@vprusa
Last active July 27, 2021 09:39
# sketch of grok patterns for postfix (first section) and sendmail (SEMA_* section further down)
# common postfix patterns
POSTFIX_QUEUEID ([0-9A-F]{6,}|[0-9a-zA-Z]{12,})
POSTFIX_CLIENT_INFO %{HOSTNAME:postfix_client_hostname}?\[%{IP:postfix_client_ip}\](:%{INT:postfix_client_port})?
POSTFIX_RELAY_INFO %{HOSTNAME:postfix_relay_hostname}?\[(%{IP:postfix_relay_ip}|%{DATA:postfix_relay_service})\](:%{INT:postfix_relay_port})?|%{WORD:postfix_relay_service}
POSTFIX_SMTP_STAGE (CONNECT|HELO|EHLO|STARTTLS|AUTH|MAIL( FROM)?|RCPT( TO)?|(end of )?DATA|RSET|UNKNOWN|END-OF-MESSAGE|VRFY|\.)
POSTFIX_ACTION (accept|defer|discard|filter|header-redirect|reject)
POSTFIX_STATUS_CODE \d{3}
POSTFIX_STATUS_CODE_ENHANCED \d\.\d\.\d
POSTFIX_DNSBL_MESSAGE Service unavailable; .* \[%{GREEDYDATA:postfix_status_data}\] %{GREEDYDATA:postfix_status_message};
POSTFIX_PS_ACCESS_ACTION (DISCONNECT|BLACKLISTED|WHITELISTED|WHITELIST VETO|PASS NEW|PASS OLD)
POSTFIX_PS_VIOLATION (BARE NEWLINE|COMMAND (TIME|COUNT|LENGTH) LIMIT|COMMAND PIPELINING|DNSBL|HANGUP|NON-SMTP COMMAND|PREGREET)
POSTFIX_TIME_UNIT %{NUMBER}[smhd]
POSTFIX_KEYVALUE_DATA [\w-]+=[^;]*
POSTFIX_KEYVALUE_DATA2 [\w-]+=[^,]*
POSTFIX_KEYVALUE_DATA3 [^,]*
# postfix smtp key=value pairs (to=, relay=, delay=, ...), including the "queued as" status note
POSTFIX_KEYVALUES_TO to=<%{DATA:postfix_smtp_to}>
POSTFIX_KEYVALUES_ORIG_TO orig_to=<%{DATA:postfix_smtp_orig_to}>
POSTFIX_KEYVALUES_RELAY relay=%{POSTFIX_RELAY_INFO}
POSTFIX_KEYVALUES_CONN_USE conn_use=%{INT:postfix_smtp_conn_use}
POSTFIX_KEYVALUES_DELAY delay=%{NUMBER:postfix_smtp_delay}
#POSTFIX_KEYVALUES_DELAYS %{NUMBER:postfix_smtp_delay_before_qmgr}/%{NUMBER:postfix_smtp_delay_in_qmgr}/%{NUMBER:postfix_smtp_delay_conn_setup}/%{NUMBER:postfix_smtp_delay_transmission}
POSTFIX_KEYVALUES_DELAYS delays=%{POSTFIX_KEYVALUE_DATA3:postfix_smtp_delays}
#POSTFIX_KEYVALUES_DELAYS %{POSTFIX_KEYVALUE_DATA2}
#POSTFIX_KEYVALUES_DSN dsn=%{WORD:postfix_smtp_dsn}
POSTFIX_KEYVALUES_DSN %{POSTFIX_KEYVALUE_DATA2}
POSTFIX_SMTP_STATUS_QUEUEDAS \(.*queued as %{POSTFIX_QUEUEID:postfix_queued_as}\)
POSTFIX_SMTP_STATUS_FWDAS \(.*forwarded as %{POSTFIX_QUEUEID:postfix_fwd_as}\)
POSTFIX_KEYVALUES_STATUS_NOTES \(.*queued as %{POSTFIX_QUEUEID:postfix_queued_as}\)|%{GREEDYDATA}
POSTFIX_KEYVALUES_STATUS status=%{WORD:postfix_smtp_status_w} %{POSTFIX_KEYVALUES_STATUS_NOTES:postfix_kw_status_notes}
#POSTFIX_SMTP_KEYVALUES %{POSTFIX_KEYVALUES_TO}, %{POSTFIX_KEYVALUES_RELAY},( %{POSTFIX_KEYVALUES_CONN_USE},)? %{POSTFIX_KEYVALUES_DELAY}, %{POSTFIX_KEYVALUES_DELAYS}, %{POSTFIX_KEYVALUES_DSN}, %{POSTFIX_KEYVALUES_STATUS:POSTFIX_KEYVALUES_STATUS}
