grok-filters
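# Logstash pipeline for Exim's mainlog.
#
# Tails /var/log/exim4/mainlog, pulls the timestamp and PID out of every line,
# classifies the line into exim_msg_state (connection, completed, dkim, received,
# delivered, failed, deferred, error) from the Exim flag ("<=", "=>", "->", "**",
# "==") and prints the resulting event with the rubydebug codec.
#
# The EXIM_* patterns (EXIM_DATE, EXIM_PID, EXIM_MSGID, EXIM_FLAGS, EXIM_MAIL,
# EXIM_REMOTE_HOST, ...) are not defined in this file; they are expected to come
# from a grok pattern library available to the grok filter (verify which
# version of the pattern set is installed, since the set of EXIM_* names varies).
input {
  file {
    path => [ "/var/log/exim4/mainlog" ]
    # Only new lines after startup; nothing is replayed from the existing file.
    start_position => end
    type => "exim"
  }
}

filter {
  if [type] == "exim" {
    # Every mainlog line starts with "<date> [<pid>]"; these become the event's
    # timestamp below.
    grok {
      match => { "message" => "%{EXIM_DATE:exim_date} %{EXIM_PID:exim_pid}" }
    }
    date {
      locale => "en"
      match => [ "exim_date", "yyyy-MM-dd HH:mm:ss" ]
    }

    # Connection / completion / DKIM lines carry no delivery flag; tag them
    # directly. Each grok below only adds its field when its pattern matches.
    grok {
      match => { "message" => "SMTP connection %{EXIM_REMOTE_HOST} %{EXIM_INTERFACE} %{GREEDYDATA:exim_conn_info}" }
      add_field => [ "exim_msg_state", "connection" ]
    }
    grok {
      match => { "message" => "%{EXIM_MSGID} Completed %{EXIM_QT}" }
      add_field => [ "exim_msg_state", "completed" ]
    }
    grok {
      match => { "message" => "%{EXIM_MSGID} DKIM: d=%{HOST:exim_dkim_d} s=%{NOTSPACE:exim_dkim_s} c=%{NOTSPACE:exim_dkim_c} a=%{NOTSPACE:exim_dkim_a} (t=%{NOTSPACE:exim_dkim_t} )?%{GREEDYDATA:exim_dkim_status}" }
      add_field => [ "exim_msg_state", "dkim" ]
    }

    # The flag after the message id decides which set of sub-patterns applies.
    grok {
      match => { "message" => "%{EXIM_MSGID} %{EXIM_FLAGS:exim_flag}" }
    }

    if [exim_flag] == "<=" {
      # Message received.
      grok { match => { "message" => "<= %{EXIM_MAIL:exim_mail_from}" } }
      grok { match => { "message" => "%{EXIM_REMOTE_HOST}" } }
      grok { match => { "message" => "%{EXIM_INTERFACE}" } }
      grok { match => { "message" => "%{EXIM_PROTOCOL}" } }
      grok { match => { "message" => "%{EXIM_MSG_SIZE}" } }
      grok { match => { "message" => "%{EXIM_HEADER_ID}" } }
      grok { match => { "message" => "%{EXIM_TLS_INFO}" } }
      grok { match => { "message" => "from %{EXIM_MAIL:exim_mail_from}" } }
      grok { match => { "message" => "for %{GREEDYDATA:exim_mail_to}" } }
      mutate {
        add_field => [ "exim_msg_state", "received" ]
      }
    # Fixed: the "->" case used to test [exim_flags] (plural), a field that is
    # never set, so additional-address deliveries never reached this branch.
    } else if [exim_flag] == "=>" or [exim_flag] == "->" {
      # Message delivered ("=>" first address, "->" further addresses).
      grok { match => { "message" => "=> (%{USER:exim_local_user}.*\s)?%{EXIM_MAIL:exim_mail_alias} F" } }
      grok { match => { "message" => "%{EXIM_REMOTE_HOST}" } }
      grok { match => { "message" => "F=%{EXIM_MAIL:exim_mail_from}" } }
      grok { match => { "message" => "P=%{EXIM_MAIL:exim_return_path}" } }
      grok { match => { "message" => "R=%{NOTSPACE:exim_router}" } }
      grok { match => { "message" => "T=%{NOTSPACE:exim_transport}" } }
      grok { match => { "message" => "%{EXIM_MSG_SIZE}" } }
      grok { match => { "message" => "%{EXIM_QT}" } }
      grok { match => { "message" => "%{EXIM_DT}" } }
      grok { match => { "message" => "%{EXIM_TLS_INFO}" } }
      grok { match => { "message" => "%{EXIM_DN}" } }
      grok { match => { "message" => "%{EXIM_SMTP_CONFIRMATION}" } }
      mutate {
        add_field => [ "exim_msg_state", "delivered" ]
      }
    } else if [exim_flag] == "**" {
      # Delivery failed.
      grok { match => { "message" => "\*\* (%{USER:exim_local_user}.*\s)?%{EXIM_MAIL:exim_mail_alias} F" } }
      grok { match => { "message" => "F=%{EXIM_MAIL:exim_mail_from}" } }
      grok { match => { "message" => "P=%{EXIM_MAIL:exim_return_path}" } }
      grok { match => { "message" => "R=%{NOTSPACE:exim_router}" } }
      grok { match => { "message" => "T=%{NOTSPACE:exim_transport}.*?:\s%{DATA:exim_error}:(%{EXIM_MAIL:exim_mail_to}:)? %{EXIM_REMOTE_HOST}:? %{GREEDYDATA:exim_error_info}" } }
      mutate {
        add_field => [ "exim_msg_state", "failed" ]
      }
    } else if [exim_flag] == "==" {
      # Delivery deferred.
      grok { match => { "message" => "== (%{USER:exim_local_user}.*\s)?%{EXIM_MAIL:exim_mail_alias} R=" } }
      grok { match => { "message" => "R=%{NOTSPACE:exim_router}" } }
      grok { match => { "message" => "T=%{NOTSPACE:exim_transport}.*?: %{GREEDYDATA:exim_error_info}" } }
      mutate {
        add_field => [ "exim_msg_state", "deferred" ]
      }
    } else {
      # No delivery flag: try the known error/reject messages. The first
      # alternative that matches sets exim_error.
      #
      # Several of these alternatives combine ".*" with GREEDYDATA on text that
      # originates from the remote peer (host names, addresses, banner text);
      # such patterns can backtrack heavily on long or unusual lines. Grok's
      # timeout_millis bounds how long a single event may spend here.
      grok {
        match => { "message" => "%{EXIM_REMOTE_HOST}.*(?<exim_error>sender verify (fail|defer)) for %{EXIM_MAIL:exim_mail_from}: %{GREEDYDATA:exim_error_info}" }
        match => { "message" => "%{EXIM_REMOTE_HOST}.*F=%{EXIM_MAIL:exim_mail_from} .*(?<exim_error>rejected RCPT) %{EXIM_MAIL:exim_mail_to}: %{GREEDYDATA:exim_error_info}" }
        match => { "message" => "%{EXIM_REMOTE_HOST}.*(?<exim_error>incomplete transaction) (%{DATA:exim_error_info}) from %{EXIM_MAIL:exim_mail_from}" }
        match => { "message" => "(?<exim_error>unexpected disconnection).*%{EXIM_REMOTE_HOST}" }
        match => { "message" => "(?<exim_error>list matching forced to fail): %{DATA:exim_error_info} for %{IP:exim_remote_host}" }
        match => { "message" => "(?<exim_error>SMTP protocol synchronization error) \(%{GREEDYDATA:exim_error_info}\):.*%{EXIM_REMOTE_HOST}" }
        match => { "message" => "(?<exim_error>no host name found) for IP address %{IP:exim_remote_host}" }
        match => { "message" => "(?<exim_error>no IP address found) for host %{NOTSPACE:exim_remote_hostname}.*%{EXIM_REMOTE_HOST}" }
      }
      # Catch-all: anything not classified above becomes "error". This includes
      # lines that matched none of the patterns in this file, which then carry
      # exim_msg_state "error" but no exim_error field -- search for events
      # without exim_error to find input the pipeline does not understand.
      if ![exim_msg_state] {
        mutate {
          add_field => [ "exim_msg_state", "error" ]
        }
      }
    }

    mutate {
      # Most of the groks above are expected to miss on any given line, so the
      # failure tag carries no signal here and is dropped unconditionally.
      # Genuinely unparsed lines are only visible via the "error" catch-all
      # described above, not via this tag.
      remove_tag => [ "_grokparsefailure" ]
      remove_field => "path"
    }

    # "for a@x b@y" lists several recipients separated by spaces; turn the
    # string into an array.
    # NOTE(review): a missing exim_mail_to field may also satisfy `!= ""` on
    # some Logstash versions; `if [exim_mail_to]` is the plain existence check
    # -- confirm against the version in use.
    if [exim_mail_to] != "" {
      mutate {
        split => ["exim_mail_to", " "]
      }
    }
  }
}

output {
  stdout { codec => rubydebug }
}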