# Message repeats
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: printk: [0-9]+ messages suppressed

# Packet filtering and ll stuff
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: gShield \([[:alnum:]]+ drop\)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: gShield \(possible port scan\)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: ll header: [a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}

# Other kernel messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: NET: Registered protocol family 17
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: input: AT Translated Set 2 keyboard
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: tcptrack uses obsolete \(PF_INET,SOCK_PACKET\)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: htb: class [0-9]+ isn't work conserving
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: TCP: Treason uncloaked!
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: 3w-xxxx: SCSI_IOCTL_SEND_COMMAND deprecated, please update your 3ware tools\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: program smartctl is using a deprecated SCSI ioctl, please convert it to SG_IO$

# Should only be a security alert, not a system event too!
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: eth[0-9]+: Promiscuous mode enabled.

# No physical access
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ login\[[0-9]+\]: \(pam_unix\) check pass; user unknown
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ login\[[0-9]+\]: FAILED LOGIN \([0-9]+\) on .tty[0-9]+. FOR .[_[:alnum:]-]+., User not known to the underlying authentication module

# uptimed - I can just run uprecords
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ uptimed: milestone: [0-9]+ days

# crontab is my friend
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ crontab\[[0-9]+\]:

# gShield init
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gShield\.rc\[[0-9]+\]:

# Courier-IMAP
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: LOGIN, user=[-_.@[:alnum:]]+, ip=\[[.:[:alnum:]]+\], protocol=IMAP$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: Connection, ip=\[[.:[:alnum:]]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: LOGOUT, user=[-_.@[:alnum:]]+, ip=\[[.:[:alnum:]]+\], headers=[0-9]+, body=[0-9]+, rcvd=[0-9]+, sent=[0-9]+, time=[0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: LOGOUT, user=[-_.@[:alnum:]]+, ip=\[[.:[:alnum:]]+\], headers=[0-9]+, body=[0-9]+, rcvd=[0-9]+, sent=[0-9]+, time=[0-9]+, starttls=(0|1)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: DISCONNECTED, user=[-_.@[:alnum:]]+, ip=\[[.:[:alnum:]]+\], headers=[0-9]+, body=[0-9]+, rcvd=[0-9]+, sent=[0-9]+, time=[0-9]+$

# thttpd is very noisy
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ thttpd\[[0-9]+\]:

# BIND v9
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client.*transfer

# DHCP renewal
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: renewed lease for interface eth[0-3]

# Attacks against OpenSSH get old, fast
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for [^[:space:]]+ failed - POSSIBLE BREAKIN ATTEMPT!
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed none for illegal user [^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Illegal user [^[:space:]]+ from [\.0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: error: Could not get shadow information for NOUSER
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: error: Could not get shadow information for root
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Did not receive identification string from
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: User [^[:space:]]+ not allowed because not listed in AllowUsers

# syslog-ng tight restart window, for cron.daily and friends
^\w{3} [ 0-9]{2} 06:(2[0-9]|3[0-2]):[0-9]{2} [._[:alnum:]-]+ syslog-ng\[[0-9]+\]: SIGHUP received, restarting syslog-ng
^\w{3} [ 0-9]{2} 06:(2[0-9]|3[0-2]):[0-9]{2} [._[:alnum:]-]+ thttpd\[[0-9]+\]: (exiting|.*starting)
^\w{3} [ 0-9]{2} 06:4[5-9]:[0-9]{2} [._[:alnum:]-]+ ntpd\[[0-9]+\]: .*

# Because dhcpd3 is great (and tosses empty lines)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: Discarding packet with bogus hlen
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd:$

# NFSv3
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rpc.mountd: authenticated unmount

# Alsa (alsa-base), spurious warnings
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ modprobe: WARNING: /etc/modprobe.d/linux-sound-base_noOSS
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ modprobe: FATAL: Error running install command for sound_slot_1

# Something related to GNOME (I use GNOME?)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ \([_[:alnum:]-]+-[0-9]+\): (SIGHUP|starting|Resolved address)

# KDE is being noisy
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ \[kdeinit\]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :[0-9]+\[[0-9]+\]: \(pam_unix\) session opened for user [_[:alnum:]-]+ by \(uid=0\)

# Other system messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: spurious 8259A interrupt: IRQ[0-9]+
^\w{3} [ :0-9]{11} (faith|nebula|sarah) kernel: Probing IDE interface ide[0-9]\.\.\.
^\w{3} [ :0-9]{11} (faith|nebula|sarah) kernel: ide1 at
^\w{3} [ :0-9]{11} (faith|nebula|sarah) kernel: hd[a-z]
^\w{3} [ :0-9]{11} (faith|nebula|sarah) kernel: Uniform CD-ROM driver
^\w{3} [ :0-9]{11} (faith|nebula|sarah) kernel: scsi:
^\w{3} [ :0-9]{11} (faith|nebula|sarah) kernel: sd
^\w{3} [ :0-9]{11} (faith|nebula|sarah) kernel: Device not ready. Make sure there is a disc in the drive.
^\w{3} [ :0-9]{11} (faith|nebula|sarah) kernel: (/dev/)?vmmon
^\w{3} [ :0-9]{11} (faith|nebula|sarah) kernel: end_request: I/O error, dev fd0, sector 0
^\w{3} [ :0-9]{11} (faith|nebula|sarah) kernel: floppy[0-9]
^\w{3} [ :0-9]{11} (faith|nebula|sarah) kernel: loop
^\w{3} [ :0-9]{11} (faith|nebula|sarah) kernel: ISO 9660
^\w{3} [ :0-9]{11} (faith|nebula|sarah) kernel: ISOFS: changing to secondary root