pattern

POSTFIX_QUEUEID ([0-9A-F]{6,}|[0-9a-zA-Z]{12,})
POSTFIX_CLIENT_INFO %{HOSTNAME:postfix.client_hostname}?\[%{IP:postfix.client_ip}\](:%{INT:postfix.client_port})?
POSTFIX_RELAY_INFO %{HOSTNAME:postfix.relay_hostname}?\[(%{IP:postfix.relay_ip}|%{DATA:postfix.relay_service})\](:%{INT:postfix.relay_port})?|%{WORD:postfix.relay_service}
POSTFIX_SMTP_STAGE (CONNECT|HELO|EHLO|STARTTLS|AUTH|MAIL( FROM)?|RCPT( TO)?|(end of )?DATA|RSET|UNKNOWN|END-OF-MESSAGE|VRFY|\.)
POSTFIX_ACTION (accept|defer|discard|filter|header-redirect|reject)
POSTFIX_STATUS_CODE \d{3}
POSTFIX_STATUS_CODE_ENHANCED \d\.\d\.\d
POSTFIX_DNSBL_MESSAGE Service unavailable; .* \[%{GREEDYDATA:postfix.status_data}\] %{GREEDYDATA:postfix.status_message};
POSTFIX_PS_ACCESS_ACTION (DISCONNECT|BLACKLISTED|WHITELISTED|WHITELIST VETO|PASS NEW|PASS OLD)
POSTFIX_PS_VIOLATION (BARE NEWLINE|COMMAND (TIME|COUNT|LENGTH) LIMIT|COMMAND PIPELINING|DNSBL|HANGUP|NON-SMTP COMMAND|PREGREET)
POSTFIX_TIME_UNIT %{NUMBER}[smhd]
POSTFIX_KEYVALUE_DATA [\w-]+=[^;]*
POSTFIX_KEYVALUE %{POSTFIX_QUEUEID:postfix.queueid}: %{POSTFIX_KEYVALUE_DATA:postfix.keyvalue_data}
POSTFIX_WARNING_LEVEL (warning|fatal|info)

POSTFIX_TLSCONN (Anonymous|Trusted|Untrusted|Verified) TLS connection established (to %{POSTFIX_RELAY_INFO}|from %{POSTFIX_CLIENT_INFO}): %{DATA:postfix.tls_version} with cipher %{DATA:postfix.tls_cipher} \(%{DATA:postfix.tls_cipher_size} bits\)
POSTFIX_TLSVERIFICATION certificate verification failed for %{POSTFIX_RELAY_INFO}: %{GREEDYDATA:postfix.tls_error}

POSTFIX_DELAYS %{NUMBER:postfix.delay_before_qmgr}/%{NUMBER:postfix.delay_in_qmgr}/%{NUMBER:postfix.delay_conn_setup}/%{NUMBER:postfix.delay_transmission}
POSTFIX_LOSTCONN (Connection timed out|No route to host|Connection refused|Network is unreachable|lost connection|timeout|SSL_accept error|-1)
POSTFIX_LOSTCONN_REASONS (receiving the initial server greeting|sending message body|sending end of data -- message may be sent more than once)
POSTFIX_PROXY_MESSAGE (%{POSTFIX_STATUS_CODE:postfix.proxy_status_code} )?(%{POSTFIX_STATUS_CODE_ENHANCED:postfix.proxy_status_code_enhanced})?.*
POSTFIX_COMMAND_COUNTER_DATA (helo=(%{INT:postfix.cmd_helo_accepted}/)?%{INT:postfix.cmd_helo} )?(ehlo=(%{INT:postfix.cmd_ehlo_accepted}/)?%{INT:postfix.cmd_ehlo} )?(starttls=(%{INT:postfix.cmd_starttls_accepted}/)?%{INT:postfix.cmd_starttls} )?(auth=(%{INT:postfix.cmd_auth_accepted}/)?%{INT:postfix.cmd_auth} )?(mail=(%{INT:postfix.cmd_mail_accepted}/)?%{INT:postfix.cmd_mail} )?(rcpt=(%{INT:postfix.cmd_rcpt_accepted}/)?%{INT:postfix.cmd_rcpt} )?(data=(%{INT:postfix.cmd_data_accepted}/)?%{INT:postfix.cmd_data} )?(rset=(%{INT:postfix.cmd_rset_accepted}/)?%{INT:postfix.cmd_rset} )?(quit=(%{INT:postfix.cmd_quit_accepted}/)?%{INT:postfix.cmd_quit} )?(unknown=(%{INT:postfix.cmd_unknown_accepted}/)?%{INT:postfix.cmd_unknown} )?commands=(%{INT:postfix.cmd_count_accepted}/)?%{INT:postfix.cmd_count}

