Last active
July 27, 2021 09:39
-
-
Save vprusa/974496dd4ff8522442cb91fd9fb6eea9 to your computer and use it in GitHub Desktop.
# sketch of grok patterns for sendmail
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # common postfix patterns | |
| POSTFIX_QUEUEID ([0-9A-F]{6,}|[0-9a-zA-Z]{12,}) | |
| POSTFIX_CLIENT_INFO %{HOSTNAME:postfix_client_hostname}?\[%{IP:postfix_client_ip}\](:%{INT:postfix_client_port})? | |
| POSTFIX_RELAY_INFO %{HOSTNAME:postfix_relay_hostname}?\[(%{IP:postfix_relay_ip}|%{DATA:postfix_relay_service})\](:%{INT:postfix_relay_port})?|%{WORD:postfix_relay_service} | |
| POSTFIX_SMTP_STAGE (CONNECT|HELO|EHLO|STARTTLS|AUTH|MAIL( FROM)?|RCPT( TO)?|(end of )?DATA|RSET|UNKNOWN|END-OF-MESSAGE|VRFY|\.) | |
| POSTFIX_ACTION (accept|defer|discard|filter|header-redirect|reject) | |
| POSTFIX_STATUS_CODE \d{3} | |
| POSTFIX_STATUS_CODE_ENHANCED \d\.\d\.\d | |
| POSTFIX_DNSBL_MESSAGE Service unavailable; .* \[%{GREEDYDATA:postfix_status_data}\] %{GREEDYDATA:postfix_status_message}; | |
| POSTFIX_PS_ACCESS_ACTION (DISCONNECT|BLACKLISTED|WHITELISTED|WHITELIST VETO|PASS NEW|PASS OLD) | |
| POSTFIX_PS_VIOLATION (BARE NEWLINE|COMMAND (TIME|COUNT|LENGTH) LIMIT|COMMAND PIPELINING|DNSBL|HANGUP|NON-SMTP COMMAND|PREGREET) | |
| POSTFIX_TIME_UNIT %{NUMBER}[smhd] | |
| POSTFIX_KEYVALUE_DATA [\w-]+=[^;]* | |
| POSTFIX_KEYVALUE_DATA2 [\w-]+=[^,]* | |
| POSTFIX_KEYVALUE_DATA3 [^,]* | |
| # postfix queued as | |
| POSTFIX_KEYVALUES_TO to=<%{DATA:postfix_smtp_to}> | |
| POSTFIX_KEYVALUES_ORIG_TO orig_to=<%{DATA:postfix_smtp_orig_to}> | |
| POSTFIX_KEYVALUES_RELAY relay=%{POSTFIX_RELAY_INFO} | |
| POSTFIX_KEYVALUES_CONN_USE conn_use=%{INT:postfix_smtp_conn_use} | |
| POSTFIX_KEYVALUES_DELAY delay=%{NUMBER:postfix_smtp_delay} | |
| #POSTFIX_KEYVALUES_DELAYS %{NUMBER:postfix_smtp_delay_before_qmgr}/%{NUMBER:postfix_smtp_delay_in_qmgr}/%{NUMBER:postfix_smtp_delay_conn_setup}/%{NUMBER:postfix_smtp_delay_transmission} | |
| POSTFIX_KEYVALUES_DELAYS delays=%{POSTFIX_KEYVALUE_DATA3:postfix_smtp_delays} | |
| #POSTFIX_KEYVALUES_DELAYS %{POSTFIX_KEYVALUE_DATA2} | |
| #POSTFIX_KEYVALUES_DSN dsn=%{WORD:postfix_smtp_dsn} | |
| POSTFIX_KEYVALUES_DSN %{POSTFIX_KEYVALUE_DATA2} | |
| POSTFIX_SMTP_STATUS_QUEUEDAS \(.*queued as %{POSTFIX_QUEUEID:postfix_queued_as}\) | |
| POSTFIX_SMTP_STATUS_FWDAS \(.*forwarded as %{POSTFIX_QUEUEID:postfix_fwd_as}\) | |
| POSTFIX_KEYVALUES_STATUS_NOTES \(.*queued as %{POSTFIX_QUEUEID:postfix_queued_as}\)|%{GREEDYDATA} | |
| POSTFIX_KEYVALUES_STATUS status=%{WORD:postfix_smtp_status_w} %{POSTFIX_KEYVALUES_STATUS_NOTES:postfix_kw_status_notes} | |
| #POSTFIX_SMTP_KEYVALUES %{POSTFIX_KEYVALUES_TO}, %{POSTFIX_KEYVALUES_RELAY},( %{POSTFIX_KEYVALUES_CONN_USE},)? %{POSTFIX_KEYVALUES_DELAY}, %{POSTFIX_KEYVALUES_DELAYS}, %{POSTFIX_KEYVALUES_DSN}, %{POSTFIX_KEYVALUES_STATUS:POSTFIX_KEYVALUES_STATUS} | |
