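# swatch config for gentoo raq0.haller.ws
#
# How to read this file:
#  - swatch tries the rules in order and acts on the first one that matches.
#    The final `watchfor /./` echoes every line that no `ignore` above it
#    claimed, so the config is alert-by-default and each `ignore` is a
#    deliberate suppression of a known-benign message.
#  - Every `ignore` is anchored through $re_prefix (timestamp, TZ, host,
#    [facility/priority]); a line whose header does not parse is never silenced.
#  - Inside /.../ patterns a bare `.` is used instead of `\/` for paths
#    (.dev.hda, .etc.smartd.conf) to avoid escaping slashes; those ignores are
#    therefore slightly broader than a literal path match.
#  - $re is redefined at the top of each section as that section's prefix.

# hours 00-23, minutes 00-59, seconds 00-60 (60 allows a leap second)
perlcode my $re_timestamp = qr/ (?:[01]\d|2[0-3]) : (?:[0-5]\d) : (?:[0-5]\d|60) /x;
perlcode my $re_shortmonth = qr/ (?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) /x;
perlcode my $re_day = qr/ (?:Sun|Mon|Tue|Wed|Thu|Fri|Sat) /x;
# $re_syslogdate, $re_isodate/$re_date, $re_pidopt, $re_username and
# $re_filepath are not used by any rule in this file; kept for future rules.
perlcode my $re_syslogdate = qr/ $re_shortmonth (?:\s\s\d|\s\d\d) \s $re_timestamp /x;
perlcode my $re_isodate = qr/ \d\d\d\d-\d\d-\d\d T $re_timestamp - \d{4} /x;
perlcode my $re_facpri = qr/ \[ \w+ \] /x;
perlcode my $re_hostname = qr/ [\w.-]{4,256} /x;
perlcode my $re_date = $re_isodate;
perlcode my $re_pid = qr/ \[ \d{1,6} \] /x;
perlcode my $re_pidopt = qr/ (?: $re_pid )? /x;
# all four octets bounded to 1-3 digits (the first octet was unbounded)
perlcode my $re_ip = qr/ \d{1,3} \. \d{1,3} \. \d{1,3} \. \d{1,3} /x;
perlcode my $re_username = qr/ \w{1,32} /x;
perlcode my $re_filepath = qr{ [/\w .-]+ }x;
# common line header: "HH:MM:SS EDT host [priority]"
perlcode my $re_prefix = "^$re_timestamp (GM|ES|ED)T $re_hostname $re_facpri";

# cron
# NOTE(review): REPLACE is (presumably) logged when a crontab is rewritten and
# BEGIN/END bracket a `crontab -e`; a crontab edit is a common persistence
# step. Ignoring them for root hides such edits -- consider dropping
# REPLACE/BEGIN/END from this ignore so that they are echoed.
ignore /$re_prefix (cron|crontab|\/USR\/SBIN\/CRON)$re_pid: \((phaller|root)\) (CMD|RELOAD|BEGIN|REPLACE|END)/
ignore /$re_prefix CRON$re_pid: \(pam_unix\) session (opened|closed) for/

# postfix
perlcode my $re = qr/$re_prefix postfix\/(anvil|cleanup|local|pickup|qmgr|smtp|smtpd)$re_pid:/;
ignore /$re statistics:/
ignore /$re [0-9A-Fa-f]+: message-id=/
ignore /$re [0-9A-Fa-f]+: to=/
ignore /$re [0-9A-Fa-f]+: uid=/
ignore /$re [0-9A-Fa-f]+: from=/
ignore /$re [0-9A-Fa-f]+: removed/
ignore /$re SSL_accept:/
ignore /$re [0-9A-Fa-f]+: client=/
# NOTE(review): broad -- any postfix message that begins with exactly four hex
# characters followed by a space is suppressed, whatever follows.
ignore /$re [0-9A-Fa-f]{4} /
ignore /$re connect from/
ignore /$re disconnect from/
ignore /$re initializing the server-side TLS engine/
ignore /$re (timeout|lost connection) after (CONNECT|DATA|HELO|EHLO|MAIL|RCPT) from/
ignore /$re read from /
ignore /$re setting up TLS connection from/
ignore /$re TLS connection established from/
ignore /$re write to/
ignore /$re warning: $re_ip: hostname .* verification failed: Name or service not known/
ignore /$re connect to .*: server refused to talk to me: 451 Message temporarily deferred/
ignore /$re warning: smtpd_peer_init: $re_ip: address not listed for hostname/
#18:45:43 EDT haller [warning] postfix/smtpd[31771]: warning: smtpd_peer_init: 201.78.188.132: address not listed for hostname

# logins for me
# NOTE(review): these suppress every successful login for phaller regardless
# of source address, including password/keyboard-interactive logins. A login
# with a stolen key or password from an unexpected host would never be echoed;
# consider replacing `from .*` with the hosts phaller normally connects from.
perlcode my $re = qr/$re_prefix/;
ignore /$re sg$re_pid: user `phaller'/
ignore /$re sshd$re_pid: Accepted keyboard-interactive\/pam for phaller from .* ssh2/
ignore /$re sshd$re_pid: Accepted publickey for phaller/
ignore /$re sshd *\(pam_unix\) *$re_pid: session opened for user phaller by \(uid=0\)/
ignore /$re sshd *\(pam_unix\) *$re_pid: session closed for user phaller/
ignore /$re sshd$re_pid: \(pam_unix\) session opened for user phaller by \(uid=0\)/
ignore /$re sshd$re_pid: \(pam_unix\) session closed for user phaller/

# smartd
perlcode my $re = qr/$re_prefix smartd$re_pid:/;
ignore /$re smartd version 5.36 .i686-pc-linux-gnu. Copyright .C. 2002-6 Bruce Allen/
ignore /$re Home page is http:..smartmontools.sourceforge.net/
ignore /$re Opened configuration file .etc.smartd.conf/
ignore /$re Configuration file .etc.smartd.conf parsed./
ignore /$re Device: .dev.hda, opened/
ignore /$re Device: .dev.hda, found in smartd database./
ignore /$re Device: .dev.hda, enabled SMART Attribute Autosave./
ignore /$re Device: .dev.hda, enabled SMART Automatic Offline Testing./
ignore /$re Device: .dev.hda, appears to lack SMART Self-Test log; disabling -l selftest .override with -T permissive Directive/
ignore /$re Device: .dev.hda, appears to lack SMART Error log; disabling -l error .override with -T permissive Directive/
ignore /$re Device: .dev.hda, is SMART capable. Adding to "monitor" list./
ignore /$re Monitoring 1 ATA and 0 SCSI devices/
ignore /$re smartd has fork..ed into background mode. New PID=/
ignore /$re file .var.run.smartd.pid written containing PID/

# swatch
perlcode my $re = qr/$re_prefix sudo:/;
ignore /$re .*COMMAND=.usr.bin.swatch --config-file swatch.conf -f .var.log.$re_day.messages/

# tinydns
perlcode my $re = qr/$re_prefix logger:/;
# requests from myself: tinydns logs the client as 32 hex digits
# (IPv4-mapped, ::ffff:...); d8dca037 is 216.220.160.55, the same host that
# appears in the tcpserver ignores below.
ignore /$re 00000000000000000000ffffd8dca037/
# The lone `.` is tinydns's one-character response code; 00xx is the hex DNS
# query type (0001 A, 001c AAAA, 000f MX, 0010 TXT, 0026 A6).
# NOTE(review): 00fc is AXFR and 00ff is ANY -- zone-transfer and ANY probes
# against haller.ws are suppressed by the third rule; drop fc/ff from it if
# you want to see that kind of reconnaissance.
ignore /$re .* . 00(01|10|1c) (lap0|raq0|notes|www|money|software|a.mx|a.ns|b.ns).haller.ws/
ignore /$re .* . 00(1c|26) (www|mail|a.mx|a.ns|b.ns).(haller.ws)/
ignore /$re .* . 00(01|02|05|06|0f|10|1c|26|fc|ff) (haller.ws)/
ignore /$re tcpserver: end \d+ status 0/
ignore /$re tcpserver: status: 0.40/
ignore /$re tcpserver: status: 1.40/
ignore /$re tcpserver: pid \d+ from 216.220.160.(55|66)/
ignore /$re tcpserver: ok \d+ 0:::ffff:216.220.171.42:53 :::ffff:216.220.160.(55|66)::/

# apache
perlcode my $re = qr/$re_prefix apache2$re_pid: $re_facpri/;
ignore /$re Graceful restart requested, doing restart/
ignore /$re Digest: generating secret for digest authentication/
ignore /$re Digest: done/
ignore /$re Apache configured -- resuming normal operations/
ignore /$re \[client $re_ip\] Digest: user phaller: nonce expired/
# tarpit'ing webspam causes the following:
ignore /$re \(\d+\)Broken pipe: core_output_filter: writing data to the network/

# postgres
perlcode my $re = $re_prefix;
ignore /$re su$re_pid: Successful su for postgres by root/
ignore /$re su$re_pid: . pts.6 root:postgres/
# parens escaped: a bare (pam_unix) is a capture group and would only match
# the literal text "supam_unix[", so the "session opened" line was never
# suppressed (compare the "session closed" rule below).
ignore /$re su\(pam_unix\)$re_pid: session opened for user postgres by .uid=0/
ignore /$re postgres$re_pid: .1-1. LOG: received fast shutdown request/
ignore /$re postgres$re_pid: .1-1. LOG: shutting down/
ignore /$re postgres$re_pid: .2-1. LOG: database system is shut down/
ignore /$re su.pam_unix.$re_pid: session closed for user postgres/
ignore /$re postgres$re_pid: .1-1. LOG: database system was shut down at/
ignore /$re postgres$re_pid: .2-1. LOG: checkpoint record is at/
ignore /$re postgres$re_pid: .3-1. LOG: redo record is at .*; undo record is at .*; shutdown TRUE/
ignore /$re postgres$re_pid: .4-1. LOG: next transaction ID: \d+; next OID/
ignore /$re postgres$re_pid: .5-1. LOG: database system is ready/

# syslog-ng
ignore /$re_prefix syslog-ng$re_pid: syslog-ng version [\d.a-z]+ (?:starting|going down)/
# only "dropped 0" is silenced; a non-zero drop count is echoed
ignore /$re_prefix syslog-ng$re_pid: STATS: dropped 0/
# NOTE(review): the next three silence failures of syslog-ng's remote
# connection. If that connection is the off-host log copy, losing it is
# exactly what tampering with logging looks like; consider letting these
# through (throttled) instead of ignoring them.
ignore /$re_prefix syslog-ng$re_pid: Connection broken to/
ignore /$re_prefix syslog-ng$re_pid: io\.c: .+Connection refused/
ignore /$re_prefix syslog-ng$re_pid: Error connecting to remote host/
ignore /$re_prefix syslog-ng$re_pid: new configuration initialized/
ignore /$re_prefix syslog-ng$re_pid: SIGHUP received, restarting syslog-ng/

#watchfor /SRC=($re_ip) /
#    throttle delay=4:00:00,key=$1

# catch-all: anything not ignored above is echoed
watchfor /./
    echo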