diff --git a/.gitignore b/.gitignore
index ef4d453..e059b2c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 /*
 !/.gitignore
+!/deploy*
 !/ignore.d.server/
 /ignore.d.server/*
 !/ignore.d.server/domino*
diff --git a/deploy.sh b/deploy.sh
index a63186d..9edd53b 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,22 +1,7 @@
-#!/bin/bash
+#!/bin/sh
-HOSTS=(
- linode2
- linode2-
- linode
- linode-
- adm
- waw
- edyta
- m81
- m81-
-)
+set -e
-for host in ${HOSTS[*]}; do
- echo "syncing ${host}"
- rsync --timeout 5 -av --chown=root:logcheck ignore.d.server/ root@${host}:/etc/logcheck/ignore.d.server
-done
+./test.sh && echo "test done."
-# rsync -av --chown=root:logcheck ignore.d.server/ root@linode2:/etc/logcheck/ignore.d.server
-# rsync -av --chown=root:logcheck ignore.d.server/ root@adm:/etc/logcheck/ignore.d.server
-# rsync -av --chown=root:logcheck ignore.d.server/ root@edyta.org.pl:/etc/logcheck/ignore.d.server
+ansible-playbook deploy.yml
diff --git a/deploy.yml b/deploy.yml
new file mode 100644
index 0000000..85970e6
--- /dev/null
+++ b/deploy.yml
@@ -0,0 +1,12 @@
+- hosts: servers,!nanode
+
+ remote_user: root
+
+ gather_facts: true
+
+ tasks:
+ - name: sync
+ synchronize:
+ src: ignore.d.server
+ dest: /etc/logcheck
+ delete: yes
diff --git a/ignore.d.server/domino-amavisd b/ignore.d.server/domino-amavisd
index 50700b2..a4f10c0 100644
--- a/ignore.d.server/domino-amavisd
+++ b/ignore.d.server/domino-amavisd
@@ -1,4 +1,4 @@
-# ; -*- mode: text; fill-column: 99999 -*-
+# ; -*- mode: conf; fill-column: 99999 -*-
 # Sat Aug 4 17:58:14 CST 2018
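Review bot: Under `set -e` the new `./test.sh && echo "test done."` does not stop the deploy when the tests fail: a non-zero status on the left side of `&&` is exempt from `-e`, so the script falls through to `ansible-playbook deploy.yml` and ships rules the test run rejected. Put the test on its own line so `-e` applies to it, `./test.sh` followed by `echo "test done."` (or `./test.sh || exit 1`). Everything left in the script is POSIX, so the move from `#!/bin/bash` to `#!/bin/sh` is fine.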
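Review bot: The playbook drops the `--chown=root:logcheck` the replaced rsync loop passed, and `synchronize` in its default archive mode will carry the local owner and group to `/etc/logcheck` instead, so the `logcheck` group access the old command guaranteed is no longer guaranteed. Pass the option through under `synchronize:`, `rsync_opts: ["--chown=root:logcheck"]`. `delete: yes` also removes anything under the target that is not in the local `ignore.d.server` working tree, which presumably includes the package-provided rule files when they are not checked out here — confirm that is intended.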
@@ -7,3 +7,10 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed (CLEAN|SPAM|SPAMMY|INFECTED \([-._[:alnum:][:space:]]+\)|BAD-HEADER(-[[:digit:]])?)( \{((Relayed(OpenRelay|Inbound|Outbound)|Quarantined),?)+\})?,( LOCAL)?( \[(IPv6:)?[[:xdigit:].:]{3,39}\](:[[:digit:]]+)?){0,2} <[^>]*> -> <[^>]*>(,<[^>]*>)*,( quarantine: [[:alnum:]]/(spam|virus|badh)-[-+_[:alnum:]]+(\.gz)?,)?( Queue-ID: [[:xdigit:]]{10,11},)?( Message-ID: <[^>]+>( \((added by[^)]+|sfid-[_[:xdigit:]]+)\))?,)?( Resent-Message-ID: <[^>]+>,)? mail_id: [-+_[:alnum:]]+, Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+, queued_as: [[:xdigit:]/]+(, dkim_id=[-=_+\.,@[:alnum:]]+)?(, dkim_sd=[^[:space:]]+)?( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Blocked (SPAM|BANNED \([-.,_[:alnum:][:space:]\\]+\))( {((NoBounceInbound|BouncedOpenRelay|DiscardedInbound|Quarantined|NoBounceOpenRelay),?)+})?,(( \[(IPv6:)?[[:xdigit:].:]{3,39}\](:[[:digit:]]+)?){1,2})? <[^>]*> -> (<[^>]*>,?)+,( quarantine: [[:alnum:]]/(banned|spam)-[-+_[:alnum:]]+(\.gz)?,)?( Queue-ID: [[:xdigit:]]{10},)?( Message-ID: <[^>]+>,)?( \((added by[^)]+|sfid-[_[:xdigit:]]+)\),)?( Resent-Message-ID: <[^>]+>,)?( mail_id: [-+_[:alnum:]]+,)? 
Hits: (-?[.[:digit:]]*)+, size: [[:xdigit:]]+(, dkim_id=[-=_+\.,@[:alnum:]]+)?(, dkim_sd=[^[:space:]]+)?( OK id=[-[:alnum:]]+)?, [[:digit:]]+ ms$
+
+
+# Jan 01 00:00:00 debian amavis[23028]: (23028-15) Passed SPAM {RelayedTaggedInbound,Quarantined}, [1.2.3.4] [1.2.3.4] -> , quarantine: 2/spam-21caAMxOOX1T.gz, mail_id: 21caAMxOOX1T, Hits: 22.109, size: 2257, queued_as: 9F5CB40970, 1782 ms
+# Jan 01 00:00:00 debian amavis[13944]: (13944-18) Passed SPAM {RelayedTaggedInbound,Quarantined}, [1.2.3.4] [1.2.3.4] -> , quarantine: t/spam-texYR1HFOQJL.gz, Message-ID: <2079978790.654136.1579145280906.JavaMail.user@domain.com>, mail_id: texYR1HFOQJL, Hits: 6.627, size: 4410, queued_as: 0993B400C9, 796 ms
+# Jan 01 00:00:00 debian amavis[11111]: (07635-18) Passed SPAM {RelayedTaggedInbound,Quarantined}, [1.2.3.4] [1.2.3.4] -> , quarantine: w/spam-wHNx4wR-oxs3.gz, Message-ID: <20200120002624.B93004436@mail0.ceniai.inf.cu>, mail_id: wHNx4wR-oxs3, Hits: 8.798, size: 2295, queued_as: AF9314084B, 4047 ms
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([0-9-]+\) Passed SPAM {RelayedTaggedInbound,Quarantined}, \[[0-9.]+\] \[[0-9.]+\] <[@[:alnum:].]+> -> <[@[:alnum:].]+>, quarantine: [[:alnum:]\/.-]+,( Message-ID: <[[:alnum:]@.]+>,)? mail_id: [[:alnum:]-]+, Hits: [0-9.]+, size: [0-9]+, queued_as: [[:alnum:]]+, [0-9]+ ms$
diff --git a/ignore.d.server/domino-anacron b/ignore.d.server/domino-anacron
new file mode 100644
index 0000000..fedfe5f
--- /dev/null
+++ b/ignore.d.server/domino-anacron
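Review bot: The new `Passed SPAM {RelayedTaggedInbound,Quarantined}` rule leaves `{` and `}` unescaped, so it relies on the regex engine treating a malformed interval as a literal brace, whereas the existing Passed rule at the top of this hunk escapes them (`\{ … \}`). Match that style: `Passed SPAM \{RelayedTaggedInbound,Quarantined\},`. The `Message-ID: <[[:alnum:]@.]+>` class also omits `-` and `_`, which the older rule accepts via `<[^>]+>`; IDs containing them will be reported rather than ignored, which is the safe direction but probably not what was meant.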
@@ -0,0 +1,22 @@
+# ; -*- mode: conf; fill-column: 99999 -*-
+
+# Jan 9 07:30:02 debian anacron[2533381]: Will run job `cron.daily' in 5 min.
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ anacron\[[0-9]+\]: Will run job \`cron.[[:alnum:]]+\' in [0-9]+ min.$
+
+# Jan 9 07:30:02 debian anacron[2533381]: Jobs will be executed sequentially
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ anacron\[[0-9]+\]: Jobs will be executed sequentially$
+
+# Jan 9 07:35:02 debian anacron[2533930]: Updated timestamp for job `cron.daily' to 2023-01-09
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ anacron\[[0-9]+\]: Updated timestamp for job \`cron.[[:alnum:]]+\' to [0-9-]+$
+
+# Jan 9 07:35:40 debian anacron[2533381]: Job `cron.daily' terminated
+# Jan 9 07:35:02 debian anacron[2533381]: Job `cron.daily' started
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ anacron\[[0-9]+\]: Job \`cron.[[:alnum:]]+\' (started|terminated)$
+
+# Jan 8 11:30:54 debian anacron[2464186]: Anacron 2.3 started on 2023-01-08
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ anacron\[[0-9]+\]: Anacron [0-9.]+ started on [0-9-]+$
+
+# Jan 8 11:30:54 debian anacron[2464186]: Normal exit (0 jobs run)
+# Jan 9 07:35:40 debian anacron[2533381]: Normal exit (1 job run)
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ anacron\[[0-9]+\]: Normal exit \([0-9]+ job(s) run\)$
+
diff --git a/ignore.d.server/domino-dhclient b/ignore.d.server/domino-dhclient
new file mode 100644
index 0000000..eaba716
--- /dev/null
+++ b/ignore.d.server/domino-dhclient
@@ -0,0 +1,5 @@
+# ; -*- mode: conf; fill-column: 99999 -*-
+
+# May 3 04:14:16 debian dhclient[442]: DHCPREQUEST for 1.2.3.4 on eth0 to 2.3.4.5 port 67
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient\[[[:digit:]]+\]: DHCP(REQUEST|RELEASE) (for [.0-9]{7,15} )?on [[:alnum:].-]+ to [.0-9]{7,15} port 67( \(xid=0x[[:xdigit:]]{8}\))?$
diff --git a/ignore.d.server/domino-dnscrypt-proxy b/ignore.d.server/domino-dnscrypt-proxy
index c59ecef..e05d35b 100644
--- a/ignore.d.server/domino-dnscrypt-proxy
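Review bot: `Normal exit \([0-9]+ job(s) run\)$` requires the `s`, so the second sample in this hunk, `Normal exit (1 job run)`, is not matched by the rule meant to cover it; use `jobs? run`. The three rules quoting the job name write `` \`cron.[[:alnum:]]+\' `` — in GNU regex `\`` and `\'` are buffer-start and buffer-end anchors rather than escaped quotes, which would make those rules never match; the backtick and apostrophe are not special in ERE, so `` `cron.[[:alnum:]]+' `` without backslashes is what is wanted. If `./test.sh` exercises the sample comments, both would show up there.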
+++ b/ignore.d.server/domino-dnscrypt-proxy
@@ -2,4 +2,4 @@
 # Aug 11 22:50:28 debian dnscrypt-proxy[25869]: [2019-08-11 22:50:28] [NOTICE] Server with the lowest initial latency: soltysiak (rtt: 29ms)
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dnscrypt-proxy\[[[:digit:]]+\]: \[[-[:digit:]]+ [\:[:digit:]]+\] \[NOTICE\] Server with the lowest initial latency: [[:alnum:]]+ \(rtt: [[:digit:]]+ms\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dnscrypt-proxy\[[[:digit:]]+\]: \[[[:digit:]-]+ [\:[:digit:]]+\] \[NOTICE\] Server with the lowest initial latency: [[:alnum:]]+ \(rtt: [[:digit:]]+ms\)$
diff --git a/ignore.d.server/domino-dnsmasq b/ignore.d.server/domino-dnsmasq
new file mode 100644
index 0000000..74f395f
--- /dev/null
+++ b/ignore.d.server/domino-dnsmasq
@@ -0,0 +1,11 @@
+# Apr 22 12:32:20 debian dnsmasq-dhcp[1222]: DHCPSOLICIT(br0) 00:01:00:01:27:f4:b3:ab:74:78:27:68:64:04
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq-dhcp\[[0-9]+\]: DHCPSOLICIT\([[:alnum:]]+\) [[:xdigit:]:]+$
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq-dhcp\[[0-9]+\]: DHCPCONFIRM\([[:alnum:]]+\) [[:xdigit:]:]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq-dhcp\[[0-9]+\]: DHCPREPLY\([[:alnum:]]+\) [[:xdigit:]:]+ [[:xdigit:]:]+ confirm failed$
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq\[[0-9]+\]: reducing DNS packet size for nameserver [[:digit:].]+ to [0-9]+$
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dnsmasq-dhcp\[[0-9]+\]: DHCPINFORMATION-REQUEST\([[:alnum:]]+\) [[:xdigit:]:]+ [[:alnum:]_-]+$
+
+
diff --git a/ignore.d.server/domino-dovecot b/ignore.d.server/domino-dovecot
index ad5151a..8010b80 100644
--- a/ignore.d.server/domino-dovecot
+++ b/ignore.d.server/domino-dovecot
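Review bot: Four of the five new dnsmasq rules have no sample log line above them, and the file lacks the `# ; -*- mode: conf; fill-column: 99999 -*-` header that every other rule file in this commit carries, so these rules cannot be checked or maintained the way the rest are. Add a sample comment over each rule (the DHCPSOLICIT pair at the top shows the format) and the header line. The two trailing blank `+` lines at the end of the file can go as well.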
@@ -1,40 +1,72 @@ -# ; -*- mode: text; fill-column: 99999 -*- +# ; -*- mode: conf; fill-column: 99999 -*- -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: plain\(\?,[.[:digit:]]+\): Request timed out waiting for client to continue authentication \([[:digit:]]+ secs\)$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap: Connection closed in=[[:digit:]]+ out=[[:digit:]]+$ -# Aug 13 23:21:00 debian dovecot: imap(routeruser)<18757>: Connection closed (IDLE running for 0.001 + waiting input for 8.605 secs, 2 B in + 10 B out, state=wait-input) in=170461 out=572606 deleted=0 expunged=0 trashed=0 hdr_count=624 hdr_bytes=168025 body_count=0 body_bytes=0 +# Jan 1 00:00:00 debian dovecot: imap(john.doe@do-main.com)<19460>: Connection closed (UID fetch finished 0.495 secs ago - running for 0.023 + waiting for 4.854 secs, 33 B in + 1596677 B out) in=19688 out=27174696 deleted=0 expunged=0 trashed=0 hdr_count=631 hdr_bytes=276866 body_count=616 body_bytes=26682967 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]-]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \(UID fetch finished [.0-9]+ secs ago - running for [.0-9]+ \+ waiting for [.0-9]+ secs, [.0-9]+ B in \+ [.0-9]+ B out\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]\.@_-]+\)<[[:digit:]]+><[\/[:alnum:]]+>: Connection closed \(IDLE running for [[:digit:]\.]+ \+ waiting input for [[:digit:]\.]+ secs, [0-9]+ B in \+ [[:digit:]\+]+ B out, state=wait-input\) in=[0-9]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ +# Jan 1 00:00:00 debian dovecot: imap(john.doe@do-main.com)<19714>: Connection closed: read(size=8113) failed: Connection reset by peer (UID FETCH running for 0.028 + waiting input/output for 0.020 secs, 19 B in + 204872+2080 B out, 
state=wait-output) in=79 out=206478 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]-]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed: read\(size=8113\) failed: Connection reset by peer \(UID FETCH running for [.0-9]+ \+ waiting input\/output for [.0-9]+ secs, [.0-9]+ B in \+ [+.0-9]+ B out, state=wait-output\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ -# Aug 13 19:32:47 debian dovecot: imap(routeruser)<21817>: Logged out in=305 out=46530 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=221 body_count=0 body_bytes=0 +# Jan 1 00:00:00 debian dovecot: imap(john.doe@do-main.com)<3626>: Server shutting down. in=329 out=3420 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Server shutting down. 
in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([\._@[:alnum:]-]+\)<[[:digit:]]+><[\+\/[:alnum:]]+>: Logged out in=[[:digit:]]+ out=[[:digit:]]+ deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+$ +# Jan 1 00:00:00 debian dovecot[4316]: doveadm(john.doe@do-main.com): Fatal: connect(2a01:7e01::f03c:91ff:fe92:641e:12345) failed: No route to host +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot\[[0-9]+\]: doveadm\([@.[:alnum:]-]+\): Fatal: connect\([\:[:xdigit:]]+\) failed: No route to host$ +# auth +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: Warning: Event [[:alnum:]]+ leaked \(parent=\(nil\)\): auth-client-connection.c:[0-9]+$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: plain\(\?,[.[:digit:]]+\): Request timed out waiting for client to continue authentication \([[:digit:]]+ secs\)$ -# Sep 18 05:09:54 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=1.2.3.4, lip=2.3.4.5, TLS handshaking: read(size=1024) failed: Connection reset by peer, session= -# Sep 21 17:50:17 debian dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=1.2.3.4, lip=2.3.4.5, TLS handshaking: Connection closed, session= -# Nov 14 07:59:36 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=1.2.3.4, lip=2.3.4.5, TLS: SSL_read failed: error:140940F5:SSL -routines:ssl3_read_bytes:unexpected record, session= +# imap +# Jan 1 00:00:00 debian dovecot: imap: Warning: Time jumped forwards 28 seconds +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap: Warning: Time jumped forwards [0-9]+ seconds$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \((no auth attempts in [0-9]+ 
secs|disconnected before auth was ready, waited [0-9]+ secs)\):( user=<>,)? rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS:? (handshaking: (read\(size=[0-9]+\) failed: Connection reset by peer|Connection closed)|SSL_read failed: error:[[:alnum:]]+:SSL\sroutines:ssl3_read_bytes:unexpected record), session=<[[:alnum:]\+\/]+>$ -# Sep 17 03:09:07 debian dovecot: auth: Warning: Event 0x562bf4aefcc0 leaked (parent=(nil)): auth-client-connection.c:338 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap: Connection closed in=[[:digit:]]+ out=[[:digit:]]+$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed \((EXAMINE|UID FETCH|UID STORE|LIST|NOOP|STATUS|APPEND|append)? finished [0-9.]+ secs ago\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Disconnected for inactivity in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]\.@_-]+\)<[[:digit:]]+><[\/[:alnum:]]+>: Connection closed \(IDLE running for [[:digit:]\.]+ \+ waiting input for [[:digit:]\.]+ secs, [0-9]+ B in \+ [[:digit:]\+]+ B out, state=wait-input\) in=[0-9]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([\._@[:alnum:]-]+\)<[[:digit:]]+><[\+\/[:alnum:]]+>: Logged out in=[[:digit:]]+ out=[[:digit:]]+ deleted=[[:digit:]]+ expunged=[[:digit:]]+ trashed=[[:digit:]]+ hdr_count=[[:digit:]]+ hdr_bytes=[[:digit:]]+ body_count=[[:digit:]]+ body_bytes=[[:digit:]]+$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: 
imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed(: read\(size=[0-9]+\))?( failed: Connection reset by peer)? \(IDLE running for [0-9.]+ \+ waiting input for [0-9.]+ secs, [0-9]+ B in \+ [0-9\+]+ B out, state=wait-input\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: Warning: Event [[:alnum:]]+ leaked \(parent=\(nil\)\): auth-client-connection.c:[0-9]+$ +# Aug 28 01:20:24 debian dovecot: imap(user@domain.com)<557292>: Connection closed (SEARCH finished 0.403 secs ago) in=87 out=3864 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +# Aug 20 12:01:07 debian dovecot: imap(user@domain.com)<157847><9K4aJ0ytxsAfusUW>: Connection closed (UID EXPUNGE finished 196.892 secs ago) in=243 out=1470 deleted=3 expunged=3 trashed=3 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +# Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<28998>: Connection closed (ID finished 0.296 secs ago) in=89 out=448 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +# Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<29432>: Connection closed (SELECT finished 0.096 secs ago) in=121 out=981 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +# Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<16443>: Connection closed (noop finished 0.081 secs ago) in=1207 out=74860 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=310 body_count=0 body_bytes=0 +# Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<18518>: Connection closed (IDLE finished 137.627 secs ago) in=1074 out=5163 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +# Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<20806>: Connection closed (UID SEARCH finished 2.242 secs ago) in=54 out=1167 deleted=0 expunged=0 
trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +# Jan 1 00:00:00 debian dovecot: imap(user@domain.com)<13658>: Connection closed (UID fetch finished 0.145 secs ago) in=9581 out=9495290 deleted=0 expunged=0 trashed=0 hdr_count=4 hdr_bytes=1467 body_count=144 body_bytes=9365757 +# Apr 21 22:22:01 debian dovecot: imap(user@domain.com)<37293>: Connection closed (No commands sent) in=0 out=374 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +# Jan 1 00:00:00 debian dovecot: imap(john.doe@do-main.com)<20592>: Connection closed (FETCH finished 126.461 secs ago) in=688 out=7307 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]-]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \(((ID|SELECT|FETCH|noop|IDLE|UID )?(SEARCH|EXPUNGE|fetch)? finished [.0-9]+ secs ago|No commands sent)\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ + +# May 3 09:23:30 debian dovecot: imap(abc@domain.com)<11038>: Connection closed (IDLE running for 0.014 + waiting input for 558.906 secs, 0.001 in locks, 2 B in + 10 B out, state=wait-input) in=199 out=1429 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([.@[:alnum:]]+\)<[0-9]+><[\/+[:alnum:]]+>: Connection closed \(IDLE running for [0-9.]+ \+ waiting input for [0-9.]+ secs, [0-9.]+ in locks, [0-9.]+ B in \+ [0-9.]+ B out, state=wait-input\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ + +# Jan 1 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS handshaking: SSL connection closed during handshake, session= +# Jan 1 00:00:00 debian dovecot: imap-login: Disconnected 
(no auth attempts in 5 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS handshaking: SSL connection closed during handshake, session= +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(no auth attempts in [0-9]+ secs\): user=<[[:alnum:]@_.-]*>, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS handshaking: SSL connection closed during handshake, session=<[[:alnum:]\+\/]+>$ -# Nov 6 00:00:00 linode2 dovecot: imap(abc@domain.com)<3549><7UkTJq6W7pxPvAGh>: Disconnected for inactivity in=322 out=1009 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \((no auth attempts in [0-9]+ secs|disconnected before auth was ready, waited [0-9]+ secs)\):( user=<>,)? rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS:? (handshaking: (read\(size=[0-9]+\) failed: Connection reset by peer|Connection closed)|SSL_read failed: error:[[:alnum:]]+:SSL\sroutines:ssl3_read_bytes:unexpected record), session=<[[:alnum:]\+\/]+>$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Disconnected for inactivity in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+ trashed=[0-9]+ hdr_count=[0-9]+ hdr_bytes=[0-9]+ body_count=[0-9]+ body_bytes=[0-9]+$ +# Jan 1 00:00:00 debian dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, TLS: Connection closed, session= +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): user=<[[:alnum:]@_.-]+>, method=PLAIN, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS: Connection closed, session=<[[:alnum:]\+\/]+>$ -# Nov 6 00:00:00 linode2 dovecot: imap(abc@domain.com)<1187>: Connection closed (UID FETCH finished 895.794 secs ago) in=329 out=3439 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 -# Nov 6 00:00:00 linode2 dovecot: 
imap(abc@domain.com)<1186>: Connection closed (LIST finished 895.877 secs ago) in=23 out=897 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 -# Nov 6 00:00:00 linode2 dovecot: imap(abc@domain.com)<28476>: Connection closed (NOOP finished 0.072 secs ago) in=31 out=940 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +# Jan 1 00:00:00 debian dovecot: imap-login: Disconnected (client didn't finish SASL auth, waited 1 secs): user=<>, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, TLS: read(size=401) failed: Connection reset by peer, session= +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(client didn't finish SASL auth, waited [.0-9]+ secs\): user=<[[:alnum:]@_.-]*>, method=PLAIN, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS: read\(size=[0-9]+\) failed: Connection reset by peer, session=<[+\/[:alnum:]]+>$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed \((UID FETCH|UID STORE|LIST|NOOP|STATUS|append)? 
finished [0-9.]+ secs ago\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$ +# ' +# Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: Connection closed, session= +# Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2600:3c03::f03c:92ff:fe37:de06, lip=2a01:7e01::f03c:91ff:fe92:641e, TLS handshaking: Connection closed, session= +# Jan 01 00:00:00 debian dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=1.2.3.4, lip=1.2.3.4, TLS: read(size=583) failed: Connection reset by peer, session= +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(no auth attempts in [0-9]+ secs\): user=<>, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, TLS( handshaking)?:( read\(size=[0-9]+\) failed:)? Connection (closed|reset by peer), session=<[\/\+[:alnum:]]+>$ -# Nov 9 11:12:28 linode2 dovecot: imap(abc@domain.com)<2509><7BepIueWNJtPvWPC>: Connection closed: read(size=8013) failed: Connection reset by peer (IDLE running for 0.001 + waiting input for 0.001 secs, 2 B in + 10 B out, state=wait-input) in=179 out=10967 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 +# Jan 1 00:00:00 debian dovecot: imap-login: Login: user=, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, mpid=25205, TLS: Connection closed, session=<8/MvZBWnqdXCKQ3I> +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Login: user=<[[:alnum:]@_.-]*>, method=PLAIN, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, mpid=[0-9]+, TLS: Connection closed, session=<[+\/[:alnum:]]+>$ -# Nov 9 11:12:28 linode2 dovecot: imap(abc@domain.com)<2508>: Connection closed (IDLE running for 0.001 + waiting input for 0.001 secs, 2 B in + 10+10 B out, state=wait-input) in=180 out=89621 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 
body_count=0 body_bytes=0 +# Aug 23 05:50:30 debian dovecot: imap-login: Login: user=, method=PLAIN, rip=1.2.3.4, lip=2.3.4.5, mpid=302123, TLS: read(size=337) failed: Connection reset by peer, session= +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Login: user=<[[:alnum:]@_.-]*>, method=PLAIN, rip=[.:[:alnum:]]+, lip=[.:[:alnum:]]+, mpid=[0-9]+, TLS: read\(size=[0-9]+\) failed: Connection reset by peer, session=<[+\/[:alnum:]]+>$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]]+>)?: Connection closed(: read\(size=[0-9]+\))?( failed: Connection reset by peer)? \(IDLE running for [0-9.]+ \+ waiting input for [0-9.]+ secs, [0-9]+ B in \+ [0-9\+]+ B out, state=wait-input\) in=[0-9-]+ out=[0-9]+ deleted=[0-9]+ expunged=[0-9]+( trashed=[0-9]+)?( hdr_count=[0-9]+)?( hdr_bytes=[0-9]+)?( body_count=[0-9]+)?( body_bytes=[0-9]+)?$ +# Jun 5 11:22:59 vps417842 dovecot: lmtp(john.doe@do-main.com)<29931>: sieve: msgid=: stored mail into mailbox 'INBOX' +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (dovecot: )?(lmtp|lda)\([-_.,@[:alnum:] ]+\)<[[:alnum:]]+>(<[\/+[:alnum:]:]+>)?: (Error: )?([-+_\/.,@:[:alnum:] ]+: )?(sieve: )?(msgid=(\? )?(?(\ )?|unspecified): )?( \(((added by )?[^[:space:]]+|sfid-[_[:xdigit:]]+)\)?)?(saved mail to INBOX|stored mail into mailbox '[^']+'|marked message to be discarded if not explicitly delivered \(discard action\)|(forwarded to|sent vacation response to|discarding vacation response for message implicitly delivered to|not sending vacation response to system address|discarding vacation response to mailinglist recipient|discarded vacation reply to|discarding vacation response to (auto-submitted|precedence=(bulk|Bulk|list)) message from|discarded duplicate (vacation response|forward) to) <[^[:space:]]*>|failed to open script [\/[:alnum:].]+ \(view user logfile [\/[:alnum:].]+ for more information\))$ 
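Review bot: The new `imap-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\)` rule suppresses every failed-authentication line regardless of attempt count, which is the main evidence logcheck would otherwise report for password guessing against the IMAP service. Either drop that rule or pin it to the noise actually seen, e.g. `auth failed, 1 attempts in [0-9]+ secs`, so repeated attempts from one client still surface. The companion `imap-login: Login: user=…` rules hide successful logins as well, a lesser concern but the same trade-off, and worth a comment stating it is deliberate. The stray `+# '` comment near the end of the hunk looks like an editor quote-balancing artifact.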
diff --git a/ignore.d.server/domino-dovecot-lmtp b/ignore.d.server/domino-dovecot-lmtp
new file mode 100644
index 0000000..33bd3c8
--- /dev/null
+++ b/ignore.d.server/domino-dovecot-lmtp
@@ -0,0 +1,18 @@
+# ; -*- mode: conf; fill-column: 99999 -*-
+
+# Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: stored mail into mailbox 'INBOX'
+# Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: stored mail into mailbox 'INBOX'
+# Apr 1 03:42:34 debian dovecot: lmtp(do@minik.pl)<27587>: sieve: msgid=? : stored mail into mailbox 'debian-user'
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]:]+>)?: sieve: msgid=(\? )??: stored mail into mailbox '[[:alnum:]_-]+'$
+
+# Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<10252>: sieve: msgid=: forwarded to
+# Jan 1 00:00:00 debian dovecot: lmtp(user@domain.com)<24417>: sieve: msgid=: forwarded to
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\)<[[:alnum:]]+>(<[\/+[:alnum:]:]+>)?: sieve: msgid=?: forwarded to <[[:alnum:]@._-]+>$
+
+# May 5 00:57:29 debian dovecot: lmtp(9716): Disconnect from local: Remote closed connection (state=READY)
+# Jan 1 00:00:00 debian dovecot: lmtp(24420): Disconnect from local: Client has quit the connection (state=READY)
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-[:alnum:]@\.]+\): Disconnect from local: (Client has quit the|Remote closed) connection \(state=READY\)$
+
diff --git a/ignore.d.server/domino-hostapd b/ignore.d.server/domino-hostapd
index 4f3c907..44d66a7 100644
--- a/ignore.d.server/domino-hostapd
+++ b/ignore.d.server/domino-hostapd
@@ -1,4 +1,4 @@
-# ; -*- mode: text; fill-column: 99999 -*-
+# ; -*- mode: conf; fill-column: 99999 -*-
 # Nov 2 00:00:00 debian hostapd: wls12: STA 0a:0a:0a:0a:0a:0a IEEE 802.1X: Supplicant used different EAP type: 3 (unknown)
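Review bot: The `stored mail into mailbox` and `forwarded to` rules in this new file duplicate what the broad `(lmtp|lda)\(…\)` rule added at the end of the domino-dovecot hunk in this same commit already ignores, so the same lines are now covered twice and the two files will drift apart. Keep one home for the lmtp rules; if this file is it, drop the lmtp branch from the domino-dovecot rule. Two of the sample comments are also exact duplicates (`<24417>` INBOX and the second `forwarded to` line) and add nothing. The `(\? )??` quantifier reads as a typo for `(\? )?` — a doubled `?` is not meaningful in ERE.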
@@ -28,8 +28,9 @@
 # Nov 2 00:00:00 debian hostapd[544]: wls12: CTRL-EVENT-EAP-STARTED 0a:0a:0a:0a:0a:0a
 # Nov 2 00:00:00 debian hostapd[544]: wls12: CTRL-EVENT-EAP-SUCCESS2 0a:0a:0a:0a:0a:0a
 # Nov 2 00:00:00 debian hostapd[544]: wls12: CTRL-EVENT-EAP-TIMEOUT-FAILURE 0a:0a:0a:0a:0a:0a
+# Jul 1 00:00:00 debian hostapd[213]: wlp6s1: CTRL-EVENT-EAP-TIMEOUT-FAILURE2 0a:0a:0a:0a:0a:0a
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hostapd(\[[0-9]+\])?: [[:alnum:]]+: CTRL-EVENT-EAP-(STARTED|SUCCESS2|RETRANSMIT(2)?|TIMEOUT-FAILURE|FAILURE2|PROPOSED-METHOD) ([[:xdigit:]:]{17})?(vendor=[0-9]+ method=[0-9]+)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hostapd(\[[0-9]+\])?: [[:alnum:]]+: CTRL-EVENT-EAP-(STARTED|SUCCESS2|RETRANSMIT(2)?|TIMEOUT-FAILURE2?|FAILURE2|PROPOSED-METHOD) ([[:xdigit:]:]{17})?(vendor=[0-9]+ method=[0-9]+)?$
 # Nov 9 15:52:09 debian hostapd[491]: Switching to 40 MHz operation
@@ -43,3 +44,14 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hostapd(\[[0-9]+\])?:\s+frame too short for this IEEE 802\.1(1|X) packet$
+# Jan 1 00:00:00 debian hostapd[687]: wls4: AP-STA-POLL-OK 3c:71:bf:2d:10:52
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hostapd(\[[0-9]+\])?: [[:alnum:]]+: AP-STA-POLL-OK [[:xdigit:]:]{17}$
+
+# Apr 22 09:31:54 debian hostapd[1555]: wlp13s0: STA-OPMODE-SMPS-MODE-CHANGED 50:2f:9b:04:0a:b5 off
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hostapd(\[[0-9]+\])?: [[:alnum:]]+: STA-OPMODE-SMPS-MODE-CHANGED [[:xdigit:]:]{17} off$
+
+# Apr 22 04:09:39 debian hostapd[1537]: Station f0:05:d1:c6:ed:12 trying to disassociate, but it is not associated
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ hostapd(\[[0-9]+\])?: Station [[:xdigit:]:]+ trying to disassociate, but it is not associated$
diff --git a/ignore.d.server/domino-influxd b/ignore.d.server/domino-influxd
new file mode 100644
index 0000000..cd77cba
--- /dev/null
+++ b/ignore.d.server/domino-influxd
@@ -0,0 +1,2 @@
+# ; -*- mode: conf; fill-column: 99999 -*-
+
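Review bot: In the second hostapd hunk the new `Station [[:xdigit:]:]+ trying to disassociate, but it is not associated` rule uses an unbounded MAC class while the `AP-STA-POLL-OK` and `STA-OPMODE-SMPS-MODE-CHANGED` rules just above it use `[[:xdigit:]:]{17}`; use `{17}` here too. A disassociate from a station the AP does not know is also what a burst of spoofed management frames looks like from the AP's side, so silencing it trades a detection signal for quiet — a comment on the rule saying that is deliberate would help the next reader. The `… off$` suffix only matches the SMPS state in the sample; other states will still be reported, which is fine if intended.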
diff --git a/ignore.d.server/domino-influxdb b/ignore.d.server/domino-influxdb
deleted file mode 100644
index b88942b..0000000
--- a/ignore.d.server/domino-influxdb
+++ /dev/null
@@ -1,11 +0,0 @@
-# ; -*- mode: conf; fill-column: 99999 -*-
-
-# Nov 24 09:51:32 debian influxd[27703]: [httpd] 192.168.0.1 - root [24/Nov/2019:09:51:32 +0100] "GET /query?db=abc&q=SELECT+%2A+from+state HTTP/1.1" 200 244 "-" "python-requests/2.22.0" 9d3d77ce-0e97-11ea-8077-000000000000 1833
-# Nov 24 09:51:46 debian influxd[27703]: [httpd] ::1 - - [24/Nov/2019:09:51:46 +0100] "POST /query?db=&epoch=ns&q=SHOW+DATABASES HTTP/1.1" 200 116 "-" "InfluxDBShell/1.6.4" a52ae7c6-0e97-11ea-8079-000000000000 2350
-# Nov 24 09:52:45 debian influxd[27703]: [httpd] 192.168.0.1 - root [24/Nov/2019:09:52:45 +0100] "POST /write?db=abc HTTP/1.1" 204 0 "-" "python-requests/2.22.0" c841ac38-0e97-11ea-807d-000000000000 6362
-
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ influxd\[[0-9]+\]: \[httpd\]( [,.:[:digit:]]+,)? [,.:[:digit:]]+ \-( \-)? [[:alnum:]-]+ \[[\/:\+[:alnum:] ]+\] \"(POST|GET) \/[\?\=\&\+\%[:alnum:]-]+ HTTP\/1\.1\" [0-9]+ [0-9]+ \"\-\" \"[\-\/\.[:alnum:]]+\" [[:alnum:]-]+ [0-9]+$
-
-# Nov 24 09:51:32 debian influxd[27703]: ts=2019-11-24T08:51:32.912602Z lvl=info msg="Executing query" log_id=0JIHWOo0000 service=query query="SELECT * FROM abc.autogen.state"
-
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ influxd\[[0-9]+\]: ts=[\:\-\.[:alnum:]]+ lvl=info msg=\"Executing query\" log_id=[[:alnum:]]+ service=query query=\"[\*\.\(\)\>\=\<[:alnum:] -]+\"$
diff --git a/ignore.d.server/domino-kernel b/ignore.d.server/domino-kernel
index f54c800..367d02e 100644
--- a/ignore.d.server/domino-kernel
+++ b/ignore.d.server/domino-kernel
@@ -1,4 +1,4 @@
-# ; -*- mode: text; fill-column: 99999 -*-
+# ; -*- mode: conf; fill-column: 99999 -*-
 # Jun 16 08:28:17 debian kernel: [219862.976978] input: 40:EF:4C:33:AE:21 as /devices/virtual/input/input14
@@ -17,3 +17,23 @@ Jun 17 18:47:23 router kernel: [6425157.863842] ip6_tables: (C) 2000-2006 Netfil
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[ .[:digit:]]+\] INFO: NMI handler \(perf_event_nmi_handler\) took too long to run: [.[:digit:]]+ msecs$
+# Jan 1 00:00:00 debian kernel: [5674129.042703] device br0 entered promiscuous mode
+# Jan 1 00:00:00 debian kernel: [5674141.471188] device br0 left promiscuous mode
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[ .[:digit:]]+\] device [[:alnum:]]+ (entered|left) promiscuous mode$
+
+# Aug 19 07:48:03 debian kernel: [155896.114715] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module.
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[ .[:digit:]]+\] conntrack: generic helper won't handle protocol [0-9]+. Please consider loading the specific helper module.$
+
+# Nov 26 16:13:34 debian kernel: [14885.004498] Rekeying PTK for STA 00:0f:02:02:98:98 but driver can't safely do that.
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[.[:digit:]]+\] Rekeying PTK for STA [[:xdigit:]:]+ but driver can't safely do that\.$
+
+# May 17 07:26:40 debian kernel: [8672235.902147] ath10k_pci 0000:0d:00.0: Invalid peer id 217 peer stats buffer
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[.[:digit:]]+\] ath10k_pci [[:alnum:]:.]+ Invalid peer id [0-9]+ peer stats buffer$
+
+# Jan 1 00:00:00 debian kernel: [3130700.334016] md: md0: data-check done.
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[.[:digit:]]+\] md: md[0-9]+: data-check done.$
+
+# Jan 1 00:00:00 debian kernel: [3128758.102199] md: data-check of RAID array md0
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[.[:digit:]]+\] md: data-check of RAID array md[0-9]+$
+
diff --git a/ignore.d.server/domino-lsyncd b/ignore.d.server/domino-lsyncd
new file mode 100644
index 0000000..7ee0ca6
--- /dev/null
+++ b/ignore.d.server/domino-lsyncd
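Review bot: `device [[:alnum:]]+ (entered|left) promiscuous mode` silences promiscuous-mode transitions for every interface, yet that kernel message is one of the few host-level indicators that a packet capture was started, and the two samples only show the bridge `br0`. Narrow it to what is expected, `device br[0-9]+ (entered|left) promiscuous mode$`, so the same message on any other interface still reaches the report. The uptime class is also inconsistent within the hunk: the first two new rules use `\[[ .[:digit:]]+\]` like the existing rule above them, the remaining four `\[[.[:digit:]]+\]`, which presumably will not match the space-padded uptimes the kernel prints early after boot.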
@@ -0,0 +1,19 @@
+# ; -*- mode: conf; fill-column: 99999 -*-
+
+# May 27 13:02:26 debian systemd[31861]: Created slice lsyncd.slice.
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: (Created|Removed) slice lsyncd.slice.$
+
+# May 27 13:04:58 debian systemd[31861]: lsyncd@pix2.service: Main process exited, code=exited, status=143/n/a
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: lsyncd@pix2.service: Main process exited, code=exited, status=[0-9]+\/n\/a$
+
+# May 27 13:04:58 debian systemd[31861]: lsyncd@pix2.service: Failed with result 'exit-code'.
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: lsyncd@pix2.service: Failed with result 'exit-code'.$
+
+# May 27 13:02:26 debian lsyncd[31871]: 13:02:26 Normal: --- Startup ---
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ lsyncd\[[0-9]+\]: [\:[:digit:]]+ Normal: --- (Startup|TERM signal, fading) ---$
+
+# May 27 13:02:26 debian lsyncd[31871]: 13:02:26 Normal: recursive startup rsync: /var/www/adm/pix2/ -> domain.com:/home/user/sites/pix2/
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ lsyncd\[[0-9]+\]: [\:[:digit:]]+ Normal: recursive startup rsync: [\/[:alnum:]]+ -> [.\:\/[:alnum:]]+$
+
+# May 27 13:02:29 debian lsyncd[31871]: 13:02:29 Normal: Startup of "/var/www/adm/pix2/" finished: 0
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ lsyncd\[[0-9]+\]: [\:[:digit:]]+ Normal: Startup of "[\/[:alnum:]]+" finished: 0$
diff --git a/ignore.d.server/domino-ntp b/ignore.d.server/domino-ntp
index f96e62e..4513e2b 100644
--- a/ignore.d.server/domino-ntp
+++ b/ignore.d.server/domino-ntp
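Review bot: The `Main process exited, code=exited, status=[0-9]+\/n\/a` rule accepts every exit status, while the sample it was written from is `status=143` (SIGTERM on a clean stop); together with the `Failed with result 'exit-code'` rule right below it, any crash of `lsyncd@pix2.service` is filtered out of the report. Pin it to the clean-shutdown value, `status=143\/n\/a$`, or better set `SuccessExitStatus=143` in the unit so neither line is logged on a normal stop and both rules can be dropped. The `recursive startup rsync: [\/[:alnum:]]+ -> [.\:\/[:alnum:]]+$` rule likewise accepts any source and any destination host; for a job that copies `/var/www` content off-box, a changed target is exactly what you would want to see, so anchoring the destination to the expected `domain.com:` prefix is cheap insurance.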
@@ -1,16 +1,29 @@
 # ; -*- mode: conf; fill-column: 99999 -*-
-# Oct 3 16:24:34 debian-linode ntpd[3668]: receive: KoD packet from 185.228.137.116 has inconsistent xmt/org/rec timestamps. Ignoring.
+# Oct 3 16:24:34 debian ntpd[3668]: receive: KoD packet from 185.228.137.116 has inconsistent xmt/org/rec timestamps. Ignoring.
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: receive: KoD packet from [.0-9]+ has inconsistent xmt\/org\/rec timestamps.\s+Ignoring.$
-# Aug 25 09:02:36 router ntpd[879]: Soliciting pool server 2a02:f40:10:1::3
+# Aug 25 09:02:36 debian ntpd[879]: Soliciting pool server 2a02:f40:10:1::3
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: Soliciting pool server [\.\:[:xdigit:]]+$
-# Nov 17 07:13:36 linode2 ntpd[32535]: 2a03:4000:29:91:2549:9:f370:a1 local addr 2a01:7e01::f03c:91ff:fe92:641e ->
-# Nov 17 07:13:37 linode2 ntpd[32535]: 2001:638:504:2000::35 local addr 2a01:7e01::f03c:91ff:fe92:641e ->
+# Nov 17 07:13:36 debian ntpd[32535]: 2a03:4000:29:91:2549:9:f370:a1 local addr 2a01:7e01::f03c:91ff:fe92:641e ->
+# Nov 17 07:13:37 debian ntpd[32535]: 2001:638:504:2000::35 local addr 2a01:7e01::f03c:91ff:fe92:641e ->
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: [.[:xdigit:]:]+ local addr [.[:xdigit:]:]+ -> $
+
+
+# Jan 01 00:00:00 debian ntpd[32535]: new interface(s) found: waking up resolver
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: new interface\(s\) found: waking up resolver$
+
+# Jan 01 01:01:01 debian ntpd[843]: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): will expire in less than 24 days
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: leapsecond file \('\/usr\/share\/zoneinfo\/leap-seconds.list'\): will expire in less than [0-9]+ days$
+
+# Apr 22 10:20:48 debian ntpd[2656614]: no peer for too long, server running free now
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: no peer for too long, server running free now$
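Review bot: The new `no peer for too long, server running free now` rule hides the one line ntpd emits when it has lost every time source and is free-running; a drifting clock breaks log correlation, certificate validity windows and Kerberos-style authentication, and a host silently cut off from NTP (by an outage or by someone filtering it) looks exactly like this from the inside. I would not ignore that line at all; if it is noisy on one specific box, restrict the rule to that hostname instead of `[._[:alnum:]-]+` so it still reports elsewhere. The `leapsecond file ... will expire in less than [0-9]+ days` rule is a similar case: it is a maintenance reminder that, once suppressed, will only be noticed after the file has actually expired.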
diff --git a/ignore.d.server/domino-opendkim b/ignore.d.server/domino-opendkim
new file mode 100644
index 0000000..ce06f41
--- /dev/null
+++ b/ignore.d.server/domino-opendkim
@@ -0,0 +1,10 @@
+# ; -*- mode: conf; fill-column: 99999 -*-
+
+# Jan 1 00:00:00 debian opendkim[689]: AC9103E9A5: external host mail-oi1-x22b.google.com attempted to send as costam.org.pl
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:xdigit:]]{10,11}: external host [[:alnum:]\.-]+ attempted to send as [[:alnum:]\.-]+$
+
+# Jul 21 07:02:12 debian opendkim[604]: 054F13E803: s=mail d=domain.com a=rsa-sha256 SSL
+# Jul 21 07:02:17 debian opendkim[604]: 5145C3E803: s=mail d=domain.com a=rsa-sha256 SSL
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:xdigit:]]{10,11}: s=[[:alnum:]_.-]+ d=[[:alnum:].-]+ a=(rsa|ed25519)-sha256 SSL$
diff --git a/ignore.d.server/domino-openvpn b/ignore.d.server/domino-openvpn
new file mode 100644
index 0000000..48e761c
--- /dev/null
+++ b/ignore.d.server/domino-openvpn
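Review bot: The `external host [[:alnum:]\.-]+ attempted to send as [[:alnum:]\.-]+` rule suppresses opendkim's notice that a host outside its internal-hosts list submitted mail with a sender in a domain this server signs for, which is precisely the line you would want to see when someone tries to spoof one of your domains through this MTA. If the noise is legitimate forwarding from known relays like the `google.com` host in the sample, narrow the host part to those relays (e.g. `[[:alnum:]-]+\.google\.com`) and the domain part to the domains you actually sign for, so an attempt from an unknown host still reaches the report. The second rule only covers successful `rsa`/`ed25519` signatures and is fine as written.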
@@ -0,0 +1,17 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: [[:alnum:].\/:]+ peer info: .*$
+
+# Jun 22 15:05:02 debian ovpn-server[701778]: hostname1/1.2.3.4:12345 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
+# Jun 22 15:05:02 debian ovpn-server[701778]: hostname1/1.2.3.4:12345 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: [[:alnum:].\/:]+ (Incoming|Outgoing) Data Channel: Cipher '[[:alnum:]-]+' initialized with [0-9]+ bit key$
+
+# Jun 22 15:06:13 debian ovpn-server[701778]: hostname/1.2.3.4:12345 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=linode, name=EasyRSA, emailAddress=me@myhost.mydomain
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: [[:alnum:].\/:]+ VERIFY OK: .*$
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: [[:alnum:].\/:]+ TLS: soft reset sec=[0-9-]+ bytes=[[:digit:]\/-]+ pkts=[[:digit:]\/-]+$
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: [[:alnum:].\/:]+ Control Channel: TLSv[0-9.]+, cipher TLSv[0-9.]+ [[:alnum:]_]+, [0-9]+ bit [[:alnum:]]+$
+
+# Jun 23 07:34:08 debian ovpn-server[701778]: 192.168.0.6:1194 TLS: Initial packet from [AF_INET]192.168.0.6:1194, sid=c793723e cc9e1b35
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: [[:alnum:].\/:]+ TLS: Initial packet from \[AF_INET\][[:digit:].:]+, sid=[[:xdigit:]]+ [[:xdigit:]]+$
+
+
diff --git a/ignore.d.server/domino-postfix b/ignore.d.server/domino-postfix
index c16dbdd..dc347d4 100644
--- a/ignore.d.server/domino-postfix
+++ b/ignore.d.server/domino-postfix
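Review bot: The `TLS: Initial packet from \[AF_INET\][[:digit:].:]+, sid=...` rule accepts any IPv4 source, but the sample it was written from is a LAN peer (`192.168.0.6`); OpenVPN logs this line for the first packet of any session attempt on its port, so as written a probe or connection attempt from an arbitrary Internet address is dropped from the report too (unless tls-auth/tls-crypt is in use, which rejects unauthenticated packets earlier — not visible here). Pin the prefix to the addresses expected to connect, e.g. `\[AF_INET\]192\.168\.0\.[0-9]+:[0-9]+`, or to the subnet the clients come from. The first and the `VERIFY OK` rules end in an unbounded `.*`, unlike every other rule in the file that spells out its fields; a one-line comment stating why that is acceptable there would save the next reader from tightening or loosening them by accident.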
@@ -1,47 +1,116 @@
 # ; -*- mode: conf; fill-column: 99999 -*-
+# Jan 1 00:00:00 debian postfix/postfix-script[5427]: refreshing the Postfix mail system
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/postfix-script\[[0-9]+\]: refreshing the Postfix mail system$
+
+# Jan 1 00:00:00 debian postfix/master[1634]: reload -- version 3.4.10, configuration /etc/postfix
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/master\[[0-9]+\]: reload -- version [.0-9]+, configuration \/etc\/postfix$
+
+# --- smtpd ---
+
 # Sep 18 22:55:37 debian postfix/smtpd[13312]: warning: TLS library problem: error:1417D0FC:SSL routines:tls_process_client_hello:unknown protocol:../ssl/statem/statem_srvr.c:938:
 # Sep 18 22:55:38 debian postfix/smtpd[13312]: warning: TLS library problem: error:1417D18C:SSL routines:tls_process_client_hello:version too low:../ssl/statem/statem_srvr.c:974:
 # Sep 18 22:55:39 debian postfix/smtpd[13312]: warning: TLS library problem: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1399:SSL alert number 70:
 # Sep 18 22:55:40 debian postfix/smtpd[13312]: warning: TLS library problem: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1399:SSL alert number 70:
 # Sep 22 04:29:35 debian postfix/smtpd[26597]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared
-# Oct 3 04:20:03 linode2 postfix/smtpd[9011]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1404:
-# Nov 15 23:39:59 linode2 postfix/smtpd[20808]: warning: TLS library problem: error:142090FC:SSL routines:tls_early_post_process_client_hello:unknown protocol:../ssl/statem/statem_srvr.c:1636:
-# Nov 15 23:39:59 linode2 postfix/smtpd[20808]: warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../ssl/statem/statem_srvr.c:1661:
+# Oct 3 04:20:03 debian postfix/smtpd[9011]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1404:
+# Nov 15 23:39:59 debian postfix/smtpd[20808]: warning: TLS library problem: error:142090FC:SSL routines:tls_early_post_process_client_hello:unknown protocol:../ssl/statem/statem_srvr.c:1636:
+# Nov 15 23:39:59 debian postfix/smtpd[20808]: warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../ssl/statem/statem_srvr.c:1661:
 ^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[0-9]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:(tls_process_client_hello:(unknown protocol|version too low):|tls_post_process_client_hello:no shared cipher:|tls_early_post_process_client_hello:(unknown protocol:|version too low:)|ssl3_read_bytes:tlsv[0-9]+ alert protocol version:|tls_post_process_client_hello:no shared)?(..\/ssl\/(record|statem)\/(statem_srvr.c:[0-9]+:|rec_layer_s3.c:[0-9]+:SSL alert number [0-9]+:))?$
-# ?
+# Nov 14 05:14:24 debian postfix/smtpd[21323]: warning: unknown[1.2.3.4]: SASL Plain authentication failed:
+# Nov 14 05:21:37 debian postfix/smtpd[21372]: warning: 123domain.com[1.2.3.4]: SASL Plain authentication failed:
+
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[0-9]+\]: warning: [-.[:alnum:]]+\[[.[:digit:]]+\]: SASL Plain authentication failed:$
+
+# Jan 1 00:00:00 debian postfix/smtpd[21504]: warning: hostname zg-0428c-216.stretchoid.com does not resolve to address 1.2.3.4: No address associated with hostname
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: warning: hostname [[:alnum:].-]+ does not resolve to address [.[:digit:]]+: No address associated with hostname$
+
+# Apr 30 07:02:05 debian postfix/smtpd[20567]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:1661:
+
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[[:digit:]]+\]: warning: TLS library problem: error:[[:alnum:]]+:SSL routines:tls_early_post_process_client_hello:unsupported protocol:\.\.\/ssl\/statem\/statem_srvr.c:[0-9]+:$
+
+# Jan 01 00:00:00 debian postfix/smtpd[11111]: Anonymous TLS connection established from z15.domain.com[1.2.3.4]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256
+
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[0-9]+\]: Anonymous TLS connection established from [.[:alnum:]-]+\[[:.0-9a-f]+\]: TLSv[.0-9]+ with cipher [_[:alnum:]]+ \([\/0-9]+ bits\) key-exchange (ECDHE|X25519)( \([[:alnum:]-]+\))? 
server-signature [[:alnum:]-]+ \([0-9]+ bits\)( server-digest [[:alnum:]]+)?$
+
+# Sep 01 15:37:11 debian postfix/smtpd[11363]: improper command pipelining after HELO from unknown[1.2.3.4]: STARTTLS\r\n
+# Sep 1 11:18:50 debian postfix/smtpd[28021]: improper command pipelining after EHLO from unknown[223.229.67.159]: HELO example.com\r\nSTARTTLS\r\n
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[0-9]+\]: improper command pipelining after [HELO]+ from unknown\[[[:digit:].]+\]: (HELO [[:alnum:].]+\\r\\n)?STARTTLS\\r\\n$
+
+# ^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtpd\[[0-9]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:[\/_.:[:alnum:]]+ alert number [[:xdigit:]]+:$
-# ?
+# Jan 01 00:00:00 debian postfix/smtp[11111]: 172733EFE6: Cannot start TLS: handshake failure
+
+# --- smtp ---
+
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: [[:alnum:]]+: Cannot start TLS: handshake failure$
+
+# Jan 01 00:00:00 debian postfix/smtp[11111]: SSL_connect error to eu-smtp-inbound-2.mimecast.com[195.130.217.201]:25: -1
+# Jan 01 00:00:00 debian postfix/smtp[11111]: SSL_connect error to mail.po-mysl.pl[185.204.218.208]:25: -1
+
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: SSL_connect error to [\.[:alnum:]-]+\[[.0-9]+\]:[0-9]+: [[:digit:]-]+$
+
+# Jan 01 00:00:00 debian postfix/smtp[11111]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
+
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: warning: TLS library problem: error:[[:alnum:]]+:SSL routines:ssl3_get_record:wrong version number:..\/ssl\/record\/ssl3_record.c:[0-9]+:$
+
+# Apr 30 09:19:07 debian postfix/smtp[28712]: warning: TLS library problem: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1544:SSL alert number 70:
+
+^\w{3} [ 
:[:digit:]]{11} [_[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: warning: TLS library problem: error:[[:alnum:]]+:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:..\/ssl\/record\/rec_layer_s3.c:[0-9]+:SSL alert number [0-9]+:$
+
+# Apr 30 11:02:05 domino postfix/smtp[6625]: Untrusted TLS connection established to poczta.cos.pl[133.111.171.21]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
+# Jan 1 00:00:00 debian postfix/smtp[28014]: Trusted TLS connection established to mail.galapp.net[1.2.3.4]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix\/smtp\[[[:digit:]]+\]: (Untrusted|Trusted) TLS connection established to [-._[:alnum:]]+\[[0-9a-f:.]+\]:[0-9]+: TLSv1\.3 with cipher [_[:alnum:]-]+ \([0-9]+\/[0-9]+ bits\) key-exchange [[:alnum:]]+( \(P-[0-9]+\))? 
server-signature [[:alnum:]-]+ \([P0-9-]+( bits)?\) server-digest [[:alnum:]]+$
+
+# --- submission smtps ---
 ^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix(/submission|/smtps|/[0-9]+)?/smtpd\[[[:digit:]]+\]: disconnect from [[:alnum:]_\.-]+\[[[:alnum:]\.:]+\] commands=[0-9]/[0-9]$
+# Jun 11 12:20:40 debian postfix/smtpd[19535]: NOQUEUE: reject: MAIL from oakwood.hyperslice.net[109.203.106.148]: 552 5.3.4 Message size exceeds fixed limit; proto=ESMTP helo=
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix(/submission|/smtps|/[0-9]+)?/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: MAIL from [\.[:alnum:]]+\[[\.[:alnum:]]+\]: 552 5\.3\.4 Message size exceeds fixed limit; proto=ESMTP helo=<[.[:alnum:]]+>$
-# Jun 11 12:20:40 linode2 postfix/smtpd[19535]: NOQUEUE: reject: MAIL from oakwood.hyperslice.net[109.203.106.148]: 552 5.3.4 Message size exceeds fixed limit; proto=ESMTP helo=
+# Jan 8 11:15:03 debian postfix/smtpd[41137]: NOQUEUE: reject: RCPT from unknown[185.239.242.52]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [.[:alnum:]-]+\[[.0-9]+\]: [0-9]+ [.0-9]+ <[@._[:alnum:]-]+>: Relay access denied; from=<[@._=[:alnum:]-]+> to=<[@._=[:alnum:]-]+> proto=(E)SMTP helo=<[._[:alnum:]-]+>$
-\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix(/submission|/smtps|/[0-9]+)?/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: MAIL from [\.[:alnum:]]+\[[\.[:alnum:]]+\]: 552 5\.3\.4 Message size exceeds fixed limit; proto=ESMTP helo=<[.[:alnum:]]+>$
+# Jan 1 00:00:00 debian postfix/smtpd[3169]: NOQUEUE: reject: RCPT from ip242.ip-54-38-110.eu[1.2.3.4]: 550 5.7.27 : Sender address rejected: Domain example.com does not accept mail (nullMX); from= to= proto=SMTP helo=
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [.[:alnum:]-]+\[[.0-9]+\]: [0-9]+ [.0-9]+ <[@._[:alnum:]-]+>: 
</gr_repl ace>

<gr_replace lines="30-30" cat="reformat" orig="Sender address rejected:">
Sender address rejected: Domain example.com does not accept mail \(nullMX\); from=<[@._[:alnum:]-]+> to=<[@._[:alnum:]-]+> proto=SMTP helo=<[._[:alnum:]-]+>$
 # Sep 9 09:17:58 debian postfix/smtpd[5361]: Anonymous TLS connection established from mail-lj1-f177.google.com[209.85.208.177]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
-# Nov 16 02:09:33 linode2 postfix/smtpd[27303]: Anonymous TLS connection established from ms1622.m.lrmailr.pl[164.132.49.188]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
+# Nov 16 02:09:33 debian postfix/smtpd[27303]: Anonymous TLS connection established from ms1622.m.lrmailr.pl[164.132.49.188]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: Anonymous TLS connection established from [-._[:alnum:]]+\[[.[:digit:]]+\]: TLSv[\.0-9]+ with cipher [_[:alnum:]-]+ \([0-9]+\/[0-9]+ bits\) key-exchange [_[:alnum:]-]+ server-signature [_[:alnum:]-]+ \([0-9]+ bits\)( server-digest [_[:alnum:]-]+)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: Anonymous TLS connection established from [-._[:alnum:]]+\[[:.[:digit:]]+\]: TLSv[\.0-9]+ with cipher [_[:alnum:]-]+ \([0-9]+\/[0-9]+ bits\) key-exchange [_[:alnum:]-]+ server-signature [_[:alnum:]-]+ \([0-9]+ bits\)( server-digest [_[:alnum:]-]+)?$
+# --- cleanup ---
-# Nov 14 05:14:24 router postfix/smtpd[21323]: warning: unknown[1.2.3.4]: SASL Plain authentication failed:
-# Nov 14 05:21:37 router postfix/smtpd[21372]: warning: 123domain.com[1.2.3.4]: SASL Plain authentication failed:
+# Dec 13 11:50:26 debian postfix/cleanup[3960]: CD1D940A83: message-id=
-^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ 
Sender address rejected: Domain example.com does not accept mail \(nullMX\); from=<[@._[:alnum:]-]+> to=<[@._[:alnum:]-]+> proto=SMTP helo=<[._[:alnum:]-]+>$ # Sep 9 09:17:58 debian postfix/smtpd[5361]: Anonymous TLS connection established from mail-lj1-f177.google.com[209.85.208.177]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 -# Nov 16 02:09:33 linode2 postfix/smtpd[27303]: Anonymous TLS connection established from ms1622.m.lrmailr.pl[164.132.49.188]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) +# Nov 16 02:09:33 debian postfix/smtpd[27303]: Anonymous TLS connection established from ms1622.m.lrmailr.pl[164.132.49.188]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: Anonymous TLS connection established from [-._[:alnum:]]+\[[.[:digit:]]+\]: TLSv[\.0-9]+ with cipher [_[:alnum:]-]+ \([0-9]+\/[0-9]+ bits\) key-exchange [_[:alnum:]-]+ server-signature [_[:alnum:]-]+ \([0-9]+ bits\)( server-digest [_[:alnum:]-]+)?$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: Anonymous TLS connection established from [-._[:alnum:]]+\[[:.[:digit:]]+\]: TLSv[\.0-9]+ with cipher [_[:alnum:]-]+ \([0-9]+\/[0-9]+ bits\) key-exchange [_[:alnum:]-]+ server-signature [_[:alnum:]-]+ \([0-9]+ bits\)( server-digest [_[:alnum:]-]+)?$ +# --- cleanup --- -# Nov 14 05:14:24 router postfix/smtpd[21323]: warning: unknown[1.2.3.4]: SASL Plain authentication failed: -# Nov 14 05:21:37 router postfix/smtpd[21372]: warning: 123domain.com[1.2.3.4]: SASL Plain authentication failed: +# Dec 13 11:50:26 debian postfix/cleanup[3960]: CD1D940A83: message-id= -^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ 
postfix\/smtpd\[[0-9]+\]: warning: [-.[:alnum:]]+\[[.[:digit:]]+\]: SASL Plain authentication failed:$
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/cleanup\[[0-9]+\]: [[:xdigit:]]+: message-id=$
+# Jan 8 12:45:41 debian postfix/cleanup[4112707]: B371B3E840: replace: header Received: from debian-m2.debian-m2 (unknown [IPv6:2001:4707:d03d:0:a260:69ff:fec4:3a5f])??(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)?? key-exchange X25519 server-signature RSA-PSS from unknown[2001:407:d03d:0:a260:69ff:fec4:3a5f]; from= to= proto=ESMTP helo=: Received: from debian-m2 (thanks!)
-# Dec 13 11:50:26 linode2 postfix/cleanup[3960]: CD1D940A83: message-id=
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/cleanup\[[0-9]+\]: [[:xdigit:]]+: replace: header Received: from [\.[:alnum:]-]+ \(unknown \[[\.[:alnum:][:xdigit:]:]+\]\)\?\?\(using TLSv[0-9.]+ with cipher TLS_[[:alnum:]_]+ \([0-9\/]+ bits\)\?\? key-exchange [[:alnum:]-]+ server-signature RSA-PSS from unknown\[[[:xdigit:]:]+\]; from=<[[:alnum:]@_.-]+> to=<[[:alnum:]@_.-]+> proto=(E)SMTP helo=<[[:alnum:]@_.-]+>: Received: from [[:alnum:]-]+ \(thanks!\)$
-^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/cleanup\[[0-9]+\]: [[:xdigit:]]+: message-id=$
+# --- qmgr ---
+
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/qmgr\[[0-9]+\]: [[:xdigit:]]+: removed$
+
+# --- scache ---
+
+# Jan 8 11:05:37 debian postfix/scache[2995]: statistics: domain lookup hits=0 miss=1 success=0%
+
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/scache\[[0-9]+\]: statistics: (domain|address) lookup hits=[0-9]+ miss=[0-9]+ success=[0-9.]+%$
+
+# Jan 8 11:05:37 debian postfix/scache[2995]: statistics: start interval Jan 8 11:02:10
+
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/scache\[[0-9]+\]: statistics: start interval \w{3} [ :[:digit:]]{11}$
+# Jan 8 11:05:37 debian postfix/scache[4110981]: statistics: max simultaneous domains=1 addresses=1 connection=1
-# Nov 16 05:31:27 debian-linode postfix/smtpd[2253]: warning: 
hostname 30.223.46.89.baremetal.zare.com does not resolve to address 89.46.223.30: No address associated with hostname
+^\w{3} [ :[:digit:]]{11} [_[:alnum:]-]+ postfix\/scache\[[0-9]+\]: statistics: max simultaneous domains=[0-9]+ addresses=[0-9]+ connection=[0-9]+$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(\/submission|\/smtps|\/[0-9]+)?\/smtpd\[[[:digit:]]+\]: warning: hostname [[:alnum:].]+ does not resolve to address [.[:digit:]]+: No address associated with hostname$
diff --git a/ignore.d.server/domino-prometheus b/ignore.d.server/domino-prometheus
index 53f7f8a..34cb8fa 100644
--- a/ignore.d.server/domino-prometheus
+++ b/ignore.d.server/domino-prometheus
@@ -5,3 +5,6 @@
 # Nov 22 10:00:03 debian prometheus[32638]: level=info ts=2019-11-22T09:00:03.649576084Z caller=compact.go:391 component=tsdb msg="compact blocks" count=3 mint=1574380800000 maxt=1574402400000 ulid=01DT95DY28TPGM37SHKZGW8HNZ sources="[01DT8GTS3F22AAFPBRMCT8AHD6 01DT8QPFWB6RYKAM4PQVSWEQTT 01DT8YJ74G7F58SFX0JCEFRZER]" duration=121.365121ms
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ prometheus\[[0-9]+\]: level=info ts=[-[:digit:]TZ\.:]+ caller=(compact|head)\.go:[0-9]+ component=tsdb msg="(write block|head GC completed|compact blocks)?"( count=[0-9]+)?( mint=[0-9]+ maxt=[0-9]+ ulid=[[:alnum:]]+)?( sources="\[[[:alnum:] ]+\]")?( duration=[[:digit:]\.]+ms)?$
+
+# apc exporter
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ apcupsd-exporter\[[0-9]+\]: [[:digit:]\/]+ [[:digit:]:]+ &{status:[[:alnum:]]+ nomPower:[[:digit:]]+ batteryChargePercent:[[:digit:]]+ timeOnBattery:[[:digit:]]+ timeLeft:[[:digit:]]+ cumTimeOnBattery:[[:digit:]]+ loadPercent:[[:digit:].]+ batteryVoltage:[[:digit:].]+ lineVoltage:[[:digit:].]+ nomBatteryVoltage:[[:digit:].]+ nomInputVoltage:[[:digit:].]+ hostname:[[:alnum:]_-]+ upsName:[[:alnum:]]+}$
diff --git a/ignore.d.server/domino-python3 b/ignore.d.server/domino-python3
new file mode 100644
index 0000000..a1c2301
--- /dev/null
+++ b/ignore.d.server/domino-python3
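Review bot: In the new `improper command pipelining` rule, `[HELO]+` is a bracket expression rather than the alternation it was meant to be — it matches `HELO` and `EHLO`, but equally `LLLL` or `OH`; write `(HELO|EHLO)` so the intent is explicit. More important for a report filter: the `NOQUEUE: reject: RCPT from ... Relay access denied` rule removes every relay attempt from the report regardless of source, and the `Cannot start TLS: handshake failure` / `SSL_connect error` rules for `postfix/smtp` hide the cases where opportunistic outbound TLS fails and, depending on `smtp_tls_security_level`, the message goes out in the clear. If those are accepted as noise on this host, say so in a comment next to each rule so the next reader can tell a deliberate suppression from an oversight. The hunk replaces the whole file (`-1,47 +1,116`), so the `# --- smtpd ---` / `# --- smtp ---` markers are its only structure; a one-line header explaining that split would help.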
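Review bot: The new `apcupsd-exporter` rule contains unescaped braces in `&{status:` and `upsName:[[:alnum:]]+}`; in POSIX ERE a `{` that does not open a valid interval is undefined, and the rule only works because GNU grep treats such a brace as a literal. Escape them (`&\{status:` ... `upsName:[[:alnum:]]+\}$`) so the rule does not depend on that leniency and reads differently from the genuine intervals `\w{3}` and `{11}` on the same line. A sample log line above the rule, as the `prometheus` rule just above has, would also let a reader check the `nomPower`/`timeLeft` field order without running the exporter.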
@@ -0,0 +1,10 @@
+# ; -*- mode: conf; fill-column: 99999 -*-
+
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[[:digit:]:]+\]: Export: (otodom|gratka)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[[:digit:]:]+\]: Photos: (True|False)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[[:digit:]:]+\]: Exporting [0-9]+ objects.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[[:digit:]:]+\]: Connect to ftps...$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[[:digit:]:]+\]: [dwrx-]+\s*[0-9]+ [[:alnum:]@.]+\s*[[:alnum:]@._-]+\s*[0-9]+ [[:alnum:]]+\s*[0-9]+ [[:digit:]:]+ .*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[[:digit:]:]+\]: Export done.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]:]+\]: estatesexport@(otodom|gratka).service: Consumed [0-9.]+s CPU time.$
diff --git a/ignore.d.server/domino-spamass-milter b/ignore.d.server/domino-spamass-milter
new file mode 100644
index 0000000..6006b47
--- /dev/null
+++ b/ignore.d.server/domino-spamass-milter
@@ -0,0 +1,4 @@
+# ; -*- mode: conf; fill-column: 99999 -*-
+
+# Aug 20 15:49:12 debian spamass-milter[887]: Could not extract score from <>
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamass-milter\[[[:digit:]]+\]: Could not extract score from <>$
diff --git a/ignore.d.server/domino-spamd b/ignore.d.server/domino-spamd
new file mode 100644
index 0000000..155146a
--- /dev/null
+++ b/ignore.d.server/domino-spamd
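Review bot: These rules key on the generic program name `python3\[...\]`, which is what any Python script logging through systemd/syslog without a `SyslogIdentifier=` shows up as, so `Export done.`, `Connect to ftps...` and especially the directory-listing rule (`[dwrx-]+\s*[0-9]+ ... .*$`, which ends in an unbounded `.*`) will also silence matching output from any other `python3` process on the host. Set `SyslogIdentifier=estatesexport` in the `estatesexport@.service` unit and match on that name instead; the listing rule can then stay loose without hiding unrelated lines. The PID field is `[[:digit:]:]+` in every rule here while the rest of the directory uses `[0-9]+`/`[[:digit:]]+`; unless the identifier really contains colons, use the same class for consistency. None of the seven rules has a sample log line above it, unlike the other files in this change.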
@@ -0,0 +1,60 @@
+# ; -*- mode: conf; fill-column: 99999 -*-
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: connection from [[:alnum:]:]+ \[[[:alnum:]:]+\]:[0-9]+ to port [0-9]+, fd [0-9]+$
+
+# Jan 1 00:00:00 debian spamd[807]: dns: no callback for id 24621/IN/TXT/_adsp._domainkey.slsware.net, ignored, packet on next debug line
+# Jan 1 00:00:00 debian spamd[807]: dns: no callback for id 15235/IN/MX/slsware.net, ignored, packet on next debug line
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: dns: no callback for id [[:alnum:]\._\/-]+, ignored, packet on next debug line$
+
+# Jan 1 00:00:00 debian spamd[807]: dns: no likely matching queries for id 15235
+# Jan 1 00:00:00 debian spamd[807]: dns: no likely matching queries for id 24621
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: dns: no likely matching queries for id [0-9]+$
+
+# Apr 14 15:16:56 debian spamd[18599]: spamd: result: Y 5 - FREEMAIL_FORGED_REPLYTO,HTML_MESSAGE,SPF_FAIL,TO_NO_BRKTS_HTML_IMG scantime=1.0,size=16475,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43742,mid=<98140bdf92d37fc0d41dc08b9c4fe028@domain.com>,autolearn=no autolearn_force=no
+# Apr 14 15:16:56 debian spamd[18600]: spamd: result: Y 5 - FREEMAIL_FORGED_REPLYTO,HTML_MESSAGE,SPF_FAIL,TO_NO_BRKTS_HTML_IMG scantime=1.0,size=16991,user=abc-1,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43744,mid=<98140bdf92d37fc0d41dc08b9c4fe028@domain.com>,autolearn=no autolearn_force=no
+# Apr 14 15:48:13 debian spamd[18599]: spamd: result: . 0 - DKIMWL_WL_MED,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS,HTML_IMAGE_RATIO_06,HTML_MESSAGE,LOTS_OF_MONEY,MAILING_LIST_MULTI,SPF_SOFTFAIL scantime=1.0,size=23150,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=43862,mid=,autolearn=no autolearn_force=no
+# Apr 15 14:48:25 debian spamd[8102]: spamd: result: . 
-6 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,SPF_FAIL,URIBL_BLOCKED,USER_IN_DEF_DKIM_WL scantime=0.5,size=21463,user=abc,uid=109,required_score=5.0,rhost=::1,raddr=::1,rport=46926,mid=,autolearn=no autolearn_force=no
+# Dec 13 09:00:14 debian spamd[9959]: spamd: result: . -2 - BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_PASS,SPF_PASS,URIBL_BLOCKED scantime=0.6,size=2609,user=user@domain.com,uid=115,required_score=5.0,rhost=::1,raddr=::1,rport=56124,mid=<20201213080002.187DD501447@hostname>,bayes=0.000000,autolearn=ham autolearn_force=no
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: [[:alnum:].]+ [[:digit:]-]+ - [[:alnum:]_,]+ scantime=[0-9.]+,size=[0-9]+,user=[[:alnum:]@_.-]+,uid=[0-9]+,required_score=[0-9.]+,rhost=[[:digit:]:.]+,raddr=[[:digit:]:.]+,rport=[0-9]+,mid=(<[[:alnum:]:=\$_\/@.+-]+>|\(unknown\)),(bayes=[0-9.]+,)?(rmid=<[[:alnum:]:\$=_\/@.+-]+>,)?autolearn=(yes|no|spam|ham) autolearn_force=(yes|no)$
+
+# Apr 20 11:39:28 debian spamd[23580]: spamd: using default config for user@domain.com: /home/vmail/domain.com/.spamassasin/user_-1/user_prefs
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: using default config for [[:alnum:].@_-]+: \/home\/vmail\/[[:alnum:]_.-]+\/.spamassassin\/[[:alnum:]_-]+\/user_prefs$
+
+# Jan 1 00:00:00 debian spamd[19297]: spamd: server socket closed, type IO::Socket::IP
+# Jan 1 00:00:00 debian spamd[19297]: spamd: server socket closed, type IO::Socket::IP
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server socket closed, type IO::Socket::IP$
+
+# Jan 1 00:00:00 debian spamd[66370]: zoom: able to use 371/372 'body_0' compiled rules (99.731%)
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: zoom: able to use [0-9\/]+ 'body_0' compiled rules \([0-9.]+\%\)$
+
+# Jan 1 00:00:00 debian spamd[4108]: prefork: child states: II [... 
logline repeated 47 times]
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: prefork: child states: II \[\.\.\. logline repeated [0-9]+ times\]$
+
+# Jan 1 00:00:00 debian spamd[6670]: spamd: server started on IO::Socket::IP [::1]:783, IO::Socket::IP [127.0.0.1]:783 (running version 3.4.2)
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server started on IO::Socket::IP \[::1\]:783, IO::Socket::IP \[[0-9.]+\]:783 \(running version [0-9.]+\)$
+
+# May 7 06:35:43 debian spamd: spamd: restarting using '/usr/sbin/spamd -d --pidfile=/var/run/spamd.pid --create-prefs --max-children 5 --helper-home-dir -u debian-spamd -x --virtual-config-dir=/home/vmail/%d/.spamassassin/%l --allow-tell'
+# Jan 1 06:55:16 debian spamd: spamd: restarting using '/usr/sbin/spamd -d --pidfile=/run/spamd.pid --create-prefs --max-children 5 --helper-home-dir -u debian-spamd -x --virtual-config-dir=/home/vmail/%d/.spamassassin/%l --allow-tell'
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd: spamd: restarting using '\/usr\/sbin\/spamd -d --pidfile=(\/var)?\/run\/spamd\.pid --create-prefs --max-children [0-9]+ --helper-home-dir -u debian-spamd -x --virtual-config-dir=\/home\/vmail\/\%d\/.spamassassin\/\%l --allow-tell'$
+
+# Aug 22 06:55:05 debian spamd[251886]: spamd: server pid: 251886
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: spamd: server pid: [0-9]+$
+
+# May 28 11:25:25 debian spamd[28526]: spamd: using default config for spamass-milter: /home/vmail//.spamassassin//user_prefs
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: spamd: using default config for spamass-milter: \/home\/vmail\/\/.spamassassin\/\/user_prefs$
+
+# Jan 8 20:04:03 debian spamd[4105928]: spamd: processing message aka for me@mail.com:115
+# Jan 8 10:02:08 debian spamd[4105928]: spamd: processing message <20230108090202.C0EC43C174@someone.com> for me@domain.com:115
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: spamd: processing message 
<[[:alnum:]:=\$_\/@.+-]+>( aka <[[:alnum:]:=\$_\/@.+-]+>)? for [@._[:alnum:]-]+:[0-9]+$
+
+# Jan 8 10:02:16 debian spamd[4105928]: spamd: clean message (-2.1/5.0) for me@domain.com:115 in 0.1 seconds, 2269 bytes.
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: spamd: clean message \([0-9\/.-]+\) for [@._[:alnum:]-]+:[0-9]+ in [0-9.]+ seconds, [0-9]+ bytes.$
+
+# Jan 8 06:54:32 debian spamd[23459]: spamd: server successfully spawned child process, pid 23460
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: spamd: server successfully spawned child process, pid [0-9]+$
+
+# Jan 8 07:24:47 debian spamd[4066587]: logger: removing stderr method
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: logger: removing stderr method$
+
+
diff --git a/ignore.d.server/domino-squid b/ignore.d.server/domino-squid
new file mode 100644
index 0000000..eb3a69a
--- /dev/null
+++ b/ignore.d.server/domino-squid
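Review bot: The `spamd: connection from [[:alnum:]:]+ \[[[:alnum:]:]+\]:[0-9]+` and `server started on IO::Socket::IP \[::1\]:783, IO::Socket::IP \[[0-9.]+\]:783` rules accept any client and any IPv4 listen address, yet the sample shows spamd bound to loopback only and the `restarting using` samples show it running with `--allow-tell`, i.e. any client that can reach port 783 may TELL it to learn/forget and retrain Bayes. If the bind address ever changes to `0.0.0.0` or a non-local client gets through, both rules would keep exactly those lines out of the report; pin them to loopback — `\[127\.0\.0\.1\]:783` in the startup rule and `(::1|127\.0\.0\.1)` for the client in the connection rule — so a change in exposure stays visible. Also, the `using default config for user@domain.com` sample spells the directory `.spamassasin` while the rule under it expects `.spamassassin`; fix the sample so it actually matches the rule it documents.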
@@ -0,0 +1,88 @@
+# ; -*- mode: conf; fill-column: 99999 -*-
+
+# Jan 9 00:00:03 debian squid[384047]: storeDirWriteCleanLogs: Starting...
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: storeDirWriteCleanLogs: Starting...$
+
+# Jan 9 00:00:03 debian squid[384047]: Finished. Wrote 0 entries.
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: [\s]+Finished. Wrote [0-9]+ entries.$
+
+# Jan 9 00:00:03 debian squid[384047]: Took 0.00 seconds ( 0.00 entries/sec).
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: [\s]+Took [0-9.]+ seconds \([\s0-9.]+ entries\/sec\).$
+
+#Apr 9 10:45:52 debian squid[30555]: Logfile: closing log stdio:/var/spool/squid/netdb.state
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Logfile: (opening|closing) log stdio:\/var\/spool\/squid\/[[:alnum:].]+$
+
+#Apr 9 10:45:52 debian squid[30555]: NETDB state saved; 0 entries, 0 msec
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: NETDB state saved; [0-9.]+ entries, [0-9.]+ msec$
+
+# Jan 1 00:00:00 debian squid[12451]: Squid Parent: (squid-1) process 14076 started
+# Jan 1 00:00:00 debian squid[12451]: Squid Parent: squid-1 process 23082 exited due to signal 6 with status 0
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Squid Parent: \(?squid-1\)? process [0-9]+ (started|exited due to signal [0-9]+ with status [0-9]+)$
+
+# Jan 1 00:00:00 debian squid[14076]: Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 flags=9
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Accepting HTTP Socket connections at local=\[::\]:[0-9]+ remote=\[::\] FD [0-9]+ flags=[0-9]+$
+
+# Jan 1 00:00:00 debian squid[14076]: Adaptation support is off.
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Adaptation support is off.$
+
+# Jan 1 00:00:00 debian squid[14076]: DNS Socket created at 1.2.3.4, FD 9
+# Jan 1 00:00:00 debian squid[14076]: DNS Socket created at [::], FD 5
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: DNS Socket created at ([.[:digit:]]+|\[[\.:[:xdigit:]+]\]|\[::\]), FD [0-9]+$
+
+# Jan 1 00:00:00 debian squid[14076]: Finished loading MIME types and icons.
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Finished loading MIME types and icons.$
+
+# Jan 1 00:00:00 debian squid[14076]: Initializing IP Cache...
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Initializing IP Cache...$
+
+# Jan 1 00:00:00 debian squid[14076]: Logfile Daemon: opening log /var/log/squid/access.log
+# Jan 1 00:00:00 debian squid[14076]: Logfile: opening log daemon:/var/log/squid/access.log
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Logfile( Daemon)?: (opening|closing) log (daemon:)?\/var\/log\/squid\/[[:alnum:].]+$
+
+# Jan 1 00:00:00 debian squid[14076]: Pinger socket opened on FD 14
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Pinger socket opened on FD [0-9]+$
+
+# Jan 1 00:00:00 debian squid[14076]: Process Roles: worker
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Process Roles: worker$
+
+# Jan 1 00:00:00 debian squid[14076]: Service Name: squid
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Service Name: squid$
+
+# Jan 1 00:00:00 debian squid[14076]: Squid plugin modules loaded: 0
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Squid plugin modules loaded: [0-9]+$
+
+# Jan 1 00:00:00 debian squid[14076]: Starting Squid Cache version 4.6 for x86_64-pc-linux-gnu...
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Starting Squid Cache version [0-9.]+ for x86_64-pc-linux-gnu\.\.\.$
+
+# Jan 1 00:00:00 debian squid[14076]: Store logging disabled
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Store logging disabled$
+
+# Jan 1 00:00:00 debian squid[14076]: Swap maxSize 0 + 262144 KB, estimated 20164 objects
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Swap maxSize [0-9]+ \+ [0-9]+ KB, estimated [0-9]+ objects$
+
+# Jan 1 00:00:00 debian squid[23082]: Closing Pinger socket on FD 14
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Closing Pinger socket on FD [0-9]+$
+
+# Jan 1 00:00:00 debian squid[23082]: assertion failed: comm.cc:428: "!isOpen(conn->fd)"
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: assertion failed: [[:alnum:].:]+ \"\!isOpen\([[:alnum:]>-]+\)\"$
+
+# Jan 1 00:00:00 debian squid[23082]: logfileRotate: daemon:/var/log/squid/access.log
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: logfileRotate: daemon:\/var\/log\/squid\/[[:alnum:]]+.log$
+
+# Apr 20 09:01:27 debian squid[4642]: Startup: Initializing Authentication Schemes ...
+# Apr 20 09:01:27 debian squid[4642]: Startup: Initialized Authentication Scheme 'basic'
+# Apr 20 09:01:27 debian squid[4642]: Startup: Initialized Authentication.
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Startup: Initializ(ed|ing) Authentication\.?( Scheme(s)? (\.\.\.|\'[[:alnum:]]+\'))?
+
+# Apr 20 09:01:27 debian squid[4642]: Processing Configuration File: /etc/squid/squid.conf (depth 0)
+# Apr 20 09:01:27 debian squid[4642]: Processing Configuration File: /etc/squid/conf.d/debian.conf (depth 1)
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Processing Configuration File: \/etc\/squid\/(conf\.d\/)?[[:alnum:].]+ \(depth [0-9]+\)$
+
+# Apr 20 09:01:27 debian squid[4642]: Reconfiguring Squid Cache (version 4.6)...
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Reconfiguring Squid Cache \(version [0-9.]+\)\.\.\.$ + +# Apr 20 09:01:27 debian squid[4642]: Closing HTTP(S) port [::]:3128 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Closing HTTP(S) port \[[0-9a-f:]+\]:[0-9]+$ + +# Apr 20 09:01:27 debian squid[4642]: Initializing https:// proxy context +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ squid\[[[:digit:]]+\]: Initializing https\:\/\/ proxy context$ diff --git a/ignore.d.server/domino-sshd b/ignore.d.server/domino-sshd index 0dfb703..13cd143 100644 --- a/ignore.d.server/domino-sshd +++ b/ignore.d.server/domino-sshd @@ -1,5 +1,6 @@ # ; -*- mode: text; fill-column: 99999 -*- -# Sep 21 19:15:41 router sshd[1743]: Connection closed by authenticating user root 1.2.3.4 port 51354 [preauth] +# Sep 21 19:15:41 debian sshd[1743]: Connection closed by authenticating user root 1.2.3.4 port 51354 [preauth] +# Oct 4 17:29:59 debian sshd[6511]: Connection closed by authenticating user www-data 10.4.0.1 port 45568 [preauth] -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by authenticating user [[:alnum:]]+ [.[:digit:]]+ port [0-9]+ \[preauth\]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by authenticating user [-[:alnum:]]+ [.[:digit:]]+ port [0-9]+ \[preauth\]$ diff --git a/ignore.d.server/domino-sudodomino-apt b/ignore.d.server/domino-sudodomino-apt new file mode 100644 index 0000000..5b163ac --- /dev/null +++ b/ignore.d.server/domino-sudodomino-apt 
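Review bot: The `Finished. Wrote` and `Took ... seconds` rules use `[\s]+`, but inside a POSIX bracket expression `\s` is the two literal characters `\` and `s`, so neither rule can match the lines in the samples above them; use `[[:space:]]+` (and `[[:space:]0-9.]+` in the second rule). The `Closing HTTP(S) port` rule has a similar problem: the unescaped parentheses form a group, so it matches `HTTPS port` but not the literal `HTTP(S) port` shown in its sample; write `HTTP\(S\) port`. From a monitoring standpoint, the `Squid Parent` rule silences every `exited due to signal [0-9]+` line and the `assertion failed` rule silences squid aborts; both are crash indicators that logcheck should keep surfacing, so consider limiting the first rule to `started` and dropping the second.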
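Review bot: The widened user class `[-[:alnum:]]+` still excludes `_` and `.`, which Debian allows in account names (e.g. `_apt`), so preauth closes for such accounts will keep being reported; `[-._[:alnum:]]+` would cover them. More importantly, the rule drops `Connection closed by authenticating user ... [preauth]` for every account, including `root` as in the first sample, and these lines are the main evidence of password guessing against sshd; if the intent is only to quiet known automation, pin the user name or the source address rather than matching any name.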
@@ -0,0 +1,5 @@ +# ; -*- mode: conf; fill-column: 99999 -*- + +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: pam_ssh_agent_auth: matching key found: file\/command \/etc\/security\/authorized_keys, line [0-9]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: pam_ssh_agent_auth: Found matching [[:alnum:]]+ key: [[:xdigit:]:]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: pam_ssh_agent_auth: Authenticated: `[[:alnum:]]+' as `[[:alnum:]]+' using \/etc\/security\/authorized_keys$ diff --git a/ignore.d.server/domino-syncthing b/ignore.d.server/domino-syncthing new file mode 100644 index 0000000..da03432 --- /dev/null +++ b/ignore.d.server/domino-syncthing @@ -0,0 +1,4 @@ +# ; -*- mode: conf; fill-column: 99999 -*- + +# Dec 26 13:14:11 debian syncthing[1362758]: [IF6O5] INFO: +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ syncthing\[[[:digit:]]+\]: \[[[:alnum:]]+\] INFO: diff --git a/ignore.d.server/domino-syslog b/ignore.d.server/domino-syslog index 4f982cc..e045b7c 100644 --- a/ignore.d.server/domino-syslog +++ b/ignore.d.server/domino-syslog @@ -1,5 +1,5 @@ -# ; -*- mode: text; fill-column: 99999 -*- +# ; -*- mode: conf; fill-column: 99999 -*- # Sep 18 00:00:04 debian-linode rsyslogd: [origin software="rsyslogd" swVersion="8.1901.0" x-pid="720" x-info="https://www.rsyslog.com"] rsyslogd was HUPed +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd:\s? \[origin software=\"rsyslogd\" swVersion=\"[[:digit:].]+\" x-pid=\"[0-9]+\" x-info=\"https:\/\/www.rsyslog.com\"\] rsyslogd was HUPed$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd: \[origin software=\"rsyslogd\" swVersion=\"[[:digit:].]+\" x-pid=\"[0-9]+\" x-info=\"https:\/\/www.rsyslog.com\"\] rsyslogd was HUPed$ diff --git a/ignore.d.server/domino-systemd b/ignore.d.server/domino-systemd index ce2e8d7..19f845c 100644 --- a/ignore.d.server/domino-systemd +++ b/ignore.d.server/domino-systemd 
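Review bot: The `Authenticated:` rule accepts any `[[:alnum:]]+` for both the authenticating and the target account, so every successful pam_ssh_agent_auth sudo authentication on the host is suppressed, not just the apt automation the file name suggests; pin the pair, e.g. `` Authenticated: `USER' as `TARGET' using `` with the real account names in place of the placeholders, and likewise the `Found matching ... key:` rule could carry the expected fingerprint so a newly accepted key is still reported. The `[[:alnum:]]+` classes also exclude `-`, `_` and `.`, so a hyphenated service account would fall through and be reported rather than ignored.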
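Review bot: The single rule in this file has no trailing anchor and no message text after `INFO:`, so it suppresses every INFO-level line syncthing writes, not just the one in the sample (which is itself cut off after `INFO:`). INFO is, as far as I recall, also the level syncthing uses for device connection and folder events, so a blanket rule hides exactly the changes an operator would want to notice; list the specific messages instead, each anchored with `$`.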
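Review bot: The new `rsyslogd:\s? \[origin` still requires a literal space after the optional `\s`, so it accepts one or two spaces but not a tab or a longer run, and `\s` is a GNU extension rather than POSIX ERE; `rsyslogd:[[:space:]]+\[origin` expresses the intent directly. The dots in `www.rsyslog.com` are unescaped in both the old and the new rule, which only widens the match slightly, but `www\.rsyslog\.com` would be consistent with the other escaping on the line.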
@@ -1,65 +1,107 @@ -# ; -*- mode: text; fill-column: 99999 -*- - -# Jun 23 07:09:04 router systemd[1]: phpsessionclean.service: Succeeded. -# Jun 23 16:15:03 router systemd[1]: apt-daily.service: Succeeded. -# Jun 26 06:46:39 router systemd[1]: apt-daily-upgrade.service: Succeeded. -# Aug 11 20:05:44 debian systemd[1]: session-193.scope: Succeeded. -# Aug 14 00:00:15 debian systemd[1]: cups.path: Succeeded. -# Aug 14 00:00:15 debian systemd[1]: cups.socket: Succeeded. -# Sep 20 08:06:32 router systemd[1]: user@33.service: Succeeded. -# Sep 20 08:06:32 router systemd[658]: run-user-33.mount: Succeeded. -# Sep 20 08:06:32 router systemd[1]: run-user-33.mount: Succeeded. -# Sep 20 08:06:32 router systemd[1]: user-runtime-dir@33.service: Succeeded. -# Sep 20 08:06:33 router systemd[1]: user@1000.service: Succeeded. -# Sep 20 08:06:33 router systemd[1]: run-user-1000.mount: Succeeded. -# Sep 20 08:06:33 router systemd[1]: user-runtime-dir@1000.service: Succeeded. +# ; -*- mode: conf; fill-column: 99999 -*- + +# Jan 1 00:00:00 debian systemd[1]: Finished Autocommit of changes in /etc directory. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Autocommit of changes in \/etc directory\.$ + +# Jan 1 00:00:00 debian systemd[1]: Finished Certbot. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Certbot\.$ + +# Jan 1 00:00:00 debian systemd[1]: Finished Cleanup of Temporary Directories. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Cleanup of Temporary Directories\.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Gets the latest METAR message\.$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: [-[:alnum:].@]+.(service|path|socket|scope|mount): Succeeded.$ +# Jan 1 00:00:00 debian systemd[1]: Finished Daily apt download activities. +# Jan 1 00:00:00 debian systemd[1]: Finished Daily apt upgrade and clean activities. 
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Daily apt (download|upgrade and clean) activities\.$ + +# Jan 1 00:00:00 debian systemd[1]: Finished Daily man-db regeneration. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Daily man-db regeneration\.$ + +# Jan 1 00:00:00 debian systemd[1]: Finished Rotate log files. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Rotate log files\.$ + +# Sep 20 08:06:33 router systemd[1]: user-runtime-dir@1000.service: Succeeded. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: [-_[:alnum:].@]+.(service|path|socket|scope|timer|mount): Succeeded.$ # Aug 14 00:00:15 debian systemd[1]: Closed CUPS Scheduler. # Aug 14 00:00:15 debian systemd[1]: Listening on CUPS Scheduler. - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Closed|Listening on) CUPS Scheduler.$ -# timesyncd: # Aug 14 08:22:50 debian systemd-timesyncd[762]: Synchronized to time server for the first time 193.219.28.147:123 (2.debian.pool.ntp.org). # Nov 14 13:35:50 debian systemd-timesyncd[291]: Synchronized to time server for the first time 91.212.242.20:123 (0.debian.pool.ntp.org). +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[[:digit:]]+\]: Synchronized to time server for the first time [.[:digit:]:]+ \([.[:alnum:]]+\).$ + +# Jan 1 00:00:00 debian systemd-timesyncd[14223]: Network configuration changed, trying to establish connection. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[[:digit:]]+\]: Network configuration changed, trying to establish connection\.$ + +# Jan 1 00:00:00 debian systemd-timesyncd[14223]: Initial synchronization to time server 1.2.3.4:123 (0.debian.pool.ntp.org). 
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[[:digit:]]+\]: Initial synchronization to time server [.[:digit:]:]+ \([.[:alnum:]]+\).$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[[:digit:]]+\]: Timed out waiting for reply from [.[:digit:]:]+ \([.[:alnum:]]+\).$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-timesyncd\[[[:digit:]]+\]: Synchronized to time server for the first time [.[:digit:]:]+ \([.[:alnum:]]+\).$ -# systemd-networkd-wait-online: -# Aug 14 06:24:04 debian systemd-networkd-wait-online[1360]: Event loop failed: Connection timed out -# Aug 14 06:39:06 debian systemd-networkd-wait-online[2275]: Event loop failed: Connection timed out # Aug 13 23:53:11 debian systemd-networkd-wait-online[7015]: Event loop failed: Connection timed out - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-networkd-wait-online\[[[:digit:]]+\]: Event loop failed: Connection timed out$ - # Nov 15 08:04:02 router systemd-networkd[28813]: tun1: Gained carrier # Nov 15 08:04:02 router systemd-networkd[28813]: tun1: Gained IPv6LL # Nov 15 08:14:59 router systemd-networkd[28813]: tun1: Lost carrier - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-networkd\[[[:digit:]]+\]: tun[0-9]+: (Gained|Lost) (carrier|IPv6LL)$ +# Jan 1 00:00:00 debian systemd-networkd[14240]: tun1: Link UP +# Jan 1 00:00:00 debian systemd-networkd[14240]: tun1: Link DOWN +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-networkd\[[[:digit:]]+\]: tun[0-9]+: Link (UP|DOWN)$ # Nov 15 09:12:43 router systemd-udevd[17579]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable. - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-udevd\[[[:digit:]]+\]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.$ - # Sep 20 13:12:43 router systemd[1]: Created slice User Slice of UID 33. # Sep 20 08:06:32 router systemd[1]: Removed slice User Slice of UID 33. 
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[ :[:digit:]]+\]: (Created|Removed) slice (User Slice of UID [[:digit:]]+)?.$ -# systemd-logind: # Sep 20 13:17:24 router systemd-logind[486]: Session 760 logged out. Waiting for processes to exit. +# Apr 28 21:56:49 debian systemd-logind[398]: Session c4 logged out. Waiting for processes to exit. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[ :[:digit:]]+\]: Session [[:alnum:]]+ logged out. Waiting for processes to exit.$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[ :[:digit:]]+\]: Session [0-9]+ logged out. Waiting for processes to exit.$ - -# D-Bus: # Sep 20 08:03:29 router systemd[658]: Listening on D-Bus User Message Bus Socket. # Sep 20 08:06:33 router systemd[658]: Closed D-Bus User Message Bus Socket. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Listening on|Closed) D-Bus User Message Bus Socket.$ + +# Jan 1 00:00:00 debian systemd[13129]: Finished Exit the Session. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Exit the Session\.$ + +# Jan 1 00:00:00 debian systemd[1]: Finished Clean php session files. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Clean php session files\.$ + +# Jan 1 00:00:00 debian systemd[1]: Finished Collect apt metrics for prometheus-node-exporter. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Collect [[:alnum:]]+ metrics for prometheus-node-exporter\.$ + +# Jan 1 00:00:00 debian systemd[1]: Finished User Runtime Directory /run/user/1000. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished User Runtime Directory \/run\/user\/[0-9]+\.$ + +# Dec 4 19:11:12 debian systemd[19869]: Queued start job for default target Main User Target. 
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Queued start job for default target Main User Target.$ + +# Jan 23 07:35:48 debian systemd[1]: session-c18.scope: Consumed 1.201s CPU time. +# Aug 31 23:25:00 debian systemd[1]: session-15432.scope: Consumed 1min 52.828s CPU time. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: [[:alnum:]-]+.(service|scope|slice): Consumed [[:digit:].]+s CPU time.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: [[:alnum:]-]+.(service|scope|slice): Consumed ([[:digit:]]+min )?[[:digit:].]+s CPU time.$ + +# Jan 23 07:35:47 debian systemd[563453]: Created slice User Application Slice. +# Jan 23 07:35:58 debian systemd[563453]: Removed slice User Application Slice. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Created|Removed) slice User Application Slice.$ + +# Jan 24 20:23:37 debian systemd[1068423]: Created slice app-lsyncd.slice. +# Jan 24 20:23:49 debian systemd[1068423]: Removed slice app-lsyncd.slice. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Created|Removed) slice [[:alnum:].-]+.$ + +# Jan 25 00:00:01 debian systemd[1]: rsyslog.service: Sent signal SIGHUP to main process 572 (rsyslogd) on client request. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: rsyslog.service: Sent signal SIGHUP to main process [0-9]+ \(rsyslogd\) on client request.$ + +# Apr 22 07:39:39 debian systemd: pam_unix(systemd-user:session): session opened for user nobody(uid=65534) by (uid=0) +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (systemd|runuser): pam_unix\((systemd-user|runuser):session\): session opened for user [[:alnum:]-]+\(uid=[0-9]+\) by \(uid=[0-9]+\)$ + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Online ext4 Metadata Check for All Filesystems\.$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Listening on|Closed) D-Bus User Message Bus Socket. 
+# Jan 8 11:19:14 debian systemd[1884981]: Reached target Main User Target. +# Jan 8 11:20:30 debian systemd[1884981]: Reached target Exit the Session. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[ :[:digit:]]+\]: Reached target (Main User Target|Exit the Session).$ diff --git a/ignore.d.server/domino-tor b/ignore.d.server/domino-tor index 44d9f0e..d86f818 100644 --- a/ignore.d.server/domino-tor +++ b/ignore.d.server/domino-tor 
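Review bot: The first `Consumed ... CPU time` rule is fully subsumed by the one directly below it, whose `([[:digit:]]+min )?` group is optional, so the first can be dropped. The `pam_unix\((systemd-user|runuser):session\)` rule matches any target user and any calling uid; session opens through `runuser` are the audit trail for root executing work as other accounts, so consider pinning `by \(uid=0\)` and the expected accounts, or giving runuser its own narrower rule so the systemd-user noise can be silenced without it. The new `Reached target` rule also copies the `[ :[:digit:]]+` PID class from the older logind rule, while the other new rules use `[[:digit:]]+`; a space or colon inside the brackets is never wanted there.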
@@ -1,21 +1,61 @@ -# ; -*- mode: text; fill-column: 99999 -*- +# ; -*- mode: conf; fill-column: 99999 -*- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Your network connection speed appears to have changed. Resetting timeout to [[:digit:]]+s after [[:digit:]]+ timeouts and [[:digit:]]+ buildtimes.$ + ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: We now have enough directory information to build circuits.$ + ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: I learned some more directory information, but not enough to build a circuit: We're missing descriptors for [/[:digit:]]+ of our primary entry guards \(total microdescriptors: [/[:digit:]]+\).$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Our directory information is no longer up-to-date enough to build circuits: We're missing descriptors for [/[:digit:]]+ of our primary entry guards \(total microdescriptors: [/[:digit:]]+\).$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Your Guard grocock ([\$[:alnum:]]+) is failing a very large amount of circuits. Most likely this means the Tor network is overloaded, but it could also mean an attack against you or potentially the guard itself. Success counts are [/[:digit:]]+. Use counts are [/[:digit:]]+. [[:digit:]]+ circuits completed, [[:digit:]]+ were unusable, [[:digit:]]+ collapsed, and [[:digit:]]+ timed out. For reference, your timeout cutoff is [[:digit:]]+ seconds.$ + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: I learned some more directory information, but not enough to build a circuit: We're missing descriptors for [\/[:digit:]]+ of our primary entry guards \(total microdescriptors: [\/[:digit:]]+\). That's ok. 
We will try to fetch missing descriptors soon.$ + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Our directory information is no longer up-to-date enough to build circuits: We're missing descriptors for [\/[:digit:]]+ of our primary entry guards \(total microdescriptors: [\/[:digit:]]+\).( That's ok. We will try to fetch missing descriptors soon.)?$ + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: (Your )?Guard [[:alnum:]]+ \([\$[:alnum:]]+\) is failing a very large amount of circuits. Most likely this means the Tor network is overloaded, but it could also mean an attack against you or potentially the guard itself\. Success counts are [0-9]+\/[0-9]+\. Use counts are [0-9]+\/[0-9]+. [[:digit:]]+ circuits completed, [[:digit:]]+ were unusable, [[:digit:]]+ collapsed, and [[:digit:]]+ timed out. For reference, your timeout cutoff is [[:digit:]]+ seconds.$ + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: (Your )?Guard [[:alnum:]]+ \([\$[:alnum:]]+\) is failing an extremely large amount of circuits. This could indicate a route manipulation attack, extreme network overload, or a bug. Success counts are [0-9]+\/[0-9]+. Use counts are [0-9]+\/[0-9]+. [0-9]+ circuits completed, [0-9]+ were unusable, [0-9]+ collapsed, and [0-9]+ timed out. For reference, your timeout cutoff is [0-9]+ seconds.$ + ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Average packaged cell fullness: [.[:digit:]]+\%. TLS write overhead: [.[:digit:]]+\%$ # Jun 25 19:20:39 router Tor[992]: Heartbeat: Tor's uptime is 6:00 hours, with 6 circuits open. I've sent 878 kB and received 1.70 MB. +# Jul 21 00:02:11 debian Tor[647]: Heartbeat: Tor's uptime is 1 day 12:00 hours, with 9 circuits open. I've sent 14.64 MB and received 18.83 MB. I've received 0 connections on IPv4 and 0 on IPv6. +# Jul 21 12:02:11 debian Tor[647]: Heartbeat: Tor's uptime is 2 days 0:00 hours, with 9 circuits open. I've sent 21.09 MB and received 25.67 MB. 
I've received 0 connections on IPv4 and 0 on IPv6. I've made 40 connections with IPv4 and 0 with IPv6. -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Heartbeat: Tor's uptime is( [0-9]+ days)? [[:digit:]:]+ hours, with [0-9]+ circuits open. I've sent [.[:digit:]]+ [[:alnum:]]{1,2} and received [.[:digit:]]+ [[:alnum:]]{1,2}.$ - -# Nov 7 00:01:05 linode2 Tor[14367]: Read configuration file "/usr/share/tor/tor-service-defaults-torrc". -# Nov 7 00:01:05 linode2 Tor[14367]: Read configuration file "/etc/tor/torrc". +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Heartbeat: Tor's uptime is( [0-9]+ days?)? [[:digit:]:]+ hours, with [0-9]+ circuits open. I've sent [.[:digit:]]+ [[:alnum:]]{1,2} and received [.[:digit:]]+ [[:alnum:]]{1,2}.( I've received [0-9]+ connections on IPv4 and [0-9]+ on IPv6.)?( I've made [0-9]+ connections with IPv4 and [0-9]+ with IPv6.)?$ +# Nov 7 00:01:05 debian Tor[14367]: Read configuration file "/usr/share/tor/tor-service-defaults-torrc". +# Nov 7 00:01:05 debian Tor[14367]: Read configuration file "/etc/tor/torrc". ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Read configuration file "[[:alnum:]\/-]+".$ -# Nov 7 00:01:05 linode2 Tor[14367]: Received reload signal (hup). Reloading config and resetting internal state. - +# Nov 7 00:01:05 debian Tor[14367]: Received reload signal (hup). Reloading config and resetting internal state. ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Received reload signal \(hup\)\. Reloading config and resetting internal state\.$ + +# Jan 01 00:00:00 debian Tor[14367]: Requested exit point '$39C1B28407EAC759801AFCB7106D5DC05B42A8C9' is not known. Closing. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Requested exit point \'[[:alnum:]$]+\' is not known. Closing.$ + +# Jun 2 11:59:22 dell-r710 Tor[2585]: Failed to find node for hop #1 of our path. Discarding this circuit. 
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Failed to find node for hop #[0-9]+ of our path\. Discarding this circuit\.$ + +# Aug 27 00:07:54 debian Tor[1986412]: Received http status code 404 ("Not found") from server '1.2.3.4:443' while fetching consensus directory. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Received http status code 404 \("Not found"\) from server '[[:digit:].:]+' while fetching consensus directory.$ + +# Sep 1 13:09:14 debian Tor[809]: No circuits are opened. Relaxed timeout for circuit 4552 (a Measuring circuit timeout 3-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway. [11 similar message(s) suppressed in last 3600 seconds] +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: No circuits are opened\. Relaxed timeout for circuit [0-9]+ \(a Measuring circuit timeout [0-9]+-hop circuit in state doing handshakes with channel state open\) to [0-9]+ms\. However, it appears the circuit has timed out anyway\. \[[0-9]+ similar message\(s\) suppressed in last 3600 seconds\]$ + +# Oct 5 06:19:34 debian Tor[1986412]: Received http status code 404 ("Consensus is too old") from server '1.2.3.4:443' while fetching consensus directory. +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Received http status code [0-9]+ \("Consensus is too old"\) from server '[.[:digit:]:]+' while fetching consensus directory.$ + +# Apr 25 14:32:41 debian Tor[28899]: http status 400 ("Nonauthoritative directory does not accept posted server descriptors") response from dirserver '185.100.87.41:443'. Malformed rendezvous descriptor? +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: http status 400 \("Nonauthoritative directory does not accept posted server descriptors"\) response from dirserver '[[:digit:].:]+'. 
Malformed rendezvous descriptor\?$ + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Our onion service received [0-9]+ v2 and [0-9]+ v3 [[:alnum:]]+ cells and attempted to launch [0-9]+ rendezvous circuits.$ + +# May 1 02:29:21 debian Tor[32138]: Tor has not observed any network activity for the past 150 seconds. Disabling circuit build timeout recording. + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Tor has not observed any network activity for the past [0-9]+ seconds\. Disabling circuit build timeout recording\.$ + +# May 1 02:29:27 debian Tor[32138]: Tor now sees network activity. Restoring circuit build timeout recording. Network was down for 156 seconds during 4 circuit attempts. + +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Tor now sees network activity. Restoring circuit build timeout recording\. Network was down for [0-9]+ seconds during 4 circuit attempts\.$ + +# Jul 21 00:02:11 debian Tor[647]: While not bootstrapping, fetched this many bytes: 1055429 (consensus network-status fetch); 326938 (microdescriptor fetch) +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: While not bootstrapping, fetched this many bytes: [0-9]+ \(consensus network-status fetch\);( [0-9]+ \(authority cert fetch\);)? [0-9]+ \(microdescriptor fetch\)$ diff --git a/ignore.d.server/domino-unbound b/ignore.d.server/domino-unbound new file mode 100644 index 0000000..b5351cf --- /dev/null +++ b/ignore.d.server/domino-unbound @@ -0,0 +1,4 @@ +# ; -*- mode: conf; fill-column: 99999 -*- + +# Jul 7 17:28:11 debian unbound: [2051328:0] info: generate keytag query _ta-4f66. NULL IN +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ unbound: \[[[:digit:]:]+\] info: generate keytag query [[:alnum:]_.-]+ NULL IN$ diff --git a/ignore.d.server/domino-uptimed b/ignore.d.server/domino-uptimed new file mode 100644 index 0000000..b683277 --- /dev/null +++ b/ignore.d.server/domino-uptimed 
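Review bot: In the `Requested exit point` rule `\'` is not an escaped quote: GNU grep treats `` \` `` and `\'` as start- and end-of-input anchors, so this rule cannot match the sample above it; use a plain `'` as the `from server '[[:digit:].:]+'` rules in this hunk do. In the `Tor now sees network activity` rule, `during 4 circuit attempts` keeps the sample's count as a literal while the rest of the line was generalized; `during [0-9]+ circuit attempts`. The two `Guard ... is failing` rules silence messages Tor itself flags as a possible attack on the client (`could indicate a route manipulation attack`), which is the class of line logcheck exists to surface, so consider keeping at least the `extremely large amount` variant reportable.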
@@ -0,0 +1,3 @@ +# ; -*- mode: conf; fill-column: 99999 -*- + +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ uptimed: milestone: .*$ diff --git a/ignore.d.server/repo-smartd b/ignore.d.server/repo-smartd index 4d3cbea..b8ae771 100644 --- a/ignore.d.server/repo-smartd +++ b/ignore.d.server/repo-smartd @@ -1,5 +1,6 @@ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/[^[:space:]]+ (\[(SAT|areca_disk#[[:digit:]]{2}_enc#[[:digit:]]{2})\])?, SMART (Prefailure|Usage) Attribute: [[:digit:]]+ [-_[:alnum:]]+ changed from [[:digit:]]+ to [[:digit:]]+$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: \/dev\/[^[:space:]]+( \[megaraid_disk_[0-9]+\])? (\[(SAT|areca_disk#[[:digit:]]{2}_enc#[[:digit:]]{2})\])?, SMART (Prefailure|Usage) Attribute: [[:digit:]]+ [-_[:alnum:]]+ changed from [[:digit:]]+ to [[:digit:]]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/[^[:space:]]+( \[[_/[:alnum:][:space:]]+\])? (\[(SAT|areca_disk#[[:digit:]]{2}_enc#[[:digit:]]{2})\])?, starting scheduled (Offline Immediate |(Long|Short) Self-)Test\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/[^[:space:]]+( \[[_/[:alnum:][:space:]]+\])? (\[(SAT|areca_disk#[[:digit:]]{2}_enc#[[:digit:]]{2})\])?, previous self-test completed without error$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/[^[:space:]]+( \[[_/[:alnum:][:space:]]+\])? (\[(SAT|areca_disk#[[:digit:]]{2}_enc#[[:digit:]]{2})\])?, CHECK POWER STATUS spins up disk \([0x[:xdigit:]]+ -> [0x[:xdigit:]]+\)$ + diff --git a/test.sh b/test.sh index 87f88f4..027c439 100755 --- a/test.sh +++ b/test.sh @@ -12,7 +12,7 @@ failflag=0 basepath=$(git rev-parse --show-toplevel) cd $basepath/ignore.d.server for i in `ls`; do - egrep -f $i /dev/null #2>/dev/null + cat $i | grep -v "^#" | egrep -f - /dev/null #2>/dev/null if [ $? -ne 1 ]; then echo "error in server/$i" failflag=1 
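Review bot: The rewritten `Attribute` rule introduces `( \[megaraid_disk_[0-9]+\])?` and `\/dev\/`, while the three sibling rules kept as context already handle the same position with `( \[[_/[:alnum:][:space:]]+\])?` and an unescaped `/dev/`; reusing that class keeps the four rules in step and covers the megaraid tag as well. Escaping `/` has no effect in ERE, so the backslashes only make the line differ from its neighbours.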
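Review bot: The new pipeline on the changed line (and its twin in the second hunk of this file) still passes `$i` unquoted and spawns a useless `cat`; `grep -v '^#' -- "$i" | grep -E -f - /dev/null` does the same work, and `grep -E` avoids the obsolescence warning newer GNU grep prints for `egrep`, which would otherwise land in the test output. Because the pipeline ends in the `grep -E`, `$?` on the next line is its status as intended, but the check only proves each pattern compiles; feeding the commented sample lines through their rules would also catch patterns that compile yet never match. The loop's `done` lies outside this hunk.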
@@ -20,12 +20,12 @@ for i in `ls`; do done cd $basepath/ignore.d.workstation - for i in `ls`; do - egrep -f $i /dev/null #2>/dev/null - if [ $? -ne 1 ]; then - echo "error in workstation/$i" - failflag=1 - fi +for i in `ls`; do + cat $i | grep -v "^#" | egrep -f - /dev/null #2>/dev/null + if [ $? -ne 1 ]; then + echo "error in workstation/$i" + failflag=1 + fi done exit $failflag