{"id":901,"date":"2013-09-06T15:27:26","date_gmt":"2013-09-06T15:27:26","guid":{"rendered":"http:\/\/www.nooblet.org\/blog\/?p=901"},"modified":"2013-09-07T10:44:43","modified_gmt":"2013-09-07T10:44:43","slug":"logcheck-various-filters","status":"publish","type":"post","link":"https:\/\/www.nooblet.org\/blog\/2013\/logcheck-various-filters\/","title":{"rendered":"logcheck — various filters"},"content":{"rendered":"

As mentioned earlier<\/a>, I have a few of these logcheck filters I have created over the past few years. I use Debian and CentOS so other distros may not perfectly match.<\/p>\n

These work in conjunction with the default filters, hence their naming scheme of local_<service>.<\/p>\n

Dovecot<\/strong>
\nlogin, logout, mysql connections, lda delivery, ssl regen <\/p>\n

^\\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, rip=[.:[:alnum:]\\s]+, lip=[.:[:alnum:]\\s]+(, mpid=[[:digit:]]+)?(, (TLS( handshake)?|secured))?$\r\n^\\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)(-login)?(\\([-_.@[:alnum:]]+\\))?: (Connection closed|Disconnected( for inactivity|: (Logged out|Disconnected in IDLE))) bytes=[[:digit:]]+\\\/[[:digit:]]+$\r\n^\\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (dovecot: )?((deliver|lda)\\([-_.@[:alnum:]]+\\)|lda\\([-_.@\\w]+\\)): sieve: msgid=<?[^\\(]*>?( \\(((added by )?[^[:space:]]+|sfid-[_[:xdigit:]]+)\\)?)?[[:space:]]*: (stored mail into mailbox '.*'|marked message to be discarded if not explicitly delivered \\(discard action\\)|(forwarded to|sent vacation response to|discarding vacation response for message implicitly delivered to|not sending vacation response to system address|discarding vacation response to mailinglist recipient|discarded vacation reply to|discarding vacation response to (auto-submitted|precedence=bulk) message from|discarded duplicate (vacation response|forward) to) <[^[:space:]]*>)$\r\n^\\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected \\(no auth attempts\\): rip=[.[:digit:]]+, lip=[.[:digit:]]+(, (TLS|SSL|secured))?.*$\r\n^\\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: mysql: Connected to [._[:alnum:]-]+ \\(postfix\\)$\r\n^\\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: ssl-params: (Generating )?SSL parameters( regeneration completed)?$<\/pre>\n
\"\"  local_dovecot<\/a><\/strong> (1.5 KiB, 2,434 hits)

\nManagesieve<\/strong> (part of Dovecot)
\nlogin, logout<\/p>\n
^\\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ managesieve-login: Login: user=<[_@\\.[:alnum:]-]+>, method=[[:alnum:]]+, rip=[[:digit:]\\.]+, lip=[[:digit:]\\.]+(, mpid=[[:digit:]\\.]+)?(, TLS)?$\r\n^\\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ managesieve\\([_@\\.[:alnum:]-]+\\): Disconnected: Logged out bytes=[[:digit:]]+\\\/[[:digit:]]+$<\/pre>\n
\"\"  local_managesieve<\/a><\/strong> (320 bytes, 2,375 hits)

\nOpenVPN<\/strong>
\nlogin related<\/p>\n
^\\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\\[[[:digit:]]+\\]: TCP connection established with (\\[AF_INET\\])?[.[:digit:]]{7,15}:[[:digit:]]{2,5}$\r\n^\\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\\[[[:digit:]]+\\]: (Local|Expected Remote) Options String: '[., _[:alnum:]-]+'$\r\n^\\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\\[[[:digit:]]+\\]: TCPv4_SERVER link (local \\(bound\\)|remote): (\\[AF_INET\\])?[.[:digit:]]{7,15}:[[:digit:]]{2,5}$<\/pre>\n
\"\"  local_openvpn<\/a><\/strong> (506 bytes, 2,383 hits)

\nPostFWD<\/strong>
\nstatistic log lines: dnsbl, rules, stats, cache, rate<\/p>\n
^\\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfwd\\[[[:digit:]]+\\]: \\[(DNSBL|RULES|STATS|CACHE|RATE)\\].*$<\/pre>\n
\"\"  local_postfwd<\/a><\/strong> (104 bytes, 2,430 hits)

