elasticsearch/pipelines/mailboxlog.json


{
"processors" : [
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(|%{USERDATA1}|%{USERDATA2})\\] mailop - (%{MOVINGMESSAGE}|%{ADDINGMESSAGE}|%{DELETEMESSAGE})"
],
"pattern_definitions" : {
"MAILSERVICE" : "%{DATA:mail.service}(|-%{POSINT:mail.pid})(|:%{DATA:mail.http_method}:%{URI:mail.http_request_url})",
"ACCOUNT" : "(%{WORD}|%{EMAIL})",
"USERDATA1" : "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};oip=%{IP:mail.remote_ip};port=%{POSINT:mail.port};ua=%{DATA:mail.ua};soapId=%{DATA:mail.soap_id};",
"USERDATA2" : "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};(||ip=%{IP:mail.ip};)",
"ADDINGMESSAGE" : "%{DATA:mail.command}: id=%{NONNEGINT:mail.id}, Message-ID=<%{DATA:mail.message_id}>, parentId=%{DATA}, folderId=%{NONNEGINT:mail.folder_id}, folderName=%{DATA:mail.folder_name} acct=%{NUMBER:mail.acct}.",
"MOVINGMESSAGE" : "%{DATA:mail.command} \\(id=%{NONNEGINT:mail.id}\\) to Folder %{DATA:mail.folder_name} \\(id=%{NONNEGINT:mail.folder_id}\\)",
"DELETEMESSAGE" : "%{DATA:mail.command} \\(id=%{NONNEGINT:mail.id}\\).",
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(|%{USERDATA1}|%{USERDATA2})\\] nginxlookup - %{DATA:mail.reason}:%{GREEDYDATA:mail.client_name}"
],
"pattern_definitions" : {
"MAILSERVICE" : "%{DATA:mail.service}-%{POSINT:mail.pid}(|:%{DATA:mail.http_method}:%{URI:mail.http_request_url})",
"ACCOUNT" : "(%{WORD}|%{EMAIL})",
"USERDATA1" : "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};oip=%{IP:mail.remote_ip};port=%{POSINT:mail.port};ua=%{DATA:mail.ua};soapId=%{DATA:mail.soap_id};",
"USERDATA2" : "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};ip=%{IP:mail.ip};",
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
},
"ignore_failure" : true
}
},
{
"grok": {
"field": "message",
"patterns": ["%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(%{USERDATA1}|%{USERDATA2}|%{USERDATA3}|%{USERDATA4}|%{USERDATA5}|%{USERDATA6})\\] %{WORD} - %{COMMAND:mail.command} %{GREEDYDATA:mail.reason}"],
"pattern_definitions" : {
"MAILSERVICE": "%{DATA:mail.service}-%{POSINT:mail.pid}(|:(%{DATA:mail.http_method}:|)%{URI:mail.http_request_url})",
"ACCOUNT": "(%{WORD}|%{EMAIL})",
"USERDATA1": "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};",
"USERDATA2": "name=%{ACCOUNT:mail.client_name};ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};",
"USERDATA3": "ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};",
"USERDATA4": "ip=%{IP:mail.ip};cid=%{POSINT:mail.cid};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via}\\);ua=%{DATA:mail.ua};",
"USERDATA5": "(name=%{ACCOUNT:mail.client_name};ip=%{IP:mail.remote_ip};port=%{POSINT:mail.port};|)ua=%{DATA:mail.ua};(via=%{DATA:mail.via};|)soapId=%{DATA:mail.soap_id};", "USERDATA6": "(name=%{ACCOUNT:mail.client_name};|)oip=%{IP:mail.remote_ip};oport=%{POSINT:mail.port};oproto=%{WORD:mail.proto};soapId=%{DATA:mail.soap_id};(mid=%{POSINT};ds=%{WORD}};|)",
"COMMAND": "%{WORD}(| %{WORD})",
"LOGDATE": "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(|%{USERDATA1}|%{USERDATA2})\\] index - %{DATA:mail.reason} \\{%{GREEDYDATA:mail.message}\\}"
],
"pattern_definitions" : {
"MAILSERVICE" : "%{DATA:mail.service}-%{POSINT:mail.pid}(|:%{DATA:mail.http_method}:%{URI:mail.http_request_url})",
"ACCOUNT" : "(%{WORD}|%{EMAILADDRESS})",
"USERDATA1" : "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};oip=%{IP:mail.remote_ip};port=%{POSINT:mail.port};ua=%{DATA:mail.ua};soapId=%{DATA:mail.soap_id};",
