Differences between revisions 11 and 17 (spanning 6 versions)
Revision 11 as of 2015-04-29 06:18:43
Size: 2356
Editor: ?RichieB
Comment: Changed PID to 1, added 3 more lines
Revision 17 as of 2016-04-24 22:52:01
Size: 5024
Editor: ?raimue
Comment: Session id may also contain letters. I saw c1, c2, etc. in my auth.log.
Line 6: Line 6:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: (Reexecuting|Reloading)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: systemd [[:digit:]]+ running in system mode. \((\+[[:alnum:]]+ ?)+\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Expecting device [^[:space:]]+\.device\.\.\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing|ed) Cleanup of Temporary Directories\.+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing|ed) Run anacron jobs\.+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [[:digit:]]+ of user [^[:space:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Removed session [[:digit:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Stopping (Timers|Default|Basic System|Paths|Sockets)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Stopped target (Timers|Default|Basic System|Paths|Sockets)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Starting (Shutdown|Exit the Session\.\.|Timers|Default|Basic System|Paths|Sockets)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Reached target (Shutdown|Timers|Default|Basic System|Paths|Sockets)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1
\]: Received SIGRTMIN\+24 from PID [[:digit:]]+ \(kill\)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Startup finished in [[:digit:]]+ms\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: (Start|Stopp)(ing|ed) User Manager for UID [0-9]+\.+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: (Starting|Created|Stopping|Removed)( slice)? (user|system)-[\\[:alnum:]]+\.slice\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session (opened|closed) for user [[:alnum:]]+( by \(uid=[0-9]+\))?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Reexecuting|Reloading)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: systemd [[:digit:]]+ running in system mode. \((\+[[:alnum:]]+ ?)+\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Expecting device [^[:space:]]+\.device\.\.\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Start(ing|ed) Cleanup of Temporary Directories\.+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Start(ing|ed) Run anacron jobs\.+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [[:alnum:]]+ of user [^[:space:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Removed session [[:alnum:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Stopping|Stopped target|Reached target) (Shutdown|Timers|Default|Basic System|Paths|Sockets)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Starting (Shutdown|Exit the Session\.\.|Timers|Default|Basic System|Paths|Sockets)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Received SIGRTMIN\+24 from PID [[:digit:]]+ \(kill\)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Startup finished in [[:digit:]]+ms\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Start|Stopp)(ing|ed) User Manager for UID [0-9]+\.+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Starting|Created|Stopping|Removed)( slice)? (user|system)-[\\[:alnum:]]+\.slice\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Time has been changed$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd
: pam_unix\(systemd-user:session\): session (opened|closed) for user [^[:space:]]+( by \(uid=[0-9]+\))?$
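Review bot: the new `Time has been changed$` rule in this hunk suppresses every clock step that PID 1 reports, and a jump of the system clock is one of the few systemd messages a server administrator actually wants in the report (an NTP step, a manual `date` change, or a clock set backwards to muddle timestamps); keep that line out of the shared ignore.d.server file, or put it in a per-host local file. The rest of the hunk is sound: `systemd\[[[:digit:]]+\]` in place of `systemd\[1\]` is needed because the `systemd --user` managers log the same `Reached target Default.` and `Startup finished in ...ms.` lines under their own PID, the logind rules now take the `c1`, `c2` session ids named in the revision comment, and the pam_unix line now uses `[^[:space:]]+` for the user name like the logind rules do. One nit carried over from the old lines: `running in system mode.` leaves the dot unescaped; `mode\.` keeps that rule literal like the others.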
Line 27: Line 26:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Reload(ing|ed) LSB: .*\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Reload(ing|ed) LSB: .*\.$
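Review bot: `Reload(ing|ed) LSB: .*\.$` is the only open-ended `.*` in the file; it is tolerable because it sits behind the literal `LSB: ` prefix and the closing `\.$`, but it is also the one rule here that silences a unit description nobody has looked at, so once the init scripts on a host are known it is better to list their descriptions in an alternation as the other rules on this page do. Widening `\[1\]` to `\[[[:digit:]]+\]` is harmless on this line but buys nothing, since LSB init-script units are only handled by the system instance.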
Line 29: Line 28:

Contributions by Blue Light:

systemd:
{{{
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session (opened|closed) for user [^[:space:]]+( by \(uid=[0-9]+\))?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Failed to read PID from file /run/nginx\.pid: Invalid argument$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Received SIGRTMIN\+24 from PID [[:digit:]]+ \(kill\)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Startup finished in [[:digit:]]+ms\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Start(ing|ed) ((Daily )?Cleanup of Temporary Directories|Device-mapper event daemon|Hostname Service)\.*$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Time has been changed$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Starting|Created|Stopping|Removed)( slice)? (user|system)-[\\[:alnum:]]+\.slice\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Start|Listen)ing (on )?(CUPS Printing Service Sockets|Device-mapper event daemon FIFOs)\.*$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Start|Stopp)(ing|ed) (Authenticate and Authorize Users to Run Privileged Tasks|Daemon for power management|PackageKit Daemon|RealtimeKit Scheduling Policy Service|User Manager for UID [0-9]+)\.+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: ((Reached|Stopped) target|((Start|Stopp)ing)) (Basic System|Default|Encrypted Volumes|Graphical Interface|Local File Systems( \(Pre\))?|Login Prompts|Mail Transport Agent|Multi-User System|Network|Network is Online|Paths|Remote File Systems|RPC Port Mapper|Shutdown|Sockets|Sound Card|Swap|System Initialization|Timers)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: ((Start|Stopp)ing) (A high performance web server and a reverse proxy server|Device-mapper event daemon|Exit the Session)\.*$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Start(ed|ing)|Stopping) (CUPS Printing Service|Disk Manager|Session [[:digit:]]+ of user [^ ]+)\.*$
}}}

systemd-hostnamed:
{{{
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-hostnamed\[[[:digit:]]+\]: Warning: nss-myhostname is not installed\. Changing the local hostname might make it unresolveable\. Please install nss-myhostname!$
}}}

systemd-logid:
{{{
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [[:alnum:]]+ of user [^ ]+\.*$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Removed session [[:alnum:]]+\.$
}}}
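Review bot: the session-id handling in this block contradicts the change made in the same revision set: the `systemd-logid:` section (a typo for systemd-logind) accepts `New session [[:alnum:]]+` and `Removed session [[:alnum:]]+`, but the `(Start(ed|ing)|Stopping) (CUPS Printing Service|Disk Manager|Session [[:digit:]]+ of user [^ ]+)` rule still demands a numeric id, so the `c1`, `c2` sessions from the revision comment are silenced on the logind side and reported on the systemd side; use `[[:alnum:]]+` in both. Much of the rest duplicates rules already in the main list above (the pam_unix line, `Received SIGRTMIN\+24`, `Startup finished`, `Time has been changed`, the `.slice` rule and both logind rules) with small divergences such as `\.*$` against `\.$` and `[^ ]+` against `[^[:space:]]+`; merging them into the single ignore.d.server/systemd list leaves one copy to maintain. Finally, `Failed to read PID from file /run/nginx\.pid: Invalid argument` hides an error specific to one host's nginx unit; that belongs in a local file, or should be fixed in the unit's `PIDFile=`, rather than in a shared rule set.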

This is a page to collect logcheck rules for systemd.

ignore.d.server/systemd:

{{{
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Starting|Started) Session [[:digit:]]+ of user [^[:space:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Reexecuting|Reloading)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: systemd [[:digit:]]+ running in system mode\. \((\+[[:alnum:]]+ ?)+\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Expecting device [^[:space:]]+\.device\.\.\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Start(ing|ed) Cleanup of Temporary Directories\.+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Start(ing|ed) Run anacron jobs\.+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [[:alnum:]]+ of user [^[:space:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Removed session [[:alnum:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Stopping|Stopped target|Reached target) (Shutdown|Timers|Default|Basic System|Paths|Sockets)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Starting (Shutdown|Exit the Session\.\.|Timers|Default|Basic System|Paths|Sockets)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Received SIGRTMIN\+24 from PID [[:digit:]]+ \(kill\)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Startup finished in [[:digit:]]+ms\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Start|Stopp)(ing|ed) User Manager for UID [0-9]+\.+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Starting|Created|Stopping|Removed)( slice)? (user|system)-[\\[:alnum:]]+\.slice\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Time has been changed$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session (opened|closed) for user [^[:space:]]+( by \(uid=[0-9]+\))?$
}}}

Reloads triggered by logrotate are logged to syslog by systemd as well. The following rule ignores the systemd part of those messages; the daemons being reloaded or restarted still need rules of their own:

{{{
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Reload(ing|ed) LSB: .*\.$
}}}
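Before dropping a rule file like the one above into /etc/logcheck/ignore.d.server/, it pays to run it against a few real lines and a few lines that must never be ignored. The harness below is an added example written for this page; it is not part of logcheck or of the Debian wiki. It mimics logcheck's `grep -E -v -f` stage in Python (rewriting the POSIX bracket classes, which Python's re module lacks) over four rules copied from the list above and a handful of constructed syslog lines: the hostname srv1, the PIDs, the user names and the sshd line are all made up. Two things it surfaces: a `Started Session c1 of user ...` line is still reported, because the `Session [[:digit:]]+` rule was not widened along with the logind rules, and the `Time has been changed` line vanishes from the report entirely.

```python
"""
Added example: apply logcheck-style ignore rules (POSIX ERE, as fed to
`grep -E -v -f`) to syslog lines and return what would still be reported.
The rules are copied from the ignore.d.server/systemd list on this page;
the log lines are constructed for the example.
"""
import re

# POSIX bracket classes used by the rules on this page -> Python re equivalents.
# logcheck hands the rules to GNU grep -E; Python's re has no [[:digit:]]-style
# classes, so they are rewritten before compiling. Everything else the rules
# use (\w, \., {11}, (a|b), ^...$) means the same in both engines.
POSIX_CLASSES = {
    "[:digit:]": "0-9",
    "[:alnum:]": "a-zA-Z0-9",
    "[:alpha:]": "a-zA-Z",
    "[:space:]": r"\s",
}


def compile_rule(rule: str) -> re.Pattern:
    """Compile one ERE ignore rule into a Python pattern."""
    for posix, python in POSIX_CLASSES.items():
        rule = rule.replace(posix, python)
    return re.compile(rule)


def load_rules(text: str) -> list:
    """Parse an ignore.d.server file. Blank lines and '#' comments are
    skipped, as logcheck does when it assembles its ignore list."""
    return [compile_rule(line) for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def matching_rule(line: str, rules: list):
    """Index of the first rule that suppresses `line`, or None if logcheck
    would report it. Useful when a rule swallows more than intended."""
    for index, rule in enumerate(rules):
        if rule.search(line):
            return index
    return None


def surviving_lines(lines: list, rules: list) -> list:
    """What logcheck's `grep -E -v -f` stage leaves for the report."""
    return [line for line in lines if matching_rule(line, rules) is None]


# Four rules copied verbatim from the ignore.d.server/systemd list above.
RULES_TEXT = r"""
# session / tmpfiles / clock rules from the wiki page
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Starting|Started) Session [[:digit:]]+ of user [^[:space:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Start(ing|ed) Cleanup of Temporary Directories\.+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [[:alnum:]]+ of user [^[:space:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Time has been changed$
"""

# Constructed sample syslog lines (host "srv1", PIDs, users and the sshd
# line are invented for this example).
SAMPLE_LOG = [
    "Apr 24 22:52:01 srv1 systemd-logind[512]: New session c1 of user raimue.",
    "Apr 24 22:52:01 srv1 systemd[1]: Started Session c1 of user raimue.",
    "Apr 24 22:52:05 srv1 systemd[1]: Time has been changed",
    "Apr 24 22:52:07 srv1 systemd[1]: Started Cleanup of Temporary Directories.",
    "Apr 24 22:52:09 srv1 systemd[1]: Starting Session 4 of user root.",
    "Apr 24 22:52:10 srv1 sshd[777]: Accepted publickey for root from 203.0.113.5 port 50022 ssh2",
    "Apr 24 22:52:11 srv1 systemd[1]: Failed to start Daily Cleanup of Temporary Directories.",
]


def demo() -> list:
    """Run the page's rules over the sample log; returns the reported lines."""
    return surviving_lines(SAMPLE_LOG, load_rules(RULES_TEXT))


if __name__ == "__main__":
    # Expect three survivors: the "Session c1" line (numeric-only rule), the
    # sshd login and the "Failed to start" line. The clock change is gone.
    for reported in demo():
        print("REPORTED:", reported)
```

The POSIX-class rewrite is a convenience for the example; the authoritative check is still GNU grep, which is what logcheck runs: `grep -E -v -f /etc/logcheck/ignore.d.server/systemd /var/log/syslog` prints the lines the ignore stage would pass on to the report.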

Contributions by Blue Light:

systemd:

{{{
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session (opened|closed) for user [^[:space:]]+( by \(uid=[0-9]+\))?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Failed to read PID from file /run/nginx\.pid: Invalid argument$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Received SIGRTMIN\+24 from PID [[:digit:]]+ \(kill\)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Startup finished in [[:digit:]]+ms\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Start(ing|ed) ((Daily )?Cleanup of Temporary Directories|Device-mapper event daemon|Hostname Service)\.*$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Time has been changed$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Starting|Created|Stopping|Removed)( slice)? (user|system)-[\\[:alnum:]]+\.slice\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Start|Listen)ing (on )?(CUPS Printing Service Sockets|Device-mapper event daemon FIFOs)\.*$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Start|Stopp)(ing|ed) (Authenticate and Authorize Users to Run Privileged Tasks|Daemon for power management|PackageKit Daemon|RealtimeKit Scheduling Policy Service|User Manager for UID [0-9]+)\.+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: ((Reached|Stopped) target|((Start|Stopp)ing)) (Basic System|Default|Encrypted Volumes|Graphical Interface|Local File Systems( \(Pre\))?|Login Prompts|Mail Transport Agent|Multi-User System|Network|Network is Online|Paths|Remote File Systems|RPC Port Mapper|Shutdown|Sockets|Sound Card|Swap|System Initialization|Timers)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: ((Start|Stopp)ing) (A high performance web server and a reverse proxy server|Device-mapper event daemon|Exit the Session)\.*$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Start(ed|ing)|Stopping) (CUPS Printing Service|Disk Manager|Session [[:digit:]]+ of user [^ ]+)\.*$
}}}

systemd-hostnamed:

{{{
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-hostnamed\[[[:digit:]]+\]: Warning: nss-myhostname is not installed\. Changing the local hostname might make it unresolveable\. Please install nss-myhostname!$
}}}

systemd-logind:

{{{
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [[:alnum:]]+ of user [^ ]+\.*$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Removed session [[:alnum:]]+\.$
}}}