<?xml version="1.0"?>
<!-- 

    CAUTION:
    It is not advised to edit this file! You may miss any future
    revisions made to it. Instead, create/edit notice_local.xml and
    add your rules to it following the same XML layout as presented in
    this file. All members of notice_local.xml will be added
    indiscriminately, i.e. you don't have to specify the id of the
    <notice> in notices.conf: any notices added in notice_local.xml
    will be enabled in the module automatically.

    $Revision: 1.4.2.5 $

-->
<notices>
  <notice id="gconfd">
    <regex>gconfd.*: Failed to get lock.*Failed to create</regex>
    <regex>gconfd.*: Error releasing lockfile</regex>
    <regex>gconfd.*: .* Could not lock temporary file</regex>
    <regex>gconfd.*: .* another process has the lock</regex>
    <report>GConf locking errors</report>
  </notice>
  
  <notice id="fatalx">
    <regex>Fatal X error</regex>
    <report>Fatal X errors</report>
  </notice>

  <notice id="sftp">
    <regex>sftp-server.*</regex>
    <regex>subsystem request for sftp</regex>
    <report>SFTP activity</report>
  </notice>

  <notice id="floppy">
    <regex>floppy0:|\(floppy\)</regex>
    <report>Misc floppy errors</report>
  </notice>

  <notice id="ypserv">
    <regex>ypserv.*:\srefused\sconnect\sfrom\s(\S+):\d+\sto\sprocedure\s(\S+)</regex>
    <report>%s denied for %s</report>
  </notice>
  
  <notice id="linux_boot" critical="yes">
    <regex>kernel:\sLinux\sversion\s(\S*)</regex>
    <report>Rebooted with Linux kernel %s</report>
  </notice>
  
  <notice id="ssh_scan" critical="yes">
    <regex>sshd\[\S*: Did not receive identification string from (\S*)</regex>
    <report>SSH scan from %s</report>
  </notice>

  <notice id="cdrom_vfs">
    <regex>VFS: busy inodes on changed media</regex>
    <report>dirty CDROM mount</report>
  </notice>
  
  <notice id="cdrom">
    <regex>kernel: cdrom: This disc doesn</regex>
    <regex>kernel: .*Make sure there is a disc in the drive.</regex>
    <report>Misc CDROM errors</report>
  </notice>

  <notice id="dirty_floppy">
    <regex>attempt to access beyond end of device</regex>
    <regex>rw=\d+, want=\d+, limit=\d+</regex>
    <regex>Directory sread .* failed</regex>
    <regex>kernel: bread in fat_access failed</regex>
    <report>Dirty floppy mount [non-indicative]</report>
  </notice>

  <notice id="nfs_timeout" critical="yes">
    <regex>nfs: server (\S+) not responding</regex>
    <regex>nfs: server (\S+) OK</regex>
    <report>NFS timeouts to server %s</report>
  </notice>
  
  <notice id="insmod">
    <regex>insmod: Hint: insmod errors</regex>
    <report>insmod errors</report>
  </notice>

  <notice id="selinux-denied">
    <regex>audit\S+:\s+avc:\s+denied\s+\{\s([^\}]+)\s\}.*exe=(\S+).*scontext=(\S+)</regex>
    <report>SELinux: denied "%s" for "%s" (scontext=%s)</report>
  </notice>

  <notice id="crond">
    <regex>CROND\S+: \((\S+)\) CMD \(([^\)]+)\)</regex>
    <regex>crond\S+: \((\S+)\) CMD \(([^\)]+)\)</regex>
    <report>Cron: user '%s' (%s)</report>
  </notice>

  <notice id="promisc" critical="yes">
    <regex>device (\S+) entered promiscuous mode</regex>
    <regex>(\S+): Promiscuous mode enabled</regex>
    <regex>(\S+): enabled promiscuous mode</regex>
    <report>device %s entered promiscuous mode</report>
  </notice>

</notices>