-- MARK --
su: \(to (root|nobody|vnstat)\) root on none
su: \(to vnstat\) root on none
last message repeated

sshd.*: Accepted (rsa|password|publickey) for
sshd.*: Generating new
sshd.*: RSA key generation complete.
sshd\[.*\]: Did not receive identification string from
sshd\[.*\]: reverse mapping checking getaddrinfo
sshd\[[0-9]+\]: .* but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT
subsystem request for sftp

(PAM-unix2\[.*\]|pam_unix2): session (started|finished) for user (root|nobody), service su
/USR/SBIN/CRON.* rm -f /var/spool/cron/lastrun/cron.(hourly|daily|weekly|monthly)
/USR/SBIN/CRON.*/usr/sbin/(faxqclean|faxcron)
/USR/SBIN/CRON.*/usr/sbin/texpire
/USR/SBIN/CRON.*/usr/lib/news/bin/news.daily
/USR/SBIN/CRON.*/usr/bin/rnews
/USR/SBIN/CRON.*/etc/cron.*logdigest
/USR/SBIN/CRON.*/usr/lib/secchk/security-control.sh
/USR/SBIN/CRON.*/usr/lib/sa/sa
crontab.* ((BEGIN|END) EDIT|LIST)
modify_resolvconf: no matching 
modify_resolvconf: Service
dhclient: DHCP(DISCOVER|OFFER|REQUEST|ACK|RELEASE)
dhclient: (bound|caught|restored)
dhcpcd\[.*\]: (DHCP_ACK|sending DHCP_REQUEST|dhcpT[12]|dhcpIPaddrLease)
named\[.*\]: listening
named\[.*\]: Cleaned cache of
named\[.*\]: (USAGE|NSTATS|XSTATS)
named\[.*\]: (master|hint) zone ".*" \(IN\) loaded \(serial .*\)
named\[.*\]: Forwarding source address is
named\[.*\]: (group|user) = named
named\[.*\]:.*zone transfer
named\[.*\]:.*end of transfer
named\[.*\]: NOTIFY\(SOA\) for zone already xferring
named\[.*\]: zone .*/IN: transferred serial
named\[.*\]: Sent NOTIFY for
named\[.*\]: rcvd NOTIFY
named\[.*: received notify for zone
named\[.*: notify question section contains no SOA
named\[.*\]: Received NOTIFY answer
named.*approved [AI]XFR
named.*Request IXFR
named.*No IXFR log
named.*IXFR.*[Ss]uccess
named.*successfully merged
named.*suppressing duplicate notify
named.*: send AXFR query
named.*: slave zone .* loaded
named.*: zone is up to date
named.*[Ll]ame (server|delegation)
named.*points to a CNAME
named\[.*: client .*: query \(cache\) .* denied
named\[.*\]: clients-per-query (in|de)creased to
(adding|deleting) an (RR|rr)
rrset exists .*success\.
rrset doesn.*success\.
: delete all rrsets from a name
prerequisite not satisfied


postfix/smtp.*status=sent
postfix/smtp.*connect from
postfix/smtp.*disconnect from
postfix/smtp.*:.*: client=
postfix/local.*status=sent
postfix/qmgr.*queue active
postfix/qmgr.*: .*: removed
postfix/cleanup.*: message-id=
postfix/pickup.*from=.*>
postfix/(scache|anvil).*: statistics:
lost connection after (CONNECT|RCPT|AUTH)
sent non-SMTP
Relay access denied

yast\[.*\]:
YaST\[.*\]:

