From 2cf64cde34f558047e1bbdc5fa0e3adb9ceda61b Mon Sep 17 00:00:00 2001
From: Tom Hendrikx
Date: Fri, 5 Jul 2024 00:39:27 +0200
Subject: [PATCH 1/4] Replace CURVE_WORD with named capture

---
 postfix.grok | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/postfix.grok b/postfix.grok
index b003dbb..7b58564 100644
--- a/postfix.grok
+++ b/postfix.grok
@@ -4,7 +4,6 @@ GREEDYDATA_NO_SEMICOLON [^;]*
 GREEDYDATA_NO_BRACKET [^<>]*
 STATUS_WORD [\w-]*
 IP_UNKNOWN unknown
-CURVE_WORD [PBK]-[0-9]+
 
 # common postfix patterns
 POSTFIX_QUEUEID ([0-9A-F]{6,}|[0-9a-zA-Z]{12,}|NOQUEUE)
@@ -25,7 +24,7 @@ POSTFIX_WARNING_LEVEL (warning|fatal|info)
 POSTFIX_VERIFY_CLEANUP_TYPE (full|partial)
 
 
-POSTFIX_TLSCONN %{DATA:postfix_tls_trustlevel} TLS connection established (to %{POSTFIX_RELAY}|from %{POSTFIX_CLIENT}): %{DATA:postfix_tls_version} with cipher %{DATA:postfix_tls_cipher} \(%{DATA:postfix_tls_cipher_size} bits\)( key-exchange %{DATA:postfix_tls_key_exchange} server-signature %{DATA:postfix_tls_server_signature} \((%{INT:postfix_tls_server_signature_size} bits|%{CURVE_WORD:postfix_tls_server_signature_curve})\) server-digest %{DATA:postfix_tls_server_digest})?
+POSTFIX_TLSCONN %{DATA:postfix_tls_trustlevel} TLS connection established (to %{POSTFIX_RELAY}|from %{POSTFIX_CLIENT}): %{DATA:postfix_tls_version} with cipher %{DATA:postfix_tls_cipher} \(%{DATA:postfix_tls_cipher_size} bits\)( key-exchange %{DATA:postfix_tls_key_exchange} server-signature %{DATA:postfix_tls_server_signature} \((%{INT:postfix_tls_server_signature_size} bits|(?[PBK]-\d+))\) server-digest %{DATA:postfix_tls_server_digest})?
 POSTFIX_TLSVERIFICATION certificate verification failed for %{POSTFIX_RELAY}: %{GREEDYDATA:postfix_tls_error}
 POSTFIX_DELAYS %{NUMBER:postfix_delay_before_qmgr}/%{NUMBER:postfix_delay_in_qmgr}/%{NUMBER:postfix_delay_conn_setup}/%{NUMBER:postfix_delay_transmission}
 

From 256da10c5b170c8be00b955b93a6a149ab879043 Mon Sep 17 00:00:00 2001
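Review bot: On the new POSTFIX_TLSCONN line the named group is rendered as `(?[PBK]-\d+)`, with nothing between `?` and `[`; the committed text presumably reads `(?<postfix_tls_server_signature_curve>[PBK]-\d+)` and the angle-bracketed name was stripped by the page as markup, but it is worth confirming against the actual file, because a group written exactly as shown does not compile and the whole pattern set would fail to load. The same rendering applies to the named groups added in patches 2, 3 and 4, so the check is cheap to do once for all of them. Replacing `[0-9]+` with `\d+` should be equivalent for the ASCII log lines Postfix writes, so no capture behaviour changes there.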
From: Tom Hendrikx
Date: Fri, 5 Jul 2024 00:44:46 +0200
Subject: [PATCH 2/4] Replace POSTFIX_VERIFY_CLEANUP_TYPE with named capture

---
 postfix.grok | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/postfix.grok b/postfix.grok
index 7b58564..3898001 100644
--- a/postfix.grok
+++ b/postfix.grok
@@ -21,7 +21,6 @@ POSTFIX_TIME_UNIT %{NUMBER}[smhd]
 POSTFIX_KEYVALUE_DATA [\w-]+=[^;]*
 POSTFIX_KEYVALUE %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}
 POSTFIX_WARNING_LEVEL (warning|fatal|info)
-POSTFIX_VERIFY_CLEANUP_TYPE (full|partial)
 
 
 POSTFIX_TLSCONN %{DATA:postfix_tls_trustlevel} TLS connection established (to %{POSTFIX_RELAY}|from %{POSTFIX_CLIENT}): %{DATA:postfix_tls_version} with cipher %{DATA:postfix_tls_cipher} \(%{DATA:postfix_tls_cipher_size} bits\)( key-exchange %{DATA:postfix_tls_key_exchange} server-signature %{DATA:postfix_tls_server_signature} \((%{INT:postfix_tls_server_signature_size} bits|(?[PBK]-\d+))\) server-digest %{DATA:postfix_tls_server_digest})?
@@ -119,7 +118,7 @@ POSTFIX_SCACHE_SIMULTANEOUS statistics: max simultaneous domains=%{INT:postfix_s
 POSTFIX_SCACHE_TIMESTAMP statistics: start interval %{SYSLOGTIMESTAMP:postfix_scache_timestamp}
 
 # verify patterns
-POSTFIX_VERIFY_CACHE cache %{DATA} %{POSTFIX_VERIFY_CLEANUP_TYPE:postfix_verify_cleanup_type} cleanup: retained=%{INT:postfix_verify_cache_retained} dropped=%{INT:postfix_verify_cache_dropped} entries
+POSTFIX_VERIFY_CACHE cache %{DATA} (?(full|partial)) cleanup: retained=%{INT:postfix_verify_cache_retained} dropped=%{INT:postfix_verify_cache_dropped} entries
 
 # local patterns
 POSTFIX_LOCAL_DELIVERY %{POSTFIX_KEYVALUE} status=%{STATUS_WORD:postfix_status}( \(%{GREEDYDATA:postfix_local_response}\))?

From b8734bdfd8b8419a8db90e96165ab3ea2340a307 Mon Sep 17 00:00:00 2001
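Review bot: The new POSTFIX_VERIFY_CACHE line wraps the alternation in a second, unnamed group, `(?<postfix_verify_cleanup_type>(full|partial))`; the inner parentheses are redundant because the named group already delimits the alternation, and `(?<postfix_verify_cleanup_type>full|partial)` reads more directly. The same doubled grouping appears in patch 3's POSTFIX_WARNING_WITH_KV and POSTFIX_WARNING_WITHOUT_KV lines. Grok reports only named captures as fields, so the extra group is harmless to output and this is purely a readability point.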
From: Tom Hendrikx
Date: Fri, 5 Jul 2024 00:51:43 +0200
Subject: [PATCH 3/4] Replace POSTFIX_WARNING_LEVEL with named capture

---
 postfix.grok | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/postfix.grok b/postfix.grok
index 3898001..97dd254 100644
--- a/postfix.grok
+++ b/postfix.grok
@@ -20,7 +20,6 @@ POSTFIX_PS_VIOLATION (BARE NEWLINE|COMMAND (TIME|COUNT|LENGTH) LIMIT|COMMAND PIP
 POSTFIX_TIME_UNIT %{NUMBER}[smhd]
 POSTFIX_KEYVALUE_DATA [\w-]+=[^;]*
 POSTFIX_KEYVALUE %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}
-POSTFIX_WARNING_LEVEL (warning|fatal|info)
 
 
 POSTFIX_TLSCONN %{DATA:postfix_tls_trustlevel} TLS connection established (to %{POSTFIX_RELAY}|from %{POSTFIX_CLIENT}): %{DATA:postfix_tls_version} with cipher %{DATA:postfix_tls_cipher} \(%{DATA:postfix_tls_cipher_size} bits\)( key-exchange %{DATA:postfix_tls_key_exchange} server-signature %{DATA:postfix_tls_server_signature} \((%{INT:postfix_tls_server_signature_size} bits|(?[PBK]-\d+))\) server-digest %{DATA:postfix_tls_server_digest})?
@@ -34,8 +33,8 @@ POSTFIX_COMMAND_COUNTER_DATA (helo=(%{INT:postfix_cmd_helo_accepted}/)?%{INT:pos
 
 
 # warning patterns
-POSTFIX_WARNING_WITH_KV (%{POSTFIX_QUEUEID:postfix_queueid}: )?%{POSTFIX_WARNING_LEVEL:postfix_message_level}: (%{POSTFIX_QUEUEID:postfix_queueid}: )?(%{POSTFIX_CLIENT}: )?%{GREEDYDATA:postfix_message}; %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}
-POSTFIX_WARNING_WITHOUT_KV (%{POSTFIX_QUEUEID:postfix_queueid}: )?%{POSTFIX_WARNING_LEVEL:postfix_message_level}: (%{POSTFIX_QUEUEID:postfix_queueid}: )?(%{POSTFIX_CLIENT}: )?%{GREEDYDATA:postfix_message}
+POSTFIX_WARNING_WITH_KV (%{POSTFIX_QUEUEID:postfix_queueid}: )?(?(warning|fatal|info)): (%{POSTFIX_QUEUEID:postfix_queueid}: )?(%{POSTFIX_CLIENT}: )?%{GREEDYDATA:postfix_message}; %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}
+POSTFIX_WARNING_WITHOUT_KV (%{POSTFIX_QUEUEID:postfix_queueid}: )?(?(warning|fatal|info)): (%{POSTFIX_QUEUEID:postfix_queueid}: )?(%{POSTFIX_CLIENT}: )?%{GREEDYDATA:postfix_message}
 POSTFIX_WARNING %{POSTFIX_WARNING_WITH_KV}|%{POSTFIX_WARNING_WITHOUT_KV}
 
 # smtpd patterns

From e246cf45a2799be7dd36be2a6792076cd31253fc Mon Sep 17 00:00:00 2001
From: Tom Hendrikx
Date: Fri, 5 Jul 2024 00:58:54 +0200
Subject: [PATCH 4/4] Replace POSTFIX_TIME_UNIT with a named capture

---
 postfix.grok | 3 +--
 test/anvil_0005.yaml | 4 ++--
 test/anvil_0007.yaml | 4 ++--
 test/anvil_0009.yaml | 4 ++--
 4 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/postfix.grok b/postfix.grok
index 97dd254..b121df6 100644
--- a/postfix.grok
+++ b/postfix.grok
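Review bot: Inlining the level alternation into both POSTFIX_WARNING_WITH_KV and POSTFIX_WARNING_WITHOUT_KV duplicates the literal list `(warning|fatal|info)`, so any future extension has to be made in two places that must stay in sync, which the shared POSTFIX_WARNING_LEVEL removed by this hunk's sibling at line 23 already avoided. Keeping one definition that carries the capture, `POSTFIX_WARNING_LEVEL (?<postfix_message_level>warning|fatal|info)`, and referencing it as `%{POSTFIX_WARNING_LEVEL}` in both lines yields the same field without the duplication. Postfix also logs `error` and `panic` severities, which neither the old nor the new alternation accepts; if those lines are meant to fall through unparsed, a short comment above the block saying so would help anyone building alerting on postfix_message_level.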
@@ -17,7 +17,6 @@ POSTFIX_STATUS_CODE_ENHANCED \d\.\d+\.\d+
 POSTFIX_DNSBL_MESSAGE Service unavailable; .* \[%{GREEDYDATA:postfix_status_data}\] %{GREEDYDATA:postfix_status_message};
 POSTFIX_PS_ACCESS_ACTION (DISCONNECT|DENYLISTED|BLACKLISTED|ALLOWLISTED|WHITELISTED|ALLOWLIST VETO|WHITELIST VETO|PASS NEW|PASS OLD)
 POSTFIX_PS_VIOLATION (BARE NEWLINE|COMMAND (TIME|COUNT|LENGTH) LIMIT|COMMAND PIPELINING|DNSBL|HANGUP|NON-SMTP COMMAND|PREGREET)
-POSTFIX_TIME_UNIT %{NUMBER}[smhd]
 POSTFIX_KEYVALUE_DATA [\w-]+=[^;]*
 POSTFIX_KEYVALUE %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}
 
@@ -88,7 +87,7 @@ POSTFIX_DNSBLOG_LISTING addr %{IP:postfix_client_ip} listed by domain %{HOSTNAME
 POSTFIX_TLSPROXY_CONN (DIS)?CONNECT( from)? %{POSTFIX_CLIENT}
 
 # anvil patterns
-POSTFIX_ANVIL_CONN_RATE statistics: max connection rate %{NUMBER:postfix_anvil_conn_rate}/%{POSTFIX_TIME_UNIT:postfix_anvil_conn_period} for \(%{DATA:postfix_service}:(%{IP_UNKNOWN:postfix_client_ip_unknown}|%{IP:postfix_client_ip})\) at %{SYSLOGTIMESTAMP:postfix_anvil_timestamp}
+POSTFIX_ANVIL_CONN_RATE statistics: max connection rate %{NUMBER:postfix_anvil_conn_rate}/(?\d+[smhd]) for \(%{DATA:postfix_service}:(%{IP_UNKNOWN:postfix_client_ip_unknown}|%{IP:postfix_client_ip})\) at %{SYSLOGTIMESTAMP:postfix_anvil_timestamp}
 POSTFIX_ANVIL_CONN_CACHE statistics: max cache size %{NUMBER:postfix_anvil_cache_size} at %{SYSLOGTIMESTAMP:postfix_anvil_timestamp}
 POSTFIX_ANVIL_CONN_COUNT statistics: max connection count %{NUMBER:postfix_anvil_conn_count} for \(%{DATA:postfix_service}:(%{IP_UNKNOWN:postfix_client_ip_unknown}|%{IP:postfix_client_ip})\) at %{SYSLOGTIMESTAMP:postfix_anvil_timestamp}
 
diff --git a/test/anvil_0005.yaml b/test/anvil_0005.yaml
index bcc5748..10abe32 100644
--- a/test/anvil_0005.yaml
+++ b/test/anvil_0005.yaml
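Review bot: The new POSTFIX_ANVIL_CONN_RATE line narrows the period from `%{NUMBER}[smhd]` to `(?<postfix_anvil_conn_period>\d+[smhd])`, so a signed or fractional value such as `1.5m` that the old pattern accepted now leaves the whole line unmatched rather than partially parsed. Postfix's anvil_rate_time_unit takes an integer with a unit suffix, so real logs should be unaffected, but the commit message describes only the named capture and the tightening deserves a sentence there so it is not mistaken for a regression later. A comment on the line, `# period is an integer plus s/m/h/d, as Postfix prints anvil_rate_time_unit`, would record the same assumption next to the pattern.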
@@ -1,8 +1,8 @@
 pattern: ^%{POSTFIX_ANVIL}$
-data: "statistics: max connection rate 1/60s for (smtpd:2604:8d00:0:1::3) at Oct 26 17:46:59"
+data: "statistics: max connection rate 1/5m for (smtpd:2604:8d00:0:1::3) at Oct 26 17:46:59"
 results:
   postfix_anvil_conn_rate: 1
-  postfix_anvil_conn_period: 60s
+  postfix_anvil_conn_period: 5m
   postfix_service: smtpd
   postfix_client_ip: 2604:8d00:0:1::3
   postfix_anvil_timestamp: Oct 26 17:46:59
diff --git a/test/anvil_0007.yaml b/test/anvil_0007.yaml
index 27b01d3..96113ff 100644
--- a/test/anvil_0007.yaml
+++ b/test/anvil_0007.yaml
@@ -1,8 +1,8 @@
 pattern: ^%{POSTFIX_ANVIL}$
-data: "statistics: max connection rate 1/60s for (127.0.0.1:2525:127.0.0.1) at Oct 26 18:13:50"
+data: "statistics: max connection rate 1/2h for (127.0.0.1:2525:127.0.0.1) at Oct 26 18:13:50"
 results:
   postfix_anvil_conn_rate: 1
-  postfix_anvil_conn_period: 60s
+  postfix_anvil_conn_period: 2h
   postfix_service: 127.0.0.1:2525
   postfix_client_ip: 127.0.0.1
   postfix_anvil_timestamp: Oct 26 18:13:50
diff --git a/test/anvil_0009.yaml b/test/anvil_0009.yaml
index 569c993..ae5db7a 100644
--- a/test/anvil_0009.yaml
+++ b/test/anvil_0009.yaml
@@ -1,8 +1,8 @@
 pattern: ^%{POSTFIX_ANVIL}$
-data: "statistics: max connection rate 1/60s for (smtp:unknown) at Sep 7 07:14:19"
+data: "statistics: max connection rate 1/7d for (smtp:unknown) at Sep 7 07:14:19"
 results:
   postfix_anvil_conn_rate: 1
-  postfix_anvil_conn_period: 60s
+  postfix_anvil_conn_period: 7d
   postfix_service: smtp
   postfix_client_ip_unknown: unknown
   postfix_anvil_timestamp: Sep 7 07:14:19
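Review bot: After this change none of the three edited anvil fixtures exercises the `s` suffix any more: anvil_0005, anvil_0007 and anvil_0009 all move from `60s` to `5m`, `2h` and `7d` respectively. `60s` is Postfix's default anvil_rate_time_unit and therefore the value most real logs carry, so one fixture should keep it unless another anvil test outside this patch still covers it; changing only two of the three files would have given all four units a test. Leaving `60s` in anvil_0009 (the `smtp:unknown` case) and keeping `5m` and `2h` in the other two would do it with one fewer hunk.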