I am working on getting the logs from our smtp gateway into elasticsearch and using logstash to parse the separate syslog events. Now, unfortunately the gateway events are kind of tricky.
Each event has a different format which I am able to parse with different grok patterns. I am, however, not able yet to aggregate the events.
Each incoming mail has a unique smtp-id (like a postfix queue id) but for each incoming mail I have multiple syslog entries.
What I would like to do is to aggregate all events with the same smtp-id but with different fields into one elasticsearch document.
Unfortunately I have no idea yet how to achieve this.
Any tips will be highly appreciated.
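One way to merge the per-message syslog lines into a single document is Logstash's `aggregate` filter keyed on the smtp-id. This is an added example, not part of the original post; the syslog line format, the field names (`smtp_id`, `mail_from`, `rcpt_to`, `status`) and the 300 s timeout are assumptions, so the grok patterns must be adapted to the real gateway output.

```logstash
# Constructed sample lines this pipeline expects (hypothetical gateway format):
#   Mar 10 12:00:01 gw mta[123]: ABC123: from=<a@example.com>
#   Mar 10 12:00:01 gw mta[123]: ABC123: to=<b@example.org>
#   Mar 10 12:00:02 gw mta[123]: ABC123: status=delivered
#
# The aggregate filter keeps state in memory, so Logstash must run with a
# single worker for this pipeline: set "pipeline.workers: 1" or start with -w 1.

filter {
  # One pattern per event type; grok stops at the first pattern that matches.
  grok {
    match => {
      "message" => [
        "^%{SYSLOGBASE} %{WORD:smtp_id}: from=<%{DATA:mail_from}>$",
        "^%{SYSLOGBASE} %{WORD:smtp_id}: to=<%{DATA:rcpt_to}>$",
        "^%{SYSLOGBASE} %{WORD:smtp_id}: status=%{WORD:status}$"
      ]
    }
  }

  if [smtp_id] {
    aggregate {
      task_id => "%{smtp_id}"
      # 'map' is the per-smtp-id accumulator; each partial event adds its
      # fields to it and is then cancelled so only the merged document is indexed.
      code => "
        map['mail_from'] ||= event.get('mail_from') if event.get('mail_from')
        (map['rcpt_to'] ||= []) << event.get('rcpt_to') if event.get('rcpt_to')
        map['status'] = event.get('status') if event.get('status')
        event.cancel()
      "
      # Emit the accumulated map as one event once no line for this id has
      # been seen for 300 s (assumed to exceed the gateway's delivery time).
      push_map_as_event_on_timeout => true
      timeout_task_id_field => "smtp_id"
      timeout => 300
      timeout_tags => ["aggregated"]
    }
  }
}

output {
  if "aggregated" in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "smtp-gateway"
      # Use the smtp-id as document id so replaying logs updates instead of duplicating.
      document_id => "%{smtp_id}"
    }
  }
}
```

Lines that match none of the grok patterns keep a `_grokparsefailure` tag and are not aggregated, which is a useful signal that a new event format needs its own pattern.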