Last active
July 30, 2018 21:32
-
-
Save danslimmon/6084415 to your computer and use it in GitHub Desktop.
My logstash config for postfix logs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
filter { | |
# Capture all the generic syslog stuff and populate @timestamp | |
if [type] == "postfix" { | |
grok { | |
match => [ "message", "%{SYSLOGBASE} %{GREEDYDATA:_syslog_payload}" ] | |
singles => true | |
} | |
# Postfix pads single-digit numbers with spaces (WHYYYYY) | |
mutate { gsub => [ "timestamp", " ", " 0" ] } | |
date { match => [ "timestamp", "MMM dd HH:mm:ss"] } | |
# Tag email_specific events (events that are about a particular email) | |
if [_syslog_payload] =~ /[0-9A-F]+: / { | |
grok { | |
singles => true | |
match => [ "_syslog_payload", "%{BASE16NUM:queue_id}: %{GREEDYDATA:details}" ] | |
} | |
} | |
# We assume there are key-value pairs in details if it contains | |
# an '=' character. | |
if [details] =~ /=/ { | |
kv { source => "details" trim => "<>," } | |
} | |
mutate { remove_field => [ "_syslog_payload" ] } | |
} | |
} | |
This ends up producing entries like: | |
{ | |
"@fields": { | |
"delay": "1.2", | |
"delays": "0.01/0.01/0.7/0.47", | |
"details": "to=<dan@danslimmon.com>, relay=email-smtp.us-east-1.amazonaws.com[54.243.69.182]:25, delay=1.2, delays=0.01/0.01/0.7/0.47, dsn=2.0.0, status=sent (250 Ok 0000015017ae82c0-141b91c6-6fbc-42f2-a1f7-fafd14ca53c0-000000)", | |
"dsn": "2.0.0", | |
"logsource": "blahblah", | |
"pid": "11720", | |
"program": "postfix/smtp", | |
"queue_id": "BDD053BA050", | |
"relay": "email-smtp.us-east-1.amazonaws.com[54.243.69.182]:25", | |
"status": "sent", | |
"timestamp": "Jul 25 21:14:10", | |
"to": "dan@danslimmon.com" | |
}, | |
"@message": "Jul 25 21:14:10 onep-01 postfix/smtp[11720]: BDD053BA050: to=<dan@danslimmon.com>, relay=email-smtp.us-east-1.amazonaws.com[54.243.69.182]:25, delay=1.2, delays=0.01/0.01/0.7/0.47, dsn=2.0.0, status=sent (250 Ok 0000015017ae82c0-141b91c6-6fbc-42f2-a1f7-fafd14ca53c0-000000)", | |
"@source": "file://log-abc.exosite.biz//tmp/crap.log", | |
"@source_host": "log-abc.exosite.biz", | |
"@source_path": "//tmp/crap.log", | |
"@tags": [ | |
"email_specific", | |
"structured" | |
], | |
"@timestamp": "2013-07-25T21:14:10.000Z", | |
"@type": "postfix" | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What filebeat config do you use for this?