From 364ed3c6a795c1cf3e47665157f3ff481bd395d1 Mon Sep 17 00:00:00 2001 From: Oleg Broytman Date: Thu, 14 Nov 2019 15:28:01 +0300 Subject: [PATCH] Feat(logcheck): Add ignore patterns after upgrading to Debian 10 --- .../roles/logcheck/files/ignore.d/local-kernel | 1 + .../roles/logcheck/files/ignore.d/local-named | 5 ++++- .../roles/logcheck/files/ignore.d/local-rsyslog | 2 +- playbooks/roles/logcheck/files/ignore.d/local-ssh | 14 ++++++++++---- 4 files changed, 16 insertions(+), 6 deletions(-) diff --git a/playbooks/roles/logcheck/files/ignore.d/local-kernel b/playbooks/roles/logcheck/files/ignore.d/local-kernel index d200924..8050f90 100644 --- a/playbooks/roles/logcheck/files/ignore.d/local-kernel +++ b/playbooks/roles/logcheck/files/ignore.d/local-kernel @@ -1,3 +1,4 @@ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] CIFS VFS: SMB signature verification returned error ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] CIFS VFS: Server [0-9.]+ has not responded in 120 seconds\. Reconnecting\.\.\. ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] Peer [0-9.:/]+ unexpectedly shrunk window [0-9]+:[0-9]+ \(repaired\)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]+\] TCP: request_sock_TCP: Possible SYN flooding on port [0-9]+\. Sending cookies\. Check SNMP counters\. diff --git a/playbooks/roles/logcheck/files/ignore.d/local-named b/playbooks/roles/logcheck/files/ignore.d/local-named index 0fef09e..0899ad9 100644 --- a/playbooks/roles/logcheck/files/ignore.d/local-named +++ b/playbooks/roles/logcheck/files/ignore.d/local-named @@ -1,6 +1,9 @@ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: +validating .+: no valid signature found ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: DNS format error from ([0-9]{1,3}\.){3}[0-9]{1,3}#[0-9]{1,5} resolving -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client ([0-9]{1,3}\.){3}[0-9]{1,3}#[0-9]{1,5} \([._[:alnum:]-]+\): query (\(cache\) )?'.+' denied +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: _default: sending trust-anchor-telemetry query ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client ([0-9]{1,3}\.){3}[0-9]{1,3}#[0-9]{1,5}: message parsing failed +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client .*([0-9]{1,3}\.){3}[0-9]{1,3}#[0-9]{1,5} \([._[:alnum:]-]+\): query (\(cache\) )?'.+' denied ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client 192\.168\.3\.20#[0-9]+ \([._[:alnum:]-]+\): error sending response: host unreachable$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: clients-per-query (de|in)creased to +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: managed-keys-zone: Key [0-9]+ for zone \. acceptance timer complete: key now trusted ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: skipping nameserver '[A-Za-z0-9._-]+' because it is a CNAME, while resolving diff --git a/playbooks/roles/logcheck/files/ignore.d/local-rsyslog b/playbooks/roles/logcheck/files/ignore.d/local-rsyslog index f7be8aa..fdae37b 100644 --- a/playbooks/roles/logcheck/files/ignore.d/local-rsyslog +++ b/playbooks/roles/logcheck/files/ignore.d/local-rsyslog @@ -1,2 +1,2 @@ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (liblogging-stdlog|rsyslogd): {1,2}\[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (liblogging-stdlog|rsyslogd): {1,2}\[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="https?://www.rsyslog.com"\] rsyslogd was HUPed$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd[0-9-]+: action 'action 17' (suspended|resumed) diff --git a/playbooks/roles/logcheck/files/ignore.d/local-ssh b/playbooks/roles/logcheck/files/ignore.d/local-ssh index 54f4ccd..ffc3f29 100644 --- a/playbooks/roles/logcheck/files/ignore.d/local-ssh +++ b/playbooks/roles/logcheck/files/ignore.d/local-ssh @@ -1,17 +1,23 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: (error: )?Received disconnect from ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: (packet_write_wait|ssh_dispatch_run_fatal): Connection from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+: Broken pipe \[preauth\] +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Bad packet length [0-9]+\. \[preauth\] ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Bad protocol version identification -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Connection (closed|reset) by ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+ \[preauth\] +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Connection (closed|reset) by ((authenticating|invalid) user .+)?([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+ \[preauth\] ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Did not receive identification string from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnected from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+ \[preauth\] +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnected from (authenticating|invalid) user .+([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+ \[preauth\] +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnected from user .+([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnecting (authenticating|invalid) user .+([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+: (Too many authentication failures \[preauth\]|Change of username or service not allowed: \(admin,ssh-connection\)) ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnecting: Change of username or service not allowed: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnecting: Too many authentication failures -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for invalid user.+from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Invalid user.+from ([0-9]{1,3}\.){3}[0-9]{1,3} +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for invalid user .+from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Invalid user .+from ([0-9]{1,3}\.){3}[0-9]{1,3} ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: PAM service\(sshd\) ignoring max retries ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Unable to negotiate with ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+: no matching (host key type|key exchange method) found\. +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: error: maximum authentication attempts exceeded for .+ from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+ ssh2 \[preauth\] ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: (Read from socket|Write) failed: Connection reset by peer ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: Unable to negotiate a key exchange method \[preauth\]$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: no hostkey alg \[preauth\] -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: input_userauth_request: invalid user.+\[preauth\]$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: input_userauth_request: invalid user .+\[preauth\]$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: pam_unix\(sshd:auth\): bad username +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: ssh_dispatch_run_fatal: Connection from authenticating user .+([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+: message authentication code incorrect \[preauth\] -- 2.39.5