subin
(subin)
December 27, 2017, 6:25am
1
Hi,
My pattern works well in grok-debugger, but fails in Logstash's pipeline. I've been trying for hours; no luck. Here are the logs that I'm trying to parse:
Nov 10 20:06:05 mx1 postfix/qmgr[4016]: D134620D03: from=<info@domain.com>, size=6638, nrcpt=1 (queue active)
Nov 10 20:05:49 mx2 postfix/qmgr[4016]: 64FBB20D03: from=<>, size=5733, nrcpt=1 (queue active)
Nov 10 20:06:05 mx1 postfix/qmgr[4016]: 38A6B2090E: removed
Either of the filters works for all three log-patterns, in grok-debugger:
POST_QMGR %{SYSLOGBASE} %{QUEUEID:qid}: (?:removed|from=<(?:%{FROM_EMAIL:from})?>(?:, size=%{NUMBER:size}, nrcpt=%{NUMBER:nrcpt} \(%{DATA:queuestatus}\))?)
POST_QMGR %{SYSLOGBASE} %{QUEUEID:qid}: (removed|from=<(%{FROM_EMAIL:from})?>(, size=%{NUMBER:size}, nrcpt=%{NUMBER:nrcpt} \(%{DATA:queuestatus}\))?)
where:
FROM_EMAIL %{USERNAME:[from][emailname]}@%{HOSTNAME:[from][domain]}
QUEUEID (?:[A-F0-9]+|NOQUEUE)
But, neither of them works for log no.1, in the pipeline. What modifications should be done?
Thanks.
warkolm
(Mark Walkom)
December 27, 2017, 7:44am
2
Please show your entire config file.
subin
(subin)
December 27, 2017, 7:58am
3
Please note that I've taken off %{SYSLOGBASE} from the aforementioned POST_QMGR syntax. So, now, my config file is:
input {
stdin {}
}
filter {
if [message] =~ /postfix\/qmgr\[\d+\]:/
{
grok {
patterns_dir => "/usr/share/logstash/patterns"
match => { "message" => "%{SYSLOGBASE} %{POST_QMGR}" }
tag_on_failure => [ "_grok_qmgr_fail" ]
add_tag => [ "_grok_postfix_success" ]
}
}
else {
mutate {
add_tag => ["_no_match"]
}
}
}
output {
elasticsearch {
hosts => [ "elk00.vpn:9200", "elk01.vpn:9200", "elk02.vpn:9200" ]
user => "logstash_logs"
password => "logstash_logs."
ssl => true
cacert => "/etc/logstash/ca.pem"
index => "logstash-postfix-%{+YYYY.MM.dd.HH.mm}"
}
stdout { codec => rubydebug }
}
This fails only for log no.1
Thanks.
subin
(subin)
December 27, 2017, 10:19am
4
I've found the pipeline failing (but successful in debugger) for another log and filter. The log-line is:
Nov 11 19:17:33 ezm06-pco postfix/pickup[7864]: 3364E62F1D: uid=5000 from=<maddistevens2001@gmail.com>
And the filter is:
POST_PICKUP %{QUEUEID:qid}: uid=%{NUMBER:uid} from=<(%{FROM_EMAIL:from})?>
The common thing here is the field from=<user@domain.tld> that is contributing to the failure. If it's just from=<>, the filter works well in pipeline.
Hope this helps.
subin
(subin)
December 27, 2017, 11:40am
5
Solved.
I replaced the initial syntax FROM_EMAIL with a simpler new syntax EMAIL:
EMAIL %{USERNAME:emailname}@%{HOSTNAME:domain}
It now works both in debugger and pipeline.
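As an added example (not from the thread and not Logstash's own code), here is a small Python grok-pattern expander that runs the patterns from post 1 and post 5 over the thread's three qmgr lines plus a pickup line. Everything in it is constructed for illustration: SYSLOGBASE is a reduced stand-in for the stock Logstash definition (no syslog facility), the pickup line uses a placeholder address, and `Grok`, `filter_event` and `nested_conflict` are names chosen here. Besides mirroring the filter block from post 3 (selector, `tag_on_failure`, `add_tag`), it applies the original nested FROM_EMAIL pattern to the first line to make the field-path mismatch visible: `%{FROM_EMAIL:from}` stores `from` as a string, while FROM_EMAIL's own `[from][emailname]` needs `from` to be an object, and an empty `from=<>` never reaches that nested write, which is the same split between the two cases the thread reports.

```python
import re

# Constructed grok pattern library for the thread's lines. SYSLOGBASE is a
# reduced stand-in for the stock Logstash definition (no syslog facility);
# the rest mirrors the patterns the thread ends with (flat EMAIL instead of
# the nested FROM_EMAIL).
PATTERNS = {
    "MONTH": r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "TIME": r"[0-9]{2}:[0-9]{2}:[0-9]{2}",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "HOSTNAME": r"[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*",
    "PROG": r"[\x21-\x5a\x5c\x5e-\x7e]+",   # stops before '[' of the pid
    "POSINT": r"[1-9][0-9]*",
    "NUMBER": r"[0-9]+",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "DATA": r".*?",
    "SYSLOGBASE": r"%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:logsource} "
                  r"%{PROG:program}(?:\[%{POSINT:pid}\])?:",
    "QUEUEID": r"(?:[A-F0-9]+|NOQUEUE)",
    "EMAIL": r"%{USERNAME:emailname}@%{HOSTNAME:domain}",
    "POST_QMGR": r"%{QUEUEID:qid}: (?:removed|from=<(?:%{EMAIL:from})?>"
                 r"(?:, size=%{NUMBER:size}, nrcpt=%{NUMBER:nrcpt} \(%{DATA:queuestatus}\))?)",
    "POST_PICKUP": r"%{QUEUEID:qid}: uid=%{NUMBER:uid} from=<(?:%{EMAIL:from})?>",
}

GROK_REF = re.compile(r"%\{(\w+)(?::([\w\[\]]+))?\}")


def grok_to_regex(pattern, patterns, names, _depth=0):
    """Expand %{NAME:field} references into a Python regex, recording
    synthetic group name -> grok field path in `names`."""
    if _depth > 20:
        raise ValueError("grok pattern nesting too deep (cyclic definition?)")

    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(patterns[name], patterns, names, _depth + 1)
        if field is None:
            return f"(?:{inner})"
        group = f"g{len(names)}"   # grok field paths are not valid Python group names
        names[group] = field
        return f"(?P<{group}>{inner})"

    return GROK_REF.sub(repl, pattern)


def set_field(event, path, value):
    """Store value at a flat ('from') or nested ('[from][emailname]') field path."""
    keys = re.findall(r"\[([^\]]+)\]", path) or [path]
    node = event
    for key in keys[:-1]:
        child = node.setdefault(key, {})
        if not isinstance(child, dict):
            raise TypeError(f"field {key!r} already holds {child!r}; cannot nest {path}")
        node = child
    if isinstance(node.get(keys[-1]), dict):
        raise TypeError(f"field {path} already holds an object; cannot store {value!r}")
    node[keys[-1]] = value


class Grok:
    def __init__(self, pattern, patterns=PATTERNS):
        self.names = {}
        self.regex = re.compile(grok_to_regex(pattern, patterns, self.names))

    def match(self, line):
        """Return the captured fields, or None when the pattern does not match."""
        m = self.regex.search(line)          # grok matches unanchored, like search()
        if m is None:
            return None
        event = {}
        for group, value in m.groupdict().items():
            if value is not None:            # optional groups that did not participate
                set_field(event, self.names[group], value)
        return event


QMGR_SELECTOR = re.compile(r"postfix/qmgr\[\d+\]:")
QMGR_GROK = Grok("%{SYSLOGBASE} %{POST_QMGR}")


def filter_event(line):
    """Mirror the thread's filter block: route qmgr lines to grok, tag the rest."""
    event = {"message": line}
    if not QMGR_SELECTOR.search(line):
        event["tags"] = ["_no_match"]
        return event
    fields = QMGR_GROK.match(line)
    if fields is None:
        event["tags"] = ["_grok_qmgr_fail"]
    else:
        event.update(fields)
        event["tags"] = ["_grok_postfix_success"]
    return event


# The original FROM_EMAIL writes [from][emailname] while the enclosing
# %{FROM_EMAIL:from} writes `from` as a string: one key, two types.
NESTED_PATTERNS = dict(
    PATTERNS,
    FROM_EMAIL=r"%{USERNAME:[from][emailname]}@%{HOSTNAME:[from][domain]}",
    POST_QMGR=PATTERNS["POST_QMGR"].replace("%{EMAIL:from}", "%{FROM_EMAIL:from}"),
)


def nested_conflict(line):
    """Return the type-conflict error for `line` under the nested pattern, or None."""
    try:
        Grok("%{SYSLOGBASE} %{POST_QMGR}", NESTED_PATTERNS).match(line)
    except TypeError as exc:
        return str(exc)
    return None


# Sample input: the three qmgr lines from the thread and a pickup line with a
# constructed placeholder address.
SAMPLE_LINES = [
    "Nov 10 20:06:05 mx1 postfix/qmgr[4016]: D134620D03: from=<info@domain.com>, size=6638, nrcpt=1 (queue active)",
    "Nov 10 20:05:49 mx2 postfix/qmgr[4016]: 64FBB20D03: from=<>, size=5733, nrcpt=1 (queue active)",
    "Nov 10 20:06:05 mx1 postfix/qmgr[4016]: 38A6B2090E: removed",
    "Nov 11 19:17:33 ezm06-pco postfix/pickup[7864]: 3364E62F1D: uid=5000 from=<user@example.com>",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(filter_event(line))
    print(Grok("%{SYSLOGBASE} %{POST_PICKUP}").match(SAMPLE_LINES[3]))
    print("nested pattern, line 1:", nested_conflict(SAMPLE_LINES[0]))
    print("nested pattern, line 2:", nested_conflict(SAMPLE_LINES[1]))
```

The pickup line lands in `_no_match` under the qmgr-only selector, exactly as the config in post 3 would route it; matching it explicitly with `%{SYSLOGBASE} %{POST_PICKUP}` yields `uid` and `from`. Under the nested pattern, only the line with a non-empty sender raises, because the `(?:...)?` around FROM_EMAIL leaves every `from` group unset for `from=<>`.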
warkolm
(Mark Walkom)
December 27, 2017, 6:46pm
6
Thanks for sharing your solution!
system
(system)
Closed
January 24, 2018, 6:46pm
7
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.