Are there ECS fields for Postfix logs? Or, rather, how would you break out postfix log messages into ECS fields?
I'm looking through the docs. But I'd love it if someone would share their prior experience.
Thanks!
Edit:
Let's describe what kind of info I'm actually trying to get.
I'd like to use the queueid to detect how many individual emails are being processed. You get 5+ log entries per message, depending on how long it takes the message to get out of the queue.
I'd like to use the from= and to= fields to detect if a specific address is sending, or receiving more, or less, emails than usual.
I'd like to watch for entries with errors like "Network is unreachable".
I have a feeling that the data in the delay= and delays= fields could be useful. But I need research what they actually mean first... :\
I'm not familiar with Postfix logs, so I don't have any prior experiences or examples to share. In general with ECS, you'll want to map portions of the original event to the relevant ECS fields. You mentioned reviewing the docs already, but I'll point you towards the Getting Started section which guides you through mapping a web server log as an example.
Work to add additional fields to support email use cases is underway as an ECS RFC. The effort has been on pause, but we're planning to resume work shortly.
Also, custom fields are a way to define additional fields not present in the schema. Many data sources (like Beats modules) will need additional custom fields to capture some of their data.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.