Last active
July 30, 2018 21:32
-
-
Save danslimmon/6084415 to your computer and use it in GitHub Desktop.
My logstash config for postfix logs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filter { | |
| # Capture all the generic syslog stuff and populate @timestamp | |
| if [type] == "postfix" { | |
| grok { | |
| match => [ "message", "%{SYSLOGBASE} %{GREEDYDATA:_syslog_payload}" ] | |
| singles => true | |
| } | |
| # Postfix pads single-digit numbers with spaces (WHYYYYY) | |
| mutate { gsub => [ "timestamp", " ", " 0" ] } | |
| date { match => [ "timestamp", "MMM dd HH:mm:ss"] } | |
| # Tag email_specific events (events that are about a particular email) | |
| if [_syslog_payload] =~ /[0-9A-F]+: / { | |
| grok { | |
| singles => true | |
| match => [ "_syslog_payload", "%{BASE16NUM:queue_id}: %{GREEDYDATA:details}" ] | |
| } | |
| } | |
| # We assume there are key-value pairs in details if it contains | |
| # an '=' character. | |
| if [details] =~ /=/ { | |
| kv { source => "details" trim => "<>," } | |
| } | |
| mutate { remove_field => [ "_syslog_payload" ] } | |
| } | |
| } | |
| This ends up producing entries like: | |
| { | |
| "@fields": { | |
| "delay": "1.2", | |
| "delays": "0.01/0.01/0.7/0.47", | |
| "details": "to=<[email protected]>, relay=email-smtp.us-east-1.amazonaws.com[54.243.69.182]:25, delay=1.2, delays=0.01/0.01/0.7/0.47, dsn=2.0.0, status=sent (250 Ok 0000015017ae82c0-141b91c6-6fbc-42f2-a1f7-fafd14ca53c0-000000)", | |
| "dsn": "2.0.0", | |
| "logsource": "blahblah", | |
| "pid": "11720", | |
| "program": "postfix/smtp", | |
| "queue_id": "BDD053BA050", | |
| "relay": "email-smtp.us-east-1.amazonaws.com[54.243.69.182]:25", | |
| "status": "sent", | |
| "timestamp": "Jul 25 21:14:10", | |
| "to": "[email protected]" | |
| }, | |
| "@message": "Jul 25 21:14:10 onep-01 postfix/smtp[11720]: BDD053BA050: to=<[email protected]>, relay=email-smtp.us-east-1.amazonaws.com[54.243.69.182]:25, delay=1.2, delays=0.01/0.01/0.7/0.47, dsn=2.0.0, status=sent (250 Ok 0000015017ae82c0-141b91c6-6fbc-42f2-a1f7-fafd14ca53c0-000000)", | |
| "@source": "file://log-abc.exosite.biz//tmp/crap.log", | |
| "@source_host": "log-abc.exosite.biz", | |
| "@source_path": "//tmp/crap.log", | |
| "@tags": [ | |
| "email_specific", | |
| "structured" | |
| ], | |
| "@timestamp": "2013-07-25T21:14:10.000Z", | |
| "@type": "postfix" | |
| } |
What filebeat config do you use for this?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Queries for charts:
Replace the tags by your owns
Bounced: tags:("postfix", "mail01", "email") AND status:bounced AND program:_smtp
_Deferred:* tags:("postfix", "mail01", "email") AND status:deferred AND program:_smtp
_Rejected incoming:* type:"email-log" AND message:receiver AND message:reject AND message:"SPF fail - not authorized"
Successfully sent tags:("postfix", "mail01", "email") AND status:"sent" AND program:"_smtp"
_Successfully received* tags:("postfix", "mail01", "email") AND (orig_to:_yourdomain.com OR orig_to:_yourotherdomain.com) AND program:lmtp
Rejected received tags:("postfix", "mail01", "email") AND message:reject AND (orig_to:_yourdomain.com OR orig_to:_yourotherdomain.com)
SPAM Bloqued tags:("postfix", "mail01", "email") AND message:"Blocked SPAM" AND program:amavis