Logcheck Debian 10

Debian Buster logcheck additions to the default rules:

bind:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: received control channel command 'stats'$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: dumpstats complete$

kernel:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? conntrack: generic helper won't handle protocol 47\. Please consider loading the specific helper module\.$

ntp:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: receive: KoD packet from ([.0-9]{7,15}|[0-9a-fA-F:.]{4,39}) has inconsistent xmt/org/rec timestamps\.  Ignoring\.$

rsyslogd:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd:  \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="https://www.rsyslog.com"\] rsyslogd was HUPed$

sshd:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnected from user [[:alnum:]]+ [:.[:xdigit:]]+ port [[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed password for [[:alnum:]]+ from [:.[:xdigit:]]+ port [[:digit:]]+ ssh2$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (Connection closed by|Disconnected from|Connection reset by) authenticating user [-.[:alnum:]]+ [:.[:xdigit:]]+ port [[:digit:]]+ \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (Connection closed by|Disconnected from) invalid user ([-.[:alnum:]]+|) [:.[:xdigit:]]+ port [[:digit:]]+ \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnected from [:.[:xdigit:]]+ port [[:digit:]]+ \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection (closed|reset) by [:.[:xdigit:]]+ port [[:digit:]]+ \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Did not receive identification string from ([:[:xdigit:].]+|UNKNOWN) port [[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+ port [:[:digit:]]+ (Bye Bye |disconnected by user |Client disconnecting normally | )\[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+ port [:[:digit:]]+ Normal Shutdown, Thank you for playing \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Invalid user ([-.[:alnum:]]+|) from ([:.[:xdigit:]]+|UNKNOWN) port [[:digit:]]+$

su:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_systemd\(su:session\): Cannot create session: Already running in a session$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su: pam_unix\(su(-l)?:session\): session closed for user [._[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su: pam_unix\(su(-l)?:session\): session opened for user [._[:alnum:]-]+ by ([._[:alnum:]-]+)?\(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su: pam_unix\(su(-l)?:auth\): authentication failure; logname=[._[:alnum:]-]+ uid=[0-9]+ euid=0 tty=pts/[0-9] ruser=[._[:alnum:]-]+ rhost=  user=root$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su: \(to root\) [._[:alnum:]-]+ on pts/[0-9]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su: FAILED SU \(to root\) [._[:alnum:]-]+ on pts/[0-9]$

systemd:
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: [-[:alnum:]]+\.(service|socket|mount): Succeeded\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (user|user-runtime-dir)@[0-9]+\.service: Succeeded\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: user@[0-9]+\.service: Killing process [0-9]+ \(kill\) with signal SIGKILL\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Started|Starting) Daily man-db regeneration\.(\.\.)?$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Reloading|Reloaded) The Apache HTTP Server\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd: pam_unix\(systemd-user:session\): session (opened|closed) for user [-_.[:alnum:]]+( by \(uid=0\))?$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Created|Removed) slice User Slice of UID [-_.[:alnum:]]+\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Listening on|Closed) GnuPG cryptographic agent (and passphrase cache)? \((access for web browsers|restricted)\)\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Listening on|Closed) GnuPG network certificate management daemon\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Listening on|Closed) GnuPG cryptographic agent \((ssh-agent emulation|access for web browsers)\)\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: Startup finished in [0-9]+ms\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: Received SIGRTMIN\+24 from PID [0-9]+ \(kill\)\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: session-[0-9]+\.scope: Succeeded\.$

systemd-logind:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [[:digit:]]+ of user [-_.[:alnum:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Removed session [[:digit:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Session [[:digit:]]+ logged out\. Waiting for processes to exit\.$
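Before deploying ignore rules it is worth checking what they suppress and what still reaches the report. The script below is an added example, not part of the original rule set: it runs three of the sshd rules above over constructed log lines, using `grep -E -v -f` as a stand-in for logcheck's own filtering with extended regular expressions. The hostname `host1`, the user `alice`, the addresses and the function names are assumptions.

```shell
#!/bin/sh
# Added example: list the log lines that a set of logcheck ignore rules
# does NOT match, i.e. the lines that would still appear in the report.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
rules="$workdir/sshd.rules"
log="$workdir/auth.log"

# Three sshd rules copied from the list above. Keep this file free of blank
# lines: with grep -f an empty pattern matches every line.
cat > "$rules" <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed password for [[:alnum:]]+ from [:.[:xdigit:]]+ port [[:digit:]]+ ssh2$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Invalid user ([-.[:alnum:]]+|) from ([:.[:xdigit:]]+|UNKNOWN) port [[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+ port [:[:digit:]]+ (Bye Bye |disconnected by user |Client disconnecting normally | )\[preauth\]$
EOF

# Constructed sample log lines (documentation address ranges).
cat > "$log" <<'EOF'
Mar  3 10:15:01 host1 sshd[1234]: Failed password for alice from 192.0.2.10 port 50022 ssh2
Mar  3 10:15:02 host1 sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 50023 ssh2
Mar  3 10:15:03 host1 sshd[1236]: Invalid user admin from 192.0.2.10 port 50023
Mar  3 10:15:04 host1 sshd[1237]: Received disconnect from 192.0.2.10 port 50023:11: Bye Bye [preauth]
Mar  3 10:15:05 host1 sshd[1238]: Accepted password for alice from 2001:db8::5 port 40122 ssh2
EOF

# Print the lines that no rule matches. grep exits 1 when nothing is
# printed, which is not an error here.
reported_lines() {
    grep -E -v -f "$1" "$2" || true
}

# Number of lines that would still be reported.
reported_count() {
    reported_lines "$1" "$2" | wc -l | tr -d ' '
}

echo "Still reported ($(reported_count "$rules" "$log") lines):"
reported_lines "$rules" "$log"
```

With these rules a failed password for an existing account is suppressed, while a failed password for an invalid user and the successful login are still reported.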