Noob trying to process a file

Elastic Stack Logstash
1

Hi all,

So I'm trying to do something that I'm guessing is pretty basic but I am stuck and cannot find the answer.

Problems are with config file :frowning:

I've got an input file (postfix logs) that I want to parse with a grok (pattern).
Then parse with another grok filter which goes to grok patterns. (I'm a big noob and hope this horrible explanation makes sense. I think this is an input issue but I'm not sure.

I've tried a few variations but feel like I'm going in circles, is anyone able to point me in the right direction please.

input {
file {

path => "/home/user/Desktop/smtplogs/test2/*"
file_completed_log_path => "/home/user/Desktop/smtplogs/testlog"
mode => "read"
file_completed_action => "log"

filter {
if [message] =~ /^#/ {
drop { }
}

grok {
match => { "\A%{SYSLOGTIMESTAMP}%{SPACE}%{EMAILLOCALPART}%{SPACE}%{SYSLOGPROG}%{GREEDYDATA}" }
}

filter {
# grok log lines by program name (listed alpabetically)
if [program] =~ /^postfix.*/anvil$/ {
grok {
patterns_dir => "/etc/logstash/patterns.d"
match => [ "message", "^%{POSTFIX_ANVIL}" ] tag_on_failure => [ "_grok_postfix_anvil_nomatch" ] add_tag => [ "_grok_postfix_success" ] } } else if [program] =~ /^postfix.*\/bounce/ {
grok {
patterns_dir => "/etc/logstash/patterns.d"
match => [ "message", "^%{POSTFIX_BOUNCE}$" ]
tag_on_failure => [ "_grok_postfix_bounce_nomatch" ]
add_tag => [ "_grok_postfix_success" ]
}

more of the above

mutate {
convert => [
# list of integer fields
"postfix_anvil_cache_size", "integer",
"postfix_anvil_conn_count", "integer",
"postfix_anvil_conn_rate", "integer",
"postfix_client_port", "integer",
"postfix_cmd_auth", "integer",
"postfix_cmd_auth_accepted", "integer",
"postfix_cmd_count", "integer",
"postfix_cmd_count_accepted", "integer",
"postfix_cmd_data", "integer",
"postfix_cmd_data_accepted", "integer",
"postfix_cmd_ehlo", "integer",
"postfix_cmd_ehlo_accepted", "integer",
"postfix_cmd_helo", "integer",
"postfix_cmd_helo_accepted", "integer",
"postfix_cmd_mail", "integer",
"postfix_cmd_mail_accepted", "integer",
"postfix_cmd_quit", "integer",
"postfix_cmd_quit_accepted", "integer",
"postfix_cmd_rcpt", "integer",
"postfix_cmd_rcpt_accepted", "integer",
"postfix_cmd_rset", "integer",
"postfix_cmd_rset_accepted", "integer",
"postfix_cmd_starttls", "integer",
"postfix_cmd_starttls_accepted", "integer",
"postfix_cmd_unknown", "integer",
"postfix_cmd_unknown_accepted", "integer",
"postfix_nrcpt", "integer",
"postfix_postscreen_cache_dropped", "integer",
"postfix_postscreen_cache_retained", "integer",
"postfix_postscreen_dnsbl_rank", "integer",
"postfix_relay_port", "integer",
"postfix_server_port", "integer",
"postfix_size", "integer",
"postfix_status_code", "integer",
"postfix_termination_signal", "integer",

        # list of float fields
        "postfix_delay", "float",
        "postfix_delay_before_qmgr", "float",
        "postfix_delay_conn_setup", "float",
        "postfix_delay_in_qmgr", "float",
        "postfix_delay_transmission", "float",
        "postfix_postscreen_violation_time", "float"
    ]
}

}

}

output {

stdout { codec => rubydebug }

}

2

And what is the problem? Are you getting an error message?

3

Hi Badger,

Sorry I've only just seen this message for some reason... Thank you for responding.

Yes, It's failing to start - I tried multiple variants - I was hoping someone who had potentially parsed postfix logs before might chime in with what their config was.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.