| POSTFIX_SMTP_KEYVALUES %{POSTFIX_KEYVALUES_TO},( %{POSTFIX_KEYVALUES_ORIG_TO},)? %{POSTFIX_KEYVALUES_RELAY},( %{POSTFIX_KEYVALUES_CONN_USE},)? %{POSTFIX_KEYVALUES_DELAY}, %{POSTFIX_KEYVALUES_DELAYS}, %{POSTFIX_KEYVALUES_DSN}, | |
| POSTFIX_KEYVALUE %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data} | |
| POSTFIX_WARNING_LEVEL (warning|fatal|info) | |
| POSTFIX_TLSCONN (Anonymous|Trusted|Untrusted|Verified) TLS connection established (to %{POSTFIX_RELAY_INFO}|from %{POSTFIX_CLIENT_INFO}): %{DATA:postfix_tls_version} with cipher %{DATA:postfix_tls_cipher} \(%{DATA:postfix_tls_cipher_size} bits\) | |
| POSTFIX_DELAYS %{NUMBER:postfix_delay_before_qmgr}/%{NUMBER:postfix_delay_in_qmgr}/%{NUMBER:postfix_delay_conn_setup}/%{NUMBER:postfix_delay_transmission} | |
| POSTFIX_LOSTCONN (lost connection|timeout|SSL_accept error) | |
| POSTFIX_LOSTCONN_REASONS (receiving the initial server greeting|sending message body|sending end of data -- message may be sent more than once) | |
| POSTFIX_PROXY_MESSAGE (%{POSTFIX_STATUS_CODE:postfix_proxy_status_code} )?(%{POSTFIX_STATUS_CODE_ENHANCED:postfix_proxy_status_code_enhanced})?.* | |
| POSTFIX_COMMAND_COUNTER_DATA (helo=(%{INT:postfix_cmd_helo_accepted}/)?%{INT:postfix_cmd_helo} )?(ehlo=(%{INT:postfix_cmd_ehlo_accepted}/)?%{INT:postfix_cmd_ehlo} )?(starttls=(%{INT:postfix_cmd_starttls_accepted}/)?%{INT:postfix_cmd_starttls} )?(auth=(%{INT:postfix_cmd_auth_accepted}/)?%{INT:postfix_cmd_auth} )?(mail=(%{INT:postfix_cmd_mail_accepted}/)?%{INT:postfix_cmd_mail} )?(rcpt=(%{INT:postfix_cmd_rcpt_accepted}/)?%{INT:postfix_cmd_rcpt} )?(data=(%{INT:postfix_cmd_data_accepted}/)?%{INT:postfix_cmd_data} )?(rset=(%{INT:postfix_cmd_rset_accepted}/)?%{INT:postfix_cmd_rset} )?(quit=(%{INT:postfix_cmd_quit_accepted}/)?%{INT:postfix_cmd_quit} )?(unknown=(%{INT:postfix_cmd_unknown_accepted}/)?%{INT:postfix_cmd_unknown} )?commands=(%{INT:postfix_cmd_count_accepted}/)?%{INT:postfix_cmd_count} | |
| # helper patterns | |
| GREEDYDATA_NO_COLON [^:]* | |
| GREEDYDATA_NO_SEMICOLON [^;]* | |
| STATUS_WORD [\w-]* | |
| # warning patterns | |
| POSTFIX_WARNING_WITH_KV (%{POSTFIX_QUEUEID:postfix_queueid}: )?%{POSTFIX_WARNING_LEVEL:postfix_message_level}: %{GREEDYDATA:postfix_message}; %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data} | |
| POSTFIX_WARNING_WITHOUT_KV (%{POSTFIX_QUEUEID:postfix_queueid}: )?%{POSTFIX_WARNING_LEVEL:postfix_message_level}: %{GREEDYDATA:postfix_message} | |
| POSTFIX_WARNING %{POSTFIX_WARNING_WITH_KV}|%{POSTFIX_WARNING_WITHOUT_KV} | |
| # smtpd patterns | |
| POSTFIX_SMTPD_CONNECT connect from %{POSTFIX_CLIENT_INFO} | |
| POSTFIX_SMTPD_DISCONNECT disconnect from %{POSTFIX_CLIENT_INFO}( %{GREEDYDATA:postfix_command_counter_data})? | |
