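# Logcheck-style ignore rules: one POSIX extended regex (grep -E) per line,
# '#' lines are comments. Every rule starts with the syslog prefix
# "<Mon> <day> <hh:mm:ss> <host> " (\w{3} is the month, [ :[:digit:]]{11} the
# day and time). A log line matching any rule is dropped from the report, so
# each rule is anchored with ^ and, except where noted, $ to keep a partial
# match from silencing an unrelated line.

# Postfix
# Recipient checks that were answered by a filter; sender, recipient, protocol
# and HELO are all required to be present.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: filter: RCPT from [^[:space:]]+: <([^[:space:]]+)?>: .+; from=[^[:space:]]+ to=[^[:space:]]+ proto=E?SMTP helo=<[^[:space:]]+>$

# Amavis
# Clean deliveries: one or more recipients, optional Resent-Message-ID,
# optional "OK id=" from the downstream queue.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed CLEAN,( \[[.:[:xdigit:]]+\]){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*, Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: ([-.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$
# Quarantined mail (INFECTED / BAD-HEADER / SPAM) that was still passed on.
# The quarantine id class is written [-+._[:alnum:]] with '-' first, matching
# the mail_id class below. The earlier form [\.-+[:alnum:]] is read by grep -E
# as a literal backslash followed by the range '.'-'+', whose end precedes its
# start; in the C locale that is an invalid range, so the rule was likely
# rejected at load time and never matched anything.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (INFECTED \([-._[:alnum:]]+\)|BAD-HEADER|SPAM),( \[[.:[:xdigit:]]+\]){1,2} <[^>]*> -> <[^>]*>, quarantine: (virus|badh|spam)-[-+._[:alnum:]]+, Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,( Resent-Message-ID: <[^>]+>,)? mail_id: [-+[:alnum:]]+, Hits: ([-.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]]+( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$

# SSH
# NOTE: the next two rules drop pam_unix authentication failures entirely
# (the second one matches any failure reason because of the trailing .+).
# These messages are the usual indicator of password guessing against sshd;
# keep them in an ignore list only if another rule set still reports them.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): check pass; user unknown$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): authentication failure; .+$
# Reverse-DNS mismatch warning; both spellings "BREAK-IN" and "BREAKIN" are
# accepted. This is a forward/reverse DNS inconsistency, not an auth event.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ \[[.:[:xdigit:]]+\] failed - POSSIBLE BREAK-?IN ATTEMPT!$

# Dovecot
# ManageSieve client disconnects before login (remote and local IP only).
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: managesieve-login: Disconnected: rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+$

# Cron-apt
# Summary and progress lines of the unattended "dist-upgrade -d" download run.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: [[:digit:]]+ packages upgraded, [[:digit:]]+ newly installed, ([[:digit:]]+ downgraded, )?[[:digit:]]+ to remove and [[:digit:]]+ not upgraded\.$
# Only the exact download-only command line is ignored; any other command
# (for example one without -d) still shows up in the report.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: CRON-APT LINE: (/usr/bin/(apt-get |aptitude ))?dist-upgrade -d -y -o APT::Get::Show-Upgraded=true$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: Need to get [[:digit:].]+([kM]?B)(/[.[:digit:]]+([kM]?B))* of archives\. After unpacking [[:digit:].]+([kM]?B)(/[.[:digit:]]+([kM]?B))* will be used\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: Initializing package states\.\.\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: Reading extended state information\.\.\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron-apt: Writing extended state information\.\.\.$

# Bind
# Queries refused by policy; the query text is quoted and may be anything.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [[:digit:].]+#[[:digit:]]+: query (\(cache\) )?'.*' denied$
# Zone transfer progress (connected / completed) and NOTIFY handling.
# ([ :0-9] is the same class as [ :[:digit:]] above.)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: transfer of '[^[:space:]]+/IN' from [.:[:xdigit:]]+#[0-9]+: connected using [.:[:xdigit:]]+#[0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: transfer of '[^[:space:]]+/IN' from [.:[:xdigit:]]+#[0-9]+: Transfer completed: .+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone [^[:space:]]+/IN: notify from [.:[:xdigit:]]+#[0-9]+: zone is up to date$
# Private-address reverse lookups answered from the Internet.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client [.:[:xdigit:]]+#[0-9]+: RFC 1918 response from Internet for [.:[:xdigit:]]+\.in-addr\.arpa$

# Shorewall
# Kernel log of dropped packets. This rule has no trailing anchor on purpose:
# it stops at "IN=" so the packet header fields that follow do not matter,
# which means every DROP from every zone is silenced. The kernel timestamp
# class is [ 0-9.]; the earlier [ 0-9\.] also admitted a literal backslash,
# which never occurs there.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[ 0-9.]*\] Shorewall:[[:alnum:]]+:DROP:IN=

# NTP
# Kernel time-sync state messages (enabled / status / status change).
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (enabled|status( change)?) [0-9]+$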