{ "processors": [ { "grok" : { "field" : "message", "patterns" : [ "%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{CONNECTION:mail.connection_status} from %{HOSTNAME:mail.remote_host}\\[%{IP:mail.remote_ip}\\](%{DATA:mail.reason}|)$" ], "pattern_definitions" : { "HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)", "LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}", "MAILSERVICE" : "%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]", "CONNECTION" : "(connect|disconnect)" }, "ignore_failure" : true } }, { "grok" : { "field" : "message", "patterns" : [ "%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUED:mail.qid}: client=%{HOSTNAME:mail.remote_host}\\[%{IP:mail.remote_ip}\\]" ], "pattern_definitions" : { "HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)", "LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}", "MAILSERVICE" : "%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]", "QUEUED" : "(?:[A-F0-9]+|NOQUEUE)" }, "ignore_failure" : true } }, { "grok" : { "field" : "message", "patterns" : [ "%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUED:mail.qid}: filter: %{DATA} from %{HOSTNAME:mail.remote_host}\\[%{IP:mail.remote_ip}\\]: %{DATA}; from=<%{EMAIL:mail.from}> to=<%{EMAIL:mail.to}> proto=%{DATA:mail.protocol} helo=<%{HOSTNAME:mail.helo}>" ], "pattern_definitions" : { "HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)", "PORT" : "(?:[0-9]+)", "LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}", "MAILSERVICE" : "%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]", "EMAIL" : "(([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}|)", "QUEUED" : "(?:[A-F0-9]+|NOQUEUE)" }, "ignore_failure" : true } }, { "grok" : { "field" : "message", "patterns" : [ "%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUED:mail.qid}: to=<%{EMAIL:mail.to}>, (|(orig_to=<%{EMAIL:mail.orig_to}>, ))((relay=%{HOSTNAME:mail.relay_host}\\[%{IP:mail.relay_ip}\\]:%{PORT:mail.relay_port})|(relay=%{WORD:mail.relay_host})), (conn_use=%{WORD}, |)delay=%{NUMBER:mail.delay}, delays=%{DELAYS}, dsn=%{DSN:mail.dsn}, status=%{WORD:mail.status} \\(%{DATA:mail.reason}\\)((: %{DATA}: queued as %{QUEUED:mail.qid2})|)$" ], "pattern_definitions" : { "HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)", "PORT" : "(?:[0-9]+)", "LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}", "MAILSERVICE" : "%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]", "EMAIL" : "(([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}|)", "DELAYS" : "%{NUMBER:mail.delay_prequeued}/%{NUMBER:mail.delay_queued}/%{NUMBER:mail.delay_connection}/%{NUMBER:mail.delay_sended}", "DSN" : "%{NONNEGINT}.%{NONNEGINT}.%{NONNEGINT}", "QUEUED" : "(?:[A-F0-9]+|NOQUEUE)" }, "ignore_failure" : true } }, { "grok" : { "field" : "message", "patterns" : [ "%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUED:mail.qid}: from=<%{EMAIL:mail.from}>, size=%{WORD:mail.size}, nrcpt=%{WORD} \\(%{DATA:mail.reason}\\)$" ], "pattern_definitions" : { "HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)", "PORT" : "(?:[0-9]+)", "LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}", "MAILSERVICE" : "%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]", "EMAIL" : "(([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}|)", "DELAYS" : "%{NUMBER:mail.delay_prequeued}/%{NUMBER:mail.delay_queued}/%{NUMBER:mail.delay_connection}/%{NUMBER:mail.delay_sended}", "DSN" : "%{NONNEGINT}.%{NONNEGINT}.%{NONNEGINT}", "QUEUED" : "(?:[A-F0-9]+|NOQUEUE)" }, "ignore_failure" : true } } ] }