Created
March 13, 2017 12:48
-
-
Save magicdude4eva/5001d3b52743062f6fb28e3a92b7fce4 to your computer and use it in GitHub Desktop.
Port25 / PowertMTA Logstash / Graylog configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ################################################################################ | |
| ## Port25 Logstash configuration | |
| ## | |
| ## Logging configuration: | |
| ## | |
| ## <acct-file /var/log/pmta/acct.csv> | |
| ## delete-after 60d | |
| ## move-interval 5m | |
| ## max-size 500M | |
| ## records d,b,r,t,tq,f,rb,rs | |
| ## </acct-file> | |
| ## The input directive specifies the various log files | |
| input { | |
| # Port 25 logs | |
| file { | |
| type => "port25" | |
| tags => "port25" | |
| sincedb_path => "/var/log/logstash/sincedb_port25_acct.db" | |
| sincedb_write_interval => 15 | |
| path => [ "/var/log/pmta/acct*.csv" ] | |
| } | |
| } | |
| # We use a Grok filter for matching - see here: https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html | |
| filter { | |
| ############################################################################################################################## | |
| # Parse Port25 logs | |
| if [type] == "port25" { | |
| if ([message] =~ "^(t|b|d|r|tq),") { | |
| csv { | |
| source => "message" | |
| columns => [ "logtype","timeLogged","timeQueued","orig","rcpt","orcpt","dsnAction","dsnStatus","dsnDiag","dsnMta","bounceCat","srcType","srcMta","dlvType","dlvSourceIp","dlvDestinationIp","dlvEsmtpAvailable","dlvSize","vmta","jobId","envId","queue","vmtaPool","repSourceIp","feedbackType","format","userAgent","reportingMta","reportedDomain","header_From","header_Return-Path","header_X-job","header_Subject","rcvSourceIp","rcvDestinationIp","dsnReportingMta" ] | |
| separator => "," | |
| convert => [ "dlvSize", "integer" ] | |
| add_tag => [ "pmta" ] | |
| skip_empty_columns => true | |
| } | |
| if ("pmta" in [tags]) { | |
| date { match => [ "timeLogged", "YYYY-MM-dd HH:mm:ssZ", "ISO8601" ] | |
| target => "@timestamp" | |
| } | |
| date { match => ["timeQueued", "YYYY-MM-dd HH:mm:ssZ", "ISO8601" ] | |
| } | |
| if [format] == "jmrp" { | |
| mutate { replace => [ "rcpt", "%{header_From}" ] } | |
| } | |
| if [rcpt] { | |
| mutate { lowercase => ["rcpt"] | |
| add_field => { "rcptdomain" => "%{rcpt}" } | |
| } | |
| mutate { gsub => [ 'rcptdomain', '.*@', ''] } | |
| } | |
| mutate { | |
| gsub => [ "dsnStatus", "-", "_", "bounceCat", "-", "_" ] | |
| } | |
| if [timeLogged] and [timeQueued] { | |
| ruby { | |
| init => "require 'time';" | |
| code => "begin; secondsToDeliver = 0.0; secondsToDeliver = Time.parse(event.get('timeLogged')).to_f - Time.parse(event.get('timeQueued')).to_f; event.set('dlvTimeTaken', secondsToDeliver); rescue Exception; event.set('dlvTimeTaken', 'parse_failure'); end" | |
| } | |
| } | |
| } | |
| } else { | |
| # powermta acct header, ignore | |
| drop {} | |
| } | |
| } | |
| } | |
| output { | |
| # Requires /usr/share/logstash/bin/logstash-plugin install logstash-output-gelf | |
| gelf { | |
| host => "###.###.###.###" | |
| port => #### | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi magicdude4eva, do you know how to put graylog to get the PMTA logs and display?