POSTFIX_SMTP_KEYVALUES %{POSTFIX_KEYVALUES_TO},( %{POSTFIX_KEYVALUES_ORIG_TO},)? %{POSTFIX_KEYVALUES_RELAY},( %{POSTFIX_KEYVALUES_CONN_USE},)? %{POSTFIX_KEYVALUES_DELAY}, %{POSTFIX_KEYVALUES_DELAYS}, %{POSTFIX_KEYVALUES_DSN},
POSTFIX_KEYVALUE %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}
POSTFIX_WARNING_LEVEL (warning|fatal|info)
POSTFIX_TLSCONN (Anonymous|Trusted|Untrusted|Verified) TLS connection established (to %{POSTFIX_RELAY_INFO}|from %{POSTFIX_CLIENT_INFO}): %{DATA:postfix_tls_version} with cipher %{DATA:postfix_tls_cipher} \(%{DATA:postfix_tls_cipher_size} bits\)
POSTFIX_DELAYS %{NUMBER:postfix_delay_before_qmgr}/%{NUMBER:postfix_delay_in_qmgr}/%{NUMBER:postfix_delay_conn_setup}/%{NUMBER:postfix_delay_transmission}
POSTFIX_LOSTCONN (lost connection|timeout|SSL_accept error)
POSTFIX_LOSTCONN_REASONS (receiving the initial server greeting|sending message body|sending end of data -- message may be sent more than once)
POSTFIX_PROXY_MESSAGE (%{POSTFIX_STATUS_CODE:postfix_proxy_status_code} )?(%{POSTFIX_STATUS_CODE_ENHANCED:postfix_proxy_status_code_enhanced})?.*
POSTFIX_COMMAND_COUNTER_DATA (helo=(%{INT:postfix_cmd_helo_accepted}/)?%{INT:postfix_cmd_helo} )?(ehlo=(%{INT:postfix_cmd_ehlo_accepted}/)?%{INT:postfix_cmd_ehlo} )?(starttls=(%{INT:postfix_cmd_starttls_accepted}/)?%{INT:postfix_cmd_starttls} )?(auth=(%{INT:postfix_cmd_auth_accepted}/)?%{INT:postfix_cmd_auth} )?(mail=(%{INT:postfix_cmd_mail_accepted}/)?%{INT:postfix_cmd_mail} )?(rcpt=(%{INT:postfix_cmd_rcpt_accepted}/)?%{INT:postfix_cmd_rcpt} )?(data=(%{INT:postfix_cmd_data_accepted}/)?%{INT:postfix_cmd_data} )?(rset=(%{INT:postfix_cmd_rset_accepted}/)?%{INT:postfix_cmd_rset} )?(quit=(%{INT:postfix_cmd_quit_accepted}/)?%{INT:postfix_cmd_quit} )?(unknown=(%{INT:postfix_cmd_unknown_accepted}/)?%{INT:postfix_cmd_unknown} )?commands=(%{INT:postfix_cmd_count_accepted}/)?%{INT:postfix_cmd_count}
# helper patterns
GREEDYDATA_NO_COLON [^:]*
GREEDYDATA_NO_SEMICOLON [^;]*
STATUS_WORD [\w-]*
# warning patterns
POSTFIX_WARNING_WITH_KV (%{POSTFIX_QUEUEID:postfix_queueid}: )?%{POSTFIX_WARNING_LEVEL:postfix_message_level}: %{GREEDYDATA:postfix_message}; %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}
POSTFIX_WARNING_WITHOUT_KV (%{POSTFIX_QUEUEID:postfix_queueid}: )?%{POSTFIX_WARNING_LEVEL:postfix_message_level}: %{GREEDYDATA:postfix_message}
POSTFIX_WARNING %{POSTFIX_WARNING_WITH_KV}|%{POSTFIX_WARNING_WITHOUT_KV}
# smtpd patterns
POSTFIX_SMTPD_CONNECT connect from %{POSTFIX_CLIENT_INFO}
POSTFIX_SMTPD_DISCONNECT disconnect from %{POSTFIX_CLIENT_INFO}( %{GREEDYDATA:postfix_command_counter_data})?
POSTFIX_SMTPD_LOSTCONN %{POSTFIX_LOSTCONN:postfix_smtpd_lostconn_data}( after %{POSTFIX_SMTP_STAGE:postfix_smtp_stage}( \(%{INT} bytes\))?)? from %{POSTFIX_CLIENT_INFO}(: %{GREEDYDATA:postfix_smtpd_lostconn_reason})?
