Exemplo n.º 1
0
function event_finish($postfix_id, $to, $status, $bounce_error, $from = null, $buffer = null)
{
    if ($GLOBALS["EnableArticaSMTPStatistics"] == 0) {
        return;
    }
    $delivery_success = 'yes';
    if ($status == 'bounced') {
        $delivery_success = 'no';
    }
    if ($status == 'deferred') {
        $delivery_success = 'no';
    }
    if ($status == 'reject') {
        $delivery_success = 'no';
    }
    if ($status == 'expired') {
        $delivery_success = 'no';
    }
    if (preg_match("#Queued mail for delivery#", $bounce_error)) {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sended";
    }
    if (preg_match("#Sender address rejected: need fully-qualified address#", $bounce_error)) {
        $status = "rejected";
        $delivery_success = "no";
        $bounce_error = "need fully-qualified address";
    }
    if (preg_match("#no mailbox here#", $bounce_error)) {
        $status = "rejected";
        $delivery_success = "no";
        $bounce_error = "Mailbox Unknown";
    }
    if (preg_match("#refused to talk to me.+?RBL rejection#", $bounce_error)) {
        $status = "rejected";
        $delivery_success = "no";
        $bounce_error = "RBL";
    }
    if (preg_match("#550.+?Service unavailable.+?blocked using.+?RBL#", $bounce_error)) {
        $status = "rejected";
        $delivery_success = "no";
        $bounce_error = "RBL";
    }
    if (preg_match("#554 : Recipient address rejected: Access denied#", $bounce_error)) {
        $status = "rejected";
        $delivery_success = "no";
        $bounce_error = "Access denied";
    }
    if (preg_match("#451 4.2.0 Mailbox has an invalid format#", $bounce_error)) {
        $status = "rejected";
        $delivery_success = "no";
        $bounce_error = "Mailbox corrupt";
    }
    if (preg_match("#delivered via#", $bounce_error)) {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sended";
    }
    if (preg_match("#Content scanner malfunction#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Content scanner malfunction";
    }
    if (preg_match("#4\\.5\\.0 Failure#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Error";
    }
    if (preg_match("#250 2\\.0\\.0 Ok#", $bounce_error)) {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sended";
    }
    if (preg_match("#Host or domain name not found#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Host or domain name not found";
    }
    if (preg_match("#4\\.5\\.0 Error in processing#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Error";
    }
    if (preg_match("#Sender address rejected.+?Domain not found#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Domain not found";
    }
    if (preg_match("#delivered to command: procmail -a#", $bounce_error)) {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sent to procmail";
    }
    if (preg_match("#550 must be authenticated#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Authentication error";
    }
    if (preg_match("#250 Message.+?accepted by#", $bounce_error)) {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sended";
    }
    if (preg_match("#Connection timed out#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "timed out";
    }
    if (preg_match("#connect\\s+to.+?Connection refused#", $bounce_error)) {
        if (preg_match("#connect to 127\\.0\\.0\\.1\\[127\\.0\\.0\\.1\\]:2003:#", $bounce_error)) {
            $file = "/etc/artica-postfix/croned.1/postfix.lmtp.127.0.0.1:2003.refused";
            if (file_time_min($file) > 5) {
                if ($GLOBALS["ZARAFA_INSTALLED"]) {
                    email_events("Postfix: Zarafa LMTP Error", "Postfix\n{$buffer}\nArtica will trying to start Zarafa", "postfix");
                    $cmd = "{$GLOBALS["NOHUP_PATH"]} /etc/init.d/artica-postfix start zarafa >/dev/null 2>&1 &";
                    shell_exec(trim($cmd));
                    @unlink($file);
                    file_put_contents($file, "#");
                    return;
                }
            }
        }
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Connection refused";
    }
    if (preg_match("#temporary failure.+?artica-msmtp:\\s+recipient address\\s+(.+?)\\s+not accepted by the server artica-msmtp#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "artica-filter error";
    }
    if (preg_match("#host.+?said: 550 No such user#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "No such user";
    }
    if (preg_match("#250 2\\.1\\.5 Ok#", $bounce_error)) {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sended";
    }
    if ($bounce_error == "250 OK: data received") {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sended";
    }
    if ($bounce_error == "250 Ok: queued as") {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sended";
    }
    if (preg_match("#250\\s+ok#", $bounce_error)) {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sended";
    }
    if (preg_match("#504.+?Recipient address rejected#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "recipient address rejected";
    }
    if (preg_match("#Address rejected#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Address rejected";
    }
    if (preg_match("#conversation with .+?timed out#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "timed out";
    }
    if (preg_match("#connect to\\s+(.+?)\\[.+?cyrus.+?lmtp\\]: Connection refused#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "mailbox service error";
        cyrus_generic_error($bounce_error, "Cyrus socket error");
    }
    if (preg_match("#host.+?\\[(.+?)\\]\\s+said:.+?<(.+?)>: Recipient address rejected: User unknown in local recipient table#", $bounce_error, $re)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "User unknown";
        $to = $re[2];
    }
    if (preg_match("#host.+?said:\\s+554.+?<(.+?)>:\\s+Recipient address rejected.+?not existing recipient#", $bounce_error, $re)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "not existing recipient";
        $to = $re[2];
    }
    if (preg_match("#said:.+?Authentication required#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Authentication required";
    }
    if (preg_match("#temporary failure.+?[0-9]+\\s+[0-9\\.]+\\s+Bad sender address syntax.+?could not send mail#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Bad sender address syntax";
    }
    if (preg_match("#connect.+?Permission denied#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "service permissions error";
    }
    if (preg_match("#Command died with status 255:.+?exec\\.artica-filter\\.php#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "artica-filter error";
    }
    if (preg_match("#host\\s+(.+?)\\[(.+?)\\]\\s+said:\\s+[0-9]+.+?Recipient address rejected: Access denied#", $bounce_error, $re)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Access denied";
        $smtp_sender = $re[2];
    }
    if (preg_match("#250.+?Ok#i", $bounce_error)) {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sended";
    }
    if (preg_match("#Message accepted#i", $bounce_error)) {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sended";
    }
    if (preg_match("#host.+?said:.+?Domain of sender address.+?does not exist#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Your domain does not exist";
    }
    if (preg_match("#connect to .+?No such file or dire#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "socket error";
    }
    if (preg_match("#lost connection with.+?\\[(.+?)\\] while receiving#", $bounce_error, $re)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "lost connection";
        $smtp_sender = $re[1];
    }
    if (preg_match("#host.+?\\[(.+?)\\] said:.+?Recipient address rejected#", $bounce_error, $re)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Recipient address rejected";
        $smtp_sender = $re[1];
    }
    if (preg_match("#loops back to myself#", $bounce_error, $re)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "loops back to myself";
    }
    if (preg_match("#Sender denied#", $bounce_error, $re)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Sender denied";
    }
    if (preg_match("#User unknown#", $bounce_error, $re)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "User unknown";
    }
    if (preg_match("#Bounce attack signature verification failed#", $bounce_error, $re)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Bounce attack";
    }
    if (preg_match("#mailbox unavailable#", $bounce_error, $re)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "No mailbox";
    }
    if (preg_match("#Message rejected#", $bounce_error, $re)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Message rejected";
    }
    if (preg_match("#250 2\\.0\\.0 from MTA#", $bounce_error, $re)) {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sended";
    }
    if (preg_match("#421-ts03#", $bounce_error, $re)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Your are blacklisted";
    }
    if (preg_match("#User does not exist#", $bounce_error, $re)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "No mailbox";
    }
    if (preg_match("#Recipient address rejected#", $bounce_error, $re)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "authentication required";
    }
    if ($bounce_error == "250 OK") {
        $bounce_error = "Sended";
        $delivery_success = "yes";
        $status = "Deliver";
    }
    if (preg_match("#lost connection with.+?\\[(.+?)\\]\\s+#", $bounce_error, $re)) {
        $bounce_error = "lost connection";
        $delivery_success = "no";
        $smtp_sender = $re[1];
    }
    if (preg_match("#status=bounced \\(message size.+?exceeds size limit.+?of server.+?\\[(.+?)\\]#", $bounce_error, $re)) {
        $bounce_error = "size exceed limit";
        $delivery_success = "no";
        $smtp_sender = $re[1];
    }
    if (preg_match("#lost connection with.+?\\[(.+?)\\]\\s+#", $bounce_error, $re)) {
        $bounce_error = "lost connection";
        $delivery_success = "no";
        $smtp_sender = $re[1];
    }
    if ($delivery_success == "no") {
        if ($bounce_error == "User unknown in relay recipient table") {
            $bounce_error = "User unknown";
        }
        events("event_finish() line " . __LINE__ . " bounce_error={$bounce_error}");
        if (preg_match("#connect to.+?\\[(.+?)lmtp\\].+?No such file or directory#", $bounce_error, $ra)) {
            events("Cyrus error found -> CyrusSocketErrot");
            cyrus_socket_error($bounce_error, $ra[1] . '/lmtp');
        }
        if (preg_match("#550\\s+User\\s+unknown\\s+<(.+?)>.+?in reply to RCPT TO command#", $bounce_error, $ra)) {
            mailbox_unknown($bounce_error, $ra[1]);
        }
    }
    $file = "/var/log/artica-postfix/RTM/{$postfix_id}.msg";
    $ini = new Bs_IniHandler($file);
    if ($smtp_sender == null) {
        if (preg_match("#from.+?\\[([0-9\\.]+)?\\]#", $buffer, $re)) {
            $ini->set("TIME", "smtp_sender", $re[1]);
        }
    } else {
        $ini->set("TIME", "smtp_sender", "{$smtp_sender}");
    }
    if ($from != null) {
        $ini->set("TIME", "mailfrom", $from);
    }
    $ini->set("TIME", "mailto", "{$to}");
    $ini->set("TIME", "bounce_error", "{$bounce_error}");
    $ini->set("TIME", "time_end", date("Y-m-d H:i:s"));
    $ini->set("TIME", "delivery_success", "{$delivery_success}");
    events("event_finish() [{$postfix_id}]: {$from} => {$to} err={$bounce_error} success={$delivery_success}");
    $ini->saveFile($file);
}
Exemplo n.º 2
0
function Parseline($buffer){
$buffer=trim($buffer);	

if(preg_match("#artica-filter#",$buffer)){return true;}
if(preg_match("#postfix\/#",$buffer)){return true;}
if(preg_match("#CRON\[#",$buffer)){return true;}
if(preg_match("#: CACHEMGR:#",$buffer)){return true;}
if(preg_match("#exec\.postfix-logger\.php:#",$buffer)){return true;}
if(preg_match("#artica-install\[#",$buffer)){return true;}
if(preg_match("#monitor action done#",$buffer)){return true;}
if(preg_match("#monitor service.+?on user request#",$buffer)){return true;}
if(preg_match("#CRON\[.+?\(root\).+CMD#",$buffer)){return true;}
if(preg_match("#winbindd\[.+?winbindd_listen_fde_handler#",$buffer)){return true;}
if(preg_match("#slapd.+?conn=[0-9]+\s+fd=.+?closed#",$buffer)){return;}
if(strpos($buffer,"*system*awstats#")>0){return true;}
if(strpos($buffer,"extra modules loaded after daemonizing/chrooting")>0){return;}
if(strpos($buffer,"/etc/cron.d/awstats")>0){return;}
if(strpos($buffer,"emailrelay:")>0){return;}
if(strpos($buffer,"pptpd-logwtmp.so loaded")>0){return;}
if(strpos($buffer,"Reinitializing monit daemon")>0){return;}
if(strpos($buffer,"Monit reloaded")>0){return;}
if(strpos($buffer,"Tarticaldap.logon")>0){return;}
if(strpos($buffer,"pulseaudio[")>0){return;}
if(strpos($buffer,"exec: /usr/bin/php5")>0){return;}
if(strpos($buffer,"Found decoder for ")>0){return;}
if(strpos($buffer,"Internal decoder for ")>0){return;}
if(strpos($buffer,"Loaded Icons")>0){return;}
if(strpos($buffer,"CP ConfReq")>0){return;}
if(strpos($buffer,"CP ConfAck")>0){return;}
if(strpos($buffer,"CP EchoReq")>0){return;}
if(strpos($buffer,"/usr/sbin/cron")>0){return;}
if(strpos($buffer,"no IPv6 routers present")>0){return;}
if(strpos($buffer,"AM.PDP-SOCK")>0){return;}
if(strpos($buffer,"disconnect from unknown")>0){return;}

//LDAP Dustbin
if(strpos($buffer,"SEARCH RESULT tag=")>0){return;}
if(strpos($buffer,'SRCH base="cn=')>0){return;}
if(strpos($buffer,'ACCEPT from IP=')>0){return;}
if(strpos($buffer,'closed (connection lost)')>0){return;}

//automount dustbin
if(strpos($buffer,"handle_packet: type")>0){return;}
if(strpos($buffer,"dev_ioctl_send_fail: token")>0){return;}
if(strpos($buffer,"lookup_mount: lookup(ldap)")>0){return;}
if(strpos($buffer,"handle_packet_missing_indirect: token")>0){return;}
if(strpos($buffer,"getuser_func: called with context")>0){return;}
if(strpos($buffer,"attempting to mount entry /automounts")>0){return;}
if(strpos($buffer,"lookup_one: lookup(ldap)")>0){return;}
if(strpos($buffer,"do_bind: lookup(ldap):")>0){return;}
if(strpos($buffer,"sun_mount: parse")>0){return;}
if(strpos($buffer,"]: failed to mount /")>0){return;}
if(strpos($buffer,"]: do_mount:")>0){return;}
if(strpos($buffer,"]: parse_mount: parse")>0){return;}
if(strpos($buffer,"mount_mount: mount(generic):")>0){return;}
if(strpos($buffer,">> Error connecting to")>0){return;}
if(strpos($buffer,">> Refer to the mount")>0){return;}
if(strpos($buffer,"getpass_func: context (nil)")>0){return;}

//ROOT Dustbin
if(strpos($buffer,"(root) CMD")>0){return;}
if(strpos($buffer,"RELOAD (/etc/cron")>0){return;}
//Cyrus DUSTBIN
if(strpos($buffer,"cyrus PLAIN User logged in")>0){return;}
if(strpos($buffer,"cyrus/ctl_cyrusdb")>0){return;}
if(strpos($buffer,"exited, status 0")>0){return;}
if(strpos($buffer,"fetching user_deny")>0){return;}
if(strpos($buffer,"seen_db: user")>0){return;}
if(strpos($buffer,"mystore: starting txn")>0){return;}
if(strpos($buffer,"mystore: committing")>0){return;}
if(strpos($buffer,"duplicate_mark:")>0){return;}
if(strpos($buffer,"root-servers.net:")>0){return;}
if(strpos($buffer,"KASINFO")>0){return;}

//pdns dustbin
if(strpos($buffer,"question for '")>0){return;}
if(strpos($buffer,"answer to question '")>0){return;}


//roundcube dustbin
if(strpos($buffer,"IMAP Error: Empty password")>0){return;}


//monit dustbin
if(strpos($buffer,"Monit has not changed")>0){return;}
if(strpos($buffer,": synchronized to ")>0){return;}
if(strpos($buffer,"monit HTTP server stopped")>0){return;}
if(strpos($buffer,"Shutting down monit HTTP server")>0){return;}
if(strpos($buffer,"Starting monit HTTP server at")>0){return;}
if(strpos($buffer,"Reinitializing monit - Control")>0){return;}
//squid dustbin:

if(strpos($buffer,"Unlinkd pipe opened on FD")>0){return;}
if(strpos($buffer,"Beginning Validation Procedure")>0){return;}

//EMAILRELAY DUSTBIN
if(strpos($buffer,"emailrelay: info: failing file")>0){return;}
if(strpos($buffer,"emailrelay: info: no more messages to send")>0){return; }
if(strpos($buffer,"emailrelay: warning: cannot do tls")>0){return; }
if(strpos($buffer,"]: monit daemon at")>0){return;}
if(strpos($buffer,"artica-ldap[")>0){return;}
 
//SAMBA DUSTBIN
if(strpos($buffer,"winbindd/winbindd_group.c")>0){return;}
if(strpos($buffer,"smb_register_idmap_alloc")>0){return;}
if(strpos($buffer,"Idmap module passdb already registered")>0){return;}
if(strpos($buffer,"Cleaning up brl and lock database after unclean shutdown")>0){return;}
if(strpos($buffer,"winbindd_sig_term_handler")>0){return;}
if(strpos($buffer,"cleanup_timeout_fn")>0){return;}

//Snort dustbin
if(strpos($buffer,"]: last message repeated")>0){return;}


//pdns dustbin
if(strpos($buffer,"Looking for CNAME")>0){return;}
if(strpos($buffer,"No CNAME cache hit of")>0){return;}
if(strpos($buffer,"Found cache hit")>0){return;}
if(strpos($buffer,": Resolved '")>0){return;}
if(strpos($buffer,": Trying IP")>0){return;}
if(strpos($buffer,".: Got 1 answers")>0){return;}
if(strpos($buffer,": accept answer")>0){return;}
if(strpos($buffer,": determining status")>0){return;}
if(strpos($buffer,": got negative caching")>0){return;}
if(strpos($buffer,": No cache hit for")>0){return;}
if(strpos($buffer,": Checking if we have NS")>0){return;}
if(strpos($buffer,": no valid/useful NS")>0){return;}
if(strpos($buffer,": NS (with ip, or non-glue)")>0){return;}
if(strpos($buffer,": We have NS in cache")>0){return;}
if(strpos($buffer,".: Nameservers:")>0){return;}
if(strpos($buffer,": Trying to resolve NS")>0){return;}
if(strpos($buffer,".: got NS record")>0){return;}
if(strpos($buffer,".: status=")>0){return;}
if(strpos($buffer,".: Starting additional")>0){return;}
if(strpos($buffer,".: Done with additional")>0){return;}
if(strpos($buffer,".: Found cache CNAME hit")>0){return;}
if(strpos($buffer,".: answer is in")>0){return;}
if(strpos($buffer,"is negatively cached via")>0){return;}
if(strpos($buffer,".: within bailiwick")>0){return;}
if(strpos($buffer,"]: Query: '")>0){return;}
if(strpos($buffer,"bdb_equality_candidates:")>0){return;}
if(strpos($buffer,"Cache consultations done")>0){return;}
if(strpos($buffer,".: Entire record")>0){return;}
if(strpos($buffer,"got upwards/level NS record")>0){return;}
if(strpos($buffer,"), rcode=0, in")>0){return;}
if(strpos($buffer,"]    ns1.")>0){return;}
if(strpos($buffer,"error resolving, possible error: Connection refused")>0){return;}

if(strpos($buffer,'BIND dn="cn=')>0){return;}
if(strpos($buffer,'RESULT tag=')>0){return;}
if(strpos($buffer,'SRCH base="')>0){return;}
if(strpos($buffer,'SRCH attr=')>0){return;}
if(strpos($buffer,'MOD attr=')>0){return;}
if(strpos($buffer,'MOD dn=')>0){return;}
if(strpos($buffer,' UNBIND')>0){return;}
if(strpos($buffer,": connection_input: conn=")>0){return;}
if(strpos($buffer,"attr=dNSTTL aRecord nSRecord cNAMERecord")>0){return;}
if(strpos($buffer,": monit HTTP server started")>0){return;}
if(strpos($buffer,"Awakened by the")>0){return;}


if(dhcpd($buffer)){return;}
if(preg_match("#squid\[[0-9]+\]:#",$buffer)){squid_parser($buffer);return;}
if(preg_match("#nss_wins\[[0-9]+\]:#",$buffer)){nss_parser($buffer);return;}

	$auth=new auth_tail();
	if($auth->ParseLog($buffer)){return;}
	$auth=null;
	
	
	if(preg_match("#pdns(?:\[\d{1,5}\])?: Not authoritative for '.*',.*sending servfail to\s+(.+?)\s+\(recursion was desired\)#",$buffer,$re)){
		events("--> PDNS Hack {$re[2]}");
		if($GLOBALS["PDNS_HACK"]==1){
			$GLOBALS["PDNS_HACK_DB"][$re[2]]=$GLOBALS["PDNS_HACK_DB"][$re[2]]+1;
			if($GLOBALS["PDNS_HACK_DB"][$re[2]]>$GLOBALS["PDNS_HACK_MAX"]){
				events("--> PDNS Hack {$re[2]} will be banned");
				@file_put_contents("/var/log/artica-postfix/pdns-hack-queue/".time(), $re[2]);
				unset($GLOBALS["PDNS_HACK_DB"][$re[2]]);
			}
		}
		return;
	}	
	
	
	if(preg_match("#auditd\[.+?Unable to set audit pid, exiting#", $buffer)){
		$file="/etc/artica-postfix/croned.1/Unable.to.set.audit.pid";
		if(IfFileTime($file,10)){
			email_events("Auditd: cannot start","audtid claims:\n$buffer\nIt seems that Auditd cannot start, if you run this computer on an OpenVZ VPS server, be sure that your Administrator has enabled audtid capability
			Take a look here http://bugzilla.openvz.org/show_bug.cgi?id=1157
			\nthis notification is not a good information.\nthe Auditd feature is now disabled\n",'system');
			@unlink($file);
			@file_put_contents("/etc/artica-postfix/settings/Daemons/EnableAuditd", "0");
			shell_exec(trim("{$GLOBALS["nohup"]} /etc/init.d/artica-postfix stop auditd >/dev/null 2>&1 &"));
			WriteFileCache($file);
		return;	
		}	
	}
	
	
	if(preg_match("#snort\[[0-9]+\]:\s+\[.+?\]\s+(.+?)\s+\[Classification: (.+?)\]\s+\[Priority:\s+([0-9]+)\]:\/s+\{(.+?)\}\s+(.+?):([0-9]+)\s+->\s+(.+?):([0-9]+)#",$buffer,$re)){
		$md5=md5($buffer);
		$filename="/var/log/artica-postfix/snort-queue/".time().".$md5.snort";
		@file_put_contents($filename,serialize($re));
		return;
	}
	
	
	if(preg_match("#snort\[.+?:\s+Can.+?t acquire.+?cooked-mode frame doesn.+?t have room for sll header#",$buffer,$re)){
		$file="/etc/artica-postfix/croned.1/snort.cant.bind";
		if(IfFileTime($file,10)){
			email_events("SNORT: Fatal error: could not acquire the network","snort claims:\n$buffer\nIt seems that snort is unable to hook your Interface Card, perhaps your server running in a Xen environnement or any virtual system\nthis notification is not a good information.\nYou should remove the IDS feature from Artica or remove SNORT package\nYour system cannot support IDS system.\nsee http://seclists.org/snort/2011/q2/52\nhttp://support.citrix.com/article/CTX116204",'system');
			@unlink($file);
			WriteFileCache($file);
		return;	
		}	
	}
	

	if(preg_match("#.+?roundcube-(.+?): FAILED login for (.+?) from ([0-9\.]+)#",$buffer,$re)){
		Roundcubehack($re[1],$re[2],$re[3]);
		return;
	}
	
	if(preg_match("#net:\s+failed to bind to server ldap.+?localhost#",$buffer)){
		events("--> exec.samba.php --fix-etc-hosts");
		shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.samba.php --fix-etc-hosts >/dev/null 2>&1 &");
		$file="/etc/artica-postfix/croned.1/net-ldap-bind";
		if(IfFileTime($file,5)){
			shell_exec("{$GLOBALS["nohup"]} /etc/init.d/artica-postfix start ldap >/dev/null 2>&1 &");
			WriteFileCache($file);
		return;	
		}	
	}
	
	
	if(preg_match("#(winbindd|smbd)\[.+?failed to bind to server.+?Invalid credentials#",$buffer)){
		events("SAMBA: Invalid credentials");
		
		$file="/etc/artica-postfix/croned.1/samba-ldap-credentials";
		if(IfFileTime($file,5)){
			email_events("Samba: could not connect to ldap Invalid credentials","samba claims:\n$buffer\nArtica will try to reconfigure password and restart Samba",'system');
			shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.samba.php --fix-etc-hosts >/dev/null 2>&1 &");
			@unlink($file);
			shell_exec("{$GLOBALS["nohup"]} /etc/init.d/artica-postfix restart samba >/dev/null 2>&1 &");
			WriteFileCache($file);
		return;	
		}	
	}
	
	if(preg_match("#winbindd\[.+?ADS uninitialized: No logon servers#",$buffer)){
		events("WINBINDD: ADS uninitialized: No logon servers");
		$file="/etc/artica-postfix/croned.1/winbindd-No-logon-servers";
		if(IfFileTime($file,5)){
				$wbinfo=$GLOBALS["CLASS_UNIX"]->find_program("wbinfo");
				exec("$wbinfo -u 2>&1",$results);
				$restart=false;
				while (list ($num, $ligne) = each ($results) ){events("WINBINDD: $ligne");if(preg_match("#Error#",$ligne)){$restart=true;}}
				WriteFileCache($file);

				if($restart){
					$imploded=@implode("\n",$results);
					events("WINBINDD: $imploded");
					email_events("Samba: Winbindd failed to uninitialize with Active Directory server",
					"samba claims:\n$buffer\nArtica will restart winbindd daemon\nwbinfo results:\n$imploded",'system');
					shell_exec(trim("{$GLOBALS["nohup"]} /etc/init.d/artica-postfix restart winbindd >/dev/null 2>&1"));
					@unlink($file);
					WriteFileCache($file);
				}
			}else{
				events("WINBINDD: Do nothing");
			}
		return;	
	}		
		
		

	
	if(preg_match("#lessfs\[.+?send_backlog : failed to connect to the slave#",$buffer,$re)){
		$file="/etc/artica-postfix/croned.1/lessfs.1";
		if(IfFileTime($file,5)){
			email_events("lessFS: Replication deduplication to connect to the slave ","lessFS claims:\n$buffer\nPlease check communications with the slave",'system');
			WriteFileCache($file);
		return;	
		}	
	}
	
	if(preg_match("#lessfs\[.+?send_backlog : invalid message size#",$buffer,$re)){
		$file="/etc/artica-postfix/croned.1/lessfs.2";
		if(IfFileTime($file,5)){
			email_events("lessFS: Replication deduplication failed to replicate ","lessFS claims:\n$buffer\nPlease check communications with the slave",'system');
			WriteFileCache($file);
		return;	
		}	
	}
	
	if(preg_match("#lessfs\[.+?replication_worker : replication is disabled, disconnect#",$buffer,$re)){
		$file="/etc/artica-postfix/croned.1/lessfs.2";
		if(IfFileTime($file,5)){
			email_events("lessFS: Replication deduplication failed: Slave is disabled ","lessFS claims:\n$buffer\nPlease check communications with the slave",'system');
			WriteFileCache($file);
		return;	
		}	
	}	
	
	if(preg_match("#lessfs\[.+?Could not recover database : (.+?)#",$buffer,$re)){
		$file="/etc/artica-postfix/croned.1/lessfs.3";
		if(IfFileTime($file,5)){
			email_events("lessFS: database {$re[1]} corrupted !!","lessFS claims:\n$buffer\nArtica will try to repair it...",'system');
			shell_exec("lessfsck -o -f -t -c /etc/lessfs.cfg &");
		}
		
	}
	
	if(preg_match("#automount\[.+?mount.+?unknown filesystem type.+?ext4#",$buffer,$re)){
		$file="/etc/artica-postfix/croned.1/automount.unknown.filesystem.type.ext4";
		if(IfFileTime($file,15)){
			email_events("automount: Failed to mount EXT4 !","automount claims:\n$buffer\nYou should upgrade your system in order to obtain the last kernel that enables ext4",'system');
			WriteFileCache($file);
		}
		return;
	}	
	
	if(preg_match("#automount\[.+?mount.+?failed to mount\s+(.+?)\s+on\s+(.+)$#",$buffer,$re)){
		$mount_dir=$re[1];
		$mount_dest=$re[2];
		$md5=md5("$mount_dir$mount_dest");
		$file="/etc/artica-postfix/croned.1/automount.$md5";
		if(IfFileTime($file,15)){
			email_events("automount: Failed to mount $mount_dir ","automount claims:\n$buffer\nCheck your connexions settings on automount section",'system');
			WriteFileCache($file);
		}
		return;
	}	
	
	

	if(preg_match("#modprobe: WARNING: Error inserting\s+(.+?)\s+\(.+?\):\s+No such device#",$buffer,$re)){
		email_events("kernel: missing {$re[1]} module","modprobe claims:\n$buffer\nTry to find the right package that store {$re[2]} file",'VPN');
		return;
	}
	
	
	if(preg_match("#pptp_callmgr.+?Could not open control connection to\s+([0-9\.]+)#",$buffer,$re)){
		vpn_msql_events("VPN connexion failed to {$re[1]}, unable to create connection tunnel",$buffer,"{$re[1]}");
		email_events("VPN connexion failed to {$re[1]}, unable to create connection tunnel ","$buffer",'VPN');
		return;
	}
	
	
	if(preg_match("#pppd\[.+?Can.+?t open options file.+?ppp\/peers\/(.+?):\s+No such file or directory#",$buffer,$re)){
		email_events("VPN connexion failed for {$re[1]} connection,No such file","pptp clients claims $buffer\artica will try to rebuild connections","VPN");
		vpn_msql_events("VPN (PPTPD) failed for {$re[1]} connection,No such file",$buffer,"{vpn_server}");
		shell_exec(LOCATE_PHP5_BIN2()." /usr/share/artica-postfix/exec.pptpd.php --clients &");
		return;
	}
	
	 if(preg_match("#pppd\[.+?peer refused to authenticate: terminating link#",$buffer,$re)){
		vpn_msql_events("VPN (PPTPD) authentification failed from remote host",$buffer,"{vpn_server}");
		return;
	}
	
	 if(preg_match("#pppd\[.+?peer refused to authenticate#",$buffer,$re)){
		vpn_msql_events("VPN (PPTPD) failed peer refused to authenticate",$buffer,"{vpn_server}");
		return;
	}	
	
	if(preg_match("#pppd\[.+?MS-CHAP authentication failed: E=691 Authentication failure#",$buffer,$re)){
		vpn_msql_events("VPN (CLIENT) failed server refused to authenticate (Authentication failure)",$buffer,"{vpn_server}");
		return;
	}	
	
	if(preg_match("#pppd\[.+?MPPE required but not available#",$buffer,$re)){
		vpn_msql_events("VPN (PPTPD) authentification failed MPPE required",$buffer,"{vpn_server}");
		return;
	}
	
	
	
	if(preg_match("#pptpd\[.+?CTRL: Client\s+(.+?)\s+control connection finished#",$buffer,$re)){
		vpn_msql_events("VPN (PPTPD) connection closed for {$re[1]}",$buffer,"{vpn_server}");
		return;
	}
	
	if(preg_match("#pppd\[.+?pptpd-logwtmp\.so ip-up ppp[0-9]+\s+(.+?)\s+([0-9\.]+)#",$buffer,$re)){
		vpn_msql_events("VPN (PPTPD) connection open for {$re[1]} ({$re[2]})","$buffer",'{vpn_server}');
		return;
	}
	
	if(preg_match("#slapd\[(.+?)\]:.+?OpenLDAP: slapd\s+([0-9\.]+)#",$buffer,$re)){
		email_events("OpenLDAP service version {$re[2]} successfully started PID {$re[1]}","$buffer",'system');
		return;
	}
	


if(preg_match("#monit\[.+?Sendmail error:\s+(.+)#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/monit-sendmail-failed-". md5($re[1]);
	if(IfFileTime($file,10)){
		events("MONIT -> SENDMAIL FAILED");
		email_events("Monit is unable to send notifications","Monit claim \"$buffer\"\ntry to analyze why postfix send this error:\n{$re[1]}",'system');
		WriteFileCache($file);
		return;	
	}
}


if(strpos($buffer,"pam_ldap: ldap_simple_bind Can't contact LDAP server")>0){
	$file="/etc/artica-postfix/croned.1/ldap-failed";
	if(IfFileTime($file,10)){
		events("pam_ldap -> LDAP FAILED");
		email_events("LDAP server is unavailable","System claim \"$buffer\" artica will try to restart LDAP server ",'system');
		WriteFileCache($file);
		shell_exec('/etc/init.d/artica-postfix restart ldap --monit &');
		return;	
	}	
}

if(preg_match("#net:\s+failed to bind to server.+?Error:\s+Can.?t\s+contact LDAP server#",$buffer)){
	$file="/etc/artica-postfix/croned.1/ldap-failed";
	if(IfFileTime($file,10)){
		events("NET -> LDAP FAILED");
		email_events("LDAP server is unavailable","System claim \"$buffer\" artica will try to restart LDAP server ",'system');
		WriteFileCache($file);
		shell_exec('/etc/init.d/artica-postfix restart ldap --monit &');
		return;	
	}	
}

if(preg_match("#winbindd\[.+?failed to bind to server\s+(.+?)\s+with dn.+?Error: Can.+?contact LDAP server#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/ldap-failed";
	if(IfFileTime($file,10)){
		events("winbindd -> LDAP FAILED");
		email_events("LDAP server is unavailable","Samba claim \"$buffer\" artica will try to restart LDAP server ",'system');
		WriteFileCache($file);
		shell_exec('/etc/init.d/artica-postfix restart ldap --monit &');
		return;	
	}
}


if(preg_match("#smbd\[.+?User\s+(.+?)with invalid SID\s+(.+?)\s+in passdb#",$buffer,$re)){
	events("SAMBA Invalid SID for {$re[1]}");
	$md5=md5("{$re[1]}{$re[2]}");
	$file="/etc/artica-postfix/croned.1/samba.invalid.sid.$md5";
	if(IfFileTime($file)){
		$unix=new unix();
		$localsid=$unix->GET_LOCAL_SID();
		$cmd=LOCATE_PHP5_BIN2()." /usr/share/artica-postfix/exec.samba.synchronize.php";
		$GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET($cmd);
		email_events("Samba invalid SID for {$re[1]}","Samba claim \"$buffer\"\nUser:{$re[1]} with sid {$re[2]} has this server has the SID $localsid\nArtica will re-sync accounts",'system');
		WriteFileCache($file);
	}
	return true;
}

if(preg_match("#smbd\[.+?sid\s+(.+?)\s+does not belong to our domain#",$buffer,$re)){
	events("SAMBA Invalid global SID for {$re[1]}");
	$md5=md5("{$re[1]}");
	$file="/etc/artica-postfix/croned.1/samba.invalid.sid.$md5";
	if(IfFileTime($file)){
		$unix=new unix();
		$localsid=$unix->GET_LOCAL_SID();
		email_events("Samba global invalid SID for {$re[1]}","Samba claim \"$buffer\"\n{$re[1]} has this server has the real SID $localsid\nTry to rebuild the configuration trough artica web Interface",'system');
		WriteFileCache($file);
	}
	return true;
}


if(preg_match("#NetBIOS name\s+(.+?)\s+is too long. Truncating to (.+?)#",$buffer,$re)){
	events("SAMBA NetBIOS name {$re[1]} is too long");
	$file="/etc/artica-postfix/croned.1/NetBIOSNameTooLong";
	if(IfFileTime($file)){
		email_events("Samba NetBIOS name {$re[1]} is too long","Samba claim \"$buffer\" \nYou should change your server hostname",'system');
		WriteFileCache($file);
	}
	return true;
}	
	
	



if(preg_match('#net:\s+WARNING:\s+Ignoring invalid value.+?Bad Pasword#',$buffer,$re)){
	events("SAMBA unknown parameter Bad Pasword");
	$file="/etc/artica-postfix/croned.1/SambaBadPasword";
	if(IfFileTime($file)){
		email_events("Samba unknown parameter \"Bad Pasword\"","Samba claim \"$buffer\" Artica will reconfigure samba",'system');
		shell_exec(LOCATE_PHP5_BIN2()." /usr/share/artica-postfix/exec.samba.php --reconfigure &");
		WriteFileCache($file);
	}
	return true;
}

if(preg_match('#smbd\[.+Ignoring unknown parameter\s+"hide_unwriteable_files"#',$buffer,$re)){
	events("SAMBA unknown parameter hide_unwriteable_files");
	$file="/etc/artica-postfix/croned.1/hide_unwriteable_files";
	if(IfFileTime($file)){
		email_events("Samba unknown parameter hide_unwriteable_files","Samba claim \"$buffer\" Artica will correct the configuration file",'system');
		shell_exec(LOCATE_PHP5_BIN2()." /usr/share/artica-postfix/exec.samba.php --fix-HideUnwriteableFiles &");
		WriteFileCache($file);
	}
	return true;
}

if(preg_match('#load_usershare_shares: directory\s+(.+?)\s+is not owned by root or does not have the sticky bit#',$buffer,$re)){
	events("SAMBA load_usershare_shares {$re[1]}");
	$file="/etc/artica-postfix/croned.1/load_usershare_shares";
	if(IfFileTime($file)){
		email_events("Samba load_usershare_shares permissions issues","Samba claim \"$buffer\" Artica will correct the filesystem directory",'system');
		shell_exec("chmod 1775 $re[1]/ &");
		shell_exec("chmod chmod +t $re[1]/ &");
		WriteFileCache($file);
	}
	return true;	
}

if(preg_match("#amavis\[.+?:\s+\(.+?\)TROUBLE\s+in child_init_hook:#",$buffer,$re)){
	events("AMAVIS TROUBLE in child_init_hook");
	$file="/etc/artica-postfix/croned.1/amavis.".md5("AMAVIS:TROUBLE in child_init_hook");
	if(IfFileTime($file)){
		email_events("Amavis child error","Amavis claim \"$buffer\" the amavis daemon will be restarted",'postfix');
		shell_exec('/etc/init.d/artica-postfix restart amavis &');
		WriteFileCache($file);
	}
	return true;
}

if(preg_match("#amavis\[.+?:\s+\(.+?\)_DIE:\s+Suicide in child_init_hook#",$buffer,$re)){
	events("AMAVIS TROUBLE in child_init_hook");
	$file="/etc/artica-postfix/croned.1/amavis.".md5("AMAVIS:TROUBLE in child_init_hook");
	if(IfFileTime($file)){
		email_events("Amavis child error","Amavis claim \"$buffer\" the amavis daemon will be restarted",'postfix');
		shell_exec('/etc/init.d/artica-postfix restart amavis &');
		WriteFileCache($file);
	}
	return true;
}


if(preg_match("#smbd_audit:\s+(.+?)\|(.+?)\|(.+?)\|(.+?)\|(.+?)\|(.+?)\|(.+?)\|(.+?)$#",$buffer,$re)){
	events("{$re[5]}/{$re[8]} in xapian queue");
	WriteXapian("{$re[5]}/{$re[8]}"); 
	return true;
}




if(preg_match("#dansguardian.+?:\s+Error connecting to proxy#",$buffer,$re)){
		$file="/etc/artica-postfix/croned.1/squid.tostart.error";
		if(IfFileTime($file,2)){
			events("Squid not available...! Artica will start squid");
			email_events("Proxy error","DansGuardian claim \"$buffer\", Artica will start squid ",'system');
			$GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart squid-cache');
			$GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/etc/init.d/artica-postfix start dansguardian');
			WriteFileCache($file);
			return;
		}else{
			events("Proxy error, but take action after 10mn");
			return;
		}		
}


if(preg_match("#zarafa-server.+?INNODB engine is disabled#",$buffer)){
	$file="/etc/artica-postfix/croned.1/zarafa.INNODB.engine";
	if(IfFileTime($file,2)){
			events("Zarafa innodb errr");
			$GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart mysql');
			$GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart zarafa');
			WriteFileCache($file);
			return;
		}else{
			events("Zarafa innodb err, but take action after 10mn");
			return;
		}			
}


if(preg_match("#zarafa-spooler\[.+?Unable to open admin session. Error ([0-9a-zA-Z]+)#",$buffer,$re)){
	email_events("zarafa Spooler service error connecting to zarafa server ({$re[1]})","Zarafa claim \"$buffer\" ",'system');
	return;
}


if(preg_match("#(.+?)\[.+?segfault at.+?error.+?in.+?\[#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/segfault.{$re[1]}";
	if(IfFileTime($file,10)){
		events("{$re[1]}: segfault");
		email_events("{$re[1]}: segfault","Kernel claim \"$buffer\" ",'system');
		WriteFileCache($file);
		return;	
	}
}

if(preg_match("#kernel:.+?Out of memory:\s+kill\s+process\s+#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/kernel.Out.of.memory";
	if(IfFileTime($file,1)){
		events("Out of memory -> REBOOT !!!");
		email_events("Out of memory: reboot action performed","Kernel claim \"$buffer\" the server will be rebooted",'system');
		WriteFileCache($file);
		shell_exec("/etc/init.d/artica-postfix stop");
		shell_exec("reboot");
		return;	
	}
}

if(preg_match("#kernel:.+?ata.+?status:\s+{\s+DRDY#",$buffer,$re)){
	if($GLOBALS["NODRYREBOOT"]==1){
		events("Hard Disk problem: -> reboot banned");
		return ;
	}
	$file="/etc/artica-postfix/croned.1/kernel.DRDY";
	if(IfFileTime($file,5)){
		events("DRDY -> REBOOT !!!");
		exec("/bin/dmesg 2>&1",$results);
		$array["buffer"]=$buffer;
		$array["dmsg"]=$results;
		@mkdir("/etc/artica-postfix/reboot",644,true);
		@file_put_contents("/etc/artica-postfix/reboot/".time(),serialize($array));
		email_events("Hard Disk problem: reboot action performed","Kernel claim \"$buffer\" the server will be rebooted\n".@implode("\n",$results),'system');
		$GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("/sbin/reboot");
		return;
	}
}




if(preg_match("#winbindd\[.+?resolve_name: unknown name switch type lmhost#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/winbindd.lmhost.failed";
	if(IfFileTime($file,10)){
		events("winbindd -> lmhost failed");
		WriteFileCache($file);
		$GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.samba.php --fix-lmhost");
		return;	
	}	
}

if(preg_match("#nmbd\[.+?become_logon_server_success: Samba is now a logon server for workgroup (.+?)\s+on subnet\s+([A-Z0-9\._-]+)#",$buffer,$re)){
	email_events("Samba (file sharing) started domain {$re[1]}/{$re[2]}","Samba notice: \"$buffer\"",'system');
	return;	
}




if(preg_match("#zarafa-server.+?Unable to connect to database.+?MySQL server on.+?([0-9\.]+)#",$buffer)){
	$file="/etc/artica-postfix/croned.1/zarafa.MYSQL.CONNECT";
	if(IfFileTime($file,2)){
			events("Zarafa Mysql Error errr");
			email_events("MailBox server unable connect to database","Zarafa server  claim \"$buffer\" ",'mailbox');
			WriteFileCache($file);
			return;
		}else{
			events("MailBox server unable connect to database but take action after 10mn");
			return;
		}			
}

if(preg_match("#winbindd:\s+Exceeding\s+[0-9]+\s+client\s+connections.+?no idle connection found#",$buffer)){
	$file="/etc/artica-postfix/croned.1/Winbindd.connect.error";
	if(IfFileTime($file,2)){
			events("winbindd Error connections");
			email_events("Winbindd exceeding connections","Samba server  claim \"$buffer\" \nArtica will restart samba",'system');
			shell_exec('/etc/init.d/artica-postfix restart samba &');
			WriteFileCache($file);
			return;
		}else{
			events("Winbindd exceeding connections take action after 10mn");
			return;
		}			
}




