-
Notifications
You must be signed in to change notification settings - Fork 0
/
summarise
47 lines (34 loc) · 2.92 KB
/
summarise
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
^PAM_unix\[[0-9]+\]: authentication failure; (\(uid=[0-9]+\)) -> (\S+) for ssh service
^sshd\[[0-9]+\]: Failed password for \S+ from ([0-9.]+) port [0-9]+ ssh2$
^sshd\[[0-9]+\]: Failed keyboard-interactive/pam for illegal user .+ from (.+) port [0-9]+ ssh2$
^sshd\[[0-9]+\]: pam_ldap: error trying to bind as user "(.+)" \(Invalid credentials\)$
^sshd\[[0-9]+\]: \(pam_unix\) check pass; user unknown
^sshd\[[0-9]+\]: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=(.+)$
^sshd\[[0-9]+\]: error: PAM: Authentication service cannot retrieve authentication info\. for .+ from (.+)$
^sshd\[[0-9]+\]: error: PAM: User not known to the underlying authentication module for illegal user .+ from (.+)$
^sshd\[[0-9]+\]: Illegal user .+ from (.+)$
^sshd\[[0-9]+\]: Invalid user .+ from (.+)$
^sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for (.+) failed - POSSIBLE BREAKIN ATTEMPT!$
^sshd\[[0-9]+\]: Address (\S+) maps to (\S+), but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!$
^postfix/smtp\[[0-9]+\]: connect to (.+): Connection timed out \(port 25\)$
^postfix/smtpd\[[0-9]+\]: warning: smtpd_peer_init: (.+) verification failed: Name or service not known$
^postfix/smtp\[[0-9]+\]: \S+: host (\S+) refused to talk to me: (.*)$
^postfix/qmgr\[[0-9]+\]: \S+: to=(\S+)(, orig_to=(\S+))?, relay=none, delay=[0-9]+, status=deferred (.+)$
^getty\[[0-9]+\]: (/dev/tty.+): cannot open as standard input: No such device$
^postfix/(local|pipe|virtual)\[[0-9]+\]: [[:alnum:]]+: to=([^[:space:]]+), (orig_to=[^[:space:]]+, )?relay=[^[:space:]]+, delay=[0-9]+, status=(.*)$
^postfix/smtpd\[[0-9]+\]: warning: [0-9.]+.(\S+): RBL lookup error: Host or domain name not found. Name service error for name=\S+ type=(.*)$
^postfix/qmgr\[[0-9]+\]: [0-9A-Z]+: to=([^[:space:]]+), orig_to=([^[:space:]]+), relay=none, delay=[0-9.]+, delays=[0-9/.]+, dsn=[0-9.]+, status=deferred \(delivery temporarily suspended: host [^ ]+ refused to talk to me:
^exim\[[0-9]+\]: [0-9-]+ [0-9:]+ Cannot open main log file "([^"]+)": (.*)$
# Some bind messages that started appearing with lenny, maybe we should ignore them
# The first appears to be related to ddos attacks that are not easy to prevent
^named\[[0-9]+\]: client ([0-9.]+)#[0-9]+: query \(cache\) '\./NS/IN' denied$
# The second is probably just broken nameservers, but maybe we should check
^named\[[0-9]+\]: too many timeouts resolving '[^']+' \(in ('[^']+')\?\): disabling EDNS$
# Another EDNS one I don't know what to do with
^named\[[0-9]+\]: too many timeouts resolving '[^']+' \(in '[^']+'\?\): reducing the advertised EDNS UDP packet size to 512 octets$
^named\[[0-9]+\]: client ([0-9.]+)#[0-9]+: zone transfer '[^']+' denied$
^named\[[0-9]+\]: connection refused resolving '[^']+': ([0-9.#]+)$
# Get this a lot from IPv6, ought to check if it's causing problems
^named\[[0-9]+\]: network unreachable resolving '[^']+':
# Generic summarisation -- ignores pid.
^([^[: ]+)\[[0-9]+\]:(.*)$