: apache2\.$

+ 3 - 1
roles/common/files/logcheck/dovecot_local

@@ -2,6 +2,8 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)\(.*\): (Connection closed|Disconnected: Logged out) in=[0-9]+ out=[0-9]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (dovecot: )?(imap|pop3|managesieve)-login: (Disconnected|Aborted login) \((disconnected before greeting, waited|no auth attempts in) [0-9]+ secs\): user=<>, rip=[A-F0-9:\.]+, lip=[A-F0-9:\.]+, ((secured|TLS), )?session=<.*>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: Warning: auth client [0-9]+ disconnected with [0-9]+ pending requests: (Connection reset by peer|EOF)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3|managesieve)-login: (Disconnected|Aborted login) \(auth failed, [0-9]+ attempts in [0-9]+ secs\): user=<.+>, method=.+, rip=[A-Z0-9:\.]+, lip=[A-Z0-9:\.]+, session=<.*>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3|managesieve)-login: (Disconnected|Aborted login) \((disconnected before auth was ready, waited|(no auth|auth failed, [0-9]+) attempts in) [0-9]+ secs\): user=<.*>,( method=.+,)? rip=[A-Z0-9:\.]+, lip=[A-Z0-9:\.]+,( secured,)?( TLS: Disconnected,)? session=<.*>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth-worker\([0-9]+\): mysql\(.+\): Connected to database .+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3|managesieve)\(.+\): (Disconnected(:| for inactivity|: Logged out|: Disconnected in IDLE)|Connection closed(:|: Connection reset by peer)) in=[0-9]+ out=[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot: lda\(.+\): msgid=<.+>: saved mail to .+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot: lda\(.+\): sieve: msgid=<.+>: stored mail into mailbox .+$
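Review bot: The rewritten `-login` rule ignores `auth failed, [0-9]+ attempts in [0-9]+ secs` with no bound on the attempt count and now also accepts an empty `user=<>`, so a client that fails several passwords before being disconnected is suppressed together with the benign no-auth timeouts. If these hosts rely on logcheck rather than a separate brute-force tool to surface such attempts, limit the ignore to the single-attempt case, `auth failed, 1 attempts in`, or split the failed-auth case back into its own rule so it can be dropped independently. The `rip=[A-Z0-9:\.]+` class here also differs from the `[A-F0-9:\.]+` used two lines above for the same field; settling on one form keeps the two rules from drifting.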

+ 1 - 0
roles/common/files/logcheck/gogs_local

@@ -0,0 +1 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ gogs\[[[:digit:]]+\]:
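Review bot: The new rule has no `$` anchor and nothing after the `gogs\[[[:digit:]]+\]:` prefix, so it ignores every line gogs ever logs, including any authentication failures and errors that logcheck is deployed to report. Replace it with one anchored rule per routine message actually observed in the logs, each ending in `$`, and if a catch-all really is intended, say so in a comment next to the rule so the next maintainer does not mistake it for an unfinished pattern.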

+ 1 - 0
roles/common/files/logcheck/openvpn_local

@@ -11,3 +11,4 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: UDPv4 link remote: \[AF_INET\].+:.+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: TLS: Initial packet from \[AF_INET\].+:.+, sid=.+ .+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: \[server\] Peer Connection Initiated with \[AF_INET\].+:.+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: Extracted DHCP router address: .+$

+ 1 - 0
roles/common/files/logcheck/postfix_local

@@ -1,3 +1,4 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: warning: hostname .+ does not resolve to address .+(: Name or service not known)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: (Anonymous|(Unt|T)rusted) TLS connection established (to|from) [-\.[:alnum:]]+\[[:\.[:xdigit:]]+\]:([[:digit:]]+:)? TLSv[\.[:digit:]]+ with cipher [-[:alnum:]]+ \([[:digit:]]+/[[:digit:]]+ bits\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: SSL_accept error from [-\.[:alnum:]]+\[[:\.[:xdigit:]]+\]: (lost connection|Connection timed out)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: SSL_accept error from [-\.[:alnum:]]+\[[:\.[:xdigit:]]+\]:([[:digit:]]+:)? Connection reset by peer$
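Review bot: The added `SSL_accept error ... Connection reset by peer` rule duplicates the line above it except for the error text and the optional `:port` field, so the two will drift the next time one is adjusted. Fold it into the existing rule as `SSL_accept error from [-\.[:alnum:]]+\[[:\.[:xdigit:]]+\]:([[:digit:]]+:)? (lost connection|Connection timed out|Connection reset by peer)$`, which also gives the two older cases the optional port they currently lack.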

+ 2 - 1
roles/common/files/logcheck/pure-ftpd_local

@@ -1,5 +1,5 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([?.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Anonymous user logged in$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([?.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] SSL/TLS: Enabled TLSv1/SSLv3 with DHE-RSA-AES128-SHA, 128 secret bits cipher$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([?.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] SSL/TLS: Enabled TLSv1/SSLv3 with .+, [[:digit:]]+ secret bits cipher$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([?.[:alnum:]-]+@[:._[:alnum:]-]+\) \[INFO\] Logout.$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([?.[:alnum:]-]+@[._[:alnum:]-]+\) \[ERROR\] Can't create directory: File exists$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] Restarting at [0-9]+$
@@ -12,3 +12,4 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([?.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Timeout - try typing a little faster next time$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: pam_listfile\(pure-ftpd:auth\): Refused user .+ for service pure-ftpd$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([?.[:alnum:]-]+@[?._[:alnum:]-]+\) \[ERROR\] Unable to identify the local socket: Transport endpoint is not connected$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd\[[[:digit:]]+\]: (Stopp|Start)ing ftp server: (Running: [/[:alnum:]]+)?pure-ftpd
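Review bot: Replacing the pinned `DHE-RSA-AES128-SHA` with `.+` in the SSL/TLS rule means the ignore no longer distinguishes an unexpected or weak cipher from the expected one, so a negotiation of, say, a NULL or export-grade suite would be dropped just as quietly. Cipher policy belongs in pure-ftpd's TLS configuration rather than in logcheck, but the pattern can still be kept tight with `[-[:alnum:]]+` in place of `.+`, which matches OpenSSL-style cipher names and nothing else. The new init-script rule at the end of the file also lacks a `$` anchor, so `Starting ftp server: pure-ftpd` followed by any trailing text is ignored as well.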

+ 1 - 0
roles/common/files/logcheck/rsyslog_local

@@ -2,3 +2,4 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd\-?[[:digit:]]+: action 'action [[:digit:]]+' resumed \(module 'builtin:ompipe'\) \[try http://www.rsyslog.com/e/[[:digit:]]+ \]$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd\-?[[:digit:]]+: action 'action [[:digit:]]+' suspended, next retry is .+ \[try http://www.rsyslog.com/e/[[:digit:]]+ \]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: /dev/xconsole$

+ 1 - 1
roles/common/files/logcheck/sshd_local

@@ -1,6 +1,6 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [-:\.[:alnum:]]+: [[:digit:]]+: (([\.[:alnum:]]+: Auth fail|ok|Goodbye|Bye|Unable to connect using the available authentication methods|) \[preauth\]|disconnected by user|Normal Shutdown, Thank you for playing \[preauth\]|.*: reject HostKey: [-:\.[:alnum:]]+ \[preauth\]|disconnect \[preauth\])$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user .+$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for [-:\.[:alnum:]]+ from [-:\.[:alnum:]]+ port [[:digit:]]+ ssh2(|: RSA [:0-9a-f]+)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for [-:\.[:alnum:]]+ from [-:\.[:alnum:]]+ port [[:digit:]]+ ssh2(|: [RD]SA [:0-9a-f]+)$
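Review bot: Widening the fingerprint branch to `[RD]SA [:0-9a-f]+` still only covers RSA and DSA keys with hex fingerprints; on hosts whose sshd logs ECDSA or ED25519 keys, or the newer `SHA256:` base64 fingerprints, these accepted-login lines will show up as unmatched, which may or may not be what you want (I cannot tell from here which OpenSSH versions the hosts run). If the intent is to ignore all successful key logins, something like `ssh2(|: (RSA|DSA|ECDSA|ED25519) [:/+=[:alnum:]]+)` covers both fingerprint formats. Bear in mind this rule suppresses every successful key login regardless of user or source; some sites prefer to keep `Accepted` lines visible for root or for logins from outside the management network.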
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: (Read from socket|Write) failed: Connection reset by peer( \[preauth\]|)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Too many authentication failures for (invalid user |)[-:\.[:alnum:]]+ from [-:\.[:alnum:]]+ port [[:digit:]]+ ssh2 \[preauth\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Change of username or service not allowed: \([[:alnum:]]+,ssh-connection\) -> \([[:alnum:]]+,ssh-connection\) \[preauth\]$

+ 1 - 2
roles/common/files/logcheck/systemd_local

@@ -1,2 +1 @@
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Start(ed|ing) Cleanup of Temporary Directories\.(\.\.)?$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Start|Stop|Reload)(ed|p?ing) LSB: .+\.(\.\.)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Start|Stopp?|Reload)(ed|ing) (LSB: )?.+\.(\.\.)?$
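Review bot: The merged rule `(Start|Stopp?|Reload)(ed|ing) (LSB: )?.+\.(\.\.)?$` makes `LSB: ` optional and follows it with `.+`, so it now ignores every systemd `Started …`/`Starting …`/`Stopped …`/`Stopping …` line for any unit, not just the LSB init scripts and the tmp-files cleanup the two removed rules covered; an unexpected stop of sshd, a firewall unit or a scheduled job would no longer be reported. Keep the unit set explicit, e.g. `(Start|Stopp?|Reload)(ed|ing) (LSB: .+|Cleanup of Temporary Directories)\.(\.\.)?$`, and add further unit names deliberately as they appear. `Stopp?` combined with `(ed|ing)` also accepts `Stoped` and `Stoping`; `(Started|Starting|Stopped|Stopping|Reloaded|Reloading)` is no longer and exact.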

+ 2 - 0
roles/common/tasks/security.yml

@@ -27,12 +27,14 @@
   with_items:
     - amavisd-new
     - ansible
+    - apache2
     - bind
     - dhclient
     - dnsmasq
     - dovecot
     - dropbear
     - git-daemon
+    - gogs
     - ipmi
     - irqbalance
     - kernel