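# Logstash pipeline: receive Postfix syslog lines from Beats shippers, split
# off the syslog header, and index the events into daily Elasticsearch indices.

input {
  # Beats listener; every event created here is given type "postfix" unless
  # the shipper already set a type.
  # NOTE(review): no TLS settings are configured, so shippers connect in
  # cleartext and without authentication. Mail logs carry sender and recipient
  # addresses; enable the beats input's TLS options with client-certificate
  # verification, or restrict the listener to a trusted network.
  beats {
    type => "postfix"
    port => 5044
  }
}

filter {
  if [type] == "postfix" {
    grok {
      # Syslog header: timestamp, host, program name, optional "[pid]", then
      # the remaining text. Only `program` and `message` are captured; the
      # timestamp and host are matched but not stored, so @timestamp (and the
      # daily index below) reflects the event's existing timestamp, not the
      # time written in the log line.
      match => { "message" => "%{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA:program}(?:\[%{POSINT}\])?: %{GREEDYDATA:message}" }
      # `message` already exists on the event. Without `overwrite`, grok
      # appends the capture and `message` becomes a two-element array (raw
      # line plus parsed remainder) instead of the parsed remainder alone.
      overwrite => [ "message" ]
    }
  }
}

output {
  # One index per day, named from the event's @timestamp.
  # NOTE(review): `type` is kept from the original configuration, but it does
  # not appear to be a setting of current elasticsearch output releases. If
  # the pipeline fails validation here, wrap this output in an
  # `if [type] == "postfix"` conditional instead; confirm against the
  # installed plugin version.
  # NOTE(review): no credentials or TLS are configured. That is only
  # reasonable while Elasticsearch is bound to localhost; revisit if `hosts`
  # ever points at a remote node.
  elasticsearch {
    type => "postfix"
    hosts => "localhost:9200"
    index => "postfix-%{+YYYY.MM.dd}"
  }
}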