├── filters ├── evince.ignore ├── iptables.ignore ├── dmeventd.ignore ├── login.ignore ├── lightdm.ignore ├── sudo.ignore ├── msmtp.ignore ├── smbd.ignore ├── mtp-probe.ignore ├── mkinitcpio.ignore ├── pacman.ignore ├── journalctl.ignore ├── pdnsd.ignore ├── btrfs.ignore ├── lvm.ignore ├── pam.ignore ├── dracut.ignore ├── a11y.ignore ├── hdd-spindown.ignore ├── ntfs-3g.ignore ├── minidlnad.ignore ├── kernel-apparmor.ignore ├── colord.ignore ├── cron.ignore ├── fcron.ignore ├── polkitd.ignore ├── dbus.ignore ├── sshd.ignore ├── openntpd.ignore ├── thttpd.ignore ├── ntpd.ignore ├── udisksd.ignore ├── rtkitd.ignore ├── dnsmasq.ignore ├── smartd.ignore ├── dhcpcd.ignore ├── postfix.ignore ├── openvpn.ignore └── systemd.ignore ├── example ├── journalcheck.timer └── journalcheck.service ├── Makefile ├── LICENSE ├── journalcheck.sh └── README.md /filters/evince.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ org.gnome.evince.Daemon\[[0-9]+\]: .*$ 2 | -------------------------------------------------------------------------------- /filters/iptables.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ iptables-flush\[[0-9]+\]: /usr/sbin/ip6?tables$ 2 | -------------------------------------------------------------------------------- /filters/dmeventd.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dmeventd\[[0-9]+\]: dmeventd ready for processing\.$ 2 | -------------------------------------------------------------------------------- /filters/login.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ login\[[0-9]+\]: LOGIN ON tty[0-9]+ BY [._[:alnum:]-]+$ 2 | -------------------------------------------------------------------------------- 
/filters/lightdm.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ lightdm\[[0-9]+\]: pam_succeed_if\(lightdm-autologin:auth\): requirement "user ingroup autologin" was met by user ".*"$ 2 | -------------------------------------------------------------------------------- /filters/sudo.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: +[_[:alnum:]-]+ : (a password is required ; )?TTY=pts/[0-9]+ ; PWD=.+ ; USER=[_[:alnum:]-]+ ; COMMAND=.+$ 2 | -------------------------------------------------------------------------------- /example/journalcheck.timer: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Trigger journalcheck 3 | 4 | [Timer] 5 | OnBootSec=1min 6 | OnUnitActiveSec=1h 7 | 8 | [Install] 9 | WantedBy=timers.target 10 | -------------------------------------------------------------------------------- /example/journalcheck.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=journalcheck 3 | 4 | [Service] 5 | Type=oneshot 6 | User=lynix 7 | Environment=JC_LOGLEVEL=0..4 8 | ExecStart=/usr/bin/checkrun journalcheck 9 | -------------------------------------------------------------------------------- /filters/msmtp.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ msmtp\[[0-9]+\]: host=[._[:alnum:]-]+ tls=(on|off) auth=on user=.+ from=.+ recipients=.+ mailsize=[0-9]+ smtpstatus=250 smtpmsg=.+ exitcode=EX_OK$ 2 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | DESTDIR ?= 2 | PREFIX ?= /usr 3 | 4 | install: 5 | install -D -m 755 journalcheck.sh 
$(DESTDIR)$(PREFIX)/bin/journalcheck 6 | install -D -m 644 -t $(DESTDIR)$(PREFIX)/lib/journalcheck filters/*.ignore 7 | 8 | .PHONY: install 9 | -------------------------------------------------------------------------------- /filters/smbd.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]{8}\.[0-9]+, 0\] smbd/server\.c:[0-9]+\(main\)$ 2 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: standard input is not a socket, assuming -D option$ 3 | -------------------------------------------------------------------------------- /filters/mtp-probe.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ mtp-probe\[[0-9]+\]: bus: [0-9]+, device: [0-9]+ was not an MTP device$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ mtp-probe\[[0-9]+\]: checking bus [0-9]+, device [0-9]+: "/sys/devices/.*"$ 3 | -------------------------------------------------------------------------------- /filters/mkinitcpio.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ mkinitcpio\[[0-9]+\]: -> Running build hook: \[sd-shutdown\]$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ mkinitcpio\[[0-9]+\]: ==> Build complete\.$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ mkinitcpio\[[0-9]+\]: ==> Starting build: none$ 4 | -------------------------------------------------------------------------------- /filters/pacman.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pacman\[[0-9]+\]: :: Synchronizing package databases\.\.\.$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pacman\[[0-9]+\]: [._[:alnum:]-]+ is up to date$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pacman\[[0-9]+\]: downloading [._[:alnum:]-]+\.\.\.$ 4 | 
-------------------------------------------------------------------------------- /filters/journalctl.ignore: -------------------------------------------------------------------------------- 1 | ^-- Boot [0-9a-f]{32} --$ 2 | ^-- Journal begins at \w{3} [0-9-]{10} [0-9:]{8} [A-Z]+, ends at \w{3} [0-9-]{10} [0-9:]{8} [A-Z]+\. --$ 3 | ^-- Logs begin at \w{3} [0-9-]{10} [0-9:]{8} [A-Z]+, end at \w{3} [0-9-]{10} [0-9:]{8} [A-Z]+\. --$ 4 | ^-- No entries --$ 5 | ^-- Reboot --$ 6 | ^-- cursor: [^ ]+$ 7 | -------------------------------------------------------------------------------- /filters/pdnsd.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdnsd\[[0-9]+\]: \* [0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}\| pdnsd: info: pdnsd-[-.0-9a-z]+ starting\.$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pdnsd\[[0-9]+\]: \* [0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}\| pdnsd: warning: Caught signal 15\. Exiting\.$ 3 | -------------------------------------------------------------------------------- /filters/btrfs.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ btrfs\[[0-9]+\]: scrub done for [0-9a-f-]+$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ btrfs\[[0-9]+\]: scrub started at .+ and finished after [0-9:]+$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ btrfs\[[0-9]+\]: total bytes scrubbed: [0-9.]+(G|M|T)iB with 0 errors$ 4 | -------------------------------------------------------------------------------- /filters/lvm.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ lvm\[[0-9]+\]: (No longer m|M)onitoring snapshot [._[:alnum:]-]+$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ lvm\[[0-9]+\]: /dev/.+: open failed: No medium found$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ lvm\[[0-9]+\]: [0-9]+ logical volume\(s\) in volume 
group ".+" now active$ 4 | -------------------------------------------------------------------------------- /filters/pam.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [._[:alnum:]-]+\[[0-9]+\]: pam_unix\([._[:alnum:]-]+:session\): session closed for user [._[:alnum:]-]+( by [._[:alnum:]-]+\(uid=[0-9]+\))?$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [._[:alnum:]-]+\[[0-9]+\]: pam_unix\([._[:alnum:]-]+:session\): session opened for user [._[:alnum:]-]+ by ([._[:alnum:]-]+)?\(uid=[0-9]+\)$ 3 | -------------------------------------------------------------------------------- /filters/dracut.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dracut-cmdline\[[0-9]+\]: Using kernel command line parameters:$ 2 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dracut-cmdline\[[0-9]+\]: dracut- dracut-.+$ 3 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dracut-initqueue\[[0-9]+\]: Scanning devices .+ for LVM logical volumes .+$ 4 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dracut-initqueue\[[0-9]+\]: inactive .+$ 5 | -------------------------------------------------------------------------------- /filters/a11y.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ org\.a11y\.Bus\[[0-9]+\]: Activating service name='org\.a11y\.atspi\.Registry'$ 2 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ org\.a11y\.Bus\[[0-9]+\]: Successfully activated service 'org\.a11y\.atspi\.Registry'$ 3 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ org\.a11y\.atspi.Registry\[[0-9]+\]: SpiRegistry daemon is running with well-known name - org\.a11y\.atspi\.Registry$ 4 | -------------------------------------------------------------------------------- /filters/hdd-spindown.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ 
hdd-spindown\.sh\[[0-9]+\]: (suspending|spinning up) sd[a-z]$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hdd-spindown\.sh\[[0-9]+\]: recognized disk: .+ --> .+$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hdd-spindown\.sh\[[0-9]+\]: spawned monitor thread for sd[a-z]$ 4 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ hdd-spindown\.sh\[[0-9]+\]: user now (present|absent)$ 5 | -------------------------------------------------------------------------------- /filters/ntfs-3g.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntfs-3g\[[0-9]+\]: Version [0-9.]+ external FUSE [0-9]+$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntfs-3g\[[0-9]+\]: Mounted /dev/.* \(Read-Write, label ".*", NTFS [0-9.]+\)$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntfs-3g\[[0-9]+\]: (Cmdline|Mount) options: .*$ 4 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntfs-3g\[[0-9]+\]: Global ownership and permissions enforced, configuration type 7$ 5 | -------------------------------------------------------------------------------- /filters/minidlnad.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ minidlnad\[[0-9]+\]: [._[:alnum:]-]+\.c:[0-9]+: warn: HTTP listening on port [0-9]+$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ minidlnad\[[0-9]+\]: [._[:alnum:]-]+\.c:[0-9]+: warn: New media_dir detected; rescanning\.\.\.$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ minidlnad\[[0-9]+\]: [._[:alnum:]-]+\.c:[0-9]+: warn: Starting MiniDLNA version 1\.1\.4\.$ 4 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ minidlnad\[[0-9]+\]: [._[:alnum:]-]+\.c:[0-9]+: warn: received signal 15, good-bye$ 5 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ minidlnad\[[0-9]+\]: \[mov,mp4,m4a,3gp,3g2,mj2 @ 0x[0-9a-f]+\] stream [0-9]+, timescale not set$ 6 | -------------------------------------------------------------------------------- /filters/kernel-apparmor.ignore: 
-------------------------------------------------------------------------------- 1 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: AppArmor: AppArmor Filesystem Enabled$ 2 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: AppArmor: AppArmor initialized$ 3 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: AppArmor: AppArmor sha1 policy hashing enabled$ 4 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: audit_printk_skb: [0-9]+ callbacks suppressed$ 5 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: type=1006 audit\([0-9.:]+\): pid=[0-9]+ uid=0 old auid=[0-9]+ new auid=[0-9]+ old ses=[0-9]+ new ses=[0-9]+ res=1$ 6 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: type=1400 audit\([0-9.:]+\): apparmor="STATUS" operation="profile_load" name=".+" pid=[0-9]+ comm="apparmor_parser"$ 7 | -------------------------------------------------------------------------------- /filters/colord.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ colord\[[0-9]+\]: Daemon ready for requests$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ colord\[[0-9]+\]: Device added: .+$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ colord\[[0-9]+\]: Profile added: .+$ 4 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ colord\[[0-9]+\]: Using (config|(mapping|device) database) file .*$ 5 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ colord\[[0-9]+\]: loaded plugin .+$ 6 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ colord\[[0-9]+\]: loaded plugin libcd_plugin_scanner.so$ 7 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ colord\[[0-9]+\]: plugin /usr/lib/colord-plugins/libcd_plugin_sane.so not loaded: plugin refused to load$ 8 | -------------------------------------------------------------------------------- /filters/cron.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ CROND\[[0-9]+\]: \(.+\) CMD \(.+\)$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Anacron started 
on [0-9]{4}-[0-9]{2}-[0-9]{2}$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Job `.+' (started|terminated)$ 4 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Jobs will be executed sequentially$ 5 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Normal exit \([0-9]+ jobs? run\)$ 6 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ anacron\[[0-9]+\]: Will run job `.+' in [0-9]+ min\.$ 7 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ crontab\[[0-9]+\]: \([._[:alnum:]-]+\) ((BEGIN|END) EDIT|REPLACE|RELOAD) \(.+\)$ 8 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ crontab\[[0-9]+\]: \([._[:alnum:]-]+\) LIST \(.+\)$ 9 | -------------------------------------------------------------------------------- /filters/fcron.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ fcron\[[0-9]+\]: Job .* completed( \(mailing output\))?$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ fcron\[[0-9]+\]: Job .* started for user [._[:alnum:]-]+ \(pid [0-9]+\)$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ fcron\[[0-9]+\]: Job /usr/sbin/run-cron /etc/cron\.hourly (started for user systab \(pid [0-9]+\)|completed)$ 4 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ fcron\[[0-9]+\]: adding file [._[:alnum:]-]+$ 5 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ fcron\[[0-9]+\]: fcron\[[0-9]+\] [0-9.]+ started$ 6 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ fcron\[[0-9]+\]: updating configuration from /var/spool/fcron$ 7 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ fcrontab\[[0-9]+\]: listing [^[:space:]]+'s fcrontab$ 8 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ run-crons\[[0-9]+\]: \(root\) CMD \(.*\)$ 9 | -------------------------------------------------------------------------------- /filters/polkitd.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ polkitd\[[0-9]+\]: (Registered|Unregistered) Authentication Agent for 
unix-(session|process):.+$ 2 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ polkitd\[[0-9]+\]: Acquired the name org.freedesktop.PolicyKit1 on the system bus$ 3 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ polkitd\[[0-9]+\]: Collecting garbage unconditionally\.\.\.$ 4 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ polkitd\[[0-9]+\]: Finished loading, compiling and executing [0-9]+ rules$ 5 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ polkitd\[[0-9]+\]: Loading rules from directory (/etc/polkit-1/rules.d|/usr/share/polkit-1/rules.d)$ 6 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ polkitd\[[0-9]+\]: Lost the name org.freedesktop.PolicyKit1 - exiting$ 7 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ polkitd\[[0-9]+\]: Reloading rules$ 8 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ polkitd\[[0-9]+\]: Started polkitd version [0-9.]+$ 9 | -------------------------------------------------------------------------------- /filters/dbus.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dbus-daemon\[[0-9]+\]: )?(dbus\[[0-9]+\]: \[system\] )?Reloaded configuration$ 2 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dbus-daemon\[[0-9]+\]: )?dbus\[[0-9]+\]: \[system\] Activating via systemd: service name='.*' unit='.*\.service'$ 3 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dbus-daemon\[[0-9]+\]: )?dbus\[[0-9]+\]: \[system\] Successfully activated service '.*'$ 4 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dbus-daemon\[[0-9]+\]: Activating service name='[^']+'$ 5 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dbus-daemon\[[0-9]+\]: Activating via systemd: service name='[^']+' unit='[^']+'$ 6 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dbus-daemon\[[0-9]+\]: Successfully activated service '[^']+'$ 7 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dbus\[[0-9]+\]: \[system\] Activating service name='.+' \(using servicehelper\)$ 8 | ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dbus\[[0-9]+\]: \[system\] Activation via systemd failed for unit '.+': Unit .+ is masked\.$ 9 | 
-------------------------------------------------------------------------------- /filters/sshd.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: (error: )?Received disconnect from [0-9a-f:.]+: 11: disconnected by user$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted (password|publickey) for [._[:alnum:]-]+ from [0-9a-f:.]+ port [0-9]+ ssh2: .+$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Authname;Remote: .+;Name: .+ \[preauth\]$ 4 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Disconnected from [0-9a-f:.]+$ 5 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: SSH: Server;Ltype: Kex;Remote: .+;Enc: .+;MAC: .+;Comp: none \[preauth\]$ 6 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: SSH: Server;Ltype: Version;Remote: .+;Protocol: [0-9.]+;Client: OpenSSH_.+$ 7 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Server listening on ([0-9.]+|[0-9a-f:]+) port [0-9]+\.$ 8 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: subsystem request for sftp by user [._[:alnum:]-]+$ 9 | -------------------------------------------------------------------------------- /filters/openntpd.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: [0-9]+ out of [0-9]+ peers valid$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: adjusting clock frequency by -?[0-9.]+ to [0-9.]+ppm$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: adjusting local clock by -?[0-9.]+s$ 4 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: bad peer from pool [._[:alnum:]-]+ \([0-9a-f.:]+\) 5 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: clock is now synced$ 6 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: listening on [0-9a-f:.]+$ 7 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ 
ntpd\[[0-9]+\]: ntp engine ready$ 8 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: peer [0-9a-f.:]+ now (in)?valid$ 9 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: reply from [0-9a-f.:]+: negative delay -?[0-9.]+s, next query [0-9]+s$ 10 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: set local clock to .+ \(offset [0-9.-]+s\)$ 11 | -------------------------------------------------------------------------------- /filters/thttpd.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ thttpd\[[0-9]+\]: [0-9a-f:.]+ - - "GET .+ HTTP/1\.1" (200 [0-9]+|304 0|404 0) ".*" ".+"$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ thttpd\[[0-9]+\]: exiting due to signal 15$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ thttpd\[[0-9]+\]: +fdwatch - [0-9]+ polls \([0-9.]+/sec\)$ 4 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ thttpd\[[0-9]+\]: +libhttpd - [0-9]+ strings allocated, [0-9]+ bytes \([0-9.]+ bytes/str\)$ 5 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ thttpd\[[0-9]+\]: +map cache - [0-9]+ allocated, [0-9]+ active \([0-9]+ bytes\), [0-9]+ free; hash size: [0-9]+; expire age: [0-9]+$ 6 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ thttpd\[[0-9]+\]: +thttpd - [0-9]+ connections \([0-9.]+/sec\), [0-9]+ max simultaneous, [0-9]+ bytes \([0-9.]+/sec\), [0-9]+ httpd_conns allocated$ 7 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ thttpd\[[0-9]+\]: thttpd/.+ starting on port [0-9]+$ 8 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ thttpd\[[0-9]+\]: +timers - [0-9]+ allocated, [0-9]+ active, [0-9]+ free$ 9 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ thttpd\[[0-9]+\]: up [0-9]+ seconds, stats for [0-9]+ seconds:$ 10 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2015 Alexander Koch 4 | 5 | Permission is hereby 
granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | 23 | -------------------------------------------------------------------------------- /filters/ntpd.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]:( .+ ntpd\[[0-9]+\]:)? Command line: 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]:( .+ ntpd\[[0-9]+\]:)? Deferring DNS for .* 1$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]:( .+ ntpd\[[0-9]+\]:)? Listen (normally|and drop) on .+$ 4 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]:( .+ ntpd\[[0-9]+\]:)? Listening on routing socket on fd #[0-9]+ for interface updates$ 5 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]:( .+ ntpd\[[0-9]+\]:)? [0-9a-f:]+ interface fe80::[0-9a-f:]+ -> [0-9a-f:]+$ 6 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]:( .+ ntpd\[[0-9]+\]:)? 
new interface\(s\) found: waking up resolver$ 7 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]:( .+ ntpd\[[0-9]+\]:)? ntp_io: estimated max descriptors: [0-9]+, initial socket boundary: [0-9]+$ 8 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]:( .+ ntpd\[[0-9]+\]:)? ntpd .+: Starting$ 9 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]:( .+ ntpd\[[0-9]+\]:)? peers refreshed$ 10 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]:( .+ ntpd\[[0-9]+\]:)? proto: precision = [0-1]\.[0-9]+ usec \(.+\)$ 11 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]:( .+ ntpd\[[0-9]+\]:)? signal_no_reset: signal 17 had flags 4000000$ 12 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd_intres\[[0-9]+\]: DNS .* -> [0-9a-f:.]+$ 13 | -------------------------------------------------------------------------------- /filters/udisksd.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ udisks-daemon\[[0-9]+\]: \(udisks-daemon:[0-9]+\): udisks-daemon-WARNING \*\*: No /proc/mdstat file: No such file or directory$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ udisks-daemon\[[0-9]+\]: \*\*\*\* ((pci|scsi_host) )?(ADDING|UPDATING|IGNORING (ADD|REMOVE)|ADDED|CHANGING|CHANGED|MOUNTED|UNMOUNTED|REMOVING) /sys/devices/.+$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ udisks-daemon\[[0-9]+\]: \*\*\*\* /proc/self/mountinfo changed$ 4 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ udisks-daemon\[[0-9]+\]: \*\*\*\* EMITTING (ADDED|CHANGED|REMOVED) for .+$ 5 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ udisks-daemon\[[0-9]+\]: \*\*\*\* Refreshing ATA SMART data for .+$ 6 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ udisks-daemon\[[0-9]+\]: helper\(pid [0-9 ]+\): (launched job .*|completed with exit code 0)$ 7 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ udisksd\[[0-9]+\]: Acquired the name org\.freedesktop\.UDisks2 on the system message bus$ 8 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ 
udisksd\[[0-9]+\]: Cleaning up mount point /run/media/.* \(device [0-9:]+ is not mounted\)$ 9 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ udisksd\[[0-9]+\]: Mounted /dev/.* at /run/media/.* on behalf of uid [0-9]+$ 10 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ udisksd\[[0-9]+\]: Unmounted /dev/.* on behalf of uid [0-9]+$ 11 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ udisksd\[[0-9]+\]: udisks daemon version [0-9.]+ starting$ 12 | -------------------------------------------------------------------------------- /filters/rtkitd.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rtkit-daemon\[[0-9]+\]: Canary thread running\.$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rtkit-daemon\[[0-9]+\]: Demoted [0-9]+ threads\.$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rtkit-daemon\[[0-9]+\]: Demoting known real-time threads\.$ 4 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rtkit-daemon\[[0-9]+\]: Exiting (canary|watchdog) thread\.$ 5 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rtkit-daemon\[[0-9]+\]: Exiting cleanly\.$ 6 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rtkit-daemon\[[0-9]+\]: Running\.$ 7 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rtkit-daemon\[[0-9]+\]: Successfully called chroot\.$ 8 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rtkit-daemon\[[0-9]+\]: Successfully demoted thread [0-9]+ of process [0-9]+ \(.+\)\.$ 9 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rtkit-daemon\[[0-9]+\]: Successfully dropped privileges\.$ 10 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rtkit-daemon\[[0-9]+\]: Successfully limited resources\.$ 11 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rtkit-daemon\[[0-9]+\]: Successfully made thread [0-9]+ of process [0-9]+ \(.*\) owned by '[0-9]+' high priority at nice level [0-9.-]+\.$ 12 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rtkit-daemon\[[0-9]+\]: Supervising [0-9]+ threads of [0-9]+ processes of [0-9]+ users\.$ 13 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ 
rtkit-daemon\[[0-9]+\]: The canary thread is apparently starving\. Taking action\.$ 14 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rtkit-daemon\[[0-9]+\]: Watchdog thread running\.$ 15 | -------------------------------------------------------------------------------- /filters/dnsmasq.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dnsmasq-dhcp\[[0-9]+\]: DHCP(REQUEST|OFFER|RELEASE|INFORM)\(eth[0-9]\) [0-9.]+ [0-9a-f:]+$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dnsmasq-dhcp\[[0-9]+\]: DHCP, IP range [0-9.]+ -- [0-9.]+, lease time [0-9]+(d|h)$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dnsmasq-dhcp\[[0-9]+\]: DHCPACK\(eth[0-9]\) [0-9.]+ [0-9a-f:]+( [._[:alnum:]-]+)?$ 4 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dnsmasq-dhcp\[[0-9]+\]: DHCPDISCOVER\(eth[0-9]\)( [0-9.]+)? [0-9a-f:]+$ 5 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dnsmasq-dhcp\[[0-9]+\]: DHCPNAK\(eth[0-9]\) [0-9.]+ [0-9a-f:]+ (lease not found|wrong address)$ 6 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dnsmasq-dhcp\[[0-9]+\]: abandoning lease to [0-9a-f:]{17} of [0-9a-f.:]+$ 7 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dnsmasq\[[0-9]+\]: DBus support enabled: connected to system bus$ 8 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dnsmasq\[[0-9]+\]: asynchronous logging enabled, queue limit is [0-9]+ messages$ 9 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dnsmasq\[[0-9]+\]: compile time options: .+$ 10 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dnsmasq\[[0-9]+\]: dnsmasq: syntax check OK\.$ 11 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dnsmasq\[[0-9]+\]: exiting on receipt of SIGTERM$ 12 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dnsmasq\[[0-9]+\]: read /etc/hosts - [0-9]+ addresses$ 13 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dnsmasq\[[0-9]+\]: started, version .+ cachesize [0-9]+.$ 14 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dnsmasq\[[0-9]+\]: using local addresses only for domain [._[:alnum:]-]+$ 15 | ^\w{3} [ 
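:[:digit:]]{11} [._[:alnum:]-]+ dnsmasq\[[0-9]+\]: using nameserver [0-9a-f:.]+#53$ 16 | -------------------------------------------------------------------------------- /journalcheck.sh: --------------------------------------------------------------------------------
#!/bin/bash

# journalcheck - Simple 'logcheck' replacement for journald
# (C) Alexander Koch

# This software is released under the terms of the MIT License, see LICENSE.

# Dumps the journal entries recorded since the last run (or since boot when no
# cursor has been saved yet), removes every line that matches one of the
# *.ignore patterns and prints whatever is left to stdout.
#
# Every pattern hides log entries from the report, so the filter directories
# should be writable only by the user who reads the report.

# to have filters work in foreign languages (french)
export LANG=POSIX

FILTERS_GLOBAL=${JC_FILTERS_GLOBAL:-"/usr/lib/journalcheck"}
FILTERS_LOCAL=${JC_FILTERS_USER:-~/".journalcheck.d"}
CURSOR_FILE=${JC_CURSOR_FILE:-~/".journalcheck.cursor"}
NUM_THREADS=${JC_NUM_THREADS:-$(grep -c '^processor' "/proc/cpuinfo")}
LOGLEVEL=${JC_LOGLEVEL:-"0..5"}

# NUM_THREADS is used in arithmetic and as the chunk count for split, so only
# a plain positive integer is accepted; anything else falls back to one worker.
if ! [[ $NUM_THREADS =~ ^[1-9][0-9]*$ ]]; then
    echo "Warning: invalid thread count '$NUM_THREADS', using 1" >&2
    NUM_THREADS=1
fi

# All intermediate files live in one private directory. mktemp -d creates it
# with mode 0700, so the journal dump and the chunks written by split are not
# readable by other local users, whatever the umask is.
WORKDIR="$(mktemp -d)" || {
    echo "Error: failed to create temporary directory" >&2
    exit 1
}
FILTER_FILE="$WORKDIR/filters"
LOG="$WORKDIR/journal"


# Remove the work directory with everything in it. The previous version passed
# the quoted pattern "${LOG}_???" to rm, which never expands, so the split
# chunks (journal content) were left behind in the temp directory.
function cleanup() {
    rm -rf -- "$WORKDIR"
}
trap cleanup EXIT

# merge filters to single file
# An empty pattern line matches every entry and would silently suppress the
# whole report, so blank lines are dropped while merging. grep also terminates
# each file's last line, so patterns of adjacent files are never glued together.
grep -hv '^$' "$FILTERS_GLOBAL"/*.ignore > "$FILTER_FILE"
if [ -d "$FILTERS_LOCAL" ]; then
    grep -hv '^$' "$FILTERS_LOCAL"/*.ignore >> "$FILTER_FILE" 2>/dev/null
fi

# fetch journal entries since last run (or system bootup)
# The arguments are kept in an array so that the log level and the content of
# the cursor file are each passed as exactly one argument, without word
# splitting or glob expansion.
ARGS=(--no-pager --show-cursor -l -p "$LOGLEVEL")
if [ -r "$CURSOR_FILE" ]; then
    ARGS+=("--after-cursor=$(cat "$CURSOR_FILE")")
else
    ARGS+=(-b)
fi
if ! journalctl "${ARGS[@]}" &> "$LOG"; then
    echo "Error: failed to dump system journal" >&2
    exit 1
fi

# save cursor for next iteration
# With --show-cursor the last line of the dump is "-- cursor: <value>";
# the prefix is 11 characters long.
CURSOR="$(tail -n 1 "$LOG")"
if [[ $CURSOR == "-- cursor: "* ]]; then
    printf '%s\n' "${CURSOR:11}" > "$CURSOR_FILE"
elif [[ $CURSOR == "-- No entries --" ]]; then
    exit 0
else
    # Not fatal: the entries are still filtered and reported, but the next run
    # starts from the old cursor (or from boot) and may report them again.
    echo "Error: unable to save journal cursor" >&2
fi

# split journal into NUM_THREADS parts, spawn worker for each part
# "l/N" splits on line boundaries, so no entry is cut in half.
split -a 3 -n "l/$NUM_THREADS" -d "$LOG" "${LOG}_"
for I in $(seq 0 $((NUM_THREADS - 1))); do
    F="${LOG}_$(printf "%03d" "$I")"
    { grep -Evf "$FILTER_FILE" "$F" > "${F}_"; mv "${F}_" "$F"; } &
done

# wait for all worker threads to finish
wait

# re-assemble filtered output to stdout, in the original chunk order
for I in $(seq 0 $((NUM_THREADS - 1))); do
    cat "${LOG}_$(printf "%03d" "$I")"
done

exit 0
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | journalcheck 2 | ============ 3 | 4 | (C) Alexander Koch 5 | 6 | ### A simple replacement for logcheck for usage with journald 7 | 8 | Journalcheck aims at being a simple replacement for 9 | [_logcheck_](http://logcheck.org) when using journald for system logs. It calls 10 | `journalctl` to obtain all messages that have been recorded since its last 11 | invocation, pipes the output through `egrep` with a given set of filters, and 12 | passes the remaining messages to stdout. Journalcheck therefore works with 13 | volatile system logs as well. 14 | 15 | ## Dependencies 16 | * systemd (`journalctl`) 17 | * coreutils (`split`) 18 | * grep (`egrep`) 19 | 20 | ## Usage 21 | Journalcheck is best run as regular user (no need for root privileges!)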
via 22 | cron: 23 | ``` 24 | MAILTO=user@localhost 25 | 26 | # m h dom mon dow command 27 | */30 * * * * journalcheck 28 | ``` 29 | 30 | With a local MTA/MDA set up correctly, you will receive all log entries not 31 | matching the white-list by mail. In addition to the filters shipped with 32 | journalcheck, it reads user-defined filters from _~/.journalcheck.d_. Each filter is an extended regular expression, and every journal line it matches is dropped from the report, so keep patterns anchored and as specific as possible. 33 | 34 | For cron-less systems making use of systemd .timer units instead, there are 35 | example units in _example_. They rely on 36 | [checkrun.sh](https://github.com/lynix/checkrun.sh) for mail functionality. 37 | 38 | ## Configuration 39 | Journalcheck is configurable through the following environment variables 40 | (default values in brackets): 41 | 42 | * `JC_FILTERS_GLOBAL` (*/usr/lib/journalcheck*): Directory for system-wide filters 43 | * `JC_FILTERS_USER` (*~/.journalcheck.d*): Directory for user-defined filters 44 | * `JC_CURSOR_FILE` (*~/.journalcheck.cursor*): File storing the journal cursor of the last run 45 | * `JC_NUM_THREADS` (no. of logical CPUs): Number of worker threads to spawn 46 | * `JC_LOGLEVEL` (0..5): Priority (loglevel) filter 47 | 48 | ## Help Wanted 49 | As I only have a limited set of machines and applications running to derive 50 | filters from, I rely heavily on contributions in order to provide a universal 51 | filter set. Pull requests are welcome! 52 | 53 | ## License 54 | Journalcheck is released under the terms of the MIT License, see LICENSE file.
55 | -------------------------------------------------------------------------------- /filters/smartd.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Configuration file /etc/smartd\.conf parsed\.$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Configuration file /etc/smartd\.conf was parsed, found DEVICESCAN, scanning devices$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Copyright \(C\) .+$ 4 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/.+ \[SAT\], (not )?found in smartd database(: .*)?.$ 5 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/.+ \[SAT\], SMART Prefailure Attribute: 3 Spin_Up_Time changed from [0-9]+ to [0-9]+$ 6 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/.+ \[SAT\], SMART Usage Attribute: [0-9]+ [a-zA-Z_]+ changed from [0-9]+ to [0-9]+$ 7 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/.+ \[SAT\], [ ._[:alnum:]-]+, S/N:[[:alnum:]-]+, WWN:[._[:alnum:]-]+, FW:[._[:alnum:]-]+, [0-9.]+ (G|T)B$ 8 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/.+ \[SAT\], can't monitor .+ - no Attribute [0-9]+$ 9 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/.+ \[SAT\], is SMART capable\. 
Adding to "monitor" list\.$ 10 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/.+ \[SAT\], opened$ 11 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/.+ \[SAT\], previous self-test completed without error$ 12 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/.+ \[SAT\], self-test in progress, [0-9]+% remaining$ 13 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/.+ \[SAT\], starting scheduled (Short|Long) Self-Test\.$ 14 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/.+, type changed from 'scsi' to 'sat'$ 15 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Monitoring [0-9]+ ATA and [0-9]+ SCSI devices$ 16 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Opened configuration file /etc/smartd\.conf$ 17 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: smartd [0-9.]+ [0-9-]+ r[0-9]+ \[x86_64-linux-.*\] \(local build\)$ 18 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: smartd is exiting \(exit status 0\)$ 19 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: smartd received signal 15: Terminated$ 20 | -------------------------------------------------------------------------------- /filters/dhcpcd.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: DUID [0-9a-f:]+$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: (adding|deleting) (route to|address|default route via) [0-9a-f.:]+(/[0-9]+)?$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: DHCP lease expired$ 4 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: IAID [0-9a-f:]+$ 5 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: Router Advertisement from [0-9a-f:]+$ 6 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ 
dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: acknowledged [0-9.]+ from [0-9.]+$ 7 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: adding host route to [0-9.]+ via [0-9.]+$ 8 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: carrier (acquired|lost)$ 9 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: checking for [0-9.]+$ 10 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: fe80::[0-9a-f:]+: expired default Router$ 11 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: leased [0-9.]+ for ([0-9]+ seconds|infinity)$ 12 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: no IPv6 Routers available$ 13 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: offered [0-9.]+ from [0-9.]+$ 14 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: probing static address [0-9a-f.:/]+$ 15 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: rebinding lease of [0-9.]+$ 16 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: removing interface$ 17 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: sending IPv6 Router Solicitation$ 18 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: sendmsg: Cannot assign requested address$ 19 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: soliciting a DHCP lease$ 20 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: soliciting an IPv6 router$ 21 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: [._[:alnum:]-]+: waiting for carrier$ 22 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: dhcpcd exited$ 23 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: forked to background, child pid [0-9]+$ 24 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: 
received SIGTERM, stopping$ 25 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: sending signal TERM to pid [0-9]+$ 26 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: version [0-9.]+ starting$ 27 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhcpcd\[[0-9]+\]: waiting for pid [0-9]+ to exit$ 28 | -------------------------------------------------------------------------------- /filters/postfix.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/cleanup\[[[:digit:]]+\]: [[:alnum:]]+: (resent-|)message-id=]+>?( \(added by [^[:space:]]+\))?$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/local\[[0-9]+\]: [[:alnum:]]+: to=<[^[:space:]]+>, relay=local, delay=[[:digit:].]+, delays=([[:digit:].]+|/)+, dsn=[[:digit:].]+, status=sent \(forwarded as [[:alnum:]]+\)$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/local\[[[:digit:]]+\]: [[:alnum:]]+: to=<[^[:space:]]+>, orig_to=<[^[:space:]]+>, relay=local, delay=[[:digit:].]+, delays=([[:digit:].]+|/)+, dsn=[[:digit:].]+, status=sent \(forwarded as [[:alnum:]]+\)$ 4 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/master\[[0-9]+\]: daemon started -- version [0-9.]+, configuration /etc/postfix$ 5 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/master\[[[:digit:]]+\]: daemon started -- version [.[:alnum:]]+$ 6 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/master\[[[:digit:]]+\]: reload configuration$ 7 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/master\[[[:digit:]]+\]: terminating on signal 15$ 8 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/pickup\[[[:digit:]]+\]: [[:alnum:]]+: uid=[[:digit:]]+ from=<[^[:space:]]+>$ 9 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/postfix-script: refreshing the Postfix mail system$ 10 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/postfix-script\[[[:digit:]]+\]: (starting|stopping) the Postfix mail system$ 11 | ^\w{3} [ :[:digit:]]{11} 
[._[:alnum:]-]+ postfix/qmgr\[[[:digit:]]+\]: [[:alnum:]]+: from=<[^[:space:]]*>, size=[[:digit:]]+, nrcpt=[[:digit:]]+ \(queue active\)$ 12 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/qmgr\[[[:digit:]]+\]: [[:alnum:]]+: removed$ 13 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtp\[[[:digit:]]+\]: [[:alnum:]]+: to=<[^[:space:]]+>, orig_to=<[^[:space:]]+>, relay=.+, delay=[[:digit:].]+, delays=([[:digit:].]+|/)+, dsn=[[:digit:].]+, status=sent \((delivered to mailbox|250 2.0.0 Ok: queued as .+)\)$ 14 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:alnum:]]+: client=[._[:alnum:]-]+\[[0-9a-f:.]+\]$ 15 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: connect from [._[:alnum:]-]+\[[0-9a-f:.]+\]$ 16 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: disconnect from [._[:alnum:]-]+\[[0-9a-f:.]+\]( (ehlo|mail|rcpt|data|quit|commands)=[0-9]+)*$ 17 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: SSL_accept:(error in )?SSL(v2/v3|v3) read client (hello|certificate) (A|B)$ 18 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: SSL_accept:SSLv3 (read|write) finished A$ 19 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: SSL_accept:SSLv3 flush data$ 20 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: SSL_accept:SSLv3 read client (hello|key exchange) A$ 21 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: SSL_accept:SSLv3 write (certificate|server hello|key exchange|server done|change cipher spec) A$ 22 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: SSL_accept:before/accept initialization$ 23 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: SSL_accept:error in SSL(v2/v3|v3) read certificate verify A$ 24 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: starting TLS engine$ 25 | ^\w{3} [ :[:digit:]]{11} 
[._[:alnum:]-]+ postfix/virtual\[[[:digit:]]+\]: [[:alnum:]]+: to=[^[:space:]]+, orig_to=[^[:space:]]+, relay=[^[:space:]]+, delay=[[:digit:]]+, status=[[:alnum:]]+ \(.*\)$ 26 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/virtual\[[[:digit:]]+\]: [[:alnum:]]+: to=[^[:space:]]+, relay=[^[:space:]]+, delay=[[:digit:]]+, status=[[:alnum:]]+ \(.*\)$ 27 | -------------------------------------------------------------------------------- /filters/openvpn.ignore: -------------------------------------------------------------------------------- 1 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn@[._[:alnum:]-]+\[[0-9]+\]: /usr/bin/ip addr del dev tun[0-9]+ [0-9a-f:.]+/[0-9]+$ 2 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn@[._[:alnum:]-]+\[[0-9]+\]: Closing TUN/TAP interface$ 3 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn@[._[:alnum:]-]+\[[0-9]+\]: SIGTERM received, sending exit notification to peer$ 4 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn@[._[:alnum:]-]+\[[0-9]+\]: SIGTERM\[soft,exit-with-notification\] received, process exiting$ 5 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn@[._[:alnum:]-]+\[[0-9]+\]: event_wait : Interrupted system call \(code=4\)$ 6 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: (Incoming|Outgoing) Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication$ 7 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: /bin/ifconfig tun[0-9]+ [0-9.]+ netmask [0-9.]+ mtu [0-9]+ broadcast [0-9.]+$ 8 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: /usr/bin/ip addr add dev tun[0-9]+ [0-9.]+/[0-9]+ broadcast [0-9.]+$ 9 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: /usr/bin/ip link set dev tun[0-9]+ up mtu [0-9]+$ 10 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: /usr/sbin/ip addr del dev tun[0-9]+ [0-9.]+/[0-9]+$ 11 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: Closing TUN/TAP interface$ 12 | ^\w{3} [ :[:digit:]]{11} 
[._[:alnum:]-]+ openvpn\[[0-9]+\]: Control Channel Authentication: tls-auth using INLINE static key file$ 13 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: Control Channel MTU parms \[ L:[0-9]+ D:[0-9]+ EF:[0-9]+ EB:[0-9]+ ET:[0-9]+ EL:[0-9]+ ]$ 14 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA$ 15 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: Data Channel (De|En)crypt: Cipher 'BF-CBC' initialized with 128 bit key$ 16 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: Data Channel (De|En)crypt: Using 160 bit message hash 'SHA1' for HMAC authentication$ 17 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: Data Channel MTU parms \[ L:[0-9]+ D:[0-9]+ EF:[0-9]+ EB:[0-9]+ ET:[0-9]+ EL:[0-9]+ AF:[0-9]+/[0-9]+ \]$ 18 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: Expected Remote Options hash \(VER=V4\): '[0-9a-f]{8}'$ 19 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: Initialization Sequence Completed$ 20 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: LZO compression initialized$ 21 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: Local Options hash \(VER=V4\): '[0-9a-f]{8}'$ 22 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: NOTE: OpenVPN [0-9.]+ requires '--script-security 2' or higher to call user-defined scripts or executables$ 23 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: OpenVPN .* built on .*$ 24 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: TCP/UDP: Closing socket$ 25 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: TUN/TAP device tun[0-9]+ opened$ 26 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: UDPv4 link local: \[undef\]$ 27 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: UDPv4 link remote: \[AF_INET\][0-9.]+:[0-9]+$ 28 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ 
openvpn\[[0-9]+\]: VERIFY OK: depth=[0-9]+, CN=.*$ 29 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: VERIFY OK: nsCertType=SERVER$ 30 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: \[.*\] Peer Connection Initiated with \[AF_INET\][0-9.]+:[0-9]+$ 31 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: do_ifconfig, tt->ipv6=[0-1], tt->did_ifconfig_ipv6_setup=[0-1]$ 32 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ openvpn\[[0-9]+\]: library versions: .*$ 33 | -------------------------------------------------------------------------------- /filters/systemd.ignore: -------------------------------------------------------------------------------- 1 | *Enforced usage limit is thus [0-9.]+(M|G), of which [0-9.]+(M|G) are still available\.$ 2 | *Leaving at least [0-9.]+(M|G) free \(of currently available [0-9.]+(G|M) of space\)\.$ 3 | *Maximum allowed usage is set to [0-9.]+(M|G)\.$ 4 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-cryptsetup\[[0-9]+\]: Set cipher aes, mode xts-plain(64)?, key size [0-9]+ bits for device [._[:alnum:]/-]+\.$ 5 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-fsck\[[0-9]+\]: /sbin/fsck.btrfs: BTRFS file system.$ 6 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-fsck\[[0-9]+\]: [._[:alnum:]-]+: clean, [0-9]+/[0-9]+ files, [0-9]+/[0-9]+ blocks$ 7 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-journal\[[0-9]+\]: (Runtime|Permanent) journal is using [0-9.]+M \(max allowed [0-9.]+(M|G), trying to leave [0-9.]+(M|G) free of [0-9.]+G available → current limit [0-9.]+(M|G)\)\.$ 8 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-journal\[[0-9]+\]: Journal (started|stopped)$ 9 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-journal\[[0-9]+\]: Missed [0-9]+ kernel messages$ 10 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-journal\[[0-9]+\]: Permanent journal \(/var/log/journal/\) is currently using [0-9.]+M\.$ 11 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-journald\[[0-9]+\]: 
(Runtime|System) journal \(/(run|var)/log/journal/\) is currently using [0-9.]+(M|G)\.$ 12 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-journald\[[0-9]+\]: Journal (started|stopped)$ 13 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-journald\[[0-9]+\]: Received SIGTERM from PID 1 \(systemd\).$ 14 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-journald\[[0-9]+\]: Time spent on flushing to /var is [0-9.]+ms for [0-9]+ entries\.$ 15 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[0-9]+\]: (New seat seat[0-9]+\.|Watching system buttons on /dev/input/event[0-9]+ \(Power Button\))$ 16 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[0-9]+\]: Linked /tmp/\.X11-unix/X[0-9]+ to /run/user/[0-9]+/X11-display\.$ 17 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[0-9]+\]: New session c?[0-9]+ of user [._[:alnum:]-]+\.$ 18 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[0-9]+\]: Operation finished\.$ 19 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[0-9]+\]: Removed session c?[0-9]+\.$ 20 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[0-9]+\]: System is (powering down|rebooting)\.$ 21 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[0-9]+\]: Watching system buttons on .+ \(.+\)$ 22 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-modules-load\[[0-9]+\]: (Inserted module '[._[:alnum:]-]+'|Module '[._[:alnum:]-]+' is (already loaded|builtin))$ 23 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-networkd-wait-online\[[0-9]+\]: ignoring: lo$ 24 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-networkd\[[0-9]+\]: Enumeration completed$ 25 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-networkd\[[0-9]+\]: [._[:alnum:]-]+: Configured$ 26 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-networkd\[[0-9]+\]: [._[:alnum:]-]+: DHCPv4 address [0-9.]+/[0-9]+ via [0-9.]+$ 27 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-networkd\[[0-9]+\]: [._[:alnum:]-]+: Gained (carrier|IPv6LL)$ 
28 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-networkd\[[0-9]+\]: [._[:alnum:]-]+: Renamed to [._[:alnum:]-]+$ 29 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-resolved\[[0-9]+\]: Switching to system DNS server [0-9a-f:.]+\.$ 30 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-resolved\[[0-9]+\]: Using system hostname '[._[:alnum:]-]+'\.$ 31 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-shutdown\[1\]: Sending SIGTERM to remaining processes\.\.\.$ 32 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-sleep\[[0-9]+\]: Suspending system\.\.\.$ 33 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-sleep\[[0-9]+\]: System resumed\.$ 34 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-sysctl\[[0-9]+\]: Overwriting earlier assignment of kernel/sysrq in file '/usr/lib64/sysctl.d/60-gentoo.conf'.$ 35 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[0-9]+\]: Network configuration changed, trying to establish connection\.$ 36 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[0-9]+\]: Synchronized to time server [0-9a-f:.]+:123 \([._[:alnum:]-]+\).$ 37 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-udevd\[[0-9]+\]: starting version [0-9]+$ 38 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: (Activated|Deactivated) swap .*\.$ 39 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: (Activating|Deactivating) swap .*\.\.\.$ 40 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: .+: Unit is bound to inactive unit .+\. Stopping, too\.$ 41 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: .+: Unit not needed anymore\. 
Stopping\.$ 42 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: .+\.automount: Got automount request for [._[:alnum:]/-]+, triggered by [0-9]+ \(.+\)$ 43 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Detected architecture x86-64\.$ 44 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Expecting device .*\.device\.\.\.$ 45 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Found device .*\.$ 46 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Hardware watchdog '.+', version [0-9]+$ 47 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Inserted module '.+'$ 48 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Reexecuting\.$ 49 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Reloading\.$ 50 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Set hardware watchdog to [0-9]+min\.$ 51 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Set hostname to <[._[:alnum:]-]+>\.$ 52 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Set up .*\.$ 53 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Shutting down\.$ 54 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Smack is not enabled in the kernel, not loading access rules\.$ 55 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Switching root\.$ 56 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Unset automount .+\.automount\.$ 57 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: systemd [0-9]+ running in system mode\. 
\(.+\)$ 58 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: systemd-tmpfiles-clean.timer: time change, recalculating next elapse.$ 59 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: ((Starting|Stopping)|(Reached|Stopped) Target) (Paths|Timers|Sockets|Basic System|Default|Shutdown)\.$ 60 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: (Created|Removed) slice .*$ 61 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: (Mounted|Unmounted) .+\.$ 62 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: (Mounting|Unmounting) .+\.\.\.$ 63 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: (Starting|Started|Stopping|Stopped) .*$ 64 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: Closed .+\.$ 65 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: Listening on .+\.$ 66 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: Reached target .*\.$ 67 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: Received SIGRTMIN\+24 from PID [0-9]+ \(.+\).$ 68 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: Starting Exit the Session\.\.\.$ 69 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: Startup finished in .+\.$ 70 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: Time has been changed$ 71 | ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: Unit type \.busname is not supported on this system\.$ 72 | --------------------------------------------------------------------------------