// -------------------------------------------------------------------- MONIT


if(preg_match("#'(.+?)'\s+total mem amount of\s+([0-9]+).+?matches resource limit#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/mem.{$re[1]}.monit";
	if(IfFileTime($file,15)){
				events("{$re[1]} limit memory exceed");
				email_events("{$re[1]}: memory limit","Monitor claim \"$buffer\"",'system');
				WriteFileCache($file);
				return;
			}else{
				events("{$re[1]} limit memory exceed, but take action after 10mn");
				return;
			}			
	}
if(preg_match("#monit\[.+?'(.+?)'\s+trying to restart#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/restart.{$re[1]}.monit";
	if(IfFileTime($file,5)){
				events("{$re[1]} was restarted");
				email_events("{$re[1]}: stopped, try to restart","Monitor claim \"$buffer\"",'system');
				WriteFileCache($file);
				return;
			}else{
				events("{$re[1]}: stopped, try to restart, but take action after 10mn");
				return;
			}			
	}

if(preg_match("#monit\[.+?'(.+?)'\s+process is not running#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/restart.{$re[1]}.monit";
	if(IfFileTime($file,5)){
				events("{$re[1]} was stopped");
				email_events("{$re[1]}: stopped","Monitor claim \"$buffer\"",'system');
				WriteFileCache($file);
				return;
			}else{
				events("{$re[1]}: stopped, but take action after 10mn");
				return;
			}			
	}
	
	
if(preg_match("#pdns\[.+?:\s+binding UDP socket to.+?Address already in use#",$buffer,$re)){
$file="/etc/artica-postfix/croned.1/restart.pdns.bind.error";
	if(IfFileTime($file,5)){
				events("PowerDNS: Unable to bind UDP socket");
				email_events("PowerDNS: Unable to bind UDP socket","Artica will restart PowerDNS",'system');
				$GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart pdns');
				WriteFileCache($file);
				return;
			}else{
				events("PowerDNS: Unable to bind UDP socket: but take action after 10mn");
				return;
			}			
	}	
	
	
//pdns_recursor[5011]: Failed to update . records, RCODE=2
if(preg_match("#pdns_recursor\[.+?:\s+Failed to update \. records, RCODE=2#",$buffer,$re)){
$file="/etc/artica-postfix/croned.1/restart.pdns.RCODE2.error";
	if(IfFileTime($file,5)){
				events("PowerDNS: Unable to query Public DNS");
				email_events("PowerDNS: Unable to query Public DNS","PowerDNS claim: $buffer,It seems that your Public DNS are not available or network is down",'system');
				WriteFileCache($file);
				return;
			}else{
				events("PowerDNS: Unable to query Public DNS: but take action after 10mn");
				return;
			}			
	}		
	

	
if(preg_match("#cpu system usage of ([0-9\.]+)% matches#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/cpu.system.monit";
	if(IfFileTime($file,15)){
				events("cpu exceed");
				email_events("cpu warning {$re[1]}%","Monitor claim \"$buffer\"",'system');
				WriteFileCache($file);
				return;
			}else{
				events("cpu exceed, but take action after 10mn");
				return;
			}			
	}

if(preg_match("#monit.+?'(.+)'\s+start:#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/monit.start.{$re[1]}";
	if(IfFileTime($file,5)){
				events("{$re[1]} start");
				email_events("{$re[1]} starting","Monitor currently starting service {$re[1]}",'system');
				WriteFileCache($file);
				return;
			}else{
				events("{$re[1]} start, but take action after 10mn");
				return;
			}			
	}		

if(preg_match("#monit\[.+?:\s+'(.+?)'\s+process is running with pid\s+([0-9]+)#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/monit.run.{$re[1]}";
	if(IfFileTime($file,5)){
				events("{$re[1]} running");
				email_events("{$re[1]} now running pid {$re[2]}","Monitor report $buffer",'system');
				WriteFileCache($file);
				return;
			}else{
				events("{$re[1]} running, but take action after 10mn");
				return;
			}			
	}		
	
if(preg_match("#nmbd.+?:\s+Cannot sync browser lists#",$buffer,$re)){
		$file="/etc/artica-postfix/croned.1/samba.CannotSyncBrowserLists.error";
		if(IfFileTime($file)){
			events("Samba cannot sync browser list, remove /var/lib/samba/wins.dat");
			@unlink("/var/lib/samba/wins.dat");
			WriteFileCache($file);
		}else{
			events("Samba error:$buffer, but take action after 10mn");
			return;
		}		
}

if(preg_match("#freshclam.+?:\s+Database updated \(([0-9]+)\s+signatures\) from .+?#",$buffer,$re)){
			email_events("ClamAV Database Updated {$re[1]} signatures","$buffer",'update');
			return;
		}
		
		
		
if(preg_match("#freshclam.+?Can.+?t\s+connect to port\s+([0-9]+)\s+of\s+host\s+(.+?)\s+#",$buffer,$re)){
	$host=$re[2].":".$re[1];
	$file="/etc/artica-postfix/croned.1/freshclam.error.".md5($host);
	if(IfFileTime($file)){
			email_events("Unable to update ClamAV Databases from $host","freshclam claim $buffer\nCheck is this server hav access to Internet\nCheck your proxy configuration",'update');
			WriteFileCache($file);
			return;
		}else{
			events("KAV4PROXY error:$buffer, but take action after 10mn");
			return;
		}		
	}		
		


if(preg_match("#KASERROR.+?NOLOGID.+?Can.+?find user mailflt3#",$buffer)){
	$file="/etc/artica-postfix/croned.1/KASERROR.NOLOGID.mailflt3";
		if(IfFileTime($file)){
			$GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/usr/share/artica-postfix/bin/artica-install --mailflt3');
			WriteFileCache($file);
			return;
		}else{
			events("KASERROR error:$buffer, but take action after 10mn");
			return;
		}		
}

if(preg_match("#lmtp.+?status=deferred.+?lmtp\]:.+?(No such file or directory|Too many levels of symbolic links)#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/cyrus.lmtp.failed";
		if(IfFileTime($file)){
			email_events("cyrus-imapd socket error","Postfix claim \"$buffer\", Artica will restart cyrus",'system');
			$GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/usr/share/artica-postfix/bin/artica-install --cyrus-checkconfig');
			$GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart imap');
			$GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix.main.cf.php --imap-sockets");
			cyrus_socket_error($buffer,$re[1]."lmtp");
			WriteFileCache($file);
			return;
		}else{
			events("CYRUS error:$buffer, but take action after 10mn");
			return;
		}		
}


if(preg_match("#rsyncd\[.+?:\s+recv.+?\[(.+?)\].+?([0-9]+)$#",$buffer,$re)){
	$file=md5($buffer);
	@mkdir('/var/log/artica-postfix/rsync',null,true);
	$f["IP"]=$re[1];
	$f["DATE"]=date('Y-m-d H:00:00');
	$f["SIZE"]=$re[2];
	@file_put_contents("/var/log/artica-postfix/rsync/$file",serialize($f));
}

if(preg_match("#kavmilter.+?Can.+?t load keys: No active key#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/kavmilter.key.failed";
		if(IfFileTime($file)){
			email_events("Kaspersky Antivirus Mail license error","KavMilter claim \"$buffer\"",'system');
			WriteFileCache($file);
			return;
		}else{
			events("Kaspersky Antivirus Mail license error:$buffer, but take action after 10mn");
			return;
		}		
}

if(preg_match("#kavmd.+?Can.+?t load keys:.+?#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/kavmd.key.failed";
		if(IfFileTime($file)){
			email_events("Kaspersky Antivirus Mail license error","Kaspersky Antivirus Mail claim \"$buffer\"",'system');
			WriteFileCache($file);
			return;
		}else{
			events("Kaspersky Antivirus Mail license error:$buffer, but take action after 10mn");
			return;
		}		
}

if(preg_match("#kavmd.+?ERROR Engine problem#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/kavmd.engine.failed";
		if(IfFileTime($file)){
			email_events("Kaspersky Antivirus Mail Engine error","Kaspersky Antivirus Mail claim \"$buffer\"",'system');
			WriteFileCache($file);
			return;
		}else{
			events("Kaspersky Antivirus Mail Engine error:$buffer, but take action after 10mn");
			return;
		}		
}



if(preg_match("#kavmilter.+?WARNING.+?Your AV signatures are older than#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/kavmilter.upd.failed";
		if(IfFileTime($file)){
			email_events("Kaspersky Antivirus Mail AV signatures are older","KavMilter claim \"$buffer\"",'system');
			WriteFileCache($file);
			return;
		}else{
			events("Kaspersky Antivirus update license error:$buffer, but take action after 10mn");
			return;
		}		
}
if(preg_match("#dansguardian.+?Error compiling regexp#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/dansguardian.compiling.regexp";
		if(IfFileTime($file)){
			email_events("Dansguardian failed to start","Dansguardian claim \"$buffer\"",'system');
			WriteFileCache($file);
			return;
		}else{
			events("Dansguardian failed to start:$buffer, but take action after 10mn");
			return;
		}		
}

if(preg_match("#kavmilter.+?Invalid value specified for SendmailPath#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/kavmilter.SendmailPath.Invalid";
		if(IfFileTime($file)){
			events("Check SendmailPath for kavmilter");
			$GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.kavmilter.php --SendmailPath");
			WriteFileCache($file);
			return;
		}else{
			events("Check SendmailPath for kavmilter:$buffer, but take action after 10mn");
			return;
		}		
}

if(preg_match("#KAVMilter Error.+?Group.+?Default.+?has error#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/kavmilter.Default.error";
		if(IfFileTime($file)){
			events("Check Group default for kavmilter");
			$GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.kavmilter.php --default-group");
			WriteFileCache($file);
			return;
		}else{
			events("Check Group default for kavmilter:$buffer, but take action after 10mn");
			return;
		}		
}

if(preg_match("#kavmilter.+?Message INFECTED from (.+?)\(remote:\[(.+?)\).+?with\s+(.+?)$#",$buffer,$re)){
	events("KAVMILTER INFECTION <{$re[1]}> {$re[2]}");
	infected_queue("kavmilter",trim($re[1]),trim($re[2]),trim($re[3]));
	return;
}


if(preg_match("#pdns\[.+?\[LdapBackend.+?Ldap connection to server failed#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/pdns.ldap.error";
	if(IfFileTime($file)){
			events("PDNS LDAP FAILED");
			email_events("PowerDNS ldap connection failed","PowerDNS claim \"$buffer\"",'system');
			WriteFileCache($file);
			return;
		}else{
			events("PDNS FAILED:$buffer, but take action after 10mn");
			return;
		}		
}





if(preg_match("#master.+?cannot find executable for service.+?sieve#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/cyrus.sieve.error";
		if(IfFileTime($file)){
			events("Check sieve path");
			$GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("/usr/share/artica-postfix/bin/artica-install --reconfigure-cyrus");
			WriteFileCache($file);
			return;
		}else{
			events("Check sieve path error :$buffer, but take action after 10mn");
			return;
		}		
}


if(preg_match("#smbd\[.+?write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer#",$buffer,$re)){
	$file="/etc/artica-postfix/croned.1/samba.Error.Connection.reset.by.peer.error";
		if(IfFileTime($file)){
			events("Check sieve Error Connection reset by peer");
			$text[]="Your MS Windows computers should not have access to the server cause network generic errors";
			$text[]="- Check these parameters:"; 
			$text[]="- Check if Apparmor or SeLinux are disabled on the server.";
			$text[]="- Check your hard drives by this command-line: hdparm -tT /dev/sda(0-9)";
			$text[]="- Check that 137|138|139|445 ports is open from workstation to this server";
			$text[]="- Check network switch or hub connection between this server and your workstations.";
			$text[]="- Try to add this registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]\n\t\"TimeOutValue\"=dword:0000003c";
			email_events("Samba network error","Samba claim \"$buffer\"\n" .implode("\n",$text) ,'system');
			WriteFileCache($file);
			return;
		}else{
			events("Check sieve Error Connection reset by peer :$buffer, but take action after 10mn");
			return;
		}		
}