| POSTFIX_SMTPD_LOSTCONN %{POSTFIX_LOSTCONN:postfix_smtpd_lostconn_data}( after %{POSTFIX_SMTP_STAGE:postfix_smtp_stage}( \(%{INT} bytes\))?)? from %{POSTFIX_CLIENT_INFO}(: %{GREEDYDATA:postfix_smtpd_lostconn_reason})? | |
| POSTFIX_SMTPD_NOQUEUE NOQUEUE: %{POSTFIX_ACTION:postfix_action}: %{POSTFIX_SMTP_STAGE:postfix_smtp_stage} from %{POSTFIX_CLIENT_INFO}:( %{POSTFIX_STATUS_CODE:postfix_status_code} %{POSTFIX_STATUS_CODE_ENHANCED:postfix_status_code_enhanced})?( <%{DATA:postfix_status_data}>:)? (%{POSTFIX_DNSBL_MESSAGE}|%{GREEDYDATA:postfix_status_message};) %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data} | |
| POSTFIX_SMTPD_ANYQUEUE %{POSTFIX_ACTION:postfix_action}: %{POSTFIX_SMTP_STAGE:postfix_smtp_stage} from %{POSTFIX_CLIENT_INFO}:( %{POSTFIX_STATUS_CODE:postfix_status_code} %{POSTFIX_STATUS_CODE_ENHANCED:postfix_status_code_enhanced})?( <%{DATA:postfix_status_data}>:)? (%{POSTFIX_DNSBL_MESSAGE}|%{GREEDYDATA:postfix_status_message};) %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data} | |
| #POSTFIX_SMTPD_NOQUEUE NOQUEUE: %{POSTFIX_SMTPD_ANYQUEUE} | |
| POSTFIX_SMTPD_PIPELINING improper command pipelining after %{POSTFIX_SMTP_STAGE:postfix_smtp_stage} from %{POSTFIX_CLIENT_INFO}: %{GREEDYDATA:postfix_improper_pipelining_data} | |
| POSTFIX_SMTPD_PROXY proxy-%{POSTFIX_ACTION:postfix_proxy_result}: (%{POSTFIX_SMTP_STAGE:postfix_proxy_smtp_stage}): %{POSTFIX_PROXY_MESSAGE:postfix_proxy_message}; %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data} | |
| POSTFIX_SMTPD_OTHER %{POSTFIX_QUEUEID:postfix_queueid}: (client=%{POSTFIX_CLIENT_INFO}|%{POSTFIX_SMTPD_ANYQUEUE}) | |
| # cleanup patterns | |
| POSTFIX_CLEANUP_MILTER %{POSTFIX_QUEUEID:postfix_queueid}: milter-%{POSTFIX_ACTION:postfix_milter_result}: %{GREEDYDATA:postfix_milter_message}; %{GREEDYDATA_NO_COLON:postfix_keyvalue_data}(: %{GREEDYDATA:postfix_milter_data})? | |
| POSTFIX_CLEANUP_OTHER %{POSTFIX_QUEUEID:postfix_queueid}: (message-id=(%{DATA:postfix_cleanup_messageId}|<%{DATA:postfix_cleanup_messageId}>)|resent-message-id=<%{DATA:postfix_cleanup_resent_messageId}>) | |
| # qmgr patterns | |
| POSTFIX_QMGR_REMOVED %{POSTFIX_QUEUEID:postfix_queueid}: removed | |
| POSTFIX_QMGR_ACTIVE %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data} \(queue active\) | |
| POSTFIX_QMGR_EXPIRED %{POSTFIX_QUEUEID:postfix_queueid}: from=<%{DATA:postfix_from}>, status=%{STATUS_WORD:postfix_status}, returned to sender | |
| # pipe patterns | |
| POSTFIX_PIPE_ANY %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}, status=%{STATUS_WORD:postfix_status} \(%{GREEDYDATA:postfix_pipe_response}\) | |
| # error patterns | |
| POSTFIX_ERROR_ANY %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}, status=%{STATUS_WORD:postfix_status} \(%{GREEDYDATA:postfix_error_response}\) | |
