diff --git a/security/logcheck/Makefile b/security/logcheck/Makefile
index 861d6d6a5607..79c1fa818596 100644
--- a/security/logcheck/Makefile
+++ b/security/logcheck/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	logcheck
-DISTVERSION=	1.3.24
+DISTVERSION=	1.4.0
 CATEGORIES=	security
 MASTER_SITES=	DEBIAN_POOL
 DISTNAME=	${PORTNAME}_${PORTVERSION}
diff --git a/security/logcheck/distinfo b/security/logcheck/distinfo
index fb5637fa237d..1623f327cd29 100644
--- a/security/logcheck/distinfo
+++ b/security/logcheck/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1657957126
-SHA256 (logcheck_1.3.24.tar.xz) = 5e304adf2880967c3b155bcf98e4f0809417a16bf91adb372fa065f38ab2c0cf
-SIZE (logcheck_1.3.24.tar.xz) = 133200
+TIMESTAMP = 1671926319
+SHA256 (logcheck_1.4.0.tar.xz) = dfd95c980727108cc9b8921736af9388dea0f6157688c03e8e39de378107b3dc
+SIZE (logcheck_1.4.0.tar.xz) = 135232
diff --git a/security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh b/security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh
index 0d7a4ae3cac6..b54cf2add4de 100644
--- a/security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh
+++ b/security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh
@@ -1,11 +1,11 @@
---- rulefiles/linux/ignore.d.server/ssh.orig	2021-01-28 19:50:10 UTC
+--- rulefiles/linux/ignore.d.server/ssh.orig	2022-12-22 23:03:11 UTC
 +++ rulefiles/linux/ignore.d.server/ssh
 @@ -14,7 +14,7 @@
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Postponed keyboard-interactive(/pam)? for (invalid user )?[^[:space:]]+ from [^[:space:]]+ port [[:digit:]]{1,5}( (ssh|ssh2)( \[preauth\])?)?$
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: [12]: Timeout, server not responding\.$
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+(: | port [[:digit:]]{1,5}:)11: (disconnected by user|Closed due to user request\.|Bye Bye \[preauth\])$
--^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: .{0,256} \[preauth\]$
-+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: .{0,255} \[preauth\]$
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: Client disconnect$
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: Disconnect requested by Windows SSH Client\.$
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnected from( (invalid|authenticating))?( user [^[:space:]]+)? [:[:xdigit:].]+ port [[:digit:]]{1,5}( \[preauth\])?$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Postponed keyboard-interactive(/pam)? for (invalid user )?[^[:space:]]+ from [^[:space:]]+ port [[:digit:]]{1,5}( (ssh|ssh2)( \[preauth\])?)?$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: [12]: Timeout, server not responding\.$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+(: | port [[:digit:]]{1,5}:)11: (disconnected by user|Closed due to user request\.|Bye Bye \[preauth\])$
+-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: .{0,256} \[preauth\]$
++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: .{0,255} \[preauth\]$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: Client disconnect$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: Disconnect requested by Windows SSH Client\.$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnected from( (invalid|authenticating))?( user [^[:space:]]+)? [:[:xdigit:].]+ port [[:digit:]]{1,5}( \[preauth\])?$
diff --git a/security/logcheck/files/patch-rulefiles_linux_ignore.d.paranoid_postfix b/security/logcheck/files/patch-rulefiles_linux_ignore.d.paranoid_postfix
index 26fc6c8cf1a0..5520fe1c68ee 100644
--- a/security/logcheck/files/patch-rulefiles_linux_ignore.d.paranoid_postfix
+++ b/security/logcheck/files/patch-rulefiles_linux_ignore.d.paranoid_postfix
@@ -1,10 +1,10 @@