squid.*: Process ID
squid.*: With .* file descriptors available
squid.*: DNS Socket created on FD
squid.*: Adding nameserver
squid.*: Unlinkd pipe opened on FD
squid.*: Swap maxSize
squid.*: Target number of buckets:
squid.*: Using .* Store buckets
squid.*: Max (Mem |Swap) size:
squid.*: Rebuilding storage in /var/squid/cache
squid.*: Using Least Load store dir selection
squid.*: Set Current Directory to /var/squid/cache
squid.*: Loaded Icons.
squid.*: Ready to serve requests.
squid.*: Done (scanning|reading) /var/squid/cache swaplog
squid.*: Finished rebuilding storage from disk.
squid.*:  .* Entries scanned
squid.*:  .* Invalid entries.
squid.*:  .* With invalid flags.
squid.*:  .* Objects loaded.
squid.*:  .* Objects expired.
squid.*:  .* Objects cancelled.
squid.*:  .* Duplicate URLs purged.
squid.*:  .* Swapfile clashes avoided.
squid.*:   Took .* seconds
squid.*: Beginning Validation Procedure
squid.*:   Completed Validation Procedure
squid.*:   Validated .* Entries
squid.*:   store_swap_size =
squid.*: storeLateRelease: released .* objects
squid.*: Preparing for shutdown after .* requests
squid.*: Waiting .* seconds for active connections to finish
squid.*: FD .* Closing .* (connection|socket)
squid.*: Closing unlinkd pipe on FD
squid.*: storeDirWriteCleanLogs: Starting...
squid.*:   Finished.  Wrote .* entries.
squid.*Rotating
squid\[.*\]: logfileRotate:
Restarting Squid Cache
squid.*Shutting down...
squid.*Exiting normally.
squid.*:exited with status 0
squid.*:child process [0-9]* started
squid\[.*\]: Accepting SNMP messages
squid\[.*\]: Done reading .* swaplog
squid\[.*\]: (HTCP|WCCP) Disabled.
squid\[.*\]: Rebuilding storage in .CLEAN.
squid\[.*\]: Referer logging is disabled.
squid\[.*\]: Set Current Directory to
squid\[.*\]: Store rebuilding is
squid\[.*\]: User-Agent logging is disabled.
squid.*: NETDB state saved
wwwoffled\[.*\]: Detached from terminal
wwwoffled\[.*\]: WWWOFFLE Connection from host localhost
wwwoffled\[.*\]: WWWOFFLE Demon Version .* started.
wwwoffled\[.*\]: WWWOFFLE Finished Re-reading Configuration File.
wwwoffled\[.*\]: WWWOFFLE Purge finished.
wwwoffled\[.*\]: WWWOFFLE Purge\.
wwwoffled\[.*\]: WWWOFFLE Re-reading
wwwoffled\[.*\]: Exit
Cache.*size remains unchanged
Accepting HTTP connections
Accepting ICP messages
Configuring Parent
spamd.*clean message
spamd.*connection from
spamd.*identified spam
ddtcd.*: .*new status
dhcpd: (Internet|Copyright|All rights|For info)
dhcpd: (removed|added) reverse
dhcpd: Added new
dhcpd: DHCP(DISCOVER|OFFER|REQUEST|ACK|INFORM|RELEASE)
dhcpd: BOOT(REQUEST|REPLY)
dhcpd: Wrote
dhcpd: pool .* total .* free .* backup .* lts
dhcpd: delete IN PTR .* success
dhcpd: if IN (TXT|A) .* success
dhcpd: Ping timeout: 1$
dhcpd: Not searching LDAP since
fallback_discard
automount.*: (expiring|expired|attempting|using|shutting down|starting automounter)
authenticated (mount|unmount) request
rpc.mountd: export request
nfsd: doing automatic ADDCLIENT
arpwatch:
in.talkd.*: connect from
in.telnetd.*: connect from
in.comsat.*: connect from
smpppd.*: connected on local socket
smpppd.*: terminating on signal 15
smpppd.*: smpppd version .* started
pppd.*: (sent|rcvd) \[(LCP|IPCP|CHAP)
pppd.*: (primary|secondary)
pppd.*Terminating on signal 15.
pppd.*Couldn't increase M.U
pppd.*Connection terminated.
pppd.*Connect time
pppd.*Doing disconnect
pppd.*Exit.
pppd.*Plugin .* loaded.
pppd.*pppd .* started by root
pppd.*Sending PADI
pppd.*HOST_UNIQ successful match
pppd.*Got connection:
pppd.*Connecting PPPoE socket: 
pppd.*Using interface ppp0
pppd.*Connect: ppp. <--> eth.
pppd.*(local|remote) *IP address
pppd.*PPPoE Plugin Initialized
pppd.*Couldn't release PPP unit
ipppd.* closing fd
ipppd.* link . closed
ippp_ccp: freeing
(sent|recv) \[PAP AuthReq
Script /etc/ppp/ip-up started
mail and news send/fetch
poll.tcpip
ip-up: Reloading WWW-proxy
ip-(up|down) finished
modify_resolvconf: (restored|was not)
cbcp_lowerup
Setting MTU to
replacing old default route
using channel
authsrv.*AUTHENTICATE
cron.*CMD
cron.*RELOAD
cron.*STARTUP
ftp-gw.*: exit host
ftp-gw.*: permit host
ftpd.*ANONYMOUS FTP LOGIN
ftpd.*FTP LOGIN FROM
ftpd.*retrieved
ftpd.*stored
http-gw.*: exit host
http-gw.*: permit host
mail.local
netacl.*: exit host
netacl.*: permit host
popper.*Unable
popper: -ERR POP server at
popper: -ERR Unknown command: "uidl".
qmail.*new msg
qmail.*info msg
qmail.*starting delivery
qmail.*delivery
qmail.*end msg
rlogin-gw.*: exit host
rlogin-gw.*: permit host
#sendmail.*User Unknown
sendmail.*alias database.*rebuilt
sendmail.*aliases.*longest
sendmail.*from=
#sendmail.*lost input channel
sendmail.*message-id=
sendmail.*putoutmsg
sendmail.*return to sender
sendmail.*stat=
#sendmail.*timeout waiting
sendmail.*gethostbyaddr
smap.*host=
smapd.*daemon running
smapd.*delivered
telnetd.*ttloop:  peer died
tn-gw.*: exit host
tn-gw.*: permit host
x-gw.*: exit host
x-gw.*: permit host
ntpd.*Previous time adjustment didn't complete
ntpd.*time reset
ntpd.*precision
ntpd.*kernel time discipline
ntpd\[[0-9]*\]: kernel time sync status
Shutting network time protocol daemon (NTPD)..done
Try to set initial date and time via NTP..done
signal_no_reset: signal 13 had flags
vsftpd.*connect from
FAIL MKDIR
( <= | => | -> |Completed$|(Start|End) queue run)
socket for wildcard listening
no host name found for IP address
retry time not reached
Message is frozen
another process is handling
Accepted hostbased for
distccd:.*dcc_set_lifetime
distccd:.*--bogus-option
pluto.*(shutting|deleting|established|initiating|forgetting|Peer ID is)
pluto.*Informational Exchange is for an unknown
pluto.*ISAKMP SA established
pluto.*: responding to (Main|Quick) Mode
pluto.*IPsec SA expired
pluto.*: received and ignored informational message
ipsec module
kernel: klips_info
kernel: IPSEC.*shut down
kernel: keyboard: Timeout - AT
kernel: ISO 9660 Extensions:
kernel: ISOFS: changing to secondary
kernel: lp0 (off-line|out of paper)
ipsec_setup: .*stopped
ipsec_setup: (Starting|Using)
ipsec_init: KLIPS startup
IPSEC SA not found
KLIPS debug .none
Informational Exchange
capidrv-1: patching
capidrv-1: incoming call .*
capidrv-1: DISCONNECT_IND
isdn_net: Service-Indicator not 7
isdn_(net|tty): Incoming call without OAD
isdn_net: call from
isdnlog: .* NOTIFICATION: Call is diverting
vboxd.*(connect from|connection closed.)
no IPv6 routers present
IPv6 addrconf
kernel: IPv6: sending pkt_too_big to self
OTP unavailable
DIGEST-MD5 server step