| # discard patterns | |
| POSTFIX_DISCARD_ANY %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data} status=%{STATUS_WORD:postfix_status} %{GREEDYDATA} | |
| # postsuper patterns | |
| POSTFIX_POSTSUPER_ACTIONS (removed|requeued|placed on hold|released from hold) | |
| POSTFIX_POSTSUPER_ACTION %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_POSTSUPER_ACTIONS:postfix_postsuper_action} | |
| POSTFIX_POSTSUPER_SUMMARY_ACTIONS (Deleted|Requeued|Placed on hold|Released from hold) | |
| POSTFIX_POSTSUPER_SUMMARY %{POSTFIX_POSTSUPER_SUMMARY_ACTIONS:postfix_postsuper_summary_action}: %{NUMBER:postfix_postsuper_summary_count} messages? | |
| # postscreen patterns | |
| POSTFIX_PS_CONNECT CONNECT from %{POSTFIX_CLIENT_INFO} to \[%{IP:postfix_server_ip}\]:%{INT:postfix_server_port} | |
| POSTFIX_PS_ACCESS %{POSTFIX_PS_ACCESS_ACTION:postfix_postscreen_access} %{POSTFIX_CLIENT_INFO} | |
| POSTFIX_PS_NOQUEUE %{POSTFIX_SMTPD_NOQUEUE} | |
| POSTFIX_PS_TOOBUSY NOQUEUE: reject: CONNECT from %{POSTFIX_CLIENT_INFO}: %{GREEDYDATA:postfix_postscreen_toobusy_data} | |
| POSTFIX_PS_DNSBL %{POSTFIX_PS_VIOLATION:postfix_postscreen_violation} rank %{INT:postfix_postscreen_dnsbl_rank} for %{POSTFIX_CLIENT_INFO} | |
| POSTFIX_PS_CACHE cache %{DATA} full cleanup: retained=%{NUMBER:postfix_postscreen_cache_retained} dropped=%{NUMBER:postfix_postscreen_cache_dropped} entries | |
| POSTFIX_PS_VIOLATIONS %{POSTFIX_PS_VIOLATION:postfix_postscreen_violation}( %{INT})?( after %{NUMBER:postfix_postscreen_violation_time})? from %{POSTFIX_CLIENT_INFO}(( after %{POSTFIX_SMTP_STAGE:postfix_smtp_stage})?(: %{GREEDYDATA:postfix_postscreen_data})?| in tests (after|before) SMTP handshake) | |
| # dnsblog patterns | |
| POSTFIX_DNSBLOG_LISTING addr %{IP:postfix_client_ip} listed by domain %{HOSTNAME:postfix_dnsbl_domain} as %{IP:postfix_dnsbl_result} | |
| # tlsproxy patterns | |
| POSTFIX_TLSPROXY_CONN (DIS)?CONNECT( from)? %{POSTFIX_CLIENT_INFO} | |
| # anvil patterns | |
| POSTFIX_ANVIL_CONN_RATE statistics: max connection rate %{NUMBER:postfix_anvil_conn_rate}(\\)?/%{POSTFIX_TIME_UNIT:postfix_anvil_conn_period} for \(%{DATA:postfix_service}:%{IP:postfix_client_ip}\) at %{SYSLOGTIMESTAMP:postfix_anvil_timestamp} | |
| POSTFIX_ANVIL_CONN_CACHE statistics: max cache size %{NUMBER:postfix_anvil_cache_size} at %{SYSLOGTIMESTAMP:postfix_anvil_timestamp} | |
| POSTFIX_ANVIL_CONN_COUNT statistics: max connection count %{NUMBER:postfix_anvil_conn_count} for \(%{DATA:postfix_service}:%{IP:postfix_client_ip}\) at %{SYSLOGTIMESTAMP:postfix_anvil_timestamp} | |
| # smtp patterns | |
| POSTFIX_SMTP_STATUS status=%{STATUS_WORD:postfix_status}( %{POSTFIX_SMTP_STATUS_QUEUEDAS}| %{POSTFIX_SMTP_STATUS_FWDAS}|%{GREEDYDATA:postfix_smtp_response})? | |