---- rulefiles/linux/ignore.d.paranoid/postfix.orig	2015-12-10 18:14:10 UTC
+--- rulefiles/linux/ignore.d.paranoid/postfix.orig	2022-12-22 23:03:11 UTC
 +++ rulefiles/linux/ignore.d.paranoid/postfix
 @@ -1,5 +1,5 @@
--^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/(local|pipe|virtual)\[[[:digit:]]+\]: [[:alnum:]]+: to=[^[:space:]]+, (orig_to=[^[:space:]]+, |)relay=[^[:space:]]+, delay=[.[:digit:]]+, (delays=[.[:digit:]/]+, dsn=[.[:digit:]]+, )?status=[[:alnum:]]+ \(.*\)$
--^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/cleanup\[[[:digit:]]+\]: [[:alnum:]]+: (resent-|)message-id=<[^[:space:]]+>$
-+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/(local|pipe|virtual)\[[[:digit:]]+\]: [[:alnum:]]+: to=[^[:space:]]+, (orig_to=[^[:space:]]+, )?relay=[^[:space:]]+, delay=[.[:digit:]]+, (delays=[.[:digit:]/]+, dsn=[.[:digit:]]+, )?status=[[:alnum:]]+ \(.*\)$
-+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/cleanup\[[[:digit:]]+\]: [[:alnum:]]+: (resent-)?message-id=<[^[:space:]]+>$
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/nqmgr\[[[:digit:]]+\]: [[:alnum:]]+: from=<[^[:space:]]*>, size=[[:digit:]]+, nrcpt=[[:digit:]]+ \(queue active\)$
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/pickup\[[[:digit:]]+\]: [[:alnum:]]+: uid=[[:digit:]]+ from=[^[:space:]]+$
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/qmgr\[[[:digit:]]+\]: [[:alnum:]]+: from=<[^[:space:]]*>, size=[[:digit:]]+, nrcpt=[[:digit:]]+ \(queue active\)$
+-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/(local|pipe|virtual)\[[[:digit:]]+\]: [[:alnum:]]+: to=[^[:space:]]+, (orig_to=[^[:space:]]+, |)relay=[^[:space:]]+, delay=[.[:digit:]]+, (delays=[.[:digit:]/]+, dsn=[.[:digit:]]+, )?status=[[:alnum:]]+ \(.*\)$
+-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/cleanup\[[[:digit:]]+\]: [[:alnum:]]+: (resent-|)message-id=<[^[:space:]]+>$
++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/(local|pipe|virtual)\[[[:digit:]]+\]: [[:alnum:]]+: to=[^[:space:]]+, (orig_to=[^[:space:]]+, )?relay=[^[:space:]]+, delay=[.[:digit:]]+, (delays=[.[:digit:]/]+, dsn=[.[:digit:]]+, )?status=[[:alnum:]]+ \(.*\)$
++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/cleanup\[[[:digit:]]+\]: [[:alnum:]]+: (resent-)?message-id=<[^[:space:]]+>$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/nqmgr\[[[:digit:]]+\]: [[:alnum:]]+: from=<[^[:space:]]*>, size=[[:digit:]]+, nrcpt=[[:digit:]]+ \(queue active\)$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/pickup\[[[:digit:]]+\]: [[:alnum:]]+: uid=[[:digit:]]+ from=[^[:space:]]+$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/qmgr\[[[:digit:]]+\]: [[:alnum:]]+: from=<[^[:space:]]*>, size=[[:digit:]]+, nrcpt=[[:digit:]]+ \(queue active\)$
diff --git a/security/logcheck/files/patch-rulefiles_linux_ignore.d.server_dhcp b/security/logcheck/files/patch-rulefiles_linux_ignore.d.server_dhcp
index 3c4eddf2e852..41604e1ac4f3 100644
--- a/security/logcheck/files/patch-rulefiles_linux_ignore.d.server_dhcp
+++ b/security/logcheck/files/patch-rulefiles_linux_ignore.d.server_dhcp
@@ -1,22 +1,22 @@
---- rulefiles/linux/ignore.d.server/dhcp.orig	2017-01-14 11:42:45 UTC
+--- rulefiles/linux/ignore.d.server/dhcp.orig	2022-12-22 23:03:11 UTC
 +++ rulefiles/linux/ignore.d.server/dhcp
 @@ -10,13 +10,13 @@
- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPACK on [.0-9]{7,15} to [:[:alnum:]]+ (\([\(\)._[:alnum:]-]+\) )?via [._[:alnum:]-]+$
- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCP(NAK|RELEASE|INFORM) (on|from) ([.0-9]{7,15}|[:[:alnum:].]+)$
+ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPACK on [.0-9]{7,15} to [:[:alnum:]]+ (\([\(\)._[:alnum:]-]+\) )?via [._[:alnum:]-]+$
+ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCP(NAK|RELEASE|INFORM) (on|from) ([.0-9]{7,15}|[:[:alnum:].]+)$
  #Added for dhcp 3
--^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPDISCOVER from [:[:alnum:]]+ (\([._[:alnum:]-]+\) |)via [._[:alnum:]-]+(: load balance to peer [._[:alnum:]-]+)?$
--^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPOFFER on [.0-9]{7,15} to [:[:alnum:]]+ (\([._[:alnum:]-]+\) |)via [._[:alnum:]-]+$
--^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPREQUEST for [.0-9]{7,15} (\([.0-9]{7,15}\) |)from [:[:alnum:]]+ (\([._[:alnum:]-]+\) )?via [._[:alnum:]-]+(: load balance to peer [._[:alnum:]-]+\.?|: lease owned by peer\.?|: wrong network\.?|: lease [.0-9]{7,15} unavailable\.?)?$
--^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPACK on [.0-9]{7,15} to [:[:alnum:]]+ (\([._[:alnum:]-]+\) |)via [._[:alnum:]-]+$
--^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPNAK on [.0-9]{7,15} to [:[:alnum:]]+ (\([._[:alnum:]-]+\) |)via [._[:alnum:]-]+$
-+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPDISCOVER from [:[:alnum:]]+ (\([._[:alnum:]-]+\) )?via [._[:alnum:]-]+(: load balance to peer [._[:alnum:]-]+)?$
-+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPOFFER on [.0-9]{7,15} to [:[:alnum:]]+ (\([._[:alnum:]-]+\) )?via [._[:alnum:]-]+$
-+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPREQUEST for [.0-9]{7,15} (\([.0-9]{7,15}\) )?from [:[:alnum:]]+ (\([._[:alnum:]-]+\) )?via [._[:alnum:]-]+(: load balance to peer [._[:alnum:]-]+\.?|: lease owned by peer\.?|: wrong network\.?|: lease [.0-9]{7,15} unavailable\.?)?$
-+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPACK on [.0-9]{7,15} to [:[:alnum:]]+ (\([._[:alnum:]-]+\) )?via [._[:alnum:]-]+$
-+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPNAK on [.0-9]{7,15} to [:[:alnum:]]+ (\([._[:alnum:]-]+\) )?via [._[:alnum:]-]+$
- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPINFORM from [.0-9]{7,15} via [._[:alnum:]-]+$
--^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPRELEASE of [.0-9]{7,15} from [:[:alnum:]]+ (\([._[:alnum:]-]+\) |)via [._[:alnum:]-]+ \((not |)found\)$
-+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPRELEASE of [.0-9]{7,15} from [:[:alnum:]]+ (\([._[:alnum:]-]+\) )?via [._[:alnum:]-]+ \((not )?found\)$
- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPACK to [.0-9]{7,15}( \(([:[:xdigit:]]+|<no client hardware address>)\) via [._[:alnum:]-]+)?$
- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: ((balancing|balanced) )?pool [0-9a-f]{6,7} [.0-9]{7,15}/[:[:alnum:]]+ ? total [:[:alnum:]]+  free [:[:alnum:]]+  backup [:[:alnum:]]+  lts [:[:alnum:]-]+.*(  max-(own \(\+/-\)[[:digit:]]+|misbal [[:digit:]]+))?$
- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: ICMP Echo reply while lease [.[:digit:]]{7,15} valid\.$
+-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPDISCOVER from [:[:alnum:]]+ (\([._[:alnum:]-]+\) |)via [._[:alnum:]-]+(: load balance to peer [._[:alnum:]-]+)?$
+-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPOFFER on [.0-9]{7,15} to [:[:alnum:]]+ (\([._[:alnum:]-]+\) |)via [._[:alnum:]-]+$
+-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPREQUEST for [.0-9]{7,15} (\([.0-9]{7,15}\) |)from [:[:alnum:]]+ (\([._[:alnum:]-]+\) )?via [._[:alnum:]-]+(: load balance to peer [._[:alnum:]-]+\.?|: lease owned by peer\.?|: wrong network\.?|: lease [.0-9]{7,15} unavailable\.?)?$
+-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPACK on [.0-9]{7,15} to [:[:alnum:]]+ (\([._[:alnum:]-]+\) |)via [._[:alnum:]-]+$
