Elastic-agent and postfix logs

Has anyone integrated elastic-agent and postfix in a really good way? As in, made the agent split the log messages up into useful fields.

I've successfully configured the Custom Logs integration to pull in my postfix logs, but there is no automatic parsing of them.

I'm guessing there is a way to do so via the advanced config, but haven't dug into how that might work yet. I'm really hoping someone else would be willing to share their solution.

Oh, and I'll throw out the suggestion that Elastic should add an official postfix integration. :slight_smile:

Thanks in advance!

Adding processors does work in the Custom configurations field.

At least for dropping some events.

I tried using the dissect processor like so:

  processors:
  - dissect:
      tokenizer: '%{log_timestamp} %{host.name} %{process}[%{pid}]: %{queueid}: %{message}'
      field: "message"
      target_prefix: ""

But nothing happened. I'm guessing the tokenizer splits things up on spaces, so the timestamp having spaces in it would make things not match.

I also discovered you can use grok in ingest pipelines. But I am unsure how to apply a pipeline to a specific data stream. I don't think we want to apply it to every doc that gets pushed into my stack...

Thanks to My Elastic Stack Observability Wishlist - #2 by cjcenizal I was able to add my pipeline to my custom logs via the Custom configurations field. :slight_smile:

Just add pipeline: name-of-pipeline.
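As an added example (not code from this thread), here is a grok pattern for the postfix syslog line shape discussed above, with the queue id made optional because lines such as "connect from ..." do not carry one, plus a small Python expander that resolves a subset of the default grok patterns into a regex so the pattern can be checked offline against constructed sample lines before it goes into an ingest pipeline. The pattern library here is an assumption: a simplified subset in which MONTH and SYSLOGHOST are reduced to what postfix lines need, not Elastic's full library.

```python
import re

# Simplified subset of Elasticsearch's default grok pattern library (assumption:
# MONTH and SYSLOGHOST are reduced to what postfix syslog lines need).
GROK_PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "TIME": r"(?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5]?[0-9]|60)",
    # ' +' absorbs the double space syslog uses for single-digit days ("Jan  5")
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "SYSLOGHOST": r"[A-Za-z0-9._-]+",
    "DATA": r".*?",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "WORD": r"\b\w+\b",
    "GREEDYDATA": r".*",
}

# Grok pattern for a postfix syslog line; the queue id is optional because
# lines such as "connect from ..." do not carry one.
POSTFIX_GROK = (
    r"^%{SYSLOGTIMESTAMP:log_timestamp} %{SYSLOGHOST:host.name} "
    r"%{DATA:process}\[%{POSINT:pid}\]: (?:%{WORD:queueid}: )?%{GREEDYDATA:message}$"
)

GROK_REF = re.compile(r"%\{(\w+)(?::([\w.]+))?\}")

def grok_to_regex(pattern: str) -> "re.Pattern[str]":
    """Expand %{NAME} / %{NAME:field} references (recursively) into a regex."""
    def expand(m: "re.Match[str]") -> str:
        name, field = m.group(1), m.group(2)
        inner = GROK_REF.sub(expand, GROK_PATTERNS[name])
        if field is None:
            return f"(?:{inner})"
        # Python group names cannot contain dots, so host.name -> host__name
        return f"(?P<{field.replace('.', '__')}>{inner})"
    return re.compile(GROK_REF.sub(expand, pattern))


POSTFIX_RE = grok_to_regex(POSTFIX_GROK)


def parse_postfix(line: str) -> "dict | None":
    """Return the extracted fields, or None when the line does not match."""
    m = POSTFIX_RE.match(line)
    if m is None:
        return None
    return {k.replace("__", "."): v for k, v in m.groupdict().items() if v is not None}


# Constructed sample lines (not real traffic); the second one has no queue id.
SAMPLE_LINES = [
    "Jan  5 10:02:17 mx1 postfix/smtpd[1234]: 3F2A1C0B7: client=example.org[203.0.113.5]",
    "Jan 15 10:02:18 mx1 postfix/smtpd[1234]: connect from unknown[198.51.100.7]",
]
```

The same POSTFIX_GROK string can be dropped into a grok processor of the ingest pipeline named in the pipeline: setting; lines that do not match (parse_postfix returns None) are the ones that would need an on_failure handler there.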