$mem=round(((memory_get_usage()/1024)/1000),2);	
events_not_filtered("Not Filtered:\"$buffer\" (line ".__LINE__.") memory: {$mem}MB");		
}
Exemplo n.º 3
0
function event_finish($postfix_id, $to, $status, $bounce_error, $from = null, $buffer = null)
{
    $delivery_success = 'yes';
    if ($status = 'bounced') {
        $delivery_success = 'no';
    }
    if ($status = 'deferred') {
        $delivery_success = 'no';
    }
    if ($status = 'reject') {
        $delivery_success = 'no';
    }
    if ($status = 'expired') {
        $delivery_success = 'no';
    }
    if (preg_match("#Queued mail for delivery#", $bounce_error)) {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sended";
    }
    if (preg_match("#Sender address rejected: need fully-qualified address#", $bounce_error)) {
        $status = "rejected";
        $delivery_success = "no";
        $bounce_error = "need fully-qualified address";
    }
    if (preg_match("#no mailbox here#", $bounce_error)) {
        $status = "rejected";
        $delivery_success = "no";
        $bounce_error = "Mailbox Unknown";
    }
    if (preg_match("#refused to talk to me.+?RBL rejection#", $bounce_error)) {
        $status = "rejected";
        $delivery_success = "no";
        $bounce_error = "RBL";
    }
    if (preg_match("#550.+?Service unavailable.+?blocked using.+?RBL#", $bounce_error)) {
        $status = "rejected";
        $delivery_success = "no";
        $bounce_error = "RBL";
    }
    if (preg_match("#554 : Recipient address rejected: Access denied#", $bounce_error)) {
        $status = "rejected";
        $delivery_success = "no";
        $bounce_error = "Access denied";
    }
    if (preg_match("#451 4.2.0 Mailbox has an invalid format#", $bounce_error)) {
        $status = "rejected";
        $delivery_success = "no";
        $bounce_error = "Mailbox corrupt";
    }
    if (preg_match("#delivered via#", $bounce_error)) {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sended";
    }
    if (preg_match("#Content scanner malfunction#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Content scanner malfunction";
    }
    if (preg_match("#4\\.5\\.0 Failure#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Error";
    }
    if (preg_match("#250 2\\.0\\.0 Ok#", $bounce_error)) {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sended";
    }
    if (preg_match("#Host or domain name not found#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Host or domain name not found";
    }
    if (preg_match("#4\\.5\\.0 Error in processing#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Error";
    }
    if (preg_match("#Sender address rejected.+?Domain not found#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Domain not found";
    }
    if (preg_match("#delivered to command: procmail -a#", $bounce_error)) {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sent to procmail";
    }
    if (preg_match("#550 must be authenticated#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Authentication error";
    }
    if (preg_match("#250 Message.+?accepted by#", $bounce_error)) {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sended";
    }
    if (preg_match("#Connection timed out#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "timed out";
    }
    if (preg_match("#connect\\s+to.+?Connection refused#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Connection refused";
    }
    if (preg_match("#temporary failure.+?artica-msmtp:\\s+recipient address\\s+(.+?)\\s+not accepted by the server artica-msmtp#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "artica-filter error";
    }
    if (preg_match("#250 2\\.1\\.5 Ok#", $bounce_error)) {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sended";
    }
    if ($bounce_error == "250 OK: data received") {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sended";
    }
    if ($bounce_error == "250 Ok: queued as") {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sended";
    }
    if (preg_match("#504.+?Recipient address rejected#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "recipient address rejected";
    }
    if (preg_match("#Address rejected#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Address rejected";
    }
    if (preg_match("#conversation with .+?timed out#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "timed out";
    }
    if (preg_match("#connect to\\s+(.+?)\\[.+?cyrus.+?lmtp\\]: Connection refused#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "mailbox service error";
        cyrus_generic_error($bounce_error, "Cyrus socket error");
    }
    if (preg_match("#host.+?\\[(.+?)\\]\\s+said:.+?<(.+?)>: Recipient address rejected: User unknown in local recipient table#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "User unknown";
        $to = $re[2];
    }
    if (preg_match("#said:.+?Authentication required#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Authentication required";
    }
    if (preg_match("#temporary failure.+?[0-9]+\\s+[0-9\\.]+\\s+Bad sender address syntax.+?could not send mail#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "Bad sender address syntax";
    }
    if (preg_match("#connect.+?Permission denied#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "service permissions error";
    }
    if (preg_match("#Command died with status 255:.+?exec\\.artica-filter\\.php#", $bounce_error)) {
        $status = "Error";
        $delivery_success = "no";
        $bounce_error = "artica-filter error";
    }
    if (preg_match("#250 2\\.5\\.0\\s+Ok#", $bounce_error)) {
        $status = "Deliver";
        $delivery_success = "yes";
        $bounce_error = "Sended";
    }
    if ($delivery_success == "no") {
        if ($bounce_error == "User unknown in relay recipient table") {
            $bounce_error = "User unknown";
        }
        events("event_finish() line " . __LINE__ . " bounce_error={$bounce_error}");
        if (preg_match("#connect to.+?\\[(.+?)lmtp\\].+?No such file or directory#", $bounce_error, $ra)) {
            events("Cyrus error found -> CyrusSocketErrot");
            cyrus_socket_error($bounce_error, $ra[1] . '/lmtp');
        }
        if (preg_match("#550\\s+User\\s+unknown\\s+<(.+?)>.+?in reply to RCPT TO command#", $bounce_error, $ra)) {
            mailbox_unknown($bounce_error, $ra[1]);
        }
    }
    $file = "/var/log/artica-postfix/RTM/{$postfix_id}.msg";
    $ini = new Bs_IniHandler($file);
    if (preg_match("#from.+?\\[([0-9\\.]+)?\\]#", $buffer, $re)) {
        $ini->set("TIME", "smtp_sender", $re[1]);
    }
    if ($from != null) {
        $ini->set("TIME", "mailfrom", $from);
    }
    $ini->set("TIME", "mailto", "{$to}");
    $ini->set("TIME", "bounce_error", "{$bounce_error}");
    $ini->set("TIME", "time_end", date("Y-m-d H:i:s"));
    $ini->set("TIME", "delivery_success", "{$delivery_success}");
    events("event_finish() [{$postfix_id}]: {$from} => {$to} err={$bounce_error} success={$delivery_success}");
    $ini->saveFile($file);
}
Exemplo n.º 4
0
function Parseline($buffer)
{
    if (is_file("/etc/artica-postfix/DO_NOT_DETECT_POSTFIX")) {
        return;
    }
    $buffer = trim($buffer);
    if ($buffer == null) {
        return null;
    }
    if (!isset($GLOBALS["maillog_tools"])) {
        $GLOBALS["maillog_tools"] = new maillog_tools();
    }
    if (preg_match("#qmgr\\[.*?:\\s+([0-9A-Z]+): removed#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_messageid_removed($re[1]);
        return;
    }
    if (is_file("{$GLOBALS["ARTICALOGDIR"]}/smtp-hack-reconfigure")) {
        smtp_hack_reconfigure();
    }
    if (strpos($buffer, 'config file "/etc/mail/greylist.conf"') > 0) {
        return;
    }
    if (strpos($buffer, "]: fatal: Usage:postmulti") > 0) {
        return;
    }
    if (strpos($buffer, "warning: non-SMTP command from unknown") > 0) {
        return;
    }
    if (strpos($buffer, "Do you need to run 'sa-update'?") > 0) {
        amavis_sa_update($buffer);
        return;
    }
    if (strpos($buffer, "Passed CLEAN {AcceptedOpenRelay}") > 0) {
        return;
    }
    if (strpos($buffer, "Passed BAD-HEADER-1 {RelayedInternal}") > 0) {
        return;
    }
    if (strpos($buffer, "Valid PID file (") > 0) {
        return;
    }
    if (strpos($buffer, "]: SA dbg:") > 0) {
        return;
    }
    if (strpos($buffer, ") SA dbg:") > 0) {
        return;
    }
    if (strpos($buffer, "enabling PIX workarounds: disable_esmtp delay_dotcrlf") > 0) {
        return;
    }
    if (strpos($buffer, "]: child: exiting: idle for") > 0) {
        return;
    }
    if (strpos($buffer, "]: master: child") > 0) {
        return;
    }
    if (strpos($buffer, ") 2822.From: <") > 0) {
        return;
    }
    if (strpos($buffer, ") Connecting to LDAP server") > 0) {
        return;
    }
    if (strpos($buffer, ") connect_to_ldap: connected") > 0) {
        return;
    }
    if (strpos($buffer, ") connect_to_ldap: bind") > 0) {
        return;
    }
    if (strpos($buffer, ") Passed CLEAN, AM.PDP-SOCK [") > 0) {
        return;
    }
    if (strpos($buffer, "mode select: signing") > 0) {
        return;
    }
    if (strpos($buffer, "Starting worker process for POP3 request") > 0) {
        return;
    }
    if (strpos($buffer, ": Accepted connection from") > 0) {
        return;
    }
    if (strpos($buffer, "]: Not authorized for command:") > 0) {
        return;
    }
    if (strpos($buffer, "milter-greylist: GeoIP failed to lookup ip") > 0) {
        return;
    }
    if (strpos($buffer, ": Number of messages in the queue") > 0) {
        return;
    }
    if (strpos($buffer, ") inspect_dsn: is a DSN") > 0) {
        return;
    }
    if (strpos($buffer, ": decided action=DUNNO NULL") > 0) {
        return;
    }
    if (strpos($buffer, "Mail::SpamAssassin::Plugin::Check") > 0) {
        return;
    }
    if (strpos($buffer, "vnStat daemon") > 0) {
        return;
    }
    if (strpos($buffer, "aliases.db: duplicate entry") > 0) {
        return;
    }
    if (strpos($buffer, "DKIM-Signature\" header added") > 0) {
        return;
    }
    if (strpos($buffer, "DKIM verification successful") > 0) {
        return;
    }
    if (strpos($buffer, ": decided action=PREPEND X-policyd-weight: using cached result;") > 0) {
        return;
    }
    if (strpos($buffer, " mode select: verifying") > 0) {
        return;
    }
    if (strpos($buffer, "Message canceled by rule") > 0) {
        return;
    }
    if (strpos($buffer, "no signing table match for") > 0) {
        return;
    }
    if (strpos($buffer, "Connection closed because of timeout") > 0) {
        return;
    }
    //if(strpos($buffer,") SPAM-TAG, <")>0){return;}
    if (strpos($buffer, ") mail checking ended: version_server=") > 0) {
        return;
    }
    if (strpos($buffer, ") check_header:") > 0) {
        return;
    }
    if (strpos($buffer, ") dkim: FAILED Author") > 0) {
        return;
    }
    if (strpos($buffer, ") dkim: VALID Sender signature") > 0) {
        return;
    }
    if (strpos($buffer, ") collect banned table") > 0) {
        return;
    }
    if (strpos($buffer, ") p.path") > 0) {
        return;
    }
    if (strpos($buffer, ") ask_av Using (ClamAV-clamd): CONTSCAN") > 0) {
        return;
    }
    if (strpos($buffer, ") ClamAV-clamd: Connecting to socket") > 0) {
        return;
    }
    if (strpos($buffer, ") ClamAV-clamd: Sending CONTSCAN") > 0) {
        return;
    }
    if (strpos($buffer, ") inspect_dsn:") > 0) {
        return;
    }
    if (strpos($buffer, "IO::Socket::INET") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp resp to greeting:") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp cmd> EHLO") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp resp to EHLO:") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp resp to RCPT (") > 0) {
        return;
    }
    if (strpos($buffer, "greylist: mi_stop=1") > 0) {
        return;
    }
    if (strpos($buffer, "smfi_main() returned 0") > 0) {
        return;
    }
    if (strpos($buffer, "Final database dump") > 0) {
        return;
    }
    if (strpos($buffer, "refreshing the Postfix") > 0) {
        return;
    }
    if (strpos($buffer, "class.auth.tail.inc") > 0) {
        return;
    }
    if (strpos($buffer, "authenticated, bypassing greylisting") > 0) {
        return;
    }
    if (strpos($buffer, "NEW message_id") > 0) {
        return;
    }
    if (strpos($buffer, "Passed CLEAN {") > 0) {
        return;
    }
    if (strpos($buffer, ") Blocked SPAM {") > 0) {
        return;
    }
    if (strpos($buffer, ") Blocked SPAMMY {") > 0) {
        return;
    }
    if (strpos($buffer, "does not resolve to address") > 0) {
        return;
    }
    if (strpos($buffer, "skipped, still being delivered") > 0) {
        return;
    }
    if (strpos($buffer, "(0,lock|fold_fix)") > 0) {
        return;
    }
    if (strpos($buffer, "Insecure dependency in open while running with -T") > 0) {
        return;
    }
    // ************************ DKIM DUTSBIN
    if (strpos($buffer, "no signing domain match for") > 0) {
        return;
    }
    if (strpos($buffer, "no signing subdomain match for") > 0) {
        return;
    }
    if (strpos($buffer, "no signing keylist match for") > 0) {
        return;
    }
    if (strpos($buffer, ": no signature data") > 0) {
        return;
    }
    if (strpos($buffer, " not internal") > 0) {
        return;
    }
    if (strpos($buffer, " not authenticated") > 0) {
        return;
    }
    // ************************ ZARAFA DUTSBIN
    if (strpos($buffer, "]: Still waiting for 1 threads to exit") > 0) {
        return;
    }
    if (preg_match("#zarafa-dagent\\[.*?Delivered message to#", $buffer)) {
        return;
    }
    if (strpos($buffer, ": Disconnecting client.") > 0) {
        return;
    }
    if (strpos($buffer, "thread exiting") > 0) {
        return;
    }
    if (strpos($buffer, "Started to create store") > 0) {
        return;
    }
    //if(strpos($buffer,") p00")>0){return;}
    //if(strpos($buffer,") TIMING [total")>0){return;}
    //if(strpos($buffer,") TIMING-SA total")>0){return;}
    if (strpos($buffer, "mailarchiver[") > 0) {
        return;
    }
    if (strpos($buffer, ") policy protocol:") > 0) {
        return;
    }
    if (strpos($buffer, "]: policy protocol:") > 0) {
        return;
    }
    if (strpos($buffer, ") run_av (ClamAV-clamd)") > 0) {
        return;
    }
    if (strpos($buffer, "Net::Server: Process Backgrounded") > 0) {
        return;
    }
    if (strpos($buffer, "Net::Server:") > 0) {
        return;
    }
    if (strpos($buffer, ": No ext program for") > 0) {
        return;
    }
    if (strpos($buffer, ": SA info: zoom: able to use") > 0) {
        return;
    }
    if (strpos($buffer, ": warm restart on HUP [") > 0) {
        return;
    }
    if (strpos($buffer, ": starting. (warm)") > 0) {
        return;
    }
    if (strpos($buffer, "user=postfix, EUID:") > 0) {
        return;
    }
    if (strpos($buffer, "No \$altermime,") > 0) {
        return;
    }
    if (strpos($buffer, "starting. /usr/local/sbin/amavisd") > 0) {
        return;
    }
    if (strpos($buffer, "initializing Mail::SpamAssassin") > 0) {
        return;
    }
    if (strpos($buffer, "Net::Server: Binding to UNIX socket file") > 0) {
        return;
    }
    if (strpos($buffer, "SpamControl: init_pre_chroot on SpamAssassin done") > 0) {
        return;
    }
    if (strpos($buffer, "Starting worker for LMTP request") > 0) {
        return;
    }
    if (strpos($buffer, "LMTP thread exiting") > 0) {
        return;
    }
    if (strpos($buffer, ") truncating a message passed to SA at") > 0) {
        return;
    }
    if (strpos($buffer, "loaded policy bank") > 0) {
        return;
    }
    if (strpos($buffer, "process_request: fileno sock") > 0) {
        return;
    }
    if (strpos($buffer, "AM.PDP  /var/amavis/") > 0) {
        return;
    }
    if (strpos($buffer, "KASWARNING [NOLOGID]: mfhelo: HELO already set") > 0) {
        return;
    }
    if (strpos($buffer, "Passed CLEAN {AcceptedInbound}") > 0) {
        return;
    }
    if (strpos($buffer, "Blocked MTA-BLOCKED {TempFailedOutbound}") > 0) {
        return;
    }
    if (strpos($buffer, ") body hash: ") > 0) {
        return;
    }
    //if(strpos($buffer,") spam_scan: score=")>0){return;}
    if (strpos($buffer, ") Cached virus check expired") > 0) {
        return;
    }
    if (strpos($buffer, ") blocking contents category is") > 0) {
        return;
    }
    if (strpos($buffer, ") do_notify_and_quar: ccat=") > 0) {
        return;
    }
    if (strpos($buffer, ") inspect_dsn: not a bounce") > 0) {
        return;
    }
    if (strpos($buffer, ") local delivery:") > 0) {
        return;
    }
    if (strpos($buffer, ") DSN: NOTIFICATION: ") > 0) {
        return;
    }
    if (strpos($buffer, ") SEND via PIPE:") > 0) {
        return;
    }
    if (strpos($buffer, "Discarding because filter instructed us to") > 0) {
        return;
    }
    if (strpos($buffer, ") Checking for banned types and") > 0) {
        return;
    }
    if (strpos($buffer, "skipping mailbox user") > 0) {
        return;
    }
    if (strpos($buffer, "artica-plugin:") > 0) {
        return;
    }
    if (strpos($buffer, "success delivered trough 192.168.1.228:33559") > 0) {
        return;
    }
    if (strpos($buffer, "skiplist: checkpointed /var/lib/cyrus/user") > 0) {
        return;
    }
    if (strpos($buffer, "starttls: TLSv1 with cipher AES256-SHA (256/256 bits new)") > 0) {
        return;
    }
    if (strpos($buffer, "lost connection after CONNECT from unknown") > 0) {
        return null;
    }
    if (strpos($buffer, "lost connection after DATA from unknown") > 0) {
        return null;
    }
    if (strpos($buffer, "lost connection after RCPT") > 0) {
        return null;
    }
    if (strpos($buffer, "created decompress buffer of") > 0) {
        return null;
    }
    if (strpos($buffer, "created compress buffer of") > 0) {
        return null;
    }
    if (strpos($buffer, "SQUAT returned") > 0) {
        return null;
    }
    if (strpos($buffer, ": lmtp connection preauth") > 0) {
        return null;
    }
    if (strpos($buffer, "indexing mailbox user") > 0) {
        return null;
    }
    if (strpos($buffer, "mystore: starting txn") > 0) {
        return null;
    }
    if (strpos($buffer, "duplicate_mark:") > 0) {
        return null;
    }
    if (strpos($buffer, "mystore: committing txn") > 0) {
        return null;
    }
    if (strpos($buffer, "cyrus/tls_prune") > 0) {
        return null;
    }
    if (strpos($buffer, "milter-greylist: reloading config file") > 0) {
        return null;
    }
    if (strpos($buffer, "milter-greylist: reloaded config file") > 0) {
        return null;
    }
    if (strpos($buffer, "skiplist: recovered") > 0) {
        return null;
    }
    if (strpos($buffer, "milter-reject NOQUEUE < 451 4.7.1 Greylisting in action, please come back in") > 0) {
        return null;
    }
    if (strpos($buffer, "extra modules loaded after daemonizing/chrooting") > 0) {
        return null;
    }
    if (strpos($buffer, "exec: /usr/bin/php5") > 0) {
        return;
    }
    if (strpos($buffer, "rec_get: type N") > 0) {
        return;
    }
    if (strpos($buffer, "Found decoder for ") > 0) {
        return;
    }
    if (strpos($buffer, "Internal decoder for ") > 0) {
        return;
    }
    if (strpos($buffer, "indexing mailboxes") > 0) {
        return;
    }
    if (strpos($buffer, "decided action=DUNNO multirecipient-mail - already accepted by previous query") > 0) {
        return;
    }
    if (strpos($buffer, "decided action=PREPEND X-policyd-weight: passed - too many local DNS-errors") > 0) {
        return;
    }
    if (strpos($buffer, "DSN: FILTER 554 Spam, spam level") > 0) {
        return;
    }
    if (strpos($buffer, "emailrelay: info: no more messages to send") > 0) {
        return;
    }
    if (strpos($buffer, "spamd: connection from ip6-localhost") > 0) {
        return;
    }
    if (strpos($buffer, "spamd: processing message") > 0) {
        return;
    }
    if (strpos($buffer, "spamd: clean message") > 0) {
        return;
    }
    if (strpos($buffer, "spamd: result:") > 0) {
        return;
    }
    if (strpos($buffer, "prefork: child states: I") > 0) {
        return;
    }
    if (strpos($buffer, "autowhitelisted for another") > 0) {
        return;
    }
    //if(strpos($buffer,"spamd: identified spam")>0){return;}
    if (strpos($buffer, "spamd: handled cleanup of child pid") > 0) {
        return;
    }
    if (strpos($buffer, "open_on_specific_fd") > 0) {
        return;
    }
    if (strpos($buffer, "rundown_child on") > 0) {
        return;
    }
    if (strpos($buffer, "switch_to_my_time") > 0) {
        return;
    }
    if (strpos($buffer, "%, total idle") > 0) {
        return;
    }
    if (strpos($buffer, "exec.mailarchive.php[") > 0) {
        return;
    }
    if (strpos($buffer, "do_notify_and_quarantine: spam level exceeds") > 0) {
        return;
    }
    if (strpos($buffer, ", DEAR_SOMETHING=") > 0) {
        return;
    }
    if (strpos($buffer, ", DIGEST_MULTIPLE=") > 0) {
        return;
    }
    if (strpos($buffer, ", BAD_ENC_HEADER=") > 0) {
        return;
    }
    if (strpos($buffer, "dkim: VALID") > 0) {
        return;
    }
    if (strpos($buffer, "SA info: pyzor:") > 0) {
        return;
    }
    if (strpos($buffer, "DSN: sender is credible") > 0) {
        return;
    }
    if (strpos($buffer, "mail_via_pipe") > 0) {
        return;
    }
    if (strpos($buffer, ") ...continue") > 0) {
        return;
    }
    if (strpos($buffer, "Cached spam check expired") > 0) {
        return;
    }
    if (strpos($buffer, ") cached") > 0) {
        return;
    }
    if (strpos($buffer, "extra modules loaded:") > 0) {
        return;
    }
    if (strpos($buffer, "from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok") > 0) {
        return;
    }
    if (strpos($buffer, "Use of uninitialized value") > 0) {
        return;
    }
    if (strpos($buffer, "DecodeShortURLs") > 0) {
        return;
    }
    if (strpos($buffer, "FWD via SMTP: <") > 0) {
        return;
    }
    if (strpos($buffer, "DKIM-Signature header added") > 0) {
        return;
    }
    if (strpos($buffer, "Passed CLEAN, MYNETS LOCAL") > 0) {
        return;
    }
    if (strpos($buffer, ") Passed CLEAN, [") > 0) {
        return;
    }
    if (strpos($buffer, ") Passed BAD-HEADER, [") > 0) {
        return;
    }
    if (strpos($buffer, ") Checking: ") > 0) {
        return;
    }
    if (strpos($buffer, ") WARN: MIME::Parser error: unexpected end of header") > 0) {
        return;
    }
    if (strpos($buffer, ") Open relay? Nonlocal recips but not originating") > 0) {
        return;
    }
    if (strpos($buffer, ": not authenticated") > 0) {
        return;
    }
    if (strpos($buffer, ": dk_eom() returned status") > 0) {
        return;
    }
    if (strpos($buffer, "ASN1_D2I_READ_BIO:not enough data") > 0) {
        return;
    }
    if (strpos($buffer, "SpamControl: init_pre_fork on SpamAssassin done") > 0) {
        return;
    }
    if (strpos($buffer, ": Selected group:") > 0) {
        return;
    }
    if (strpos($buffer, "Message entity scanning: message CLEAN") > 0) {
        return;
    }
    if (strpos($buffer, "New connection on thread") > 0) {
        return;
    }
    //if(strpos($buffer,"AM.PDP-SOCK/MYNETS")>0){return;}
    if (strpos($buffer, ": disconnect from") > 0) {
        return;
    }
    if (strpos($buffer, "sfupdates: KASINFO") > 0) {
        return;
    }
    if (strpos($buffer, ": lost connection after CONNECT") > 0) {
        return;
    }
    if (strpos($buffer, "enabling PIX workarounds: disable_esmtp delay_dotcrlf") > 0) {
        return;
    }
    if (strpos($buffer, "Message Aborted!") > 0) {
        return;
    }
    if (strpos($buffer, "WHITELISTED [") > 0) {
        return;
    }
    if (strpos($buffer, "COMMAND PIPELINING from") > 0) {
        return;
    }
    if (strpos($buffer, "COMMAND COUNT LIMIT from [") > 0) {
        return;
    }
    if (strpos($buffer, "]: warning: psc_cache_update:") > 0) {
        return;
    }
    if (strpos($buffer, "]: PREGREET") > 0) {
        return;
    }
    if (strpos($buffer, ": PASS OLD [") > 0) {
        return;
    }
    if (strpos($buffer, "]: DNSBL rank") > 0) {
        return;
    }
    if (strpos($buffer, "]: HANGUP after") > 0) {
        return;
    }
    if (strpos($buffer, ": DISCONNECT [") > 0) {
        return;
    }
    if (strpos($buffer, "KASNOTICE") > 0) {
        return;
    }
    if (strpos($buffer, "KASINFO") > 0) {
        return;
    }
    if (strpos($buffer, "]: PASS NEW [") > 0) {
        return;
    }
    if (strpos($buffer, "]: COMMAND TIME LIMIT from") > 0) {
        return;
    }
    if (strpos($buffer, "Client host triggers FILTER") > 0) {
        return;
    }
    if (strpos($buffer, "Starting worker process for IMAP request") > 0) {
        return;
    }
    if (strpos($buffer, "IMAP thread exiting") > 0) {
        return;
    }
    if (strpos($buffer, "]: seen_db: user ") > 0) {
        return;
    }
    if (strpos($buffer, "Client disconnected") > 0) {
        return;
    }
    if (strpos($buffer, "starting the Postfix mail system") > 0) {
        return;
    }
    if (strpos($buffer, "Postfix mail system is already running") > 0) {
        return;
    }
    if (strpos($buffer, ": Perl version") > 0) {
        return;
    }
    if (strpos($buffer, ": No decoder for") > 0) {
        return;
    }
    if (strpos($buffer, "Using primary internal av scanner") > 0) {
        return;
    }
    if (strpos($buffer, "starting.  /usr/local/sbin/amavisd") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp resp to data-dot (") > 0) {
        return;
    }
    if (strpos($buffer, ") TIMING-SA total") > 0) {
        return;
    }
    if (strpos($buffer, ") sending SMTP response:") > 0) {
        return;
    }
    if (strpos($buffer, ") TIMING [total") > 0) {
        return;
    }
    if (strpos($buffer, ") Amavis::") > 0) {
        return;
    }
    if (strpos($buffer, "] run_as_subprocess: child done") > 0) {
        return;
    }
    if (strpos($buffer, "]: vstream_buf_get_ready:") > 0) {
        return;
    }
    if (strpos($buffer, "]: > 127.0.0.1[") > 0) {
        return;
    }
    if (strpos($buffer, "]: Using secondary internal") > 0) {
        return;
    }
    if (strpos($buffer, "]: rec_get:") > 0) {
        return;
    }
    if (strpos($buffer, ") p004 1") > 0) {
        return;
    }
    if (strpos($buffer, ") p001 1") > 0) {
        return;
    }
    if (strpos($buffer, ") p002 1") > 0) {
        return;
    }
    if (strpos($buffer, ") p003 1") > 0) {
        return;
    }
    if (strpos($buffer, ") SPAM-TAG,") > 0) {
        return;
    }
    if (strpos($buffer, "]: send attr") > 0) {
        return;
    }
    if (strpos($buffer, ") (!)FWD from <") > 0) {
        return;
    }
    if (strpos($buffer, ") bounce rescued by:") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp session: setting") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp cmd> MAIL FROM:") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp cmd> RCPT TO:") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp connection cache") > 0) {
        return;
    }
    if (strpos($buffer, ") spam_scan: score=") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp session reuse,") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp cmd> NOOP") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp resp to NOOP") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp cmd> DATA") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp resp to MAIL") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp resp to DATA:") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp cmd> QUIT") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp session most") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp resp to RCPT") > 0) {
        return;
    }
    if (strpos($buffer, ") inspect_dsn:") > 0) {
        return;
    }
    if (strpos($buffer, "IO::Socket::INET") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp resp to greeting") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp cmd> EHLO") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp resp to EHLO:") > 0) {
        return;
    }
    if (strpos($buffer, ") smtp resp to RCPT (") > 0) {
        return;
    }
    if (strpos($buffer, "exiting on SIGTERM/SIGINT") > 0) {
        return;
    }
    if (strpos($buffer, ": ready for work") > 0) {
        return;
    }
    if (strpos($buffer, ": process started") > 0) {
        return;
    }
    if (strpos($buffer, "]: entered child_init_hook") > 0) {
        return;
    }
    if (strpos($buffer, "]: SpamControl: init_child on SpamAssassin done") > 0) {
        return;
    }
    if (preg_match("#kavmilter\\[.+?\\[tid.+?New message from:#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#assp\\[.+?LDAP Results#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#amavis\\[[0-9]+\\]:\\s+\\([0-9\\-]+\\) FWD from <#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#smtpd\\[.+?\\]: disconnect from#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#smtpd\\[.+?\\]: timeout after END-OF-MESSAGE#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#smtpd\\[.+?\\]:.+?enabling PIX workarounds#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#milter-greylist:.+?skipping greylist#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#milter-greylist:\\s+\\(.+?greylisted entry timed out#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#postfix\\/smtpd\\[.+?\\]:\\s+lost connection after#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#assp.+?\\[MessageOK\\]#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#assp.+?\\[NoProcessing\\]#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#passed trough amavis and event is saved#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#assp.+?AdminUpdate#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#last message repeated.+?times#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#cyrus\\/master.+?about to exec#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#cyrus\\/.+?open: user#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#cyrus\\/lmtpunix.+?accepted connection#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#cyrus\\/lmtpunix.+?Delivered:#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#cyrus\\/master.+?process.+?exited#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#lmtpunix.+?mystore: starting txn#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#lmtpunix.+?duplicate_mark#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#lmtpunix.+?mystore: committing txn#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#ctl_cyrusdb.+?archiving#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#assp.+?LDAP - found.+?in LDAPlist;#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#anvil.+?statistics: max#", $buffer, $re)) {
        return null;
    }
    if (preg_match("#smfi_getsymval failed for#", $buffer)) {
        return null;
    }
    if (preg_match("#cyrus\\/imap\\[.+?Expunged\\s+[0-9]+\\s+message.+?from#", $buffer)) {
        return null;
    }
    if (preg_match("#cyrus\\/imap\\[.+?seen_db:\\s+#", $buffer)) {
        return null;
    }
    if (preg_match("#cyrus\\/[pop3|imap]\\[.+?SSL_accept\\(#", $buffer)) {
        return null;
    }
    if (preg_match("#cyrus\\/[pop3|imap]\\[.+?starttls:#", $buffer)) {
        return null;
    }
    if (preg_match("#cyrus\\/[pop3|imap]\\[.+?:\\s+inflate#", $buffer)) {
        return null;
    }
    if (preg_match("#cyrus\\/imap.*?fetching\\s+user_.+? entry for '#", $buffer)) {
        return null;
    }
    if (preg_match("#cyrus\\/.+?\\[.+?:\\s+accepted connection\$#", $buffer)) {
        return null;
    }
    if (preg_match("#cyrus\\/.+?\\[.+?:\\s+deflate\\(#", $buffer)) {
        return null;
    }
    if (preg_match("#cyrus\\/.+?\\[.+?:\\s+\\=>\\s+compressed to#", $buffer)) {
        return null;
    }
    if (preg_match("#filter-module\\[.+?:\\s+KASINFO#", $buffer)) {
        return null;
    }
    if (preg_match("#exec\\.mailbackup\\.php#", $buffer)) {
        return null;
    }
    if (preg_match("#kavmilter\\[.+?\\]:\\s+Loading#", $buffer)) {
        return null;
    }
    if (preg_match("#DBERROR: init.+?on berkeley#", $buffer)) {
        return null;
    }
    if (preg_match("#FATAL: lmtpd: unable to init duplicate delivery database#", $buffer)) {
        return null;
    }
    if (preg_match("#skiplist: checkpointed.+?annotations\\.db#", $buffer)) {
        return null;
    }
    if (preg_match("#duplicate_prune#", $buffer)) {
        return null;
    }
    if (preg_match("#cyrus\\/cyr_expire\\[[0-9]+#", $buffer)) {
        return null;
    }
    if (preg_match("#cyrus\\/imap.+?SSL_accept#", $buffer)) {
        return null;
    }
    if (preg_match("#cyrus\\/pop3.+?SSL_accept#", $buffer)) {
        return null;
    }
    if (preg_match("#cyrus\\/imap.+?:\\s+executed#", $buffer)) {
        return null;
    }
    if (preg_match("#cyrus\\/ctl_cyrusdb.+?recovering cyrus databases#", $buffer)) {
        return null;
    }
    if (preg_match("#cyrus.+?executed#", $buffer)) {
        return null;
    }
    if (preg_match("#postfix\\/.+?refreshing the Postfix mail system#", $buffer)) {
        return null;
    }
    if (preg_match("#master.+?reload -- version#", $buffer)) {
        return null;
    }
    if (preg_match("#SQUAT failed#", $buffer)) {
        return null;
    }
    if (preg_match("#lmtpunix.+?sieve\\s+runtime\\s+error\\s+for#", $buffer)) {
        return null;
    }
    if (preg_match("#imapd:Loading hard-coded DH parameters#", $buffer)) {
        return null;
    }
    if (preg_match("#ctl_cyrusdb.+?checkpointing cyrus databases#", $buffer)) {
        return null;
    }
    if (preg_match("#idle for too long, closing connection#", $buffer)) {
        return null;
    }
    if (preg_match("#amavis\\[.+?Found#", $buffer)) {
        return null;
    }
    if (preg_match("#amavis\\[.+?Module\\s+#", $buffer)) {
        return null;
    }
    if (preg_match("#amavis\\[.+?\\s+loaded\$#", trim($buffer))) {
        return null;
    }
    if (preg_match("#amavis\\[.+?\\s+Internal decoder#", trim($buffer))) {
        return null;
    }
    if (preg_match("#amavis\\[.+?\\s+Creating db#", trim($buffer))) {
        return null;
    }
    if (preg_match("#smtpd\\[.+? warning:.+?address not listed for hostname#", $buffer)) {
        return null;
    }
    if (preg_match("#zarafa-dagent\\[.+?Delivered message to#", $buffer)) {
        return null;
    }
    if (preg_match("#postfix\\/policyd-weight\\[.+?SPAM#", $buffer)) {
        return null;
    }
    if (preg_match("#postfix\\/policyd-weight\\[.+?decided action=550#", $buffer)) {
        return null;
    }
    if (preg_match("#cyrus\\/lmtp\\[.+?Delivered#", $buffer)) {
        return null;
    }
    if (preg_match("#ESMTP::.+?\\/var\\/amavis\\/tmp\\/amavis#", $buffer)) {
        return null;
    }
    if (preg_match("#zarafa-dagent.+?Client disconnected#", $buffer)) {
        return null;
    }
    if (preg_match("#zarafa-dagent.+?Failed to resolve recipient#", $buffer)) {
        return null;
    }
    // MIMEDFANG
    if (strpos($buffer, "stderr: netset: cannot include") > 0) {
        return;
    }
    if (strpos($buffer, "MySQL: from=<") > 0) {
        return;
    }
    if (strpos($buffer, "MGREYSTATS") > 0) {
        $md5 = md5($buffer);
        @file_put_contents("{$GLOBALS["ARTICALOGDIR"]}/MGREYSTATS/{$md5}", $buffer);
        return;
    }
    if (stripos($buffer, "opendkim") > 0) {
        include_once dirname(__FILE__) . '/ressources/class.opendkim.maillog.inc';
        if (parse_opendkim($buffer)) {
            return;
        }
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#NOQUEUE: (discard|Quarantine): RCPT from\\s+(.*?):.*?Message infected \\[(.*?)\\];.*?\\[(.*?)\\].*?from=<(.*?)> to=<(.*?)>#", $buffer, $re)) {
        $date = date("Y-m-d H:i:s");
        $postgres = new postgres_sql();
        $hostname = $re[2];
        $ipaddr = $re[4];
        $reason = "Infected:{$re[3]}";
        $mailfrom = $re[5];
        $mailto = $re[6];
        $helo = $re[2];
        if ($hostname == "unknown") {
            $hostname = gethostbyaddr($ipaddr);
        }
        $VALUES = "('{$date}','{$hostname}','{$mailfrom}','{$mailto}','{$ipaddr}','{$reason}')";
        $postgres->QUERY_SQL("INSERT INTO smtprefused (zdate,hostname,mailfrom,mailto,ipaddr,reason) VALUES {$VALUES}");
        return true;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#NOQUEUE: MXCommand: connect: Connection refused: Is multiplexor running#", $buffer, $re)) {
        $file = "/etc/artica-postfix/pids/NOQUEUE.MXCommand.Connection.refused.multiplexor.running" . __LINE__ . ".err";
        $timefile = file_time_min($file);
        if ($timefile > 0) {
            events("Connection refused: Is multiplexor running ?? --> restart [OK] {$timefile}Mn");
            postfix_admin_mysql(1, "Policies service: (multiplexor running ?) Connection refused [action=restart]", $buffer, __FILE__, __LINE__);
            shell_exec("{$GLOBALS["NOHUP_PATH"]} /etc/init.d/mimedefang restart >/dev/null 2>&1 &");
            @unlink($file);
            @file_put_contents($file, time());
            return;
        }
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#Slave [0-9]+ stderr: bayes: cannot open bayes databases (.*?)\\/bayes_.*?: lock failed: Interrupted system call#", $buffer, $re)) {
        postfix_admin_mysql(1, "Spamassassin: bayes issue (lock failed) [action=notify]", $buffer, __FILE__, __LINE__);
        return;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#milter-reject: END-OF-MESSAGE from\\s+(.*?)\\[(.+?)\\]: 4.3.0 virus found (.*?); from=<(.*?)>\\s+to=<(.+?)>#", $buffer, $re)) {
        $date = date("Y-m-d H:i:s");
        $postgres = new postgres_sql();
        $hostname = $re[1];
        $ipaddr = $re[2];
        $reason = "Virus {$re[3]}";
        $mailfrom = $re[4];
        $mailto = $re[5];
        $VALUES = "('{$date}','{$hostname}','{$mailfrom}','{$mailto}','{$ipaddr}','{$reason}')";
        $postgres->QUERY_SQL("INSERT INTO smtprefused (zdate,hostname,mailfrom,mailto,ipaddr,reason) VALUES {$VALUES}");
        return true;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#NOQUEUE: reject: RCPT from (.*?):\\s+554.*?Client host \\[(.*?)\\] blocked using Spamassassin.*?from=<(.*?)> to=<(.*?)>#", $buffer, $re)) {
        $date = date("Y-m-d H:i:s");
        $postgres = new postgres_sql();
        $hostname = $re[1];
        $ipaddr = $re[2];
        $reason = "Antispam denied";
        $mailfrom = $re[3];
        $mailto = $re[4];
        $helo = $re[5];
        if ($hostname == "unknown") {
            $hostname = gethostbyaddr($ipaddr);
        }
        $VALUES = "('{$date}','{$hostname}','{$mailfrom}','{$mailto}','{$ipaddr}','{$reason}')";
        $postgres->QUERY_SQL("INSERT INTO smtprefused (zdate,hostname,mailfrom,mailto,ipaddr,reason) VALUES {$VALUES}");
        return true;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#NOQUEUE: Quarantine: RCPT from (.*?):\\s+554.*?Client host \\[(.*?)\\] blocked using Spamassassin.*?from=<(.*?)> to=<(.*?)>#", $buffer, $re)) {
        $date = date("Y-m-d H:i:s");
        $postgres = new postgres_sql();
        $hostname = $re[1];
        $ipaddr = $re[2];
        $reason = "Quarantine";
        $mailfrom = $re[3];
        $mailto = $re[4];
        $helo = $re[5];
        if ($hostname == "unknown") {
            $hostname = gethostbyaddr($ipaddr);
        }
        $VALUES = "('{$date}','{$hostname}','{$mailfrom}','{$mailto}','{$ipaddr}','{$reason}')";
        $postgres->QUERY_SQL("INSERT INTO smtprefused (zdate,hostname,mailfrom,mailto,ipaddr,reason) VALUES {$VALUES}");
        return true;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#NOQUEUE: milter-reject: RCPT from (.*?)\\[(.*?)\\]: 451.*?Greylisting in action.*?; from=<(.*?)> to=<(.*?)>.*?helo=<(.*?)>#", $buffer, $re)) {
        $date = date("Y-m-d H:i:s");
        $postgres = new postgres_sql();
        $hostname = $re[1];
        $ipaddr = $re[2];
        $reason = "Greylisted";
        $mailfrom = $re[3];
        $mailto = $re[4];
        $helo = $re[5];
        if ($hostname == "unknown") {
            $hostname = $helo;
        }
        $VALUES = "('{$date}','{$hostname}','{$mailfrom}','{$mailto}','{$ipaddr}','{$reason}')";
        $postgres->QUERY_SQL("INSERT INTO smtprefused (zdate,hostname,mailfrom,mailto,ipaddr,reason) VALUES {$VALUES}");
        return true;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#mimedefang.*?Could not connect to clamd daemon#", $buffer, $re)) {
        events("Antivirus issue while checking mail [action=restart clamd]");
        $file = "/etc/artica-postfix/pids/mimedefang.Could.not.connect.to.clamd.daemon";
        $timefile = file_time_min($file);
        if ($timefile > 0) {
            postfix_admin_mysql(0, "Antivirus issue while checking mail [action=restart clamd]", null, __FILE__, __LINE__);
            shell_exec("{$GLOBALS["NOHUP_PATH"]} /etc/init.d/clamav-daemon restart >/dev/null 2>&1 &");
            @unlink($file);
            @file_put_contents($file, time());
            return;
        }
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#warning: connect to Milter service unix:.*?mimedefang\\.sock: No such file or directory#", $buffer, $re)) {
        events("mimedefang.sock: No such file or directory --> restart ?");
        $file = "/etc/artica-postfix/pids/Milter.service.mimedefang." . __LINE__ . ".sock";
        $timefile = file_time_min($file);
        if ($timefile > 0) {
            events("mimedefang.sock: No such file or directory --> restart [OK] {$timefile}Mn");
            postfix_admin_mysql(1, "mimedefang.sock: No such file or directory [action=restart]", null, __FILE__, __LINE__);
            shell_exec("{$GLOBALS["NOHUP_PATH"]} /etc/init.d/mimedefang restart >/dev/null 2>&1 &");
            @unlink($file);
            @file_put_contents($file, time());
            return;
        }
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#warning: connect to Milter service unix:.*?milter-greylist\\.sock: Connection refused#", $buffer, $re)) {
        events("milter-greylist.sock: Connection refused --> restart ?");
        $file = "/etc/artica-postfix/pids/Milter.service.miltergreylist." . __LINE__ . ".sock";
        $timefile = file_time_min($file);
        if ($timefile > 0) {
            events("milter-greylist.sock: --> restart [OK] {$timefile}Mn");
            postfix_admin_mysql(1, "milter-greylist.sock: Connection refused [action=restart]", null, __FILE__, __LINE__);
            shell_exec("{$GLOBALS["NOHUP_PATH"]} /etc/init.d/milter-greylist restart >/dev/null 2>&1 &");
            @unlink($file);
            @file_put_contents($file, time());
            return;
        }
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#NOQUEUE: reject: RCPT from\\s+(.*?)\\[(.*?)\\]:\\s+554.*?blocked using\\s+(.*?); Client host blocked using\\s+(.*?),.*?from=<(.*?)> to=<(.*?)>.*?helo=<(.*?)>#", $buffer, $re)) {
        $date = date("Y-m-d H:i:s");
        $postgres = new postgres_sql();
        $hostname = $re[1];
        $ipaddr = $re[2];
        $Service = $re[3];
        $Service2 = $re[4];
        $mailfrom = $re[5];
        $mailto = $re[6];
        $helo = $re[7];
        if ($hostname == "unknown") {
            $hostname = $helo;
        }
        if (strlen($Service2) > 3) {
            $Service = $Service2;
        }
        $reason = "Rbl:{$Service}";
        $VALUES = "('{$date}','{$hostname}','{$mailfrom}','{$mailto}','{$ipaddr}','{$reason}')";
        $postgres->QUERY_SQL("INSERT INTO smtprefused (zdate,hostname,mailfrom,mailto,ipaddr,reason) VALUES {$VALUES}");
        return true;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#NOQUEUE: reject: RCPT from unknown\\[(.*?)\\]: 450 4.7.1 Client host rejected: cannot find your reverse hostname.*?from=<(.*?)> to=<(.*?)>.*?helo=<(.*?)>#", $buffer, $re)) {
        $date = date("Y-m-d H:i:s");
        $postgres = new postgres_sql();
        $ipaddr = $re[1];
        $mailfrom = $re[2];
        $mailto = $re[3];
        $hostname = $re[4];
        $reason = "Reverse not found";
        $VALUES = "('{$date}','{$hostname}','{$mailfrom}','{$mailto}','{$ipaddr}','{$reason}')";
        $postgres->QUERY_SQL("INSERT INTO smtprefused (zdate,hostname,mailfrom,mailto,ipaddr,reason) VALUES {$VALUES}");
        return true;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#NOQUEUE: reject:\\s+RCPT from unknown\\[([0-9\\.]+)\\].*?Client host rejected: cannot find your hostname.*?from=<(.*?)>\\s+to=<(.*?)>#", $buffer, $re)) {
        $date = date("Y-m-d H:i:s");
        $postgres = new postgres_sql();
        $hostname = $re[1];
        $ipaddr = $re[1];
        $mailfrom = $re[2];
        $mailto = $re[3];
        $reason = "Hostname not found";
        $VALUES = "('{$date}','{$hostname}','{$mailfrom}','{$mailto}','{$ipaddr}','{$reason}')";
        $postgres->QUERY_SQL("INSERT INTO smtprefused (zdate,hostname,mailfrom,mailto,ipaddr,reason) VALUES {$VALUES}");
        return true;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#NOQUEUE: reject:\\s+RCPT from (.*?)\\[([0-9\\.]+)\\].*?Client host rejected: Go Away.+?from=<(.*?)>\\s+to=<(.*?)>#", $buffer, $re)) {
        $date = date("Y-m-d H:i:s");
        $postgres = new postgres_sql();
        $hostname = $re[1];
        $ipaddr = $re[2];
        $mailfrom = $re[3];
        $mailto = $re[4];
        $reason = "Blacklisted";
        $VALUES = "('{$date}','{$hostname}','{$mailfrom}','{$mailto}','{$ipaddr}','{$reason}')";
        $postgres->QUERY_SQL("INSERT INTO smtprefused (zdate,hostname,mailfrom,mailto,ipaddr,reason) VALUES {$VALUES}");
        return true;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#NOQUEUE: reject: RCPT from unknown\\[(.*?)\\]: 450.*?<(.*?)>: Sender address rejected: Domain not found; from=<(.*?)> to=<(.*?)>.*?helo=<(.*?)>#", $buffer, $re)) {
        $date = date("Y-m-d H:i:s");
        $postgres = new postgres_sql();
        $hostname = $re[5];