\nProFTPd mod_ban<\/strong> (optional module<\/a>)
\nobtained, detached, removed, showing ban list<\/p>\n
^\\w{3} [ :[:digit:]]{11} mod_ban\\\/[[:digit:]\\.]+\\[[[:digit:]]+\\]: (obtained|detached|removed) shmid [[:digit:]]+ for BanTable '[\/[:alpha:]\\.]+'$\r\n^\\w{3} [ :[:digit:]]{11} mod_ban\\\/[[:digit:]\\.]+\\[[[:digit:]]+\\]: showing ban lists$<\/pre>\n
\"\"  local_proftpd-banlog<\/a><\/strong> (230 bytes, 2,199 hits)

\nrSYSlog<\/strong>
\nstart, exit, reload\/hup, mark<\/p>\n
^\\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: imklog [0-9.]+, log source = \/proc\/kmsg started.$\r\n^\\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging \\(proc\\) stopped.$\r\n^\\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: -- MARK --$\r\n^\\w{3} [ :0-9]{11} [._[:alnum:]-]+ cronmark: -- MARK --$\r\n^\\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \\[origin software=\"rsyslogd\" swVersion=\"[0-9.]+\" x-pid=\"[0-9]+\" x-info=\"http:\/\/www.rsyslog.com\"\\] start$\r\n^\\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \\[origin software=\"rsyslogd\" swVersion=\"[0-9.]+\" x-pid=\"[0-9]+\" x-info=\"http:\/\/www.rsyslog.com\"\\] exiting on signal [0-9]+.$\r\n^\\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \\[origin software=\"rsyslogd\" swVersion=\"[0-9.]+\" x-pid=\"[0-9]+\" x-info=\"http:\/\/www.rsyslog.com\"\\] rsyslogd was HUPed$\r\n^\\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \\[origin software=\"rsyslogd\" swVersion=\"[0-9.]+\" x-pid=\"[0-9]+\" x-info=\"http:\/\/www.rsyslog.com\"\\] rsyslogd was HUPed(, type 'lightweight'.)?$<\/pre>\n
\"\"  local_rsyslog<\/a><\/strong> (954 bytes, 2,344 hits)

\nOpenSSH<\/strong>
\nclosed user request, closed preauth 127.0.0.1<\/p>\n
^\\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\\[[[:digit:]]+\\]: Received disconnect from [[:digit:]\\.]+: [[:digit:]]+: Closed due to user request\\.$\r\n^\\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\\[[[:digit:]]+\\]: Connection closed by 127.0.0.1 \\[preauth\\]$<\/pre>\n
\"\"  local_ssh<\/a><\/strong> (255 bytes, 2,392 hits)

\nswapspace<\/strong>
\nallocating, retiring, adding (kernel)<\/p>\n
^\\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ \/usr\/sbin\/swapspace: Allocating swapfile '[0-9]+'\r\n^\\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ \/usr\/sbin\/swapspace: Retiring swapfile '[0-9]+'\r\n^\\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \\[[0-9\\.]+\\] Adding [0-9]+k swap on [0-9]+.  Priority:-[0-9]+ extents:[0-9]+ across:[0-9]+k SS<\/pre>\n\"\"  local_swapspace<\/a><\/strong> (324 bytes, 2,347 hits)
\n","protected":false},"excerpt":{"rendered":"
As mentioned earlier, I have a few of these logcheck filters I have created over the past few years. I use Debian and CentOS so other distros may not perfectly match. These work in conjunction with the default filters, hence their naming scheme of local_<service>. Dovecot login, logout, mysql connections, lda delivery, ssl regen ^\\w{3} […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[198,233,194],"class_list":["post-901","post","type-post","status-publish","format-standard","hentry","category-linux","tag-filters","tag-linux","tag-logcheck"],"_links":{"self":[{"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/posts\/901","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/comments?post=901"}],"version-history":[{"count":35,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/posts\/901\/revisions"}],"predecessor-version":[{"id":940,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/posts\/901\/revisions\/940"}],"wp:attachment":[{"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/media?parent=901"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/categories?post=901"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/tags?post=901"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}