Help with creating a Logstash configuration file for Postfix log analysis

Hello everybody

Can someone help me correctly create a configuration file that will display the following fields from the Postfix log

to
from
status
Message-id

in Kibana on one line, and not as in the screenshot?

I will be grateful for your help

thank you!

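filter {
  # Parse only events tagged fields.server == "postfix"; everything else is dropped in the else branch.
  if [fields][server] == "postfix" {
    # Split the line into the syslog header, the token before the first ": ", and the remainder.
    # On delivery lines that token is the Postfix queue ID (or "NOQUEUE" on rejects);
    # on other lines it can be a plain word such as "warning".
    grok {
      match => { "message" => "%{SYSLOGBASE:log_timestamp} %{DATA:log_source}: %{GREEDYDATA:log_message}" }
    }

    # The addresses below are envelope values supplied by the remote client, so treat them
    # as untrusted text wherever they are reused (alerts, lookups, dashboards).
    if [log_message] =~ /to=</ {
      grok {
        match => { "log_message" => "to=<(?<send_email_to>[^>]+)>" }
      }
    }

    if [log_message] =~ /from=</ {
      grok {
        # [^>]* (not +) so the null sender "from=<>" used by bounces matches instead of
        # raising _grokparsefailure; grok drops empty captures by default, so no field is added.
        match => { "log_message" => "from=<(?<send_email_from>[^>]*)>" }
      }
    }

    if [log_message] =~ /status/ {
      grok {
        match => { "log_message" => "status=%{DATA:status_send}\s" }
      }
    }

    if [log_message] =~ /message-id=<[^>]+>/ {
      grok {
        match => { "log_message" => "message-id=<%{DATA:message_id}>" }
      }
    }

    # rename instead of add_field: add_field ran even when the grok above did not match and
    # then stored the literal text "%{send_email_to}" etc. as the field value. rename simply
    # skips a source field that does not exist.
    #
    # Postfix logs from=, to=/status= and message-id= on different lines of the same delivery,
    # so they arrive as separate events. The queue ID is the value those lines share, so it is
    # kept here as the key for correlating them (in Kibana, or with a later correlation step
    # such as the aggregate filter) rather than being deleted.
    mutate {
      rename => {
        "send_email_to"   => "Send Email To"
        "send_email_from" => "Send Email From"
        "status_send"     => "Status Send"
        "message_id"      => "Message ID"
        "log_source"      => "Queue ID"
      }
    }

    # Scratch fields that are no longer needed once the values above have been extracted.
    mutate {
      remove_field => ["log_message", "log_timestamp"]
    }
  } else {
    # NOTE(review): every event without fields.server == "postfix" is discarded here. If this
    # pipeline ever receives other log sources, they are lost silently; confirm that is intended.
    drop {}
  }
}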