+-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPNAK on [.0-9]{7,15} to [:[:alnum:]]+ (\([._[:alnum:]-]+\) |)via [._[:alnum:]-]+$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPDISCOVER from [:[:alnum:]]+ (\([._[:alnum:]-]+\) )?via [._[:alnum:]-]+(: load balance to peer [._[:alnum:]-]+)?$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPOFFER on [.0-9]{7,15} to [:[:alnum:]]+ (\([._[:alnum:]-]+\) )?via [._[:alnum:]-]+$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPREQUEST for [.0-9]{7,15} (\([.0-9]{7,15}\) )?from [:[:alnum:]]+ (\([._[:alnum:]-]+\) )?via [._[:alnum:]-]+(: load balance to peer [._[:alnum:]-]+\.?|: lease owned by peer\.?|: wrong network\.?|: lease [.0-9]{7,15} unavailable\.?)?$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPACK on [.0-9]{7,15} to [:[:alnum:]]+ (\([._[:alnum:]-]+\) )?via [._[:alnum:]-]+$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPNAK on [.0-9]{7,15} to [:[:alnum:]]+ (\([._[:alnum:]-]+\) )?via [._[:alnum:]-]+$
+ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPINFORM from [.0-9]{7,15} via [._[:alnum:]-]+$
+-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPRELEASE of [.0-9]{7,15} from [:[:alnum:]]+ (\([._[:alnum:]-]+\) |)via [._[:alnum:]-]+ \((not |)found\)$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPRELEASE of [.0-9]{7,15} from [:[:alnum:]]+ (\([._[:alnum:]-]+\) )?via [._[:alnum:]-]+ \((not )?found\)$
+ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: DHCPACK to [.0-9]{7,15}( \(([:[:xdigit:]]+|<no client hardware address>)\) via [._[:alnum:]-]+)?$
+ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: ((balancing|balanced) )?pool [0-9a-f]{6,7} [.0-9]{7,15}/[:[:alnum:]]+ ? total [:[:alnum:]]+  free [:[:alnum:]]+  backup [:[:alnum:]]+  lts [:[:alnum:]-]+.*(  max-(own \(\+/-\)[[:digit:]]+|misbal [[:digit:]]+))?$
+ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dhcpd[[[:digit:]]+]: ICMP Echo reply while lease [.[:digit:]]{7,15} valid\.$
diff --git a/security/logcheck/files/patch-rulefiles_linux_ignore.d.server_nfs b/security/logcheck/files/patch-rulefiles_linux_ignore.d.server_nfs
index 7e57daede02a..eab5161956e6 100644
--- a/security/logcheck/files/patch-rulefiles_linux_ignore.d.server_nfs
+++ b/security/logcheck/files/patch-rulefiles_linux_ignore.d.server_nfs
@@ -1,7 +1,7 @@
---- rulefiles/linux/ignore.d.server/nfs.orig	2015-12-10 18:14:10 UTC
+--- rulefiles/linux/ignore.d.server/nfs.orig	2022-12-22 23:03:11 UTC
 +++ rulefiles/linux/ignore.d.server/nfs
 @@ -1,2 +1,2 @@
--^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rpc\.mountd: authenticated (un|)mount request from [._[:alnum:]-]+:[0-9]+ for (/[._[:alnum:]-]*)+ \((/[._[:alnum:]-]*)+\)$
--^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mountd\[[0-9]+\]: authenticated (un|)mount request from [._[:alnum:]-]+:[0-9]+ for (/[._[:alnum:]-]*)+ \((/[._[:alnum:]-]*)+\)$
-+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rpc\.mountd: authenticated (un)?mount request from [._[:alnum:]-]+:[0-9]+ for (/[._[:alnum:]-]*)+ \((/[._[:alnum:]-]*)+\)$
-+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mountd\[[0-9]+\]: authenticated (un)?mount request from [._[:alnum:]-]+:[0-9]+ for (/[._[:alnum:]-]*)+ \((/[._[:alnum:]-]*)+\)$
+-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ rpc\.mountd: authenticated (un|)mount request from [._[:alnum:]-]+:[0-9]+ for (/[._[:alnum:]-]*)+ \((/[._[:alnum:]-]*)+\)$
+-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ mountd\[[0-9]+\]: authenticated (un|)mount request from [._[:alnum:]-]+:[0-9]+ for (/[._[:alnum:]-]*)+ \((/[._[:alnum:]-]*)+\)$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ rpc\.mountd: authenticated (un)?mount request from [._[:alnum:]-]+:[0-9]+ for (/[._[:alnum:]-]*)+ \((/[._[:alnum:]-]*)+\)$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ mountd\[[0-9]+\]: authenticated (un)?mount request from [._[:alnum:]-]+:[0-9]+ for (/[._[:alnum:]-]*)+ \((/[._[:alnum:]-]*)+\)$