        $ipaddr = $re[1];
        $mailfrom = $re[3];
        $mailto = $re[4];
        $reason = "Unknown sender domain";
        $VALUES = "('{$date}','{$hostname}','{$mailfrom}','{$mailto}','{$ipaddr}','{$reason}')";
        $postgres->QUERY_SQL("INSERT INTO smtprefused (zdate,hostname,mailfrom,mailto,ipaddr,reason) VALUES {$VALUES}");
        return true;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#NOQUEUE: reject: RCPT from (.*?)\\[(.*?)\\]: 450.*?Sender address rejected: Domain not found; from=<(.*?)> to=<(.*?)>#", $buffer, $re)) {
        $date = date("Y-m-d H:i:s");
        $postgres = new postgres_sql();
        $hostname = $re[1];
        $ipaddr = $re[2];
        $mailfrom = $re[3];
        $mailto = $re[4];
        $reason = "Unknown sender domain";
        $VALUES = "('{$date}','{$hostname}','{$mailfrom}','{$mailto}','{$ipaddr}','{$reason}')";
        $postgres->QUERY_SQL("INSERT INTO smtprefused (zdate,hostname,mailfrom,mailto,ipaddr,reason) VALUES {$VALUES}");
        return true;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#NOQUEUE: reject: RCPT from unknown\\[(.*?)\\]: 450.*?Client host rejected: cannot find your reverse hostname,.*?from=<(.*?)> to=<(.*?)>#", $buffer, $re)) {
        $date = date("Y-m-d H:i:s");
        $postgres = new postgres_sql();
        $hostname = "Unknown";
        $ipaddr = $re[1];
        $mailfrom = $re[2];
        $mailto = $re[3];
        $reason = "Unknown reverse hostname";
        $VALUES = "('{$date}','{$hostname}','{$mailfrom}','{$mailto}','{$ipaddr}','{$reason}')";
        $postgres->QUERY_SQL("INSERT INTO smtprefused (zdate,hostname,mailfrom,mailto,ipaddr,reason) VALUES {$VALUES}");
        return true;
    }
    if (preg_match("#reject#", $buffer)) {
        events("NOT TRAPPED \"{$buffer}\"");
    }
    if (preg_match("#unknown group name:\\s+postdrop#i", $buffer, $re)) {
        shell_exec("{$GLOBALS["GROUPADD"]} postdrop >/dev/null 2>&1");
        return;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#warning: SASL authentication problem: unable to open Berkeley db \\/etc\\/sasldb2: Permission denied#", $buffer, $re)) {
        $file = "/etc/artica-postfix/pids/SASL.authentication.problem." . __LINE__ . ".time";
        $timefile = file_time_min($file);
        if ($timefile > 3) {
            @file_put_contents("/etc/artica-postfix/settings/Daemons/smtpd_sasl_path", "smtpd");
            shell_exec("{$GLOBALS["postconf_bin_path"]} -e \"smtpd_sasl_path=smtpd\"");
            shell_exec("{$GLOBALS["NOHUP_PATH"]} /etc/init.d/postfix reload >/dev/null 2>&1 &");
            @unlink($file);
            @file_put_contents($file, time());
            return;
        }
    }
    if (preg_match("#smtpd.*?warning: No server certs available. TLS won't be enabled#", $buffer, $re)) {
        $file = "/etc/artica-postfix/pids/postfix.No.server.certs.available." . __LINE__ . ".time";
        $timefile = file_time_min($file);
        if ($timefile > 3) {
        }
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#fatal: scan_dir_push: open directory .*?: Permission denied#", $buffer, $re)) {
        shell_exec("{$GLOBALS["POSTFIX_BIN"]} set-permissions");
        shell_exec("{$GLOBALS["NOHUP_PATH"]} /etc/init.d/postfix restart >/dev/null 2>&1 &");
        return;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#warning: SASL authentication problem: unable to open Berkeley db\\s+(.+?):\\s+Permission denied#", $buffer, $re)) {
        $GLOBALS["CLASS_UNIX"]->chown_func("postfix", "postfix", "{$re[1]}");
        return;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#hash.*? open database\\s+(.*?)\\.db: No such file or directory#", $buffer, $re)) {
        if (!is_file($GLOBALS["postconf_bin_path"])) {
            return;
        }
        events("Missing hash database {$re[1]} -> build it");
        @file_put_contents($re[1], "\n");
        shell_exec("{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["postconf_bin_path"]} hash:{$re[1]} >/dev/null 2>&1 &");
        return;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#cyrus.*?DBERROR: opening (.*?)\\.seen: cyrusdb error#", $buffer, $re)) {
        events("cyrus, corrupted seen file {$re[1]}.seen");
        @unlink("{$re[1]}.seen");
        return;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#connect to.*?\\[(.*?)lmtp\\]:\\s+Permission denied#", $buffer)) {
        events("{$re[1]}/lmtp, permission denied, apply postfix:postfix");
        $GLOBALS["CLASS_UNIX"]->chown_func("postfix", "postfix", "{$re[1]}/lmtp");
        return;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#warning: connect \\#[0-9]+\\s+to subsystem private\\/cyrus: No such file or directory#", $buffer)) {
        events("Cyrus unconfigured, reconfigure it...");
        $file = "/etc/artica-postfix/pids/cyrus-subsystem." . __LINE__ . ".time";
        $timefile = file_time_min($file);
        if ($timefile > 3) {
            shell_exec_maillog("{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix.maincf.php --imap-sockets >/dev/null 2>&1 &");
        }
        @unlink($file);
        @file_put_contents($file, time());
        return;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#postfix-script\\[.+?: the Postfix mail system is not running#", $buffer)) {
        if ($GLOBALS["EnableStopPostfix"] == 0) {
            $file = "/etc/artica-postfix/pids/postfix-script.start.time";
            $timefile = file_time_min($file);
            if ($timefile > 1) {
                shell_exec_maillog("{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["postfix_bin_path"]} start >/dev/null 2>&1 &");
            }
            @unlink($file);
            @file_put_contents($file, time());
        }
        return;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#master.*?fatal: bind (.+?)\\s+port\\s+([0-9]+):\\s+Address already in use#", $buffer, $re)) {
        $port = $re[2];
        events("Port conflict on {$port}");
        exec("{$GLOBALS["fuser"]} {$port}/tcp 2>&1", $results);
        while (list($num, $ligne) = each($results)) {
            if (preg_match("#:\\s+([0-9]+)#", $ligne, $re)) {
                $tokill = $re[1];
                events("Killing PID {$tokill}");
                shell_exec_maillog("{$GLOBALS["kill"]} -9 {$tokill}");
            }
        }
        if ($GLOBALS["EnableStopPostfix"] == 0) {
            $file = "/etc/artica-postfix/pids/postfix-script.start." . __LINE__ . ".time";
            $timefile = file_time_min($file);
            if ($timefile > 1) {
                shell_exec_maillog("{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["postfix_bin_path"]} start >/dev/null 2>&1 &");
            }
            @unlink($file);
            @file_put_contents($file, time());
        }
        return;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (strpos($buffer, "fatal: mail system startup failed") > 0) {
        $sock = new sockets();
        if ($GLOBALS["EnableStopPostfix"] == 0) {
            $file = "/etc/artica-postfix/pids/postfix-script.start." . __LINE__ . ".time";
            $timefile = file_time_min($file);
            if ($timefile > 1) {
                shell_exec_maillog("{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["postfix_bin_path"]} start >/dev/null 2>&1 &");
            }
            @unlink($file);
            @file_put_contents($file, time());
        }
        return;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (strpos($buffer, " amavis[") > 0) {
        $p = new amavis_maillog_buffer($buffer);
        if ($p->parse()) {
            $p = null;
            return;
        }
    }
    $p = new postfix_maillog_buffer($buffer);
    if ($p->parse()) {
        $p = null;
        return;
    }
    if (strpos($buffer, " zarafa-") > 0) {
        if (!class_exists("zarafa_maillog_buffer")) {
            include_once dirname(__FILE__) . "/ressources/class.zarafa.maillog.inc";
        }
        $p = new zarafa_maillog_buffer($buffer);
        if ($p->parse()) {
            $p = null;
            return;
        }
    }
    if ($GLOBALS["CLASS_SETTINGS"]->cyrus_imapd_installed) {
        if (!class_exists("cyrus_maillog")) {
            include_once dirname(__FILE__) . "/ressources/class.cyrus.maillog.inc";
        }
        $p = new cyrus_maillog($buffer);
        if ($p->ParseBuffer()) {
            $p = null;
            return;
        }
    }
    if (preg_match("#createuser\\[.+?User store\\s+'(.+?)'\\s+createdi#", $buffer, $re)) {
        $this->email_events("Zarafa server new store created for {$re[1]}", $buffer, "mailbox");
        return;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#clamav-milter.*?No clamd server appears to be available#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/clamav-milter." . md5("No clamd server appears to be available");
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            postfix_admin_mysql(0, "Milter Antivirus issue! [action=update signatures]", $buffer, __FILE__, __LINE__);
            $cmd = "{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.freshclam.php --execute >/dev/null 2>&1 &";
            @unlink($file);
            @file_put_contents($file, "#");
            events("{$cmd}");
            shell_exec_maillog($cmd);
        }
        return;
    }
    // ---------------------------------------------------------------------------------------------------------------
    if (preg_match("#milter-greylist:.+?bind failed: Address already in use#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/milter-greylist." . md5("cannot start MX sync, bind failed: Address already in use");
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            email_events("milter-greylist: double service issue", "milter-greylist\n{$buffer}\nArtica will restart milter-greylist service", "smtp");
            @unlink($file);
            @file_put_contents($file, "#");
            $cmd = "{$GLOBALS["NOHUP_PATH"]} /etc/init.d/milter-greylist restart >/dev/null 2>&1 &";
            events("{$cmd}");
            shell_exec_maillog($cmd);
        }
        return;
    }
    if (strpos($buffer, "inet_interfaces: no local interface found") > 0) {
        $file = "/etc/artica-postfix/croned.1/postfix.error.inet_interfaces";
        events("inet_interfaces issues {$buffer}");
        $timefile = file_time_min($file);
        if ($timefile > 10) {
            email_events("{$re[1]}: misconfiguration on inet_interfaces", "Postfix claim \n{$buffer}\n\nIf this event is resended\nplease Check Artica Technology support service.", "postfix");
            @unlink($file);
            @file_put_contents($file, "#");
            $cmd = trim("{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix.maincf.php --interfaces >/dev/null 2>&1 &");
            events("{$cmd}");
            shell_exec_maillog($cmd);
        }
        return;
    }
    if (preg_match("#mail_queue_enter.*?create file maildrop\\/.*?Permission denied#", $buffer, $re)) {
        chgrp("/var/spool/postfix/public", "postdrop");
        chgrp("/var/spool/postfix/maildrop", "maildrop");
        shell_exec("{$GLOBALS["CHMOD"]} 1730 /var/spool/postfix/maildrop");
        shell_exec("{$GLOBALS["postfix_bin_path"]} stop && {$GLOBALS["postfix_bin_path"]} start");
        return;
    }
    if (preg_match("#(.+?)\\/smtpd\\[.+?fatal:\\s+config variable inet_interfaces#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/postfix.error.inet_interfaces";
        events("inet_interfaces issues' '{$re[1]}'");
        $timefile = file_time_min($file);
        if ($timefile > 10) {
            email_events("{$re[1]}: misconfiguration on inet_interfaces", "Postfix claim \n{$buffer}\n\nIf this event is resended\nplease Check Artica Technology support service.", "postfix");
            @unlink($file);
            @file_put_contents($file, "#");
            if ($re[1] == "postfix") {
                $cmd = trim("{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix.maincf.php --interfaces >/dev/null 2>&1 &");
                events("{$cmd}");
                shell_exec_maillog($cmd);
            } else {
                $cmd = trim("{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix-multi.php >/dev/null 2>&1 &");
                events("{$cmd}");
                shell_exec_maillog($cmd);
            }
        }
        return;
    }
    if (preg_match("#\\]:\\s+bayes: cannot open bayes databases\\s+(.+?)\\/bayes_.+?R\\/.+?: tie failed.+?Permission denied#", $buffer, $re)) {
        events("cannot open bayes databases , Permission denied' '{$re[1]}/bayes_*'");
        shell_exec_maillog("/bin/chown postfix:postfix {$re[1]}/bayes*");
        return;
    }
    if (preg_match("#\\]:\\s+bayes: cannot open bayes databases\\s+(.+?)\\/bayes_.+?R\\/O: tie failed#", $buffer, $re)) {
        events("cannot open bayes databases , unlink '{$re[1]}/bayes_seen' '{$re[1]}/bayes_toks'");
        if (is_file("{$re[1]}/bayes_seen")) {
            @unlink("{$re[1]}/bayes_seen");
        }
        if (is_file("{$re[1]}/bayes_toks")) {
            @unlink("{$re[1]}/bayes_toks");
        }
        return;
    }
    if (preg_match("#problem talking to server\\s+127\\.0\\.0\\.1:10040: Connection refused#", $buffer, $re)) {
        events("Postfix: Postfwd2 issue... -> Connection refused");
        $file = "/etc/artica-postfix/croned.1/postfix.postfwd2.Connection.refused";
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            email_events("Postfix: postfwd2 plugin is not available", "Postfix claim \n{$buffer}\nArtica will try to start postfwd2.", "postfix");
            shell_exec_maillog(trim("{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.postfwd2.php --start >/dev/null 2>&1"));
            @unlink($file);
            @file_put_contents($file, "#");
        } else {
            events("Postfix: Postfwd2 issue... -> Connection refused: {$timefile}Mn/5Mn");
        }
        return;
    }
    if (preg_match("#problem talking to server\\s+127\\.0\\.0\\.1:7777: Connection refused#", $buffer, $re)) {
        events("Postfix: policyd Daemon issue... -> Connection refused");
        $file = "/etc/artica-postfix/croned.1/postfix.policyd.Connection.refused";
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            email_events("Postfix: policyd plugin is not available", "Postfix claim \n{$buffer}\nArtica will try to start policyd Daemon.", "postfix");
            shell_exec_maillog(trim("{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.postfwd2.php --start >/dev/null 2>&1"));
            @unlink($file);
            @file_put_contents($file, "#");
        } else {
            events("Postfix: Postfwd2 issue... -> Connection refused: {$timefile}Mn/5Mn");
        }
        return;
    }
    if (preg_match("#postfix-(.+?)\\/smtpd\\[[0-9]+\\]:\\s+warning:\\s+connect to Milter service unix:(.+?):\\s+Connection refused#", $buffer, $re)) {
        events("Postfix: {$re[2]} socket issue Connection refused... (line " . __LINE__ . ")");
        $file = "/etc/artica-postfix/croned.1/postfix.{$re[1]}." . md5($re[2]) . ".sock.No.such.file.or.directory";
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            $cmd = trim("{$GLOBALS["NOHUP_PATH"]} /bin/chown postfix:postfix {$re[2]} >/dev/null 2>&1 &");
            events("Postfix:{$re[1]}: {$cmd}");
            shell_exec_maillog($cmd);
        }
        return;
    }
    if (preg_match("#smtpd\\[.+?warning:\\s+connect to Milter service unix:\\/var\\/spool\\/postfix\\/var\\/run\\/amavisd-milter\\/amavisd-milter\\.sock: No such file or directory#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/postfix.amavisd-milter.sock.No.such.file.or.directory";
        $timefile = file_time_min($file);
        events("Postfix: Amavisd socket issue... (line " . __LINE__ . ")");
        if ($timefile > 5) {
            if (!is_file("/usr/local/sbin/amavisd-milter")) {
                email_events("Postfix: amavisd-milter is not installed !, change the postfix method", "postfix claim \n{$buffer}\nit seems that amavisd-milter is not installed\nArtica will re-install amavisd-milter or just\nChange amavis hooking to after-queue in order to use amavis main daemon.", "postfix");
                @unlink($file);
                @file_put_contents($file, "#");
                $cmd = trim("{$GLOBALS["NOHUP_PATH"]} /usr/share/artica-postfix/bin/artica-make APP_AMAVISD_MILTER >/dev/null 2>&1 &");
                shell_exec_maillog($cmd);
                return;
            }
            $cmd = trim("{$GLOBALS["NOHUP_PATH"]} /etc/init.d/amavis start >/dev/null 2>&1 &");
            shell_exec_maillog($cmd);
            return;
        }
        return;
    }
    if (preg_match("#\\[.+?:\\s+connect to 127\\.0\\.0\\.1\\[127\\.0\\.0\\.1\\]:2003:\\s+Connection refused#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/postfix.port.2003.Connection.refused";
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            email_events("Postfix: Connect to zarafa LMTP port Connection refused zarafa-lmtp will be restarted", "postfix claim \n{$buffer}\nArtica will try to restart zarafa-lmtp daemon.", "postfix");
            shell_exec_maillog(trim("{$GLOBALS["NOHUP_PATH"]} /etc/init.d/artica-postfix restart zarafa-lmtp >/dev/null 2>&1 &"));
            @unlink($file);
            @file_put_contents($file, "#");
        } else {
            events("Postfix: Connect to zarafa LMTP port Connection refused: {$timefile}Mn/5Mn");
        }
        return;
    }
    if (preg_match("#smtp\\[.+?:\\s+connect to 127\\.0\\.0\\.1\\[127\\.0\\.0\\.1\\]:([0-9]+):\\s+Connection refused#", $buffer, $re)) {
        if (postfix_is_amavis_port($re[1])) {
            $file = "/etc/artica-postfix/croned.1/postfix.port.{$re[1]}.Connection.refused";
            $timefile = file_time_min($file);
            if ($timefile > 5) {
                email_events("Postfix: Connect to amavis port {$re[1]} Connection refused Amavis will be restarted", "postfix claim \n{$buffer}\nArtica will try to restart amavis daemon.", "postfix");
                shell_exec_maillog(trim("{$GLOBALS["NOHUP_PATH"]} /etc/init.d/amavis restart --by-exec-maillog >/dev/null 2>&1 &"));
                @unlink($file);
                @file_put_contents($file, "#");
            } else {
                events("Postfix: Connect to amavis port {$re[1]} Connection refused: {$timefile}Mn/5Mn");
            }
            return;
        }
    }
    if (preg_match("#cyrus\\/.+?\\[[0-9]+]#", $buffer)) {
        include_once dirname(__FILE__) . "/ressources/class.cyrus.maillog.inc";
        $cyrus = new cyrus_maillog();
        if ($cyrus->ParseBuffer($buffer)) {
            return;
        }
    }
    if (preg_match("#master\\[.+?fatal: bind 127.0.0.1 port 33559: Address already in use#", $buffer, $re)) {
        events("Postfix: bind 127.0.0.1 port 33559: Address already in use -> startit");
        shell_exec_maillog(trim("{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["postfix_bin_path"]} start >/dev/null 2>&1 &"));
        return;
    }
    if (preg_match("#postqueue.+?warning: Mail system is down#", $buffer, $re)) {
        $sock = new sockets();
        $EnableStopPostfix = $sock->GET_INFO("EnableStopPostfix");
        if (!is_numeric($EnableStopPostfix)) {
            $EnableStopPostfix = 0;
        }
        if ($EnableStopPostfix == 0) {
            events("Postfix: Mail system is down:  -> startit");
            shell_exec_maillog(trim("{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["postfix_bin_path"]} start >/dev/null 2>&1 &"));
        }
        return;
    }
    if (preg_match("#postscreen.+?warning: database\\s+(.+?):\\s+could not delete entry for#", $buffer, $re)) {
        events("Postscreen: Cache database failed");
        if (is_file($re[1])) {
            @unlink($re[1]);
            email_events("Postfix: postscreen_cache_map problem", "postfix claim \n{$buffer}\nArtica have deleted {$re[1]} file to fix this issue.", "postfix");
        }
    }
    if (preg_match("#fatal: dict_open: unsupported dictionary type: pcre:  Is the postfix-pcre package installed#i", $buffer, $re)) {
        events("Postfix: pcre missing");
        $file = "/etc/artica-postfix/croned.1/postfix.pcre.missing";
        $timefile = file_time_min($file);
        if ($timefile > 20) {
            email_events("Postfix: pcre missing", "postfix claim \n{$buffer}\nArtica will try to upgrade postfix.", "postfix");
            shell_exec_maillog(trim("{$GLOBALS["NOHUP_PATH"]} /usr/share/artica-postfix/bin/artica-make APP_POSTFIX >/dev/null 2>&1 &"));
            @unlink($file);
            @file_put_contents($file, "#");
        } else {
            events("Postfix: pcre missing: {$timefile}Mn/20Mn");
        }
        return;
    }
    if (preg_match("#zarafa-server.+?The recommended upgrade procedure is to use the zarafa7-upgrade commandline tool#", $buffer, $re)) {
        $cmd = trim("{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.zarafa-migrate.php --upgrade-7 >/dev/null 2>&1 &");
        events("zarafa-server, need to upgrade... -> {$cmd}");
        shell_exec_maillog($cmd);
    }
    if (preg_match("#zarafa-gateway.+?POP3, POP3S, IMAP and IMAPS are all four disabled#", $buffer, $re)) {
        events("Zarafa-gateway No services enabled...???");
        $file = "/etc/artica-postfix/croned.1/zarafa-gateway.no.services";
        $timefile = file_time_min($file);
        if ($timefile > 10) {
            email_events("Zarafa mail server: No mailbox protocol ?", "Zarafa claim \n{$buffer}\nYou have disabled all mailboxes protocols.\nMeans that zarafa-gateway is not necessary ???\nAre you sure ??", "mailbox");
            @unlink($file);
            @file_put_contents($file, "#");
        } else {
            events("Postfix: Zarafa-gateway No services enabled...: {$timefile}Mn/10Mn");
        }
        return;
    }
    if (preg_match("#kavmilter\\[.+?Cannot read template file:\\s+(.+?)\$#", $buffer, $re)) {
        events("kavmilter: {$re[1]} missing");
        $md = md5($re[1]);
        $file = "/etc/artica-postfix/croned.1/kavmilter.template.{$md}";
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            email_events("Kaspersky Milter: error template " . basename($re[1]), "kavmilter claim \n{$buffer}\nArtica will try to repair.", "postfix");
            shell_exec_maillog("/bin/touch {$re[1]}");
            shell_exec_maillog(trim("{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.kavmilter.php --templates >/dev/null 2>&1 &"));
            @unlink($file);
            @file_put_contents($file, "#");
        } else {
            events("kavmilter: {$re[1]} missing: {$timefile}Mn/5Mn");
        }
        return;
    }
    if (preg_match("#kavmilter\\[.+?Can't load keys: No active key. Only skip actions allowed#", $buffer, $re)) {
        events("kavmilter: key missing");
        $md = md5($re[1]);
        $file = "/etc/artica-postfix/croned.1/kavmilter.no-active-key.error";
        $timefile = file_time_min($file);
        if ($timefile > 10) {
            email_events("Kaspersky Milter: no license !!", "kavmilter claim \n{$buffer}\nPlease disable kavmilter plugin or perform a license key activation", "postfix");
            @unlink($file);
            @file_put_contents($file, "#");
        } else {
            events("kavmilter: kavmilter: key missing: {$timefile}Mn/5Mn");
        }
        return;
    }
    if (preg_match("#warning:.+?then you may have to chmod a\\+r\\s+(.+?)\$#", $buffer, $re)) {
        events("chmod a+r {$re[1]}");
        shell_exec_maillog("/bin/chmod a+r {$re[1]}");
        return;
    }
    if (preg_match("#imaps\\[.+?Fatal error: tls_start_servertls.+?failed#", $buffer, $re)) {
        events("Cyrus-imap : IMAP SSL FAILED");
        $file = "/etc/artica-postfix/croned.1/imaps.error.tls_start_servertls";
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            shell_exec_maillog(trim("{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.cyrus.php --imaps-failed >/dev/null 2>&1 &"));
            @unlink($file);
            @unlink($file);
            @file_put_contents($file, "#");
        } else {
            events("Cyrus-imap wait:{$timefile}Mn/5Mn");
        }
        return;
    }
    if (preg_match("#fatal: file.+?main\\.cf: parameter setgid_group: unknown group name:\\s+(.+)#", $buffer, $re)) {
        events("Postfix : group name {$re[1]} problem");
        $file = "/etc/artica-postfix/croned.1/postfix.group.{$re[1]}.error";
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            email_events("Postfix: group {$re[1]} is not available", "Postfix claim \n{$buffer}\nArtica will try create this group.", "postfix");
            $unix = new unix();
            $groupadd = $unix->find_program("groupadd");
            shell_exec_maillog("{$groupadd} {$re[1]}&");
            @unlink($file);
            @file_put_contents($file, "#");
        } else {
            events("Postfix: Postfix: group {$re[1]} is not available: {$timefile}Mn/5Mn");
        }
        return;
    }
    if (preg_match("#fatal: parameter inet_interfaces: no local interface found for ([0-9\\.]+)#i", $buffer, $re)) {
        events("Postfix : NIC {$re[1]} problem");
        $file = "/etc/artica-postfix/croned.1/postfix.interface.{$re[1]}.error";
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            email_events("Postfix: Interface {$re[1]} is not available", "Postfix claim \n{$buffer}\nArtica will try to restore TCP/IP interfaces.", "postfix");
            @unlink("/etc/artica-postfix/MEM_INTERFACES");
            shell_exec_maillog(trim("{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.virtuals-ip.php >/dev/null 2>&1 &"));
            @unlink($file);
            @unlink($file);
            @file_put_contents($file, "#");
        } else {
            events("Postfix: Interface {$re[1]} is not available: {$timefile}Mn/5Mn");
        }
        return;
    }
    if (preg_match("#qmgr\\[.+?fatal: incorrect version of Berkeley DB: compiled against.+?run-time linked against#i", $buffer, $re)) {
        events("Postfix : incorrect version of Berkeley DB");
        $file = "/etc/artica-postfix/croned.1/qmgr.error.Berkeley";
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            email_events("Postfix: incorrect version of Berkeley DB", "Postfix claim \n{$buffer}\nArtica will upgrade/re-install your postfix version.", "postfix");
            @unlink($file);
            shell_exec_maillog(trim("{$GLOBALS["NOHUP_PATH"]} /usr/share/artica-postfix/bin/artica-make APP_POSTFIX 2>&1 &"));
            @unlink($file);
            @file_put_contents($file, "#");
        } else {
            events("Postfix : incorrect version of Berkeley DB wait:{$timefile}Mn/5Mn");
        }
        return;
    }
    if (preg_match('#smtpd\\[.+? warning: unknown smtpd restriction: "(.+?)"#', $buffer, $re)) {
        events("Postfix : incorrect parameters on smtpd restriction");
        $file = "/etc/artica-postfix/croned.1/smtpd.error.restriction." . md5($re[1]);
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            email_events("Postfix: incorrect parameters on smtpd restriction", "Postfix claim \n{$buffer}\nArtica will try to fix the problem.\nif this error is sended again, please contact Artica Support team.", "postfix");
            @unlink($file);
            shell_exec_maillog(trim("{$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix.maincf.php --smtp-sender-restrictions &"));
            @unlink($file);
            @file_put_contents($file, "#");
        } else {
            events("Postfix : incorrect parameters on smtpd restriction wait:{$timefile}Mn/5Mn");
        }
        return;
    }
    if (preg_match('#spamc\\[.+?connect to spamd on (.+?)\\s+failed,.+?Connection refused#', $buffer, $re)) {
        events("Spamassassin : {$re[1]} Connection refused");
        $file = "/etc/artica-postfix/croned.1/spamc.error.cnx.refused." . md5($re[1]);
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            email_events("Spamassassin: Connection refused on {$re[1]}", "Spamassassin claim \n{$buffer}\nYou should have less issues and better performances using Amavisd-new instead Spamassassin only", "postfix");
            @unlink($file);
            @unlink($file);
            @file_put_contents($file, "#");
        } else {
            events("Spamassassin : {$re[1]} Connection refused wait:{$timefile}Mn/5Mn");
        }
        return;
    }
    if (preg_match("#smtpd\\[.+?warning: connect to 127.0.0.1:54423: Connection refused#", $buffer, $re)) {
        events("restart Artica-policy");
        shell_exec_maillog("/etc/init.d/artica-postfix restart artica-policy &");
        return;
    }
    if (preg_match("#nss_wins\\[.+?connect from (.+?)\\[(.+?)\\]#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->Postfix_Addconnection($re[1], $re[2]);
        return;
    }
    if (preg_match("#nss_wins\\[.+?warning: (.+?):\\s+address not listed for hostname\\s+(.+?)\$#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->Postfix_Addconnection_error($re[2], $re[1], "ADDR_NOT_LISTED1");
        return;
    }
    if (preg_match("#postscreen\\[.+?CONNECT from \\[(.+?)\\]#i", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->Postfix_Addconnection(null, $re[1]);
        return;
    }
    if (preg_match("#smtpd\\[.*?connect from\\s+(.*?)\\[(.+?)\\]#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->Postfix_Addconnection($re[1], $re[2]);
        return;
    }
    if (preg_match("#dnsblog\\[.+?addr\\s+(.+?)\\s+listed by domain#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->Postfix_Addconnection_error(null, $re[1], "RBL");
        return;
    }
    if (preg_match("#nss_wins\\[.+?warning: (.+?):\\s+hostname\\s+(.+?)\\s+verification failed: Name or service not known#", $buffer, $re)) {
        //"verification failed: Name or service not known"
        $GLOBALS["maillog_tools"]->Postfix_Addconnection_error($re[2], $re[1], "VERIFY_FAILED1");
        return;
    }
    if (preg_match("#nss_wins\\[.+?timeout after DATA.+?from\\s+(.+?)\\[(.+?)\\]#", $buffer, $re)) {
        //"verification failed: Name or service not known"
        $GLOBALS["maillog_tools"]->Postfix_Addconnection_error($re[1], $re[2], "TIMEOUT");
        return;
    }
    if (strpos($buffer, "connect to Milter service inet:127.0.0.1:1052: Connection refused") > 0) {
        events("KavMilter stopped !");
        $md5 = md5("connect to Milter service inet:127.0.0.1:1052: Connection refused");
        $file = "/etc/artica-postfix/croned.1/postfix.milter.{$md5}";
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            email_events("Postfix: Kaspersky Antivirus For Postfix daemon is not available", "Postfix claim \n{$buffer}\nArtica will restart it's daemon.", "postfix");
            @unlink($file);
            shell_exec_maillog("/etc/init.d/kavmilterd restart &");
            file_put_contents($file, "#");
        } else {
            events("connect to Milter service inet:127.0.0.1:1052: Connection refused :{$timefile}Mn/5Mn to wait");
        }
        return;
    }
    if (preg_match("#problem talking to server .+?:10040: Connection timed out#", $buffer)) {
        events("postfwd2 problem Connection timed out !");
        $md5 = md5("problem talking to server .+?:10040: Connection timed out");
        $file = "/etc/artica-postfix/croned.1/postfix.postfwd2.{$md5}";
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            email_events("Postfix: postfwd2 Postfix daemon is not available", "Postfix claim \n{$buffer}\nArtica will restart it's daemon.", "postfix");
            @unlink($file);
            shell_exec_maillog($GLOBALS["PHP5_BIN"] . " /usr/share/artica-postfix/exec.postfwd2.php --restart &");
            file_put_contents($file, "#");
        } else {
            events("connect to talking to server .+?:10040 :{$timefile}Mn/5Mn to wait");
        }
        return;
    }
    if (preg_match("#postfix.+?fatal: non-null host address bits in.+?([0-9\\.\\/]+)\", perhaps you should use \"(.+?)\"\\s+instead#", $buffer, $re)) {
        events("NetWork & Nics, need to change from {$re[1]} to {$re[2]}");
        $md5 = md5("{$re[1]}{$re[2]}");
        $file = "/etc/artica-postfix/croned.1/postfix.network.{$md5}";
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            email_events("Postfix: Bad network parameter you have set {$re[1]} you need to set {$re[2]} instead !", "Postfix claim \n{$buffer}\n", "postfix");
            @unlink($file);
            file_put_contents($file, "#");
        } else {
            events("Bad network parameter you have set {$re[1]} you need to set {$re[2]} instead :{$timefile}Mn");
        }
        return;
    }
    if (preg_match("#postfix\\/master\\[.+?fatal:\\s+open lock file\\s+(.+?): unable to set exclusive lock: Resource temporarily unavailable#", $buffer, $re)) {
        events("postfix: {$re[1]}, unable to set exclusive lock");
        $re[1] = trim($re[1]);
        $md5 = md5("postfix: {$re[1]} unable to set exclusive lock");
        $file = "/etc/artica-postfix/croned.1/postfix.error.{$md5}";
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            exec("{$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix.maincf.php --repair-locks", $results);
            email_events("Postfix: {$re[1]} unable to set exclusive lock", "Postfix claim \n{$buffer}\nArtica tried to repair it\n" . @implode("\n", $results), "postfix");
            if (is_file($re[1])) {
                @unlink($re[1]);
            }
            @unlink($file);
            file_put_contents($file, "#");
        } else {
            events("postfix: {$re[1]} unable to set exclusive lock instead wait:{$timefile}Mn");
        }
        return;
    }
    // ##########################  emailrelay
    if (preg_match("#emailrelay:\\s+error:\\s+polling:\\s+cannot stat\\(\\)\\s+file:\\s+(.+)#", $buffer, $re)) {
        events("emailrelay: " . basename($re[1]) . " corrupted file");
        shell_exec_maillog("{$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.emailrelay.php --corrupted \"{$re[1]}\" &");
        return;
    }
    if (preg_match("#emailrelay\\[(.+?)\\].+?emailrelay: error:\\s+(.+)#", $buffer, $re)) {
        if (strpos("{$buffer}", "cannot stat") > 0) {
            return;
        }
        events("emailrelay PID {$re[1]} Error:Mass Mailing {$re[2]}");
        email_events("emailrelay PID {$re[1]} Error:Mass Mailing {$re[2]}", "emailrelay claim \n{$buffer}\nCheck your configuration file", "emailrelay");
        return;
    }
    if (preg_match("#emailrelay\\[(.+?)\\].+?emailrelay: warning:\\s+(.+)#", $buffer, $re)) {
        if (strpos("{$buffer}", "cannot stat") > 0) {
            return;
        }
        events("emailrelay PID {$re[1]} Error:Mass Mailing {$re[2]}");
        email_events("emailrelay PID {$re[1]} Error:Mass Mailing {$re[2]}", "emailrelay claim \n{$buffer}\nCheck your configuration file", "emailrelay");
        return;
    }
    // ##########################
    if (strpos($buffer, "warning: to change inet_interfaces, stop and start Postfix") > 0) {
        events("inet_interfaces: restarting postfix");
        shell_exec_maillog("{$GLOBALS["postfix_bin_path"]} stop && {$GLOBALS["postfix_bin_path"]} start &");
        return;
    }
    if (preg_match("#(.+?)\\/smtpd.+?fatal: bad string length.+? inet_interfaces =#", $buffer, $re)) {
        if ($re[1] == "postfix") {
            $instance = "master";
            $cmd = "{$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix.maincf.php --interfaces";
        } else {
            if (preg_match("#postfix-(.+)#", $re[1], $ri)) {
                $cmd = "{$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix-multi.php --instance-reconfigure {$ri[1]}";
                $instance = $ri[1];
            }
        }
        events("{$instance}:inet_interfaces is null ?? in postfix configuration file, try to repair");
        $file = "/etc/artica-postfix/croned.1/postfix.{$instance}.inet_interfaces.null";
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            events("{$cmd}");
            email_events("{$instance}: inet_interfaces missing data parameter", "Postfix claim \n{$buffer}\nArtica will change value to \"all\"", "postfix");
            shell_exec_maillog("{$cmd} &");
            @unlink($file);
            file_put_contents($file, "#");
        } else {
            events("{$instance}: inet_interfaces is null ?? but require 5mn to wait current:{$timefile}Mn");
        }
        return;
    }
    if (preg_match("#bounce\\[.+?fatal: bad string length 0 < 1: myorigin#", $buffer, $re)) {
        events("myorigin is null ?? in postfix configuration file, try to repair");
        $file = "/etc/artica-postfix/croned.1/postfix.myorigin.null";
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            email_events("Postfix: myorigin missing data parameter", "Postfix claim \n{$buffer}\nArtica will change value", "postfix");
            shell_exec_maillog("{$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix.maincf.php --networks &");
            @unlink($file);
            file_put_contents($file, "#");
        } else {
            events("myorigin is null ?? but require 5mn to wait current:{$timefile}Mn");
        }
        return;
    }
    if (preg_match("#local\\[.+?warning: dict_ldap_connect: Unable to bind to server (.+?)\\s+#", $buffer, $re)) {
        events("{$re[1]} unavailable");
        $file = "/etc/artica-postfix/croned.1/postfix.ldap.failed";
        $timefile = file_time_min($file);
        if ($timefile > 5) {
            email_events("Postfix: LDAP server {$re[1]} unavailable", "Postfix claim \n{$buffer}\nplease check the LDAP server database", "postfix");
            @unlink($file);
            file_put_contents($file, "#");
        } else {
            events("{$re['1']}} unavailable but require 5mn to wait current:{$timefile}Mn");
        }
        return;
    }
    if (preg_match("#postqueue\\[.+?fatal: bad string length 0.+?:\\s+(.+?)\\s+#", $buffer, $re)) {
        events("{$re[1]} is null ?? in postfix configuration file");
        $file = "/etc/artica-postfix/croned.1/postfix.postdrop.permissions";
        if (file_time_min($file) > 5) {
            email_events("Postfix: {$re[1]} missing data parameter", "Postfix claim \n{$buffer}\nContact your support team in order to fix this issue.", "postfix");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#zarafa-server\\[.+?Server shutdown complete.#", $buffer, $re)) {
        events("Zarafa stopped");
        email_events("Zarafa: Zarafa was successfully stopped", "{$buffer}", "mailbox");
        return;
    }
    if (preg_match("#zarafa-server\\[.+?Startup succeeded on pid#", $buffer, $re)) {
        events("Zarafa started");
        email_events("Zarafa: Zarafa was successfully started", "{$buffer}", "mailbox");
        return;
    }
    if (preg_match("#zarafa-server\\[.+?SQL Failed: Can't connect to MySQL server on '(.+?)'#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/zarafa.mysql.error";
        events("Zarafa mysql server {$re[1]} error connect to MySQL");
        if (file_time_min($file) > 5) {
            email_events("Zarafa: Zarafa Can't connect to MySQL server {$re[1]}", "Zarafa claims, {$buffer}\nArtica will try to fix it\nYou will recieve an other notification", "mailbox");
            shell_exec_maillog($GLOBALS["PHP5_BIN"] . " /usr/share/artica-postfix/exec.status.php --zarafa-watchdog &");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#zarafa-server\\[.+?Unable to find company id for object\\s+(.+?)\$#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/zarafa.{$re[1]}.error";
        if (file_time_min($file) > 5) {
            events("{$re[1]}: user is not stored in artica Database");
            shell_exec_maillog("{$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.zarafa.build.stores.php --emergency \"{$re[1]}\" &");
            email_events("Zarafa: Zarafa was successfully started", "Zarafa claims, {$buffer}\nArtica will try to fix it", "mailbox");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#postfix\\/master\\[.+?fatal: bind 0\\.0\\.0\\.0 port 25: Address already in use#", $buffer, $re)) {
        email_events("Postfix will be restarted", "Postfix claims, {$buffer}", "postfix");
        shell_exec_maillog("/etc/init.d/postfix restart-single &");
        return;
    }
    if (preg_match("#zarafa-(.+?)\\[.+?Starting zarafa-.+?, pid\\s+([0-9]+)#", $buffer, $re)) {
        email_events("Zarafa: {$re[1]} successfully started pid {$re[2]}", $buffer, "system");
        return;
    }
    if (preg_match("#zarafa-dagent\\[.+?Failed to resolve recipient (.+?)\$#", $buffer, $re)) {
        $re[1] = trim($re[1]);
        $file = "/etc/artica-postfix/croned.1/zarafa.{$re[1]}.error";
        if (file_time_min($file) > 10) {
            $zarafa_admin = $GLOBALS["CLASS_UNIX"]->find_program("zarafa-admin");
            exec("{$zarafa_admin} -l 2>&1", $results);
            email_events("Zarafa: {$re[1]} no such user", "Zarafa failed to find {{$re[1]}}\n{$buffer}\nHere it is the results of already registered users:\n" . @implode("\n", $results), "mailbox");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#zarafa-dagent\\[.+?Unable to login for user (.+?), error code: ([0-9a-zA-Z]+)#", $buffer, $re)) {
        $re[1] = trim($re[1]);
        $file = "/etc/artica-postfix/croned.1/zarafa.{$re[1]}.error";
        if (file_time_min($file) > 10) {
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("{$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.zarafa.build.stores.php --orphans");
                $textadd = "Please check if this user exists in the LDAP database, artica will check orphans users and stores in background mode";
                email_events("Zarafa: {$re[1]} user failed to login", "Zarafa failed to login {{$re[1]}}\n{$buffer}\nHere it is the results of already registered users:\n" . @implode("\n", $results), "\n{$textadd}", "mailbox");
            }
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#zarafa-server\\[.+?Unable to start server on port 236: Address already in use#", $buffer, $re)) {
        events("Zarafa-server error port 236 failed");
        $file = "/etc/artica-postfix/croned.1/zarafa.236.error";
        if (file_time_min($file) > 10) {
            email_events("Zarafa: unable to start port already open", "Zarafa claim \n{$buffer}\nArtica will try to restart it", "mailbox");
            shell_exec_maillog("/etc/init.d/artica-postfix restart zarafa-server &");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#zarafa-gateway\\[.+?Unable to listen on port 110#", $buffer, $re)) {
        events("Zarafa-server error port 110 failed");
        $file = "/etc/artica-postfix/croned.1/zarafa.110.error";
        if (file_time_min($file) > 10) {
            email_events("Zarafa: unable to start port 110 already open", "Zarafa claim \n{$buffer}\nArtica will try to restart it", "mailbox");
            shell_exec_maillog("/etc/init.d/artica-postfix restart zarafa-server &");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#zarafa-licensed\\[.+?License is for(.+?)users#", $buffer, $re)) {
        events("Zarafa license={$re[1]}");
        @file_put_contents("/etc/artica-postfix/settings/Daemons/ZarafaLicenseInfos", $re[1]);
    }
    if (preg_match("#postfix\\/postdrop\\[.+?warning: mail_queue_enter: create file maildrop\\/.+?:\\s+Permission denied#", $buffer, $re)) {
        events("Permission denied on maildrop queue");
        $file = "/etc/artica-postfix/croned.1/postfix.postdrop.permissions";
        if (file_time_min($file) > 10) {
            email_events("Postfix: Permissions problems on postdrop queue", "Postfix claim \n{$buffer}\nArtica will try to fix it", "postfix");
            shell_exec_maillog("{$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix.maincf.php --postdrop-perms &");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#smtp\\[.+?host\\s+(.+?)\\[.+?said:\\s+421\\s+4\\.2\\.1\\s+MSG=.+?\\(DNS:NR\\)#", $buffer, $re)) {
        events("mail Refused from {$re[1]}");
        $file = "/etc/artica-postfix/croned.1/postfix.{$re[1]}.refused";
        if (file_time_min($file) > 10) {
            email_events("Postfix: your messages has been refused from {$re[1]}", "Postfix claim \n{$buffer}\nCheck your smtp configuration in order to be compliance for {$re[1]}", "postfix");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#smtpd\\[.+?NOQUEUE: reject:\\s+RCPT from\\s+(.+?)\\[(.+?)\\]:.+?<(.+?)>:\\s+Recipient address rejected: Mail appeared to be SPAM or forged.+?from=<(.+?)>#", $buffer, $re)) {
        events("mail Refused from {$re[1]} for {$re[4]}");
        $file = "/etc/artica-postfix/croned.1/postfix.{$re[1]}.refused";
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("Forged", $re[4], $re[3], $re[2], $re[1]);
        if (file_time_min($file) > 10) {
            email_events("Postfix: your messages has been refused from {$re[1]} ({$re[2]}) it seems your Forged your messages", "Postfix claim \n{$buffer}\nCheck your smtp configuration in order to be compliance for {$re[1]}", "postfix");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match('#ClamAV-clamd.*?FAILED.*?output="(.*?):.*?Permission denied#', $buffer, $re)) {
        $filename = $re[1];
        $dirname = dirname($filename);
        @chmod($dirname, 0777);
        return;
    }
    if (preg_match("#\\[.+?NOQUEUE: reject: RCPT from.+?\\[(.+?)\\]:.+?Mail appeared to be SPAM or forged.+?from=<(.+?)>\\s+to=<(.+?)>#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("Forged", $re[2], $re[3], null, $re[1]);
        return;
    }
    if (preg_match("#postscreen\\[.+?NOQUEUE: reject: RCPT from\\s+\\[(.+?)\\].+?Service currently unavailable;\\s+from=<(.*?)>,\\s+to=<(.+?)>#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("PostScreen", $re[2], $re[3], null, $re[1]);
        return;
    }
    if (preg_match("#\\[.+?:\\s+NOQUEUE: reject: RCPT from.+?\\[(.+?)\\]:.+?Sender address rejected: blacklisted sender;\\s+from=<(.*)>\\s+to=<(.+?)>#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("blacklisted", $re[2], $re[3], $re[1]);
        return;
    }
    if (preg_match("#\\]: NOQUEUE: reject: RCPT from.+?\\[(.+?)\\]:.+?Banned destination domain.+?from=<(.*?)>\\s+to=<(.+?)>#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("Banned domain", $re[2], $re[3], $re[1]);
