In case anyone ever needs it:
# expects you to apply "%{SYSLOGBASE}%{SPACE}%{GREEDYDATA:message_remainder}" beforehand
# more processing for postfix log entries
if [program] =~ /^postfix/ {
    # i like my tags :)
    noop {
        add_tag => ["postfix"]
    }
    # try to extract the component (qmgr, smtp, smtpd, ...)
    grok {
        match => ["program", "^postfix/%{WORD:component}"]
        add_tag => ["postfix_component"]
    }
    # if we got usable data...
    if "_grokparsefailure" not in [tags] {
        # try parsing "easier" messages (with queue id and key=value format)
        if [message_remainder] =~ /^[A-F0-9]{5,15}/ {
            # extract queue id
            grok {
                match => ["message_remainder", "(?<queue_id>[A-F0-9]{5,15}): %{GREEDYDATA:kv_message}"]
                add_tag => ["postfix_queue_id"]
            }
            if [kv_message] == "removed" {
                # qmgr is done with a message
                noop {
                    add_tag => ["postfix_message_done"]
                }
            } else {
                # extract key/value pairs
                kv {
                    source => ["kv_message"]
                    trim => ["<>,"]
                    add_tag => ["postfix_kv"]
                }
                # if we got a "status" field, try to log the remote response
                if [status] {
                    grok {
                        match => ["message_remainder", "status=%{WORD} %{GREEDYDATA:remote_response}"]
                        add_tag => ["postfix_remote_response"]
                    }
                }
            }
        }
        # cleanup helper fields
        noop {
            remove_field => ["message_remainder", "kv_message"]
        }
    }
}
As I said, this assumes that the SYSLOGBASE pattern has been applied and that everything after the program and the PID in square brackets is available in the field message_remainder.
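Added example (Python, not the author's Logstash configuration): it mirrors the filter's field and tag logic on a few constructed Postfix log events, so you can see what the queue id, key=value and remote response extraction actually produce. The sample events and the regexes are assumptions modelled on the grok patterns above.

```python
import re

# Constructed sample events (not from the original post): (program, message_remainder),
# i.e. the syslog program field and everything after "program[pid]: ".
SAMPLE_EVENTS = [
    ("postfix/qmgr", "3A1B2C3D4E: from=<alice@example.org>, size=1234, nrcpt=1 (queue active)"),
    ("postfix/smtp", "3A1B2C3D4E: to=<bob@example.net>, relay=mx.example.net[192.0.2.10]:25, "
                     "delay=0.5, dsn=2.0.0, status=sent (250 2.0.0 OK queued as ABC123)"),
    ("postfix/qmgr", "3A1B2C3D4E: removed"),
    ("postfix/smtpd", "connect from unknown[198.51.100.7]"),
    ("sshd", "Accepted publickey for alice from 198.51.100.7"),
]

COMPONENT = re.compile(r"^postfix/(?P<component>\w+)")
QUEUE_ID = re.compile(r"^(?P<queue_id>[A-F0-9]{5,15}): (?P<kv_message>.*)$")
KV_PAIR = re.compile(r"(\w+)=(\S+)")                  # the kv filter's key=value tokens
STATUS = re.compile(r"status=\w+ (?P<remote_response>.*)$")


def parse_postfix(program, message_remainder):
    """Return the fields and tags the filter above would leave on one event."""
    event = {"program": program, "tags": []}
    if not program.startswith("postfix"):
        return event                                    # outer `if [program] =~ /^postfix/` fails
    event["tags"].append("postfix")
    m = COMPONENT.match(program)
    if not m:                                           # grok would add _grokparsefailure
        event["tags"].append("_grokparsefailure")
        return event
    event["component"] = m.group("component")
    event["tags"].append("postfix_component")
    m = QUEUE_ID.match(message_remainder)
    if m:
        event["queue_id"] = m.group("queue_id")
        event["tags"].append("postfix_queue_id")
        kv_message = m.group("kv_message")
        if kv_message == "removed":                     # qmgr is done with the message
            event["tags"].append("postfix_message_done")
        else:
            for key, value in KV_PAIR.findall(kv_message):
                event[key] = value.strip("<>,")         # same trim set as kv { trim => "<>," }
            event["tags"].append("postfix_kv")
            if "status" in event:
                r = STATUS.search(message_remainder)
                if r:
                    event["remote_response"] = r.group("remote_response")
                    event["tags"].append("postfix_remote_response")
    return event
```

Events that do not carry a queue id (such as the smtpd connect line) only get the postfix and postfix_component tags, exactly as in the filter.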