diff --git a/security/logcheck/files/patch-rulefiles_linux_ignore.d.server_postfix b/security/logcheck/files/patch-rulefiles_linux_ignore.d.server_postfix
index 6eee98f03dd2..4d445e12735b 100644
--- a/security/logcheck/files/patch-rulefiles_linux_ignore.d.server_postfix
+++ b/security/logcheck/files/patch-rulefiles_linux_ignore.d.server_postfix
@@ -1,20 +1,20 @@
---- rulefiles/linux/ignore.d.server/postfix.orig	2019-03-01 15:22:43 UTC
+--- rulefiles/linux/ignore.d.server/postfix.orig	2022-12-22 23:03:11 UTC
 +++ rulefiles/linux/ignore.d.server/postfix
 @@ -8,7 +8,7 @@
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/anvil\[[[:digit:]]+\]: statistics: max (message|recipient|connection) (count|rate) [/[:digit:]s]+ for \(([.:[:xdigit:]]+)?(smtp(s)?|25|submission|587):([.:[:xdigit:]]+|unknown)\) at \w{3} [ :[:digit:]]{11}$
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/anvil\[[[:digit:]]+\]: statistics: max cache size [[:digit:]]+ at \w{3} [ :[:digit:]]{11}$
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/bounce\[[[:digit:]]+\]: [[:xdigit:]]+: sender (delay|non-delivery|delivery status) notification: [[:xdigit:]]+$
--^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/cleanup\[[[:digit:]]+\]: [[:alnum:]]+: (resent-|)message-id=<?[^>]+>?( \(added by [^[:space:]]+\))?$
-+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/cleanup\[[[:digit:]]+\]: [[:alnum:]]+: (resent-)?message-id=<?[^>]+>?( \(added by [^[:space:]]+\))?$
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/cleanup\[[[:digit:]]+\]: [[:alnum:]]+: milter-discard: END-OF-MESSAGE from [-._[:alnum:]]+\[([.[:digit:]]+|[:[:xdigit:]]+)\]: milter triggers DISCARD action; from=<[^[:space:]]*> to=<[^[:space:]]*> proto=E?SMTP helo=<[^[:space:]]+>$
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/cleanup\[[[:digit:]]+\]: [[:upper:][:digit:]]+: reject: header [^[:space:]]+:.+ from=<[^[:space:]]*>( to=<[^[:space:]]+>)? proto=E?SMTP helo=<[^[:space:]]+>: .+$
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/cleanup\[[[:digit:]]+\]: [[:xdigit:]]+: milter-reject: END-OF-MESSAGE from [-._[:alnum:]]+\[[.[:digit:]]+\]: [45]\.7\.1 (virus [-._/[:alnum:]]+ detected by ClamAV - http://www\.clamav\.net|Command rejected); from=<[^[:space:]]*> to=<[^[:space:]]+> proto=E?SMTP helo=<[^[:space:]]+>$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/anvil\[[[:digit:]]+\]: statistics: max (message|recipient|connection) (count|rate) [/[:digit:]s]+ for \(([.:[:xdigit:]]+)?(smtp(s)?|25|submission|587):([.:[:xdigit:]]+|unknown)\) at \w{3} [ :[:digit:]]{11}$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/anvil\[[[:digit:]]+\]: statistics: max cache size [[:digit:]]+ at \w{3} [ :[:digit:]]{11}$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/bounce\[[[:digit:]]+\]: [[:xdigit:]]+: sender (delay|non-delivery|delivery status) notification: [[:xdigit:]]+$
+-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/cleanup\[[[:digit:]]+\]: [[:alnum:]]+: (resent-|)message-id=<?[^>]+>?( \(added by [^[:space:]]+\))?$
++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/cleanup\[[[:digit:]]+\]: [[:alnum:]]+: (resent-)?message-id=<?[^>]+>?( \(added by [^[:space:]]+\))?$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/cleanup\[[[:digit:]]+\]: [[:alnum:]]+: milter-discard: END-OF-MESSAGE from [-._[:alnum:]]+\[([.[:digit:]]+|[:[:xdigit:]]+)\]: milter triggers DISCARD action; from=<[^[:space:]]*> to=<[^[:space:]]*> proto=E?SMTP helo=<[^[:space:]]+>$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/cleanup\[[[:digit:]]+\]: [[:upper:][:digit:]]+: reject: header [^[:space:]]+:.+ from=<[^[:space:]]*>( to=<[^[:space:]]+>)? proto=E?SMTP helo=<[^[:space:]]+>: .+$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/cleanup\[[[:digit:]]+\]: [[:xdigit:]]+: milter-reject: END-OF-MESSAGE from [-._[:alnum:]]+\[[.[:digit:]]+\]: [45]\.7\.1 (virus [-._/[:alnum:]]+ detected by ClamAV - http://www\.clamav\.net|Command rejected); from=<[^[:space:]]*> to=<[^[:space:]]+> proto=E?SMTP helo=<[^[:space:]]+>$
