diff --git a/modules/journalwatch.nix b/modules/journalwatch.nix
index 8e5d88e..07668e5 100644
--- a/modules/journalwatch.nix
+++ b/modules/journalwatch.nix
@@ -183,6 +183,8 @@
 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ - \S* \S+ \+0000 "(DELETE|GET|PATCH|POST|PUT) /ocs/(v1|v2)\.php" (200|201|202|204|304|401|403|404|412|500)
 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ - \S* \S+ \+0000 "(GET|HEAD) /(ocm|ocs)-provider/index\.php" 200
 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ - \S* \S+ \+0000 "(DELETE|GET|MKCOL|MOVE|PROPFIND|PUT) /public\.php" (200|201|204|207|401|403|404)
+ #
+ crond: USER www-data pid [0-9]+ cmd php -f /var/www/html/cron\.php
 '';
 match = "IMAGE_NAME = /p1st/nextcloud:(25|26|27|stable)-fpm-alpine/";
 }
@@ -482,6 +484,13 @@
 # _SYSTEMD_UNIT
 #
+ { # yodaNas
+ filters = ''
+ .*
+ '';
+ match = "_SYSTEMD_UNIT = /(systemd-logind|syncthing)\\.service/";
+ }
+ { # yodaNas
 filters = ''
 \s*The \S+ (A|AAAA) record points already to \S+
@@ -545,7 +554,7 @@
 { # yodaYoga, yodaNas
 filters = ''
- Accepted publickey for root from \S+ port \S+ ssh2: RSA SHA256:\S+
+ Accepted publickey for (root|yoda) from \S+ port \S+ ssh2: RSA SHA256:\S+
 pam_unix\(sshd:session\): session opened for user \S+ by \S+
 Received disconnect from \S+ port \S+:11: disconnected by user
 Disconnected from user \S+ \S+ port \S+
@@ -673,6 +682,8 @@
 {
 filters = ''
+ pam_unix\(sudo:session\): session opened for user root\(uid=0\) by (yoda)?\(uid=[0-9]+\)
+ pam_unix\(sudo:session\): session closed for user root
 # yodaTux. If the user `yoda` runs a command with `sudo`.
 \s+yoda : TTY=pts/[0-9] ; PWD=/\S+ ; USER=root ; COMMAND=/.+
 # yodaNas. If the btrbk service is run.
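Review bot: The added `.*` filter scoped by `match = "_SYSTEMD_UNIT = /(systemd-logind|syncthing)\\.service/"` in the @@ -482,6 +484,13 @@ hunk suppresses every message systemd-logind emits, and logind is the unit that records user sessions opening and closing, so those events (and any logind error) no longer reach the journalwatch report. If the intent is only to drop the routine session chatter, listing the specific lines instead of `.*` (logind's `New session … of user …` / `Removed session …` messages, hedged here since the hunk does not show them) keeps unexpected session activity and failures visible. A comment above the block saying what it is meant to hide would also help, e.g. `# yodaNas. Drop all logind/syncthing messages (intentional).` The `Started Session [0-9]+ of User (root|yoda)\.` line added in the @@ -692,7 +703,30 @@ hunk overlaps with this filter.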
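Review bot: The widened `Accepted publickey for (root|yoda) from \S+ port \S+ ssh2: RSA SHA256:\S+` in the @@ -545,7 +554,7 @@ hunk hides every successful key login for both users regardless of source address or which key was presented, so a login with a newly added or unexpected key that sshd accepts is indistinguishable from a routine one in the report. Pinning the fingerprint alternation to the keys actually deployed, e.g. `ssh2: RSA SHA256:(<fingerprint-of-yoda-key>|<fingerprint-of-root-key>)` (placeholders), keeps the noise reduction while letting an unknown key surface; narrowing `from \S+` to the expected source hosts would do the same for origin. The filters block continues outside the hunk, so I cannot see whether a `match` already scopes it to sshd.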
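Review bot: The added `pam_unix\(sudo:session\): session opened for user root\(uid=0\) by (yoda)?\(uid=[0-9]+\)` in the @@ -673,6 +682,8 @@ hunk makes the invoking user optional and accepts any uid, so a sudo-to-root session opened by any account is filtered, which is broader than the existing `\s+yoda : TTY=pts/[0-9] ; PWD=/\S+ ; USER=root ; COMMAND=/.+` line that only hides yoda's own commands. If yoda is uid 1000, as the `(0|1000)` patterns in the @@ -692,7 +703,30 @@ hunk suggest, `by (yoda)?\(uid=1000\)` keeps sessions opened by other accounts in the report; the optional `(yoda)?` presumably covers messages where pam_unix has no login name, which is worth stating in a comment above the line. The enclosing block and its `match` are outside the hunk.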
@@ -692,7 +703,30 @@
 filters = ''
 \S+\.(service|scope|slice|mount): Consumed .+ CPU time, read .+ from disk, written .+ to disk(, .+|\.)
 \S+\.(service|scope|slice|mount): Consumed .+ CPU time(, .+)?, received .+ IP traffic, sent .+ IP traffic\.
- \S+\.(service|scope|slice|mount): Consumed .+ CPU time, no IP traffic\.
+ \S+\.(service|scope|slice|mount): Consumed .+ CPU time(, .+)?, no IP traffic\.
+ #
+ .*smtpd-key\.service.*
+ #
+ Starting User Runtime Directory /run/user/(0|1000)\.\.\.
+ Finished User Runtime Directory /run/user/(0|1000)\.
+ Stopping User Runtime Directory /run/user/(0|1000)\.\.\.
+ Starting User Manager for UID (0|1000)\.\.\.
+ Started User Manager for UID (0|1000)\.
+ Stopping User Manager for UID (0|1000)\.\.\.
+ Started Session [0-9]+ of User (root|yoda)\.
+ session-[0-9]+\.scope: Deactivated successfully\.
+ #
+ Starting Load Kernel Module efi_pstore\.\.\.
+ Starting Create SUID/SGID Wrappers\.\.\.
+ Stopped target Reactivate sysinit units\.
+ Stopping Reactivate sysinit units\.\.\.
+ Reached target Reactivate sysinit units\.
+ Reached target Local File Systems\.
+ Reached target Remote File Systems\.
+ Finished Load Kernel Module efi_pstore\.
+ Finished Create SUID/SGID Wrappers\.
+ [a-zA-Z ]+ was skipped because of an unmet condition check \([^\)]+\)\.
+ Update is Completed was skipped because no trigger condition checks were met\.
 #
 Starting Takes BTRFS snapshots and maintains retention policies\.\.\.\.
 Finished Takes BTRFS snapshots and maintains retention policies\.\.
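Review bot: `.*smtpd-key\.service.*` in the added lines matches any message that mentions the unit, including systemd's `Failed to start …` and `… Failed with result …` lines, so a broken smtpd-key service is silenced together with its routine start/finish chatter. Listing the expected lifecycle messages explicitly, in the style of the `Starting …\.\.\.` / `Finished …\.` / `Deactivated successfully\.` lines the same hunk adds for other units, keeps failures visible. The bare `#` separators around that line would read better as a purpose comment matching the rest of the file, e.g. `# yodaNas. Routine smtpd-key.service lifecycle messages.`. The block's `match` is outside the hunk, so I cannot tell which host or unit these filters are scoped to.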
@@ -714,7 +748,7 @@
 {
 filters = (''
 # Somebody evil iterating through different ports
- refused connection: IN=\S+ OUT= MAC=\S+ SRC=\S+ DST=\S+ LEN=\S+ TC=0 HOPLIMIT=255 FLOWLBL=\S+ PROTO=TCP SPT=\S+ DPT=\S+ WINDOW=\S+ RES=0x00 SYN URGP=0
+ refused connection: IN=\S+ OUT= MAC=\S+ SRC=\S+ DST=\S+ LEN=\S+ TC=[0-9]+ HOPLIMIT=[0-9]+ FLOWLBL=[0-9]+ PROTO=TCP SPT=[0-9]+ DPT=[0-9]+ WINDOW=[0-9]+ RES=0x00 SYN URGP=0\s+
 # Ignore.
 systemd\[[0-9]\]: memfd_create\(\) called without MFD_EXEC or MFD_NOEXEC_SEAL set
 # Ignore.
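Review bot: The trailing `\s+` on the new `refused connection: … RES=0x00 SYN URGP=0\s+` line requires at least one whitespace character after `URGP=0`; a log line that ends right after `URGP=0` then stops matching and reappears in the report, whereas `\s*` covers both forms: `… RES=0x00 SYN URGP=0\s*`. Whether this matters depends on journalwatch anchoring the pattern at the end of the message, which the hunk does not show. Since this filter deliberately drops the firewall's refused-SYN records, a comment under `# Somebody evil iterating through different ports` noting that scan evidence is then only in the raw journal, not the report, would make the trade-off explicit. The `filters = (''` block opens with the `{` at the top of the hunk and closes outside it.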