Miquel Àngel
Reputation: 164
Parsing postfix events with grok
I'm trying to figure out how it works logstash and grok to parse messages. I have found that example ftp://ftp.linux-magazine.com/pub/listings/magazine/185/ELKstack/configfiles/etc_logstash/conf.d/5003-postfix-filter.conf
which start like this:
filter {
# grok log lines by program name (listed alpabetically)
if [program] =~ /^postfix.*\/anvil$/ {
grok{...
But don't understand where [program] is parsed. I'm using logstash 2.2 That example are not working in my logstash installation, nothing is parsed.
Upvotes: 1
Views: 1716
Answers (1)
Miquel Àngel
Reputation: 164
I answer myself.
The example assumes that the events come from syslog (in that case the field "program" are present), instead filebeats which is what I'm using to send the events to logstash.
To fix-it:
https://github.com/whyscream/postfix-grok-patterns/blob/master/ALTERNATIVE-INPUTS.md
Upvotes: 1
Related Questions
- Logstash grok filter to tag bounced messages
- Postfix Logs + Logstash + Aggregate
- How to get multiple entries of similar pattern from the same input line using grok pattern?
- Parsing log data throught grok filter (logstash)
- How to handle non-matching Logstash grok filters
- Custom metrics using grok with logstash
- Logstash '_grokparsefailure' issue
- How does the grok filter work in logstash
- Grok pattern issues with logstash and postfix