 @@ -60,7 +60,7 @@
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtp\[[[:digit:]]+\]: warning: [^[:space:]]+ offered null AUTH mechanism list$
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtp\[[[:digit:]]+\]: warning: mailer loop: best MX for [^[:space:]]+ is local$
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtp\[[[:digit:]]+\]: warning: no MX host for [^[:space:]]+ has a valid (A|address) record$
--^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: ((Anonymous|Trusted|Verified) )?TLS connection established (to|from) [^[:space:]]+: (TLSv1(\.[[:digit:]])?|SSLv[23]) with cipher [^[:space:]]+ \([/[:digit:]]+ bits\)$
-+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: ((Anonymous|Trusted|Verified) )?TLS connection established (to|from) [^[:space:]]+: (TLSv1(\.[[:digit:]])?|SSLv[23]) with cipher [^[:space:]]+ \([/[:digit:]]+ bits\)( key-exchange [^[:space:]]+ server-signature [^[:space:]]+ \([/[:digit:]]+ bits\) server-digest [^[:space:]]+)?$
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: (Peer|Server) certificate could not be verified$
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: Unverified: subject_CN=.*$
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: Verified: subject_CN=.*, issuer=.*$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/smtp\[[[:digit:]]+\]: warning: [^[:space:]]+ offered null AUTH mechanism list$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/smtp\[[[:digit:]]+\]: warning: mailer loop: best MX for [^[:space:]]+ is local$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/smtp\[[[:digit:]]+\]: warning: no MX host for [^[:space:]]+ has a valid (A|address) record$
+-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: ((Anonymous|Trusted|Verified) )?TLS connection established (to|from) [^[:space:]]+: (TLSv1(\.[[:digit:]])?|SSLv[23]) with cipher [^[:space:]]+ \([/[:digit:]]+ bits\)$
++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: ((Anonymous|Trusted|Verified) )?TLS connection established (to|from) [^[:space:]]+: (TLSv1(\.[[:digit:]])?|SSLv[23]) with cipher [^[:space:]]+ \([/[:digit:]]+ bits\)( key-exchange [^[:space:]]+ server-signature [^[:space:]]+ \([/[:digit:]]+ bits\) server-digest [^[:space:]]+)?$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: (Peer|Server) certificate could not be verified$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: Unverified: subject_CN=.*$
+ ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: Verified: subject_CN=.*, issuer=.*$
diff --git a/security/logcheck/files/patch-rulefiles_linux_ignore.d.server_sudo b/security/logcheck/files/patch-rulefiles_linux_ignore.d.server_sudo
index 4ecaa3e137b6..73e8653ac7e3 100644
--- a/security/logcheck/files/patch-rulefiles_linux_ignore.d.server_sudo
+++ b/security/logcheck/files/patch-rulefiles_linux_ignore.d.server_sudo
@@ -1,11 +1,11 @@
---- rulefiles/linux/ignore.d.server/sudo.orig	2021-01-30 08:46:14 UTC
+--- rulefiles/linux/ignore.d.server/sudo.orig	2022-12-22 23:03:11 UTC
 +++ rulefiles/linux/ignore.d.server/sudo
 @@ -1,4 +1,4 @@
--^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session closed for user [[:alnum:]-]+$
--^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session opened for user [[:alnum:]-]+(\(uid=[[:digit:]]+\))? by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