        return;
    }
    if (preg_match("#smtpd\\[.+?NOQUEUE: reject: RCPT from.+?\\[(.+?)\\]:.+?Recipient address rejected: Your MTA is listed in too many DNSBLs.+?from=<(.+?)>\\s+to=<(.+?)>#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("DNSBL", $re[1], $re[3], $re[4]);
        return;
    }
    if (preg_match("#smtpd\\[.*?warning: connect to 127\\.0\\.0\\.1:7777: Connection refused#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/postfix.connexion-refused." . __LINE__ . ".error";
        events("Postfix connexion refused from iredMail");
        if (file_time_min($file) > 10) {
            $cmd = "{$GLOBALS["NOHUP_PATH"]} /etc/init.d/iredmail restart >/dev/null 2>&1 &";
            shell_exec_maillog(trim($cmd));
            email_events("Postfix: Unable to connect to iRedMail", "Postfix claim\n{$buffer}\nArtica will restart iredMail service", "postfix");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#postfix\\/smtp.+?connect to\\s+(.+?)\\[(.+?)\\]:([0-9]+):\\s+Connection refused#", $buffer, $re)) {
        $md5 = md5($re[1]);
        $file = "/etc/artica-postfix/croned.1/postfix.connexion-refused.{$md5}.error";
        events("Postfix connexion refused from {$re[1]}");
        if (file_time_min($file) > 10) {
            email_events("Postfix: Unable to connect to {$re[1]} on port {$re[3]}", "Postfix claim\n{$buffer}\nPlease check if {$re[2]} is available", "postfix");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#NOQUEUE: reject: RCPT from.+?\\[(.+?)\\]:.+?Relay access denied;\\s+from=<(.+?)>\\s+to=<(.+?)>#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/postfix.relay.access.denied";
        if (file_time_min($file) > 30) {
            $GLOBALS["CLASS_UNIX"]->send_email_events("Postfix Relay access denied", "Artica will recompile Postfix in case of bad settings", "postfix");
            shell_exec("{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix.maincf.php --urgency >/dev/null 2>&1 &");
            @unlink($file);
            @file_put_contents($file, time);
        }
        events("Relay access denied :{$re[1]} from {$re[2]} to {$re[2]}");
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("Relay access denied", $re[2], $re[3], $re[1]);
        return;
    }
    if (preg_match("#cleanup\\[.+?:\\s+(.+?):\\s+reject: body.+?\\s+from.+?\\[(.+?)\\];\\s+from=<(.*?)>\\s+to=<(.+?)>.+?Message Body rejected#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_milter_reject($re[1], "Banned words", $re[1], $re[2], $buffer);
        return;
    }
    if (preg_match("#postscreen.+?NOQUEUE: reject: RCPT from \\[(.+?)\\].+?Service unavailable;.+?blocked using.+?; from=<(.+?)>, to=<(.+?)>#", $buffer, $re)) {
        events("PostScreen RBL :{$re[1]} from {$re[2]} to {$re[2]}");
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("PostScreen RBL", $re[2], $re[3], $re[1]);
        return;
    }
    if (strpos($buffer, "warning: cannot get certificate from file /etc/ssl/certs/postfix/ca.crt") > 0) {
        $file = "/etc/artica-postfix/croned.1/postfix.certificate.error";
        events("Postfix certificate problems");
        if (file_time_min($file) > 10) {
            email_events("Postfix: SSL certificate error", "Postfix claim\n{$buffer}\nArtica try to rebuild the certificate.", "postfix");
            shell_exec_maillog("/usr/share/artica-postfix/bin/artica-install --change-postfix-certificate &");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#NOQUEUE: reject: CONNECT from.+?\\[(.+?)\\].+?: Client host rejected: Server configuration error;#", $buffer, $re)) {
        events("postfix fatal error {$re[1]} rejected");
        $file = "/etc/artica-postfix/croned.1/postfix.Server.configuration.error";
        if (file_time_min($file) > 10) {
            email_events("Postfix: Server configuration error mails from {$re[1]} has been rejected", "Postfix claim\n{$buffer}\nPlease check your configuration.", "postfix");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#postfix.+?NOQUEUE: reject: RCPT from.+?\\[(.+?)\\]: 554.+?: Relay access denied; from=<> to=<(.+?)>#", $buffer, $re)) {
        events("Access denied :{$re[1]} from unknown to {$re[2]}");
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("Access denied", "unknown", $re[2], $re[1]);
        return;
    }
    if (preg_match("#NOQUEUE: reject: RCPT from.+?\\[(.+?)\\]:.+?Client host rejected: Access denied;\\s+from=<(.+?)>\\s+to=<(.+?)>#", $buffer, $re)) {
        events("Access denied :{$re[1]} from {$re[2]} to {$re[2]}");
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("Access denied", $re[2], $re[3], $re[1]);
        return;
    }
    if (preg_match("#postfix.+?:\\s+(.+):\\s+milter-discard: END-OF-MESSAGE\\s+from.+?\\[(.+?)\\]:\\s+milter triggers DISCARD action;\\s+from=<(.*?)>\\s+to=<(.+?)>\\s+#", $buffer, $re)) {
        events("Rejected :{$re[1]} from {$re[2]} to {$re[2]}");
        $GLOBALS["maillog_tools"]->event_DISCARD($re[1], $re[3], $re[4], $buffer, $re[2]);
        return;
    }
    if (preg_match("#smtpd\\[.+?NOQUEUE: reject: MAIL from.+?\\[(.+?)\\]:.+?Sender address rejected: Domain not found;\\s+from=<(.+?)>#", $buffer, $re)) {
        events("Domain not found :{$re[1]} from {$re[2]}");
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("Domain not found", $re[2], null, $re[1]);
        return;
    }
    if (preg_match("#smtpd\\[.+?NOQUEUE: reject: MAIL from.+?\\[(.+?)\\]:.+?Sender address rejected: Access denied;\\s+from=<(.+?)>#", $buffer, $re)) {
        events("Access denied :{$re[1]} from {$re[2]}");
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("Access denied", $re[2], null, $re[1]);
        return;
    }
    //SMTP HACK ######################################################################################################
    if (preg_match("#postfix.+?timeout after.+?from.+?\\[(.+?)\\]#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->Postfix_Addconnection_error(null, $re[1], "Timeout");
        if ($GLOBALS["SMTP_HACK_CONFIG_RATE"]["SMTPHACK_TIMEOUT"] > 0) {
            $GLOBALS["SMTP_HACK"][$re[1]]["SMTPHACK_TIMEOUT"] = $GLOBALS["SMTP_HACK"][$re[1]]["SMTPHACK_TIMEOUT"] + 1;
            events("Postfix Hack: timeout from {$re[1]} {$GLOBALS["SMTP_HACK"][$re[1]]["SMTPHACK_TIMEOUT"]} attempts/{$GLOBALS["SMTP_HACK_CONFIG_RATE"]["SMTPHACK_TIMEOUT"]}");
            if ($GLOBALS["SMTP_HACK"][$re[1]]["SMTPHACK_TIMEOUT"] >= $GLOBALS["SMTP_HACK_CONFIG_RATE"]["SMTPHACK_TIMEOUT"]) {
                smtp_hack_perform($re[1], $GLOBALS["SMTP_HACK"][$re[1]], "SMTPHACK_TIMEOUT");
                unset($GLOBALS["SMTP_HACK"][$re[1]]);
            }
        }
        return null;
    }
    if (preg_match("#postfix.+?: too many errors after.+?from.+?\\[(.+?)\\]#", $buffer, $re)) {
        if ($GLOBALS["SMTP_HACK_CONFIG_RATE"]["SMTPHACK_TOO_MANY_ERRORS"] > 0) {
            $GLOBALS["SMTP_HACK"][$re[1]]["SMTPHACK_TOO_MANY_ERRORS"] = $GLOBALS["SMTP_HACK"][$re[1]]["SMTPHACK_TOO_MANY_ERRORS"] + 1;
            events("Postfix Hack: too many errors from {$re[1]} {$GLOBALS["SMTP_HACK"][$re[1]]["SMTPHACK_TOO_MANY_ERRORS"]} attempts/{$GLOBALS["SMTP_HACK_CONFIG_RATE"]["SMTPHACK_TOO_MANY_ERRORS"]}");
            if ($GLOBALS["SMTP_HACK"][$re[1]]["SMTPHACK_TOO_MANY_ERRORS"] >= $GLOBALS["SMTP_HACK_CONFIG_RATE"]["SMTPHACK_TOO_MANY_ERRORS"]) {
                smtp_hack_perform($re[1], $GLOBALS["SMTP_HACK"][$re[1]], "SMTPHACK_TOO_MANY_ERRORS");
                unset($GLOBALS["SMTP_HACK"][$re[1]]);
            }
        }
        return null;
    }
    if (preg_match("#postfix.+?: warning: (.+?): hostname.+?verification failed: Temporary failure in name resolution#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->Postfix_Addconnection_error(null, $re[1], "verification failed");
        if ($GLOBALS["SMTP_HACK_CONFIG_RATE"]["SMTPHACK_RESOLUTION_FAILURE"] > 0) {
            $GLOBALS["SMTP_HACK"][$re[1]]["SMTPHACK_RESOLUTION_FAILURE"] = $GLOBALS["SMTP_HACK"][$re[1]]["SMTPHACK_RESOLUTION_FAILURE"] + 1;
            events("Postfix Hack: Temporary failure in name resolution from {$re[1]} {$GLOBALS["SMTP_HACK"][$re[1]]["SMTPHACK_RESOLUTION_FAILURE"]} attempts/{$GLOBALS["SMTP_HACK_CONFIG_RATE"]["SMTPHACK_RESOLUTION_FAILURE"]}");
            if ($GLOBALS["SMTP_HACK"][$re[1]]["SMTPHACK_RESOLUTION_FAILURE"] >= $GLOBALS["SMTP_HACK_CONFIG_RATE"]["SMTPHACK_RESOLUTION_FAILURE"]) {
                smtp_hack_perform($re[1], $GLOBALS["SMTP_HACK"][$re[1]], "SMTPHACK_RESOLUTION_FAILURE");
                unset($GLOBALS["SMTP_HACK"][$re[1]]);
            }
        }
        return null;
    }
    if (preg_match("#smtpd\\[.+?:\\s+reject:\\s+CONNECT from\\s+(.+?)\\[([0-9\\.]+)\\]:\\s+554.+?Service unavailable;.+?blocked#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->Postfix_Addconnection_error($re[1], $re[2], "RBL");
        if ($GLOBALS["SMTP_HACK_CONFIG_RATE"]["RBL"] > 0) {
            $GLOBALS["SMTP_HACK"][$re[1]]["RBL"] = $GLOBALS["SMTP_HACK"][$re[2]]["RBL"] + 2;
            events("Postfix Hack: {$re[1]} RBL !! {$re[2]}={$GLOBALS["SMTP_HACK"][$re[2]]["RBL"]} attempts");
            if ($GLOBALS["SMTP_HACK"][$re[2]]["RBL"] >= $GLOBALS["SMTP_HACK_CONFIG_RATE"]["RBL"]) {
                smtp_hack_perform($re[2], $GLOBALS["SMTP_HACK"][$re[2]], "RBL");
                unset($GLOBALS["SMTP_HACK"][$re[2]]);
            }
        }
        return null;
    }
    if (preg_match("#smtpd\\[.+?warning:\\s+(.+?):\\s+hostname\\s+(.+?)\\s+verification failed: Name or service not known#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->Postfix_Addconnection_error($re[2], $re[1], "Name or service not known");
        if ($GLOBALS["SMTP_HACK_CONFIG_RATE"]["NAME_SERVICE_NOT_KNOWN"] > 0) {
            $GLOBALS["SMTP_HACK"][$re[1]]["NAME_SERVICE_NOT_KNOWN"] = $GLOBALS["SMTP_HACK"][$re[1]]["NAME_SERVICE_NOT_KNOWN"] + 1;
            events("Postfix Hack: {$re[1]} Name or service not known {$re[1]}={$GLOBALS["SMTP_HACK"][$re[1]]["NAME_SERVICE_NOT_KNOWN"]} attempts");
            if ($GLOBALS["SMTP_HACK"][$re[1]]["NAME_SERVICE_NOT_KNOWN"] >= $GLOBALS["SMTP_HACK_CONFIG_RATE"]["NAME_SERVICE_NOT_KNOWN"]) {
                smtp_hack_perform($re[1], $GLOBALS["SMTP_HACK"][$re[1]], "NAME_SERVICE_NOT_KNOWN");
                unset($GLOBALS["SMTP_HACK"][$re[1]]);
            }
        }
        return;
    }
    if (preg_match('#warning.+?\\[([0-9\\.]+)\\]:\\s+SASL LOGIN authentication failed: authentication failure#', $buffer, $re)) {
        $GLOBALS["maillog_tools"]->Postfix_Addconnection_error($re[1], $re[1], "Login failed");
        $ipaddr = $re[1];
        if (!isset($GLOBALS["SMTP_HACK"][$ipaddr]["SASL_LOGIN"])) {
            $GLOBALS["SMTP_HACK"][$ipaddr]["SASL_LOGIN"] = 0;
        }
        $Count = intval($GLOBALS["SMTP_HACK"][$ipaddr]["SASL_LOGIN"]);
        if ($GLOBALS["SMTP_HACK_CONFIG_RATE"]["SASL_LOGIN"] > 0) {
            $Count++;
            events("Postfix Hack:bad SASL login {$Count} retries/{$GLOBALS["SMTP_HACK_CONFIG_RATE"]["SASL_LOGIN"]} max attempts");
            if ($Count >= $GLOBALS["SMTP_HACK_CONFIG_RATE"]["SASL_LOGIN"]) {
                events("Postfix Hack:smtp_hack_perform -> {$ipaddr} SASL_LOGIN");
                smtp_hack_perform($ipaddr, $GLOBALS["SMTP_HACK"][$ipaddr], "SASL_LOGIN");
                unset($GLOBALS["SMTP_HACK"][$ipaddr]);
                return;
            }
        }
        $GLOBALS["SMTP_HACK"][$ipaddr]["SASL_LOGIN"] = $Count;
        return null;
    }
    if (preg_match("#NOQUEUE: reject:.+?from.+?\\[([0-9\\.]+)\\]:.+?Service unavailable.+?blocked using.+?from=<(.+?)> to=<(.+?)> proto#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("RBL", $re[2], $re[3], $re[1]);
        if ($GLOBALS["SMTP_HACK_CONFIG_RATE"]["RBL"] > 0) {
            $GLOBALS["SMTP_HACK"][$re[1]]["RBL"] = $GLOBALS["SMTP_HACK"][$re[1]]["RBL"] + 1;
            events("Postfix Hack: {$re[1]} RBL !! from=<{$re[2]}> to=<{$re[3]}> {$re[1]}={$GLOBALS["SMTP_HACK"][$re[1]]["RBL"]} attempts");
            if ($GLOBALS["SMTP_HACK"][$re[1]]["RBL"] >= $GLOBALS["SMTP_HACK_CONFIG_RATE"]["RBL"]) {
                smtp_hack_perform($re[1], $GLOBALS["SMTP_HACK"][$re[1]], "RBL");
                unset($GLOBALS["SMTP_HACK"][$re[1]]);
            }
        }
        return null;
    }
    if (preg_match("#smtpd.+?reject: RCPT from.+?\\[(.+?)\\]:\\s+550.+?:.+Recipient address rejected:.+?because of previous errors.+?from=<(.+?)>\\s+to=<(.+?)>#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("RBL", $re[2], $re[3], $re[1]);
        if ($GLOBALS["SMTP_HACK_CONFIG_RATE"]["RBL"] > 0) {
            $GLOBALS["SMTP_HACK"][$re[1]]["RBL"] = $GLOBALS["SMTP_HACK"][$re[1]]["RBL"] + 1;
            events("Postfix Hack: {$re[1]} RBL !! from=<{$re[2]}> to=<{$re[3]}> {$re[1]}={$GLOBALS["SMTP_HACK"][$re[1]]["RBL"]} attempts");
            if ($GLOBALS["SMTP_HACK"][$re[1]]["RBL"] >= $GLOBALS["SMTP_HACK_CONFIG_RATE"]["RBL"]) {
                smtp_hack_perform($re[1], $GLOBALS["SMTP_HACK"][$re[1]], "RBL");
                unset($GLOBALS["SMTP_HACK"][$re[1]]);
            }
        }
        return null;
    }
    if (preg_match("#smtpd.+?reject: RCPT from.+?\\[(.+?)\\]:\\s+554.+?:.+Sender address rejected:.+?FORGED MAIL.+?from=<(.+?)>\\s+to=<(.+?)>#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("FORGED", $re[2], $re[3], $re[1]);
        if ($GLOBALS["SMTP_HACK_CONFIG_RATE"]["RBL"] > 0) {
            $GLOBALS["SMTP_HACK"][$re[1]]["RBL"] = $GLOBALS["SMTP_HACK"][$re[1]]["RBL"] + 1;
            events("Postfix Hack: {$re[1]} RBL !! from=<{$re[2]}> to=<{$re[3]}> {$re[1]}={$GLOBALS["SMTP_HACK"][$re[1]]["RBL"]} attempts");
            if ($GLOBALS["SMTP_HACK"][$re[1]]["RBL"] >= $GLOBALS["SMTP_HACK_CONFIG_RATE"]["RBL"]) {
                smtp_hack_perform($re[1], $GLOBALS["SMTP_HACK"][$re[1]], "RBL");
                unset($GLOBALS["SMTP_HACK"][$re[1]]);
            }
        }
        return null;
    }
    if (preg_match("#:\\s+NOQUEUE: reject: RCPT from.+?\\[(.+?)\\]:\\s+550.+?:\\s+Recipient address rejected: Mail appears to be SPAM or forged.+?from=<(.+?)>\\s+to=<(.+?)>#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("RBL", $re[2], $re[3], $re[1]);
        if ($GLOBALS["SMTP_HACK_CONFIG_RATE"]["RBL"] > 0) {
            $GLOBALS["SMTP_HACK"][$re[1]]["RBL"] = $GLOBALS["SMTP_HACK"][$re[1]]["RBL"] + 1;
            events("Postfix Hack: {$re[1]} RBL !! from=<{$re[2]}> to=<{$re[3]}> {$re[1]}={$GLOBALS["SMTP_HACK"][$re[1]]["RBL"]} attempts");
            if ($GLOBALS["SMTP_HACK"][$re[1]]["RBL"] >= $GLOBALS["SMTP_HACK_CONFIG_RATE"]["RBL"]) {
                smtp_hack_perform($re[1], $GLOBALS["SMTP_HACK"][$re[1]], "RBL");
                unset($GLOBALS["SMTP_HACK"][$re[1]]);
            }
        }
        return null;
    }
    if (preg_match("#smtpd.+?reject: RCPT from unknown\\[(.+?)\\]:\\s+550.+?:.+Recipient address rejected:.+?DNSBLs.+?from=<(.+?)>\\s+to=<(.+?)>#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("RBL", $re[2], $re[3], $re[1]);
        if ($GLOBALS["SMTP_HACK_CONFIG_RATE"]["RBL"] > 0) {
            $GLOBALS["SMTP_HACK"][$re[1]]["RBL"] = $GLOBALS["SMTP_HACK"][$re[1]]["RBL"] + 1;
            events("Postfix Hack: {$re[1]} RBL !! from=<{$re[2]}> to=<{$re[3]}> {$re[1]}={$GLOBALS["SMTP_HACK"][$re[1]]["RBL"]} attempts");
            if ($GLOBALS["SMTP_HACK"][$re[1]]["RBL"] >= $GLOBALS["SMTP_HACK_CONFIG_RATE"]["RBL"]) {
                smtp_hack_perform($re[1], $GLOBALS["SMTP_HACK"][$re[1]], "RBL");
                unset($GLOBALS["SMTP_HACK"][$re[1]]);
            }
        }
        return null;
    }
    if (preg_match("#NOQUEUE: reject:.+?from.+?\\[([0-9\\.]+)\\]:.+?<(.+?)>:\\s+Recipient address rejected: User unknown in local recipient table;\\s+from=<(.+?)>\\s+to=<(.+?)>#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("User unknown", $re[2], $re[3], $re[1]);
        if ($GLOBALS["SMTP_HACK_CONFIG_RATE"]["USER_UNKNOWN"] > 0) {
            $GLOBALS["SMTP_HACK"][$re[1]]["USER_UNKNOWN"] = $GLOBALS["SMTP_HACK"][$re[1]]["USER_UNKNOWN"] + 1;
            events("Postfix Hack: : {$re[1]} User unknown from=<{$re[2]}> to=<{$re[3]}> {$GLOBALS["SMTP_HACK"][$re[1]]["USER_UNKNOWN"]} attempts/{$GLOBALS["SMTP_HACK_CONFIG_RATE"]["USER_UNKNOWN"]}");
            if ($GLOBALS["SMTP_HACK"][$re[1]]["USER_UNKNOWN"] >= $GLOBALS["SMTP_HACK_CONFIG_RATE"]["USER_UNKNOWN"]) {
                smtp_hack_perform($re[1], $GLOBALS["SMTP_HACK"][$re[1]], "USER_UNKNOWN");
                unset($GLOBALS["SMTP_HACK"][$re[1]]);
            }
        }
        return null;
    }
    if (preg_match("#smtpd\\[.+?warning: Illegal address syntax from.+?\\[(.+?)\\] in MAIL#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->Postfix_Addconnection_error(null, $re[1], "Illegal address");
        if ($GLOBALS["SMTP_HACK_CONFIG_RATE"]["BLOCKED_SPAM"] > 0) {
            $GLOBALS["SMTP_HACK"][$re[1]]["BLOCKED_SPAM"] = $GLOBALS["SMTP_HACK"][$re[1]]["BLOCKED_SPAM"] + 1;
            events("Postfix Hack: {$re[1]} Illegal address syntax {$GLOBALS["SMTP_HACK"][$re[1]]["BLOCKED_SPAM"]} attempts/{$GLOBALS["SMTP_HACK_CONFIG_RATE"]["BLOCKED_SPAM"]}");
            if ($GLOBALS["SMTP_HACK"][$re[1]]["BLOCKED_SPAM"] >= $GLOBALS["SMTP_HACK_CONFIG_RATE"]["BLOCKED_SPAM"]) {
                smtp_hack_perform($re[1], $GLOBALS["SMTP_HACK"][$re[1]], "BLOCKED_SPAM");
                unset($GLOBALS["SMTP_HACK"][$re[1]]);
            }
        }
        return null;
    }
    if (preg_match("#postfix\\/lmtp\\[.+?:\\s+(.+?):\\s+to=<(.+)>,\\s+relay=([0-9\\.]+)\\[.+?:[0-9]+,.+?status=deferred.+?430 Authentication required#", $buffer, $re)) {
        events("postfix LMTP error to {$re[2]}");
        $file = "/etc/artica-postfix/croned.1/postfix.lmtp.auth.failed";
        $GLOBALS["maillog_tools"]->event_messageid_rejected($re[1], "Mailbox Authentication required", $re[3], $re[2]);
        if (file_time_min($file) > 5) {
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                email_events("Postfix: LMTP Error", "Postfix\n{$buffer}\nArtica will reconfigure LMTP settings", "postfix");
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("{$GLOBALS["PHP5_BIN"]} {$GLOBALS["MYPATH"]}/exec.postfix.maincf.php --mailbox-transport");
            }
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#postfix\\/lmtp\\[.+?:\\s+connect to ([0-9\\.]+)\\[.+?:[0-9]+:\\s+Connection refused#", $buffer)) {
        events("postfix LMTP error");
        $file = "/etc/artica-postfix/croned.1/postfix.lmtp.cnx.refused";
        $GLOBALS["maillog_tools"]->event_messageid_rejected($re[1], "LMTP Error", "127.0.0.1", $re[2]);
        if (file_time_min($file) > 5) {
            if ($GLOBALS["ZARAFA_INSTALLED"]) {
                email_events("Postfix: Zarafa LMTP Error", "Postfix\n{$buffer}\nArtica will trying to start Zarafa", "postfix");
                $cmd = "{$GLOBALS["NOHUP_PATH"]} /etc/init.d/artica-postfix start zarafa >/dev/null 2>&1 &";
                shell_exec_maillog(trim($cmd));
                @unlink($file);
                file_put_contents($file, "#");
                return;
            }
            email_events("Postfix: LMTP Error", "Postfix\n{$buffer}\nArtica will reconfigure LMTP settings", "postfix");
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("{$GLOBALS["PHP5_BIN"]} {$GLOBALS["MYPATH"]}/exec.postfix.maincf.php --mailbox-transport");
            }
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#postfix\\/.+?:\\s+warning:\\s+problem talking to server\\s+[0-9\\.]+:12525:\\s+Connection refused#", $buffer)) {
        events("postfix policyd-weight error");
        $file = "/etc/artica-postfix/croned.1/postfix.policyd-weight.conect.failed";
        if (file_time_min($file) > 10) {
            email_events("Postfix: Policyd-weight server connection problem", "Postfix\n{$buffer}\nArtica will reconfigure restart policyd-weight service", "postfix");
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("/etc/init.d/policyd-weight start");
            }
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#KASERROR.+?keepup2date\\s+failed.+?no valid license info found#", $buffer, $re)) {
        events("Kas3, license error, uninstall kas3");
        $file = "/etc/artica-postfix/croned.1/kas3.license.error";
        if (file_time_min($file) > 5) {
            email_events("Kaspersky Antispam: license error", "Kaspersky Updater claim\n{$buffer}\nArtica will uninstall Kaspersky Anti-spam", "postfix");
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("/usr/share/artica-postfix/bin/artica-install --kas3-remove");
            }
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#postfix\\/postfix-script\\[.+?\\]: fatal: the Postfix mail system is not running#", $buffer, $re)) {
        if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
            $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("{$GLOBALS["postfix_bin_path"]} start");
        }
        return;
    }
    if (preg_match("#zarafa-server\\[.+?: SQL Failed: Table.+?zarafa\\.(.+?)'\\s+doesn.+?exist#", $buffer, $re)) {
        events("Zarafa, missing table {$re[1]}");
        zarafa_rebuild_db($re[1], $buffer);
        return;
    }
    if (preg_match("#zarafa-server\\[.+?INNODB engine is not support.+?Please enable the INNODB engine#", $buffer, $re)) {
        events("Zarafa, INNODB not enabled, restart mysql {$re[1]}");
        $file = "/etc/artica-postfix/croned.1/zarafa.INNODB.error";
        if (file_time_min($file) > 5) {
            email_events("Zarafa server: innodb is not enabled", "Zarafa-server claim\n{$buffer}\nArtica will restart mysql", "mailbox");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#zarafa-server\\[.+?:\\s+Cannot instantiate user plugin: ldap_bind_s: Invalid credentials#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/zarafa.ldap_bind_s.error";
        events("zarafa-server -> ldap_bind_s: Invalid credentials");
        if (file_time_min($file) > 5) {
            email_events("Zarafa server cannot connect to ldap server", "Zarafa-server claim\n{$buffer}\nArtica will restart and reconfigure zarafa", "mailbox");
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("/etc/init.d/artica-postfix restart zarafa");
            }
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#smtp\\[.+? fatal: specify a password table via the.+?smtp_sasl_password_maps.+?configuration parameter#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/postfix.smtp_sasl_password_maps.error";
        events("postfix -> smtp_sasl_password_maps");
        if (file_time_min($file) > 5) {
            email_events("Postfix configuration problem", "Postfix claim\n{$buffer}\nArtica will disable SMTP Sasl feature", "postfix");
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("{$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix.maincf.php --disable-smtp-sasl");
            }
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#amavis\\[.+?TROUBLE.+?in child_init_hook: BDB can't connect db env.+?No such file or directory#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/amavis.BDB.error";
        events("amavis BDB ERROR");
        if (file_time_min($file) > 5) {
            email_events("AMAVIS BDB Error", "amavis claim\n{$buffer}\nArtica will restart amavis service", "postfix");
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("/etc/init.d/amavis restart");
            }
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#amavis\\[.*?\\]:.*?DIE.*?BDB\\s+can't connect db.*?\\/var(.+?): No such file or directory#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/amavis.BDB.error";
        events("amavis BDB ERROR");
        if (file_time_min($file) > 5) {
            email_events("AMAVIS BDB Error", "amavis claim\n{$buffer}\nArtica will restart amavis service", "postfix");
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("/etc/init.d/amavis restart");
            }
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#amavis\\[.+?custom checks error:\\s+Insecure dependency in connect while running with -T switch at .+?/IO/Socket\\.pm line 114#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/amavis.Compress-Raw-Zlib.error";
        events("amavis Compress-Raw-Zlib error -> check Compress-Raw-Zlib version");
        if (file_time_min($file) > 5) {
            email_events("AMAVIS dependency Error", "amavis claim\n{$buffer}\nArtica will try to check depencies, especially \\Compress-Raw-Zlib\"", "postfix");
            //THREAD_COMMAND_SET("/etc/init.d/amavis restart");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#amavis\\[.+?connect_to_ldap: bind failed: LDAP_INVALID_CREDENTIALS#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/amavis.LDAP.error";
        events("amavis LDAP ERROR");
        if (file_time_min($file) > 5) {
            email_events("AMAVIS LDAP connexion Error", "amavis claim\n{$buffer}\nArtica will restart amavis service to reconfigure it", "postfix");
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("/etc/init.d/amavis restart");
            }
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#Decoding of p[0-9]+\\s+\\(.+?data, at least.+?failed, leaving it unpacked: Compress::Raw::Zlib version\\s+(.+?)\\s+required.+?this is only version\\s+(.+?)\\s+#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/amavis.Compress.Raw.Zlib.error";
        events("amavis Compress::Raw::Zlib need to be upgraded");
        if (file_time_min($file) > 20) {
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                email_events("AMAVIS Compress::Raw::Zlib need to be upgraded from {$re[1]} to {$re[2]}", "amavis claim\n{$buffer}\nArtica will install a newest Compress::Raw::Zlib version", "postfix");
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("/usr/share/artica-postfix/bin/artica-make APP_COMPRESS_ROW_ZLIB");
            }
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#smtp\\[.+?:\\s+fatal: valid hostname or network address required in server description:(.+?)#", $buffer, $re)) {
        mail_events("{$re[1]} Bad configuration parameters", "Postfix claim\n{$buffer}\nPlease come back to the interface and check your configuration!", "postfix");
        return;
    }
    if (preg_match("#.+?postfix-.+?\\/master\\[.+?:\\s+fatal:\\s+bind\\s+[0-9\\.]+\\s+port\\s+25:\\s+Address already in use#", $buffer, $re)) {
        events("Address already in use -> restart postfix");
        if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
            email_events("Postfix will be restarted", "Line: " . __LINE__ . "\nPostfix claims, {$buffer}", "postfix");
            $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("/etc/init.d/postfix restart-single");
        }
        return null;
    }
    if (preg_match("#postfix\\/.+?warning:\\s+(.+?)\\s+and\\s+(.+?)\\s+differ#", $buffer, $re)) {
        if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
            $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("/bin/cp -pf {$re[2]} {$re[1]}");
        }
        return;
    }
    if (preg_match("#smtpd\\[.+?warning:\\s+connect to Milter service unix:(.+?):\\s+Permission denied#", $buffer, $re)) {
        events("chown postfix:postfix {$re[1]}");
        shell_exec_maillog("/bin/chown postfix:postfix {$re[1]} &");
        return;
    }
    if (preg_match("#spamd\\[[0-9]+.+?Can.+?locate\\s+Mail\\/SpamAssassin\\/CompiledRegexps\\/body_[0-9]+\\.pm#", $buffer, $re)) {
        SpamAssassin_error_saupdate($buffer);
        return null;
    }
    if (preg_match("#zarafa-monitor.+?:\\s+Unable to get store entry id for company\\s+(.+?), error code#", $buffer, $re)) {
        zarafa_store_error($buffer);
        return null;
    }
    if (preg_match("#postfix\\/lmtp.+?:\\s+(.+?):\\s+to=<(.+?)>.+?lmtp.+?deferred.+?451.+?Mailbox has an invalid format#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_messageid_rejected($re[1], "Mailbox corrupted", null, $re[2]);
        mailbox_corrupted($buffer, $re[2]);
        return null;
    }
    if (preg_match("#postfix\\/lmtp.+?(.+?):\\s+to=<(.+?)>.+?lmtp.+?status=deferred.+?452.+?Over quota#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_messageid_rejected($re[1], "Over quota", null, $re[2]);
        mailbox_overquota($buffer, $re[2]);
        return null;
    }
    if (preg_match("#postfix\\/.+?:(.+?):\\s+milter-reject: END-OF-MESSAGE\\s+.+?Error in processing.+?ALL VIRUS SCANNERS FAILED;.+?from=<(.+?)>\\s+to=<(.+?)>#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_milter_reject($re[1], "antivirus failed", $re[1], $re[2], $buffer);
        clamav_error_restart($buffer);
        return null;
    }
    if (preg_match("#postfix\\/.+?:(.+?):\\s+to=<(.+?)>,.+?\\[(.+?)\\].+?status=deferred.+?virus_scan FAILED#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_messageid_rejected($re[1], "antivirus failed", $re[3], $re[2]);
        return null;
    }
    if (preg_match("#smtp\\[[0-9]+\\]:\\s+(.+?):\\s+to=<(.+?)>,\\s+relay=127\\.0\\.0.+:[0-9]+,.+?deferred.+?451.+?during fwd-connect\\s+\\(Negative greeting#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_messageid_rejected($re[1], "Internal timed-out", "127.0.0.1", $re[2]);
        $file = "/etc/artica-postfix/croned.1/timedout-amavis";
        events("fwd-connect ERROR");
        if (file_time_min($file) > 5) {
            events("fwd-connect ERROR -> restarting Postfix");
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("{$GLOBALS["postfix_bin_path"]} stop");
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("{$GLOBALS["postfix_bin_path"]} start");
            }
            @unlink($file);
            file_put_contents($file, "#");
        }
        return;
    }
    if (preg_match("#master\\[.+?:\\s+fatal:\\s+binds\\+(.+?)\\s+port\\s+(.+?).+?Address already in use#", $buffer, $re)) {
        postfix_bind_error($re[1], $re[2], $buffer);
        return null;
    }
    if (preg_match("#kavmilter\\[.+?:\\s+KAVMilter Error\\(13\\):\\s+Active key expired.+?Exiting#", $buffer, $re)) {
        kavmilter_expired($buffer);
        return null;
    }
    if (preg_match("#postfix.+?\\[.+?fatal: open\\s+\\/etc\\/postfix-(.+?)\\/main\\.cf:\\s+No such file or directory#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/instance-{$re[1]}.no-such-file";
        events("{$re[1]} -> bad main.cf " . dirname($re[1]));
        if (file_time_min($file) > 5) {
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                email_events("Postfix missing main.cf for {$re[1]} instance", "Postfix claim\n{$buffer}\nArtica will reconfigure this instance", "postfix");
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("{$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix-multi.php --instance-reconfigure {$re[1]}");
            }
            @unlink($file);
            file_put_contents($file, "#");
        }
        return null;
    }
    if (preg_match("#postmulti.+?fatal:.+?Failed to obtain all required /etc/postfix-(.+?)\\/main\\.cf parameters#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/instance-{$re[1]}.no-maincf-params";
        events("{$re[1]} -> bad main.cf " . dirname($re[1]));
        if (file_time_min($file) > 5) {
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                email_events("Postfix missing main.cf for {$re[1]} instance", "Postfix claim\n{$buffer}\nArtica will reconfigure this instance", "postfix");
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("{$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix-multi.php --instance-reconfigure {$re[1]}");
            }
            @unlink($file);
            file_put_contents($file, "#");
        }
        return null;
    }
    if (preg_match("#postfix-(.+?)\\/postqueue\\[.+?warning: Mail system is down#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/instance-{$re[1]}.down";
        $ftime = file_time_min($file);
        events("{$re[1]} -> system down ({$ftime}mn)");
        if ($ftime >= 5) {
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                $cmd = "{$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix-multi.php --instance-start {$re[1]}";
                email_events("Postfix {$re[1]} instance stopped", "Postfix claim\n{$buffer}\nArtica will start this instance", "postfix");
                events("{$cmd}");
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET($cmd);
            }
            @unlink($file);
            file_put_contents($file, "#");
        }
        return null;
    }
    if (preg_match("#postfix-(.+?)\\/master\\[.+?daemon started#", $buffer, $re)) {
        events("{$re[1]} -> system start");
        email_events("Postfix {$re[1]} instance started", "Postfix notify\n{$buffer}\n", "postfix");
        return null;
    }
    if (preg_match("#postfix\\[.+?fatal: parameter inet_interfaces: no local interface found for ([0-9\\.]+)#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/inet_interfaces-{$re[1]}.down";
        $ftime = file_time_min($file);
        events("{$re[1]} -> interface down ({$ftime}mn)");
        if ($ftime >= 5) {
            email_events("Postfix interface {$re[1]} down", "Postfix claim\n{$buffer}\n\n\t\tCheck your configuration settings in order to see\n\t\twhy \"{$re[1]}\" is not loaded", "postfix");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return null;
    }
    if (preg_match("#postmulti-script\\[.+?warning: (.+?): please verify contents and remove by hand#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/" . md5("{$re[1]}") . ".delete";
        $ftime = file_time_min($file);
        events("{$re[1]} -> delete");
        if ($ftime >= 5) {
            if (is_dir($re[1])) {
                if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                    $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("/bin/rm -rf {$re[1]} &");
                }
                @unlink($file);
                file_put_contents($file, "#");
            }
        }
        return null;
    }
    if (preg_match("#.+?\\/(.+?)\\[.+?:\\s+fatal:\\s+open\\s+(.+?):\\s+No such file or directory#", $buffer, $re)) {
        postfix_nosuch_fileor_directory($re[1], $re[2], $buffer);
        return null;
    }
    if (preg_match("#.+?\\/(.+?)\\[.+?:\\s+fatal:\\s+open\\s+(.+?)\\.db:\\s+Bad file descriptor#", $buffer, $re)) {
        postfix_baddb($re[1], $re[2], $buffer);
        return null;
    }
    if (preg_match("#postfix\\/qmgr.+?:\\s+(.+?):\\s+from=<(.*?)>,\\s+status=expired, returned to sender#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_finish($re[1], null, "expired", "expired", $re[2], $buffer);
        return null;
    }
    if (preg_match("#postfix postmulti\\[[0-9+]\\]: fatal: No matching instances#", $buffer, $re)) {
        multi_instances_reconfigure($buffer);
        return null;
    }
    if (preg_match('#NOQUEUE: reject: MAIL from.+?452 4.3.1 Insufficient system storage#', $buffer)) {
        $file = "/etc/artica-postfix/croned.1/postfix.storage.error";
        if (file_time_min($file) > 10) {
            email_events("Postfix Insufficient storage disk space!!! ", "Postfix claim: {$buffer}\n Please check your hard disk space !", "system");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return null;
    }
    if (preg_match("#starting amavisd-milter.+?on socket#", $buffer)) {
        email_events("Amavisd New has been successfully started", $buffer, "system");
        return;
    }
    if (preg_match("#kavmilter\\[.+?\\]:\\s+Could not open pid file#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/postfix.kavmilter.pid.error";
        if (file_time_min($file) > 10) {
            events("Kaspersky Milter PID error");
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                email_events("Kaspersky Milter PID error", "kvmilter claim {$buffer}\nArtica will try to restart it", "postfix");
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart kavmilter');
            }
            @unlink($file);
        } else {
            events("Kaspersky Milter PID error, but take action after 10mn");
        }
        file_put_contents($file, "#");
        return null;
    }
    // HACK POP3
    if (preg_match("#cyrus\\/pop3\\[.+?badlogin.+?.+?\\[(.+?)\\]\\s+APOP.+?<(.+?)>.+?SASL.+?: user not found: could not find password#", $buffer, $re)) {
        hackPOP($re[1], $re[2], $buffer);
        return;
    }
    if (preg_match("#cyrus\\/pop3\\[.+?:\\s+badlogin:\\s+.+?\\[(.+?)\\]\\s+plaintext\\s+(.+?)\\s+SASL.+?authentication failure:#", $buffer, $re)) {
        hackPOP($re[1], $re[2], $buffer);
        return;
    }
    if (preg_match("#zarafa-gateway\\[.+?: Failed to login from\\s+(.+?)\\s+with invalid username\\s+\"(.+?)\"\\s+or wrong password#", $buffer, $re)) {
        hackPOP($re[1], $re[2], $buffer);
        return;
    }
    if (preg_match("#postfix\\/.+?warning: TLS library problem.+?system library:fopen:No such file or directory.+?\\('(.+?)',#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/postfix.tls.{$re[1]}.error";
        if (file_time_min($file) > 5) {
            events("TLS {$re[1]} No such file");
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                email_events("Postfix error TLS on {$re[1]} (no such file)", "Postfix claim {$buffer}\nArtica will try to repair it by rebuilding certificate", "postfix");
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/usr/share/artica-postfix/bin/artica-install --change-postfix-certificate');
            }
            @unlink($file);
        } else {
            events("TLS {$re[1]} No such file failure, but take action after 5mn");
        }
        return null;
    }
    if (preg_match("#smtpd.+?:\\s+warning: SASL authentication failure: no secret in database#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/postfix.sasl.secret.error";
        if (file_time_min($file) > 10) {
            events("SASL authentication failure");
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                email_events("Postfix error SASL", "Postfix claim {$buffer}\nArtica will try to repair it", "postfix");
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/usr/share/artica-postfix/bin/artica-install --postfix-sasldb2');
            }
            @unlink($file);
        } else {
            events("SASL authentication failure, but take action after 10mn");
        }
        return null;
    }
    if (preg_match("#smtp.+?connect to 127\\.0\\.0\\.1\\[127\\.0\\.0\\.1\\]:10024: Connection refused#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->AmavisConfigErrorInPostfix($buffer);
        return null;
    }
    if (preg_match("#postfix\\/smtp\\[.+?:\\s+(.+?):\\s+to=<(.+?)>.+?status=deferred\\s+\\(SASL authentication failed.+?\\[(.+?)\\]#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_messageid_rejected($re[1], "authentication failed", $re[3], $re[2]);
        smtp_sasl_failed($re[3], $re[3], $buffer);
    }
    if (preg_match("#postfix\\/smtp\\[.+?:\\s+(.+?):\\s+to=<(.+?)>.+?status=bounced.+?.+?\\[(.+?)\\]\\s+said:\\s+554.+?http:\\/\\/#", $buffer, $re)) {
        ImBlackListed($re[3], $buffer);
        $GLOBALS["maillog_tools"]->event_messageid_rejected($re[1], "Your are blacklisted", $re[3], $re[2]);
        return null;
    }
    if (preg_match("#postfix\\/(cleanup|bounce|smtp|smtpd|flush|trivial-rewrite)\\[.+?warning: database\\s+(.+?)\\.db\\s+is older than source file\\s+(.+)#", $buffer, $re)) {
        postfix_compile_db($re[3], $buffer);
        return null;
    }
    if (preg_match("#postfix\\/(cleanup|bounce|smtp|smtpd|flush|trivial-rewrite)\\[.+?fatal: open database\\s+(.+?)\\.db:\\s+No such file or directory#", $buffer, $re)) {
        postfix_compile_missing_db($re[2], $buffer);
        return null;
    }
    if (preg_match("#postfix\\/smtp\\[.+?:\\s+(.+?):\\s+host.+?\\[(.+?)\\]\\s+said:\\s+[0-9]+\\s+invalid sender domain#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->Postfix_Addconnection_error($re[1], $re[2], "invalid sender domain");
        $GLOBALS["maillog_tools"]->event_messageid_rejected($re[1], "invalid sender domain", $re[2], null);
        return null;
    }
    if (preg_match("#warning: connect to Milter service unix:(.+?)clamav-milter.ctl: Connection refused#", $buffer, $re)) {
        MilterClamavError($buffer, "{$re['1']}/clamav-milter.ctl");
        return null;
    }
    if (preg_match("#warning: connect to Milter service unix:(.+?)greylist.sock: No such file or directory#", $buffer, $re)) {
        miltergreylist_error($buffer, "{$re[1]}/greylist.sock");
        return null;
    }
    if (preg_match("#postfix\\/smtpd\\[.+?warning: connect to Milter service unix:(.+?)milter-greylist.sock: No such file or directory#", $buffer, $re)) {
        miltergreylist_error($buffer, "{$re[1]}/milter-greylist.sock");
        return null;
    }
    if (preg_match("#warning: connect to Milter service unix:/var/spool/postfix/var/run/amavisd-milter/amavisd-milter.sock: Connection refused#", $buffer)) {
        AmavisConfigErrorInPostfix($buffer);
        return null;
    }
    if (preg_match("#qmgr.+?transport amavis: Connection refused#", $buffer)) {
        AmavisConfigErrorInPostfixRestart($buffer);
        return null;
    }
    if (preg_match('#milter-greylist: greylist: Unable to bind to port (.+?): Permission denied#', $buffer, $re)) {
        miltergreylist_error($buffer, $re[1]);
    }
    if (preg_match('#]:\\s+(.+?): to=<(.+?)>.+?socket/lmtp\\].+?status=deferred.+?lost connection with.+?end of data#', $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_finish($re[1], $re[2], "deferred", "mailbox service error", null, $buffer);
        return null;
    }
    if (preg_match('#badlogin: \\[(.+?)\\] plaintext\\s+(.+?)\\s+SASL\\(-13\\): authentication failure: checkpass failed#', $buffer, $re)) {
        if ($GLOBALS["DisableMailBoxesHack"] == 1) {
            return;
        }
        if ($GLOBALS["GlobalIptablesEnabled"] != 1) {
            return;
        }
        $date = date('Y-m-d H');
        $_GET["IMAP_HACK"][$re[1]][$date] = $_GET["IMAP_HACK"][$re[1]][$date] + 1;
        events("cyrus Hack:bad login {$re[1]}:{$_GET["IMAP_HACK"][$re[1]][$date]} retries");
        if ($_GET["IMAP_HACK"][$re[1]][$date] > 15) {
            email_events("Cyrus HACKING !!!!", "Build iptables rule \"iptables -I INPUT -s {$re[1]} -j DROP\" for {$re[1]}!\nlaster error: {$buffer}", "mailbox");
            shell_exec_maillog("iptables -I INPUT -s {$re[1]} -j DROP");
            events("IMAP Hack: -> iptables -I INPUT -s {$re[1]} -j DROP");
            unset($_GET["IMAP_HACK"][$re[1]]);
        }
        return null;
    }
    if (preg_match('#badlogin: \\[(.+?)\\] plaintext\\s+(.+?)\\s+SASL\\(-1\\): generic failure: checkpass failed#', $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/cyrus.checkpass.error";
        if (file_time_min($file) > 10) {
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                email_events("Cyrus auth error", "Artica will restart messaging service\n\"{$buffer}\"", "mailbox");
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/etc/init.d/cyrus-imapd restart');
            }
            @unlink($file);
        }
        return null;
    }
    if (preg_match('#cyrus\\/lmtpunix.+?DBERROR:\\s+opening.+?\\.db:\\s+Cannot allocate memory#', $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/cyrus.dberror.restart.error";
        if (file_time_min($file) > 10) {
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                email_events("Cyrus DBERROR error", "Artica will restart messaging service\n\"{$buffer}\"", "mailbox");
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/etc/init.d/cyrus-imapd restart');
            }
            @unlink($file);
        }
        return null;
    }
    if (preg_match('#cyrus\\/imap.+?DBERROR.+?Open database handle:\\s+(.+?)tls_sessions\\.db#', $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/cyrus.dberror.tls_sessions.error";
        if (file_time_min($file) > 10) {
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                email_events("Cyrus DBERROR error", "Artica will delete {$re[1]}tls_sessions.db file\n\"{$buffer}\"", "mailbox");
                @unlink("{$re[1]}tls_sessions.db");
            }
            @unlink($file);
        }
        return null;
    }
    if (preg_match('#cyrus\\/notify.+?DBERROR db[0-9]: PANIC: fatal region error detected; run recovery#', $buffer)) {
        $file = "/etc/artica-postfix/croned.1/cyrus.db.error";
        if (file_time_min($file) > 10) {
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                $buffer = "Artica has detected a fatal error on cyrus\n{$buffer}\nArtica will try to repair it but it should not working\n";
                $buffer = $buffer . "Perhaps you need to contact your support to correctly recover cyrus databases\n";
                $buffer = $buffer . "Notice,read this topic : http://www.gradstein.info/software/how-to-recover-from-cyrus-when-you-have-some-db-errors/\n";
                THREAD_COMMAND_SET('/usr/share/artica-postfix/bin/artica-install --cyrus-recoverdb');
                email_events("Cyrus database error !!", $buffer, "mailbox");
            }
            events("DBERROR detected, take action");
            @unlink($file);
            file_put_contents($file, "#");
        } else {
            events("(fatal region error detected; run recovery) DBERROR detected, but take action after 10mn");
        }
        return null;
    }
    if (preg_match("#cyrus.+?DBERROR\\s+db[0-9]+:\\s+DB_AUTO_COMMIT may not be specified in non-transactional environment#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/cyrus.db.error";
        if (file_time_min($file) > 10) {
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                $buffer = "Artica has detected a fatal error on cyrus\n{$buffer}\nArtica will try to repair it but it should not working\n";
                $buffer = $buffer . "Perhaps you need to contact your support to correctly recover cyrus databases\n";
                $buffer = $buffer . "Notice,read this topic : http://www.gradstein.info/software/how-to-recover-from-cyrus-when-you-have-some-db-errors/\n";
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/usr/share/artica-postfix/bin/artica-install --cyrus-ctl-cyrusdb');
                email_events("Cyrus database error !!", $buffer, "mailbox");
            }
            events("DBERROR detected, take action");
            @unlink($file);
