As mentioned earlier, I have a few of these logcheck filters I have created over the past few years. I use Debian and CentOS so other distros may not perfectly match.
These work in conjunction with the default filters, hence their naming scheme of local_<service>.
Dovecot
login, logout, mysql connections, lda delivery, ssl regen
1 2 3 4 5 6 |
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, rip=[.:[:alnum:]\s]+, lip=[.:[:alnum:]\s]+(, mpid=[[:digit:]]+)?(, (TLS( handshake)?|secured))?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)(-login)?(\([-_.@[:alnum:]]+\))?: (Connection closed|Disconnected( for inactivity|: (Logged out|Disconnected in IDLE))) bytes=[[:digit:]]+\/[[:digit:]]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (dovecot: )?((deliver|lda)\([-_.@[:alnum:]]+\)|lda\([-_.@\w]+\)): sieve: msgid=<?[^\(]*>?( \(((added by )?[^[:space:]]+|sfid-[_[:xdigit:]]+)\)?)?[[:space:]]*: (stored mail into mailbox '.*'|marked message to be discarded if not explicitly delivered \(discard action\)|(forwarded to|sent vacation response to|discarding vacation response for message implicitly delivered to|not sending vacation response to system address|discarding vacation response to mailinglist recipient|discarded vacation reply to|discarding vacation response to (auto-submitted|precedence=bulk) message from|discarded duplicate (vacation response|forward) to) <[^[:space:]]*>)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected \(no auth attempts\): rip=[.[:digit:]]+, lip=[.[:digit:]]+(, (TLS|SSL|secured))?.*$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: mysql: Connected to [._[:alnum:]-]+ \(postfix\)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: ssl-params: (Generating )?SSL parameters( regeneration completed)?$ |
local_dovecot (1.5 KiB, 2,001 hits)
Managesieve (part of Dovecot)
login, logout
1 2 |
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ managesieve-login: Login: user=<[_@\.[:alnum:]-]+>, method=[[:alnum:]]+, rip=[[:digit:]\.]+, lip=[[:digit:]\.]+(, mpid=[[:digit:]\.]+)?(, TLS)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ managesieve\([_@\.[:alnum:]-]+\): Disconnected: Logged out bytes=[[:digit:]]+\/[[:digit:]]+$ |
local_managesieve (320 bytes, 1,966 hits)
OpenVPN
login related
1 2 3 |
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: TCP connection established with (\[AF_INET\])?[.[:digit:]]{7,15}:[[:digit:]]{2,5}$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: (Local|Expected Remote) Options String: '[., _[:alnum:]-]+'$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: TCPv4_SERVER link (local \(bound\)|remote): (\[AF_INET\])?[.[:digit:]]{7,15}:[[:digit:]]{2,5}$ |
local_openvpn (506 bytes, 1,956 hits)
PostFWD
statistic log lines: dnsbl, rules, stats, cache, rate
1 |
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfwd\[[[:digit:]]+\]: \[(DNSBL|RULES|STATS|CACHE|RATE)\].*$ |
local_postfwd (104 bytes, 1,892 hits)
ProFTPd mod_ban (optional module)
obtained, detached, removed, showing ban list
1 2 |
^\w{3} [ :[:digit:]]{11} mod_ban\/[[:digit:]\.]+\[[[:digit:]]+\]: (obtained|detached|removed) shmid [[:digit:]]+ for BanTable '[/[:alpha:]\.]+'$ ^\w{3} [ :[:digit:]]{11} mod_ban\/[[:digit:]\.]+\[[[:digit:]]+\]: showing ban lists$ |
local_proftpd-banlog (230 bytes, 1,768 hits)
rSYSlog
start, exit, reload/hup, mark
1 2 3 4 5 6 7 8 |
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: imklog [0-9.]+, log source = /proc/kmsg started.$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging \(proc\) stopped.$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: -- MARK --$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cronmark: -- MARK --$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] start$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] exiting on signal [0-9]+.$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed(, type 'lightweight'.)?$ |
local_rsyslog (954 bytes, 1,862 hits)
OpenSSH
closed user request, closed preauth 127.0.0.1
1 2 |
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [[:digit:]\.]+: [[:digit:]]+: Closed due to user request\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by 127.0.0.1 \[preauth\]$ |
local_ssh (255 bytes, 1,994 hits)
swapspace
allocating, retiring, adding (kernel)
1 2 3 |
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ /usr/sbin/swapspace: Allocating swapfile '[0-9]+' ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ /usr/sbin/swapspace: Retiring swapfile '[0-9]+' ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[0-9\.]+\] Adding [0-9]+k swap on [0-9]+. Priority:-[0-9]+ extents:[0-9]+ across:[0-9]+k SS |
local_swapspace (324 bytes, 1,940 hits)