188 lines
9.9 KiB
JSON
188 lines
9.9 KiB
JSON
{
|
|
"processors": [
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: \\(%{PID2:mail.pid2}\\) %{WORD:mail.command}: %{WORD:mail.amavis_result} %{DATA:mail.reason}, From: <%{EMAIL:mail.from}>"
|
|
],
|
|
"pattern_definitions" : {
|
|
"PORT" : "(?:[0-9]+)",
|
|
"PID2" : "(?:[0-9]+-[0-9]+(-[0-9]+|))",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}",
|
|
"MAILSERVICE" : "%{WORD:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"EMAIL" : "(([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}|)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: \\(%{PID2:mail.pid2}\\) %{DATA:mail.amavis_result}, <%{EMAIL:mail.from}> -> (<%{EMAIL:mail.to}>,)+ %{DATA:mail.amavis_spam_tag}, score=%{DATA:mail.amavis_spam_score} required=%{DATA} tests=\\[%{GREEDYDATA:mail.amavis_spam_result}\\]"
|
|
],
|
|
"pattern_definitions" : {
|
|
"PORT" : "(?:[0-9]+)",
|
|
"PID2" : "(?:[0-9]+-[0-9]+(-[0-9]+|))",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}",
|
|
"MAILSERVICE" : "%{WORD:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"EMAIL" : "(([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}|)",
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: \\(%{PID2:mail.pid2}\\) %{DATA} %{DATA:mail.amavis_result} from <%{EMAIL:mail.from}> -> (<%{EMAIL:mail.to}>,)+ %{DATA:mail.reason}: queued as %{QUEUEID:mail.qid}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"PORT" : "(?:[0-9]+)",
|
|
"PID2" : "(?:[0-9]+-[0-9]+)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}",
|
|
"MAILSERVICE" : "%{WORD:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"EMAIL" : "(([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}|)",
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: \\(%{PID2:mail.pid2}\\) %{DATA:mail.amavis_result} \\{%{DATA:mail.amavis_way}\\}, %{DATA:mail.reason} \\[%{IP:mail.host}\\]:%{PORT:mail.port} <%{EMAIL:mail.from}> -> <%{EMAIL:mail.to}>, Queue-ID: %{QUEUEID:mail.qid}, Message-ID: <%{DATA:mail.message_id}>, mail_id: %{DATA:mail.id}, Hits: %{DATA:mail.amavis_hits}, size: %{POSINT:mail.size}, queued_as: %{QUEUEID:mail.amavis_qid}, dkim_sd=%{DATA:mail.dkim}, %{POSINT:mail.amavis_delay} ms"
|
|
],
|
|
"pattern_definitions" : {
|
|
"PORT" : "(?:[0-9]+)",
|
|
"PID2" : "(?:[0-9]+-[0-9]+)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}",
|
|
"MAILSERVICE" : "%{WORD:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"EMAIL" : "(([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}|)",
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: \\(%{PID2:mail.pid2}\\) %{DATA} :%{PORT:mail.port} %{DATA:mail.amavis_file}: <%{EMAIL:mail.from}> -> <%{EMAIL:mail.to}> (SIZE=%{POSINT:mail.size} |)(BODY=%{WORD} |)%{DATA:mail.amavis_result}: from %{HOSTNAME:mail.remote_host} \\(\\[%{IP:mail.remote_ip}\\]\\) by %{DATA} \\(%{HOSTNAME:mail.host} \\[%{IP:mail.ip}\\]\\) \\(%{DATA}\\) %{DATA:mail.reason}; %{GREEDYDATA:mail.amavis_datetime}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"PORT" : "(?:[0-9]+)",
|
|
"PID2" : "(?:[0-9]+-[0-9]+)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}",
|
|
"MAILSERVICE" : "%{WORD:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"EMAIL" : "(([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}|)",
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: \\(%{PID2:mail.pid2}\\) %{DATA:mail.amavis_result}: %{DATA:mail.amavis_qid} (%{DATA:mail.reason} |)\\[%{IP:mail.remote_ip}\\] <%{EMAIL:mail.from}> -> <%{EMAIL:mail.to}>"
|
|
],
|
|
"pattern_definitions" : {
|
|
"PORT" : "(?:[0-9]+)",
|
|
"PID2" : "(?:[0-9]+-[0-9]+(-[0-9]+|))",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}",
|
|
"MAILSERVICE" : "%{WORD:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"EMAIL" : "(([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}|)",
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: \\(%{PID2:mail.pid2}\\) %{WORD:mail.amavis_qid} %{DATA:mail.amavis_result} from <%{EMAIL:mail.from}> -> <%{EMAIL:mail.to}>, %{DATA} from %{WORD}\\(%{WORD}:\\[%{IP:mail.remote_ip}\\]:%{PORT:mail.remote_port}\\): %{DATA:mail.reason}: queued as %{WORD:mail.qid}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"PORT" : "(?:[0-9]+)",
