{ "processors" : [ { "grok" : { "field" : "message", "patterns" : [ "%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(|%{USERDATA1}|%{USERDATA2})\\] mailop - (%{MOVINGMESSAGE}|%{ADDINGMESSAGE}|%{DELETEMESSAGE})" ], "pattern_definitions" : { "MAILSERVICE" : "%{DATA:mail.service}(|-%{POSINT:mail.pid})(|:%{DATA:mail.http_method}:%{URI:mail.http_request_url})", "ACCOUNT" : "(%{WORD}|%{EMAIL})", "USERDATA1" : "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};oip=%{IP:mail.remote_ip};port=%{POSINT:mail.port};ua=%{DATA:mail.ua};soapId=%{DATA:mail.soap_id};", "USERDATA2" : "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};(||ip=%{IP:mail.ip};)", "ADDINGMESSAGE" : "%{DATA:mail.command}: id=%{NONNEGINT:mail.id}, Message-ID=<%{DATA:mail.message_id}>, parentId=%{DATA}, folderId=%{NONNEGINT:mail.folder_id}, folderName=%{DATA:mail.folder_name} acct=%{NUMBER:mail.acct}.", "MOVINGMESSAGE" : "%{DATA:mail.command} \\(id=%{NONNEGINT:mail.id}\\) to Folder %{DATA:mail.folder_name} \\(id=%{NONNEGINT:mail.folder_id}\\)", "DELETEMESSAGE" : "%{DATA:mail.command} \\(id=%{NONNEGINT:mail.id}\\).", "LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}", "EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}" }, "ignore_failure" : true } }, { "grok" : { "field" : "message", "patterns" : [ "%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(|%{USERDATA1}|%{USERDATA2})\\] nginxlookup - %{DATA:mail.reason}:%{GREEDYDATA:mail.client_name}" ], "pattern_definitions" : { "MAILSERVICE" : "%{DATA:mail.service}-%{POSINT:mail.pid}(|:%{DATA:mail.http_method}:%{URI:mail.http_request_url})", "ACCOUNT" : "(%{WORD}|%{EMAIL})", "USERDATA1" : "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};oip=%{IP:mail.remote_ip};port=%{POSINT:mail.port};ua=%{DATA:mail.ua};soapId=%{DATA:mail.soap_id};", "USERDATA2" : "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};ip=%{IP:mail.ip};", "LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}", "EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}" }, "ignore_failure" : true } }, { "grok": { "field": "message", "patterns": ["%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(%{USERDATA1}|%{USERDATA2}|%{USERDATA3}|%{USERDATA4}|%{USERDATA5}|%{USERDATA6})\\] %{WORD} - %{COMMAND:mail.command} %{GREEDYDATA:mail.reason}"], "pattern_definitions" : { "MAILSERVICE": "%{DATA:mail.service}-%{POSINT:mail.pid}(|:(%{DATA:mail.http_method}:|)%{URI:mail.http_request_url})", "ACCOUNT": "(%{WORD}|%{EMAIL})", "USERDATA1": "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};", "USERDATA2": "name=%{ACCOUNT:mail.client_name};ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};", "USERDATA3": "ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};", "USERDATA4": "ip=%{IP:mail.ip};cid=%{POSINT:mail.cid};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via}\\);ua=%{DATA:mail.ua};", "USERDATA5": "(name=%{ACCOUNT:mail.client_name};ip=%{IP:mail.remote_ip};port=%{POSINT:mail.port};|)ua=%{DATA:mail.ua};(via=%{DATA:mail.via};|)soapId=%{DATA:mail.soap_id};", "USERDATA6": "(name=%{ACCOUNT:mail.client_name};|)oip=%{IP:mail.remote_ip};oport=%{POSINT:mail.port};oproto=%{WORD:mail.proto};soapId=%{DATA:mail.soap_id};(mid=%{POSINT};ds=%{WORD}};|)", "COMMAND": "%{WORD}(| %{WORD})", "LOGDATE": "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}", "EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}" }, "ignore_failure" : true } }, { "grok" : { "field" : "message", "patterns" : [ "%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(|%{USERDATA1}|%{USERDATA2})\\] index - %{DATA:mail.reason} \\{%{GREEDYDATA:mail.message}\\}" ], "pattern_definitions" : { "MAILSERVICE" : "%{DATA:mail.service}-%{POSINT:mail.pid}(|:%{DATA:mail.http_method}:%{URI:mail.http_request_url})", "ACCOUNT" : "(%{WORD}|%{EMAILADDRESS})", "USERDATA1" : "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};oip=%{IP:mail.remote_ip};port=%{POSINT:mail.port};ua=%{DATA:mail.ua};soapId=%{DATA:mail.soap_id};", "USERDATA2" : "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};ip=%{IP:mail.ip};", "LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}" }, "ignore_failure" : true } }, { "grok": { "field": "message", "patterns": ["%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(|%{USERDATA1}|%{USERDATA2})\\] nginxlookup - %{DATA:mail.reason}:%{GREEDYDATA:mail.client_name}"], "pattern_definitions" : { "MAILSERVICE": "%{DATA:mail.service}-%{POSINT:mail.pid}(|:%{DATA:mail.http_method}:%{URI:mail.http_request_url})", "ACCOUNT": "(%{WORD}|%{EMAIL})", "USERDATA1": "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};oip=%{IP:mail.remote_ip};port=%{POSINT:mail.port};ua=%{DATA:mail.ua};soapId=%{DATA:mail.soap_id};", "USERDATA2": "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};ip=%{IP:mail.ip};", "LOGDATE": "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}", "EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}" }, "ignore_failure" : true } }, { "grok": { "field": "message", "patterns": ["%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(%{USERDATA1}|%{USERDATA2}|%{USERDATA3}|%{USERDATA4}|%{USERDATA5}|%{USERDATA6}|%{USERDATA7})\\] %{WORD} - %{COMMAND:mail.command} %{GREEDYDATA:mail.reason}"], "pattern_definitions" : { "MAILSERVICE": "%{DATA:mail.service}-%{POSINT:mail.pid}(|:(%{DATA:mail.http_method}:|)%{URI:mail.http_request_url})", "ACCOUNT": "(%{WORD}|%{EMAIL})", "USERDATA1": "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};(ip=%{IP:mail.ip};|)oip=%{IP:mail.remote_ip};(via=%{DATA:mail.via};|)ua=%{DATA:mail.ua};(cid=%{POSINT:mail.cid};|)", "USERDATA2": "name=%{ACCOUNT:mail.client_name};ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};(via=%{DATA:mail.via};|)(ua=%{DATA:mail.ua};|)cid=%{POSINT:mail.cid};", "USERDATA3": "ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};", "USERDATA4": "ip=%{IP:mail.ip};cid=%{POSINT:mail.cid};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via}\\);ua=%{DATA:mail.ua};", "USERDATA5": "(name=%{ACCOUNT:mail.client_name};(aname=%{ACCOUNT:mail.mail.client_account};|)(mid=%{POSINT:mail.mid};|)ip=%{IP:mail.ip};port=%{POSINT:mail.port};|)ua=%{DATA:mail.ua};(via=%{DATA:mail.via};|)soapId=%{DATA:mail.soap_id};", "USERDATA7": "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};oip=%{IP:mail.remote_ip};(port=%{POSINT:mail.port};|)ua=%{DATA:mail.ua};soapId=%{DATA:mail.soap_id};", "USERDATA6": "(name=%{ACCOUNT:mail.client_name};|)oip=%{IP:mail.remote_ip};oport=%{POSINT:mail.port};oproto=%{WORD:mail.proto};soapId=%{DATA:mail.soap_id};(mid=%{POSINT};ds=%{WORD}};|)", "COMMAND": "%{WORD}(| %{WORD})", "LOGDATE": "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}", "EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}" }, "ignore_failure" : true } }, { "grok": { "field": "message", "patterns": ["%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(|%{USERDATA1}|%{USERDATA2}|%{USERDATA3})\\] mailop - (%{MOVINGMESSAGE}|%{ADDINGMESSAGE}|%{DELETEMESSAGE})"], "pattern_definitions" : { "MAILSERVICE": "%{DATA:mail.service}(|-%{POSINT:mail.pid})(|:%{DATA:mail.http_method}:%{URI:mail.http_request_url})", "ACCOUNT": "(%{WORD}|%{EMAIL})", "USERDATA1": "name=%{ACCOUNT:mail.client_name};(aname=%{ACCOUNT:mail.client_account};|)mid=%{POSINT:mail.mid};oip=%{IP:mail.remote_ip};port=%{POSINT:mail.port};ua=%{DATA:mail.ua};soapId=%{DATA:mail.soap_id};", "USERDATA2": "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};(||ip=%{IP:mail.ip};)", "USERDATA3": "name=%{ACCOUNT:mail.client_name};ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};cid=%{POSINT:mail.cid};", "ADDINGMESSAGE": "%{DATA:mail.command}: id=%{NONNEGINT:mail.id}, Message-ID=<%{DATA:mail.message_id}>, parentId=%{DATA}, folderId=%{NONNEGINT:mail.folder_id}, folderName=%{DATA:mail.folder_name} acct=%{GREEDYDATA:mail.acct}.", "MOVINGMESSAGE": "%{DATA:mail.command} \\(id=%{NONNEGINT:mail.id}\\) to Folder %{DATA:mail.folder_name} \\(id=%{NONNEGINT:mail.folder_id}\\)", "DELETEMESSAGE": "%{DATA:mail.command} \\(id=%{NONNEGINT:mail.id}\\).", "LOGDATE": "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}", "EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}" }, "ignore_failure" : true } }, { "grok": { "field": "message", "patterns": ["%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(%{USERDATA5}|%{USERDATA7})\\] %{COMMAND:mail.command} - %{UPLOAD_COMMAND:mail.commands} %{GREEDYDATA:mail.reason}"], "pattern_definitions" : { "MAILSERVICE": "%{DATA:mail.service}-%{POSINT:mail.pid}(|:(%{DATA:mail.http_method}:|)%{URI:mail.http_request_url})", "ACCOUNT": "(%{WORD}|%{EMAIL})", "USERDATA5": "(name=%{ACCOUNT:mail.client_name};(aname=%{ACCOUNT:mail.client_account};|)(mid=%{POSINT:mail.mid};|)ip=%{IP:mail.ip};port=%{POSINT:mail.port};|)ua=%{DATA:mail.ua};(via=%{DATA:mail.via};|)soapId=%{DATA:mail.soap_id};", "USERDATA7": "name=%{ACCOUNT:mail.client_name};(aname=%{ACCOUNT:mail.client_account};|)mid=%{POSINT:mail.mid};oip=%{IP:mail.remote_ip};(port=%{POSINT:mail.port};|)ua=%{DATA:mail.ua};(soapId=%{DATA:mail.soap_id};|)", "COMMAND": "%{WORD}", "LOGDATE": "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}", "UPLOAD_COMMAND": "(Received plain: Upload:|saveUpload\\(\\): received Upload:)", "EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}" }, "ignore_failure" : true } }, { "grok" : { "field" : "message", "patterns" : [ "%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(%{USERDATA1}|%{USERDATA2}|%{USERDATA3}|%{USERDATA4})\\] security - %{REASON:mail.reason}" ], "pattern_definitions" : { "MAILSERVICE" : "%{DATA:mail.service}-%{NONNEGINT:mail.pid}(|:%{DATA:mail.http_method}:%{URI:mail.http_request_url})", "ACCOUNT" : "(%{WORD}|%{EMAIL})", "USERDATA1" : "ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};cid=%{POSINT:mail.cid};", "USERDATA2" : "name=%{ACCOUNT:mail.client_name};ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};", "USERDATA3" : "ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};", "USERDATA4" : "ip=%{IP:mail.ip};cid=%{POSINT:mail.cid};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via}\\);ua=%{DATA:mail.ua};", "REASON" : "Account is lockout, %{GREEDYDATA}", "LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}", "EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}" }, "ignore_failure" : true } }, { "grok" : { "field" : "message", "patterns" : [ "%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(%{USERDATA1}|%{USERDATA2}|%{USERDATA3}|%{USERDATA4})\\] security - cmd=%{DATA:mail.command}; account=%{ACCOUNT:mail.client_account}; protocol=%{WORD:mail.protocol}; error=%{DATA:mail.error} \\[%{EMAIL:mail.client_name}\\], %{REASON:mail.reason};" ], "pattern_definitions" : { "MAILSERVICE" : "%{DATA:mail.service}-%{NONNEGINT:mail.pid}(|:%{DATA:mail.http_method}:%{URI:mail.http_request_url})", "ACCOUNT" : "(%{WORD}|%{EMAIL})", "USERDATA1" : "ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};cid=%{POSINT:mail.cid};", "USERDATA2" : "name=%{ACCOUNT:mail.client_name};ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};", "USERDATA3" : "ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};", "USERDATA4" : "ip=%{IP:mail.ip};cid=%{POSINT:mail.cid};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via}\\);ua=%{DATA:mail.ua};", "LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}", "REASON" : "%{DATA}", "EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}" }, "ignore_failure" : true } } ] }