            file_put_contents($file, "#");
        } else {
            events("(DB_AUTO_COMMIT may not be specified in non-transactional) DBERROR detected, but take action after 10mn");
        }
        return null;
    }
    if (preg_match("#tlsmgr.+?fatal: open database .+?Stale NFS file handle#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/tlsmgr.Stale.NFS.file.handle";
        if (file_time_min($file) > 10) {
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                $buffer = "Artica has detected a fatal error on Postfix (tls manager)\n{$buffer}\nTo fix this issue, you need to reboot the computer\n";
                $buffer = $buffer . "In order to release locked file\nIf reboot trough Artica did not working, run this commandline :\nshutdown -rF now";
                email_events("Stale NFS file handle !!", $buffer, "postfix");
                events("Stale NFS file handle");
                @unlink($file);
            }
            file_put_contents($file, "#");
        } else {
            events("tlsmgr:Stale NFS file handle, but take action after 10mn");
        }
        return null;
    }
    if (preg_match("#cyrus.+?:\\s+DBERROR:\\s+opening.+?mailboxes.db:\\s+cyrusdb error#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/cyrus.db.error";
        if (file_time_min($file) > 10) {
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                $buffer = "Artica has detected a fatal error on cyrus\n{$buffer}\nArtica will try to repair it but it should not working\n";
                $buffer = $buffer . "Perhaps you need to contact your support to correctly recover cyrus databases\n";
                $buffer = $buffer . "Notice,read this topic : http://www.gradstein.info/software/how-to-recover-from-cyrus-when-you-have-some-db-errors/\n";
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/usr/share/artica-postfix/bin/artica-install --cyrus-recoverdb');
                email_events("Cyrus database error !!", $buffer, "mailbox");
            }
            @unlink($file);
            file_put_contents($file, "#");
        } else {
            events("DBERROR detected, but take action after 10mn");
        }
        return null;
    }
    if (preg_match("#IMAP Login from\\s+(.*?)\\s+for user\\s+(.+)#", $buffer, $re)) {
        $service = "imap";
        $server = trim($re[2]);
        $server_ip = null;
        $user = trim($re[4]);
        cyrus_imap_conx($service, $server, $server_ip, $user);
    }
    if (preg_match('#cyrus\\/(.+?)\\[.+?login:(.+?)\\[(.+?)\\]\\s+(.+?)\\s+.+?User#', $buffer, $re)) {
        $service = trim($re[1]);
        $server = trim($re[2]);
        $server_ip = trim($re[3]);
        $user = trim($re[4]);
        cyrus_imap_conx($service, $server, $server_ip, $user);
        return null;
    }
    if (preg_match("#zarafa-gateway\\[.+?:\\s+IMAP Login from\\s+(.+)\\s+for user\\s+(.+?)\\s+#", $buffer, $re)) {
        $service = "IMAP";
        $server = trim($re[1]);
        $server_ip = trim($re[1]);
        $user = trim($re[2]);
        cyrus_imap_conx($service, $server, $server_ip, $user);
        return null;
    }
    if (preg_match('#cyrus\\/ctl_mboxlist.+?DBERROR: reading.+?, assuming the worst#', $buffer)) {
        $file = "/etc/artica-postfix/croned.1/cyrus.db1.error";
        if (file_time_min($file) > 10) {
            $buffer = "Artica has detected a fatal error on cyrus\n{$buffer}\n\n";
            email_events("Cyrus database error !!", $buffer, "mailbox");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return null;
    }
    if (preg_match('#cyrus\\/sync_client.+?Can not connect to server#', $buffer)) {
        $file = "/etc/artica-postfix/croned.1/cyrus.cluster.error";
        if (file_time_min($file) > 10) {
            $buffer = "Artica has detected that the cyrus cluster replica is not available on cyrus\n{$buffer}\n\n";
            email_events("Cyrus replica not available", $buffer, "mailbox");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return null;
    }
    if (preg_match('#cyrus\\/sync_client.+?connect.+?failed: No route to host#', $buffer)) {
        $file = "/etc/artica-postfix/croned.1/cyrus.cluster.error";
        if (file_time_min($file) > 10) {
            $buffer = "Artica has detected that the cyrus cluster replica is not available on cyrus\n{$buffer}\n\n";
            email_events("Cyrus replica not available", $buffer, "mailbox");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return null;
    }
    if (preg_match('#warning: dict_ldap_connect: Unable to bind to server ldap#', $buffer)) {
        $file = "/etc/artica-postfix/croned.1/ldap.error";
        if (file_time_min($file) > 10) {
            email_events("Postfix is unable to connect to ldap server ", $buffer, "system");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return null;
    }
    if (preg_match('#service pop3 pid.+?in BUSY state and serving connection#', $buffer)) {
        $file = "/etc/artica-postfix/croned.1/pop3-busy.error";
        if (file_time_min($file) > 10) {
            email_events("Pop3 service is overloaded", "pop3 report:\n{$buffer}\nPlease,increase pop3 childs connections in artica Interface", "mailbox");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return null;
    }
    if (preg_match('#milter inet:[0-9\\.]+:1052.+?Connection timed out#', $buffer)) {
        $file = "/etc/artica-postfix/croned.1/KAV-TIMEOUT.error";
        if (file_time_min($file) > 10) {
            email_events("Postfix service Cannot connect to Kaspersky Antivirus milter", "it report:\n{$buffer}\nPlease,disable Kaspersky service or contact your support", "postfix");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return null;
    }
    if (preg_match('#milter unix:/var/run/milter-greylist/milter-greylist.sock.+?Connection timed out#', $buffer)) {
        $file = "/etc/artica-postfix/croned.1/miltergreylist-TIMEOUT.error";
        if (file_time_min($file) > 10) {
            email_events("milter-greylist error", "it report:\n{$buffer}\nPlease,investigate what plugin cannot send to milter-greylist events", "postfix");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return null;
    }
    if (preg_match('#SASL authentication failure: cannot connect to saslauthd server#', $buffer)) {
        $file = "/etc/artica-postfix/croned.1/saslauthd.error";
        if (file_time_min($file) > 10) {
            email_events("saslauthd failed to run", "it report:\n{$buffer}\nThis error is fatal, nobody can be logged on the system.", "mailbox");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return null;
    }
    if (preg_match("#smtp.+?warning:\\s+(.+?)\\[(.+?)\\]:\\s+SASL DIGEST-MD5 authentication failed#", $buffer, $re)) {
        $router_name = $re[1];
        $ip = $re[2];
        smtp_sasl_failed($router_name, $ip, $buffer);
        return null;
    }
    if (preg_match('#warning: connect to Milter service unix:/var/run/kas-milter.socket: Permission denied#', $buffer)) {
        $file = "/etc/artica-postfix/croned.1/kas-perms.error";
        if (file_time_min($file) > 10) {
            email_events("Kaspersky Anti-spam socket error", "it report:\n{$buffer}\nArtica will restart kas service...", "postfix");
            @unlink($file);
            file_put_contents($file, "#");
            if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
                $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart kas3');
            }
        }
        return null;
    }
    if (preg_match('#smtpd.+?warning: problem talking to server (.+?):\\s+Connection refused#', $buffer, $re)) {
        $pb = md5($re[1]);
        $file = "/etc/artica-postfix/croned.1/postfix-talking.{$pb}.error";
        $time = file_time_min($file);
        if ($time > 10) {
            events("Postfix routing error {$re[1]}");
            email_events("Postfix routing error {$re[1]}", "it report:\n{$buffer}\nPlease take a look of your routing table", "postfix");
            @unlink($file);
            file_put_contents($file, "#");
        }
        events("Postfix routing error {$re[1]} (SKIP) {$time}/10mn");
        return null;
    }
    if (preg_match("#sync_client.+?connect\\((.+?)\\) failed: Connection refused#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/" . md5($buffer);
        if (file_time_min($file) > 10) {
            email_events("Cyrus replica {$re[1]} cluster failed", "it report:\n{$buffer}\n\n\t\tplease check your support, mails will not be delivered until replica is down !", "mailbox");
            @unlink($file);
            file_put_contents($file, "#");
        }
        return null;
    }
    if (preg_match("#could not connect to amavisd socket /var/spool/postfix/var/run/amavisd-new/amavisd-new.sock: No such file or directory#", $buffer)) {
        amavis_socket_error($buffer);
        return null;
    }
    if (preg_match("#could not connect to amavisd socket.+?Connection timed out#", $buffer)) {
        amavis_socket_error($buffer);
        return null;
    }
    if (preg_match("#NOQUEUE: reject:.+?from.+?\\[([0-9\\.]+)\\]:.+?Sender address rejected: Domain not found; from=<(.+?)> to=<(.+?)> proto#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("Domain not found", $re[2], $re[3], $re[1]);
        events("{$re[1]} Domain not found from=<{$re[2]}> to=<{$re[3]}>");
        return null;
    }
    if (preg_match("#NOQUEUE: reject:.+?from.+?\\[([0-9\\.]+)\\]:.+?Client host rejected: cannot find your hostname.+?from=<(.+?)> to=<(.+?)> proto#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("hostname not found", $re[2], $re[3], $re[1]);
        return null;
    }
    if (preg_match("#smtpd.+?NOQUEUE:.+?from.+?\\[(.+?)\\].+?Client host rejected.+?reverse hostname.+?from=<(.+?)>.+?to=<(.+?)>#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("hostname not found", $re[2], $re[3], $re[1]);
        return null;
    }
    if (preg_match("#smtpd.+?NOQUEUE: reject.+?from.+?\\[(.+?)\\].+?Helo command rejected:.+?from=<(.+?)> to=<(.+?)>#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("Helo command rejected", $re[2], $re[3], $re[1]);
        return null;
    }
    if (preg_match("#smtpd.+?NOQUEUE: reject.+?from.+?\\[(.+?)\\].+?4.3.5 Server configuration problem.+?from=<(.+?)> to=<(.+?)>#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("Server configuration problem", $re[2], $re[3], $re[1]);
        return null;
    }
    if (preg_match("#postfix.+?\\[.+?reject: header.+?from.+?\\[([0-9\\.]+)\\];\\s+from=<(.*?)>\\s+to=<(.+?)>.+? too many rec.+?pients#", $buffer, $re)) {
        events("too many recipients from {$re[2]} to {$re[3]}");
        if ($GLOBALS["PostfixNotifyMessagesRestrictions"] == 1) {
            events("-> notification...");
            $GLOBALS["CLASS_UNIX"]->send_email_events("Blocked message too many recipients from {$re[2]}", "Postfix claims {$buffer}", "postfix");
        }
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("too many recepients", $re[2], $re[3], $re[1]);
        return null;
    }
    if (preg_match("#cyrus.+?badlogin:\\s+(.+?)\\s+\\[(.+?)\\]\\s+.+?\\s+(.+?)\\s+(.+)#", $buffer, $re)) {
        $router = $re[1];
        $ip = $re[2];
        $user = $re[3];
        $error = $re[4];
        cyrus_bad_login($router, $ip, $user, $error);
        return null;
    }
    if (preg_match("#IOERROR.+?fstating sieve script\\s+(.+?):\\s+No such file or directory#", $buffer, $re)) {
        if ($GLOBALS["ActAsSMTPGatewayStatistics"] == 0) {
            $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("/bin/touch \"" . trim($re[1]) . "\"");
        }
        return null;
    }
    if (preg_match("#smtp.+?\\].+?([A-Z0-9]+):\\s+to=<(.+?)>.+?status=deferred.+?\\((.+?)command#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_messageid_rejected($re[1], "deferred", $re[2], $re[3]);
        return null;
    }
    if (preg_match("#smtp.+?:\\s+(.+?):\\s+to=<(.+?)>,\\s+relay=none,.+?status=deferred \\(connect to .+?\\[(.+?)\\].+?Connection refused#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_messageid_rejected($re[1], "Connection refused", $re[2], $re[3]);
        return null;
    }
    if (preg_match("#smtp.+?\\].+?([A-Z0-9]+):.+?SASL authentication failed#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_messageid_rejected($re[1], "Authentication failed");
        return null;
    }
    if (preg_match("#smtp.+?\\].+?([A-Z0-9]+):.+?refused to talk to me.+?554 RBL rejection#", $buffer, $re)) {
        ImBlackListed($re[2], $buffer);
        $GLOBALS["maillog_tools"]->event_messageid_rejected($re[1], "Your are blacklisted");
        return null;
    }
    if (preg_match("#smtp\\[.+?:\\s+(.+?):\\s+to=<(.+?)>,\\s+relay=.+?\\[(.+?)\\].+?status=deferred.+?refused to talk to me#", $buffer, $re)) {
        ImBlackListed($re[3], $buffer);
        $GLOBALS["maillog_tools"]->event_messageid_rejected($re[1], "Your are blacklisted", $re[3], $re[2]);
        return null;
    }
    if (preg_match("#postfix\\/bounce\\[.+?:\\s+(.+?):\\s+sender non-delivery notification#", $buffer, $re)) {
        events("{$re[1]} non-delivery");
        $GLOBALS["maillog_tools"]->event_messageid_rejected($re[1], "non-delivery", null, null);
        return null;
    }
    if (preg_match("#smtp\\[.+?\\]:\\s+(.+?):\\s+to=<(.+?)>, relay=(.+?)\\[.+?status=bounced\\s+\\(.+?loops back to myself#", $buffer, $re)) {
        if (!is_dir("/etc/artica-postfix/croned.1")) {
            @mkdir("/etc/artica-postfix/croned.1", 0755, true);
        }
        $file = "/etc/artica-postfix/croned.1/postfix.loops.back.to.myself";
        if (file_time_min($file) > 10) {
            shell_exec("{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix.maincf.php --urgency >/dev/null 2>&1 &");
            @unlink($file);
            @file_put_contents($file, time);
        }
        $GLOBALS["maillog_tools"]->event_messageid_rejected($re[1], "loops back to myself", $re[3], $re[2]);
        return null;
    }
    if (preg_match("#smtp\\[.+?:\\s+(.+?): host.+?\\[(.+?)\\] said.+?<(.+?)>:.+?Greylisting in action#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_messageid_rejected($re[1], "Greylisted", $re[2], $re[3]);
        return null;
    }
    if (preg_match("#smtp\\[.+?:\\s+(.+?):\\s+host.+?\\[(.+?)\\]\\s+refused to talk to me:#", $buffer, $re)) {
        ImBlackListed($re[2], $buffer);
        $GLOBALS["maillog_tools"]->event_messageid_rejected($re[1], "Your are blacklisted", $re[2]);
        return null;
    }
    if (preg_match("#\\/cleanup.*?:\\s+([A-Z0-9]+):\\s+redirect:.*?from\\s+(.+?)\\[([0-9\\.]+)\\];\\s+from=<(.*?)>\\s+to=<(.*?)>#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_messageid_rejected($re[1], "Redirect", $re[2], $re[5], $re[4], $re[3]);
        return null;
    }
    if (preg_match('#milter-greylist:.+?:.+?addr.+?from <(.+?)> to <(.+?)> delayed for#', $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_rejected(md5($re[1] . $re[2] . date('Y-m d H is')), "Greylisting", $re[1], $re[2], $buffer);
        return null;
    }
    if (preg_match('#milter-greylist:.+?addr.+?\\[(.+?)\\] from <> to <(.+?)> delayed#', $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_rejected(md5($re[1] . $re[2] . date('Y-m d H is')), "Greylisting", "unknown", $re[2], $buffer);
        return null;
    }
    if (preg_match('#milter-greylist: \\(unknown id\\): addr.+?\\[(.+?)\\] from\\s+=(.+?)> to <(.+?)>\\s+delayed#', $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_rejected(md5($re[1] . $re[2] . time()), "Greylisting", $re[2], $re[3], $buffer, $re[1]);
        return null;
    }
    if (preg_match("#assp.+?<(.+?)>\\s+to:\\s+(.+?)\\s+recipient delayed#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_rejected(md5($re[1] . $re[2] . date('Y-m d H is')), "Greylisting", $re[1], $re[2], $buffer);
        return null;
    }
    if (preg_match("#assp.+?MessageScoring.+?<(.+?)>\\s+to:\\s+(.+?)\\s+\\[spam found\\]#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_rejected(md5($re[1] . $re[2] . date('Y-m d H is')), "SPAM", $re[1], $re[2], $buffer);
        return null;
    }
    if (preg_match("#assp.+?MalformedAddress.+?<(.+?)>\\s+to:\\s+(.+?)\\s+\\malformed address:'\\|(.+?)'#", $buffer, $re)) {
        eventsRTM("malformed address: {$buffer}");
        $GLOBALS["maillog_tools"]->event_message_rejected(md5($re[1] . $re[2] . date('Y-m d H is')), "malformed address (ASSP)", $re[1], $re[2], $buffer);
        return null;
    }
    if (preg_match("#assp.+?\\[Extreme\\]\\s+(.+?)\\s+<(.+?)>\\s+to:\\s+(.+?)\\s+\\[spam found\\]#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_rejected(md5($re[1] . $re[2] . date('Y-m d H is')), "SPAM", $re[2], $re[3], $buffer, $re[1]);
        return null;
    }
    if (preg_match("#assp.+?<(.*?)>\\s+to:\\s+(.+?)\\s+bounce delayed#", $buffer, $re)) {
        if ($re[1] == null) {
            $re[1] = "Unknown";
        }
        $GLOBALS["maillog_tools"]->event_message_rejected(md5($re[1] . $re[2] . date('Y-m d H is')), "bounce delayed", $re[1], $re[2], $buffer);
    }
    if (preg_match("#assp.+?\\[DNSBL\\]\\s+(.+?)\\s+<(.*?)>\\s+to:\\s+(.+?)\\s+#", $buffer, $re)) {
        if ($re[2] == null) {
            $re[2] = "Unknown";
        }
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("DNSBL", $re[2], $re[3], $re[1]);
        return null;
    }
    if (preg_match("#assp.+?\\[URIBL\\]\\s+(.+?)\\s+<(.*?)>\\s+to:\\s+(.+?)\\s+#", $buffer, $re)) {
        if ($re[2] == null) {
            $re[2] = "Unknown";
        }
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("URIBL", $re[2], $re[3], $re[1]);
        return null;
    }
    if (preg_match("#assp.+?\\[SpoofedSender\\]\\s+(.+?)\\s+<(.*?)>\\s+to:\\s+(.+?)\\s+.+?No Spoofing Allowed#", $buffer, $re)) {
        if ($re[2] == null) {
            $re[2] = "Unknown";
        }
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("SPOOFED", $re[2], $re[3], $re[1]);
        return null;
    }
    if (preg_match("#assp.+?\\[InvalidHELO\\]\\s+(.+?)\\s+<(.*?)>\\s+to:\\s+(.+?)\\s+#", $buffer, $re)) {
        if ($re[2] == null) {
            $re[2] = "Unknown";
        }
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("BAD HELO", $re[2], $re[3], $re[1]);
        return null;
    }
    if (preg_match("#NOQUEUE: reject: RCPT from.+?<(.+?)>: Recipient address rejected: User unknown in relay recipient table;.+?to=<(.+?)> proto=SMTP#", $buffer, $re)) {
        $id = md5($re[1] . $re[2] . date('Y-m d H is'));
        $GLOBALS["maillog_tools"]->event_finish($id, $re[2], "reject", "User unknown", $re[1]);
        return null;
    }
    if (preg_match("#postfix\\/lmtp.+?:\\s+(.+?):\\s+to=<(.+?)>.+?said:\\s+550-Mailbox unknown#", $buffer, $re)) {
        $id = $re[1];
        $to = $re[2];
        $GLOBALS["maillog_tools"]->event_message_milter_reject($id, "Mailbox unknown", null, $re[2], $buffer);
        mailbox_unknown($buffer, $to);
        return null;
    }
    if (preg_match('#: (.+?): reject: RCPT.+?Relay access denied; from=<(.+?)> to=<(.+?)> proto=SMTP#', $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/postfix.relay.access.denied";
        if (file_time_min($file) > 30) {
            $GLOBALS["CLASS_UNIX"]->send_email_events("Postfix Relay access denied", "Artica will recompile Postfix in case of bad settings", "postfix");
            shell_exec("{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix.maincf.php --urgency >/dev/null 2>&1 &");
            @unlink($file);
            @file_put_contents($file, time);
        }
        if ($re[1] == "NOQUEUE") {
            $re[1] = md5($re[3] . $re[2] . date('Y-m d H is'));
        }
        $GLOBALS["maillog_tools"]->event_finish($re[1], $re[3], "reject", "Relay access denied", $re[2], $buffer);
        return null;
    }
    if (preg_match('#postfix.+?cleanup.+?:\\s+(.+?):\\s+milter-reject: END-OF-MESSAGE.+4.6.0 Content scanner malfunction; from=<(.+?)> to=<(.+?)> proto=SMTP#', $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_Content_scanner_malfunction($re[1], $re[2], $re[3]);
        return null;
    }
    if (preg_match("#postfix.+?cleanup.+?:\\s+(.+?):\\s+milter-discard.+?END-OF-MESSAGE.+?DISCARD.+?from=<(.+?)> to=<(.+?)> proto=SMTP#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_DISCARD($re[1], $re[2], $re[3], $buffer);
        return null;
    }
    if (preg_match("#cleanup\\[.+?:\\s+(.+?):\\s+milter-discard: END-OF-MESSAGE from.+?\\[(.+?)\\]:\\s+milter triggers DISCARD action;\\s+from=<(.+?)>\\s+to=<(.+?)>#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_DISCARD($re[1], $re[3], $re[4], $buffer, $re[2]);
        return null;
    }
    if (preg_match("#^([A-ZA-z]+)\\s+([0-9]+)\\s+([0-9\\:]+).+?:\\s+([A-Z0-9]+):\\s+client=(.+)#", $buffer, $re)) {
        $date = date('Y-m-d H:i:s');
        $GLOBALS["maillog_tools"]->event_newmail($re[4]);
        return null;
    }
    if (preg_match("#^([A-ZA-z]+)\\s+([0-9]+)\\s+([0-9\\:]+).+?:\\s+([A-Z0-9]+):\\s+message-id=<(.*?)>#", $buffer, $re)) {
        events("NEW message_id {$re[4]} {$re[5]}");
        $GLOBALS["maillog_tools"]->event_newmail($re[4], $re[5]);
        return null;
    }
    if (preg_match("#^([A-ZA-z]+)\\s+([0-9]+)\\s+([0-9\\:]+).+?:\\s+([A-Z0-9]+):\\s+from=<(.*?)>, size=([0-9]+)#", $buffer, $re)) {
        events("NEW MAIL {$re[4]} <{$re[5]}> ({$re[6]} bytes)");
        $GLOBALS["maillog_tools"]->event_message_from($re[4], $re[5], $re[6]);
        return null;
    }
    if (preg_match("#NOQUEUE: milter-reject: RCPT from.+?: 451 4.7.1 Greylisting in action, please come back in .+?; from=<(.+?)> to=<(.+?)> proto=SMTP#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_reject_hostname("Greylisting", $re[1], $re[2]);
        return null;
    }
    if (preg_match("#^([A-ZA-z]+)\\s+([0-9]+)\\s+([0-9\\:]+).+?:\\s+([A-Z0-9]+):\\s+milter-reject:.+?:(.+?)\\s+from=<(.+?)>#", $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_milter_reject($re[4], $re[5], $re[6], null, $buffer);
        return null;
    }
    if (preg_match("#^([A-ZA-z]+)\\s+([0-9]+)\\s+([0-9\\:]+).+?:\\s+([A-Z0-9]+):\\s+to=<(.+?)>,\\s+orig_to=<.+?>,\\s+relay=(.+?),\\s+delay=.+?,\\s+delays=.+?,\\s+dsn=.+?,\\s+status=([a-zA-Z]+)#", $buffer, $re)) {
        if (preg_match('#\\s+status=.+?\\s+\\((.+?)\\)#', $buffer, $ri)) {
            $bounce_error = $ri[1];
        }
        events("Finish {$re[4]} <{$re[5]}> ({$re[7]})");
        $GLOBALS["maillog_tools"]->event_finish($re[4], $re[5], $re[7], $bounce_error, null, $buffer);
        return null;
    }
    if (preg_match("#^([A-ZA-z]+)\\s+([0-9]+)\\s+([0-9\\:]+).+?:\\s+([A-Z0-9]+):\\s+to=<(.+?)>,\\s+relay=(.+?),\\s+delay=.+?,\\s+delays=.+?,\\s+dsn=.+?,\\s+status=([a-zA-Z]+)#", $buffer, $re)) {
        if (preg_match('#\\s+status=.+?\\s+\\((.+?)\\)#', $buffer, $ri)) {
            $bounce_error = $ri[1];
        }
        $GLOBALS["maillog_tools"]->event_finish($re[4], $re[5], $re[7], $bounce_error, null, $buffer);
        return null;
    }
    //-------------------------------------------------------------- ERRORS
    if (preg_match('#amavisd-milter.+?could not read from amavisd socket.+?\\.sock:Connection timed out#', $buffer, $re)) {
        amavis_socket_error($buffer);
        return null;
    }
    if (preg_match('#warning: milter unix.+?amavisd-milter.sock:.+SMFIC_MAIL reply packet header: Broken pipe#', $buffer, $re)) {
        amavis_error_restart($buffer);
        return null;
    }
    if (preg_match('#sfupdates.+?KASERROR.+?keepup2date\\s+failed.+?code.+?critical error#', $buffer, $re)) {
        kas_error_update($buffer);
        return null;
    }
    if (preg_match('#lmtp.+?:\\s+(.+?): to=<(.+?)>,.+?status=deferred.+?connect to .+?\\[(.+?)\\].+?No such file or directory#', $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_milter_reject($re[1], "deferred", null, $re[1]);
        cyrus_socket_error($buffer, "{$re['3']}");
        return null;
    }
    if (preg_match('#lmtp.+?:(.+?):\\s+to=<(.+?)>.+?said: 550-Mailbox unknown#', $buffer, $re)) {
        $GLOBALS["maillog_tools"]->event_message_milter_reject($re[1], "Mailbox unknown", null, $re[2]);
        mailbox_unknown($buffer, $re[2]);
        return null;
    }
    events_not_filtered("Not Filtered:\"{$buffer}\"");
}
Exemplo n.º 5
0
function Parseline($buffer)
{
    $buffer = trim($buffer);
    $GLOBALS["COUNT-LINES"]++;
    if ($GLOBALS["COUNT-LINES"] > 5000) {
        $GLOBALS["TOTAL-LINES"] = $GLOBALS["TOTAL-LINES"] + $GLOBALS["COUNT-LINES"];
        $distanceInSeconds = round(abs(time() - $GLOBALS["COUNT-LINES-TIME"]));
        $distanceInMinutes = round($distanceInSeconds / 60);
        events("{$GLOBALS["TOTAL-LINES"]} Parsed...");
        if ($distanceInMinutes > 2) {
            events("{$GLOBALS["TOTAL-LINES"]} Check size...");
            $GLOBALS["COUNT-LINES-TIME"] = time();
            shell_exec($GLOBALS["CLEANCMD"]);
            $GLOBALS["COUNT-LINES"] = 0;
        }
    }
    if (strpos($buffer, '):  operation="file_perm" pid=') > 0) {
        return;
    }
    $dust = new syslogger();
    if (strpos($buffer, "]: [DEBUG]") > 0) {
        return;
    }
    if ($dust->MailDustbin($buffer)) {
        return;
    }
    //kernel dustbin
    if (strpos($buffer, "ext4_dx_add_entry: Directory index full") > 0) {
        return true;
    }
    if (strpos($buffer, "] ll header:") > 0) {
        return true;
    }
    if (strpos($buffer, "exec.squid.watchdog.php") > 0) {
        return true;
    }
    if (strpos($buffer, "using local addresses only for domain") > 0) {
        return true;
    }
    //squid dustbin
    if (strpos($buffer, "Load average increasing, re-enabling all cpus for irq balancing") > 0) {
        return true;
    }
    if (strpos($buffer, "artica-watchdog[") > 0) {
        return true;
    }
    if (strpos($buffer, "exec.syslog-engine.php") > 0) {
        return true;
    }
    if (strpos($buffer, "exec.postfix-logger.php") > 0) {
        return true;
    }
    if (strpos($buffer, "]: WARNING: ") > 0) {
        return true;
    }
    if (strpos($buffer, " epmd running") > 0) {
        return true;
    }
    if (strpos($buffer, "#]: Startup: Initializing") > 0) {
        return true;
    }
    if (strpos($buffer, "]: Reconfiguring Squid Cache") > 0) {
        return true;
    }
    if (strpos($buffer, "]: Closing HTTP port") > 0) {
        return true;
    }
    if (strpos($buffer, "]: Processing Configuration File:") > 0) {
        return true;
    }
    if (strpos($buffer, "]: Startup: Initialized") > 0) {
        return true;
    }
    if (strpos($buffer, "]: Warning: empty ACL") > 0) {
        return true;
    }
    if (strpos($buffer, "]: Accepting HTTP Socket connections") > 0) {
        return true;
    }
    if (strpos($buffer, " RELEASE ") > 0) {
        return true;
    }
    if (strpos($buffer, " SWAPOUT ") > 0) {
        return true;
    }
    if (strpos($buffer, "RELEASE -1 FFFFFFFF") > 0) {
        return true;
    }
    //Postfix dustbin
    if (preg_match("#Do you need to run.+?sa-update#", $buffer)) {
        amavis_sa_update($buffer);
        return;
    }
    if (strpos($buffer, " fcrontab[") > 0) {
        return true;
    }
    if (strpos($buffer, "exec.mailarchive.php") > 0) {
        return true;
    }
    if (strpos($buffer, "Orphan Comm::Connection: local=") > 0) {
        return true;
    }
    if (strpos($buffer, "class.mysql.squid.builder.php") > 0) {
        return true;
    }
    if (strpos($buffer, "Orphans since last started") > 0) {
        return true;
    }
    if (strpos($buffer, "general, No Profile configured! Allowing") > 0) {
        return true;
    }
    if (strpos($buffer, "general, KHSE: no threat detected in") > 0) {
        return true;
    }
    if (preg_match("#exec.dstat.top.php#", $buffer)) {
        return true;
    }
    if (preg_match("#artica-filter#", $buffer)) {
        return true;
    }
    if (preg_match("#postfix\\/#", $buffer)) {
        return true;
    }
    if (preg_match("#CRON\\[#", $buffer)) {
        return true;
    }
    if (preg_match("#: CACHEMGR:#", $buffer)) {
        return true;
    }
    if (preg_match("#exec\\.postfix-logger\\.php:#", $buffer)) {
        return true;
    }
    if (preg_match("#artica-install\\[#", $buffer)) {
        return true;
    }
    // monit dustbin
    if (preg_match("#monitor action done#", $buffer)) {
        return true;
    }
    if (preg_match("#monitor service.+?on user request#", $buffer)) {
        return true;
    }
    if (preg_match("#CRON\\[.+?\\(root\\).+CMD#", $buffer)) {
        return true;
    }
    if (preg_match("#winbindd\\[.+?winbindd_listen_fde_handler#", $buffer)) {
        return true;
    }
    if (strpos($buffer, "Other action already in progress -- please try again later") > 0) {
        return true;
    }
    if (strpos($buffer, "class.cronldap.inc") > 0) {
        return true;
    }
    if (strpos($buffer, "Awakened by User defined") > 0) {
        return true;
    }
    if (strpos($buffer, ": Checking summary") > 0) {
        return true;
    }
    //Zarafa dustbin
    if (strpos($buffer, ": End of session (logoff)") > 0) {
        return true;
    }
    if (strpos($buffer, " receives session ") > 0) {
        return true;
    }
    if (strpos($buffer, ": Disconnecting client") > 0) {
        return true;
    }
    if (strpos($buffer, "  thread exiting") > 0) {
        return true;
    }
    if (strpos($buffer, ": Accepted connection from") > 0) {
        return true;
    }
    if (strpos($buffer, ": Not authorized for command: CAPA") > 0) {
        return true;
    }
    if (strpos($buffer, ": Starting worker process for") > 0) {
        return true;
    }
    // **************** peut être utilisé ???
    if (strpos($buffer, "User supplied password using program zarafa-gateway") > 0) {
        return true;
    }
    if (strpos($buffer, "authenticated through User supplied password using program") > 0) {
        return true;
    }
    if (strpos($buffer, "authenticated through Pipe socket using program") > 0) {
        return true;
    }
    if (strpos($buffer, "conntrack-tools[") > 0) {
        return true;
    }
    if (strpos($buffer, "]: (root) CMD (") > 0) {
        return true;
    }
    if (strpos($buffer, "]: MemoryInstances") > 0) {
        return true;
    }
    if (strpos($buffer, "]: launch_all_status(") > 0) {
        return true;
    }
    if (strpos($buffer, "]: PROCESS IN MEMORY") > 0) {
        return true;
    }
    if (strpos($buffer, ">/dev/null 2>&1 &") > 0) {
        return true;
    }
    if (strpos($buffer, "executed...end") > 0) {
        return true;
    }
    if (strpos($buffer, "requests per minute") > 0) {
        return true;
    }
    if (strpos($buffer, "Ask all status to MONIT") > 0) {
        return true;
    }
    if (strpos($buffer, "exec.status.php[") > 0) {
        return true;
    }
    if (preg_match("#slapd.+?conn=[0-9]+\\s+fd=.+?closed#", $buffer)) {
        return true;
    }
    if (strpos($buffer, "msmtp: ") > 0) {
        return true;
    }
    if (strpos($buffer, "*system*awstats") > 0) {
        return true;
    }
    if (strpos($buffer, "extra modules loaded after daemonizing/chrooting") > 0) {
        return;
    }
    if (strpos($buffer, "/etc/cron.d/awstats") > 0) {
        return;
    }
    if (strpos($buffer, "emailrelay:") > 0) {
        return;
    }
    if (strpos($buffer, "pptpd-logwtmp.so loaded") > 0) {
        return;
    }
    if (strpos($buffer, "Reinitializing monit daemon") > 0) {
        return;
    }
    if (strpos($buffer, "Monit reloaded") > 0) {
        return;
    }
    if (strpos($buffer, "Tarticaldap.logon") > 0) {
        return;
    }
    if (strpos($buffer, "pulseaudio[") > 0) {
        return;
    }
    if (strpos($buffer, "exec: /usr/bin/php5") > 0) {
        return;
    }
    if (strpos($buffer, "Found decoder for ") > 0) {
        return;
    }
    if (strpos($buffer, "Internal decoder for ") > 0) {
        return;
    }
    if (strpos($buffer, "Loaded Icons") > 0) {
        return;
    }
    if (strpos($buffer, "CP ConfReq") > 0) {
        return;
    }
    if (strpos($buffer, "CP ConfAck") > 0) {
        return;
    }
    if (strpos($buffer, "CP EchoReq") > 0) {
        return;
    }
    if (strpos($buffer, "/usr/sbin/cron") > 0) {
        return;
    }
    if (strpos($buffer, "no IPv6 routers present") > 0) {
        return;
    }
    if (strpos($buffer, "AM.PDP-SOCK") > 0) {
        return;
    }
    if (strpos($buffer, "disconnect from unknown") > 0) {
        return;
    }
    //amavis - Mail Dutdsbin
    //LDAP Dustbin
    if (strpos($buffer, "SEARCH RESULT tag=") > 0) {
        return;
    }
    if (strpos($buffer, 'SRCH base="cn=') > 0) {
        return;
    }
    if (strpos($buffer, 'ACCEPT from IP=') > 0) {
        return;
    }
    if (strpos($buffer, 'closed (connection lost)') > 0) {
        return;
    }
    //automount dustbin
    if (strpos($buffer, "handle_packet: type") > 0) {
        return;
    }
    if (strpos($buffer, "dev_ioctl_send_fail: token") > 0) {
        return;
    }
    if (strpos($buffer, "lookup_mount: lookup(ldap)") > 0) {
        return;
    }
    if (strpos($buffer, "handle_packet_missing_indirect: token") > 0) {
        return;
    }
    if (strpos($buffer, "getuser_func: called with context") > 0) {
        return;
    }
    if (strpos($buffer, "attempting to mount entry /automounts") > 0) {
        return;
    }
    if (strpos($buffer, "lookup_one: lookup(ldap)") > 0) {
        return;
    }
    if (strpos($buffer, "do_bind: lookup(ldap):") > 0) {
        return;
    }
    if (strpos($buffer, "sun_mount: parse") > 0) {
        return;
    }
    if (strpos($buffer, "]: failed to mount /") > 0) {
        return;
    }
    if (strpos($buffer, "]: do_mount:") > 0) {
        return;
    }
    if (strpos($buffer, "]: parse_mount: parse") > 0) {
        return;
    }
    if (strpos($buffer, "mount_mount: mount(generic):") > 0) {
        return;
    }
    if (strpos($buffer, ">> Error connecting to") > 0) {
        return;
    }
    if (strpos($buffer, ">> Refer to the mount") > 0) {
        return;
    }
    if (strpos($buffer, "getpass_func: context (nil)") > 0) {
        return;
    }
    //ROOT Dustbin
    if (strpos($buffer, "(root) CMD") > 0) {
        return;
    }
    if (strpos($buffer, "RELOAD (/etc/cron") > 0) {
        return;
    }
    //Cyrus DUSTBIN
    //pdns dustbin
    if (strpos($buffer, "question for '") > 0) {
        return;
    }
    if (strpos($buffer, "answer to question '") > 0) {
        return;
    }
    if (strpos($buffer, "failed (res=3)") > 0) {
        return;
    }
    if (preg_match("#pdns_recursor\\[[0-9]+\\]: \\[[0-9]+\\]\\s+#", $buffer)) {
        return;
    }
    //roundcube dustbin
    if (strpos($buffer, "IMAP Error: Empty password") > 0) {
        return;
    }
    //monit dustbin
    if (strpos($buffer, "Monit has not changed") > 0) {
        return;
    }
    if (strpos($buffer, ": synchronized to ") > 0) {
        return;
    }
    if (strpos($buffer, "monit HTTP server stopped") > 0) {
        return;
    }
    if (strpos($buffer, "Shutting down monit HTTP server") > 0) {
        return;
    }
    if (strpos($buffer, "Starting monit HTTP server at") > 0) {
        return;
    }
    if (strpos($buffer, "Reinitializing monit - Control") > 0) {
        return;
    }
    //squid dustbin:
    if (strpos($buffer, "Unlinkd pipe opened on FD") > 0) {
        return;
    }
    if (strpos($buffer, "Beginning Validation Procedure") > 0) {
        return;
    }
    //EMAILRELAY DUSTBIN
    if (strpos($buffer, "emailrelay: info: failing file") > 0) {
        return;
    }
    if (strpos($buffer, "emailrelay: info: no more messages to send") > 0) {
        return;
    }
    if (strpos($buffer, "emailrelay: warning: cannot do tls") > 0) {
        return;
    }
    if (strpos($buffer, "]: monit daemon at") > 0) {
        return;
    }
    if (strpos($buffer, "artica-ldap[") > 0) {
        return;
    }
    if (strpos($buffer, "want to change spamassassin settings but not installed") > 0) {
        return;
    }
    //SAMBA DUSTBIN
    if (strpos($buffer, "smb_register_idmap") > 0) {
        return;
    }
    if (strpos($buffer, "could not find idmap alloc module ad") > 0) {
        return;
    }
    if (strpos($buffer, "Idmap module nss already registered") > 0) {
        return;
    }
    if (strpos($buffer, "'winbindd' process PID changed to") > 0) {
        return;
    }
    if (strpos($buffer, "idmap_alloc module tdb already registered") > 0) {
        return;
    }
    if (strpos($buffer, "ad_idmap_cached_connection_internal") > 0) {
        return;
    }
    if (strpos($buffer, "idmap_ad_unixids_to_sids") > 0) {
        return;
    }
    if (strpos($buffer, "libads/kerberos.c:") > 0) {
        return;
    }
    if (strpos($buffer, "initialize_winbindd_cache") > 0) {
        return;
    }
    if (strpos($buffer, "winbindd/winbindd_group.c") > 0) {
        return;
    }
    if (strpos($buffer, "winbindd/winbindd_util.c") > 0) {
        return;
    }
    if (strpos($buffer, "smb_register_idmap_alloc") > 0) {
        return;
    }
    if (strpos($buffer, "Idmap module passdb already registered") > 0) {
        return;
    }
    if (strpos($buffer, "Cleaning up brl and lock database after unclean shutdown") > 0) {
        return;
    }
    if (strpos($buffer, "winbindd_sig_term_handler") > 0) {
        return;
    }
    if (strpos($buffer, "wins_registration_timeout") > 0) {
        return;
    }
    if (strpos($buffer, ":   netbios connect:") > 0) {
        return;
    }
    if (strpos($buffer, "cleanup_timeout_fn") > 0) {
        return;
    }
    if (strpos($buffer, "struct wbint_Gid2Sid") > 0) {
        return;
    }
    if (strpos($buffer, ":   doing parameter") > 0) {
        return;
    }
    if (strpos($buffer, "param/loadparm.c") > 0) {
        return;
    }
    if (strpos($buffer, ":   wins_registration_timeout:") > 0) {
        return;
    }
    if (strpos($buffer, "src: struct server_id") > 0) {
        return;
    }
    if (strpos($buffer, "dest: struct server_id") > 0) {
        return;
    }
    if (strpos($buffer, "messages: struct messaging_rec") > 0) {
        return;
    }
    if (strpos($buffer, "ndr/ndr.c") > 0) {
        return;
    }
    if (strpos($buffer, "smbd/reply.c") > 0) {
        return;
    }
    if (strpos($buffer, "lib/smbldap.c") > 0) {
        return;
    }
    if (strpos($buffer, "srvsvc_NetShare") > 0) {
        return;
    }
    if (strpos($buffer, "]:   Global parameter") > 0) {
        return;
    }
    if (strpos($buffer, "STYPE_IPC_HIDDEN") > 0) {
        return;
    }
    if (strpos($buffer, "STYPE_DISKTREE") > 0) {
        return;
    }
    if (strpos($buffer, ": NTLMSSP_") > 0) {
        return;
    }
    if (strpos($buffer, "MSG_SMB_UNLOCK") > 0) {
        return;
    }
    if (strpos($buffer, ":           messages: ARRAY(") > 0) {
        return;
    }
    if (strpos($buffer, "struct messaging_array") > 0) {
        return;
    }
    if (strpos($buffer, ":                   msg_version              :") > 0) {
        return;
    }
    if (strpos($buffer, ":           num_messages             :") > 0) {
        return;
    }
    if (strpos($buffer, ":                   sid                      :") > 0) {
        return;
    }
    if (strpos($buffer, ":               sid                      :") > 0) {
        return;
    }
    if (strpos($buffer, ":                       id                       :") > 0) {
        return;
    }
    if (strpos($buffer, ":               dom_name                 :") > 0) {
        return;
    }
    if (strpos($buffer, ":                   msg_version              :") > 0) {
        return;
    }
    if (strpos($buffer, ":                   buf                      :") > 0) {
        return;
    }
    if (strpos($buffer, ":               result                   :") > 0) {
        return;
    }
    if (strpos($buffer, ":               gid                      :") > 0) {
        return;
    }
    if (strpos($buffer, "server_unc") > 0) {
        return;
    }
    if (strpos($buffer, "union ntlmssp_AvValue") > 0) {
        return;
    }
    if (strpos($buffer, "MsvAvNbDomainName") > 0) {
        return;
    }
    if (strpos($buffer, "NegotiateFlags") > 0) {
        return;
    }
    if (strpos($buffer, "AvDnsComputerName") > 0) {
        return;
    }
    if (strpos($buffer, "Version: struct VERSION") > 0) {
        return;
    }
    if (strpos($buffer, "array: ARRAY(") > 0) {
        return;
    }
    if (strpos($buffer, "info_ctr") > 0) {
        return;
    }
    if (strpos($buffer, "init_sam_from_ldap: Entry found") > 0) {
        return;
    }
    //Snort dustbin
    //pdns_recursor[23651]: stats: 600 questions, 665 cache entries, 29 negative entries, 0% cache hits"
    // check_ntlm_password:  Authentication for user [root] -> [root] FAILED with error NT_STATUS_WRONG_PASSWORD
    if (strpos($buffer, "]: last message repeated") > 0) {
        return;
    }
    //pdns dustbin
    if (strpos($buffer, "Looking for CNAME") > 0) {
        return;
    }
    if (strpos($buffer, "No CNAME cache hit of") > 0) {
        return;
    }
    if (strpos($buffer, "Found cache hit") > 0) {
        return;
    }
    if (strpos($buffer, ": Resolved '") > 0) {
        return;
    }
    if (strpos($buffer, ": Trying IP") > 0) {
        return;
    }
    if (strpos($buffer, ".: Got 1 answers") > 0) {
        return;
    }
    if (strpos($buffer, ": accept answer") > 0) {
        return;
    }
    if (strpos($buffer, ": determining status") > 0) {
        return;
    }
    if (strpos($buffer, ": got negative caching") > 0) {
        return;
    }
    if (strpos($buffer, ": No cache hit for") > 0) {
        return;
    }
    if (strpos($buffer, ": Checking if we have NS") > 0) {
        return;
    }
    if (strpos($buffer, ": no valid/useful NS") > 0) {
        return;
    }
    if (strpos($buffer, ": NS (with ip, or non-glue)") > 0) {
        return;
    }
    if (strpos($buffer, ": We have NS in cache") > 0) {
        return;
    }
    if (strpos($buffer, ".: Nameservers:") > 0) {
        return;
    }
    if (strpos($buffer, ": Trying to resolve NS") > 0) {
        return;
    }
    if (strpos($buffer, ".: got NS record") > 0) {
        return;
    }
    if (strpos($buffer, ".: status=") > 0) {
        return;
    }
    if (strpos($buffer, ".: Starting additional") > 0) {
        return;
    }
    if (strpos($buffer, ".: Done with additional") > 0) {
        return;
    }
    if (strpos($buffer, ".: Found cache CNAME hit") > 0) {
        return;
    }
    if (strpos($buffer, ".: answer is in") > 0) {
        return;
    }
    if (strpos($buffer, "is negatively cached via") > 0) {
        return;
    }
    if (strpos($buffer, ".: within bailiwick") > 0) {
        return;
    }
    if (strpos($buffer, "]: Query: '") > 0) {
        return;
    }
    if (strpos($buffer, "bdb_equality_candidates:") > 0) {
        return;
    }
    if (strpos($buffer, "Cache consultations done") > 0) {
        return;
    }
    if (strpos($buffer, ".: Entire record") > 0) {
        return;
    }
    if (strpos($buffer, "got upwards/level NS record") > 0) {
        return;
    }
    if (strpos($buffer, "), rcode=0, in") > 0) {
        return;
    }
    if (strpos($buffer, "]    ns1.") > 0) {
        return;
    }
    if (strpos($buffer, "error resolving, possible error: Connection refused") > 0) {
        return;
    }
    if (strpos($buffer, "Failed to resolve via any of the") > 0) {
        return;
    }
    if (strpos($buffer, "failed (res=-1)") > 0) {
        return;
    }
    if (strpos($buffer, "question answered from packet cache from") > 0) {
        return;
    }
    if (strpos($buffer, ": timeout resolving") > 0) {
        return;
    }
    if (strpos($buffer, ": query throttled") > 0) {
        return;
    }
    if (strpos($buffer, "]: Invalid query packet") > 0) {
        return;
    }
    if (strpos($buffer, 'BIND dn="cn=') > 0) {
        return;
    }
    if (strpos($buffer, 'RESULT tag=') > 0) {
        return;
    }
    if (strpos($buffer, 'SRCH base="') > 0) {
        return;
    }
    if (strpos($buffer, 'SRCH attr=') > 0) {
        return;
    }
    if (strpos($buffer, 'MOD attr=') > 0) {
        return;
    }
    if (strpos($buffer, 'MOD dn=') > 0) {
        return;
    }
    if (strpos($buffer, ' UNBIND') > 0) {
        return;
    }
    if (strpos($buffer, ": connection_input: conn=") > 0) {
        return;
    }
    if (strpos($buffer, "attr=dNSTTL aRecord nSRecord cNAMERecord") > 0) {
        return;
    }
    if (strpos($buffer, ": monit HTTP server started") > 0) {
        return;
    }
    if (strpos($buffer, "Awakened by the") > 0) {
        return;
    }
    //nginx
    if (preg_match("#nginx:.*?notice.+?gracefully shutting down#", $buffer)) {
        squid_admin_mysql(1, "Reverse Proxy service gracefully shutting down", $buffer, __FILE__, __LINE__);
        return;
    }
    if (preg_match("#nginx:.+?start worker processes#", $buffer)) {
        squid_admin_mysql(2, "Reverse Proxy service starting", $buffer, __FILE__, __LINE__);
        return;
    }
    if (preg_match("#nginx:.*?:\\s+reconfiguring#", $buffer)) {
        squid_admin_mysql(1, "Reverse Proxy service was reconfigured", $buffer, __FILE__, __LINE__);
        return;
    }
    if (preg_match("#wifidog.*?Failed to open HTML message file#", $buffer)) {
        squid_admin_mysql(1, "Creating HTML message for the Hotspot", null, __FILE__, __LINE__);
        shell_exec2("{$GLOBALS["LOCATE_PHP5_BIN"]} {$GLOBALS["BASE_ROOT"]}/hostpot.php --templates >/dev/null 2>&1");
        shell_exec2("{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} {$GLOBALS["BASE_ROOT"]}/exec.wifidog.php --restart");
        return;
    }
    if (preg_match("#wifidog\\[.*?Removing Firewall rules#", $buffer, $re)) {
        squid_admin_mysql(1, "HotSpot is stopped", null, __FILE__, __LINE__);
        return;
    }
    //Crash kernel
    if (preg_match("#nf_queue: full at [0-9]+ entries,\\s+dropping packets#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/nf_queue.full";
        if (IfFileTime($file, 5)) {
            system_admin_events("Fatal! nf_queue is full\n{$buffer}\nYou should consider increase your hardware memory and CPU\nor disable Network application detection", __FUNCTION__, __FILE__, __LINE__, "system");
            if ($GLOBALS["SQUID_INSTALLED"]) {