POSTFIX_SMTPD_NOQUEUE NOQUEUE: %{POSTFIX_ACTION:postfix_action}: %{POSTFIX_SMTP_STAGE:postfix_smtp_stage} from %{POSTFIX_CLIENT_INFO}:( %{POSTFIX_STATUS_CODE:postfix_status_code} %{POSTFIX_STATUS_CODE_ENHANCED:postfix_status_code_enhanced})?( <%{DATA:postfix_status_data}>:)? (%{POSTFIX_DNSBL_MESSAGE}|%{GREEDYDATA:postfix_status_message};) %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}
POSTFIX_SMTPD_ANYQUEUE %{POSTFIX_ACTION:postfix_action}: %{POSTFIX_SMTP_STAGE:postfix_smtp_stage} from %{POSTFIX_CLIENT_INFO}:( %{POSTFIX_STATUS_CODE:postfix_status_code} %{POSTFIX_STATUS_CODE_ENHANCED:postfix_status_code_enhanced})?( <%{DATA:postfix_status_data}>:)? (%{POSTFIX_DNSBL_MESSAGE}|%{GREEDYDATA:postfix_status_message};) %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}
#POSTFIX_SMTPD_NOQUEUE NOQUEUE: %{POSTFIX_SMTPD_ANYQUEUE}
POSTFIX_SMTPD_PIPELINING improper command pipelining after %{POSTFIX_SMTP_STAGE:postfix_smtp_stage} from %{POSTFIX_CLIENT_INFO}: %{GREEDYDATA:postfix_improper_pipelining_data}
POSTFIX_SMTPD_PROXY proxy-%{POSTFIX_ACTION:postfix_proxy_result}: (%{POSTFIX_SMTP_STAGE:postfix_proxy_smtp_stage}): %{POSTFIX_PROXY_MESSAGE:postfix_proxy_message}; %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}
POSTFIX_SMTPD_OTHER %{POSTFIX_QUEUEID:postfix_queueid}: (client=%{POSTFIX_CLIENT_INFO}|%{POSTFIX_SMTPD_ANYQUEUE})
# cleanup patterns
POSTFIX_CLEANUP_MILTER %{POSTFIX_QUEUEID:postfix_queueid}: milter-%{POSTFIX_ACTION:postfix_milter_result}: %{GREEDYDATA:postfix_milter_message}; %{GREEDYDATA_NO_COLON:postfix_keyvalue_data}(: %{GREEDYDATA:postfix_milter_data})?
POSTFIX_CLEANUP_OTHER %{POSTFIX_QUEUEID:postfix_queueid}: (message-id=(%{DATA:postfix_cleanup_messageId}|<%{DATA:postfix_cleanup_messageId}>)|resent-message-id=<%{DATA:postfix_cleanup_resent_messageId}>)
# qmgr patterns
POSTFIX_QMGR_REMOVED %{POSTFIX_QUEUEID:postfix_queueid}: removed
POSTFIX_QMGR_ACTIVE %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data} \(queue active\)
POSTFIX_QMGR_EXPIRED %{POSTFIX_QUEUEID:postfix_queueid}: from=<%{DATA:postfix_from}>, status=%{STATUS_WORD:postfix_status}, returned to sender
# pipe patterns
POSTFIX_PIPE_ANY %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}, status=%{STATUS_WORD:postfix_status} \(%{GREEDYDATA:postfix_pipe_response}\)
# error patterns
POSTFIX_ERROR_ANY %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}, status=%{STATUS_WORD:postfix_status} \(%{GREEDYDATA:postfix_error_response}\)
# discard patterns
POSTFIX_DISCARD_ANY %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data} status=%{STATUS_WORD:postfix_status} %{GREEDYDATA}
# postsuper patterns
POSTFIX_POSTSUPER_ACTIONS (removed|requeued|placed on hold|released from hold)
POSTFIX_POSTSUPER_ACTION %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_POSTSUPER_ACTIONS:postfix_postsuper_action}
POSTFIX_POSTSUPER_SUMMARY_ACTIONS (Deleted|Requeued|Placed on hold|Released from hold)
POSTFIX_POSTSUPER_SUMMARY %{POSTFIX_POSTSUPER_SUMMARY_ACTIONS:postfix_postsuper_summary_action}: %{NUMBER:postfix_postsuper_summary_count} messages?