"USERDATA2" : "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};ip=%{IP:mail.ip};",
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}"
},
"ignore_failure" : true
}
},
{
"grok": {
"field": "message",
"patterns": ["%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(|%{USERDATA1}|%{USERDATA2})\\] nginxlookup - %{DATA:mail.reason}:%{GREEDYDATA:mail.client_name}"],
"pattern_definitions" : {
"MAILSERVICE": "%{DATA:mail.service}-%{POSINT:mail.pid}(|:%{DATA:mail.http_method}:%{URI:mail.http_request_url})",
"ACCOUNT": "(%{WORD}|%{EMAIL})",
"USERDATA1": "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};oip=%{IP:mail.remote_ip};port=%{POSINT:mail.port};ua=%{DATA:mail.ua};soapId=%{DATA:mail.soap_id};",
"USERDATA2": "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};ip=%{IP:mail.ip};",
"LOGDATE": "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
},
"ignore_failure" : true
}
},
{
"grok": {
"field": "message",
"patterns": ["%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(%{USERDATA1}|%{USERDATA2}|%{USERDATA3}|%{USERDATA4}|%{USERDATA5}|%{USERDATA6}|%{USERDATA7})\\] %{WORD} - %{COMMAND:mail.command} %{GREEDYDATA:mail.reason}"],
"pattern_definitions" : {
"MAILSERVICE": "%{DATA:mail.service}-%{POSINT:mail.pid}(|:(%{DATA:mail.http_method}:|)%{URI:mail.http_request_url})",
"ACCOUNT": "(%{WORD}|%{EMAIL})",
"USERDATA1": "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};(ip=%{IP:mail.ip};|)oip=%{IP:mail.remote_ip};(via=%{DATA:mail.via};|)ua=%{DATA:mail.ua};(cid=%{POSINT:mail.cid};|)",
"USERDATA2": "name=%{ACCOUNT:mail.client_name};ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};(via=%{DATA:mail.via};|)(ua=%{DATA:mail.ua};|)cid=%{POSINT:mail.cid};", "USERDATA3": "ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};",
"USERDATA4": "ip=%{IP:mail.ip};cid=%{POSINT:mail.cid};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via}\\);ua=%{DATA:mail.ua};",
"USERDATA5": "(name=%{ACCOUNT:mail.client_name};(aname=%{ACCOUNT:mail.mail.client_account};|)(mid=%{POSINT:mail.mid};|)ip=%{IP:mail.ip};port=%{POSINT:mail.port};|)ua=%{DATA:mail.ua};(via=%{DATA:mail.via};|)soapId=%{DATA:mail.soap_id};",
"USERDATA7": "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};oip=%{IP:mail.remote_ip};(port=%{POSINT:mail.port};|)ua=%{DATA:mail.ua};soapId=%{DATA:mail.soap_id};",
"USERDATA6": "(name=%{ACCOUNT:mail.client_name};|)oip=%{IP:mail.remote_ip};oport=%{POSINT:mail.port};oproto=%{WORD:mail.proto};soapId=%{DATA:mail.soap_id};(mid=%{POSINT};ds=%{WORD}};|)",
"COMMAND": "%{WORD}(| %{WORD})",
"LOGDATE": "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
},
"ignore_failure" : true
}
},
{
"grok": {
"field": "message",
"patterns": ["%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(|%{USERDATA1}|%{USERDATA2}|%{USERDATA3})\\] mailop - (%{MOVINGMESSAGE}|%{ADDINGMESSAGE}|%{DELETEMESSAGE})"],
"pattern_definitions" : {
"MAILSERVICE": "%{DATA:mail.service}(|-%{POSINT:mail.pid})(|:%{DATA:mail.http_method}:%{URI:mail.http_request_url})",
"ACCOUNT": "(%{WORD}|%{EMAIL})",
"USERDATA1": "name=%{ACCOUNT:mail.client_name};(aname=%{ACCOUNT:mail.client_account};|)mid=%{POSINT:mail.mid};oip=%{IP:mail.remote_ip};port=%{POSINT:mail.port};ua=%{DATA:mail.ua};soapId=%{DATA:mail.soap_id};",
"USERDATA2": "name=%{ACCOUNT:mail.client_name};mid=%{POSINT:mail.mid};(||ip=%{IP:mail.ip};)",
"USERDATA3": "name=%{ACCOUNT:mail.client_name};ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};cid=%{POSINT:mail.cid};",