| POSTFIX_SMTP_DELIVERY %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_SMTP_KEYVALUES:postfix_smtp_keyvalues} %{POSTFIX_SMTP_STATUS} | |
| POSTFIX_SMTP_CONNERR connect to %{POSTFIX_RELAY_INFO}: (Connection timed out|No route to host|Connection refused|Network is unreachable) | |
| POSTFIX_SMTP_LOSTCONN %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_LOSTCONN:postfix_smtp_lostconn_data} with %{POSTFIX_RELAY_INFO}( while %{POSTFIX_LOSTCONN_REASONS:postfix_smtp_lostconn_reason})? | |
| POSTFIX_SMTP_TIMEOUT %{POSTFIX_QUEUEID:postfix_queueid}: conversation with %{POSTFIX_RELAY_INFO} timed out( while %{POSTFIX_LOSTCONN_REASONS:postfix_smtp_lostconn_reason})? | |
| POSTFIX_SMTP_RELAYERR %{POSTFIX_QUEUEID:postfix_queueid}: host %{POSTFIX_RELAY_INFO} said: %{GREEDYDATA:postfix_smtp_response} \(in reply to %{POSTFIX_SMTP_STAGE:postfix_smtp_stage} command\) | |
| POSTFIX_SMTP_OTHER %{POSTFIX_QUEUEID:postfix_queueid}: client=%{POSTFIX_CLIENT_INFO} | |
| # master patterns | |
| POSTFIX_MASTER_START (daemon started|reload) -- version %{DATA:postfix_version}, configuration %{PATH:postfix_config_path} | |
| POSTFIX_MASTER_EXIT terminating on signal %{INT:postfix_termination_signal} | |
| # bounce patterns | |
| POSTFIX_BOUNCE_NOTIFICATION %{POSTFIX_QUEUEID:postfix_queueid}: sender (non-delivery|delivery status|delay) notification: %{POSTFIX_QUEUEID:postfix_bounce_queueid} | |
| # scache patterns | |
| POSTFIX_SCACHE_LOOKUPS statistics: (address|domain) lookup hits=%{INT:postfix_scache_hits} miss=%{INT:postfix_scache_miss} success=%{INT:postfix_scache_success}% | |
| POSTFIX_SCACHE_SIMULTANEOUS statistics: max simultaneous domains=%{INT:postfix_scache_domains} addresses=%{INT:postfix_scache_addresses} connection=%{INT:postfix_scache_connection} | |
| POSTFIX_SCACHE_TIMESTAMP statistics: start interval %{SYSLOGTIMESTAMP:postfix_scache_timestamp} | |
| #openkim patterns | |
| EMAIL_SEND %{WORD:email_send_type}\[%{INT:email_send_id}\] %{INT:email_send_from_id} (\(%{DATA:email_send_from_email}|)\) -> \(%{WORD:email_send_id_type} %{INT:email_send_to_id} %{DATA:email_send_to_email}\) | |
| #email_send patterns | |
| OPENDKIM_BODY BodyLengthDB matched %{DATA:opendkim_body_email}, signing with l= requested | |
| OPENDKIM_DKIM DKIM-Signature field added \(s=%{DATA:opendkim_dkim_server_name}, d=%{DATA:opendkim_dkim_server_domain}\) | |
| OPENDKIM_NO_SIGN_TABLE no signing table match for '%{DATA:opendkim_no_sign_tab_hostname}' | |
| OPENDKIM %{POSTFIX_QUEUEID:postfix_queueid}: (%{OPENDKIM_BODY}|%{OPENDKIM_DKIM}|%{OPENDKIM_NO_SIGN_TABLE}) | |
| # aggregate all patterns | |
| POSTFIX_SMTPD %{POSTFIX_SMTPD_CONNECT}|%{POSTFIX_SMTPD_DISCONNECT}|%{POSTFIX_SMTPD_LOSTCONN}|%{POSTFIX_SMTPD_NOQUEUE}|%{POSTFIX_SMTPD_PIPELINING}|%{POSTFIX_TLSCONN}|%{POSTFIX_WARNING}|%{POSTFIX_SMTPD_PROXY}|%{POSTFIX_SMTPD_OTHER}|%{POSTFIX_KEYVALUE} | |
