filter { # grok log lines by program name (listed alpabetically) if [program] =~ /^postfix.*\/anvil$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_ANVIL}$" ] tag_on_failure => [ "_grok_postfix_anvil_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/bounce$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_BOUNCE}$" ] tag_on_failure => [ "_grok_postfix_bounce_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/cleanup$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_CLEANUP}$" ] tag_on_failure => [ "_grok_postfix_cleanup_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/dnsblog$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_DNSBLOG}$" ] tag_on_failure => [ "_grok_postfix_dnsblog_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/error$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_ERROR}$" ] tag_on_failure => [ "_grok_postfix_error_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/local$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_LOCAL}$" ] tag_on_failure => [ "_grok_postfix_local_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/master$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_MASTER}$" ] tag_on_failure => [ "_grok_postfix_master_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/pickup$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_PICKUP}$" ] tag_on_failure => [ "_grok_postfix_pickup_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/pipe$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_PIPE}$" ] tag_on_failure => [ "_grok_postfix_pipe_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/postdrop$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_POSTDROP}$" ] tag_on_failure => [ "_grok_postfix_postdrop_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/postscreen$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_POSTSCREEN}$" ] tag_on_failure => [ "_grok_postfix_postscreen_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/qmgr$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_QMGR}$" ] tag_on_failure => [ "_grok_postfix_qmgr_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/scache$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_SCACHE}$" ] tag_on_failure => [ "_grok_postfix_scache_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/sendmail$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_SENDMAIL}$" ] tag_on_failure => [ "_grok_postfix_sendmail_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/smtp$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_SMTP}$" ] tag_on_failure => [ "_grok_postfix_smtp_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/lmtp$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_LMTP}$" ] tag_on_failure => [ "_grok_postfix_lmtp_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/smtpd$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_SMTPD}$" ] tag_on_failure => [ "_grok_postfix_smtpd_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/postsuper$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_POSTSUPER}$" ] tag_on_failure => [ "_grok_postfix_postsuper_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/tlsmgr$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_TLSMGR}$" ] tag_on_failure => [ "_grok_postfix_tlsmgr_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/tlsproxy$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_TLSPROXY}$" ] tag_on_failure => [ "_grok_postfix_tlsproxy_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/trivial-rewrite$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_TRIVIAL_REWRITE}$" ] tag_on_failure => [ "_grok_postfix_trivial_rewrite_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/discard$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_DISCARD}$" ] tag_on_failure => [ "_grok_postfix_discard_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/virtual$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_VIRTUAL}$" ] tag_on_failure => [ "_grok_postfix_virtual_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/postmap$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_POSTMAP}$" ] tag_on_failure => [ "_grok_postfix_postmap_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/postfix-script$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_SCRIPT}$" ] tag_on_failure => [ "_grok_postfix_script_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/verify$/ { grok { patterns_dir => "/etc/logstash/patterns.d" match => [ "message", "^%{POSTFIX_VERIFY}$" ] tag_on_failure => [ "_grok_postfix_verify_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*/ { mutate { add_tag => [ "_grok_postfix_program_nomatch" ] } } # process key-value data if it exists if [postfix_keyvalue_data] { kv { source => "postfix_keyvalue_data" trim_value => "<>," prefix => "postfix_" remove_field => [ "postfix_keyvalue_data" ] } # some post processing of key-value data if [postfix_client] { grok { patterns_dir => "/etc/logstash/patterns.d" match => ["postfix_client", "^%{POSTFIX_CLIENT}$"] tag_on_failure => [ "_grok_kv_postfix_client_nomatch" ] remove_field => [ "postfix_client" ] } } if [postfix_relay] { grok { patterns_dir => "/etc/logstash/patterns.d" match => ["postfix_relay", "^%{POSTFIX_RELAY}$"] tag_on_failure => [ "_grok_kv_postfix_relay_nomatch" ] remove_field => [ "postfix_relay" ] } } if [postfix_delays] { grok { patterns_dir => "/etc/logstash/patterns.d" match => ["postfix_delays", "^%{POSTFIX_DELAYS}$"] tag_on_failure => [ "_grok_kv_postfix_delays_nomatch" ] remove_field => [ "postfix_delays" ] } } } # process command counter data if it exists if [postfix_command_counter_data] { grok { patterns_dir => "/etc/logstash/patterns.d" match => ["postfix_command_counter_data", "^%{POSTFIX_COMMAND_COUNTER_DATA}$"] tag_on_failure => ["_grok_postfix_command_counter_data_nomatch"] remove_field => ["postfix_command_counter_data"] } } # Do some data type conversions mutate { convert => [ # list of integer fields "postfix_anvil_cache_size", "integer", "postfix_anvil_conn_count", "integer", "postfix_anvil_conn_rate", "integer", "postfix_client_port", "integer", "postfix_cmd_auth", "integer", "postfix_cmd_auth_accepted", "integer", "postfix_cmd_bdat", "integer", "postfix_cmd_bdat_accepted", "integer", "postfix_cmd_count", "integer", "postfix_cmd_count_accepted", "integer", "postfix_cmd_data", "integer", "postfix_cmd_data_accepted", "integer", "postfix_cmd_ehlo", "integer", "postfix_cmd_ehlo_accepted", "integer", "postfix_cmd_helo", "integer", "postfix_cmd_helo_accepted", "integer", "postfix_cmd_mail", "integer", "postfix_cmd_mail_accepted", "integer", "postfix_cmd_noop", "integer", "postfix_cmd_noop_accepted", "integer", "postfix_cmd_quit", "integer", "postfix_cmd_quit_accepted", "integer", "postfix_cmd_rcpt", "integer", "postfix_cmd_rcpt_accepted", "integer", "postfix_cmd_rset", "integer", "postfix_cmd_rset_accepted", "integer", "postfix_cmd_starttls", "integer", "postfix_cmd_starttls_accepted", "integer", "postfix_cmd_unknown", "integer", "postfix_cmd_unknown_accepted", "integer", "postfix_nrcpt", "integer", "postfix_postscreen_cache_dropped", "integer", "postfix_postscreen_cache_retained", "integer", "postfix_postscreen_dnsbl_rank", "integer", "postfix_relay_port", "integer", "postfix_server_port", "integer", "postfix_size", "integer", "postfix_status_code", "integer", "postfix_termination_signal", "integer", "postfix_tls_server_signature_size", "integer", "postfix_verify_cache_dropped", "integer", "postfix_verify_cache_retained", "integer", # list of float fields "postfix_delay", "float", "postfix_delay_before_qmgr", "float", "postfix_delay_conn_setup", "float", "postfix_delay_in_qmgr", "float", "postfix_delay_transmission", "float", "postfix_postscreen_violation_time", "float" ] } }