klamontagne · March 24, 2014 19:28
diff --git a/logstash_postfix.conf b/logstash_postfix.conf
 filter {
  # Capture all the generic syslog stuff and populate @timestamp
  if [type] == "postfix" {
    grok {
      match => [ "message", "%{SYSLOGBASE} %{GREEDYDATA:_syslog_payload}" ]
      singles => true
    }
    # Postfix pads single-digit numbers with spaces (WHYYYYY)
    mutate { gsub => [ "timestamp", "  ", " 0" ] }
    date { match => [ "timestamp", "MMM dd HH:mm:ss"] }

    # Tag email_specific events (events that are about a particular email)
    if [_syslog_payload] =~ /[0-9A-F]+: / {
      grok {
        singles => true
        match => [ "_syslog_payload", "%{BASE16NUM:queue_id}: %{GREEDYDATA:details}" ]
      }
    }

    # We assume there are key-value pairs in details if it contains
    # an '=' character.
    if [details] =~ /=/ {
      kv { source => "details" trim => "<>," }
    }

    mutate { remove_field => [ "_syslog_payload" ] }
  }
 }


 This ends up producing entries like:

 {
    "@fields": {
        "delay": "1.2",
        "delays": "0.01/0.01/0.7/0.47",
        "details": "to=<[email protected]>, relay=email-smtp.us-east-1.amazonaws.com[54.243.69.182]:25, delay=1.2, delays=0.01/0.01/0.7/0.47, dsn=2.0.0, status=sent (250 Ok 0000015017ae82c0-141b91c6-6fbc-42f2-a1f7-fafd14ca53c0-000000)",
        "dsn": "2.0.0",
        "logsource": "blahblah",
        "pid": "11720",
        "program": "postfix/smtp",
        "queue_id": "BDD053BA050",
        "relay": "email-smtp.us-east-1.amazonaws.com[54.243.69.182]:25",
        "status": "sent",
        "timestamp": "Jul 25 21:14:10",
        "to": "[email protected]"
    },
    "@message": "Jul 25 21:14:10 onep-01 postfix/smtp[11720]: BDD053BA050: to=<[email protected]>, relay=email-smtp.us-east-1.amazonaws.com[54.243.69.182]:25, delay=1.2, delays=0.01/0.01/0.7/0.47, dsn=2.0.0, status=sent (250 Ok 0000015017ae82c0-141b91c6-6fbc-42f2-a1f7-fafd14ca53c0-000000)",
    "@source": "file://log-abc.exosite.biz//tmp/crap.log",
    "@source_host": "log-abc.exosite.biz",
    "@source_path": "//tmp/crap.log",
    "@tags": [
        "email_specific",
        "structured"
    ],
    "@timestamp": "2013-07-25T21:14:10.000Z",
    "@type": "postfix"
 }
	filter {
	# Capture all the generic syslog stuff and populate @timestamp
	if [type] == "postfix" {
	grok {
	match => [ "message", "%{SYSLOGBASE} %{GREEDYDATA:_syslog_payload}" ]
	singles => true
	}
	# Postfix pads single-digit numbers with spaces (WHYYYYY)
	mutate { gsub => [ "timestamp", " ", " 0" ] }
	date { match => [ "timestamp", "MMM dd HH:mm:ss"] }

	# Tag email_specific events (events that are about a particular email)
	if [_syslog_payload] =~ /[0-9A-F]+: / {
	grok {
	singles => true
	match => [ "_syslog_payload", "%{BASE16NUM:queue_id}: %{GREEDYDATA:details}" ]
	}
	}

	# We assume there are key-value pairs in details if it contains
	# an '=' character.
	if [details] =~ /=/ {
	kv { source => "details" trim => "<>," }
	}

	mutate { remove_field => [ "_syslog_payload" ] }
	}
	}


	This ends up producing entries like:

	{
	"@fields": {
	"delay": "1.2",
	"delays": "0.01/0.01/0.7/0.47",
	"details": "to=<[email protected]>, relay=email-smtp.us-east-1.amazonaws.com[54.243.69.182]:25, delay=1.2, delays=0.01/0.01/0.7/0.47, dsn=2.0.0, status=sent (250 Ok 0000015017ae82c0-141b91c6-6fbc-42f2-a1f7-fafd14ca53c0-000000)",
	"dsn": "2.0.0",
	"logsource": "blahblah",
	"pid": "11720",
	"program": "postfix/smtp",
	"queue_id": "BDD053BA050",
	"relay": "email-smtp.us-east-1.amazonaws.com[54.243.69.182]:25",
	"status": "sent",
	"timestamp": "Jul 25 21:14:10",
	"to": "[email protected]"
	},
	"@message": "Jul 25 21:14:10 onep-01 postfix/smtp[11720]: BDD053BA050: to=<[email protected]>, relay=email-smtp.us-east-1.amazonaws.com[54.243.69.182]:25, delay=1.2, delays=0.01/0.01/0.7/0.47, dsn=2.0.0, status=sent (250 Ok 0000015017ae82c0-141b91c6-6fbc-42f2-a1f7-fafd14ca53c0-000000)",
	"@source": "file://log-abc.exosite.biz//tmp/crap.log",
	"@source_host": "log-abc.exosite.biz",
	"@source_path": "//tmp/crap.log",
	"@tags": [
	"email_specific",
	"structured"
	],
	"@timestamp": "2013-07-25T21:14:10.000Z",
	"@type": "postfix"
	}