| POSTFIX_CLEANUP %{POSTFIX_CLEANUP_MILTER}|%{POSTFIX_WARNING}|%{POSTFIX_CLEANUP_OTHER}|%{POSTFIX_KEYVALUE} | |
| POSTFIX_QMGR %{POSTFIX_QMGR_REMOVED}|%{POSTFIX_QMGR_ACTIVE}|%{POSTFIX_QMGR_EXPIRED}|%{POSTFIX_WARNING} | |
| POSTFIX_PIPE %{POSTFIX_PIPE_ANY} | |
| POSTFIX_POSTSCREEN %{POSTFIX_PS_CONNECT}|%{POSTFIX_PS_ACCESS}|%{POSTFIX_PS_NOQUEUE}|%{POSTFIX_PS_TOOBUSY}|%{POSTFIX_PS_CACHE}|%{POSTFIX_PS_DNSBL}|%{POSTFIX_PS_VIOLATIONS}|%{POSTFIX_WARNING} | |
| POSTFIX_DNSBLOG %{POSTFIX_DNSBLOG_LISTING}|%{POSTFIX_WARNING} | |
| POSTFIX_ANVIL %{POSTFIX_ANVIL_CONN_RATE}|%{POSTFIX_ANVIL_CONN_CACHE}|%{POSTFIX_ANVIL_CONN_COUNT} | |
| # old | |
| #POSTFIX_SMTP %{POSTFIX_SMTP_DELIVERY}|%{POSTFIX_SMTP_CONNERR}|%{POSTFIX_SMTP_LOSTCONN}|%{POSTFIX_SMTP_TIMEOUT}|%{POSTFIX_SMTP_RELAYERR}|%{POSTFIX_TLSCONN}|%{POSTFIX_WARNING}|%{POSTFIX_KEYVALUE:POSTFIX_KEYVALUE} | |
| POSTFIX_SMTP %{POSTFIX_SMTP_DELIVERY}|%{POSTFIX_SMTP_CONNERR}|%{POSTFIX_SMTP_LOSTCONN}|%{POSTFIX_SMTP_TIMEOUT}|%{POSTFIX_SMTP_RELAYERR}|%{POSTFIX_TLSCONN}|%{POSTFIX_WARNING}|%{POSTFIX_SMTP_OTHER:postfix_smtp_other} | |
| POSTFIX_DISCARD %{POSTFIX_DISCARD_ANY}|%{POSTFIX_WARNING} | |
| POSTFIX_LMTP %{POSTFIX_SMTP} | |
| POSTFIX_PICKUP %{POSTFIX_KEYVALUE}|%{POSTFIX_QUEUEID:postfix_queueid}: uid=%{INT:postfix_pickup_uid} from=<%{DATA:postfix_pickup_from}> | |
| POSTFIX_TLSPROXY %{POSTFIX_TLSPROXY_CONN}|%{POSTFIX_WARNING} | |
| POSTFIX_MASTER %{POSTFIX_MASTER_START}|%{POSTFIX_MASTER_EXIT}|%{POSTFIX_WARNING} | |
| POSTFIX_BOUNCE %{POSTFIX_BOUNCE_NOTIFICATION} | |
| POSTFIX_SENDMAIL %{POSTFIX_WARNING} | |
| POSTFIX_POSTDROP %{POSTFIX_WARNING} | |
| POSTFIX_SCACHE %{POSTFIX_SCACHE_LOOKUPS}|%{POSTFIX_SCACHE_SIMULTANEOUS}|%{POSTFIX_SCACHE_TIMESTAMP} | |
| POSTFIX_TRIVIAL_REWRITE %{POSTFIX_WARNING} | |
| POSTFIX_TLSMGR %{POSTFIX_WARNING} | |
| POSTFIX_LOCAL %{POSTFIX_KEYVALUE}|%{POSTFIX_SMTP_KEYVALUES:POSTFIX_SMTP_KEYVALUES}|%{POSTFIX_WARNING}|%{POSTFIX_SMTP} | |
| POSTFIX_VIRTUAL %{POSTFIX_SMTP_DELIVERY} | |
| POSTFIX_ERROR %{POSTFIX_ERROR_ANY} | |
| POSTFIX_POSTSUPER %{POSTFIX_POSTSUPER_ACTION}|%{POSTFIX_POSTSUPER_SUMMARY} | |
| # |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # sketch grok patterns for sendmail | |
| # also checkout https://www.elastic.co/logstash , https://github.com/whyscream/postfix-grok-patterns and others ... | |
| # Everything is more or less in TODO phase ... | |
| SEMA_STATUS_CODE \d{3} | |
| SEMA_MTA_INIT_DASH_050_QUEUED_AS ([0-9a-zA-Z]{12,}) | |
| SEMA_MTA_INIT_DASH_050 (050 <%{GREEDYDATA:SEMA_MTA_INIT_DASH_050_MAIL}>... Sent \(%{WORD:SEMA_MTA_INIT_DASH_050_QUEUED_AS_STATUS}: queued as %{SEMA_MTA_INIT_DASH_050_QUEUED_AS:SEMA_MTA_INIT_DASH_050_QUEUED_AS}\)) | |
| SEMA_MTA_INIT_DASHES (--- (%{SEMA_MTA_INIT_DASH_050:SEMA_MTA_INIT_DASH_050}|%{SEMA_STATUS_CODE:SEMA_STATUS_CODE}.*)) | |
