-
Notifications
You must be signed in to change notification settings - Fork 0
/
discard
39 lines (39 loc) · 2.78 KB
/
discard
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
# Hey! There are at least two sets of named entries!
^named\[[0-9]+\]: reloading$
^named\[[0-9]+\]: Sent NOTIFY for [^[:space:]]+$
^named\[[0-9]+\]: zone [^[:space:]]+: transfered serial [0-9]+$
^named\[[0-9]+\]: rcvd NOTIFY\([^[:space:]]+, IN, SOA\) from \[[\.0-9]+\]\.[0-9]+$
# Not really bothering about postfix too much; can go to pflogsumm
^postfix/(local|pipe|virtual)\[[0-9]+\]: [[:alnum:]]+: to=[^[:space:]]+, (orig_to=[^[:space:]]+, |)relay=[^[:space:]]+, delay=[0-9]+, status=[[:alnum:]]+ \(.*\)$
^syslogd [.0-9#]+: restart\.$
^syslogd [.0-9]{5}#[0-9]+: restart \(remote reception\)\.$
^named\[[0-9]+\]: zone [._[:alnum:]-]+/IN: transferred serial [0-9]+$
^named\[[0-9]+\]: (client [.#[:digit:]]+: )?received notify for zone '[._[:alnum:]-]+'$
# innd/jabberd messages probably worth a look if we start using it
^kernel: lp[0-9]+ out of paper$
# Um, perhaps these are worth a Debian bug report?
^ntpd\[[0-9]+\]: time reset [+-]*[0-9]{1,2}\.[0-9]{6} s$
^ntpd\[[0-9]+\]: synchronisation lost$
^ntpd\[[0-9]+\]: no servers reachable$
^sshd\[[0-9]+\]: Server listening on [.0-9]+ port 22\.$
^sshd\[[0-9]+\]: refused connect from [:[:alnum:].]+ \([:[:alnum:].]+\)$
^anacron\[[0-9]+\]: Anacron [.[:alnum:]]+ started on [0-9-]+$
^postfix/postfix-script: (starting|stopping) the Postfix mail system$
^postfix/master\[[0-9]+\]: reload configuration$
# Some nice su/sudo stuff would be good.
^su\[[0-9]+\]: (\+|-) (pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$
^su\[[0-9]+\]: (\+|-) (pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:(?!root)[_[:alnum:]-]+$
^su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
^su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user (?!root)[[:alnum:]-]+ by \(uid=[0-9]+\)$
^su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user (?!root)[[:alnum:]-]+ by [[:alnum:]-]+\(uid=[0-9]+\)$
^su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by [[:alnum:]-]+\(uid=[0-9]+\)$
^sudo:[[:space:]]+[_[:alnum:]-]+ : TTY=(unknown|pts/[0-9]+|tty[0-9]+) ; PWD=.+ ; USER=[^[:space:]]+ ; COMMAND=/(usr|etc|bin|sbin)/.*$
^sudo:[[:space:]]+[_[:alnum:]-]+ : TTY=(unknown|pts/[0-9]+|tty[0-9]+) ; PWD=.+ ; USER=(?!root)[^[:space:]]+ ; COMMAND=/(usr|etc|bin|sbin)/.*$
^sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ).*$
^sudo:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$
^sudo:[[:space:]]+[_[:alnum:]-]+ : \(command continued\).*$
# Some dodgy regular expressions; I don't use dspam, so just remove them
^dspam\[[0-9]+\]: spam detected from [.0-9]+{7,15}$
^dspam\[[0-9]+\]: innocent message from [.0-9]+{7,15}$
# Dodgy pattern, replaced by one in extra
^named\[[0-9]+\]: lame server resolving '[^[:space:]]+' \(in '[^[:space:]]+'\?\): [.0-9.]+#[0-9]+$