
Add logcheck overrides for dovecot, postfix and ssh

Emmanuel Bouthenot há 10 anos atrás
pai
commit
49b5155096

+ 3 - 3
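--- a/roles/common/files/logcheck/dovecot_local
+++ b/roles/common/files/logcheck/dovecot_local
@@ -1,7 +1,7 @@
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Login: user=<.+>, method=.+, rip=[0-9:\.]+, lip=[0-9:\.]+, mpid=[0-9]+, .+, session=<.+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Login: user=<.+>, method=.+, rip=[A-F0-9:\.]+, lip=[A-F0-9:\.]+, mpid=[0-9]+, .+, session=<.+>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)\(.*\): (Connection closed|Disconnected: Logged out) in=[0-9]+ out=[0-9]+$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (dovecot: )?(imap|pop3|managesieve)-login: (Disconnected|Aborted login) \((disconnected before greeting, waited|no auth attempts in) [0-9]+ secs\): user=<>, rip=[:.0-9]+, lip=[:.0-9]+, ((secured|TLS), )?session=<.*>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (dovecot: )?(imap|pop3|managesieve)-login: (Disconnected|Aborted login) \((disconnected before greeting, waited|no auth attempts in) [0-9]+ secs\): user=<>, rip=[A-F0-9:\.]+, lip=[A-F0-9:\.]+, ((secured|TLS), )?session=<.*>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: Warning: auth client [0-9]+ disconnected with [0-9]+ pending requests: (Connection reset by peer|EOF)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3|managesieve)-login: (Disconnected|Aborted login) \(auth failed, [0-9]+ attempts in [0-9]+ secs\): user=<.+>, method=.+, rip=[:.0-9]+, lip=[:.0-9]+, session=<.*>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3|managesieve)-login: (Disconnected|Aborted login) \(auth failed, [0-9]+ attempts in [0-9]+ secs\): user=<.+>, method=.+, rip=[A-Z0-9:\.]+, lip=[A-Z0-9:\.]+, session=<.*>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth-worker\([0-9]+\): mysql\(.+\): Connected to database .+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3|managesieve)\(.+\): (Disconnected(:| for inactivity|: Logged out|: Disconnected in IDLE)|Connection closed(:|: Connection reset by peer)) in=[0-9]+ out=[0-9]+$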
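Review bot: The `auth failed` rule widens `rip`/`lip` to `[A-Z0-9:\.]+` while the other three rules touched in this hunk use `[A-F0-9:\.]+`; the classes should agree, and both are upper-case-only, so an IPv6 address logged with lower-case hex digits would fall through to the report. The postfix rule changed in this same commit already uses `[:\.[:xdigit:]]+`, which covers both cases; `rip=[:.[:xdigit:]]+, lip=[:.[:xdigit:]]+` in all four rules would keep the two files consistent. Separately, that `auth failed` rule silences `Disconnected (auth failed, N attempts in M secs)` lines, i.e. failed IMAP/POP3/ManageSieve logins, so brute-force attempts against dovecot will no longer surface in logcheck reports; if that is deliberate because something else (e.g. a fail2ban jail) watches these lines, a short `#` comment above the rule saying so would help the next reader — logcheck strips `#` lines from rule files as far as I recall, but confirm before relying on it.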

+ 1 - 1
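--- a/roles/common/files/logcheck/postfix_local
+++ b/roles/common/files/logcheck/postfix_local
@@ -1,2 +1,2 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: warning: hostname .+ does not resolve to address .+(: Name or service not known)?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: (Unt|T)rusted TLS connection established (to|from) [-\.[:alnum:]]+\[[:\.[:xdigit:]]+\]:([[:digit:]]+:)? TLSv[\.[:digit:]]+ with cipher [-[:alnum:]]+ \([[:digit:]]+/[[:digit:]]+ bits\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: (Anonymous|(Unt|T)rusted) TLS connection established (to|from) [-\.[:alnum:]]+\[[:\.[:xdigit:]]+\]:([[:digit:]]+:)? TLSv[\.[:digit:]]+ with cipher [-[:alnum:]]+ \([[:digit:]]+/[[:digit:]]+ bits\)$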
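Review bot: Adding `Anonymous` to the TLS rule suppresses sessions in which the peer was not authenticated at all, and because the rule matches both `postfix/smtpd` and `postfix/smtp` through `smtpd?` and accepts both `to` and `from`, it also hides outbound deliveries that ran over unverified TLS. For inbound that is the normal case (most clients present no certificate), but for outbound it removes the one log line that records whether a remote MX was verified, which matters if any destination is meant to run at a `verify`/`secure` security level. If silencing outbound anonymous sessions is not intended, restrict the new alternative to the inbound direction, e.g. `(Anonymous TLS connection established from|(Unt|T)rusted TLS connection established (to|from))`; otherwise a one-line `#` comment above the rule recording that this is deliberate would do, assuming logcheck drops comment lines as I recall it does.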

+ 1 - 1
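--- a/roles/common/files/logcheck/sshd_local
+++ b/roles/common/files/logcheck/sshd_local
@@ -1,3 +1,3 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Received disconnect from .*: [0-9]+: disconnected by user$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: subsystem request for sftp by user .+$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for \w+ from [-:\.[:alnum:]]+ port [0-9]+ ssh2: RSA [:0-9a-f]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for [[:alnum:]]+ from [-:\.[:alnum:]]+ port [[:digit:]]+ ssh2(|: RSA [:0-9a-f]+)$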
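Review bot: `for [[:alnum:]]+` narrows the username class that `\w+` used to accept — `\w` includes `_`, so a login as e.g. `backup_user` no longer matches and will now be reported; `for [-._[:alnum:]]+` keeps underscores and also covers hyphens and dots that the old rule missed. The new optional tail `(|: RSA [:0-9a-f]+)` only silences RSA keys with a hex fingerprint, so logins with other key types (DSA, ECDSA, ED25519) or with a fingerprint in a different format will still be reported — the noisy rather than the dangerous failure mode, but worth knowing when the report fills up. This rule also silences every successful public-key login including `root`, and the fingerprint it discards is the only part of the line that says which key was used; ERE has no negative lookahead, so if root logins should stay visible the user class has to be narrowed to the expected accounts rather than trying to exclude one name.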