# postscreen patterns
POSTFIX_PS_CONNECT CONNECT from %{POSTFIX_CLIENT_INFO} to \[%{IP:postfix_server_ip}\]:%{INT:postfix_server_port}
POSTFIX_PS_ACCESS %{POSTFIX_PS_ACCESS_ACTION:postfix_postscreen_access} %{POSTFIX_CLIENT_INFO}
POSTFIX_PS_NOQUEUE %{POSTFIX_SMTPD_NOQUEUE}
POSTFIX_PS_TOOBUSY NOQUEUE: reject: CONNECT from %{POSTFIX_CLIENT_INFO}: %{GREEDYDATA:postfix_postscreen_toobusy_data}
POSTFIX_PS_DNSBL %{POSTFIX_PS_VIOLATION:postfix_postscreen_violation} rank %{INT:postfix_postscreen_dnsbl_rank} for %{POSTFIX_CLIENT_INFO}
POSTFIX_PS_CACHE cache %{DATA} full cleanup: retained=%{NUMBER:postfix_postscreen_cache_retained} dropped=%{NUMBER:postfix_postscreen_cache_dropped} entries
POSTFIX_PS_VIOLATIONS %{POSTFIX_PS_VIOLATION:postfix_postscreen_violation}( %{INT})?( after %{NUMBER:postfix_postscreen_violation_time})? from %{POSTFIX_CLIENT_INFO}(( after %{POSTFIX_SMTP_STAGE:postfix_smtp_stage})?(: %{GREEDYDATA:postfix_postscreen_data})?| in tests (after|before) SMTP handshake)
# dnsblog patterns
POSTFIX_DNSBLOG_LISTING addr %{IP:postfix_client_ip} listed by domain %{HOSTNAME:postfix_dnsbl_domain} as %{IP:postfix_dnsbl_result}
# tlsproxy patterns
POSTFIX_TLSPROXY_CONN (DIS)?CONNECT( from)? %{POSTFIX_CLIENT_INFO}
# anvil patterns
POSTFIX_ANVIL_CONN_RATE statistics: max connection rate %{NUMBER:postfix_anvil_conn_rate}(\\)?/%{POSTFIX_TIME_UNIT:postfix_anvil_conn_period} for \(%{DATA:postfix_service}:%{IP:postfix_client_ip}\) at %{SYSLOGTIMESTAMP:postfix_anvil_timestamp}
POSTFIX_ANVIL_CONN_CACHE statistics: max cache size %{NUMBER:postfix_anvil_cache_size} at %{SYSLOGTIMESTAMP:postfix_anvil_timestamp}
POSTFIX_ANVIL_CONN_COUNT statistics: max connection count %{NUMBER:postfix_anvil_conn_count} for \(%{DATA:postfix_service}:%{IP:postfix_client_ip}\) at %{SYSLOGTIMESTAMP:postfix_anvil_timestamp}
# smtp patterns
POSTFIX_SMTP_STATUS status=%{STATUS_WORD:postfix_status}( %{POSTFIX_SMTP_STATUS_QUEUEDAS}| %{POSTFIX_SMTP_STATUS_FWDAS}|%{GREEDYDATA:postfix_smtp_response})?
POSTFIX_SMTP_DELIVERY %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_SMTP_KEYVALUES:postfix_smtp_keyvalues} %{POSTFIX_SMTP_STATUS}
POSTFIX_SMTP_CONNERR connect to %{POSTFIX_RELAY_INFO}: (Connection timed out|No route to host|Connection refused|Network is unreachable)
POSTFIX_SMTP_LOSTCONN %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_LOSTCONN:postfix_smtp_lostconn_data} with %{POSTFIX_RELAY_INFO}( while %{POSTFIX_LOSTCONN_REASONS:postfix_smtp_lostconn_reason})?
POSTFIX_SMTP_TIMEOUT %{POSTFIX_QUEUEID:postfix_queueid}: conversation with %{POSTFIX_RELAY_INFO} timed out( while %{POSTFIX_LOSTCONN_REASONS:postfix_smtp_lostconn_reason})?