imapd.*User logged in
imapd.* user .* opened
imapd.* login: .* plaintext\+TLS
imapd.*starttls
imapd.*accepted
imapd.*myfetch:
imapd.*mystore:
imap.*idle for too long
imapd.*committing txn
imapd:Loading hard-coded
imap.*SQUAT failed
master.*: (ready for work|process started|retrying with|setrlimit|exiting on SIGTERM)
imaps*\[.*\]: (accepted connection|Expunged)
imaps*: .* user .* opened
imaps*\[.*\]: (open|seen_db): user .* opened
imaps*\[.*\]: Connection timed out, closing connection
starttls: TLSv1 with cipher
User logged in
skiplist: checkpointed
checkpointing (mboxlist|cyrus database)
fstating sieve script
ctl_cyrusdb.*: removing log file
tls_prune: purged
duplicate_(prune|check|mark)
dupelim: eliminated
ctl_deliver.*mydelete
 imaps.*: (DBMSG|DBERROR db4): [[:digit:]]+ lockers
about to exec /usr/lib/cyrus/
master.*status 0
(lmtpunix|imap|imaps)\[.*\].*executed
lmtpd.*accepted connection
lmtpd.*as postman
lmtp connection preauth
lmtpunix\[.*\]: (accepted connection|Delivered)
service-lmtpunix
archiving (log|database) file
mydelete: (starting|committing|aborting) txn
mystore: (starting|committing)
saslauthd.*(Cleaning|master|started)
cyr_expire.*: expunged
su: \(to cyrus\) root on none