                squid_admin_mysql(0, "Fatal! nf_queue is full", "{$buffer}\nYou should consider increase your hardware memory and CPU\nor disable Network application detection", __FILE__, __LINE__);
            }
        }
        return;
    }
    if (preg_match("#glibc detected.*?\\/(.+?):\\s+(.+?):#", $buffer, $re)) {
        system_admin_events("Fatal! Crash {$re[1]} {$re[2]} [action=Run Sync]\n{$buffer}", __FUNCTION__, __FILE__, __LINE__, "system");
        if ($GLOBALS["SQUID_INSTALLED"]) {
            squid_admin_mysql(0, "Fatal! Crash {$re[1]} {$re[2]} [action=Run Sync]", $buffer, __FILE__, __LINE__);
        }
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["SYNC_BIN"]} >/dev/null 2>&1 &");
        return;
    }
    if (preg_match("#kernel:\\[.*?general protection fault:\\s+[0-9]+\\s+\\[\\#([0-9]+)\\]\\s+SMP#", $buffer, $re)) {
        if ($GLOBALS["SQUID_INSTALLED"]) {
            squid_admin_mysql(0, "Kernel crash !! general protection fault on SMP processor", $buffer, __FILE__, __LINE__);
        }
        system_admin_events("Kernel crash !! general protection fault on SMP Processor\n{$buffer}", __FUNCTION__, __FILE__, __LINE__, "system");
        return;
    }
    if (preg_match("#kernel:.*?squid\\[.*?segfault at.*?error.*?in squid#", $buffer)) {
        squid_admin_mysql(0, "Fatal, proxy service was crashed !!!", "Here it is the report\n{$buffer}\nService is automatically started\n", __FILE__, __LINE__);
        shell_exec(trim("{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.squid.watchdog.php --start --crashed --cache-logs >/dev/null 2>&1 &"));
        return;
    }
    if (preg_match("#class\\.sockets\\.inc.*?Fatal ERROR 500#", $buffer)) {
        shell_exec(trim("{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.framework.php --restart >/dev/null 2>&1 &"));
        return;
    }
    if (strpos($buffer, "rdpproxy:") > 0) {
        if (!isset($GLOBALS["CLASS_RDPPROXY_MONITOR"])) {
            $GLOBALS["CLASS_RDPPROXY_MONITOR"] = new rdpproxy_monitor();
        }
        $GLOBALS["CLASS_RDPPROXY_MONITOR"]->parse($buffer);
        return;
    }
    if (strpos($buffer, "C-ICAP") > 0) {
        if ($GLOBALS["CLASS_C_ICAP_MONITOR"]->parse($buffer)) {
            return;
        }
    }
    //UCARP
    if (preg_match("#ucarp\\[.*?Switching to state:\\s+BACKUP#", $buffer)) {
        if (!is_file("/usr/share/ucarp/Master")) {
            foreach (glob("/usr/share/ucarp/vip-*-down.sh") as $filename) {
                $tt[] = $filename;
                shell_exec("{$GLOBALS["nohup"]} {$filename} >/dev/null 2>&1 &");
            }
            squid_admin_mysql(0, "FailOver: Slave switch to backup mode", "Executed\n" . @implode("\n", $tt), __FILE__, __LINE__);
        } else {
            squid_admin_mysql(0, "FailOver: Master shutdown connections transfered to slave", "\n", __FILE__, __LINE__);
        }
        return;
    }
    if (preg_match("#ucarp\\[.*?Switching to state:\\s+MASTER#", $buffer)) {
        if (!is_file("/usr/share/ucarp/Master")) {
            squid_admin_mysql(0, "FailOver: Slave switch to Master mode and accept connections", "\n", __FILE__, __LINE__);
        } else {
            squid_admin_mysql(0, "FailOver: Master return back and accept connections", "\n", __FILE__, __LINE__);
        }
        return;
    }
    // SHOREWALL
    if (preg_match("#Shorewall:(.+?)2(.+?):(.+?):IN=(.*?)\\s+OUT=(.*?)\\s+MAC=(.*?)\\s+SRC=(.*?)\\s+DST=(.*?)\\s+.*?PROTO=(.*?)\\s+.*?DPT=([0-9]+)#", $buffer, $re)) {
        $ZONE_FROM = $re[1];
        $ZONE_TO = $re[2];
        $ACTION = $re[2];
        $NIC_IN = $re[4];
        $NIC_OUT = $re[5];
        $MAC_SRC = strtolower($re[6]);
        $IP_SRC = $re[7];
        $IP_DST = $re[8];
        $PROTO = $re[9];
        $PORT = $re[10];
        $DATE = date("Y-m-d H:i:s");
        $currentHour = date("YmdH");
        if (!isset($GLOBALS["MYSQL_SHOREWALL"])) {
            $GLOBALS["MYSQL_SHOREWALL"] = new mysql_shorewall();
        }
        if (!isset($GLOBALS["MYSQL_SHOREWALL_T"][date("YmdH")])) {
            $GLOBALS["MYSQL_SHOREWALL"]->BuildHourTable();
        }
        $sql = "INSERT IGNORE INTO `FWH_{$currentHour}` (`ZDATE`,`ZONE_FROM`,`ZONE_TO`,`ACTION`,`NIC_IN`,`NIC_OUT`,`MAC_SRC`,`IP_SRC`,`IP_DST`,`PROTO`,`PORT`) VALUES\n\t('{$DATE}','{$ZONE_FROM}','{$ZONE_TO}','{$ACTION}','{$NIC_IN}','{$NIC_OUT}','{$MAC_SRC}','{$IP_SRC}','{$IP_DST}','{$PROTO}','{$PORT}')";
        $GLOBALS["MYSQL_SHOREWALL"]->QUERY_SQL($sql);
        if (count($GLOBALS["MYSQL_SHOREWALL_T"]) > 10) {
            unset($GLOBALS["MYSQL_SHOREWALL_T"]);
        }
        return;
    }
    if (preg_match("#kernel:.*?:\\s+(.+?):\\s+link down#", $buffer, $re)) {
        system_admin_events("{$re[1]}: Network Interface Down\n{$buffer}", __FUNCTION__, __FILE__, __LINE__, "network");
        squid_admin_mysql(0, "{$re[1]}: Network Interface Down", $buffer, __FILE__, __LINE__);
        return;
    }
    if (preg_match("#kernel:.*?\\]\\s+ADDRCONF.*?:\\s+(.+?):\\s+link is not ready#", $buffer, $re)) {
        system_admin_events("{$re[1]}: Network Interface not ready\n{$buffer}", __FUNCTION__, __FILE__, __LINE__, "network");
        squid_admin_mysql(0, "{$re[1]}: Network Interface not ready", $buffer, __FILE__, __LINE__);
        return;
    }
    if (preg_match("#kernel:.*?\\]\\s+ADDRCONF.*?:\\s+(.+?):\\s+link becomes ready#", $buffer, $re)) {
        system_admin_events("{$re[1]}: Network Interface becomes ready\n{$buffer}", __FUNCTION__, __FILE__, __LINE__, "network");
        squid_admin_mysql(0, "{$re[1]}: Network Interface becomes ready", $buffer, __FILE__, __LINE__);
        return;
    }
    if (preg_match("#kernel:.*?:\\s+(.+?):\\s+link up#", $buffer, $re)) {
        system_admin_events("{$re[1]}: Network Interface Up\n{$buffer}", __FUNCTION__, __FILE__, __LINE__, "network");
        squid_admin_mysql(2, "{$re[1]}: Network Interface Up", $buffer, __FILE__, __LINE__);
        return;
    }
    if (preg_match("#FATAL ERROR: unable to open remote file .*?framework\\.sock#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/lighttpd.framework.sock.error";
        if (IfFileTime($file, 1)) {
            system_admin_events("Framework issue, restarting framework service\n{$buffer}", __FUNCTION__, __FILE__, __LINE__, "artica");
            $cmd = "{$GLOBALS["nohup"]} /etc/init.d/artica-framework restart >/dev/null 2>&1 &";
            shell_exec($cmd);
        }
        return;
    }
    if (preg_match("#lighttpd\\[.*?connect failed: No such file or directory on unix:\\/var\\/run\\/php-fpm\\.sock#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/lighttpd.phpfpm.sock.error";
        if (IfFileTime($file, 1)) {
            system_admin_events("PHP-FPM issue, starting PHP-FPM service\n{$buffer}", __FUNCTION__, __FILE__, __LINE__, "artica");
            $cmd = "{$GLOBALS["nohup"]} /etc/init.d/php5-fpm start >/dev/null 2>&1 &";
            shell_exec($cmd);
        }
        return;
    }
    // LIGTTPD
    if (preg_match("#lighttpd.*?connections\\.c.*?SSL.*?error.*?Broken pipe#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/lighttpd.connections.Broken.pipe";
        if (IfFileTime($file, 2)) {
            shell_exec("{$GLOBALS["nohup"]} /etc/init.d/artica-webconsole restart >/dev/null 2>&1 &");
        }
        return;
    }
    if (dhcpd($buffer)) {
        return;
    }
    if (preg_match("#squid.*?\\[[0-9]+\\]:#", $buffer)) {
        squid_parser($buffer);
        return;
    }
    if (preg_match("#\\(squid-.*?\\):#", $buffer)) {
        squid_parser($buffer);
        return;
    }
    if (preg_match("#nss_wins.*?\\[[0-9]+\\]:#", $buffer)) {
        nss_parser($buffer);
        return;
    }
    if (preg_match("#haproxy.*?\\[[0-9]+\\]:#", $buffer)) {
        haproxy_parser($buffer);
        return;
    }
    if (preg_match("#kernel.*?\\[#", $buffer)) {
        Kernel_parser($buffer);
        return;
    }
    if (preg_match("#coova-chilli.+?net\\.c.*?Cannot assign requested address.*?ioctl.*?SIOCSIFFLAGS#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/coova-chilli.SIOCSIFFLAGS";
        if (IfFileTime($file, 5)) {
            events("HotSpot Failed to bin address, disable hotSpot system!");
            system_admin_events("HotSpot Failed to bin address, disable hotSpot system!", __FUNCTION__, __FILE__, __LINE__, "system");
            @file_put_contents("/etc/artica-postfix/settings/Daemons/EnableChilli", 0);
            ToSyslog("kernel: [  Artica-Net] Start Network [artica-ifup] (" . basename(__FILE__) . "/" . __LINE__ . ")");
            $cmd = "{$GLOBALS["nohup"]} /etc/init.d/artica-ifup start >/dev/null 2>&1 &";
            shell_exec($cmd);
            $cmd = "{$GLOBALS["nohup"]} /etc/init.d/chilli stop >/dev/null 2>&1 &";
            shell_exec($cmd);
            WriteFileCache($file);
            return;
        }
        events("{$buffer} = > TIMEOUT ... ");
        return;
    }
    if (preg_match("#'apache' total mem amount of ([0-9]+)([a-zA-Z])+\\s+matches resource limit#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/apache.matches.resource.limit";
        if (IfFileTime($file, 5)) {
            $unit = strtolower($re[2]);
            if ($unit == "kb") {
                $size = $re[1];
                $size = round($size / 1024, 2);
                $cmd = "{$GLOBALS["nohup"]} /etc/init.d/artica-postfix restart apachesrc >/dev/null 2>&1 &";
                events("{$size}M {$buffer} = {$cmd} ... ");
                shell_exec($cmd);
                WriteFileCache($file);
                return;
            }
            events("{$buffer} = > TIMEOUT ... ");
            return;
        }
    }
    if (preg_match("#connect failed: No such file or directory on unix:\\/var\\/run\\/php-fpm\\.sock#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/lighttpd.php-fpm.sock.No.such.file.directory.0";
        if (IfFileTime($file, 1)) {
            $cmd = "{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.initslapd.php --phppfm-fix >/dev/null 2>&1 &";
            events("{$buffer} = {$cmd} ... ");
            shell_exec($cmd);
            WriteFileCache($file);
            return;
        }
        events("{$buffer} = > TIMEOUT ... ");
        return;
    }
    if (preg_match("#lighttpd.*?mod_fastcgi.*?connect failed:\\s+No such file or directory on unix:\\/var\\/run\\/php-fpm\\.sock#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/lighttpd.php-fpm.sock.No.such.file.directory";
        if (IfFileTime($file, 1)) {
            $cmd = "{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.initslapd.php --phppfm-fix >/dev/null 2>&1 &";
            events("{$buffer} = {$cmd} ... ");
            shell_exec($cmd);
            WriteFileCache($file);
            return;
        }
        events("{$buffer} = > TIMEOUT ... ");
        return;
    }
    if (preg_match("#haarp.*?munmap_chunk.*?invalid pointer#", $buffer)) {
        $GLOBALS["HAARP_FATAL"]++;
        if (haarp_remove()) {
            return;
        }
        $file = "/etc/artica-postfix/croned.1/haarp.invalid.pointer";
        events("invalid pointer haarp:" . __LINE__);
        squid_admin_mysql(1, "Haarp issue: {$GLOBALS["HAARP_FATAL"]}/5 invalid pointer", "Proxy service have issues with haarp,\n{$buffer}\n the service will be restarted", __FILE__, __LINE__);
        if (IfFileTime($file, 3)) {
            squid_admin_notifs("Warning, Haarp issues.\nProxy service have issues with haarp,\n{$buffer}\n the service will be restarted");
            shell_exec("{$GLOBALS["nohup"]} /etc/init.d/haarp start >/dev/null 2>&1 &");
            WriteFileCache($file);
        }
        return;
    }
    if (preg_match("#kernel:\\s+\\[.*?haarp.*?general protection.*?libmysqlclient\\.#", $buffer)) {
        $GLOBALS["HAARP_FATAL"]++;
        if (haarp_remove()) {
            return;
        }
        $file = "/etc/artica-postfix/croned.1/haarp.general.protection";
        events("general protection haarp:" . __LINE__);
        squid_admin_mysql(1, "Haarp issue: {$GLOBALS["HAARP_FATAL"]}/5 general protection libmysqlclient", "Proxy service have issues with haarp,\n{$buffer}\n the service will be restarted", __FILE__, __LINE__);
        if (IfFileTime($file, 1)) {
            squid_admin_notifs("Warning, Haarp issues.\nProxy service have issues with haarp,\n{$buffer}\n the service will be restarted");
            shell_exec("{$GLOBALS["nohup"]} /etc/init.d/haarp start >/dev/null 2>&1 &");
            WriteFileCache($file);
        }
        return;
    }
    if (preg_match("#monit\\[.+?APP_UFDBGUARD.+?start:#", $buffer)) {
        return;
    }
    if (preg_match("#monit\\[.+?system statistic error.+?cannot get real memory buffers amount#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/squid.Failed.to.make.swap.directory";
        if (IfFileTime($file, 10)) {
            email_events("Watchdog failed, cannot get real memory buffers amount", "monit claim \"{$buffer}\" Artica will install the latest monit version....", 'system');
            shell_exec("{$GLOBALS["nohup"]} /usr/share/artica-postfix/bin/artica-make APP_MONIT >/dev/null 2>&1 &");
            WriteFileCache($file);
        }
        return;
    }
    if (preg_match("#squid\\.monitrc:.*?syntax error#", $buffer)) {
        $cmd = "{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.squid.php --watchdog-config >/dev/null 2>&1 &";
        events("{$buffer} Monit = {$cmd} ... ");
        shell_exec($cmd);
        return;
    }
    if (preg_match("#artica-cron\\[.+?: Could not add job : serial queue is full#", $buffer)) {
        $cmd = "{$GLOBALS["nohup"]} /etc/init.d/artica-postfix restart fcron >/dev/null 2>&1 &";
        events("{$buffer} fcron CMD = {$cmd} ... ");
        shell_exec($cmd);
        return;
    }
    if (preg_match("#cron\\[.+?Fork error : could not exec.+?Cannot allocate memory#", $buffer)) {
        if ($GLOBALS["NOOUTOFMEMORYREBOOT"] != 1) {
            $uptime = $GLOBALS["CLASS_UNIX"]->uptime();
            exec("{$GLOBALS["PS_BIN"]} aux 2>&1", $resultsa);
            email_events("Memory full: System will be rebooted after running after {$uptime}", "System claim \"{$buffer}\" the operating system will be rebooted ({$reboot}).", 'proxy');
            if ($GLOBALS["SQUID_INSTALLED"]) {
                squid_admin_mysql(0, "Memory full: System will be rebooted after running after {$uptime}", "System claim \"{$buffer}\" the operating system will be rebooted\n" . @implode("\n", $resultsa), __FILE__, __LINE__);
            }
            UcarpDown();
            shell_exec("{$GLOBALS["SHUTDOWN_BIN"]} -rF now");
            return;
        }
    }
    if (preg_match("#monit: Error reading pid from file '(.+?)\\/ufdbguardd.pid'#", $buffer, $re)) {
        $cmd = "{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} " . dirname(__FILE__) . "/exec.squidguard.php --ufdbguard-start >/dev/null 2>&1 &";
        events("{$buffer} Monit CMD = {$cmd} ... ");
        shell_exec($cmd);
        return;
    }
    if (preg_match("#Cannot open.*?\\/var\\/log\\/squid\\/store\\.log.*?No space left on device#is", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/varlogfull";
        if (IfFileTime($file, 5)) {
            $results[] = "\n\n--------------   SPACE AVAILABLE   -------------\n\n";
            exec("{$GLOBALS["DF_BIN"]} -h 2>&1", $results);
            $results[] = "\n\n--------------   INODES AVAILABLE   -------------\n\n";
            exec("{$GLOBALS["DF_BIN"]} -i 2>&1", $results);
            squid_admin_mysql(0, "Fatal: no space left on log partition", "A specific procedure as been executed to make more free space.\nHere it is the current status\n" . @implode("\n", $results), __FILE__, __LINE__);
            $cmd = "{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} " . dirname(__FILE__) . "/exec.varlog-urgency.php --squid >/dev/null 2>&1 &";
            shell_exec($cmd);
            WriteFileCache($file);
        }
    }
    if (preg_match("#\\(squid-.+?Failed to make swap directory\\s+(.+?):\\s+\\(13\\)\\s+Permission denied#i", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/squid.Failed.to.make.swap.directory";
        if (IfFileTime($file, 10)) {
            $cmd = "{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} " . dirname(__FILE__) . "/exec.squid.php --reconfigure-squid >/dev/null 2>&1 &";
            events("--> Repair squid dir '{$re[1]}'... {$cmd}");
            @mkdir($re[1], 0755, true);
            @chmod($re[1], 0755);
            @chown($re[1], "squid");
            @chgrp($re[1], "squid");
            shell_exec($cmd);
            WriteFileCache($file);
        }
        return;
    }
    if (strpos($buffer, "DETECTED IN") > 0) {
        if (preg_match("#KHSE: THREAT\\s+(.+?)\\s+DETECTED IN\\s+(.+)#", $buffer, $re)) {
            $user = "******";
            $local_ip = "unknown";
            $rulename = "Antivirus KSE";
            $category = "KSE_THREAT";
            $public_ip = "unknown";
            $virus = $re[1];
            $uri = $re[2];
            if (preg_match("#(|http|https|ftp|ftps)://(.+)#", $uri, $re)) {
                $www = $re[2];
            }
            if (preg_match("#^www\\.(.+)#", $www, $re)) {
                $www = $re[1];
            }
            if (strpos($www, "/") > 0) {
                $tb = explode("/", $www);
                $www = $tb[0];
            }
            $date = time();
            $table = date('Ymd') . "_blocked";
            $md5 = md5("{$date},{$local_ip},{$rulename},{$category},{$www},{$public_ip}");
            $sql = "('{$local_ip}','{$www}','{$category}','{$rulename}','{$public_ip}','THREAT {$virus} DETECTED','Security issue','unknown')";
            if (!is_dir("{$GLOBALS["ARTICALOGDIR"]}/ufdbguard-queue")) {
                @mkdir("{$GLOBALS["ARTICALOGDIR"]}/ufdbguard-queue", 0755, true);
            }
            @file_put_contents("{$GLOBALS["ARTICALOGDIR"]}/ufdbguard-queue/{$md5}.sql", $sql);
            eventsAuth("[KHSE]: blocked THREAT {$virus} DETECTED IN {$uri}");
            return;
        }
    }
    $auth = new auth_tail();
    if ($auth->ParseLog($buffer)) {
        return;
    }
    $auth = null;
    // ---------------------- DANSGUARDIAN ---------------------------------
    if (strpos($buffer, "dansguardian[") > 0) {
        if (preg_match("#dansguardian\\[.+?:\\s+[0-9\\.]+\\s+[0-9:]+\\s+(.+?)\\s+([0-9\\.]+)\\s+(.+?)\\s+\\*([A-Z]+)\\*\\s+(.+?):\\s+(.+?)\\s+([A-Z]+)\\s+[0-9]+\\s+[0-9]+\\s+(.+?)\\s+([0-9]+)#", $buffer, $re)) {
            $array["userid"] = trim($re[1]);
            $array["ipaddr"] = $re[2];
            $array["uri"] = $re[3];
            $array["EVENT"] = $re[4];
            $array["WHY"] = trim($re[5]);
            $array["EXPLAIN"] = $re[6];
            $array["BLOCKTYPE"] = $re[8];
            $array["RULEID"] = $re[9];
            $array["TIME"] = date('Y-m-d H:i:s');
            eventsAuth("[Dansguardian]: blocked {$array["uri"]} {$array["BLOCKTYPE"]} {$array["RULEID"]}");
            @file_put_contents("{$GLOBALS["ARTICALOGDIR"]}/dansguardian-stats4/" . md5(serialize($array)), serialize($array));
        }
        return;
    }
    // Samba/Winbind **********************************************************************************************************************************************
    if (preg_match("#winbindd\\[.+?Connection to LDAP server failed for the\\s+[0-9]+\\s+try#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/samba." . md5("winbindd\\[.+?Connection to LDAP server failed for the\\s+[0-9]+\\s+try") . ".error";
        system_admin_events("winbindd connection to LDAP failed, update password...", __FUNCTION__, __FILE__, __LINE__, "samba");
        if (IfFileTime($file, 5)) {
            system_admin_events("winbindd connection to LDAP failed, update password...", __FUNCTION__, __FILE__, __LINE__, "samba");
            shell_exec("{$GLOBALS["nohup"]} /usr/share/artica-postfix/exec.samba.php --smbpasswd >/dev/null 2>&1 &");
        }
        return true;
    }
    if (preg_match("#net:\\s+ads_keytab_add_entry: unable to determine machine account's dns name in AD#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/samba." . md5("net:\\s+ads_keytab_add_entry: unable to determine machine account's dns name in AD") . ".error";
        if (IfFileTime($file, 10)) {
            email_events("Active Directory: Unable to determine machine account's dns name in AD", "System claims:\n{$buffer}\nThere is link problem with your Active Directory", 'system');
            WriteFileCache($file);
        }
        return true;
    }
    if (preg_match("#winbindd\\[.*?Could not fetch our SID - did we join#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/ntlm.samba.could.not.fetch.our.SID.join.error";
        if (IfFileTime($file, 3)) {
            squid_admin_mysql(0, "NTLM: not joinded", $buffer, __FILE__, __LINE__);
            $cmd = "{$GLOBALS["LOCATE_PHP5_BIN"]} " . dirname(__FILE__) . "/exec.kerbauth.php --join";
            events("Active Directory: NTLM:: not joinded -> {$cmd}");
            shell_exec("{$GLOBALS["nohup"]} {$cmd} >/dev/null 2>&1 &");
            WriteFileCache($file);
        } else {
            events("Active Directory: NTLM: not joinded -> WAIT");
        }
        return;
    }
    if (preg_match("#\\(ntlm_auth\\): could not obtain winbind domain name\\!#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/ntlm.samba.could.not.obtain.winbind.domain.name.error";
        if (IfFileTime($file, 3)) {
            squid_admin_mysql(0, "NTLM: could not obtain winbind domain name", $buffer, __FILE__, __LINE__);
            $cmd = "{$GLOBALS["LOCATE_PHP5_BIN"]} " . dirname(__FILE__) . "/exec.kerbauth.php --join";
            events("Active Directory: NTLM:: could not obtain winbind domain name -> {$cmd}");
            shell_exec("{$GLOBALS["nohup"]} {$cmd} >/dev/null 2>&1 &");
            WriteFileCache($file);
        } else {
            events("Active Directory: NTLM:: could not obtain winbind domain name -> WAIT");
        }
        return;
    }
    if (preg_match("#smbd\\[.+?:.+?PANIC\\s+\\(pid.+?:\\s+internal error#", $buffer, $re)) {
        email_events("Samba: SMBD daemon has crashed", "Samba claims:\n{$buffer}\nArtica cannot do something, please try to re-install samba...", 'samba');
        return;
    }
    if (preg_match("#kerberos_kinit_password\\s+(.+?)\\s+failed:\\s+Preauthentication failed#i", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/samba." . md5("kerberos_kinit_password+Preauthentication failed") . ".error";
        if (IfFileTime($file, 2)) {
            squid_admin_mysql(0, "NTLM: Preauthentication failed", $buffer, __FILE__, __LINE__);
            $cmd = "{$GLOBALS["LOCATE_PHP5_BIN"]} " . dirname(__FILE__) . "/exec.kerbauth.php --ping --force";
            email_events("Active Directory: Preauthentication failed", "System claims:\n{$buffer}\nThere is link problem with your Active Directory\nArtica will try to relink the system by executing {$cmd} --verbose\nbut you should try to investigate if this server is able to resolve the Active Directory server", 'system');
            events("Active Directory: Preauthentication failed -> {$cmd}");
            shell_exec("{$GLOBALS["nohup"]} {$cmd} >/dev/null 2>&1 &");
            $cmd = "{$GLOBALS["LOCATE_PHP5_BIN"]} " . dirname(__FILE__) . "/exec.kerbauth.php --join";
            events("Active Directory: Preauthentication failed -> {$cmd}");
            shell_exec("{$GLOBALS["nohup"]} {$cmd} >/dev/null 2>&1 &");
            @unlink($file);
            WriteFileCache($file);
        }
        return true;
    }
    // **********************************************************************************************************************************************
    if (preg_match("#dnsmasq.+? failed to read\\s+(.+?):\\s+Permission denied#", $buffer, $re)) {
        if (!isset($GLOBALS["aa-complain"])) {
            $GLOBALS["aa-complain"] = $GLOBALS["CLASS_UNIX"]->find_program("aa-complain");
        }
        if (!isset($GLOBALS["dnsmasq_bin"])) {
            $GLOBALS["dnsmasq_bin"] = $GLOBALS["CLASS_UNIX"]->find_program("dnsmasq");
        }
        $targetedfile = $re[1];
        $file = "/etc/artica-postfix/croned.1/dnsmasq." . md5($targetedfile) . ".Permission.denied";
        events("dnsmasq {$targetedfile} -> Permission denied");
        if (IfFileTime($file, 10)) {
            events("dnsmasq {$targetedfile} -> chmod 755");
            if (is_file($GLOBALS["aa-complain"])) {
                events("dnsmasq {$GLOBALS["aa-complain"]}  -> {$GLOBALS["dnsmasq_bin"]}");
                shell_exec("{$GLOBALS["aa-complain"]} {$GLOBALS["dnsmasq_bin"]}");
            }
            email_events("dnsmasq: Permission denied on {$targetedfile}", "dnmasq claims:\n{$buffer}\nArtica will change permission of this file to 0755 in order to fix this issue and put it into aa-complain mode", 'system');
            shell_exec("/bin/chmod 755 \"{$targetedfile}\"");
            shell_exec(trim("{$GLOBALS["nohup"]} /etc/init.d/dnsmasq restart >/dev/null 2>&1 &"));
            @unlink($file);
            WriteFileCache($file);
        }
        return;
    }
    if (preg_match("#pam_ldap: error trying to bind \\(Invalid credentials\\)#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/pam_ldap.Invalid.credentials";
        if (IfFileTime($file, 10)) {
            email_events("pam_ldap: system unable to contact the LDAP server", "system claims:\n{$buffer}\nArtica will reconfigure nss-ldap system\nSome systems request rebooting\nto be sure, reboot your server", 'system');
            shell_exec(trim("{$GLOBALS["nohup"]} /usr/share/artica-postfix/bin/artica-install --nsswitch >/dev/null 2>&1 &"));
            @unlink($file);
            WriteFileCache($file);
        }
        return;
    }
    if (preg_match("#net:\\s+failed to bind to server.+?Error: Invalid credentials#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/net.Invalid.credentials";
        if (IfFileTime($file, 10)) {
            email_events("Samba/net: system unable to contact the LDAP server", "Samba/net claims:\n{$buffer}\nArtica will reconfigure samba system\n", 'system');
            shell_exec(trim("{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.samba.php --build >/dev/null 2>&1 &"));
            @unlink($file);
            WriteFileCache($file);
        }
        return;
    }
    if (preg_match("#pdns.+?:\\s+\\[LdapBackend\\] Unable to search LDAP directory: Starting LDAP search: Can't contact LDAP server#", $buffer, $re)) {
        events("--> PDNS LDAP FAILED");
        $file = "/etc/artica-postfix/croned.1/pdns.Can.t.contact.LDAP.server";
        if (IfFileTime($file, 10)) {
            email_events("PowerDNS: DNS server is unable to contact the LDAP server", "PDNS claims:\n{$buffer}\nArtica will restart PowerDNS service", 'system');
            shell_exec(trim("{$GLOBALS["nohup"]} /etc/init.d/pdns restart >/dev/null 2>&1 &"));
            @unlink($file);
            WriteFileCache($file);
        }
        return;
    }
    if (preg_match("#pdns_recursor\\[.*?Failed to update \\. records, RCODE=([0-9]+)#", $buffer, $re)) {
        events("--> Failed to update \\. records, RCODE={$re[1]}");
        $file = "/etc/artica-postfix/croned.1/pdns.failed.to.update.record.{$re[1]}";
        if (IfFileTime($file, 2)) {
            shell_exec(trim("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.initslapd.php --pdns-recursor >/dev/null 2>&1"));
            shell_exec(trim("{$GLOBALS["nohup"]} /etc/init.d/pdns-recursor restart >/dev/null 2>&1 &"));
        }
        return;
    }
    if (preg_match("#pdns(?:\\[\\d{1,5}\\])?: Not authoritative for '.*',.*sending servfail to\\s+(.+?)\\s+\\(recursion was desired\\)#", $buffer, $re)) {
        events("--> PDNS Hack {$re[2]}");
        if ($GLOBALS["PDNS_HACK"] == 1) {
            $GLOBALS["PDNS_HACK_DB"][$re[2]] = $GLOBALS["PDNS_HACK_DB"][$re[2]] + 1;
            if ($GLOBALS["PDNS_HACK_DB"][$re[2]] > $GLOBALS["PDNS_HACK_MAX"]) {
                events("--> PDNS Hack {$re[2]} will be banned");
                @file_put_contents("{$GLOBALS["ARTICALOGDIR"]}/pdns-hack-queue/" . time(), $re[2]);
                unset($GLOBALS["PDNS_HACK_DB"][$re[2]]);
            }
        }
        return;
    }
    if (preg_match("#auditd\\[.+?Unable to set audit pid, exiting#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/Unable.to.set.audit.pid";
        if (IfFileTime($file, 10)) {
            email_events("Auditd: cannot start", "auditd claims:\n{$buffer}\nIt seems that Auditd cannot start, if you run this computer on an OpenVZ VPS server, be sure that your Administrator has enabled audtid capability\n\t\t\tTake a look here http://bugzilla.openvz.org/show_bug.cgi?id=1157\n\t\t\t\nthis notification is not a good information.\nthe Auditd feature is now disabled\n", 'system');
            @unlink($file);
            @file_put_contents("/etc/artica-postfix/settings/Daemons/EnableAuditd", "0");
            shell_exec(trim("{$GLOBALS["nohup"]} /etc/init.d/artica-postfix stop auditd >/dev/null 2>&1 &"));
            WriteFileCache($file);
            return;
        }
    }
    if (preg_match("#snort\\[[0-9]+\\]:\\s+\\[.+?\\]\\s+(.+?)\\s+\\[Classification: (.+?)\\]\\s+\\[Priority:\\s+([0-9]+)\\]:\\/s+\\{(.+?)\\}\\s+(.+?):([0-9]+)\\s+->\\s+(.+?):([0-9]+)#", $buffer, $re)) {
        $md5 = md5($buffer);
        $filename = "{$GLOBALS["ARTICALOGDIR"]}/snort-queue/" . time() . ".{$md5}.snort";
        @file_put_contents($filename, serialize($re));
        return;
    }
    if (preg_match("#snort\\[.+?:\\s+Can.+?t acquire.+?cooked-mode frame doesn.+?t have room for sll header#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/snort.cant.bind";
        if (IfFileTime($file, 10)) {
            email_events("SNORT: Fatal error: could not acquire the network", "snort claims:\n{$buffer}\nIt seems that snort is unable to hook your Interface Card, perhaps your server running in a Xen environnement or any virtual system\nthis notification is not a good information.\nYou should remove the IDS feature from Artica or remove SNORT package\nYour system cannot support IDS system.\nsee http://seclists.org/snort/2011/q2/52\nhttp://support.citrix.com/article/CTX116204", 'system');
            @unlink($file);
            WriteFileCache($file);
            return;
        }
    }
    if (preg_match("#.+?roundcube-(.+?): FAILED login for (.+?) from ([0-9\\.]+)#", $buffer, $re)) {
        Roundcubehack($re[1], $re[2], $re[3]);
        return;
    }
    if (preg_match("#net:\\s+failed to bind to server ldap.+?localhost#", $buffer)) {
        events("--> exec.samba.php --fix-etc-hosts");
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.samba.php --fix-etc-hosts >/dev/null 2>&1 &");
        $file = "/etc/artica-postfix/croned.1/net-ldap-bind";
        if (IfFileTime($file, 5)) {
            shell_exec("{$GLOBALS["nohup"]} /etc/init.d/slapd restart --framework=" . basename(__FILE__) . " >/dev/null 2>&1 &");
            WriteFileCache($file);
            return;
        }
    }
    if (preg_match("#(winbindd|smbd)\\[.+?failed to bind to server.+?Invalid credentials#", $buffer)) {
        events("SAMBA: Invalid credentials");
        $file = "/etc/artica-postfix/croned.1/samba-ldap-credentials";
        if (IfFileTime($file, 5)) {
            if (is_file("/var/lib/samba/winbindd_idmap.tdb")) {
                @unlink("/var/lib/samba/winbindd_idmap.tdb");
            }
            if (is_file("/var/lib/samba/group_mapping.ldb")) {
                @unlink("/var/lib/samba/group_mapping.ldb");
            }
            email_events("Samba: could not connect to ldap Invalid credentials", "samba claims:\n{$buffer}\nArtica will try to reconfigure password and restart Samba", 'system');
            shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.samba.php --fix-etc-hosts >/dev/null 2>&1 &");
            @unlink($file);
            shell_exec("{$GLOBALS["nohup"]} /etc/init.d/artica-postfix restart samba >/dev/null 2>&1 &");
            WriteFileCache($file);
        }
        return;
    }
    // -------------------------------------------------------------------------------------------------------------------------------------------------
    if (preg_match("#failed due to\\s+\\[winbind client not authorized to use winbindd_pam_auth_crap\\.\\s+Ensure permissions on.+?are set correctly#", $buffer)) {
        events("SQUID: winbindd_pam_auth_crap --> exec.kerbauth.php --winbindfix");
        $file = "/etc/artica-postfix/croned.1/winbindd_pam_auth_crap";
        if (IfFileTime($file, 5)) {
            squid_admin_mysql(0, "NTLM: client not authorized to use winbindd_pam_auth_crap", $buffer, __FILE__, __LINE__);
            shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.kerbauth.php --winbindfix");
            @unlink($file);
            WriteFileCache($file);
        }
        return;
    }
    // -------------------------------------------------------------------------------------------------------------------------------------------------
    if (preg_match("#smbd\\[.+?:\\s+smbd_open_once_socket: open_socket_in: Address already in use#", $buffer)) {
        events("SMBD: smbd_open_once_socket: open_socket_in: Address already in use");
        $file = "/etc/artica-postfix/croned.1/smbd_open_once_socket.open_socket_in.Address.already.in.use";
        if (IfFileTime($file, 10)) {
            email_events("Samba: try to bind ipv6 and ipv4, fixed", "samba claims:\n{$buffer}\n\t\t\tArtica will do \"sysctl net.ipv6.bindv6only=1\" to fix this issue (see https://bugzilla.redhat.com/show_bug.cgi?id=726936)", 'system');
            shell_exec("{$GLOBALS["sysctl"]} net.ipv6.bindv6only=1");
            @unlink($file);
            WriteFileCache($file);
        }
        return;
    }
    // -------------------------------------------------------------------------------------------------------------------------------------------------
    if (preg_match("#winbindd.+?Could not receive trustdoms#", $buffer)) {
        events("WINBIND: Could not receive trustdoms");
        $file = "/etc/artica-postfix/croned.1/Could.not.receive.trustdoms";
        if (IfFileTime($file, 5)) {
            events("WINBIND: Could not receive trustdoms -> restart Winbind");
            if (function_exists("WriteToSyslogMail")) {
                WriteToSyslogMail("restart winbindd", basename(__FILE__));
            }
            email_events("Samba: Could not receive trustdoms", "samba claims:\n{$buffer}\nArtica will try to restart winbindd service", 'system');
            shell_exec("{$GLOBALS["nohup"]} /etc/init.d/winbind restart >/dev/null 2>&1 &");
            @unlink($file);
        }
        WriteFileCache($file);
        return;
    }
    if (preg_match("#winbindd\\[.+?ADS uninitialized: No logon servers#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/winbindd-No-logon-servers";
        events("WINBINDD: ADS uninitialized: No logon servers");
        if ($GLOBALS["EnableKerbAuth"] == 1) {
            if (IfFileTime($file, 3)) {
                squid_admin_mysql(0, "NTLM: No logon servers", $buffer, __FILE__, __LINE__);
                events("WINBINDD: EnableKerbAuth:: exec.kerbauth.php --build (do nothing new patch 2012-05-04)");
                //shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.kerbauth.php --build &");
                WriteFileCache($file);
            }
            return;
        }
    }
    if (preg_match("#lessfs\\[.+?send_backlog : failed to connect to the slave#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/lessfs.1";
        if (IfFileTime($file, 5)) {
            email_events("lessFS: Replication deduplication to connect to the slave ", "lessFS claims:\n{$buffer}\nPlease check communications with the slave", 'system');
            WriteFileCache($file);
            return;
        }
    }
    if (preg_match("#lessfs\\[.+?send_backlog : invalid message size#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/lessfs.2";
        if (IfFileTime($file, 5)) {
            email_events("lessFS: Replication deduplication failed to replicate ", "lessFS claims:\n{$buffer}\nPlease check communications with the slave", 'system');
            WriteFileCache($file);
            return;
        }
    }
    if (preg_match("#lessfs\\[.+?replication_worker : replication is disabled, disconnect#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/lessfs.2";
        if (IfFileTime($file, 5)) {
            email_events("lessFS: Replication deduplication failed: Slave is disabled ", "lessFS claims:\n{$buffer}\nPlease check communications with the slave", 'system');
            WriteFileCache($file);
            return;
        }
    }
    if (preg_match("#lessfs\\[.+?Could not recover database : (.+?)#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/lessfs.3";
        if (IfFileTime($file, 5)) {
            email_events("lessFS: database {$re[1]} corrupted !!", "lessFS claims:\n{$buffer}\nArtica will try to repair it...", 'system');
            shell_exec("lessfsck -o -f -t -c /etc/lessfs.cfg &");
        }
    }
    if (preg_match("#automount\\[.+?mount.+?unknown filesystem type.+?ext4#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/automount.unknown.filesystem.type.ext4";
        if (IfFileTime($file, 15)) {
            email_events("automount: Failed to mount EXT4 !", "automount claims:\n{$buffer}\nYou should upgrade your system in order to obtain the last kernel that enables ext4", 'system');
            WriteFileCache($file);
        }
        return;
    }
    if (preg_match("#automount\\[.+?mount.+?failed to mount\\s+(.+?)\\s+on\\s+(.+)\$#", $buffer, $re)) {
        $mount_dir = $re[1];
        $mount_dest = $re[2];
        $md5 = md5("{$mount_dir}{$mount_dest}");
        $file = "/etc/artica-postfix/croned.1/automount.{$md5}";
        if (IfFileTime($file, 15)) {
            email_events("automount: Failed to mount {$mount_dir} ", "automount claims:\n{$buffer}\nCheck your connexions settings on automount section", 'system');
            WriteFileCache($file);
        }
        return;
    }
    if (preg_match("#modprobe: WARNING: Error inserting\\s+(.+?)\\s+\\(.+?\\):\\s+No such device#", $buffer, $re)) {
        email_events("kernel: missing {$re[1]} module", "modprobe claims:\n{$buffer}\nTry to find the right package that store {$re[2]} file", 'VPN');
        return;
    }
    if (preg_match("#pptp_callmgr.+?Could not open control connection to\\s+([0-9\\.]+)#", $buffer, $re)) {
        vpn_msql_events("VPN connexion failed to {$re[1]}, unable to create connection tunnel", $buffer, "{$re[1]}");
        email_events("VPN connexion failed to {$re[1]}, unable to create connection tunnel ", "{$buffer}", 'VPN');
        return;
    }
    if (preg_match("#pppd\\[.+?Can.+?t open options file.+?ppp\\/peers\\/(.+?):\\s+No such file or directory#", $buffer, $re)) {
        email_events("VPN connexion failed for {$re[1]} connection,No such file", "pptp clients claims {$buffer}\\artica will try to rebuild connections", "VPN");
        vpn_msql_events("VPN (PPTPD) failed for {$re[1]} connection,No such file", $buffer, "{vpn_server}");
        shell_exec(LOCATE_PHP5_BIN2() . " /usr/share/artica-postfix/exec.pptpd.php --clients &");
        return;
    }
    if (preg_match("#pppd\\[.+?peer refused to authenticate: terminating link#", $buffer, $re)) {
        vpn_msql_events("VPN (PPTPD) authentification failed from remote host", $buffer, "{vpn_server}");
        return;
    }
    if (preg_match("#pppd\\[.+?peer refused to authenticate#", $buffer, $re)) {
        vpn_msql_events("VPN (PPTPD) failed peer refused to authenticate", $buffer, "{vpn_server}");
        return;
    }
    if (preg_match("#pppd\\[.+?MS-CHAP authentication failed: E=691 Authentication failure#", $buffer, $re)) {
        vpn_msql_events("VPN (CLIENT) failed server refused to authenticate (Authentication failure)", $buffer, "{vpn_server}");
        return;
    }
    if (preg_match("#pppd\\[.+?MPPE required but not available#", $buffer, $re)) {
        vpn_msql_events("VPN (PPTPD) authentification failed MPPE required", $buffer, "{vpn_server}");
        return;
    }
    if (preg_match("#pptpd\\[.+?CTRL: Client\\s+(.+?)\\s+control connection finished#", $buffer, $re)) {
        vpn_msql_events("VPN (PPTPD) connection closed for {$re[1]}", $buffer, "{vpn_server}");
        return;
    }
    if (preg_match("#pppd\\[.+?pptpd-logwtmp\\.so ip-up ppp[0-9]+\\s+(.+?)\\s+([0-9\\.]+)#", $buffer, $re)) {
        vpn_msql_events("VPN (PPTPD) connection open for {$re[1]} ({$re[2]})", "{$buffer}", '{vpn_server}');
        return;
    }
    if (preg_match("#slapd\\[(.+?)\\]:.+?OpenLDAP: slapd\\s+([0-9\\.]+)#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/openldap-started";
        events("OpenLDAP service version {$re[2]} successfully started PID {$re[1]}", "{$buffer}", 'system');
        return;
    }
    if (preg_match("#monit\\[.+?Sendmail error:\\s+(.+)#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/monit-sendmail-failed-" . md5($re[1]);
        if (IfFileTime($file, 10)) {
            events("MONIT -> SENDMAIL FAILED");
            //email_events("Monit is unable to send notifications","Monit claim \"$buffer\"\ntry to analyze why postfix send this error:\n{$re[1]}",'system');
            WriteFileCache($file);
            return;
        }
    }
    if (strpos($buffer, "pam_ldap: ldap_simple_bind Can't contact LDAP server") > 0) {
        $file = "/etc/artica-postfix/croned.1/ldap-failed";
        if (IfFileTime($file, 10)) {
            events("pam_ldap -> LDAP FAILED");
            email_events("LDAP server is unavailable", "System claim \"{$buffer}\" artica will try to restart LDAP server ", 'system');
            WriteFileCache($file);
            shell_exec("{$GLOBALS["nohup"]} /etc/init.d/slapd restart --framework=" . basename(__FILE__) . " >/dev/null 2>&1 &");
            return;
        }
    }
    if (preg_match("#net:\\s+failed to bind to server.+?Error:\\s+Can.?t\\s+contact LDAP server#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/ldap-failed";
        if (IfFileTime($file, 10)) {
            events("NET -> LDAP FAILED");
            email_events("LDAP server is unavailable", "System claim \"{$buffer}\" artica will try to restart LDAP server ", 'system');
            WriteFileCache($file);
            shell_exec("{$GLOBALS["nohup"]} /etc/init.d/slapd restart --framework=" . basename(__FILE__) . " >/dev/null 2>&1 &");
            return;
        }
    }
    if (preg_match("#winbindd\\[.+?failed to bind to server\\s+(.+?)\\s+with dn.+?Error: Can.+?contact LDAP server#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/ldap-failed";
        if (IfFileTime($file, 10)) {
            events("winbindd -> LDAP FAILED");
            email_events("LDAP server is unavailable", "Samba claim \"{$buffer}\" artica will try to restart LDAP server ", 'system');
            WriteFileCache($file);
            shell_exec("{$GLOBALS["nohup"]} /etc/init.d/slapd restart --framework=" . basename(__FILE__) . " >/dev/null 2>&1 &");
            return;
        }
    }
    if (preg_match("#smbd\\[.+?User\\s+(.+?)with invalid SID\\s+(.+?)\\s+in passdb#", $buffer, $re)) {
        events("SAMBA Invalid SID for {$re[1]}");
        $md5 = md5("{$re[1]}{$re[2]}");
        $file = "/etc/artica-postfix/croned.1/samba.invalid.sid.{$md5}";
        if (IfFileTime($file)) {
            $unix = new unix();
            $localsid = $unix->GET_LOCAL_SID();
            $cmd = LOCATE_PHP5_BIN2() . " /usr/share/artica-postfix/exec.samba.synchronize.php";
            $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET($cmd);
            email_events("Samba invalid SID for {$re[1]}", "Samba claim \"{$buffer}\"\nUser:{$re[1]} with sid {$re[2]} has this server has the SID {$localsid}\nArtica will re-sync accounts", 'system');
            WriteFileCache($file);
        }
        return true;
    }
    if (preg_match("#smbd\\[.+?sid\\s+(.+?)\\s+does not belong to our domain#", $buffer, $re)) {
        events("SAMBA Invalid global SID for {$re[1]}");
        $md5 = md5("{$re[1]}");
        $file = "/etc/artica-postfix/croned.1/samba.invalid.sid.{$md5}";
        if (IfFileTime($file)) {
            $unix = new unix();
            $localsid = $unix->GET_LOCAL_SID();
            email_events("Samba global invalid SID for {$re[1]}", "Samba claim \"{$buffer}\"\n{$re[1]} has this server has the real SID {$localsid}\nTry to rebuild the configuration trough artica web Interface", 'system');
            WriteFileCache($file);
        }
        return true;
    }
    if (preg_match("#NetBIOS name\\s+(.+?)\\s+is too long. Truncating to (.+?)#", $buffer, $re)) {
        events("SAMBA NetBIOS name {$re[1]} is too long");
        $file = "/etc/artica-postfix/croned.1/NetBIOSNameTooLong";
        if (IfFileTime($file)) {
            email_events("Samba NetBIOS name {$re[1]} is too long", "Samba claim \"{$buffer}\" \nYou should change your server hostname", 'system');
            WriteFileCache($file);
        }
        return true;
    }
    if (preg_match('#net:\\s+WARNING:\\s+Ignoring invalid value.+?Bad Pasword#', $buffer, $re)) {
        events("SAMBA unknown parameter Bad Pasword");
        $file = "/etc/artica-postfix/croned.1/SambaBadPasword";
        if (IfFileTime($file)) {
            email_events("Samba unknown parameter \"Bad Pasword\"", "Samba claim \"{$buffer}\" Artica will reconfigure samba", 'system');
            shell_exec(LOCATE_PHP5_BIN2() . " /usr/share/artica-postfix/exec.samba.php --reconfigure &");
            WriteFileCache($file);
        }
        return true;
    }
    if (preg_match('#smbd\\[.+Ignoring unknown parameter\\s+"hide_unwriteable_files"#', $buffer, $re)) {
        events("SAMBA unknown parameter hide_unwriteable_files");
        $file = "/etc/artica-postfix/croned.1/hide_unwriteable_files";
        if (IfFileTime($file)) {
            email_events("Samba unknown parameter hide_unwriteable_files", "Samba claim \"{$buffer}\" Artica will correct the configuration file", 'system');
            shell_exec(LOCATE_PHP5_BIN2() . " /usr/share/artica-postfix/exec.samba.php --fix-HideUnwriteableFiles &");
            WriteFileCache($file);
        }
        return true;
    }