POSTFIX_SMTP_RELAYERR %{POSTFIX_QUEUEID:postfix_queueid}: host %{POSTFIX_RELAY_INFO} said: %{GREEDYDATA:postfix_smtp_response} \(in reply to %{POSTFIX_SMTP_STAGE:postfix_smtp_stage} command\)
POSTFIX_SMTP_OTHER %{POSTFIX_QUEUEID:postfix_queueid}: client=%{POSTFIX_CLIENT_INFO}
# master patterns
POSTFIX_MASTER_START (daemon started|reload) -- version %{DATA:postfix_version}, configuration %{PATH:postfix_config_path}
POSTFIX_MASTER_EXIT terminating on signal %{INT:postfix_termination_signal}
# bounce patterns
POSTFIX_BOUNCE_NOTIFICATION %{POSTFIX_QUEUEID:postfix_queueid}: sender (non-delivery|delivery status|delay) notification: %{POSTFIX_QUEUEID:postfix_bounce_queueid}
# scache patterns
POSTFIX_SCACHE_LOOKUPS statistics: (address|domain) lookup hits=%{INT:postfix_scache_hits} miss=%{INT:postfix_scache_miss} success=%{INT:postfix_scache_success}%
POSTFIX_SCACHE_SIMULTANEOUS statistics: max simultaneous domains=%{INT:postfix_scache_domains} addresses=%{INT:postfix_scache_addresses} connection=%{INT:postfix_scache_connection}
POSTFIX_SCACHE_TIMESTAMP statistics: start interval %{SYSLOGTIMESTAMP:postfix_scache_timestamp}
# email_send patterns
EMAIL_SEND %{WORD:email_send_type}\[%{INT:email_send_id}\] %{INT:email_send_from_id} (\(%{DATA:email_send_from_email}|)\) -> \(%{WORD:email_send_id_type} %{INT:email_send_to_id} %{DATA:email_send_to_email}\)
# opendkim patterns
OPENDKIM_BODY BodyLengthDB matched %{DATA:opendkim_body_email}, signing with l= requested
OPENDKIM_DKIM DKIM-Signature field added \(s=%{DATA:opendkim_dkim_server_name}, d=%{DATA:opendkim_dkim_server_domain}\)
OPENDKIM_NO_SIGN_TABLE no signing table match for '%{DATA:opendkim_no_sign_tab_hostname}'
OPENDKIM %{POSTFIX_QUEUEID:postfix_queueid}: (%{OPENDKIM_BODY}|%{OPENDKIM_DKIM}|%{OPENDKIM_NO_SIGN_TABLE})
# aggregate all patterns
POSTFIX_SMTPD %{POSTFIX_SMTPD_CONNECT}|%{POSTFIX_SMTPD_DISCONNECT}|%{POSTFIX_SMTPD_LOSTCONN}|%{POSTFIX_SMTPD_NOQUEUE}|%{POSTFIX_SMTPD_PIPELINING}|%{POSTFIX_TLSCONN}|%{POSTFIX_WARNING}|%{POSTFIX_SMTPD_PROXY}|%{POSTFIX_SMTPD_OTHER}|%{POSTFIX_KEYVALUE}
POSTFIX_CLEANUP %{POSTFIX_CLEANUP_MILTER}|%{POSTFIX_WARNING}|%{POSTFIX_CLEANUP_OTHER}|%{POSTFIX_KEYVALUE}
POSTFIX_QMGR %{POSTFIX_QMGR_REMOVED}|%{POSTFIX_QMGR_ACTIVE}|%{POSTFIX_QMGR_EXPIRED}|%{POSTFIX_WARNING}
POSTFIX_PIPE %{POSTFIX_PIPE_ANY}
POSTFIX_POSTSCREEN %{POSTFIX_PS_CONNECT}|%{POSTFIX_PS_ACCESS}|%{POSTFIX_PS_NOQUEUE}|%{POSTFIX_PS_TOOBUSY}|%{POSTFIX_PS_CACHE}|%{POSTFIX_PS_DNSBL}|%{POSTFIX_PS_VIOLATIONS}|%{POSTFIX_WARNING}