PAM-warn.*service=\[imap\]
saned from sane-backends
saned\[.*\]: check_host: access
saned\[.*\]: (init: )* access by .* accepted
saned\[.*\]: connect from
saned\[.*\]: quit: exiting
apm: set display

syslogd .*: restart.
kernel: klogd .* state change
kernel: Inspecting /boot/System.map
kernel: Loaded .* symbols from /boot/System.map
kernel: Loaded .* symbols from .* modules
kernel: Symbols match kernel version
syslog-ng.*: Changing permissions on special file /dev/
syslog-ng.*: SIGHUP received, restarting syslog-ng
syslog-ng.*: new configuration initialized
syslog-ng\[[0-9]*\]: Log statistics
STATS: dropped 0$

resmgr.*disconnect from
resmgr.*accepted connection from
resmgr: communication failure: Interrupted system call
resmgr logout failed

xinetd\[.*\]: (Reading|removing|Starting reconfiguration|Swapping defaults|readjusting service|Reconfigured)
Unknown (user|group): svn \[file=/etc/xinetd.d/svnserve
DISABLING SERVICE \[file=/etc/xinetd.d/svnserve

/usr/sbin/awstats-update
fou4s --auto
rsyncd.*: connect from
CPU1-fan
## REJECTED .* IN=ppp

zmd: Daemon \(WARN\): Not starting remote web server
zmd: ShutdownManager \(WARN\): Preparing to sleep
zmd: ShutdownManager \(WARN\): Going to sleep

Temperature_Celsius changed from
Temperature changed . Celsius
Seek_Time_Performance changed
scheduled (Short|Long) Self-Test
Throughput_Performance changed from 1.. to 1..
Raw_Read_Error_Rate changed

TLS Error: TLS key negotiation failed to occur within 60 seconds
TLS Error: TLS handshake failed
LZO compression initialized
read UDPv4 \[EHOSTUNREACH\]: No route to host \(code=113\)
# SIGUSR1\[soft,tls-error\] received, process restarting
Re-using SSL/TLS context
Preserving previous TUN/TAP instance
UDPv4 link
LOG5.*: Connection closed

Audit daemon rotating
APPARMOR_HINT

smartd\[.*Airflow_Temperature_Cel changed

cvs: password mismatch

amavis.*_child on SpamAssassin done

COMMAND=/usr/lib/nagios

 fsr\[.*\]: Found .* mounted, writable, XFS filesystems
 fsr\[.*\]: START: pass=[0-9]+ ino=
 fsr\[.*\]: extents before:
 fsr\[.*\]: ino=[0-9]*$
 fsr\[.*\]: ino=[0-9]*: file modified defrag aborted
 fsr\[.*\]: /.* start inode=
 fsr\[.*\]: xfs_fsr -m /etc/mtab -t [0-9]*
 fsr\[.*\]: Completed all 10 passes
 fsr\[.*: file busy$
 fsr\[.* already fully defragmented\.$
 fsr\[.* xfs_fsr startpass
 fsr\[.* No improvement
 fsr\[.* zero size, ignoring

 rrpm 

 atd.*: PAM audit_log_acct_message\(\) failed: Operation not permitted

 yum: (Installed|Updated|Erased):