    if (preg_match('#load_usershare_shares: directory\\s+(.+?)\\s+is not owned by root or does not have the sticky bit#', $buffer, $re)) {
        events("SAMBA load_usershare_shares {$re[1]}");
        $file = "/etc/artica-postfix/croned.1/load_usershare_shares";
        if (IfFileTime($file)) {
            email_events("Samba load_usershare_shares permissions issues", "Samba claim \"{$buffer}\" Artica will correct the filesystem directory", 'system');
            shell_exec("chmod 1775 {$re['1']}/ &");
            shell_exec("chmod chmod +t {$re['1']}/ &");
            WriteFileCache($file);
        }
        return true;
    }
    if (preg_match("#amavis\\[.+?:\\s+\\(.+?\\)TROUBLE\\s+in child_init_hook:#", $buffer, $re)) {
        events("AMAVIS TROUBLE in child_init_hook");
        $file = "/etc/artica-postfix/croned.1/amavis." . md5("AMAVIS:TROUBLE in child_init_hook");
        if (IfFileTime($file)) {
            email_events("Amavis child error", "Amavis claim \"{$buffer}\" the amavis daemon will be restarted", 'postfix');
            shell_exec('/etc/init.d/amavis restart &');
            WriteFileCache($file);
        }
        return true;
    }
    if (preg_match("#amavis\\[.+?:\\s+\\(.+?\\)_DIE:\\s+Suicide in child_init_hook#", $buffer, $re)) {
        events("AMAVIS TROUBLE in child_init_hook");
        $file = "/etc/artica-postfix/croned.1/amavis." . md5("AMAVIS:TROUBLE in child_init_hook");
        if (IfFileTime($file)) {
            email_events("Amavis child error", "Amavis claim \"{$buffer}\" the amavis daemon will be restarted", 'postfix');
            shell_exec('/etc/init.d/amavis restart &');
            WriteFileCache($file);
        }
        return true;
    }
    if (preg_match("#smbd_audit:\\s+(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\$#", $buffer, $re)) {
        events("{$re[5]}/{$re[8]} in xapian queue");
        WriteXapian("{$re[5]}/{$re[8]}");
        return true;
    }
    if (preg_match("#dansguardian.+?:\\s+Error connecting to proxy#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/squid.tostart.error";
        if (IfFileTime($file, 2)) {
            events("Squid not available...! Artica will start squid");
            email_events("Proxy error", "DansGuardian claim \"{$buffer}\", Artica will start squid ", 'system');
            $GLOBALS["CLASS_UNIX"]->RECONFIGURE_SQUID();
            $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/etc/init.d/artica-postfix start dansguardian');
            WriteFileCache($file);
            return;
        } else {
            events("Proxy error, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#zarafa-server.+?INNODB engine is disabled#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/zarafa.INNODB.engine";
        if (IfFileTime($file, 2)) {
            events("Zarafa innodb errr");
            WriteFileCache($file);
            return;
        } else {
            events("Zarafa innodb err, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#zarafa-spooler\\[.+?Unable to open admin session.*?Error ([0-9a-zA-Z]+)#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/zarafa.Unable.to.open.admin.session";
        events("Unable to open admin session `{$re[1]}` line:" . __LINE__);
        if (IfFileTime($file, 3)) {
            $restartZarafa = false;
            if (preg_match("#0x80040115#", $buffer)) {
                events("{$re[1]}: Restart required...");
                $restartZarafa = true;
                $restartaction = "\nServer will be restarted...\n";
            } else {
                events("{$re[1]}: Restart NOT required...");
            }
            email_events("zarafa Spooler service error connecting to zarafa server ({$re[1]})", "Zarafa claim \"{$buffer}\"{$restartaction} ", 'system');
            WriteFileCache($file);
            if ($restartZarafa) {
                events("\"{$GLOBALS["nohup"]} /etc/init.d/zarafa-server restart >/dev/null 2>&1 &\" line:" . __LINE__);
                shell_exec("{$GLOBALS["nohup"]} /etc/init.d/zarafa-server restart >/dev/null 2>&1 &");
            }
        }
        return;
    }
    if (preg_match("#(.+?)\\[.+?segfault at.+?error.+?in.+?\\[#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/segfault.{$re[1]}";
        if (IfFileTime($file, 10)) {
            events("{$re[1]}: segfault");
            email_events("{$re[1]}: segfault", "Kernel claim \"{$buffer}\" ", 'system');
            WriteFileCache($file);
            return;
        }
    }
    if (preg_match("#kernel:.+?Out of memory:\\s+kill\\s+process\\s+#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kernel.Out.of.memory";
        if (!is_numeric($GLOBALS["NOOUTOFMEMORYREBOOT"])) {
            $GLOBALS["NOOUTOFMEMORYREBOOT"] = 0;
        }
        if (IfFileTime($file, 1)) {
            if ($GLOBALS["NOOUTOFMEMORYREBOOT"] != 1) {
                events("Out of memory -> REBOOT !!!");
                $uptime = $GLOBALS["CLASS_UNIX"]->uptime();
                email_events("Out of memory: reboot action performed Uptime:{$uptime}", "Kernel claim \"{$buffer}\" the server will be rebooted", 'system');
                WriteFileCache($file);
                if ($GLOBALS["SQUID_INSTALLED"]) {
                    squid_admin_mysql(0, "Memory full: System will be rebooted after running after {$uptime}", "System claim \"{$buffer}\" the operating system will be rebooted", __FILE__, __LINE__);
                }
                UcarpDown();
                shell_exec("{$GLOBALS["SHUTDOWN_BIN"]} -rF now");
                return;
            } else {
                email_events("Out of memory: your system hang !", "Kernel claim \"{$buffer}\" I suggest rebooting the system", 'system');
                WriteFileCache($file);
            }
        }
    }
    if (preg_match("#kernel:\\s+\\[.+?Out of memory\\s+\\(oom_kill_allocating_task#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kernel.Out.of.memory";
        if (!is_numeric($GLOBALS["NOOUTOFMEMORYREBOOT"])) {
            $GLOBALS["NOOUTOFMEMORYREBOOT"] = 0;
        }
        if (IfFileTime($file, 1)) {
            if ($GLOBALS["NOOUTOFMEMORYREBOOT"] != 1) {
                events("Out of memory -> REBOOT !!!");
                $uptime = $GLOBALS["CLASS_UNIX"]->uptime();
                email_events("Out of memory: reboot action performed uptime:{$uptime}", "Kernel claim \"{$buffer}\" the server will be rebooted", 'system');
                WriteFileCache($file);
                if ($GLOBALS["SQUID_INSTALLED"]) {
                    squid_admin_mysql(0, "Memory full: System will be rebooted after running after {$uptime}", "System claim \"{$buffer}\" the operating system will be rebooted", __FILE__, __LINE__);
                }
                UcarpDown();
                shell_exec("{$GLOBALS["SHUTDOWN_BIN"]} -rF now");
                return;
            } else {
                email_events("Out of memory: your system hang !", "Kernel claim \"{$buffer}\" I suggest rebooting the system", 'system');
                WriteFileCache($file);
            }
        }
    }
    if (preg_match("#kernel:.+?ata.+?status:\\s+{\\s+DRDY#", $buffer, $re)) {
        if ($GLOBALS["NODRYREBOOT"] == 1) {
            events("Hard Disk problem: -> reboot banned");
            return;
        }
        $file = "/etc/artica-postfix/croned.1/kernel.DRDY";
        if (IfFileTime($file, 5)) {
            events("DRDY -> REBOOT !!!");
            exec("/bin/dmesg 2>&1", $results);
            $array["buffer"] = $buffer;
            $array["dmsg"] = $results;
            @mkdir("/etc/artica-postfix/reboot", 644, true);
            @file_put_contents("/etc/artica-postfix/reboot/" . time(), serialize($array));
            email_events("Hard Disk issue: reboot action performed", "Kernel claim \"{$buffer}\" the server will be rebooted\n" . @implode("\n", $results), 'system');
            if ($GLOBALS["SQUID_INSTALLED"]) {
                squid_admin_mysql(0, "Memory full: System will be rebooted after running after {$uptime}", "System claim \"{$buffer}\" the operating system will be rebooted", __FILE__, __LINE__);
            }
            UcarpDown();
            shell_exec("{$GLOBALS["SHUTDOWN_BIN"]} -rF now");
            return;
        }
    }
    if (preg_match("#winbindd\\[.+?resolve_name: unknown name switch type lmhost#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/winbindd.lmhost.failed";
        if (IfFileTime($file, 10)) {
            events("winbindd -> lmhost failed");
            WriteFileCache($file);
            $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.samba.php --fix-lmhost");
            return;
        }
    }
    if (preg_match("#nmbd\\[.+?become_logon_server_success: Samba is now a logon server for workgroup (.+?)\\s+on subnet\\s+([A-Z0-9\\._-]+)#", $buffer, $re)) {
        email_events("Samba (file sharing) started domain {$re[1]}/{$re[2]}", "Samba notice: \"{$buffer}\"", 'system');
        return;
    }
    if (preg_match("#zarafa-server.+?Unable to connect to database.+?MySQL server on.+?([0-9\\.]+)#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/zarafa.MYSQL.CONNECT";
        if (IfFileTime($file, 2)) {
            events("Zarafa Mysql Error errr");
            email_events("MailBox server unable connect to database", "Zarafa server  claim \"{$buffer}\" ", 'mailbox');
            WriteFileCache($file);
            return;
        } else {
            events("MailBox server unable connect to database but take action after 10mn");
            return;
        }
    }
    if (preg_match("#winbindd:\\s+Exceeding\\s+[0-9]+\\s+client\\s+connections.+?no idle connection found#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/Winbindd.connect.error";
        if (IfFileTime($file, 2)) {
            events("winbindd Error connections");
            email_events("Winbindd exceeding connections", "Samba server  claim \"{$buffer}\" \nArtica will restart samba", 'system');
            shell_exec('/etc/init.d/artica-postfix restart samba &');
            WriteFileCache($file);
            return;
        } else {
            events("Winbindd exceeding connections take action after 10mn");
            return;
        }
    }
    // -------------------------------------------------------------------- MONIT
    if (preg_match("#'(.+?)'\\s+total mem amount of\\s+([0-9]+).+?matches resource limit#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/mem.globalmem.monit";
        if (IfFileTime($file, 10)) {
            $processname = $re[1];
            if (preg_match("#mysqlmulti([0-9]+)#", $processname, $ri)) {
                $tt = unserialize(@file_get_contents("/etc/artica-postfix/mysql_multi_names.cache"));
                $instancenem = $tt[$ri[1]];
                $re[1] = "Mysql Instance {$ri[1]} ({$instancenem})";
            }
            events("{$re[1]} limit memory exceed");
            shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} " . dirname(__FILE__) . "/exec.watchdog.php --mem >/dev/null 2>&1 &");
            system_admin_events("{$re[1]}: memory limit", "Monitor claim \"{$buffer}\"\n" . @implode("\n", $psarr), __FUNCTION__, __FILE__, __LINE__, "watchdog");
            WriteFileCache($file);
            return;
        } else {
            events("{$re[1]} limit memory exceed, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#monit\\[.+?'(.+?)'\\s+trying to restart#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/restart.{$re[1]}.monit";
        if (IfFileTime($file, 5)) {
            events("{$re[1]} was restarted");
            $processname = $re[1];
            if (preg_match("#mysqlmulti([0-9]+)#", $processname, $ri)) {
                $tt = unserialize(@file_get_contents("/etc/artica-postfix/mysql_multi_names.cache"));
                $instancenem = $tt[$ri[1]];
                $re[1] = "Mysql Instance {$ri[1]} ({$instancenem})";
            }
            WriteFileCache($file);
            return;
        } else {
            events("{$re[1]}: stopped, try to restart, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#monit\\[.+?mem usage of\\s+([0-9\\.]+)%\\s+matches resource limit#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/mem.usage.monit";
        if (IfFileTime($file, 15)) {
            events("{$re[1]}% limit memory exceed");
            shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} " . dirname(__FILE__) . "/exec.watchdog.php --mem >/dev/null 2>&1 &");
            system_admin_events("{$re[1]}% memory limit\nMonitor claim \"{$buffer}\"\n", __FUNCTION__, __FILE__, __LINE__, "watchdog");
            WriteFileCache($file);
            return;
        } else {
            events("{$re[1]}% limit memory exceed, but take action after 15mn");
            return;
        }
    }
    if (preg_match("#monit\\[.+?'(.+?)'\\s+process is not running#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/restart.{$re[1]}.monit";
        if (IfFileTime($file, 5)) {
            events("{$re[1]} was stopped");
            $processname = $re[1];
            if (preg_match("#mysqlmulti([0-9]+)#", $processname, $ri)) {
                $tt = unserialize(@file_get_contents("/etc/artica-postfix/mysql_multi_names.cache"));
                $instancenem = $tt[$ri[1]];
                $re[1] = "Mysql Instance {$ri[1]} ({$instancenem})";
            }
            WriteFileCache($file);
            return;
        } else {
            events("{$re[1]}: stopped, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#pdns\\[.+?:\\s+binding UDP socket to.+?Address already in use#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/restart.pdns.bind.error";
        if (IfFileTime($file, 5)) {
            events("PowerDNS: Unable to bind UDP socket");
            email_events("PowerDNS: Unable to bind UDP socket", "Artica will restart PowerDNS", 'system');
            $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart pdns');
            WriteFileCache($file);
            return;
        } else {
            events("PowerDNS: Unable to bind UDP socket: but take action after 10mn");
            return;
        }
    }
    //pdns_recursor[5011]: Failed to update . records, RCODE=2
    if (preg_match("#pdns_recursor\\[.+?:\\s+Failed to update \\. records, RCODE=2#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/restart.pdns.RCODE2.error";
        if (IfFileTime($file, 5)) {
            events("PowerDNS: Unable to query Public DNS");
            //email_events("PowerDNS: Unable to query Public DNS","PowerDNS claim: $buffer,It seems that your Public DNS are not available or network is down",'system');
            WriteFileCache($file);
            return;
        } else {
            events("PowerDNS: Unable to query Public DNS: but take action after 10mn");
            return;
        }
    }
    if (preg_match("#cpu system usage of ([0-9\\.]+)% matches#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/cpu.system.monit";
        if (IfFileTime($file, 15)) {
            events("cpu exceed");
            system_admin_events("CPU warning {$re[1]}%\nMonitor claim \"{$buffer}\"", __FUNCTION__, __FILE__, __LINE__, "watchdog");
            shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} " . dirname(__FILE__) . "/exec.watchdog.php --cpu >/dev/null 2>&1 &");
            WriteFileCache($file);
            return;
        } else {
            events("cpu exceed, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#monit.+?loadavg.+?of\\s+([0-9\\.]+)\\s+matches resource limit#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/load.system.monit";
        if (IfFileTime($file, 15)) {
            events("Load exceed");
            system_admin_events("Load warning {$re[1]}\nMonitor claim \"{$buffer}\"", __FUNCTION__, __FILE__, __LINE__, "watchdog");
            shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} " . dirname(__FILE__) . "/exec.watchdog.php --loadavg >/dev/null 2>&1 &");
            WriteFileCache($file);
            return;
        } else {
            events("Load exceed, but take action after 15mn");
            return;
        }
    }
    if (preg_match("#monit.+?'(.+)'\\s+start:#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/monit.start.{$re[1]}";
        if (IfFileTime($file, 5)) {
            events("{$re[1]} start");
            WriteFileCache($file);
            return;
        } else {
            events("{$re[1]} start, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#monit\\[.+?:\\s+'(.+?)'\\s+process is running with pid\\s+([0-9]+)#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/monit.run.{$re[1]}";
        if (IfFileTime($file, 5)) {
            events("{$re[1]} running");
            WriteFileCache($file);
            return;
        } else {
            events("{$re[1]} running, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#nmbd.+?:\\s+Cannot sync browser lists#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/samba.CannotSyncBrowserLists.error";
        if (IfFileTime($file)) {
            events("Samba cannot sync browser list, remove /var/lib/samba/wins.dat");
            @unlink("/var/lib/samba/wins.dat");
            WriteFileCache($file);
        } else {
            events("Samba error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#freshclam.+?:\\s+Database updated \\(([0-9]+)\\s+signatures\\) from .+?#", $buffer, $re)) {
        email_events("ClamAV Database Updated {$re[1]} signatures", "{$buffer}", 'update');
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} " . basename(__FILE__) . "/exec.clamavsig.php >/dev/null 2>&1 &");
        return;
    }
    if (preg_match("#freshclam\\[.+?:\\s+Database updated\\s+\\(#", $buffer, $re)) {
        shell_exec("{$GLOBALS["nohup"]} {$GLOBALS["LOCATE_PHP5_BIN"]} " . basename(__FILE__) . "/exec.clamavsig.php >/dev/null 2>&1 &");
    }
    if (preg_match("#freshclam.+?Can.+?t\\s+connect to port\\s+([0-9]+)\\s+of\\s+host\\s+(.+?)\\s+#", $buffer, $re)) {
        $host = $re[2] . ":" . $re[1];
        $file = "/etc/artica-postfix/croned.1/freshclam.error." . md5($host);
        if (IfFileTime($file)) {
            email_events("Unable to update ClamAV Databases from {$host}", "freshclam claim {$buffer}\nCheck is this server hav access to Internet\nCheck your proxy configuration", 'update');
            WriteFileCache($file);
            return;
        } else {
            events("KAV4PROXY error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#KASERROR.+?NOLOGID.+?Can.+?find user mailflt3#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/KASERROR.NOLOGID.mailflt3";
        if (IfFileTime($file)) {
            $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/usr/share/artica-postfix/bin/artica-install --mailflt3');
            WriteFileCache($file);
            return;
        } else {
            events("KASERROR error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#lmtp.+?status=deferred.+?lmtp\\]:.+?(No such file or directory|Too many levels of symbolic links)#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/cyrus.lmtp.failed";
        if (IfFileTime($file)) {
            email_events("cyrus-imapd socket error", "Postfix claim \"{$buffer}\", Artica will restart cyrus", 'system');
            $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/usr/share/artica-postfix/bin/artica-install --cyrus-checkconfig');
            $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET('/etc/init.d/cyrus-imapd restart');
            $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix.main.cf.php --imap-sockets");
            cyrus_socket_error($buffer, $re[1] . "lmtp");
            WriteFileCache($file);
            return;
        } else {
            events("CYRUS error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#rsyncd\\[.+?:\\s+recv.+?\\[(.+?)\\].+?([0-9]+)\$#", $buffer, $re)) {
        $file = md5($buffer);
        @mkdir('{$GLOBALS["ARTICALOGDIR"]}/rsync', null, true);
        $f["IP"] = $re[1];
        $f["DATE"] = date('Y-m-d H:00:00');
        $f["SIZE"] = $re[2];
        @file_put_contents("{$GLOBALS["ARTICALOGDIR"]}/rsync/{$file}", serialize($f));
    }
    if (preg_match("#kavmilter.+?Can.+?t load keys: No active key#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kavmilter.key.failed";
        if (IfFileTime($file)) {
            email_events("Kaspersky Antivirus Mail license error", "KavMilter claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("Kaspersky Antivirus Mail license error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#kavmd.+?Can.+?t load keys:.+?#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kavmd.key.failed";
        if (IfFileTime($file)) {
            email_events("Kaspersky Antivirus Mail license error", "Kaspersky Antivirus Mail claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("Kaspersky Antivirus Mail license error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#kavmd.+?ERROR Engine problem#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kavmd.engine.failed";
        if (IfFileTime($file)) {
            email_events("Kaspersky Antivirus Mail Engine error", "Kaspersky Antivirus Mail claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("Kaspersky Antivirus Mail Engine error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#kavmilter.+?WARNING.+?Your AV signatures are older than#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kavmilter.upd.failed";
        if (IfFileTime($file)) {
            email_events("Kaspersky Antivirus Mail AV signatures are older", "KavMilter claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("Kaspersky Antivirus update license error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#dansguardian.+?Error compiling regexp#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/dansguardian.compiling.regexp";
        if (IfFileTime($file)) {
            email_events("Dansguardian failed to start", "Dansguardian claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("Dansguardian failed to start:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#kavmilter.+?Invalid value specified for SendmailPath#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kavmilter.SendmailPath.Invalid";
        if (IfFileTime($file)) {
            events("Check SendmailPath for kavmilter");
            $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.kavmilter.php --SendmailPath");
            WriteFileCache($file);
            return;
        } else {
            events("Check SendmailPath for kavmilter:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#KAVMilter Error.+?Group.+?Default.+?has error#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kavmilter.Default.error";
        if (IfFileTime($file)) {
            events("Check Group default for kavmilter");
            $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.kavmilter.php --default-group");
            WriteFileCache($file);
            return;
        } else {
            events("Check Group default for kavmilter:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#kavmilter.+?Message INFECTED from (.+?)\\(remote:\\[(.+?)\\).+?with\\s+(.+?)\$#", $buffer, $re)) {
        events("KAVMILTER INFECTION <{$re[1]}> {$re[2]}");
        infected_queue("kavmilter", trim($re[1]), trim($re[2]), trim($re[3]));
        return;
    }
    if (preg_match("#pdns\\[.+?\\[LdapBackend.+?Ldap connection to server failed#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/pdns.ldap.error";
        if (IfFileTime($file)) {
            events("PDNS LDAP FAILED");
            email_events("PowerDNS ldap connection failed", "PowerDNS claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("PDNS FAILED:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#master.+?cannot find executable for service.+?sieve#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/cyrus.sieve.error";
        if (IfFileTime($file)) {
            events("Check sieve path");
            $GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("/usr/share/artica-postfix/bin/artica-install --reconfigure-cyrus");
            WriteFileCache($file);
            return;
        } else {
            events("Check sieve path error :{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#smbd\\[.+?write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/samba.Error.Connection.reset.by.peer.error";
        if (IfFileTime($file)) {
            events("Check sieve Error Connection reset by peer");
            $text[] = "Your MS Windows computers should not have access to the server cause network generic errors";
            $text[] = "- Check these parameters:";
            $text[] = "- Check if Apparmor or SeLinux are disabled on the server.";
            $text[] = "- Check your hard drives by this command-line: hdparm -tT /dev/sda(0-9)";
            $text[] = "- Check that 137|138|139|445 ports is open from workstation to this server";
            $text[] = "- Check network switch or hub connection between this server and your workstations.";
            $text[] = "- Try to add this registry key [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Disk]\n\t\"TimeOutValue\"=dword:0000003c";
            email_events("Samba network error", "Samba claim \"{$buffer}\"\n" . implode("\n", $text), 'system');
            WriteFileCache($file);
            return;
        } else {
            events("Check sieve Error Connection reset by peer :{$buffer}, but take action after 10mn");
            return;
        }
    }
    $mem = round(memory_get_usage() / 1024 / 1000, 2);
    events_not_filtered("Not Filtered:\"{$buffer}\" (line " . __LINE__ . ") memory: {$mem}MB");
}
Exemplo n.º 6
0
function Parseline($buffer)
{
    $buffer = trim($buffer);
    if (preg_match("#artica-filter#", $buffer)) {
        return true;
    }
    if (preg_match("#postfix\\/#", $buffer)) {
        return true;
    }
    if (preg_match("#CRON\\[#", $buffer)) {
        return true;
    }
    if (preg_match("#: CACHEMGR:#", $buffer)) {
        return true;
    }
    if (preg_match("#exec\\.postfix-logger\\.php:#", $buffer)) {
        return true;
    }
    if (preg_match("#artica-install\\[#", $buffer)) {
        return true;
    }
    if (preg_match("#monitor action done#", $buffer)) {
        return true;
    }
    if (preg_match("#monitor service.+?on user request#", $buffer)) {
        return true;
    }
    if (preg_match("#CRON\\[.+?\\(root\\).+CMD#", $buffer)) {
        return true;
    }
    if (preg_match("#winbindd\\[.+?winbindd_listen_fde_handler#", $buffer)) {
        return true;
    }
    if (preg_match('#smbd\\[.+Ignoring unknown parameter\\s+"hide_unwriteable_files"#', $buffer, $re)) {
        events("SAMBA unknown parameter hide_unwriteable_files");
        $file = "/etc/artica-postfix/croned.1/hide_unwriteable_files";
        if (IfFileTime($file)) {
            email_events("Samba unknown parameter hide_unwriteable_files", "Samba claim \"{$buffer}\" Artica will correct the configuration file", 'system');
            shell_exec(LOCATE_PHP5_BIN2() . " /usr/share/artica-postfix/exec.samba.php --fix-HideUnwriteableFiles &");
            @file_put_contents($file, "#");
        }
        return true;
    }
    if (preg_match('#load_usershare_shares: directory\\s+(.+?)\\s+is not owned by root or does not have the sticky bit#', $buffer, $re)) {
        events("SAMBA load_usershare_shares {$re[1]}");
        $file = "/etc/artica-postfix/croned.1/load_usershare_shares";
        if (IfFileTime($file)) {
            email_events("Samba load_usershare_shares permissions issues", "Samba claim \"{$buffer}\" Artica will correct the filesystem directory", 'system');
            shell_exec("chmod 1775 {$re['1']}/ &");
            shell_exec("chmod chmod +t {$re['1']}/ &");
            @file_put_contents($file, "#");
        }
        return true;
    }
    if (preg_match("#amavis\\[.+?:\\s+\\(.+?\\)TROUBLE\\s+in child_init_hook:#", $buffer, $re)) {
        events("AMAVIS TROUBLE in child_init_hook");
        $file = "/etc/artica-postfix/croned.1/amavis." . md5("AMAVIS:TROUBLE in child_init_hook");
        if (IfFileTime($file)) {
            email_events("Amavis child error", "Amavis claim \"{$buffer}\" the amavis daemon will be restarted", 'postfix');
            shell_exec('/etc/init.d/artica-postfix restart amavis &');
            @file_put_contents($file, "#");
        }
        return true;
    }
    if (preg_match("#amavis\\[.+?:\\s+\\(.+?\\)_DIE:\\s+Suicide in child_init_hook#", $buffer, $re)) {
        events("AMAVIS TROUBLE in child_init_hook");
        $file = "/etc/artica-postfix/croned.1/amavis." . md5("AMAVIS:TROUBLE in child_init_hook");
        if (IfFileTime($file)) {
            email_events("Amavis child error", "Amavis claim \"{$buffer}\" the amavis daemon will be restarted", 'postfix');
            shell_exec('/etc/init.d/artica-postfix restart amavis &');
            @file_put_contents($file, "#");
        }
        return true;
    }
    if (preg_match("#smbd_audit:\\s+(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\$#", $buffer, $re)) {
        events("{$re[5]}/{$re[8]} in xapian queue");
        WriteXapian("{$re[5]}/{$re[8]}");
        return true;
    }
    if (preg_match("#squid\\[.+?comm_old_accept:\\s+FD\\s+15:.+?Invalid argument#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/comm_old_accept.FD15";
        if (IfFileTime($file)) {
            events("comm_old_accept FD15 SQUID");
            email_events("Squid File System error", "SQUID claim \"{$buffer}\" the squid service will be restarted", 'system');
            THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart squid-cache');
            WriteFileCache($file);
            return;
        } else {
            events("comm_old_accept FD15 SQUID");
            return;
        }
    }
    if (preg_match("#dansguardian.+?:\\s+Error connecting to proxy#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/squid.tostart.error";
        if (IfFileTime($file, 2)) {
            events("Squid not available...! Artica will start squid");
            email_events("Proxy error", "DansGuardian claim \"{$buffer}\", Artica will start squid ", 'system');
            THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart squid-cache');
            THREAD_COMMAND_SET('/etc/init.d/artica-postfix start dansguardian');
            WriteFileCache($file);
            return;
        } else {
            events("Proxy error, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#zarafa-server.+?INNODB engine is disabled#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/zarafa.INNODB.engine";
        if (IfFileTime($file, 2)) {
            events("Zarafa innodb errr");
            THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart mysql');
            THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart zarafa');
            WriteFileCache($file);
            return;
        } else {
            events("Zarafa innodb err, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#(.+?)\\[.+?segfault at.+?error.+?in.+?\\[#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/segfault.{$re[1]}";
        if (IfFileTime($file, 10)) {
            events("{$re[1]}: segfault");
            email_events("{$re[1]}: segfault", "Kernel claim \"{$buffer}\" ", 'system');
            WriteFileCache($file);
            return;
        }
    }
    if (preg_match("#kernel:.+?Out of memory:\\s+kill\\s+process\\s+#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kernel.Out.of.memory";
        if (IfFileTime($file, 1)) {
            events("Out of memory -> REBOOT !!!");
            email_events("Out of memory ! server will be rebooted", "Kernel claim \"{$buffer}\" the server will be rebooted", 'system');
            WriteFileCache($file);
            shell_exec("/etc/init.d/artica-postfix stop");
            shell_exec("reboot");
            return;
        }
    }
    if (preg_match("#winbindd\\[.+?failed to bind to server\\s+(.+?)\\s+with dn.+?Error: Can.+?contact LDAP server#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/winbindd.ldap.failed";
        if (IfFileTime($file, 10)) {
            events("winbindd -> LDAP FAIELD");
            email_events("LDAP server is unavailable", "Samba claim \"{$buffer}\" artica will try to restart LDAP server ", 'system');
            WriteFileCache($file);
            THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart ldap');
            return;
        }
    }
    if (preg_match("#winbindd\\[.+?resolve_name: unknown name switch type lmhost#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/winbindd.lmhost.failed";
        if (IfFileTime($file, 10)) {
            events("winbindd -> lmhost failed");
            WriteFileCache($file);
            THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.samba.php --fix-lmhost");
            return;
        }
    }
    if (preg_match("#nmbd\\[.+?become_logon_server_success: Samba is now a logon server for workgroup (.+?)\\s+on subnet\\s+([A-Z0-9\\._-]+)#", $buffer, $re)) {
        email_events("Samba (file sharing) started domain {$re[1]}/{$re[2]}", "Samba notice: \"{$buffer}\"", 'system');
        return;
    }
    if (preg_match("#zarafa-server.+?Unable to connect to database.+?MySQL server on.+?([0-9\\.]+)#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/zarafa.MYSQL.CONNECT";
        if (IfFileTime($file, 2)) {
            events("Zarafa Mysql Error errr");
            email_events("MailBox server unable connect to database", "Zarafa server  claim \"{$buffer}\" ", 'mailbox');
            WriteFileCache($file);
            return;
        } else {
            events("MailBox server unable connect to database but take action after 10mn");
            return;
        }
    }
    if (preg_match("#winbindd:\\s+Exceeding\\s+[0-9]+\\s+client\\s+connections.+?no idle connection found#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/Winbindd.connect.error";
        if (IfFileTime($file, 2)) {
            events("winbindd Error connections");
            email_events("Winbindd exceeding connections", "Samba server  claim \"{$buffer}\" \nArtica will restart samba", 'system');
            shell_exec('/etc/init.d/artica-postfix restart samba &');
            WriteFileCache($file);
            return;
        } else {
            events("Winbindd exceeding connections take action after 10mn");
            return;
        }
    }
    // -------------------------------------------------------------------- MONIT
    if (preg_match("#'(.+?)'\\s+total mem amount of\\s+([0-9]+).+?matches resource limit#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/mem.{$re[1]}.monit";
        if (IfFileTime($file, 15)) {
            events("{$re[1]} limit memory exceed");
            email_events("{$re[1]}: memory limit", "Monitor claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("{$re[1]} limit memory exceed, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#monit\\[.+?'(.+?)'\\s+trying to restart#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/restart.{$re[1]}.monit";
        if (IfFileTime($file, 5)) {
            events("{$re[1]} was restarted");
            email_events("{$re[1]}: stopped, try to restart", "Monitor claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("{$re[1]}: stopped, try to restart, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#monit\\[.+?'(.+?)'\\s+process is not running#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/restart.{$re[1]}.monit";
        if (IfFileTime($file, 5)) {
            events("{$re[1]} was stopped");
            email_events("{$re[1]}: stopped", "Monitor claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("{$re[1]}: stopped, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#pdns\\[.+?:\\s+binding UDP socket to.+?Address already in use#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/restart.pdns.bind.error";
        if (IfFileTime($file, 5)) {
            events("PowerDNS: Unable to bind UDP socket");
            email_events("PowerDNS: Unable to bind UDP socket", "Artica will restart PowerDNS", 'system');
            THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart pdns');
            WriteFileCache($file);
            return;
        } else {
            events("PowerDNS: Unable to bind UDP socket: but take action after 10mn");
            return;
        }
    }
    if (preg_match("#cpu system usage of ([0-9\\.]+)% matches#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/cpu.system.monit";
        if (IfFileTime($file, 15)) {
            events("cpu exceed");
            email_events("cpu warning {$re[1]}%", "Monitor claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("cpu exceed, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#monit.+?'(.+)'\\s+start:#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/monit.start.{$re[1]}";
        if (IfFileTime($file, 5)) {
            events("{$re[1]} start");
            email_events("{$re[1]} starting", "Monitor currently starting service {$re[1]}", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("{$re[1]} start, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#monit\\[.+?:\\s+'(.+?)'\\s+process is running with pid\\s+([0-9]+)#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/monit.run.{$re[1]}";
        if (IfFileTime($file, 5)) {
            events("{$re[1]} running");
            email_events("{$re[1]} now running pid {$re[2]}", "Monitor report {$buffer}", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("{$re[1]} running, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#nmbd.+?:\\s+Cannot sync browser lists#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/samba.CannotSyncBrowserLists.error";
        if (IfFileTime($file)) {
            events("Samba cannot sync browser list, remove /var/lib/samba/wins.dat");
            @unlink("/var/lib/samba/wins.dat");
            WriteFileCache($file);
        } else {
            events("Samba error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#freshclam.+?:\\s+Database updated \\(([0-9]+)\\s+signatures\\) from .+?#", $buffer, $re)) {
        email_events("ClamAV Database Updated {$re[1]} signatures", "{$buffer}", 'update');
        return;
    }
    if (preg_match("#squid.+?:\\s+essential ICAP service is down after an options fetch failure:\\s+icap:\\/\\/:1344\\/av\\/respmod#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/squid.icap1.error";
        if (IfFileTime($file)) {
            email_events("Kaspersky for Squid Down", "{$buffer}", 'system');
            THREAD_COMMAND_SET('/etc/init.d/artica-postfix start kav4proxy');
            THREAD_COMMAND_SET('squid -k reconfigure');
            WriteFileCache($file);
            return;
        } else {
            events("KAV4PROXY error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#KASERROR.+?NOLOGID.+?Can.+?find user mailflt3#", $buffer)) {
        $file = "/etc/artica-postfix/croned.1/KASERROR.NOLOGID.mailflt3";
        if (IfFileTime($file)) {
            THREAD_COMMAND_SET('/usr/share/artica-postfix/bin/artica-install --mailflt3');
            WriteFileCache($file);
            return;
        } else {
            events("KASERROR error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#lmtp.+?status=deferred.+?lmtp\\]:.+?(No such file or directory|Too many levels of symbolic links)#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/cyrus.lmtp.failed";
        if (IfFileTime($file)) {
            email_events("cyrus-imapd socket error", "Postfix claim \"{$buffer}\", Artica will restart cyrus", 'system');
            THREAD_COMMAND_SET('/usr/share/artica-postfix/bin/artica-install --cyrus-checkconfig');
            THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart imap');
            THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix.main.cf.php --imap-sockets");
            cyrus_socket_error($buffer, $re[1] . "lmtp");
            WriteFileCache($file);
            return;
        } else {
            events("CYRUS error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#dhcpd: DHCPREQUEST for (.+?)\\s+from\\s+(.+?)\\s+\\((.+?)\\)\\s+via#", $buffer, $re)) {
        events("DHCPD: IP:{$re[1]} MAC:({$re[2]}) computer name={$re[3]}-> exec.dhcpd-leases.php");
        THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.dhcpd-leases.php --single-computer {$re[1]} {$re[2]} {$re[3]}");
        return;
    }
    if (preg_match("#rsyncd\\[.+?:\\s+recv.+?\\[(.+?)\\].+?([0-9]+)\$#", $buffer, $re)) {
        $file = md5($buffer);
        @mkdir('/var/log/artica-postfix/rsync', null, true);
        $f["IP"] = $re[1];
        $f["DATE"] = date('Y-m-d H:00:00');
        $f["SIZE"] = $re[2];
        @file_put_contents("/var/log/artica-postfix/rsync/{$file}", serialize($f));
    }
    if (preg_match("#kavmilter.+?Can.+?t load keys: No active key#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kavmilter.key.failed";
        if (IfFileTime($file)) {
            email_events("Kaspersky Antivirus Mail license error", "KavMilter claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("Kaspersky Antivirus Mail license error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#kavmd.+?Can.+?t load keys:.+?#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kavmd.key.failed";
        if (IfFileTime($file)) {
            email_events("Kaspersky Antivirus Mail license error", "Kaspersky Antivirus Mail claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("Kaspersky Antivirus Mail license error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#kavmd.+?ERROR Engine problem#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kavmd.engine.failed";
        if (IfFileTime($file)) {
            email_events("Kaspersky Antivirus Mail Engine error", "Kaspersky Antivirus Mail claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("Kaspersky Antivirus Mail Engine error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#kavmilter.+?WARNING.+?Your AV signatures are older than#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kavmilter.upd.failed";
        if (IfFileTime($file)) {
            email_events("Kaspersky Antivirus Mail AV signatures are older", "KavMilter claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("Kaspersky Antivirus update license error:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#dansguardian.+?Error compiling regexp#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/dansguardian.compiling.regexp";
        if (IfFileTime($file)) {
            email_events("Dansguardian failed to start", "Dansguardian claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("Dansguardian failed to start:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#kavmilter.+?Invalid value specified for SendmailPath#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kavmilter.SendmailPath.Invalid";
        if (IfFileTime($file)) {
            events("Check SendmailPath for kavmilter");
            THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.kavmilter.php --SendmailPath");
            WriteFileCache($file);
            return;
        } else {
            events("Check SendmailPath for kavmilter:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#KAVMilter Error.+?Group.+?Default.+?has error#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/kavmilter.Default.error";
        if (IfFileTime($file)) {
            events("Check Group default for kavmilter");
            THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.kavmilter.php --default-group");
            WriteFileCache($file);
            return;
        } else {
            events("Check Group default for kavmilter:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#kavmilter.+?Message INFECTED from (.+?)\\(remote:\\[(.+?)\\).+?with\\s+(.+?)\$#", $buffer, $re)) {
        events("KAVMILTER INFECTION <{$re[1]}> {$re[2]}");
        infected_queue("kavmilter", trim($re[1]), trim($re[2]), trim($re[3]));
        return;
    }
    if (preg_match("#pdns\\[.+?\\[LdapBackend.+?Ldap connection to server failed#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/pdns.ldap.error";
        if (IfFileTime($file)) {
            events("PDNS LDAP FAILED");
            email_events("PowerDNS ldap connection failed", "PowerDNS claim \"{$buffer}\"", 'system');
            WriteFileCache($file);
            return;
        } else {
            events("PDNS FAILED:{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#master.+?cannot find executable for service.+?sieve#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/cyrus.sieve.error";
        if (IfFileTime($file)) {
            events("Check sieve path");
            THREAD_COMMAND_SET("/usr/share/artica-postfix/bin/artica-install --reconfigure-cyrus");
            WriteFileCache($file);
            return;
        } else {
            events("Check sieve path error :{$buffer}, but take action after 10mn");
            return;
        }
    }
    if (preg_match("#smbd\\[.+?write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer#", $buffer, $re)) {
        $file = "/etc/artica-postfix/croned.1/samba.Error.Connection.reset.by.peer.error";
        if (IfFileTime($file)) {
            events("Check sieve Error Connection reset by peer");
            $text[] = "Your MS Windows computers should not have access to the server cause network generic errors";
            $text[] = "- Check these parameters:";
            $text[] = "- Check if Apparmor or SeLinux are disabled on the server.";
            $text[] = "- Check your hard drives by this command-line: hdparm -tT /dev/sda(0-9)";
            $text[] = "- Check that 137|138|139|445 ports is open from workstation to this server";
            $text[] = "- Check network switch or hub connection between this server and your workstations.";
            $text[] = "- Try to add this registry key [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Disk]\n\t\"TimeOutValue\"=dword:0000003c";
            email_events("Samba network error", "Samba claim \"{$buffer}\"\n" . implode("\n", $text), 'system');
            WriteFileCache($file);
            return;
        } else {
            events("Check sieve Error Connection reset by peer :{$buffer}, but take action after 10mn");
            return;
        }
    }
    events("Not Filtered:\"{$buffer}\"");
}