POSTFIX_DNSBLOG %{POSTFIX_DNSBLOG_LISTING}|%{POSTFIX_WARNING}
POSTFIX_ANVIL %{POSTFIX_ANVIL_CONN_RATE}|%{POSTFIX_ANVIL_CONN_CACHE}|%{POSTFIX_ANVIL_CONN_COUNT}
# old version of POSTFIX_SMTP, kept commented out for reference
#POSTFIX_SMTP %{POSTFIX_SMTP_DELIVERY}|%{POSTFIX_SMTP_CONNERR}|%{POSTFIX_SMTP_LOSTCONN}|%{POSTFIX_SMTP_TIMEOUT}|%{POSTFIX_SMTP_RELAYERR}|%{POSTFIX_TLSCONN}|%{POSTFIX_WARNING}|%{POSTFIX_KEYVALUE:POSTFIX_KEYVALUE}
POSTFIX_SMTP %{POSTFIX_SMTP_DELIVERY}|%{POSTFIX_SMTP_CONNERR}|%{POSTFIX_SMTP_LOSTCONN}|%{POSTFIX_SMTP_TIMEOUT}|%{POSTFIX_SMTP_RELAYERR}|%{POSTFIX_TLSCONN}|%{POSTFIX_WARNING}|%{POSTFIX_SMTP_OTHER:postfix_smtp_other}
POSTFIX_DISCARD %{POSTFIX_DISCARD_ANY}|%{POSTFIX_WARNING}
POSTFIX_LMTP %{POSTFIX_SMTP}
POSTFIX_PICKUP %{POSTFIX_KEYVALUE}|%{POSTFIX_QUEUEID:postfix_queueid}: uid=%{INT:postfix_pickup_uid} from=<%{DATA:postfix_pickup_from}>
POSTFIX_TLSPROXY %{POSTFIX_TLSPROXY_CONN}|%{POSTFIX_WARNING}
POSTFIX_MASTER %{POSTFIX_MASTER_START}|%{POSTFIX_MASTER_EXIT}|%{POSTFIX_WARNING}
POSTFIX_BOUNCE %{POSTFIX_BOUNCE_NOTIFICATION}
POSTFIX_SENDMAIL %{POSTFIX_WARNING}
POSTFIX_POSTDROP %{POSTFIX_WARNING}
POSTFIX_SCACHE %{POSTFIX_SCACHE_LOOKUPS}|%{POSTFIX_SCACHE_SIMULTANEOUS}|%{POSTFIX_SCACHE_TIMESTAMP}
POSTFIX_TRIVIAL_REWRITE %{POSTFIX_WARNING}
POSTFIX_TLSMGR %{POSTFIX_WARNING}
POSTFIX_LOCAL %{POSTFIX_KEYVALUE}|%{POSTFIX_SMTP_KEYVALUES:POSTFIX_SMTP_KEYVALUES}|%{POSTFIX_WARNING}|%{POSTFIX_SMTP}
POSTFIX_VIRTUAL %{POSTFIX_SMTP_DELIVERY}
POSTFIX_ERROR %{POSTFIX_ERROR_ANY}
POSTFIX_POSTSUPER %{POSTFIX_POSTSUPER_ACTION}|%{POSTFIX_POSTSUPER_SUMMARY}
#
# sketch of grok patterns for sendmail (SEMA_* patterns)
# see also https://www.elastic.co/logstash , https://github.com/whyscream/postfix-grok-patterns and others ...
# Everything below is more or less still at the TODO stage ...
SEMA_STATUS_CODE \d{3}
SEMA_MTA_INIT_DASH_050_QUEUED_AS ([0-9a-zA-Z]{12,})
SEMA_MTA_INIT_DASH_050 (050 <%{GREEDYDATA:SEMA_MTA_INIT_DASH_050_MAIL}>... Sent \(%{WORD:SEMA_MTA_INIT_DASH_050_QUEUED_AS_STATUS}: queued as %{SEMA_MTA_INIT_DASH_050_QUEUED_AS:SEMA_MTA_INIT_DASH_050_QUEUED_AS}\))
SEMA_MTA_INIT_DASHES (--- (%{SEMA_MTA_INIT_DASH_050:SEMA_MTA_INIT_DASH_050}|%{SEMA_STATUS_CODE:SEMA_STATUS_CODE}.*))
SEMA_MTA_INIT_ARROW (<--.*)
SEMA_MTA_INIT_MILTER (milter=mimedefang.*)
SEMA_MTA_INIT_MILTER2 (Milter:.*)
SEMA_MTA_INIT_MILTER3 (Milter \(mimedefang\).*)
SEMA_MTA_INIT_AUTH_WARN (Authentication-Warning.*)
SEMA_MAIL_GREEDY (.*)
