Logstash's grok GREEDYDATA pattern takes word before it starts

Marko_Todoric · March 5, 2019, 6:50pm

Hello everyone,

I've been modifying GROK patterns for postfix from GitHub - ActionScripted/elastic-kibana-postfix: Kibana dashboards, visualizations and searches for Postfix so that it can include "warning" from postfix' header_check since I've added subject to appear in log file.
I've also modified rsyslog so that log file from postfix' header_check goes into separate file.
Basically i wanted specific "postfix_to" and "postfix_from" with "subject" field. Since there is no 'subject' field i just wanted it to go to postfix_message, so there is no need to chase it through logs. But. There is a catch.

Example from log file is like this:

6F4234C1362: warning: header Subject: Embedded Net DVR: Motion Detected On Channel A3 from mail.xxx.rs[77.66.77.66]; from=from@mail.rs to=another@recipient.com proto=ESMTP helo=<mail.xxx.rs>

I've setup a pattern like this:

SEPARATOR from ([a-zA-Z0-9.]{3,}[[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}]
POSTFIX_WARNING_WITH_SUBJECT (%{POSTFIX_QUEUEID:postfix_queueid}: )?warning: header %{GREEDYDATA:postfix_message} %{SEPARATOR} from=<%{DATA:postfix_from}> to=<%{DATA:postfix_to}> proto=.*

And this pattern checks out JUST FINE in Dev Tools/Grok Debugger. But when live..
All is good except postfix_message which should contain JUST the subject with Subject prefix... But instead, it contains a word before GREEDYDATA and a word AFTER.

This is from Grok Debugger:

{
"postfix_to": "another@recipient.com",
"postfix_queueid": "6F4234C1362",
"postfix_subject": "Subject: Embedded Net DVR: Motion Detected On Channel A3 ",
"postfix_from": "from@mail.rs"
}

I love this ! This is cool!
But live i get this

"postfix_message": " header Subject: Embedded Net DVR: Motion Detected On Channel A3 from mail.3dnet.rs[77.105.38.87]"

to, from and queueid are fine.
Why is that so ?

Badger · March 5, 2019, 8:37pm

You have not given us the definitons of all the patterns you are using, so it is hard to tell.

Marko_Todoric · March 6, 2019, 5:22pm

These are the patterns

github.com

whyscream/postfix-grok-patterns/blob/master/postfix.grok

# common postfix patterns
POSTFIX_QUEUEID ([0-9A-F]{6,}|[0-9a-zA-Z]{12,})
POSTFIX_CLIENT_INFO %{HOSTNAME:postfix_client_hostname}?\[%{IP:postfix_client_ip}\](:%{INT:postfix_client_port})?
POSTFIX_RELAY_INFO %{HOSTNAME:postfix_relay_hostname}?\[(%{IP:postfix_relay_ip}|%{DATA:postfix_relay_service})\](:%{INT:postfix_relay_port})?|%{WORD:postfix_relay_service}
POSTFIX_SMTP_STAGE (CONNECT|HELO|EHLO|STARTTLS|AUTH|MAIL( FROM)?|RCPT( TO)?|(end of )?DATA|RSET|UNKNOWN|END-OF-MESSAGE|VRFY|\.)
POSTFIX_ACTION (accept|defer|discard|filter|header-redirect|reject)
POSTFIX_STATUS_CODE \d{3}
POSTFIX_STATUS_CODE_ENHANCED \d\.\d\.\d
POSTFIX_DNSBL_MESSAGE Service unavailable; .* \[%{GREEDYDATA:postfix_status_data}\] %{GREEDYDATA:postfix_status_message};
POSTFIX_PS_ACCESS_ACTION (DISCONNECT|BLACKLISTED|WHITELISTED|WHITELIST VETO|PASS NEW|PASS OLD)
POSTFIX_PS_VIOLATION (BARE NEWLINE|COMMAND (TIME|COUNT|LENGTH) LIMIT|COMMAND PIPELINING|DNSBL|HANGUP|NON-SMTP COMMAND|PREGREET)
POSTFIX_TIME_UNIT %{NUMBER}[smhd]
POSTFIX_KEYVALUE_DATA [\w-]+=[^;]*
POSTFIX_KEYVALUE %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}
POSTFIX_WARNING_LEVEL (warning|fatal|info)

POSTFIX_TLSCONN (Anonymous|Trusted|Untrusted|Verified) TLS connection established (to %{POSTFIX_RELAY_INFO}|from %{POSTFIX_CLIENT_INFO}): %{DATA:postfix_tls_version} with cipher %{DATA:postfix_tls_cipher} \(%{DATA:postfix_tls_cipher_size} bits\)
POSTFIX_TLSVERIFICATION certificate verification failed for %{POSTFIX_RELAY_INFO}: %{GREEDYDATA:postfix_tls_error}

POSTFIX_DELAYS %{NUMBER:postfix_delay_before_qmgr}/%{NUMBER:postfix_delay_in_qmgr}/%{NUMBER:postfix_delay_conn_setup}/%{NUMBER:postfix_delay_transmission}

This file has been truncated. show original

I've added only SEPARATOR and POSTFIX_WARNING_WITH_SUBJECT in same file.
And edited:

POSTFIX_WARNING %{POSTFIX_WARNING_WITH_KV}|%{POSTFIX_WARNING_WITHOUT_KV}

to

POSTFIX_WARNING %{POSTFIX_WARNING_WITH_KV}|%{POSTFIX_WARNING_WITHOUT_KV}|%{POSTFIX_WARNING_WITH_SUBJECT}

However, I've noticed that if i move POSTFIX_WARNING_WITH_SUBJECT to be the first one:

POSTFIX_WARNING %{POSTFIX_WARNING_WITH_SUBJECT}|%{POSTFIX_WARNING_WITH_KV}|%{POSTFIX_WARNING_WITHOUT_KV}

Now everything is OK! I just can't figure out why. My pattern is (should be) more precise. Since it includes to and from.

Topic		Replies	Views
[SOLVED] Grok and Greedydata regex Logstash	9	8217	February 13, 2017
Grok pattern from within kibana dev tools Kibana	5	1002	November 9, 2017
Logstash grok match pattern for message field Logstash	34	18090	July 6, 2017
Logstash Grok pattern GREEDYDATA does not match Logstash	5	1297	December 26, 2018
Grok parser not working as expected with GREEDYDATA Logstash	13	8052	April 26, 2018

Logstash's grok GREEDYDATA pattern takes word before it starts

Related topics