Reputation: 3240
I am setting up the ELK stack with logstash and logstash forwarders. I am currently trying to use this grok pattern for postfix logging: https://github.com/whyscream/postfix-grok-patterns
Within logstash, I included the 2 files that are mentioned in the repository.
This is what's in my forwarder:
"files": [
  {
    "paths": [ "/var/log/maillog" ],
    "fields": { "type": "postfix" }
  }
]
This is the result I am getting back:
       "message" => "Jul 18 10:00:05 XXXX postfix/smtp[XXXX]: XXXX: to=<XXXX>, orig_to=<XXX>, relay=XXXXX, delay=0.35, delays=0/0.02/0.09/0.24, dsn=2.0.0, status=sent (250 Ok XXXXX)",
      "@version" => "1",
    "@timestamp" => "2015-07-18T20:17:06.796Z",
          "type" => "postfix",
          "file" => "/var/log/maillog",
          "host" => "XXXX",
        "offset" => "285776"
I believe I am missing a vital part. I think I need to do something upfront, since "syslogs" is mentioned in the repository and, within the grok, a check is being performed for program.
Which step am I missing? I am using logstash 1.5.x.
Thanks for your help!
Upvotes: 0
Views: 2186
Reputation: 3240
This finally did the trick:
filter {
  if [type] =~ "postfix" {
    grok {
      match => [ "message", "%{SYSLOGBASE} %{GREEDYDATA:message}" ]
      overwrite => [ "message" ]
    }
  }
}
Upvotes: 1
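The two-stage parse the answer describes, shown as an added example rather than code from the question, the answer or the postfix-grok-patterns repository: a constructed approximation of SYSLOGBASE splits the syslog prefix off and overwrites "message" with the remainder, so a program check and a postfix/smtp pattern can then run on a clean line. The regexes, the field names and the sample event are assumptions built for this example, not the repository's actual patterns.

```python
import re

# Constructed approximation of logstash's SYSLOGBASE (timestamp, logsource,
# program[pid]:). Not the grok library's own pattern.
SYSLOGBASE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>\S+) "
    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<rest>.*)$"
)

# Constructed approximation of a postfix/smtp delivery-status pattern.
POSTFIX_SMTP = re.compile(
    r"^(?P<queueid>\S+): to=<(?P<to>[^>]*)>, "
    r"(?:orig_to=<(?P<orig_to>[^>]*)>, )?"
    r"relay=(?P<relay>\S+), delay=(?P<delay>[\d.]+), "
    r"delays=(?P<delays>[\d./]+), dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<status_message>.*)\)$"
)

def syslog_split(event):
    """Stage 1 (the answer's filter): match SYSLOGBASE, copy its fields onto
    the event and overwrite 'message' with the remainder of the line."""
    m = SYSLOGBASE.match(event["message"])
    if not m:
        return {**event, "tags": event.get("tags", []) + ["_grokparsefailure"]}
    out = dict(event)
    out.update({k: v for k, v in m.groupdict().items() if k != "rest" and v is not None})
    out["message"] = m.group("rest")
    return out

def postfix_parse(event):
    """Stage 2: the postfix pattern only runs when 'program' is set by stage 1;
    on an unsplit event it has nothing to key on and leaves the event untouched."""
    if event.get("program") != "postfix/smtp":
        return event
    m = POSTFIX_SMTP.match(event["message"])
    if not m:
        return {**event, "tags": event.get("tags", []) + ["_grokparsefailure"]}
    out = dict(event)
    out.update({k: v for k, v in m.groupdict().items() if v is not None})
    return out

# Constructed sample event, shaped like the one in the question (values are made up).
SAMPLE = {"type": "postfix", "message": "Jul 18 10:00:05 mailhost postfix/smtp[1234]: ABCDEF: to=<user@example.com>, orig_to=<alias@example.com>, relay=mx.example.net[192.0.2.1]:25, delay=0.35, delays=0/0.02/0.09/0.24, dsn=2.0.0, status=sent (250 Ok 42)"}

if __name__ == "__main__":
    print(postfix_parse(SAMPLE))                 # unsplit: no program, nothing extracted
    print(postfix_parse(syslog_split(SAMPLE)))   # split first: to, relay, dsn, status appear
```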