--^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ).*$
--^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$
-+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo(\[[[:digit:]]+\])?: pam_[[:alnum:]]+\(sudo:session\): session closed for user [[:alnum:]-]+$
-+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo(\[[[:digit:]]+\])?: pam_[[:alnum:]]+\(sudo:session\): session opened for user [[:alnum:]-]+(\(uid=[[:digit:]]+\))? by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
-+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo(\[[[:digit:]]+\])?:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ).*$
-+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo(\[[[:digit:]]+\])?:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$
+-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session closed for user [[:alnum:]-]+$
+-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session opened for user [[:alnum:]-]+(\(uid=[[:digit:]]+\))? by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
+-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ).*$
+-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo(\[[[:digit:]]+\])?: pam_[[:alnum:]]+\(sudo:session\): session closed for user [[:alnum:]-]+$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo(\[[[:digit:]]+\])?: pam_[[:alnum:]]+\(sudo:session\): session opened for user [[:alnum:]-]+(\(uid=[[:digit:]]+\))? by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo(\[[[:digit:]]+\])?:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ).*$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo(\[[[:digit:]]+\])?:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$
diff --git a/security/logcheck/files/patch-rulefiles_linux_violations.d_kernel b/security/logcheck/files/patch-rulefiles_linux_violations.d_kernel
index f8d4fcfa5672..4e1498d15694 100644
--- a/security/logcheck/files/patch-rulefiles_linux_violations.d_kernel
+++ b/security/logcheck/files/patch-rulefiles_linux_violations.d_kernel
@@ -1,6 +1,6 @@
---- rulefiles/linux/violations.d/kernel.orig	2015-12-10 18:14:10 UTC
+--- rulefiles/linux/violations.d/kernel.orig	2022-12-22 23:03:11 UTC
 +++ rulefiles/linux/violations.d/kernel
 @@ -1,2 +1,2 @@
--^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? [[:alnum:]]+: media error \(bad sector\): status=0x[[:xdigit:]]+ { DriveReady SeekComplete Error }$
-+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? [[:alnum:]]+: media error \(bad sector\): status=0x[[:xdigit:]]+ \{ DriveReady SeekComplete Error \}$
- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? end_request: I/O error, dev [[:alnum:]]+, sector [[:digit:]]+
+-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? [[:alnum:]]+: media error \(bad sector\): status=0x[[:xdigit:]]+ { DriveReady SeekComplete Error }$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? [[:alnum:]]+: media error \(bad sector\): status=0x[[:xdigit:]]+ \{ DriveReady SeekComplete Error \}$
+ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? end_request: I/O error, dev [[:alnum:]]+, sector [[:digit:]]+
diff --git a/security/logcheck/files/patch-rulefiles_linux_violations.d_sudo b/security/logcheck/files/patch-rulefiles_linux_violations.d_sudo
index 4e765b35b41d..c2cd0159f915 100644
--- a/security/logcheck/files/patch-rulefiles_linux_violations.d_sudo
+++ b/security/logcheck/files/patch-rulefiles_linux_violations.d_sudo
@@ -1,7 +1,7 @@
---- rulefiles/linux/violations.d/sudo.orig	2018-05-30 21:59:13 UTC
+--- rulefiles/linux/violations.d/sudo.orig	2022-12-22 23:03:11 UTC
 +++ rulefiles/linux/violations.d/sudo
 @@ -1,3 +1,3 @@
- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: pam_[[:alnum:]]+\(sudo:[[:alnum:]]+\): .*$
