Created
March 13, 2017 12:48
-
-
Save magicdude4eva/5001d3b52743062f6fb28e3a92b7fce4 to your computer and use it in GitHub Desktop.
Port25 / PowertMTA Logstash / Graylog configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ################################################################################ | |
| ## Port25 Logstash configuration | |
| ## | |
| ## Logging configuration: | |
| ## | |
| ## <acct-file /var/log/pmta/acct.csv> | |
| ## delete-after 60d | |
| ## move-interval 5m | |
| ## max-size 500M | |
| ## records d,b,r,t,tq,f,rb,rs | |
| ## </acct-file> | |
| ## The input directive specifies the various log files | |
| input { | |
| # Port 25 logs | |
| file { | |
| type => "port25" | |
| tags => "port25" | |
| sincedb_path => "/var/log/logstash/sincedb_port25_acct.db" | |
| sincedb_write_interval => 15 | |
| path => [ "/var/log/pmta/acct*.csv" ] | |
| } | |
| } | |
| # We use a Grok filter for matching - see here: https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html | |
| filter { | |
| ############################################################################################################################## | |
| # Parse Port25 logs | |
| if [type] == "port25" { | |
| if ([message] =~ "^(t|b|d|r|tq),") { | |
| csv { | |
| source => "message" | |
| columns => [ "logtype","timeLogged","timeQueued","orig","rcpt","orcpt","dsnAction","dsnStatus","dsnDiag","dsnMta","bounceCat","srcType","srcMta","dlvType","dlvSourceIp","dlvDestinationIp","dlvEsmtpAvailable","dlvSize","vmta","jobId","envId","queue","vmtaPool","repSourceIp","feedbackType","format","userAgent","reportingMta","reportedDomain","header_From","header_Return-Path","header_X-job","header_Subject","rcvSourceIp","rcvDestinationIp","dsnReportingMta" ] | |
| separator => "," | |
| convert => [ "dlvSize", "integer" ] | |
| add_tag => [ "pmta" ] | |
| skip_empty_columns => true | |
| } | |
| if ("pmta" in [tags]) { | |
| date { match => [ "timeLogged", "YYYY-MM-dd HH:mm:ssZ", "ISO8601" ] | |
| target => "@timestamp" | |
| } | |
| date { match => ["timeQueued", "YYYY-MM-dd HH:mm:ssZ", "ISO8601" ] | |
| } | |
| if [format] == "jmrp" { | |
| mutate { replace => [ "rcpt", "%{header_From}" ] } | |
| } | |
| if [rcpt] { | |
| mutate { lowercase => ["rcpt"] | |
| add_field => { "rcptdomain" => "%{rcpt}" } | |
| } | |
| mutate { gsub => [ 'rcptdomain', '.*@', ''] } | |
| } | |
| mutate { | |
| gsub => [ "dsnStatus", "-", "_", "bounceCat", "-", "_" ] | |
| } | |
| if [timeLogged] and [timeQueued] { | |
| ruby { | |
| init => "require 'time';" | |
| code => "begin; secondsToDeliver = 0.0; secondsToDeliver = Time.parse(event.get('timeLogged')).to_f - Time.parse(event.get('timeQueued')).to_f; event.set('dlvTimeTaken', secondsToDeliver); rescue Exception; event.set('dlvTimeTaken', 'parse_failure'); end" | |
| } | |
| } | |
| } | |
| } else { | |
| # powermta acct header, ignore | |
| drop {} | |
| } | |
| } | |
| } | |
| output { | |
| # Requires /usr/share/logstash/bin/logstash-plugin install logstash-output-gelf | |
| gelf { | |
| host => "###.###.###.###" | |
| port => #### | |
| } | |
| } |
Hi magicdude4eva, do you know how to put graylog to get the PMTA logs and display?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Donations are always welcome
🍺 Please support me: If the above helped you in any way, then follow me on Twitter or send me some coins:
Go to Curve.com to add your Crypto.com card to ApplePay and signup to Crypto.com for a staking and free Crypto debit card.
Use Binance Exchange to trade #altcoins. Sign up with Coinbase and instantly get $10 in BTC. I also accept old-school PayPal.
If you have no crypto, follow me at least on Twitter.