don't warn about every use of su

[ansible.git] / roles / journalwatch / templates / patterns

# In this file, patterns for journalwatch are defined to blacklist all journal
# messages which are not errors.
#
# Lines starting with '#' are comments. Inline-comments are not permitted.
#
# The patterns are separated into blocks delimited by empty lines. Each block
# matches on a log entry field, and the patterns in that block then are matched
# against all messages with a matching log entry field.
#
# The syntax of a block looks like this:
#
# <field> = <value>
# <pattern>
# [<pattern>]
# [...]
#
# If <value> starts and ends with a slash, it is interpreted as a regular
# expression, if not, it's an exact match. Patterns are always regular
# expressions.
#
# Below are some useful examples. If you have a small set of users, you might
# want to adjust things like "user \w" to something like "user (root|foo|bar)".
#
# The regular expressions are extended Python regular expressions, for details
# see:
#
# https://docs.python.org/3.4/library/re.html#regular-expression-syntax
# https://docs.python.org/3.4/howto/regex.html
# http://doc.pyschools.com/html/regex.html
#
# The journal fields are explained in systemd.journal-fields(7).

_SYSTEMD_UNIT = systemd-logind.service
New session [a-z]?\d+ of user \w+\.
Removed session [a-z]?\d+\.

SYSLOG_IDENTIFIER = /(CROND|crond)/
pam_unix\(crond:session\): session (opened|closed) for user \w+
\(\w+\) CMD .*

SYSLOG_IDENTIFIER = systemd
(Stopped|Stopping|Starting|Started) .*
(Created slice|Removed slice) user-\d+\.slice\.
Received SIGRTMIN\+24 from PID .*
(Reached target|Stopped target) .*
Startup finished in \d+ms\.
{% if journalwatch is defined and journalwatch.strato_broken | default(False) %}
Failed to create /user.slice/user-\d+.slice/user@\d+.service/init.scope control group: Permission denied
Failed to allocate manager object: Permission denied
{% endif %}

_SYSTEMD_UNIT = init.scope
user@\d+\.service: Killing process \d+ \(kill\) with signal SIGKILL\.
{% if journalwatch is defined and journalwatch.strato_broken | default(False) %}
Failed to set devices.allow on /system.slice/[a-z-]+.service: Operation not permitted
{% endif %}

SYSLOG_IDENTIFIER = sudo
\s*[._\w-]+ : TTY=(unknown|console|(pts/|ttyp?|vc/)\d+) ; PWD=[^;]+ ; USER=[._\w-]+ ; COMMAND=.*

SYSLOG_IDENTIFIER = su
\(to [._\w-]+\) [._\w-]+ on none

_SYSTEMD_UNIT = postfix@-.service
warning: hostname [^\s]+ does not resolve to address [\da-fA-F.:]+(: Name or service not known)?
warning: [._\w-]+\[[\da-fA-F.:]+\]: SASL (LOGIN|PLAIN) authentication failed:.*
warning: non-SMTP command from \w+\[[\da-fA-F.:]+\]: .*
warning: TLS library problem: error:[0-9A-F]+:SSL routines:\w+:(no shared cipher|decryption failed or bad record mac|unknown protocol|version too low):[\w./]+:\d+:
{% if journalwatch is defined and journalwatch.postfix_slow | default(False) %}
warning: psc_cache_update: btree:/var/lib/postfix/[a-z_]+ (update|lookup) average delay is \d\d\d ms
{% endif %}
{% if journalwatch is defined and journalwatch.strato_broken | default(False) %}
warning: dnsblog reply timeout [0-9]+s for [\w._-]+
warning: dnsblog_query: lookup error for DNS query .*
{% endif %}

_SYSTEMD_UNIT = dovecot.service
auth: Warning: auth client \d+ disconnected with \d+ pending requests: (EOF|Connection reset by peer)

SYSLOG_IDENTIFIER = sshd
error: Received disconnect from [\da-fA-F.:]+ port \d+:\d+: .*
error: maximum authentication attempts exceeded for (invalid user \w*|\w+) from [\da-fA-F.:]+ port \d+ ssh2 \[preauth\]
fatal: ssh_packet_get_string: string is too large \[preauth\]

_SYSTEMD_UNIT = bind9.service
client [\da-fA-F.:]+#\d+( \([\w.-]+\))?: (zone transfer '[\w.-]+/AXFR/IN' denied|message parsing failed: (bad compression pointer|bad label type|unexpected end of input))

_SYSTEMD_UNIT = opendkim.service
[A-Z0-9]+: (bad signature data|failed to parse [Aa]uthentication-[Rr]esults: header field)
[A-Z0-9]+: key retrieval failed \(s=[\w._-]+, d=[\w._-]+\)(: '[\w._-]+' record not found)?