| SEMA_MTA_INIT_ARROW (<--.*) | |
| SEMA_MTA_INIT_MILTER (milter=mimedefang.*) | |
| SEMA_MTA_INIT_MILTER2 (Milter:.*) | |
| SEMA_MTA_INIT_MILTER3 (Milter \(mimedefang\).*) | |
| SEMA_MTA_INIT_AUTH_WARN (Authentication-Warning.*) | |
| SEMA_MAIL_GREEDY (.*) | |
| SEMA_MAIL_WRAPPED_GREEDY <%{SEMA_MAIL_GREEDY:SEMA_MAIL_GREEDY}> | |
| SEMA_MTA_DATA_FROM (from=((<%{EMAILADDRESS:SEMA_MTA_DATA_FROM_EMAILADDRESS}>)|(<%{SEMA_MAIL_GREEDY:SEMA_MTA_DATA_FROM_EMAILADDRESS2}>)), size=%{WORD:SEMA_MTA_DATA_FROM_SIZE}, class=%{WORD:SEMA_MTA_DATA_FROM_CLASS}, nrcpts=%{WORD:SEMA_MTA_DATA_FROM_NRCPTS}, (msgid=<(%{GREEDYDATA:SEMA_MTA_DATA_FROM_MSGID})>, )*(bodytype=(%{WORD:SEMA_MTA_DATA_FROM_BODYTYPE}), )*proto=%{WORD:SEMA_MTA_DATA_FROM_PROTO}, daemon=%{USERNAME:SEMA_MTA_DATA_FROM_DAEMON_TODO}, relay=%{GREEDYDATA:SEMA_MTA_DATA_FROM_RELAY_TODO}) | |
| SEMA_MTA_DATA_TO to=(<(%{EMAILADDRESS:SEMA_MTA_DATA_TO_EMAILADDRESS}|%{SEMA_MAIL_GREEDY:SEMA_MTA_DATA_TO_EMAILADDRESS2})>|%{GREEDYDATA:SEMA_MTA_DATA_TO_PATH}), (ctladdr=Postmaster \(%{WORD:SEMA_MTA_DATA_TO_POSTMASTER_X}/%{WORD:SEMA_MTA_DATA_TO_POSTMASTER_Y}\) ,)*delay=%{GREEDYDATA:SEMA_MTA_DATA_TO_DELAY}, (xdelay=%{GREEDYDATA:SEMA_MTA_DATA_TO_XDELAY},)*(mailer=%{GREEDYDATA:SEMA_MTA_DATA_TO_MAILER}, )*pri=%{NUMBER:SEMA_MTA_DATA_TO_PRI}, (relay=%{GREEDYDATA:SEMA_MTA_DATA_TO_RELAY}, )*(dsn=%{GREEDYDATA:SEMA_MTA_DATA_TO_DSN}, )*stat=%{GREEDYDATA:SEMA_MTA_DATA_TO_STAT} | |
| SEMA_MTA_CONN makeconnection.* | |
| SEMA_MTA (%{SEMA_MTA_INIT_DASHES:dashes}|%{SEMA_MTA_INIT_ARROW:arrow}|%{SEMA_MTA_INIT_MILTER:SEMA_MTA_INIT_MILTER}|%{SEMA_MTA_INIT_MILTER2:SEMA_MTA_INIT_MILTER2}|%{SEMA_MTA_INIT_MILTER3:SEMA_MTA_INIT_MILTER3}|%{SEMA_MTA_INIT_AUTH_WARN:SEMA_MTA_INIT_AUTH_WARN}|%{SEMA_MTA_DATA_FROM:SEMA_MTA_DATA_FROM}|%{SEMA_MTA_DATA_TO:SEMA_MTA_DATA_TO}|%{SEMA_MTA_CONN:SEMA_MTA_CONN}) | |
| SEMA_PROG_LOG_SPEC_NOQUEUE (NOQUEUE:.*) | |
| SEMA_PROG_LOG_SPEC_AUTH (AUTH:.*) | |
| SEMA_FILTER_DATA (.*) | |
| SEMA_FILTER (dnsbl_check: %{SEMA_FILTER_DATA:SEMA_FILTER_DATA}) | |
| SEMA_DNSBL_DATA (.*) | |
| SEMA_DNSBL_FILTER_SENDER (filter_sender: %{SEMA_DNSBL_DATA:SEMA_DNSBL_DATA}) | |
| SEMA_DNSBL_FILTER_BEGIN (filter_begin: %{SEMA_DNSBL_DATA:SEMA_DNSBL_DATA}) | |
| SEMA_DNSBL_FILTER_END (filter_end: %{SEMA_DNSBL_DATA:SEMA_DNSBL_DATA}) | |
| SEMA_DNSBL_FILTER_BAD_FILENAME (filter_bad_filename: %{SEMA_DNSBL_DATA:SEMA_DNSBL_DATA}) | |
| SEMA_MIMEDEFANG_CHECK_SPF_TODO check_spf: .* | |
| SEMA_MIMEDEFANG %{SEMA_FILTER:SEMA_FILTER}|%{SEMA_DNSBL_FILTER_BEGIN:SEMA_DNSBL_FILTER_BEGIN}|%{SEMA_DNSBL_FILTER_END:SEMA_DNSBL_FILTER_END}|%{SEMA_DNSBL_FILTER_SENDER:SEMA_DNSBL_FILTER_SENDER}|%{SEMA_DNSBL_FILTER_BAD_FILENAME:SEMA_DNSBL_FILTER_BAD_FILENAME}|%{SEMA_MIMEDEFANG_CHECK_SPF_TODO:SEMA_MIMEDEFANG_CHECK_SPF_TODO} | |
