input {
  beats {
    port => 5044
    # No TLS is configured on this listener: any host that can reach port 5044
    # can inject events into the pipeline. Restrict it with a firewall or enable
    # the beats input's ssl / ssl_certificate / ssl_key options before exposing it.
  }
}

filter {
  # Split the syslog header off and keep only the program's own text in "message".
  grok {
    match     => { "message" => "%{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA:program}(?:\[%{POSINT}\])?: %{GREEDYDATA:message}" }
    overwrite => "message"
  }
}

filter {
  # grok log lines by program name (roughly alphabetical; the anchored regexes
  # are mutually exclusive, so the order of the branches does not change matching)
  if [program] =~ /^postfix.*\/anvil$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_ANVIL}$" }
      tag_on_failure => [ "_grok_postfix_anvil_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/bounce$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_BOUNCE}$" }
      tag_on_failure => [ "_grok_postfix_bounce_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/cleanup$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_CLEANUP}$" }
      tag_on_failure => [ "_grok_postfix_cleanup_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/dnsblog$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_DNSBLOG}$" }
      tag_on_failure => [ "_grok_postfix_dnsblog_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/error$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_ERROR}$" }
      tag_on_failure => [ "_grok_postfix_error_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/local$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_LOCAL}$" }
      tag_on_failure => [ "_grok_postfix_local_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/master$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_MASTER}$" }
      tag_on_failure => [ "_grok_postfix_master_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/pickup$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_PICKUP}$" }
      tag_on_failure => [ "_grok_postfix_pickup_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/pipe$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_PIPE}$" }
      tag_on_failure => [ "_grok_postfix_pipe_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/postdrop$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_POSTDROP}$" }
      tag_on_failure => [ "_grok_postfix_postdrop_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/postscreen$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_POSTSCREEN}$" }
      tag_on_failure => [ "_grok_postfix_postscreen_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/qmgr$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_QMGR}$" }
      tag_on_failure => [ "_grok_postfix_qmgr_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/scache$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_SCACHE}$" }
      tag_on_failure => [ "_grok_postfix_scache_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/sendmail$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_SENDMAIL}$" }
      tag_on_failure => [ "_grok_postfix_sendmail_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/smtp$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_SMTP}$" }
      tag_on_failure => [ "_grok_postfix_smtp_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/lmtp$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_LMTP}$" }
      tag_on_failure => [ "_grok_postfix_lmtp_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/smtpd$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_SMTPD}$" }
      tag_on_failure => [ "_grok_postfix_smtpd_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/postsuper$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_POSTSUPER}$" }
      tag_on_failure => [ "_grok_postfix_postsuper_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/tlsmgr$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_TLSMGR}$" }
      tag_on_failure => [ "_grok_postfix_tlsmgr_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/tlsproxy$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_TLSPROXY}$" }
      tag_on_failure => [ "_grok_postfix_tlsproxy_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/trivial-rewrite$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_TRIVIAL_REWRITE}$" }
      tag_on_failure => [ "_grok_postfix_trivial_rewrite_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/discard$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_DISCARD}$" }
      tag_on_failure => [ "_grok_postfix_discard_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*\/virtual$/ {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "message" => "^%{POSTFIX_VIRTUAL}$" }
      tag_on_failure => [ "_grok_postfix_virtual_nomatch" ]
      add_tag        => [ "_grok_postfix_success" ]
    }
  } else if [program] =~ /^postfix.*/ {
    # a postfix daemon we have no pattern for
    mutate {
      add_tag => [ "_grok_postfix_program_nomatch" ]
    }
  }

  # Every field below uses the dotted "postfix." form that the conditionals and
  # the kv prefix produce. The original mixed in "postfix_..." names in
  # remove_field and in the command-counter match, which left the raw fields in
  # the event and made that grok look at a field that never exists.

  # process key-value data if it exists
  if [postfix.keyvalue_data] {
    kv {
      source       => "postfix.keyvalue_data"
      trim_value   => "<>,"
      prefix       => "postfix."
      remove_field => [ "postfix.keyvalue_data" ]
    }

    # some post processing of key-value data
    # (remove_field only fires when the grok matched, so an unparsable value
    # stays in the event next to its nomatch tag)
    if [postfix.client] {
      grok {
        patterns_dir   => "/etc/logstash/patterns"
        match          => { "postfix.client" => "^%{POSTFIX_CLIENT_INFO}$" }
        tag_on_failure => [ "_grok_kv_postfix_client_nomatch" ]
        remove_field   => [ "postfix.client" ]
      }
    }
    if [postfix.relay] {
      grok {
        patterns_dir   => "/etc/logstash/patterns"
        match          => { "postfix.relay" => "^%{POSTFIX_RELAY_INFO}$" }
        tag_on_failure => [ "_grok_kv_postfix_relay_nomatch" ]
        remove_field   => [ "postfix.relay" ]
      }
    }
    if [postfix.delays] {
      grok {
        patterns_dir   => "/etc/logstash/patterns"
        match          => { "postfix.delays" => "^%{POSTFIX_DELAYS}$" }
        tag_on_failure => [ "_grok_kv_postfix_delays_nomatch" ]
        remove_field   => [ "postfix.delays" ]
      }
    }
  }

  # process command counter data if it exists
  if [postfix.command_counter_data] {
    grok {
      patterns_dir   => "/etc/logstash/patterns"
      match          => { "postfix.command_counter_data" => "^%{POSTFIX_COMMAND_COUNTER_DATA}$" }
      tag_on_failure => [ "_grok_postfix_command_counter_data_nomatch" ]
      remove_field   => [ "postfix.command_counter_data" ]
    }
  }

  # Do some data type conversions (grok and kv leave everything as strings)
  mutate {
    convert => {
      # integer fields
      "postfix.anvil_cache_size"          => "integer"
      "postfix.anvil_conn_count"          => "integer"
      "postfix.anvil_conn_rate"           => "integer"
      "postfix.client_port"               => "integer"
      "postfix.cmd_auth"                  => "integer"
      "postfix.cmd_auth_accepted"         => "integer"
      "postfix.cmd_count"                 => "integer"
      "postfix.cmd_count_accepted"        => "integer"
      "postfix.cmd_data"                  => "integer"
      "postfix.cmd_data_accepted"         => "integer"
      "postfix.cmd_ehlo"                  => "integer"
      "postfix.cmd_ehlo_accepted"         => "integer"
      "postfix.cmd_helo"                  => "integer"
      "postfix.cmd_helo_accepted"         => "integer"
      "postfix.cmd_mail"                  => "integer"
      "postfix.cmd_mail_accepted"         => "integer"
      "postfix.cmd_quit"                  => "integer"
      "postfix.cmd_quit_accepted"         => "integer"
      "postfix.cmd_rcpt"                  => "integer"
      "postfix.cmd_rcpt_accepted"         => "integer"
      "postfix.cmd_rset"                  => "integer"
      "postfix.cmd_rset_accepted"         => "integer"
      "postfix.cmd_starttls"              => "integer"
      "postfix.cmd_starttls_accepted"     => "integer"
      "postfix.cmd_unknown"               => "integer"
      "postfix.cmd_unknown_accepted"      => "integer"
      "postfix.nrcpt"                     => "integer"
      "postfix.postscreen_cache_dropped"  => "integer"
      "postfix.postscreen_cache_retained" => "integer"
      "postfix.postscreen_dnsbl_rank"     => "integer"
      "postfix.relay_port"                => "integer"
      "postfix.server_port"               => "integer"
      "postfix.size"                      => "integer"
      "postfix.status_code"               => "integer"
      "postfix.termination_signal"        => "integer"
      # float fields
      "postfix.delay"                     => "float"
      "postfix.delay_before_qmgr"         => "float"
      "postfix.delay_conn_setup"          => "float"
      "postfix.delay_in_qmgr"             => "float"
      "postfix.delay_transmission"        => "float"
      "postfix.postscreen_violation_time" => "float"
    }
  }
}

output {
  elasticsearch {
    hosts => [ "localhost:9200" ]
    index => "postfix10-%{+YYYY.MM.dd}"
  }
}
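The pipeline above cannot be exercised without a running Logstash and the pattern files it references, so field-name mistakes (such as a `remove_field` pointing at a name the kv prefix never produces) only show up in Elasticsearch. The script below is an added example, not part of the original configuration, that replays the same stages on constructed sample lines: the syslog header grok, the per-program routing and its nomatch tags, `kv` with `trim_value => "<>,"` and `prefix => "postfix."`, the relay/client/delays post-processing, and the `mutate { convert }` casts. The POSTFIX_* grok patterns are not on this page, so `QUEUE_KV_RE` and `HOSTPORT_RE` are assumptions that approximate them for queue-id lines from postfix/smtp and postfix/qmgr only, and the names `postfix.queueid`, `postfix.response`, `postfix.relay_hostname` and `postfix.relay_ip` are assumed as well; the integer and float field names are the ones in the config's convert lists.

```python
"""Offline emulation of the Postfix parsing stages in the Logstash config above.

Added example, not the original config or the pattern files. QUEUE_KV_RE and
HOSTPORT_RE are assumptions standing in for the POSTFIX_* grok patterns that
live in /etc/logstash/patterns; only postfix/smtp and postfix/qmgr queue-id
lines are emulated, every other postfix daemon falls through to
_grok_postfix_program_nomatch here even though the config handles it.
"""
import re

# Stage 1: the syslog-header grok with overwrite => "message" (DATA is .*?, so non-greedy).
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<program>.+?)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)

# Stage 2: per-program grok. Assumed stand-in for POSTFIX_SMTP / POSTFIX_QMGR:
# "<queue id>: key=value, key=value ... (optional trailing response)".
QUEUE_KV_RE = re.compile(
    r"^(?P<queueid>[0-9A-Za-z]{6,}): (?P<keyvalue_data>[^()]*?)(?: \((?P<response>.*)\))?$"
)
POSTFIX_PROGRAM_PATTERNS = {"smtp": QUEUE_KV_RE, "qmgr": QUEUE_KV_RE}

# Stage 4: assumed stand-in for POSTFIX_RELAY_INFO / POSTFIX_CLIENT_INFO: host[ip](:port)?
HOSTPORT_RE = re.compile(r"^(?P<hostname>[^\[\]]*)\[(?P<ip>[^\]]+)\](?::(?P<port>\d+))?$")
# Postfix logs delays=a/b/c/d; these are the four float fields from the config's convert list.
DELAY_FIELDS = ("postfix.delay_before_qmgr", "postfix.delay_in_qmgr",
                "postfix.delay_conn_setup", "postfix.delay_transmission")

# Stage 5: the subset of the convert lists that the sample lines exercise.
INT_FIELDS = {"postfix.size", "postfix.nrcpt", "postfix.relay_port", "postfix.client_port"}
FLOAT_FIELDS = {"postfix.delay", *DELAY_FIELDS}


def kv_split(data, prefix="postfix.", trim="<>,"):
    """kv { trim_value => "<>," prefix => "postfix." }: whitespace-separated key=value
    tokens, tokens without "=" skipped, trim chars removed from both ends of the value
    (so "to=<a@b>," becomes postfix.to = "a@b")."""
    out = {}
    for token in data.split():
        if "=" in token:
            key, value = token.split("=", 1)
            out[prefix + key] = value.strip(trim)
    return out


def parse_line(line):
    """Run one raw syslog line through all stages and return the event dict."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"message": line, "tags": ["_grokparsefailure"]}
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    event["tags"] = []
    program = event["program"]
    if not program.startswith("postfix"):
        return event                        # non-Postfix lines pass through untouched
    suffix = program.rsplit("/", 1)[-1]     # "postfix/smtp" -> "smtp", like /^postfix.*\/smtp$/
    pattern = POSTFIX_PROGRAM_PATTERNS.get(suffix)
    if pattern is None:
        event["tags"].append("_grok_postfix_program_nomatch")
        return event
    pm = pattern.match(event["message"])
    if not pm:
        event["tags"].append(f"_grok_postfix_{suffix}_nomatch")
        return event
    event["tags"].append("_grok_postfix_success")
    event.update({"postfix." + k: v for k, v in pm.groupdict().items() if v is not None})

    # Stages 3 and 4: kv expansion, then client / relay / delays post-processing.
    # As in Logstash, remove_field only fires when the grok matched, so an
    # unparsable value stays in the event next to its nomatch tag.
    kv_data = event.pop("postfix.keyvalue_data", None)
    if kv_data is not None:
        event.update(kv_split(kv_data))
        for field in ("client", "relay"):
            raw = event.get("postfix." + field)
            if raw is None:
                continue
            hm = HOSTPORT_RE.match(raw)
            if hm is None:
                event["tags"].append(f"_grok_kv_postfix_{field}_nomatch")
                continue
            del event["postfix." + field]
            event.update({f"postfix.{field}_{k}": v for k, v in hm.groupdict().items() if v is not None})
        delays = event.get("postfix.delays")
        if delays is not None:
            parts = delays.split("/")
            if len(parts) == len(DELAY_FIELDS):
                del event["postfix.delays"]
                event.update(dict(zip(DELAY_FIELDS, parts)))
            else:
                event["tags"].append("_grok_kv_postfix_delays_nomatch")

    # Stage 5: mutate { convert }; Logstash leaves values it cannot convert untouched.
    for field, cast in [(f, int) for f in INT_FIELDS] + [(f, float) for f in FLOAT_FIELDS]:
        if field in event:
            try:
                event[field] = cast(event[field])
            except ValueError:
                pass
    return event


# Constructed sample lines (not taken from a real mail server).
SAMPLE_LINES = [
    "Mar  5 10:15:30 mail postfix/qmgr[1100]: 3A2B1C4D5E: from=<bob@example.org>, size=2048, nrcpt=1 (queue active)",
    "Mar  5 10:15:32 mail postfix/smtp[1234]: 3A2B1C4D5E: to=<alice@example.com>, "
    "relay=mx.example.net[203.0.113.5]:25, delay=1.7, delays=0.02/0.01/0.5/1.2, dsn=2.0.0, "
    "status=sent (250 2.0.0 Ok: queued as 9F8E7D6C5B)",
    "Mar  5 10:15:33 mail postfix/flush[1101]: 3A2B1C4D5E: flushed",
    "Mar  5 10:15:34 mail sshd[999]: Accepted publickey for root from 192.0.2.1 port 5555 ssh2",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        ev = parse_line(sample)
        print(ev["program"], ev["tags"], {k: v for k, v in ev.items() if k.startswith("postfix.")})
```

Running it prints one event per sample line with its tags and `postfix.*` fields, which makes the effect of each stage visible: the angle brackets and trailing commas are gone from `postfix.to` and `postfix.from`, `postfix.relay` has been replaced by its hostname/ip/port parts, `postfix.delays` by the four float fields, and `postfix.size` is an integer rather than a string. Because the nomatch tags mirror the config's `tag_on_failure` names, the same script can be extended with real log lines to see which ones would reach Elasticsearch tagged `_grok_postfix_<program>_nomatch` before a pattern change is deployed.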