--^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: .*$
-+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo(\[[0-9]+\])?: .*$
+ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
+ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo\[[0-9]+\]: pam_[[:alnum:]]+\(sudo:[[:alnum:]]+\): .*$
+-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo: .*$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo(\[[0-9]+\])?: .*$
diff --git a/security/logcheck/files/patch-rulefiles_linux_violations.ignore.d_logcheck-sudo b/security/logcheck/files/patch-rulefiles_linux_violations.ignore.d_logcheck-sudo
index 427e399fa2ae..0b1678bfbd30 100644
--- a/security/logcheck/files/patch-rulefiles_linux_violations.ignore.d_logcheck-sudo
+++ b/security/logcheck/files/patch-rulefiles_linux_violations.ignore.d_logcheck-sudo
@@ -1,13 +1,13 @@
---- rulefiles/linux/violations.ignore.d/logcheck-sudo.orig	2018-05-30 21:59:13 UTC
+--- rulefiles/linux/violations.ignore.d/logcheck-sudo.orig	2022-12-22 23:03:11 UTC
 +++ rulefiles/linux/violations.ignore.d/logcheck-sudo
 @@ -1,5 +1,5 @@
--^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo: pam_krb5\(sudo:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]-]+@[.A-Z]+$
--^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+( ; GROUP=[._[:alnum:]-]+)? ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$
--^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$
--^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
--^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session closed for user [[:alnum:]-]+$
-+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo(\[[[:digit:]]+\])?: pam_krb5\(sudo:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]-]+@[.A-Z]+$
-+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo(\[[[:digit:]]+\])?:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+( ; GROUP=[._[:alnum:]-]+)? ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$
-+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo(\[[[:digit:]]+\])?:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$
-+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo(\[[[:digit:]]+\])?: pam_[[:alnum:]]+\(sudo:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
-+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo(\[[[:digit:]]+\])?: pam_[[:alnum:]]+\(sudo:session\): session closed for user [[:alnum:]-]+$
+-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo: pam_krb5\(sudo:auth\): user [._[:alnum:]-]+ authenticated as [._[:alnum:]-]+@[.A-Z]+$
+-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+( ; GROUP=[._[:alnum:]-]+)? ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$
+-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$
+-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session opened for user [._[:alnum:]-]+\(uid=[0-9]+\) by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
+-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session closed for user [._[:alnum:]-]+$
++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo(\[[[:digit:]]+\])?: pam_krb5\(sudo:auth\): user [._[:alnum:]-]+ authenticated as [._[:alnum:]-]+@[.A-Z]+$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo(\[[[:digit:]]+\])?:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+( ; GROUP=[._[:alnum:]-]+)? ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo(\[[[:digit:]]+\])?:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo(\[[[:digit:]]+\])?: pam_[[:alnum:]]+\(sudo:session\): session opened for user [._[:alnum:]-]+\(uid=[0-9]+\) by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sudo(\[[[:digit:]]+\])?: pam_[[:alnum:]]+\(sudo:session\): session closed for user [._[:alnum:]-]+$