Сравнение постов

Различия между постами #128398 (21.10.2019 18:01) и #220909 (17.09.2021 10:34).
input {
    # Receive events from Beats shippers (e.g. Filebeat) on TCP port 5044.
    # No ssl / ssl_certificate / ssl_key options are configured on this listener,
    # so the transport is plaintext and any shipper that can reach the port may
    # deliver events; the port should only be reachable from the log sources.
    beats {
        port => 5044
    }
}
filter {
    # Stage 1: split a raw syslog line into its envelope and its payload.
    # The grok below captures the syslog program name into [program] and then
    # replaces [message] with the bare payload (the text after "program[pid]: "),
    # which is what the postfix-specific patterns later in this file work on.
    # A line that does not match keeps its original [message] and gets the
    # plugin's default _grokparsefailure tag.
    grok {
        match     => { "message" => "%{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA:program}(?:\[%{POSINT}\])?: %{GREEDYDATA:message}" }
        overwrite => [ "message" ]
    }

    # Keep the originating host under [server] instead of [host].
    # NOTE(review): newer Beats shippers send [host] as an object (host.name,
    # host.ip, ...); converting that to "string" will not give a plain hostname.
    # Confirm against the shipper version in use.
    mutate {
        rename  => { "host" => "server" }
        convert => { "server" => "string" }
    }
}
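filter {
    # Stage 2: postfix-specific parsing.
    # Expects [program] and the bare payload in [message] to have been produced
    # by the earlier filter section of this file, and the POSTFIX_* grok
    # patterns to exist under /etc/logstash/patterns.
    #
    # NOTE(review): field names in this section use the dotted "postfix."
    # prefix (see the kv prefix and the convert list below). The POSTFIX_*
    # patterns in patterns_dir must capture into the same dotted names
    # (postfix.keyvalue_data, postfix.command_counter_data, ...) or none of
    # the conditionals below ever fire — confirm against the pattern files,
    # which are not part of this page. The kv remove_field / per-field grok
    # sources below were previously spelled with an underscore
    # (postfix_keyvalue_data, ...) and so never referred to the field that the
    # surrounding conditional tests; they are aligned to the dotted form here.

    # Grok log lines by program name. Every pattern is anchored at both ends,
    # and the daemon regexes are mutually exclusive (the daemon name must be
    # followed by end-of-string), so branch order does not change results.
    # A line that fails its daemon's pattern keeps the raw [message] and gets a
    # per-daemon "_nomatch" tag instead of the generic _grokparsefailure, which
    # makes unparsed input easy to find and alert on.
    if [program] =~ /^postfix.*\/anvil$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_ANVIL}$" ]
            tag_on_failure => [ "_grok_postfix_anvil_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/bounce$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_BOUNCE}$" ]
            tag_on_failure => [ "_grok_postfix_bounce_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/cleanup$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_CLEANUP}$" ]
            tag_on_failure => [ "_grok_postfix_cleanup_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/dnsblog$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_DNSBLOG}$" ]
            tag_on_failure => [ "_grok_postfix_dnsblog_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/error$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_ERROR}$" ]
            tag_on_failure => [ "_grok_postfix_error_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/local$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_LOCAL}$" ]
            tag_on_failure => [ "_grok_postfix_local_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/master$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_MASTER}$" ]
            tag_on_failure => [ "_grok_postfix_master_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/pickup$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_PICKUP}$" ]
            tag_on_failure => [ "_grok_postfix_pickup_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/pipe$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_PIPE}$" ]
            tag_on_failure => [ "_grok_postfix_pipe_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/postdrop$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_POSTDROP}$" ]
            tag_on_failure => [ "_grok_postfix_postdrop_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/postscreen$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_POSTSCREEN}$" ]
            tag_on_failure => [ "_grok_postfix_postscreen_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/qmgr$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_QMGR}$" ]
            tag_on_failure => [ "_grok_postfix_qmgr_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/scache$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_SCACHE}$" ]
            tag_on_failure => [ "_grok_postfix_scache_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/sendmail$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_SENDMAIL}$" ]
            tag_on_failure => [ "_grok_postfix_sendmail_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/smtp$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_SMTP}$" ]
            tag_on_failure => [ "_grok_postfix_smtp_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/lmtp$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_LMTP}$" ]
            tag_on_failure => [ "_grok_postfix_lmtp_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/smtpd$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_SMTPD}$" ]
            tag_on_failure => [ "_grok_postfix_smtpd_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/postsuper$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_POSTSUPER}$" ]
            tag_on_failure => [ "_grok_postfix_postsuper_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/tlsmgr$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_TLSMGR}$" ]
            tag_on_failure => [ "_grok_postfix_tlsmgr_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/tlsproxy$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_TLSPROXY}$" ]
            tag_on_failure => [ "_grok_postfix_tlsproxy_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/trivial-rewrite$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_TRIVIAL_REWRITE}$" ]
            tag_on_failure => [ "_grok_postfix_trivial_rewrite_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/discard$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_DISCARD}$" ]
            tag_on_failure => [ "_grok_postfix_discard_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*\/virtual$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "message", "^%{POSTFIX_VIRTUAL}$" ]
            tag_on_failure => [ "_grok_postfix_virtual_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    } else if [program] =~ /^postfix.*/ {
        # Catch-all for postfix daemons that have no dedicated pattern above:
        # the event is only tagged, never parsed.
        mutate {
            add_tag => [ "_grok_postfix_program_nomatch" ]
        }
    }

    # Process key-value data if it exists. kv expands the "key=value, ..."
    # capture into postfix.<key> fields; the raw capture is dropped once it
    # has been expanded (remove_field only runs when kv succeeds).
    if [postfix.keyvalue_data] {
        kv {
            source       => "postfix.keyvalue_data"
            trim_value   => "<>,"
            prefix       => "postfix."
            remove_field => [ "postfix.keyvalue_data" ]
        }

        # Some post processing of key-value data: split the composite
        # client / relay / delays values into their components, then drop the
        # composite field on success.
        if [postfix.client] {
            grok {
                patterns_dir   => "/etc/logstash/patterns"
                match          => [ "postfix.client", "^%{POSTFIX_CLIENT_INFO}$" ]
                tag_on_failure => [ "_grok_kv_postfix_client_nomatch" ]
                remove_field   => [ "postfix.client" ]
            }
        }
        if [postfix.relay] {
            grok {
                patterns_dir   => "/etc/logstash/patterns"
                match          => [ "postfix.relay", "^%{POSTFIX_RELAY_INFO}$" ]
                tag_on_failure => [ "_grok_kv_postfix_relay_nomatch" ]
                remove_field   => [ "postfix.relay" ]
            }
        }
        if [postfix.delays] {
            grok {
                patterns_dir   => "/etc/logstash/patterns"
                match          => [ "postfix.delays", "^%{POSTFIX_DELAYS}$" ]
                tag_on_failure => [ "_grok_kv_postfix_delays_nomatch" ]
                remove_field   => [ "postfix.delays" ]
            }
        }
    }

    # Process command counter data if it exists. The grok source and the
    # remove_field are the same field the conditional tests; previously the
    # match ran against the underscore-named field, so the two could disagree.
    if [postfix.command_counter_data] {
        grok {
            patterns_dir   => "/etc/logstash/patterns"
            match          => [ "postfix.command_counter_data", "^%{POSTFIX_COMMAND_COUNTER_DATA}$" ]
            tag_on_failure => [ "_grok_postfix_command_counter_data_nomatch" ]
            remove_field   => [ "postfix.command_counter_data" ]
        }
    }

    # Do some data type conversions so the numeric fields are indexed as
    # numbers rather than strings. Fields absent from an event are skipped.
    mutate {
        convert => [
            # list of integer fields
            "postfix.anvil_cache_size", "integer",
            "postfix.anvil_conn_count", "integer",
            "postfix.anvil_conn_rate", "integer",
            "postfix.client_port", "integer",
            "postfix.cmd_auth", "integer",
            "postfix.cmd_auth_accepted", "integer",
            "postfix.cmd_count", "integer",
            "postfix.cmd_count_accepted", "integer",
            "postfix.cmd_data", "integer",
            "postfix.cmd_data_accepted", "integer",
            "postfix.cmd_ehlo", "integer",
            "postfix.cmd_ehlo_accepted", "integer",
            "postfix.cmd_helo", "integer",
            "postfix.cmd_helo_accepted", "integer",
            "postfix.cmd_mail", "integer",
            "postfix.cmd_mail_accepted", "integer",
            "postfix.cmd_quit", "integer",
            "postfix.cmd_quit_accepted", "integer",
            "postfix.cmd_rcpt", "integer",
            "postfix.cmd_rcpt_accepted", "integer",
            "postfix.cmd_rset", "integer",
            "postfix.cmd_rset_accepted", "integer",
            "postfix.cmd_starttls", "integer",
            "postfix.cmd_starttls_accepted", "integer",
            "postfix.cmd_unknown", "integer",
            "postfix.cmd_unknown_accepted", "integer",
            "postfix.nrcpt", "integer",
            "postfix.postscreen_cache_dropped", "integer",
            "postfix.postscreen_cache_retained", "integer",
            "postfix.postscreen_dnsbl_rank", "integer",
            "postfix.relay_port", "integer",
            "postfix.server_port", "integer",
            "postfix.size", "integer",
            "postfix.status_code", "integer",
            "postfix.termination_signal", "integer",

            # list of float fields
            "postfix.delay", "float",
            "postfix.delay_before_qmgr", "float",
            "postfix.delay_conn_setup", "float",
            "postfix.delay_in_qmgr", "float",
            "postfix.delay_transmission", "float",
            "postfix.postscreen_violation_time", "float"
        ]
    }

    # The host -> server rename and the string conversion are already done by
    # the first filter section of this file, which runs before this one; the
    # duplicate mutate that used to sit here was a no-op on the second pass
    # and has been removed.
}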
output {
    # Send every event to a single Elasticsearch node on the local host, into
    # a daily index named from the event's @timestamp (postfix-YYYY.MM.dd).
    # No user / password / ssl options are set, so this is plain HTTP to
    # localhost:9200; if the cluster is ever moved off this host, add
    # authentication and TLS rather than only changing `hosts`.
    elasticsearch {
        hosts => [ "localhost:9200" ]
        index => "postfix-%{+YYYY.MM.dd}"
    }
}