| SEMA_DB_FILL (db_fill: %{SEMA_DNSBL_DATA:SEMA_DNSBL_DATA}) | |
| SEMA_PROG_LOG_SPEC (%{SEMA_PROG_LOG_SPEC_NOQUEUE:SEMA_PROG_LOG_SPEC_NOQUEUE}|%{SEMA_PROG_LOG_SPEC_AUTH:SEMA_PROG_LOG_SPEC_AUTH}) | |
| SEMA_PROG_DONE done; delay=%{NOTSPACE:SEMA_PROG_DONE_DELAY}, ntries=%{WORD:SEMA_PROG_DONE_NTRIES} | |
| SEMA_PROG_MILTER_TODO Milter .* | |
| SEMA_PROG_STATS_TODO stats .* | |
| SEMA_PROG_SPAM SpamAssassin .* | |
| SEMA_PROG_SMTP_OUT SMTP outgoing connect on %{NOTSPACE:SEMA_PROG_SMTP_OUT_HOST}.* | |
| SEMA_PROG_SKIP_HOSTNAME %{HOSTNAME} | |
| SEMA_PROG_SKIP_IP %{IP} | |
| SEMA_PROG_SKIP_RIGHT %{NOTSPACE} | |
| SEMA_PROG_SKIP skip dnsbl check: %{SEMA_PROG_SKIP_HOSTNAME:SEMA_PROG_SKIP_HOSTNAME} \[%{SEMA_PROG_SKIP_IP:SEMA_PROG_SKIP_IP}\] =~ %{SEMA_PROG_SKIP_RIGHT:SEMA_PROG_SKIP_RIGHT} | |
| # 05UFLjHo079106: alias Postmaster => /var/mail/postmaster | |
| SEMA_PROG_SMTP_ALIAS alias %{GREEDYDATA:SEMA_PROG_SMTP_ALIAS_KEY} => %{GREEDYDATA:SEMA_PROG_SMTP_ALIAS_VALUE} | |
| # 05UFLjHo079106: 05UFLtHp079117: postmaster notify: User unknown | |
| SEMA_PROG_SMTP_MSGID %{SEMA_MESSAGE_ID:SEMA_PROG_SMTP_MSGID_ID}: .* | |
| SEMA_PROG_SMTP_AUTH (AUTH.*) | |
| SEMA_PROG_SMTP_RULESET (ruleset=%{GREEDYDATA:SEMA_PROG_SMTP_RULESET_RULESET}, arg1=%{GREEDYDATA:SEMA_PROG_SMTP_ARG1}, relay=%{GREEDYDATA:SEMA_PROG_SMTP_RELAY}, reject=%{GREEDYDATA:SEMA_PROG_SMTP_RULESET_REJECT}|%{GREEDYDATA:SEMA_PROG_SMTP_RULESET_TODO}) | |
| SEMA_PROG_LOG %{SEMA_MTA:SEMA_MTA}|%{SEMA_PROG_LOG_SPEC:SEMA_PROG_LOG_SPEC}|%{SEMA_MIMEDEFANG:SEMA_MIMEDEFANG}|%{SEMA_PROG_SKIP:SEMA_PROG_SKIP}|%{SEMA_PROG_DONE:SEMA_PROG_DONE}|%{SEMA_PROG_MILTER_TODO:SEMA_PROG_MILTER_TODO}|%{SEMA_PROG_STATS_TODO:SEMA_PROG_STATS_TODO}|%{SEMA_PROG_SPAM}|%{SEMA_PROG_SMTP_OUT}|%{SEMA_PROG_SMTP_ALIAS:SEMA_PROG_SMTP_ALIAS}|%{SEMA_PROG_SMTP_MSGID:SEMA_PROG_SMTP_MSGID} | |
| SEMA_MIMEDEFANG_ERR_TODO (Slave %{NUMBER})* stderr.* | |
| SEMA_MESSAGE_ID ([0-9a-zA-Z]{14,}) | |
| SEMA_STARTTLS STARTTLS.* | |
| SEMA_WITH_MESSAGE_ID %{SEMA_MESSAGE_ID:SEMA_MESSAGE_ID}: %{SEMA_PROG_LOG:SEMA_PROG_LOG} | |
| SEMA_NO_MESSAGE_ID %{SEMA_DB_FILL:SEMA_DB_FILL}|%{SEMA_PROG_LOG_SPEC_NOQUEUE:SEMA_PROG_LOG_SPEC_NOQUEUE}|%{SEMA_PROG_LOG_SPEC_AUTH:SEMA_PROG_LOG_SPEC_AUTH}|%{SEMA_STARTTLS:SEMA_STARTTLS}|%{SEMA_PROG_STATS_TODO:SEMA_PROG_STATS_TODO}|%{SEMA_MIMEDEFANG_ERR_TODO:SEMA_MIMEDEFANG_ERR_TODO}|%{SEMA_PROG_SMTP_AUTH:SEMA_PROG_SMTP_AUTH}|%{SEMA_PROG_SMTP_RULESET:SEMA_PROG_SMTP_RULESET} | |
| SEMA_REPEATED (last message repeated %{WORD:SEMA_REPEATED_COUNT} times.*) | |
| SEMA_MESSAGE (%{SEMA_WITH_MESSAGE_ID}|%{SEMA_NO_MESSAGE_ID}) | |
| SEMA_WHOLE %{SEMA_REPEATED:SEMA_REPEATED}|%{SEMA_MESSAGE} | |
| SEMA_WHOLE_WITH_SYSLOG (%{SYSLOGTIMESTAMP} %{SEMA_REPEATED}|%{SYSLOGBASE} %{SEMA_WHOLE}) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment