Browse Source

Improve ssh local filters for logcheck

Emmanuel Bouthenot 9 years ago
parent
commit
afc8a4f9ea
1 changed files with 6 additions and 1 deletions
  1. 6 1
      roles/common/files/logcheck/sshd_local

+ 6 - 1
roles/common/files/logcheck/sshd_local

@@ -1,7 +1,12 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [-:\.[:alnum:]]+: [[:digit:]]+: (([\.[:alnum:]]+: Auth fail|ok|Goodbye|Bye|Unable to connect using the available authentication methods|) \[preauth\]|disconnected by user)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user .+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for [-:\.[:alnum:]]+ from [-:\.[:alnum:]]+ port [[:digit:]]+ ssh2(|: RSA [:0-9a-f]+)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: (Read from socket|Write) failed: Connection reset by peer \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: (Read from socket|Write) failed: Connection reset by peer( \[preauth\]|)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [-:\.[:alnum:]]+: [[:digit:]]+: .*: reject HostKey: [-:\.[:alnum:]]+ \[preauth\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Too many authentication failures for (invalid user |)[-:\.[:alnum:]]+ from [-:\.[:alnum:]]+ port [[:digit:]]+ ssh2 \[preauth\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Change of username or service not allowed: \([[:alnum:]]+,ssh-connection\) -> \([[:alnum:]]+,ssh-connection\) \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: AuthorizedKeysCommand .+ returned status [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification '.+' from [-:\.[:alnum:]]+ port [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: no matching cipher found: client .+ server .+ \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd: .+: Unable to find key in LDAP for uid '\w+'$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd: .+: ssh key successfully retrieved for uid '\w+'$