SEMA_MAIL_WRAPPED_GREEDY <%{SEMA_MAIL_GREEDY:SEMA_MAIL_GREEDY}>
SEMA_MTA_DATA_FROM (from=((<%{EMAILADDRESS:SEMA_MTA_DATA_FROM_EMAILADDRESS}>)|(<%{SEMA_MAIL_GREEDY:SEMA_MTA_DATA_FROM_EMAILADDRESS2}>)), size=%{WORD:SEMA_MTA_DATA_FROM_SIZE}, class=%{WORD:SEMA_MTA_DATA_FROM_CLASS}, nrcpts=%{WORD:SEMA_MTA_DATA_FROM_NRCPTS}, (msgid=<(%{GREEDYDATA:SEMA_MTA_DATA_FROM_MSGID})>, )*(bodytype=(%{WORD:SEMA_MTA_DATA_FROM_BODYTYPE}), )*proto=%{WORD:SEMA_MTA_DATA_FROM_PROTO}, daemon=%{USERNAME:SEMA_MTA_DATA_FROM_DAEMON_TODO}, relay=%{GREEDYDATA:SEMA_MTA_DATA_FROM_RELAY_TODO})
SEMA_MTA_DATA_TO to=(<(%{EMAILADDRESS:SEMA_MTA_DATA_TO_EMAILADDRESS}|%{SEMA_MAIL_GREEDY:SEMA_MTA_DATA_TO_EMAILADDRESS2})>|%{GREEDYDATA:SEMA_MTA_DATA_TO_PATH}), (ctladdr=Postmaster \(%{WORD:SEMA_MTA_DATA_TO_POSTMASTER_X}/%{WORD:SEMA_MTA_DATA_TO_POSTMASTER_Y}\) ,)*delay=%{GREEDYDATA:SEMA_MTA_DATA_TO_DELAY}, (xdelay=%{GREEDYDATA:SEMA_MTA_DATA_TO_XDELAY},)*(mailer=%{GREEDYDATA:SEMA_MTA_DATA_TO_MAILER}, )*pri=%{NUMBER:SEMA_MTA_DATA_TO_PRI}, (relay=%{GREEDYDATA:SEMA_MTA_DATA_TO_RELAY}, )*(dsn=%{GREEDYDATA:SEMA_MTA_DATA_TO_DSN}, )*stat=%{GREEDYDATA:SEMA_MTA_DATA_TO_STAT}
SEMA_MTA_CONN makeconnection.*
SEMA_MTA (%{SEMA_MTA_INIT_DASHES:dashes}|%{SEMA_MTA_INIT_ARROW:arrow}|%{SEMA_MTA_INIT_MILTER:SEMA_MTA_INIT_MILTER}|%{SEMA_MTA_INIT_MILTER2:SEMA_MTA_INIT_MILTER2}|%{SEMA_MTA_INIT_MILTER3:SEMA_MTA_INIT_MILTER3}|%{SEMA_MTA_INIT_AUTH_WARN:SEMA_MTA_INIT_AUTH_WARN}|%{SEMA_MTA_DATA_FROM:SEMA_MTA_DATA_FROM}|%{SEMA_MTA_DATA_TO:SEMA_MTA_DATA_TO}|%{SEMA_MTA_CONN:SEMA_MTA_CONN})
SEMA_PROG_LOG_SPEC_NOQUEUE (NOQUEUE:.*)
SEMA_PROG_LOG_SPEC_AUTH (AUTH:.*)
SEMA_FILTER_DATA (.*)
SEMA_FILTER (dnsbl_check: %{SEMA_FILTER_DATA:SEMA_FILTER_DATA})
SEMA_DNSBL_DATA (.*)
SEMA_DNSBL_FILTER_SENDER (filter_sender: %{SEMA_DNSBL_DATA:SEMA_DNSBL_DATA})
SEMA_DNSBL_FILTER_BEGIN (filter_begin: %{SEMA_DNSBL_DATA:SEMA_DNSBL_DATA})
SEMA_DNSBL_FILTER_END (filter_end: %{SEMA_DNSBL_DATA:SEMA_DNSBL_DATA})
SEMA_DNSBL_FILTER_BAD_FILENAME (filter_bad_filename: %{SEMA_DNSBL_DATA:SEMA_DNSBL_DATA})
SEMA_MIMEDEFANG_CHECK_SPF_TODO check_spf: .*
SEMA_MIMEDEFANG %{SEMA_FILTER:SEMA_FILTER}|%{SEMA_DNSBL_FILTER_BEGIN:SEMA_DNSBL_FILTER_BEGIN}|%{SEMA_DNSBL_FILTER_END:SEMA_DNSBL_FILTER_END}|%{SEMA_DNSBL_FILTER_SENDER:SEMA_DNSBL_FILTER_SENDER}|%{SEMA_DNSBL_FILTER_BAD_FILENAME:SEMA_DNSBL_FILTER_BAD_FILENAME}|%{SEMA_MIMEDEFANG_CHECK_SPF_TODO:SEMA_MIMEDEFANG_CHECK_SPF_TODO}
SEMA_DB_FILL (db_fill: %{SEMA_DNSBL_DATA:SEMA_DNSBL_DATA})
