# NOTE(review): these look like logcheck-style ignore rules (one POSIX extended
# regex per line; a syslog line that matches is dropped from the report) - confirm.
# Every rule starts with the same prefix: a 3-character month, an 11-character
# day/time field, and a hostname made of letters, digits, '.', '_' and '-'.
# Blank lines are deliberately not used as separators: if this file is ever fed
# straight to `grep -f`, an empty pattern matches every log line.
#
# dovecot
# Successful POP3/IMAP logins. The user name is limited to [-_.@[:alnum:]] and
# rip/lip to hex digits, '.' and ':', but the trailing .* accepts anything after lip=.
# Review caveat: a matching line is suppressed whatever the remote address (rip) is,
# so successful logins from unexpected sources need to be surfaced some other way.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot(\[[0-9]+\])?: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+.*$
# Normal session end ("Disconnected: Logged out"); the parenthesised session
# label after pop3/imap may contain anything except ')'.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot(\[[0-9]+\])?: (pop3|imap)\([^)]*\): Disconnected: Logged out.*$
# Session messages whose text starts with "Connection closed in".
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot(\[[0-9]+\])?: (pop3|imap)\([^)]*\): Connection closed in.*$
#
# cron
# Drops every message tagged CROND, crond or run-crons: the message body is a
# bare .* so nothing these programs log, including errors, reaches the report.
# Review caveat: confirm that this blanket suppression is intended.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (CROND|crond|run-crons)(\[[0-9]+\])?: .*$
#
# syn-flood
# Drops kernel lines that begin with "IPTables SYN-FLOOD: " (presumably the log
# prefix of a local firewall rule - verify against the ruleset).
# Review caveat: these events are then invisible in the report, so make sure
# they are counted or alerted on elsewhere.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: IPTables SYN-FLOOD: .*$
#
# pure-ftpd
# Drops pure-ftpd lines whose first bracketed tag is [INFO]. [^[]* forbids any
# '[' before the tag, so a line that carries a different tag first and the text
# "[INFO]" later in the message does not match.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: [^[]*\[INFO\].*$