# helper patterns
GREEDYDATA_NO_COLON [^:]*
GREEDYDATA_NO_SEMICOLON [^;]*
STATUS_WORD [\w-]*

# warning patterns
POSTFIX_WARNING_WITH_KV (%{POSTFIX_QUEUEID:postfix.queueid}: )?%{POSTFIX_WARNING_LEVEL:postfix.message_level}: (%{POSTFIX_CLIENT_INFO}: )?%{GREEDYDATA:postfix.message}; %{POSTFIX_KEYVALUE_DATA:postfix.keyvalue_data}
POSTFIX_WARNING_WITHOUT_KV (%{POSTFIX_QUEUEID:postfix.queueid}: )?%{POSTFIX_WARNING_LEVEL:postfix.message_level}: (%{POSTFIX_CLIENT_INFO}: )?%{GREEDYDATA:postfix.message}
POSTFIX_WARNING %{POSTFIX_WARNING_WITH_KV}|%{POSTFIX_WARNING_WITHOUT_KV}

# smtpd patterns
POSTFIX_SMTPD_CONNECT connect from %{POSTFIX_CLIENT_INFO}
POSTFIX_SMTPD_DISCONNECT disconnect from %{POSTFIX_CLIENT_INFO}( %{GREEDYDATA:postfix.command_counter_data})?
POSTFIX_SMTPD_LOSTCONN %{POSTFIX_LOSTCONN:postfix.smtpd_lostconn_data}( after %{POSTFIX_SMTP_STAGE:postfix.smtp_stage}( \(%{INT} bytes\))?)? from %{POSTFIX_CLIENT_INFO}(: %{GREEDYDATA:postfix.smtpd_lostconn_reason})?
POSTFIX_SMTPD_NOQUEUE NOQUEUE: %{POSTFIX_ACTION:postfix.action}: %{POSTFIX_SMTP_STAGE:postfix.smtp_stage} from %{POSTFIX_CLIENT_INFO}:( %{POSTFIX_STATUS_CODE:postfix.status_code} %{POSTFIX_STATUS_CODE_ENHANCED:postfix.status_code_enhanced})?( <%{DATA:postfix.status_data}>:)? (%{POSTFIX_DNSBL_MESSAGE}|%{GREEDYDATA:postfix.status_message};) %{POSTFIX_KEYVALUE_DATA:postfix.keyvalue_data}
POSTFIX_SMTPD_PIPELINING improper command pipelining after %{POSTFIX_SMTP_STAGE:postfix.smtp_stage} from %{POSTFIX_CLIENT_INFO}: %{GREEDYDATA:postfix.improper_pipelining_data}
POSTFIX_SMTPD_PROXY proxy-%{POSTFIX_ACTION:postfix.proxy_result}: (%{POSTFIX_SMTP_STAGE:postfix.proxy_smtp_stage}): %{POSTFIX_PROXY_MESSAGE:postfix.proxy_message}; %{POSTFIX_KEYVALUE_DATA:postfix.keyvalue_data}

# cleanup patterns
POSTFIX_CLEANUP_MILTER %{POSTFIX_QUEUEID:postfix.queueid}: milter-%{POSTFIX_ACTION:postfix.milter_result}: %{GREEDYDATA:postfix.milter_message}; %{GREEDYDATA_NO_COLON:postfix.keyvalue_data}(: %{GREEDYDATA:postfix.milter_data})?