SEMA_PROG_LOG_SPEC (%{SEMA_PROG_LOG_SPEC_NOQUEUE:SEMA_PROG_LOG_SPEC_NOQUEUE}|%{SEMA_PROG_LOG_SPEC_AUTH:SEMA_PROG_LOG_SPEC_AUTH})
SEMA_PROG_DONE done; delay=%{NOTSPACE:SEMA_PROG_DONE_DELAY}, ntries=%{WORD:SEMA_PROG_DONE_NTRIES}
SEMA_PROG_MILTER_TODO Milter .*
SEMA_PROG_STATS_TODO stats .*
SEMA_PROG_SPAM SpamAssassin .*
SEMA_PROG_SMTP_OUT SMTP outgoing connect on %{NOTSPACE:SEMA_PROG_SMTP_OUT_HOST}.*
SEMA_PROG_SKIP_HOSTNAME %{HOSTNAME}
SEMA_PROG_SKIP_IP %{IP}
SEMA_PROG_SKIP_RIGHT %{NOTSPACE}
SEMA_PROG_SKIP skip dnsbl check: %{SEMA_PROG_SKIP_HOSTNAME:SEMA_PROG_SKIP_HOSTNAME} \[%{SEMA_PROG_SKIP_IP:SEMA_PROG_SKIP_IP}\] =~ %{SEMA_PROG_SKIP_RIGHT:SEMA_PROG_SKIP_RIGHT}
# 05UFLjHo079106: alias Postmaster => /var/mail/postmaster
SEMA_PROG_SMTP_ALIAS alias %{GREEDYDATA:SEMA_PROG_SMTP_ALIAS_KEY} => %{GREEDYDATA:SEMA_PROG_SMTP_ALIAS_VALUE}
# 05UFLjHo079106: 05UFLtHp079117: postmaster notify: User unknown
SEMA_PROG_SMTP_MSGID %{SEMA_MESSAGE_ID:SEMA_PROG_SMTP_MSGID_ID}: .*
SEMA_PROG_SMTP_AUTH (AUTH.*)
SEMA_PROG_SMTP_RULESET (ruleset=%{GREEDYDATA:SEMA_PROG_SMTP_RULESET_RULESET}, arg1=%{GREEDYDATA:SEMA_PROG_SMTP_ARG1}, relay=%{GREEDYDATA:SEMA_PROG_SMTP_RELAY}, reject=%{GREEDYDATA:SEMA_PROG_SMTP_RULESET_REJECT}|%{GREEDYDATA:SEMA_PROG_SMTP_RULESET_TODO})
SEMA_PROG_LOG %{SEMA_MTA:SEMA_MTA}|%{SEMA_PROG_LOG_SPEC:SEMA_PROG_LOG_SPEC}|%{SEMA_MIMEDEFANG:SEMA_MIMEDEFANG}|%{SEMA_PROG_SKIP:SEMA_PROG_SKIP}|%{SEMA_PROG_DONE:SEMA_PROG_DONE}|%{SEMA_PROG_MILTER_TODO:SEMA_PROG_MILTER_TODO}|%{SEMA_PROG_STATS_TODO:SEMA_PROG_STATS_TODO}|%{SEMA_PROG_SPAM}|%{SEMA_PROG_SMTP_OUT}|%{SEMA_PROG_SMTP_ALIAS:SEMA_PROG_SMTP_ALIAS}|%{SEMA_PROG_SMTP_MSGID:SEMA_PROG_SMTP_MSGID}
SEMA_MIMEDEFANG_ERR_TODO (Slave %{NUMBER})* stderr.*
SEMA_MESSAGE_ID ([0-9a-zA-Z]{14,})
SEMA_STARTTLS STARTTLS.*
SEMA_WITH_MESSAGE_ID %{SEMA_MESSAGE_ID:SEMA_MESSAGE_ID}: %{SEMA_PROG_LOG:SEMA_PROG_LOG}
SEMA_NO_MESSAGE_ID %{SEMA_DB_FILL:SEMA_DB_FILL}|%{SEMA_PROG_LOG_SPEC_NOQUEUE:SEMA_PROG_LOG_SPEC_NOQUEUE}|%{SEMA_PROG_LOG_SPEC_AUTH:SEMA_PROG_LOG_SPEC_AUTH}|%{SEMA_STARTTLS:SEMA_STARTTLS}|%{SEMA_PROG_STATS_TODO:SEMA_PROG_STATS_TODO}|%{SEMA_MIMEDEFANG_ERR_TODO:SEMA_MIMEDEFANG_ERR_TODO}|%{SEMA_PROG_SMTP_AUTH:SEMA_PROG_SMTP_AUTH}|%{SEMA_PROG_SMTP_RULESET:SEMA_PROG_SMTP_RULESET}
SEMA_REPEATED (last message repeated %{WORD:SEMA_REPEATED_COUNT} times.*)
SEMA_MESSAGE (%{SEMA_WITH_MESSAGE_ID}|%{SEMA_NO_MESSAGE_ID})
SEMA_WHOLE %{SEMA_REPEATED:SEMA_REPEATED}|%{SEMA_MESSAGE}
SEMA_WHOLE_WITH_SYSLOG (%{SYSLOGTIMESTAMP} %{SEMA_REPEATED}|%{SYSLOGBASE} %{SEMA_WHOLE})