-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathdovecot.grok
64 lines (54 loc) · 3.67 KB
/
dovecot.grok
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
# Utilities
GREEDYDATA_NO_COLON [^:]*
GREEDYDATA_NO_COMMA [^,]*
GREEDYDATA_RESTRICTIVE [^<>: ,]*
EMAILORUSER %{EMAILADDRESS}|%{USER}
# Keywords
STORED stored
SAVED saved
IMAP imap
SIEVE managesieve
POP3 pop3
LMTP lmtp
CLIENT client
SERVER server
PROXY proxy
SAVE save
EXPUNGE expunge
COPY copy
DELETE delete
# General patterns
DOVECOT_PROTOCOL %{IMAP}|%{POP3}|%{LMTP}|%{SIEVE}
DOVECOT_AUTHENTICATED_PREFIX \(%{EMAILORUSER:[dovecot][user]}\)<%{INT:[dovecot][mpid]}><%{DATA:[dovecot][session]}>:
DOVECOT_ANONYMOUS_PREFIX \(%{INT:[dovecot][mpid]}\):
DOVECOT_PREFIX %{DOVECOT_AUTHENTICATED_PREFIX}|%{DOVECOT_ANONYMOUS_PREFIX}
DOVECOT_SAVED_MAIL %{SAVED:[dovecot][action]} mail to %{DATA:[dovecot][mailbox]}
DOVECOT_STORE_MAIL %{STORED:[dovecot][action]} mail into mailbox '%{DATA:[dovecot][mailbox]}'
# Master template
DOVECOT_MASTER master: (%{LOGLEVEL:[dovecot][loglevel]}: )?%{GREEDYDATA:[dovecot][message]}
# Login template
DOVECOT_DISCONNECT_REASON (Disconnected: %{GREEDYDATA_NO_COLON:[dovecot][disconnect_reason]}|Disconnected \(%{GREEDYDATA_NO_COLON:[dovecot][disconnect_reason]}\)|%{GREEDYDATA_NO_COLON:[dovecot][disconnect_reason]})
DOVECOT_LOGIN %{DOVECOT_PROTOCOL:[dovecot][protocol]}-login: (Login|%{DOVECOT_DISCONNECT_REASON}|%{DOVECOT_PROXY}): %{DATA:[dovecot][keyvalue_data]}, (TLS(:? %{GREEDYDATA_NO_COMMA:[dovecot][tls_message]})?, )?session=<%{DATA:[dovecot][session]}>
# Proxy template
DOVECOT_PROXY_DISCONNECT_SIDE %{SERVER}|%{CLIENT}|%{PROXY}
DOVECOT_PROXY_FINISH Disconnected by %{DOVECOT_PROXY_DISCONNECT_SIDE:[dovecot][disconnect_side]}(: )?(%{GREEDYDATA_NO_COMMA:[dovecot][disconnect_reason]})?( \(%{INT:[dovecot][idle_secs]}s idle, in=%{INT:[dovecot][bytes_received]}, out=%{INT:[dovecot][bytes_sent]}(\+%{INT})?(, client output blocked)?\))?
DOVECOT_PROXY_START Started proxying to \<%{IP}\>( as user %{EMAILADDRESS:[dovecot][real_user]})? \(master %{DATA:[dovecot][master_user]}\) \(%{NUMBER:[dovecot][duration]} secs(, %{INT:[dovecot][reconnects]} reconnects)?\)
DOVECOT_PROXY %{PROXY:[dovecot][event]}\(%{EMAILADDRESS},%{IP:[dovecot][proxy][ip]}:%{INT:[dovecot][proxy][port]}\): (%{DOVECOT_PROXY_START}|%{DOVECOT_PROXY_FINISH})
# IMAP template
DOVECOT_IMAP_STATISTICS in=%{INT} out=%{INT}%{GREEDYDATA_NO_COLON}$
DOVECOT_IMAP %{IMAP:[dovecot][protocol]}%{DOVECOT_PREFIX} Disconnected: %{GREEDYDATA:[dovecot][disconnect_reason]} %{DOVECOT_IMAP_STATISTICS:[dovecot][keyvalue_data]}
# LMTP template
DOVECOT_LMTP_MESSAGE_CONNECT Connect from (local|%{IP:[dovecot][rip]})
DOVECOT_LMTP_MESSAGE_DISCONNECT Disconnect from (local|%{IP:[dovecot][rip]}): %{GREEDYDATA:[dovecot][disconnect_reason]}
DOVECOT_LMTP_MESSAGE_SAVED msgid=<?%{GREEDYDATA_RESTRICTIVE:[dovecot][msgid]}>?: %{DOVECOT_SAVED_MAIL}
DOVECOT_LMTP_MESSAGE_SIEVE sieve: msgid=(\? )?<?%{GREEDYDATA_RESTRICTIVE:[dovecot][msgid]}>?: (%{GREEDYDATA}: )?%{DOVECOT_STORE_MAIL}
DOVECOT_LMTP_MESSAGE %{DOVECOT_LMTP_MESSAGE_CONNECT}|%{DOVECOT_LMTP_MESSAGE_DISCONNECT}|%{DOVECOT_LMTP_MESSAGE_SIEVE}|%{DOVECOT_LMTP_MESSAGE_SAVED}
DOVECOT_LMTP %{LMTP:[dovecot][protocol]}%{DOVECOT_PREFIX} %{DOVECOT_LMTP_MESSAGE}
# Sieve template
DOVECOT_SIEVE_STATISTICS bytes=%{INT}/%{INT}
DOVECOT_SIEVE %{SIEVE:[dovecot][protocol]}%{DOVECOT_PREFIX} Disconnected: %{GREEDYDATA:[dovecot][disconnect_reason]} %{DOVECOT_SIEVE_STATISTICS:[dovecot][keyvalue_data]}
# Actions template
DOVECOT_ACTIONS %{SAVE:[dovecot][action]}|%{EXPUNGE:[dovecot][action]}|%{DELETE:[dovecot][action]}|%{COPY:[dovecot][action]} from %{DATA:[dovecot][frombox]}
DOVECOT_ACTION %{DOVECOT_PROTOCOL:[dovecot][protocol]}%{DOVECOT_PREFIX} %{DOVECOT_ACTIONS}: %{DATA:[dovecot][keyvalue_data]}
# Everything together
DOVECOT %{DOVECOT_MASTER}|%{DOVECOT_LOGIN}|%{DOVECOT_IMAP}|%{DOVECOT_LMTP}|%{DOVECOT_SIEVE}|%{DOVECOT_ACTION}