# qmgr patterns
POSTFIX_QMGR_REMOVED %{POSTFIX_QUEUEID:postfix.queueid}: removed
POSTFIX_QMGR_ACTIVE %{POSTFIX_QUEUEID:postfix.queueid}: %{POSTFIX_KEYVALUE_DATA:postfix.keyvalue_data} \(queue active\)
POSTFIX_QMGR_EXPIRED %{POSTFIX_QUEUEID:postfix.queueid}: from=<%{DATA:postfix.from}>, status=%{STATUS_WORD:postfix.status}, returned to sender

# pipe patterns
POSTFIX_PIPE_ANY %{POSTFIX_QUEUEID:postfix.queueid}: %{POSTFIX_KEYVALUE_DATA:postfix.keyvalue_data}, status=%{STATUS_WORD:postfix.status} \(%{GREEDYDATA:postfix.pipe_response}\)

# error patterns
POSTFIX_ERROR_ANY %{POSTFIX_QUEUEID:postfix.queueid}: %{POSTFIX_KEYVALUE_DATA:postfix.keyvalue_data}, status=%{STATUS_WORD:postfix.status} \(%{GREEDYDATA:postfix.error_response}\)

# discard patterns
POSTFIX_DISCARD_ANY %{POSTFIX_QUEUEID:postfix.queueid}: %{POSTFIX_KEYVALUE_DATA:postfix.keyvalue_data} status=%{STATUS_WORD:postfix.status} %{GREEDYDATA}

# postsuper patterns
POSTFIX_POSTSUPER_ACTIONS (removed|requeued|placed on hold|released from hold)
POSTFIX_POSTSUPER_ACTION %{POSTFIX_QUEUEID:postfix.queueid}: %{POSTFIX_POSTSUPER_ACTIONS:postfix.postsuper_action}
POSTFIX_POSTSUPER_SUMMARY_ACTIONS (Deleted|Requeued|Placed on hold|Released from hold)
POSTFIX_POSTSUPER_SUMMARY %{POSTFIX_POSTSUPER_SUMMARY_ACTIONS:postfix.postsuper_summary_action}: %{NUMBER:postfix.postsuper_summary_count} messages?

# postscreen patterns
POSTFIX_PS_CONNECT CONNECT from %{POSTFIX_CLIENT_INFO} to \[%{IP:postfix.server_ip}\]:%{INT:postfix.server_port}
POSTFIX_PS_ACCESS %{POSTFIX_PS_ACCESS_ACTION:postfix.postscreen_access} %{POSTFIX_CLIENT_INFO}
POSTFIX_PS_NOQUEUE %{POSTFIX_SMTPD_NOQUEUE}
POSTFIX_PS_TOOBUSY NOQUEUE: reject: CONNECT from %{POSTFIX_CLIENT_INFO}: %{GREEDYDATA:postfix.postscreen_toobusy_data}
POSTFIX_PS_DNSBL %{POSTFIX_PS_VIOLATION:postfix.postscreen_violation} rank %{INT:postfix.postscreen_dnsbl_rank} for %{POSTFIX_CLIENT_INFO}
POSTFIX_PS_CACHE cache %{DATA} full cleanup: retained=%{NUMBER:postfix.postscreen_cache_retained} dropped=%{NUMBER:postfix.postscreen_cache_dropped} entries
POSTFIX_PS_VIOLATIONS %{POSTFIX_PS_VIOLATION:postfix.postscreen_violation}( %{INT})?( after %{NUMBER:postfix.postscreen_violation_time})? from %{POSTFIX_CLIENT_INFO}(( after %{POSTFIX_SMTP_STAGE:postfix.smtp_stage})?(: %{GREEDYDATA:postfix.postscreen_data})?| in tests (after|before) SMTP handshake)

# dnsblog patterns
POSTFIX_DNSBLOG_LISTING addr %{IP:postfix.client_ip} listed by domain %{HOSTNAME:postfix.dnsbl_domain} as %{IP:postfix.dnsbl_result}

# tlsproxy patterns
POSTFIX_TLSPROXY_CONN (DIS)?CONNECT( from)? %{POSTFIX_CLIENT_INFO}

# anvil patterns
POSTFIX_ANVIL_CONN_RATE statistics: max connection rate %{NUMBER:postfix.anvil_conn_rate}/%{POSTFIX_TIME_UNIT:postfix.anvil_conn_period} for \(%{DATA:postfix.service}:%{IP:postfix.client_ip}\) at %{SYSLOGTIMESTAMP:postfix.anvil_timestamp}
POSTFIX_ANVIL_CONN_CACHE statistics: max cache size %{NUMBER:postfix.anvil_cache_size} at %{SYSLOGTIMESTAMP:postfix.anvil_timestamp}
POSTFIX_ANVIL_CONN_COUNT statistics: max connection count %{NUMBER:postfix.anvil_conn_count} for \(%{DATA:postfix.service}:%{IP:postfix.client_ip}\) at %{SYSLOGTIMESTAMP:postfix.anvil_timestamp}

# smtp patterns
POSTFIX_SMTP_DELIVERY %{POSTFIX_KEYVALUE} status=%{STATUS_WORD:postfix.status}( \(%{GREEDYDATA:postfix.smtp_response}\))?
POSTFIX_SMTP_CONNERR connect to %{POSTFIX_RELAY_INFO}: %{POSTFIX_LOSTCONN:postfix.smtp_lostconn_data}
POSTFIX_SMTP_SSLCONNERR SSL_connect error to %{POSTFIX_RELAY_INFO}: %{POSTFIX_LOSTCONN:postfix.smtp_lostconn_data}
POSTFIX_SMTP_LOSTCONN %{POSTFIX_QUEUEID:postfix.queueid}: %{POSTFIX_LOSTCONN:postfix.smtp_lostconn_data} with %{POSTFIX_RELAY_INFO}( while %{POSTFIX_LOSTCONN_REASONS:postfix.smtp_lostconn_reason})?
POSTFIX_SMTP_TIMEOUT %{POSTFIX_QUEUEID:postfix.queueid}: conversation with %{POSTFIX_RELAY_INFO} timed out( while %{POSTFIX_LOSTCONN_REASONS:postfix.smtp_lostconn_reason})?
POSTFIX_SMTP_RELAYERR %{POSTFIX_QUEUEID:postfix.queueid}: host %{POSTFIX_RELAY_INFO} said: %{GREEDYDATA:postfix.smtp_response} \(in reply to %{POSTFIX_SMTP_STAGE:postfix.smtp_stage} command\)
POSTFIX_SMTP_UTF8 host %{POSTFIX_RELAY_INFO} offers SMTPUTF8 support, but not 8BITMIME

# master patterns
POSTFIX_MASTER_START (daemon started|reload) -- version %{DATA:postfix.version}, configuration %{PATH:postfix.config_path}
POSTFIX_MASTER_EXIT terminating on signal %{INT:postfix.termination_signal}

# bounce patterns
POSTFIX_BOUNCE_NOTIFICATION %{POSTFIX_QUEUEID:postfix.queueid}: sender (non-delivery|delivery status|delay) notification: %{POSTFIX_QUEUEID:postfix.bounce_queueid}

# scache patterns
POSTFIX_SCACHE_LOOKUPS statistics: (address|domain) lookup hits=%{INT:postfix.scache_hits} miss=%{INT:postfix.scache_miss} success=%{INT:postfix.scache_success}%
POSTFIX_SCACHE_SIMULTANEOUS statistics: max simultaneous domains=%{INT:postfix.scache_domains} addresses=%{INT:postfix.scache_addresses} connection=%{INT:postfix.scache_connection}
POSTFIX_SCACHE_TIMESTAMP statistics: start interval %{SYSLOGTIMESTAMP:postfix.scache_timestamp}

