#
# sample checksyslog rulefile for example.com
#
# lines beginning with # or containing just a CR are ignored
#
# add regular expressions to this file that should be ignored
# by checksyslog. If you're like me, most complicated regexps
# befuddle and confuse you, but you'll probably be able to
# figure out how to add your own.
#
# Typical format:
#
# process\[\d+\]: string
#
# for troubleshooting, run checksyslog with the -v flag to see how the
# rules are being interpreted.
#
# common declarations go here. you don't have to escape % if you
# want to use it in a regular expression; the "preprocessor" (such as
# it is) will build static matches for these a-la #define. the downside of
# this is there's no warning for undefined declarations :)

# my internal IP. note that you must escape metachars such as '.'
%INT_IP=172\.16\.195\.\d+

# domain names
%INT_DOM=int\.example\.com
%DMZ_DOM=dmz\.example\.com

# these are all my users
%MAIL_USERS=(jwa|cat|dog|tim|john|woot)

# but only these users use the shell
%SHELL_USERS=(jwa|cat|dog|tim)

# and only these users use samba
%SAMBA_USERS=(jwa|dog|woot)

# %PREPEND is a special case; it defines the string that all expressions are
# prefixed with. As you can tell by looking at the rules below, it isn't
# expanded. Commenting it out will cause nothing to be prepended to the
# rules.

# this particular %PREPEND ensures that the input is something that faintly
# resembles a syslog file
%PREPEND=^(Jan .*.|Feb .*.|Mar .*.|Apr .*.|May .*.|Jun .*.|Jul .*.|Aug .*.|Sep .*.|Oct .*.|Nov .*.|Dec .*.)

# no more %NAME= declarations below this point ..

#
# sendmail
#
sendmail\[\d+\]: .*.to=
sendmail\[\d+\]: .*.from=
(sendmail\[\d+\]: .*.relay=*.) && (!.*.reject.*.)
sendmail\[\d+\]: aliases rebuilt by root
sendmail\[\d+\]: aliases.*.longest
sendmail\[\d+\]: Authentication-Warning:.*.owned process doing -bs
sendmail\[\d+\]: NOQUEUE: SYSERR\(root\): getrequests: accept: Connection timed out
sendmail\[\d+\]: .*.: clone .*., owner=

#
# postfix
#
postfix/smtpd\[\d+\]: connect from
postfix/smtpd\[\d+\]: .*.: client=
postfix/smtpd\[\d+\]: .*.: message-id=
postfix/smtpd\[\d+\]: .*.: from=
postfix/smtpd\[\d+\]: .*.: to=
postfix/smtpd\[\d+\]: disconnect from
postfix/qmgr\[\d+\]: .*.: from=
postfix/smtp\[\d+\]: .*.: to=
postfix/cleanup\[\d+\]:
postfix/pickup\[\d+\]:
# oh good lord, I get so much spam..
postfix/smtpd\[\d+\]: reject: RCPT from.*.Sender address rejected: Domain not found
postfix/smtpd\[\d+\]: reject: RCPT from.*.blocked using

#
# uw imapd
#
imapd\[\d+\]: imap service init from %INT_IP
imapd\[\d+\]: Authenticated user=%MAIL_USERS host=.*.%INT_DOM
imapd\[\d+\]: Logout user=
imapd\[\d+\]: Autologout user=

#
# uw pop3
#
ipop3d\[\d+\]: port 110 service init from %INT_IP
ipop3d\[\d+\]: Auth user=%MAIL_USERS host=.*.%INT_DOM
ipop3d\[\d+\]: Logout user=

#
# very noisy BIND
#
named\[\d+\]: Connection refused
named\[\d+\]: .*.reloading nameserver
named\[\d+\]: Lame delegation
named\[\d+\]: Lame server
named\[\d+\]: ns_forw:
named\[\d+\]: .*.points to a CNAME
named\[\d+\]: sysquery:
named\[\d+\]: ns_resp
named\[\d+\]: Response from unexpected source
named\[\d+\]: Malformed response from
named\[\d+\]: dangling CNAME pointer \(.*.\)
named\[\d+\]: bad referral
named\[\d+\]: recvfrom: No route to host
named\[\d+\]: recvfrom: Network is unreachable
named\[\d+\]: unrelated additional info .*. type A from \[\d+\.\d+\.\d+\.\d+\].53
named\[\d+\]: Cleaned cache of
named\[\d+\]: NSTATS
named\[\d+\]: USAGE
named\[\d+\]: XSTATS
named\[\d+\]: invalid RR type

# wu-ftpd messages
# (you might want to log all FTP commands, but if you run a
# busy FTP site, or if you have another program reporting on
# ftp activity, then logging all FTP commands is overkill.)
#
# this will show you USER, PASS, QUIT, STOR, RETR, MKD, RMD, DELE, and
# probably a few others I've forgotten about :-) [but that's
# the whole point of this!]
#
#ftpd\[\d+\]: CWD
#ftpd\[\d+\]: PORT
#ftpd\[\d+\]: LIST
#ftpd\[\d+\]: NLST
#ftpd\[\d+\]: SIZE
#ftpd\[\d+\]: SYST
#ftpd\[\d+\]: PASV
#ftpd\[\d+\]: TYPE
#ftpd\[\d+\]: ABOR
#ftpd\[\d+\]: PWD
#ftpd\[\d+\]: HELP
#ftpd\[\d+\]: CDUP
#ftpd\[\d+\]: NOOP

#
# xntpd messages
#
xntpd\[\d+\]: .*.system event.*.status
xntpd\[\d+\]: .*.peer.*.event.*.status
xntpd\[\d+\]: .*.time.*.reset
xntpd\[\d+\]: synchronisation lost
xntpd\[\d+\]: synchronized to.*.stratum=\d
xntpd\[\d+\]: .*.offset
xntpd\[\d+\]: Network is unreachable
xntpd\[\d+\]: connection refused
xntpd\[\d+\]: Connection refused
xntpd\[\d+\]: time reset \(step\) .*. s
xntpd\[\d+\]: kernel pll status change

#
# PAM login
#
PAM_pwdb\[\d+\]: \(login\) session opened for user %SHELL_USERS
PAM_pwdb\[\d+\]: \(login\) session closed for user %SHELL_USERS

#
# PPP/chat
#
#pppd\[\d+\]:
#chat\[\d+\]:

#
# nntpcache -- bit bucket
#
nntpcache.*.\[\d+\]:

#
# ssh (OpenSSH_2.5.1p1)
#
sshd\[\d+\]: Generating new \d+ bit RSA key\.
sshd\[\d+\]: Generating \d+ bit RSA key\.
sshd\[\d+\]: RSA key generation complete\.
sshd\[\d+\]: Accepted password for %SHELL_USERS from %INT_IP port \d+
PAM_pwdb\[\d+\]: \(sshd\) session opened for user %SHELL_USERS by %SHELL_USERS\(uid=0\)
sshd\[\d+\]: Accepted rsa for %SHELL_USERS from %INT_IP port \d+
PAM_unix\[\d+\]: \(sshd\) session opened for user %SHELL_USERS by %SHELL_USERS\(uid=0\)

#
# /bin/login
#
login: LOGIN ON .*. BY %SHELL_USERS FROM .*.%INT_DOM

#
# PAM+samba, because windows sucks & has case-insensitive passwords
#
PAM_pwdb\[\d+\]: authentication failure; \(uid=0\) -> %SAMBA_USERS for samba service

#
# snort
#
snort\[\d+\]: PING-ICMP Time Exceeded:
snort\[\d+\]: PING-ICMP Source Quench:
snort\[\d+\]: spp_portscan:
snort\[\d+\]: IDS169 - PING Windows Type:
snort\[\d+\]: IDS152 - PING BSD:
snort\[\d+\]: IDS246 - MISC - Large ICMP Packet:
snort\[\d+\]: IDS115 - MISC-Traceroute UDP:
snort\[\d+\]: IDS118 - MISC-Traceroute ICMP:
snort\[\d+\]: .*.Napster
snort\[\d+\]: BETA - Anon FTP:.*.205\.156\.51\.200:21

# crond
CRON\[\d+\]: \(root\)

# identd
identd\[\d+\]: Connection from .*.%INT_DOM
identd\[\d+\]: Successful lookup:

#
# Linux disk stuff
#
kernel: Detected scsi CD-ROM sr0 at scsi0, channel 0, id 6, lun 0
kernel: sr_photocd: ioctl error \(SONY/PIONEER\): 0x28000000
kernel: Disc change detected\.
kernel: VFS: Disk change detected on device
kernel: CDROM not ready\. Make sure there is a disc in the drive\.
kernel: Device not ready\. Make sure there is a disc in the drive\.
kernel: inserting floppy driver for
kernel: Floppy drive\(s\): fd0 is 1\.44M
kernel: FDC 0 is a National Semiconductor PC87306

#
# Linux ipmasq stuff
#
#kernel: ICMP: failed checksum from \d+\.\d+\.\d+\.\d+\!
#kernel: MASQ: reverse ICMP: failed checksum from \d+\.\d+\.\d+\.\d+\!
#kernel: MASQ: failed TCP/UDP checksum from .*.

#
# Linux sound stuff
#
kernel: Sound: Recording overrun

# ssyslogd
# INITIALIZED BY AUDITOR
# Download: \[PEO\] Ok

#
# Solaris automountd bitching about linux
#
automountd\[\d+\]: No network locking on %INT_IP: contact admin to install server change

#
# Linux nfsd
#
mountd\[\d+\]: NFS mount of /jsi/common attempted from %INT_IP
mountd\[\d+\]: /jsi/common has been mounted by %INT_IP
mountd\[\d+\]: authenticated mount request from .*.%INT_DOM
mountd\[\d+\]: authenticated unmount request from .*.%INT_DOM
kernel: lockd: failed to monitor nsm_mon_unmon: rpc failed, status=-13
kernel: svc: unknown program 100227 \(me 100003\)
kernel: svc: unknown version \(3\)

# Useless message unless it's in context
last message repeated.*.times

# generic tcpd catchall
[a-z].*.\[\d+\]: connect from.*.%INT_DOM
[a-z].*.\[\d+\]: connect from.*@localhost

# fubared dns stuff that gethostbyname() etc complains about
gethostby\*.getanswer: asked for .*., got .*.
gethostbyaddr:

#
# Sundry "local" things
#

# dog's dhcp client
dhcpd: .*. 00:20:78:18:2f:c2

# packet capture
\d+:15:\d+ fw PAM_pwdb\[\d+\]: \(sshd\) session opened for user root
\d+:15:\d+ fw sshd\[\d+\]: Accepted rsa for ROOT from 172\.16\.195\.2 port \d+

# rsync every 4 hours
(00|04|08|12|16|20):35:\d+ www sshd\[\d+\]: Accepted rsa for web-owner from 172\.16\.195\.2
(00|04|08|12|16|20):35:\d+ www PAM_pwdb\[\d+\]: \(sshd\) session opened for user web-owner by \(uid=0\)

# apache log pull (for analysis)
# 4am
04:\d+:\d+ www sshd\[\d+\]: Accepted rsa for www-log from 172\.16\.195\.2 port \d+
04:\d+:\d+ www PAM_pwdb\[\d+\]: \(sshd\) session opened for user www-log by \(uid=0\)

# EOF
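Worked example, added here and not checksyslog's own code (nothing below comes from the tool's source): a short Python reader that applies a rulefile excerpt the way the comments at the top of the file describe it, with %NAME= declarations substituted textually like #define, %PREPEND prefixed to every expression, and a log line suppressed as soon as one rule matches it. How it treats the `(a) && (!b)` form is my reading of the sendmail relay rule; the rule excerpt, the syslog lines and the names RuleSet, review and ignored are assumptions of the example, not checksyslog output. Running it shows what a rulefile like this trades away: an ssh password login from an internal address and a samba password failure for a %SAMBA_USERS account are swallowed, while the same events from an outside address or for root, a rejected relay attempt, a non-root cron job, and a line that does not start with a month name all reach the reader.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt in the rulefile's own syntax (an assumption: a handful of
# rules modelled on the file above, not the file itself).
RULEFILE = r"""
# declarations are substituted textually, a-la #define
%INT_IP=172\.16\.195\.\d+
%SHELL_USERS=(jwa|cat|dog|tim)
%SAMBA_USERS=(jwa|dog|woot)
# every expression below is prefixed with this
%PREPEND=^(Jan .*.|Feb .*.|Mar .*.|Apr .*.|May .*.|Jun .*.|Jul .*.|Aug .*.|Sep .*.|Oct .*.|Nov .*.|Dec .*.)

sshd\[\d+\]: Accepted password for %SHELL_USERS from %INT_IP port \d+
(sendmail\[\d+\]: .*.relay=*.) && (!.*.reject.*.)
CRON\[\d+\]: \(root\)
PAM_pwdb\[\d+\]: authentication failure; \(uid=0\) -> %SAMBA_USERS for samba service
"""


@dataclass
class Clause:
    regex: re.Pattern
    negated: bool


class RuleSet:
    """Ignore-list semantics as the rulefile comments describe them; the
    '(a) && (!b)' handling is an assumption read off the sendmail relay rule."""

    def __init__(self, text: str) -> None:
        self.defs: dict[str, str] = {}
        self.prepend = ""
        self.rules: list[list[Clause]] = []
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):      # comments and blank lines
                continue
            if line.startswith("%") and "=" in line:  # %NAME=regex declaration
                name, _, value = line[1:].partition("=")
                if name == "PREPEND":
                    self.prepend = value
                else:
                    self.defs[name] = value
                continue
            self.rules.append(self._compile(line))

    def _expand(self, pat: str) -> str:
        # longest names first, so %INT_IP is never clobbered by a shorter %INT
        for name in sorted(self.defs, key=len, reverse=True):
            pat = pat.replace("%" + name, self.defs[name])
        return pat

    def _compile(self, line: str) -> list[Clause]:
        clauses = []
        for part in line.split("&&"):
            part = part.strip()
            if part.startswith("(") and part.endswith(")"):  # (clause) wrapper
                part = part[1:-1]
            negated = part.startswith("!")
            if negated:
                part = part[1:]
            clauses.append(Clause(re.compile(self.prepend + self._expand(part)), negated))
        return clauses

    def ignored(self, logline: str) -> bool:
        """True when some rule matches: every clause hits, or misses if negated."""
        return any(
            all((c.regex.search(logline) is None) == c.negated for c in clauses)
            for clauses in self.rules
        )


def review(rules: RuleSet, lines: list[str]) -> list[str]:
    """What the tool is for: keep only the lines no ignore rule covers."""
    return [line for line in lines if not rules.ignored(line)]


# Constructed syslog lines, not output from any real host.
SAMPLE = [
    "Jan  5 10:22:01 fw sshd[1234]: Accepted password for jwa from 172.16.195.2 port 51234",
    "Jan  5 10:23:44 fw sshd[1240]: Accepted password for jwa from 203.0.113.7 port 40022",
    "Jan  5 10:25:00 mx sendmail[2201]: f05KP0x02201: to=<cat@int.example.com>, relay=local, stat=Sent",
    "Jan  5 10:25:03 mx sendmail[2202]: f05KP3x02202: ruleset=check_rcpt, relay=[203.0.113.9], reject=550 5.7.1 Relaying denied",
    "Jan  5 10:30:01 fw CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan  5 10:31:17 fw CRON[2301]: (woot) CMD (/tmp/.x)",
    "Jan  5 10:40:09 fs PAM_pwdb[2410]: authentication failure; (uid=0) -> dog for samba service",
    "Jan  5 10:40:12 fs PAM_pwdb[2411]: authentication failure; (uid=0) -> root for samba service",
    "garbage CRON[1]: (root) CMD (x)",
]

RULES = RuleSet(RULEFILE)

if __name__ == "__main__":
    for line in review(RULES, SAMPLE):
        print(line)
```

Run the file directly and it prints the five lines that survive. Without the tool's -v flag, `RULES.rules` is the equivalent view: each rule is a list of compiled clauses with its negation flag, which is the first thing to inspect when a rule either swallows too much or never fires.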