# Three Redis brokers feed this pipeline. Every input pops records from the
# same list key, so a shipper may push to whichever broker is reachable.
#
# NOTE(review): no password and no TLS are configured on any of these inputs,
# so anyone who can reach the brokers on the network can read the log stream
# or inject records into it. Confirm the brokers are reachable only from the
# shippers and this indexer, and set `password =>` (plus transport-level TLS)
# if the plugin version in use supports it.
input {
  redis {
    key       => "logpassing"
    data_type => "list"
    host      => "redis1.hgv.iss.local"
  }
  redis {
    key       => "logpassing"
    data_type => "list"
    host      => "redis2.hgv.iss.local"
  }
  redis {
    key       => "logpassing"
    data_type => "list"
    host      => "redis3.hgv.iss.local"
  }
}
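# Parse Exim syslog records into structured events. Processing order:
#   1. drop Exim multi-line continuation records
#   2. drop known-noise lines by substring match
#   3. grok the remaining lines against the 15 known message shapes
#   4. derive exim_msg_state from the Exim flag / captured fields
#   5. enrich with host_type and geoip, then remove scratch fields
filter {
  # 1. Multi-line continuation records. add_field only fires when the whole
  # pattern matches, so multiline_message is set exactly for lines shaped
  # SYSLOGBASE + EXIM_MULTILINE (a site pattern from patterns_dir).
  # NOTE(review): this grok loads /opt/logstash/patterns/ while the main grok
  # below loads /etc/logstash/patterns/ -- confirm both directories carry the
  # EXIM_* patterns, or point both at the same directory.
  grok {
    patterns_dir => "/opt/logstash/patterns/"
    break_on_match => false
    keep_empty_captures => true
    match => ["message", "(%{SYSLOGBASE} )(%{EXIM_MULTILINE} )(%{GREEDYDATA})"]
    add_field => { "multiline_message" => true }
  }
  if [multiline_message] {
    drop { }
  }

  # 2. Noise reduction. Several conditionals are used instead of one huge
  # regex to keep the exclude lists readable; they are grouped by origin.
  #
  # All of these are unanchored substring matches on the raw [message].
  # Two things to keep in mind:
  #   * text a remote party controls (HELO name, envelope address, ...) is
  #     part of [message]; if it happens to contain one of these strings the
  #     whole event disappears, so this index is not a complete record for
  #     abuse investigations;
  #   * some of the dropped lines are themselves security signal (rejected
  #     VRFY/EXPN probes, protocol-synchronization errors, Bad HELO, TLS
  #     errors, blacklist delays). They are dropped for volume; source them
  #     elsewhere if detection needs them.
  #
  # System
  if [message] =~ /Bad HELO|no (host|IP) (name|address) found for (host|IP address)|SMTP (command timeout|protocol synchronization error)|too many syntax or protocol errors|unexpected disconnection|TLS error on connection|rejected connection|whitelist=mx-trusted.white.dnsbl.ziggo.local|refused: too many connections|Warning: Delaying blacklisted|daemon started|Spool file is locked|message abandoned|rejected HELO from|uitlees|adreskwaliteit|totaal|too many nonmail commands|lost while reading message data/ {
    drop { }
  }
  # spamd / spamanalyser chatter. "sysread\(16\)" is escaped so it matches
  # the literal text; unescaped, "(16)" was a capture group matching
  # "sysread16" and never the logged string.
  if [message] =~ /prefork: child states|spamd: (result|clean message|checking message|setuid|connection from localhost|identified spam)|R=feed_spamanalyser T=netcat|DecodeShortURLs|handled cleanup of child pid|rejected EHLO from|server successfully spawned child process|Unrouteable address|suspected mail loop|Unfrozen by forced delivery|Frozen|LMTP error after DATA|Use of uninitialized value|bayes db version 0 is not able to be used|autolearn=ham|spamd: server pid|killed successfully|cannot parse spamd output|server pid|removing stderr method|has dependency|restarting|sysread\(16\)|compiled rules|server started on port 783/ {
    drop { }
  }
  # Client errors
  if [message] =~ /(Start|End) queue run|SIGHUP received|more than 100 messages|host lookup did not complete|Could not complete sender verify|server reached --max-children setting|all relevant MX records point to non-existent hosts|error in redirect data|an MX or SRV record indicated no SMTP service|unqualified recipient rejected|SMTP connection lost after final dot|discarded by RCPT ACL|error reading from spamd socket|port 783 failed|unqualified sender rejected|all spamd servers failed/ {
    drop { }
  }
  #
  # Custom ziggo log tags. Word boundaries keep a tag from matching inside
  # another token -- e.g. "B002" is a valid substring of a base-62 Exim
  # message id, and an unanchored match would silently drop that message.
  if [message] =~ /\b(RD001|RD004|RD005|RD007|DW001|MD004|DH003|DH007|EG010|EG0013|EG0014|RW002|DH005|B002|MD001|MD002|RD008|DH001|DH002|DH006)\b/ {
    drop { }
  }
  #
  # Undefined stuff ("je poort 587 gebruikt" = "you are using port 587")
  if [message] =~ /je poort 587 gebruikt|AAA (2|6)s delay for auth|AAA warning AUTH used twice|message too big|rejected (VRFY|EXPN)/ {
    drop { }
  }
  #
  # LDAP
  if [message] =~ /LDAP search failed - error 50/ {
    drop {}
  }

  # 3. Main parse. grok is handed each pattern on its own copy of [message]
  # (message_1 .. message_15) to work around a grok version that would not
  # take several patterns for one field. With break_on_match the first copy
  # whose pattern matches wins, so the order of the match entries below is
  # a priority order (it relies on the config compiler merging the repeated
  # `match =>` keys in the order written).
  # NOTE(review): newer grok accepts `match => { "message" => [ p1, p2, ... ] }`
  # with the same first-match semantics; after a Logstash upgrade this
  # copy/remove dance can go.
  mutate {
    add_field => {
      "message_1" => "%{message}"
      "message_2" => "%{message}"
      "message_3" => "%{message}"
      "message_4" => "%{message}"
      "message_5" => "%{message}"
      "message_6" => "%{message}"
      "message_7" => "%{message}"
      "message_8" => "%{message}"
      "message_9" => "%{message}"
      "message_10" => "%{message}"
      "message_11" => "%{message}"
      "message_12" => "%{message}"
      "message_13" => "%{message}"
      "message_14" => "%{message}"
      "message_15" => "%{message}"
    }
  }
  grok {
    patterns_dir => "/etc/logstash/patterns/"
    break_on_match => true
    keep_empty_captures => true
    # message received over a protocol, with a header id and a "for" address
    match => [
      "message_1", "(%{EXIM_LOG_BASE})(%{EXIM_REMOTE_HOST} )(%{EXIM_PROTOCOL} )(%{EXIM_MSG_SIZE} )(%{EXIM_HEADER_ID} )(%{NOTSPACE:for} )(%{EMAILADDRESS:env_rcpt})"
    ]
    # authenticated submission. The original pattern had a stray space inside
    # the %{EXIM_MSG_SIZE } reference, which grok does not expand, so this
    # entry could never match.
    match => [
      "message_2", "(%{EXIM_LOG_BASE})(%{EXIM_REMOTE_HOST} )(%{EXIM_PROTOCOL} )(%{NOTSPACE:tls_info} )(%{EXIM_AUTH_LOGIN:login} )(%{EXIM_MSG_SIZE} )(for )(%{EMAILADDRESS:env_rcpt})"
    ]
    # authenticated submission with header id (the duplicated
    # EXIM_AUTH_LOGIN alternative of the original is collapsed)
    match => [
      "message_3", "(%{EXIM_LOG_BASE})(%{EXIM_REMOTE_HOST} )(%{EXIM_PROTOCOL} )(%{NOTSPACE:tls_info} )(%{EXIM_AUTH_LOGIN:login} )(%{EXIM_MSG_SIZE} )(%{EXIM_HEADER_ID} )(%{NOTSPACE:for} )(%{EMAILADDRESS:env_rcpt})"
    ]
    # RCPT rejected for an authenticated user; the rest of the line is the reason
    match => [
      "message_4", "(%{SYSLOGBASE} )(%{EXIM_DATE} )(%{EXIM_REMOTE_HOST} )(%{EXIM_FOR:env_sender} )(rejected RCPT <%{EMAILADDRESS}>: Auth-user )(%{EMAILADDRESS:login} )(%{GREEDYDATA:reason})"
    ]
    # message id followed directly by a state word
    match => [
      "message_5", "(%{SYSLOGBASE} )(%{EXIM_DATE} )(%{EXIM_MSGID:exim_msg_id} )(%{EXIM_MSG_STATE:exim_msg_state})"
    ]
    # NOTE(review): message_6 parses "Warning: DW001 Spam:" lines, but DW001
    # is in the custom-tag drop list above, so those events are dropped
    # before they reach this grok. Remove DW001 from that list if these
    # events are wanted, otherwise this pattern is dead.
    match => [
      "message_6", "(%{SYSLOGBASE} )(%{EXIM_DATE} )(%{EXIM_MSGID:exim_msg_id} )(%{EXIM_REMOTE_HOST} )(Warning: DW001 Spam: host=%{IP:ip} )(login=%{EMAILADDRESS:login} )(%{GREEDYDATA})"
    ]
    # delivery records: router / transport / remote host
    match => [
      "message_7", "(%{EXIM_LOG_BASE})(%{EXIM_ROUTE} )(%{EXIM_TRANSPORT} )(%{EXIM_REMOTE_HOST})"
    ]
    match => [
      "message_8", "(%{EXIM_LOG_BASE})(%{EXIM_CAP_EMAIL} )(%{EXIM_ROUTE} )(%{EXIM_TRANSPORT} )(%{EXIM_REMOTE_HOST})"
    ]
    # message_12 is tried before message_9 on purpose: message_9 ends in
    # GREEDYDATA and matches every line message_12 matches, so the more
    # specific EXIM_DEFERRED capture (-> reason) must come first to ever apply.
    match => [
      "message_12", "(%{SYSLOGBASE} )(%{EXIM_DATE} )(%{EXIM_MSGID:exim_msg_id} )(%{EXIM_REMOTE_HOST} )(%{EXIM_DEFERRED:reason})"
    ]
    match => [
      "message_9", "(%{SYSLOGBASE} )(%{EXIM_DATE} )(%{EXIM_MSGID:exim_msg_id} )(%{EXIM_REMOTE_HOST} )(%{GREEDYDATA})"
    ]
    # failed authentication, with and without a set id (message_13 is the
    # fallback for message_10)
    match => [
      "message_10", "(%{SYSLOGBASE} )(%{EXIM_DATE} )(%{EXIM_AUTH_FAIL:auth_fail} )(%{NOTSPACE:remote_hostname} )(\(%{NOTSPACE:remote_heloname}\) )?(\[%{IP:remote_host}\]\: )(%{EXIM_ERR_NUM} )(%{EXIM_SET_ID})"
    ]
    # message received without a header id (fallback for message_1)
    match => [
      "message_11", "(%{EXIM_LOG_BASE})(%{EXIM_REMOTE_HOST} )(%{EXIM_PROTOCOL} )(%{EXIM_MSG_SIZE} )(%{NOTSPACE:for} )(%{EMAILADDRESS:env_rcpt})"
    ]
    match => [
      "message_13", "(%{SYSLOGBASE} )(%{EXIM_DATE} )(%{EXIM_AUTH_FAIL:auth_fail} )(%{NOTSPACE:remote_hostname} )(\(%{NOTSPACE:remote_heloname}\) )?(\[%{IP:remote_host}\]\: )(%{EXIM_ERR_NUM})"
    ]
    # generic received line (fallback)
    match => [
      "message_14", "(%{EXIM_LOG_BASE})(%{EXIM_REMOTE_HOST} )(%{EXIM_PROTOCOL} )(%{EXIM_MSG_SIZE})(%{GREEDYDATA})"
    ]
    # blackholed message; the rest of the line is the reason
    match => [
      "message_15", "(%{SYSLOGBASE} )(%{EXIM_DATE} )(%{EXIM_MSGID:exim_msg_id} )(%{EXIM_FLAGS:exim_flags} )(%{EXIM_BLACKHOLE:blackhole} )(%{GREEDYDATA:reason})"
    ]
  }
  ########### End main grok match

  # Event time comes from the syslog header captured as "timestamp". The two
  # syslog forms carry no year, so the date filter assumes the current one;
  # be careful with events replayed across a year boundary.
  date {
    match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss", "ISO8601" ]
  }
  # [program] is only known after the grok above, hence spamd is dropped
  # here rather than before the (costly) parse.
  if [program] == "spamd" {
    drop { }
  }

  # 4. Derive exim_msg_state. mutate/update only overwrites a field that
  # exists, so give it a default first; message_5 may already have set it.
  if ![exim_msg_state] {
    mutate {
      add_field => { "exim_msg_state" => "undefined" }
    }
  }
  # A message id and a remote host but no Exim flag is a connection record.
  if [exim_msg_id] and ![exim_flags] and [remote_host] {
    mutate {
      update => [ "exim_msg_state", "connection" ]
    }
  }
  # Exim flag -> state. "<=" (received) carries the sender, "=>" / "->"
  # (delivery) the recipient, so env_email is renamed accordingly.
  if [exim_flags] == "<=" {
    mutate {
      update => [ "exim_msg_state", "received" ]
      rename => [ "env_email", "env_sender" ]
    }
  }
  if [exim_flags] == "=>" or [exim_flags] == "->" {
    mutate {
      update => [ "exim_msg_state", "delivered" ]
      rename => [ "env_email", "env_rcpt" ]
    }
  }
  if [exim_flags] == ">>" {
    mutate {
      update => [ "exim_msg_state", "cutthrough_delivery" ]
    }
  }
  if [exim_flags] == "*>" {
    mutate {
      update => [ "exim_msg_state", "suppressed_delivery" ]
    }
  }
  if [exim_flags] == "==" {
    mutate {
      update => [ "exim_msg_state", "deferred" ]
    }
  }
  if [exim_flags] == "**" {
    mutate {
      update => [ "exim_msg_state", "failed" ]
    }
  }
  # Later rules override earlier ones: "Completed", then failed logins,
  # then whatever the captured reason text says.
  if "Completed" in [message] {
    mutate {
      update => [ "exim_msg_state", "completed" ]
    }
  }
  if [auth_fail] {
    mutate {
      update => [ "exim_msg_state", "failed_login" ]
    }
  }
  if [reason] {
    # "wordt misbruikt vanuit" = "is being abused from";
    # "zie spam vanaf ip adressen buiten ons netwerk" =
    #   "see spam from ip addresses outside our network"
    if [reason] =~ /wordt misbruikt vanuit/ {
      mutate {
        update => [ "exim_msg_state", "deferred" ]
      }
    } else if [reason] =~ /deferred/ {
      mutate {
        update => [ "exim_msg_state", "deferred" ]
      }
    } else if [reason] =~ /blocked/ {
      mutate {
        update => [ "exim_msg_state", "blocked_account" ]
      }
    } else if [reason] =~ /zie spam vanaf ip adressen buiten ons netwerk/ {
      mutate {
        update => [ "exim_msg_state", "blocked_account" ]
      }
    }
  }

  # Enrich a delivery record with sender/host data from the matching
  # "received" record already indexed. exim_msg_id is interpolated into a
  # query string, which is only safe while EXIM_MSGID admits nothing but a
  # message id (assumed; check the site pattern).
  # NOTE(review): this branch is unreachable as written: exim_msg_state is
  # only set to "delivered" when exim_flags is "=>" or "->", so
  # [exim_flags] == "<-" can never hold at the same time ("<-" is also not
  # an Exim log flag). Left untouched because the intended flag (probably
  # "->") is not evident from this file.
  if [exim_msg_state] == "delivered" and [exim_flags] == "<-" {
    elasticsearch {
      hosts => [ "loganalyse3.tb.mail.iss.local" ]
      query => 'exim_msg_id:"%{exim_msg_id}"'
      fields => [ "env_sender", "env_sender", "remote_host", "remote_host", "remote_hostname", "remote_hostname" ]
      sort => "ignore_unmapped:true"
      #fail_on_error => "false"
    }
    mutate {
      remove_field => [ "query_failed" ]
    }
  }

  # 5a. Host role from the syslog host name. The patterns are anchored and
  # mutually exclusive so host_type never ends up as an array; the dot
  # before the site label is escaped (it is a domain separator, see the
  # host names used elsewhere in this file). "[3..7]" was a character class
  # of 3, "." and 7, not the range 3-7, so smtp4..smtp6 were never tagged.
  if [logsource] =~ /^smtp(1|2)\.(tb|gn)/ {
    mutate {
      add_field => { "host_type" => "auth_smtp" }
    }
  }
  if [logsource] =~ /^smtp[3-7]\.(tb|gn)/ {
    mutate {
      add_field => { "host_type" => "smtp" }
    }
  }
  if [logsource] =~ /^mx/ {
    mutate {
      add_field => { "host_type" => "mx" }
    }
  }
  # NOTE(review): the original "^smtpq*.(gn|tb)" only matched "smtpq." (or
  # "smtp?gn") because "q*" means zero or more q's. This assumes the queue
  # hosts are named smtpq[N].(gn|tb) -- confirm against the inventory.
  if [logsource] =~ /^smtpq[^.]*\.(gn|tb)/ {
    mutate {
      add_field => { "host_type" => "smtpq" }
    }
  }

  # 5b. Remove the scratch copies created for the grok workaround.
  mutate {
    remove_field => [
      "message_1", "message_2", "message_3", "message_4", "message_5",
      "message_6", "message_7", "message_8", "message_9", "message_10",
      "message_11", "message_12", "message_13", "message_14", "message_15"
    ]
  }

  # 5c. GeoIP, so a map of where connections come from can be built.
  # Loopback (all of 127/8), RFC 1918 space and a few site-specific public
  # addresses are skipped; the 212.54.42.x entries are this site's own hosts.
  if [remote_host] {
    if [remote_host] !~ /(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^212\.54\.42\.(10|13|17))/ {
      geoip {
        source => "remote_host"
      }
      # Only build coords when the lookup produced a location; otherwise the
      # %{[geoip][...]} references stay literal and the float conversion
      # below would store a bogus coordinate. The longitude/latitude pair is
      # merged into one array in [lon, lat] order, the geo_point convention.
      if [geoip][longitude] and [geoip][latitude] {
        mutate {
          add_field => [ "coords", "%{[geoip][longitude]}",
                         "tmplat", "%{[geoip][latitude]}" ]
        }
        mutate {
          merge => [ "coords", "tmplat" ]
        }
        mutate {
          convert => [ "coords", "float" ]
          remove_field => [ "tmplat" ]
        }
      }
    }
  }

  # Development aid: uncomment to drop the "good" states so that only
  # undefined and bad events remain while working on new patterns.
  # if [exim_msg_state] == "completed" {
  #   drop {}
  # } else if [exim_msg_state] == "received" {
  #   drop {}
  # } else if [exim_msg_state] == "delivered" {
  #   drop {}
  # } else if [exim_msg_state] == "connection" {
  #   drop {}
  # } else if [exim_msg_state] == "failed_login" {
  #   drop {}
  # } else if [exim_msg_state] == "blocked_account" {
  #   drop {}
  # } else if [exim_msg_state] == "deferred" {
  #   drop {}
  # }
}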
# Index into the "mailtools" cluster, one index per day, using the derived
# Exim message state as the document type.
#
# NOTE(review): index_type is taken from an event field. The values set in
# the filter are a fixed vocabulary, but EXIM_MSG_STATE (a site grok pattern)
# also feeds it -- make sure that pattern cannot capture arbitrary text, since
# every distinct value becomes a mapping type. As with the inputs, no
# credentials or TLS are configured for the cluster connection.
output {
  elasticsearch {
    host       => "elasticsearch1.hgv.iss.local"
    cluster    => "mailtools"
    index      => "exim-%{+YYYY.MM.dd}"
    index_type => "%{exim_msg_state}"
    # One bulk request per event. Kept as-is, but this is the first knob to
    # turn if indexing throughput becomes a problem.
    flush_size => 1
  }
  # Handy while developing patterns:
  # stdout { codec => rubydebug }
}