"ADDINGMESSAGE": "%{DATA:mail.command}: id=%{NONNEGINT:mail.id}, Message-ID=<%{DATA:mail.message_id}>, parentId=%{DATA}, folderId=%{NONNEGINT:mail.folder_id}, folderName=%{DATA:mail.folder_name} acct=%{GREEDYDATA:mail.acct}.",
"MOVINGMESSAGE": "%{DATA:mail.command} \\(id=%{NONNEGINT:mail.id}\\) to Folder %{DATA:mail.folder_name} \\(id=%{NONNEGINT:mail.folder_id}\\)",
"DELETEMESSAGE": "%{DATA:mail.command} \\(id=%{NONNEGINT:mail.id}\\).",
"LOGDATE": "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
},
"ignore_failure" : true
}
},
{
"grok": {
"field": "message",
"patterns": ["%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(%{USERDATA5}|%{USERDATA7})\\] %{COMMAND:mail.command} - %{UPLOAD_COMMAND:mail.commands} %{GREEDYDATA:mail.reason}"],
"pattern_definitions" : {
"MAILSERVICE": "%{DATA:mail.service}-%{POSINT:mail.pid}(|:(%{DATA:mail.http_method}:|)%{URI:mail.http_request_url})",
"ACCOUNT": "(%{WORD}|%{EMAIL})",
"USERDATA5": "(name=%{ACCOUNT:mail.client_name};(aname=%{ACCOUNT:mail.client_account};|)(mid=%{POSINT:mail.mid};|)ip=%{IP:mail.ip};port=%{POSINT:mail.port};|)ua=%{DATA:mail.ua};(via=%{DATA:mail.via};|)soapId=%{DATA:mail.soap_id};",
"USERDATA7": "name=%{ACCOUNT:mail.client_name};(aname=%{ACCOUNT:mail.client_account};|)mid=%{POSINT:mail.mid};oip=%{IP:mail.remote_ip};(port=%{POSINT:mail.port};|)ua=%{DATA:mail.ua};(soapId=%{DATA:mail.soap_id};|)",
"COMMAND": "%{WORD}",
"LOGDATE": "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
"UPLOAD_COMMAND": "(Received plain: Upload:|saveUpload\\(\\): received Upload:)",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(%{USERDATA1}|%{USERDATA2}|%{USERDATA3}|%{USERDATA4})\\] security - %{REASON:mail.reason}"
],
"pattern_definitions" : {
"MAILSERVICE" : "%{DATA:mail.service}-%{NONNEGINT:mail.pid}(|:%{DATA:mail.http_method}:%{URI:mail.http_request_url})",
"ACCOUNT" : "(%{WORD}|%{EMAIL})",
"USERDATA1" : "ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};cid=%{POSINT:mail.cid};",
"USERDATA2" : "name=%{ACCOUNT:mail.client_name};ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};",
"USERDATA3" : "ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};",
"USERDATA4" : "ip=%{IP:mail.ip};cid=%{POSINT:mail.cid};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via}\\);ua=%{DATA:mail.ua};",
"REASON" : "Account is lockout, %{GREEDYDATA}",
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(%{USERDATA1}|%{USERDATA2}|%{USERDATA3}|%{USERDATA4})\\] security - cmd=%{DATA:mail.command}; account=%{ACCOUNT:mail.client_account}; protocol=%{WORD:mail.protocol}; error=%{DATA:mail.error} \\[%{EMAIL:mail.client_name}\\], %{REASON:mail.reason};"
],
"pattern_definitions" : {
"MAILSERVICE" : "%{DATA:mail.service}-%{NONNEGINT:mail.pid}(|:%{DATA:mail.http_method}:%{URI:mail.http_request_url})",
"ACCOUNT" : "(%{WORD}|%{EMAIL})",
"USERDATA1" : "ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};cid=%{POSINT:mail.cid};",
"USERDATA2" : "name=%{ACCOUNT:mail.client_name};ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};",
"USERDATA3" : "ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};",
"USERDATA4" : "ip=%{IP:mail.ip};cid=%{POSINT:mail.cid};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via}\\);ua=%{DATA:mail.ua};",
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
"REASON" : "%{DATA}",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
},
"ignore_failure" : true
}
}
]
}