From 357604a4c0f56bb765ff73f0487b6cef6a054d80 Mon Sep 17 00:00:00 2001
From: Wojciech Kozlowski
Date: Sat, 19 Aug 2023 00:07:31 +0200
Subject: [PATCH] Logcheck fixes for bookworm
---
 playbooks/files/system/base/logs/all | 10 +++++-----
 playbooks/files/system/base/logs/asgard | 21 +++++++++++----------
 playbooks/files/system/base/logs/yggdrasil | 18 +++++++++--------
 3 files changed, 25 insertions(+), 24 deletions(-)
diff --git a/playbooks/files/system/base/logs/all b/playbooks/files/system/base/logs/all
index 6c2bc83..4b32e31 100644
--- a/playbooks/files/system/base/logs/all
+++ b/playbooks/files/system/base/logs/all
@@ -1,5 +1,5 @@
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ fstrim\[[0-9]+\]: [-_/[:alnum:]]+: [.[:digit:]]+ (M|G)iB \([[:digit:]]+ bytes\) trimmed on [-_/[:alnum:]]+$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Starting|Stopping) [ +[:alnum:]/\-]+\.(\.\.)?$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: Finished (Cleanup of Temporary Directories|Online ext4 Metadata Check for All Filesystems|Discard unused blocks on filesystems from /etc/fstab)\.$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (apt-daily\.service|apt-daily-upgrade\.service|logrotate\.service|man-db\.service): Consumed ([0-9]{1,2}min )?[0-9]{1,2}\.[0-9]{3}s CPU time\.$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: rsyslog\.service: Sent signal SIGHUP to main process [[:digit:]]+ \(rsyslogd\) on client request\.$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ fstrim\[[0-9]+\]: [-_/[:alnum:]]+: [.[:digit:]]+ (M|G)iB \([[:digit:]]+ bytes\) trimmed on [-_/[:alnum:]]+$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Starting|Stopping) [ +[:alnum:]/\-]+\.(\.\.)?$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ systemd\[[0-9]+\]: Finished (Cleanup of Temporary Directories|Online ext4 Metadata Check for All Filesystems|Discard unused blocks on filesystems from /etc/fstab)\.$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ systemd\[[0-9]+\]: (apt-daily\.service|apt-daily-upgrade\.service|logrotate\.service|man-db\.service): Consumed ([0-9]{1,2}min )?[0-9]{1,2}\.[0-9]{3}s CPU time\.$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ systemd\[[0-9]+\]: rsyslog\.service: Sent signal SIGHUP to main process [[:digit:]]+ \(rsyslogd\) on client request\.$
diff --git a/playbooks/files/system/base/logs/asgard b/playbooks/files/system/base/logs/asgard
index 6ac63f8..2c7637c 100644
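Review bot: The new timestamp alternative `[0-9T:.+-]{32}` in every pattern of this hunk accepts any 32 characters drawn from that set, so it also matches a malformed or oddly shaped prefix rather than only the timestamp it is meant to cover; the same alternative is used in the asgard and yggdrasil hunks. Assuming the 32-character form is rsyslog's RFC 3339 high-precision timestamp (a constructed example: `2023-08-19T00:07:31.123456+02:00`), it can be pinned as `[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{6}[+-][0-9]{2}:[0-9]{2}`. Keeping the legacy `[[:alpha:]]{3} [ :[:digit:]]{11}` alternative alongside it is reasonable while hosts are being upgraded, but the commit message could say which hosts still emit it so the alternation can be dropped once they are gone.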
--- a/playbooks/files/system/base/logs/asgard
+++ b/playbooks/files/system/base/logs/asgard
@@ -1,10 +1,11 @@
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ conmon\[[0-9]+\]: .*$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ pod-[[:alnum:]\-]\[[0-9]+\]: .*$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ restic-batch\[[0-9]+\]: Backing up [-_[:alnum:]]+$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: Finished (Podman auto-update service|Pod service auto-update service|Prune dangling podman images|Backup snapshots using restic)\.$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: var-lib-containers-storage-overlay\.mount: Succeeded\.$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (restic-batch\.service): Consumed ([0-9]{1,2}min )?[0-9]{1,2}\.[0-9]{3}s CPU time\.$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ podman\[[0-9]+\]: [-[:digit:]]{10} [.:[:digit:]]{8,18} \+[[:digit:]]{4} [[:alpha:]]{3,4} m=\+[.[:digit:]]+ image (pull|(remove|prune) [[:alnum:]]{64})$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ podman\[[0-9]+\]: [[:alnum:]]{64}$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ kernel: \[\s*[0-9]+\.[0-9]+\] audit: type=1326 audit\([.:0-9]+\): auid=[0-9]+ uid=[0-9]+ gid=[0-9]+ ses=[0-9]+ subj=unconfined pid=[0-9]+ comm="(git|git-remote-http|git-receive-pac|gitea)" exe="(/app/gitea/gitea|/usr/bin/git|/usr/bin/git-receive-pack|/usr/libexec/git-core/git|/usr/libexec/git-core/git-remote-http|/usr/libexec/git-core/git-remote-https)" sig=0 arch=c000003e syscall=324 compat=0 ip=[[:alnum:]]+ code=0x50000$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ kernel: \[\s*[0-9]+\.[0-9]+\] audit: type=1326 audit\([.:0-9]+\): auid=[0-9]+ uid=[0-9]+ gid=[0-9]+ ses=[0-9]+ subj=unconfined pid=[0-9]+ comm="ffmpeg" exe="/usr/bin/ffmpeg" sig=0 arch=c000003e syscall=324 compat=0 ip=[[:alnum:]]+ code=0x50000$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ conmon\[[0-9]+\]: .*$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ pod-[[:alnum:]\-]+\[[0-9]+\]: .*$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ restic-batch\[[0-9]+\]: Backing up [-_[:alnum:]]+$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ systemd\[[0-9]+\]: Finished (Podman auto-update service|Pod service auto-update service|Prune dangling podman images|Backup snapshots using restic)\.$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ systemd\[[0-9]+\]: var-lib-containers-storage-overlay\.mount: Succeeded\.$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ systemd\[[0-9]+\]: (restic-batch\.service): Consumed ([0-9]{1,2}min )?[0-9]{1,2}\.[0-9]{3}s CPU time\.$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ podman\[[0-9]+\]: [-[:digit:]]{10} [.:[:digit:]]{8,18} \+[[:digit:]]{4} [[:alpha:]]{3,4} m=\+[.[:digit:]]+ image (remove|prune) [[:alnum:]]{64}$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ podman\[[0-9]+\]: [-[:digit:]]{10} [.:[:digit:]]{8,18} \+[[:digit:]]{4} [[:alpha:]]{3,4} m=\+[.[:digit:]]+ image pull( [._/:[:alnum:]\-]+)?$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ podman\[[0-9]+\]: [[:alnum:]]{64}$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ kernel: \[\s*[0-9]+\.[0-9]+\] audit: type=1326 audit\([.:0-9]+\): auid=[0-9]+ uid=[0-9]+ gid=[0-9]+ ses=[0-9]+ subj=unconfined pid=[0-9]+ comm="(git|git-remote-http|git-receive-pac|gitea)" exe="(/app/gitea/gitea|/usr/bin/git|/usr/bin/git-receive-pack|/usr/libexec/git-core/git|/usr/libexec/git-core/git-remote-http|/usr/libexec/git-core/git-remote-https)" sig=0 arch=c000003e syscall=324 compat=0 ip=[[:alnum:]]+ code=0x50000$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ kernel: \[\s*[0-9]+\.[0-9]+\] audit: type=1326 audit\([.:0-9]+\): auid=[0-9]+ uid=[0-9]+ gid=[0-9]+ ses=[0-9]+ subj=unconfined pid=[0-9]+ comm="ffmpeg" exe="/usr/bin/ffmpeg" sig=0 arch=c000003e syscall=324 compat=0 ip=[[:alnum:]]+ code=0x50000$
diff --git a/playbooks/files/system/base/logs/yggdrasil b/playbooks/files/system/base/logs/yggdrasil
index 6d96166..6722e3e 100644
--- a/playbooks/files/system/base/logs/yggdrasil
+++ b/playbooks/files/system/base/logs/yggdrasil
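Review bot: The retained `var-lib-containers-storage-overlay\.mount: Succeeded\.$` pattern (fifth line of the new side) is probably dead on bookworm: if I recall correctly, systemd 249 changed the unit stop message from "Succeeded." to "Deactivated successfully.", and bookworm ships a later systemd, so each unmount would now land in the logcheck report instead of being ignored; the two `mnt-var-lib-yggdrasil-data-…\.mount: Succeeded\.$` patterns in the yggdrasil hunk have the same problem. If that is confirmed on a bookworm host, `\.mount: (Succeeded|Deactivated successfully)\.$` covers both releases during the migration. Separately, the new `image pull( [._/:[:alnum:]\-]+)?$` line suppresses pulls of any image name, whereas the name is now visible in the event; anchoring the optional group to the registries or images this host is expected to pull from would keep an unexpected pull in the report rather than silently dropping it.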
@@ -1,9 +1,9 @@
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ kernel: \[\s*[0-9]+\.[0-9]+\] perf: interrupt took too long \([0-9]+ > [0-9]+\), lowering kernel\.perf_event_max_sample_rate to [0-9]+$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ restic-batch\[[0-9]+\]: (Mounting|Unmounting) [-_/@:[:alnum:]]+ (to|from) [-_/@:[:alnum:]]+$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: Finished (Snapshot ZFS filesystems|Prune ZFS snapshots|Replicate snapshots using syncoid)\.$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (sanoid\.service|syncoid-batch\.service|sanoid-prune\.service): Consumed ([0-9]{1,2}min )?[0-9]{1,2}\.[0-9]{3}s CPU time\.$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: mnt-var-lib-yggdrasil-data-[\\[:alnum:]]+-[\\[:alnum:]]+\.mount: Succeeded\.$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: mnt-var-lib-yggdrasil-data-pod\\x2d[\\[:alnum:]]+-[\\[:alnum:]]+\.mount: Succeeded\.$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ sanoid\[[0-9]+\]: INFO: .*$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ sanoid\[[0-9]+\]: taking snapshot .*$
-^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ smbd: pam_unix\(samba:session\): session closed for user nobody$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ kernel: \[\s*[0-9]+\.[0-9]+\] perf: interrupt took too long \([0-9]+ > [0-9]+\), lowering kernel\.perf_event_max_sample_rate to [0-9]+$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ restic-batch\[[0-9]+\]: (Mounting|Unmounting) [-_/@:[:alnum:]]+ (to|from) [-_/@:[:alnum:]]+$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ systemd\[[0-9]+\]: Finished (Snapshot ZFS filesystems|Prune ZFS snapshots|Replicate snapshots using syncoid)\.$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ systemd\[[0-9]+\]: (sanoid\.service|syncoid-batch\.service|sanoid-prune\.service): Consumed ([0-9]{1,2}min )?[0-9]{1,2}\.[0-9]{3}s CPU time\.$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ systemd\[[0-9]+\]: mnt-var-lib-yggdrasil-data-[\\[:alnum:]]+-[\\[:alnum:]]+\.mount: Succeeded\.$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ systemd\[[0-9]+\]: mnt-var-lib-yggdrasil-data-pod\\x2d[\\[:alnum:]]+-[\\[:alnum:]]+\.mount: Succeeded\.$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ sanoid\[[0-9]+\]: INFO: .*$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ sanoid\[[0-9]+\]: taking snapshot .*$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ smbd: pam_unix\(samba:session\): session closed for user nobody$