|
|
"PID2" : "(?:[0-9]+-[0-9]+(-[0-9]+|))",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}",
|
|
"MAILSERVICE" : "%{WORD:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"EMAIL" : "(([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}|)",
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: \\(%{PID2:mail.pid2}\\) %{DATA:mail.amavis_result} \\{%{DATA:mail.amavis_way}\\}, \\[%{IP:mail.remote_ip}\\]:%{PORT:mail.remote_port} \\[%{IP}\\] <%{EMAIL:mail.from}> -> (<%{EMAIL:mail.to}>,)+ Queue-ID: %{QUEUEID:mail.qid}, Message-ID: <%{DATA:mail.message_id}>, mail_id: %{DATA:mail.id}, Hits: %{DATA:mail.amavis_hits}, size: %{POSINT:mail.size}, (queued_as: %{QUEUEID:mail.amavis_qid}, |)%{POSINT:mail.amavis_delay} ms"
|
|
],
|
|
"pattern_definitions" : {
|
|
"PORT" : "(?:[0-9]+)",
|
|
"PID2" : "(?:[0-9]+-[0-9]+(-[0-9]+|))",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}",
|
|
"MAILSERVICE" : "%{WORD:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"EMAIL" : "(([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}|)",
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: \\(%{PID2:mail.pid2}\\) %{DATA:mail.amavis_result} \\{%{DATA:mail.amavis_way}\\}, %{DATA:mail.reason} \\[%{IP:mail.remote_ip}\\]:%{PORT:mail.remote_port} <%{EMAIL:mail.from}> -> <%{EMAIL:mail.to}>, Queue-ID: %{QUEUEID:mail.qid}, Message-ID: <%{DATA:mail.message_id}>, mail_id: %{DATA:mail.id}, Hits: %{DATA:mail.amavis_hits}, size: %{POSINT:mail.size}, queued_as: %{QUEUEID:mail.amavis_qid}, %{POSINT:mail.amavis_delay} ms"
|
|
],
|
|
"pattern_definitions" : {
|
|
"PORT" : "(?:[0-9]+)",
|
|
"PID2" : "(?:[0-9]+-[0-9]+(-[0-9]+|))",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}",
|
|
"MAILSERVICE" : "%{WORD:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"EMAIL" : "(([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}|)",
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: \\(%{PID2:mail.pid2}\\) size: %{POSINT:mail.size}, %{WORD:mail.amavis_result} \\[total %{POSINT:mail.amavis_check.total} ms, cpu %{POSINT:mail.amavis_check.cpu} ms((, AM-cpu %{POSINT} ms)|)((, SA-cpu %{POSINT} ms)|)\\] - SMTP greeting: %{BASE10NUM:mail.amavis_check.smtp_greeting} \\(%{PORT:mail.amavis_check.smtp_greeting_percent}\\%\\)%{WORD}, SMTP EHLO: %{BASE10NUM:mail.amavis_check.smtp_ehlo} \\(%{PORT:mail.amavis_check.smtp_ehlo_percent}\\%\\)%{WORD}, SMTP pre-MAIL: %{BASE10NUM:mail.amavis_check.smtp_pre_mail} \\(%{PORT:mail.amavis_check.smtp_pre_mail_percent}\\%\\)%{WORD}((, lookup_ldap: %{BASE10NUM:mail.amavis_check.lookup_ldap} \\(%{PORT:mail.amavis_check.lookup_ldap_percent}\\%\\)%{WORD})+), SMTP pre-DATA-flush: %{BASE10NUM:mail.amavis_check.smtp_pre_data_flush} \\(%{PORT:mail.amavis_check.smtp_pre_data_flush_percent}\\%\\)%{WORD}, SMTP DATA: %{BASE10NUM:mail.amavis_check.smtp_data} \\(%{PORT:mail.amavis_check.smtp_data_percent}\\%\\)%{WORD}, %{DATA}mime_decode: %{BASE10NUM:mail.amavis_check.mime_decode} \\(%{PORT:mail.amavis_check.mime_decode_percent}\\%\\)%{WORD}, %{DATA}SMTP pre-response: %{BASE10NUM:mail.amavis_check.smtp_pre_response} \\(%{PORT:mail.amavis_check.smtp_pre_response_percent}\\%\\)%{WORD}, SMTP response: %{BASE10NUM:mail.amavis_check.smtp_response} \\(%{PORT:mail.amavis_check.smtp_response_percent}\\%\\)%{WORD}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"PORT" : "(?:[0-9]+)",
|
|
"PID2" : "(?:[0-9]+-[0-9]+(-[0-9]+|))",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}",
|
|
"MAILSERVICE" : "%{WORD:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"EMAIL" : "(([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}|)",
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: \\(%{PID2:mail.pid2}\\) %{DATA} Content-Type: %{DATA:mail.content_type}(((, size: %{DATA:mail.size} B, name:)|)(( %{GREEDYDATA:mail.file_name})|)|)$"
|
|
],
|
|
"pattern_definitions" : {
|
|
"PID2" : "(?:[0-9]+-[0-9]+(-[0-9]+|))",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}",
|
|
"MAILSERVICE" : "%{WORD:mail.service}\\[%{POSINT:mail.pid}\\]"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
|
|
}
|
|
]
|
|
} |