# aggregate all patterns
POSTFIX_SMTPD %{POSTFIX_SMTPD_CONNECT}|%{POSTFIX_SMTPD_DISCONNECT}|%{POSTFIX_SMTPD_LOSTCONN}|%{POSTFIX_SMTPD_NOQUEUE}|%{POSTFIX_SMTPD_PIPELINING}|%{POSTFIX_TLSCONN}|%{POSTFIX_WARNING}|%{POSTFIX_SMTPD_PROXY}|%{POSTFIX_KEYVALUE}
POSTFIX_CLEANUP %{POSTFIX_CLEANUP_MILTER}|%{POSTFIX_WARNING}|%{POSTFIX_KEYVALUE}
POSTFIX_QMGR %{POSTFIX_QMGR_REMOVED}|%{POSTFIX_QMGR_ACTIVE}|%{POSTFIX_QMGR_EXPIRED}|%{POSTFIX_WARNING}
POSTFIX_PIPE %{POSTFIX_PIPE_ANY}
POSTFIX_POSTSCREEN %{POSTFIX_PS_CONNECT}|%{POSTFIX_PS_ACCESS}|%{POSTFIX_PS_NOQUEUE}|%{POSTFIX_PS_TOOBUSY}|%{POSTFIX_PS_CACHE}|%{POSTFIX_PS_DNSBL}|%{POSTFIX_PS_VIOLATIONS}|%{POSTFIX_WARNING}
POSTFIX_DNSBLOG %{POSTFIX_DNSBLOG_LISTING}|%{POSTFIX_WARNING}
POSTFIX_ANVIL %{POSTFIX_ANVIL_CONN_RATE}|%{POSTFIX_ANVIL_CONN_CACHE}|%{POSTFIX_ANVIL_CONN_COUNT}
POSTFIX_SMTP %{POSTFIX_SMTP_DELIVERY}|%{POSTFIX_SMTP_CONNERR}|%{POSTFIX_SMTP_SSLCONNERR}|%{POSTFIX_SMTP_LOSTCONN}|%{POSTFIX_SMTP_TIMEOUT}|%{POSTFIX_SMTP_RELAYERR}|%{POSTFIX_TLSCONN}|%{POSTFIX_WARNING}|%{POSTFIX_SMTP_UTF8}|%{POSTFIX_TLSVERIFICATION}
POSTFIX_DISCARD %{POSTFIX_DISCARD_ANY}|%{POSTFIX_WARNING}
POSTFIX_LMTP %{POSTFIX_SMTP}
POSTFIX_PICKUP %{POSTFIX_KEYVALUE}
POSTFIX_TLSPROXY %{POSTFIX_TLSPROXY_CONN}|%{POSTFIX_WARNING}
POSTFIX_MASTER %{POSTFIX_MASTER_START}|%{POSTFIX_MASTER_EXIT}|%{POSTFIX_WARNING}
POSTFIX_BOUNCE %{POSTFIX_BOUNCE_NOTIFICATION}
POSTFIX_SENDMAIL %{POSTFIX_WARNING}
POSTFIX_POSTDROP %{POSTFIX_WARNING}
POSTFIX_SCACHE %{POSTFIX_SCACHE_LOOKUPS}|%{POSTFIX_SCACHE_SIMULTANEOUS}|%{POSTFIX_SCACHE_TIMESTAMP}
POSTFIX_TRIVIAL_REWRITE %{POSTFIX_WARNING}
POSTFIX_TLSMGR %{POSTFIX_WARNING}
POSTFIX_LOCAL %{POSTFIX_KEYVALUE}|%{POSTFIX_WARNING}
POSTFIX_VIRTUAL %{POSTFIX_SMTP_DELIVERY}
POSTFIX_ERROR %{POSTFIX_ERROR_ANY}
POSTFIX_POSTSUPER %{POSTFIX_POSTSUPER_ACTION}|%{POSTFIX_POSTSUPER_SUMMARY}