{
|
|
"processors" : [
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{SEVERITY:mail.severity} \\[%{MAILSERVICE:mail.service}-%{NONNEGINT:mail.pid}\\] \\[name=%{EMAIL:mail.client_name};ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{IP:mail.relay_ip}\\(%{DATA}\\);%{DATA}\\] %{DATA} - %{REASON:mail.reason}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"RELAYPORT" : "[0-9]+",
|
|
"REASON" : "(?:.+)",
|
|
"SEVERITY" : "(?:.+)",
|
|
"CONNECTIONSTATUS" : "connect|disconnect",
|
|
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
|
|
"MAILSERVICE" : "(?:.+)",
|
|
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{SEVERITY:mail.severity} \\[%{URLDATA}\\] \\[%{CLIENTDATA}\\] %{COMMAND}; account=%{ACCOUNT:mail.client_account}; protocol=%{DATA:mail.auth_protocol};"
|
|
],
|
|
"pattern_definitions" : {
|
|
"URLDATA" : "%{DATA:mail.qtp}-%{ID:mail.id}:(%{DATA}:%{URI:mail.zimbra_url}|%{URI:mail.zimbra_url})",
|
|
"ID" : "(?:[0-9]+)",
|
|
"CLIENTDATA" : "name=%{EMAIL:mail.client_name};oip=%{IP:mail.remote_ip};oport=%{REMOTEPORT:mail.remote_port};oproto=%{PROTOCOL:mail.protocol};%{SOAPID};",
|
|
"ACCOUNT" : "(%{WORD}|%{EMAIL})",
|
|
"REMOTEPORT" : "[0-9]+",
|
|
"SOAPID" : "soapId=%{DATA:mail.soap_id}",
|
|
"PROTOCOL" : "%{WORD}",
|
|
"SEVERITY" : "(?:.+)",
|
|
"COMMAND" : "%{DATA} cmd=%{WORD:mail.command}",
|
|
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
|
|
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{SEVERITY:mail.severity} \\[%{URLDATA}\\] \\[%{CLIENTDATA}\\] %{COMMAND}; account=%{ACCOUNT:mail.client_account};"
|
|
],
|
|
"pattern_definitions" : {
|
|
"URLDATA" : "%{DATA:mail.qtp}-%{ID:mail.id}:(%{DATA}:%{URI:mail.zimbra_url}|%{URI:mail.zimbra_url})",
|
|
"ACCOUNT" : "(%{WORD}|%{EMAIL})",
|
|
"ID" : "(?:[0-9]+)",
|
|
"SOAPID" : "soapId=%{WORD:mail.soap_id}",
|
|
"CLIENTDATA" : "name=%{ACCOUNT:mail.client_name};ua=%{DATA:mail.ua};%{SOAPID};",
|
|
"REMOTEPORT" : "[0-9]+",
|
|
"PROTOCOL" : "%{WORD}",
|
|
"SEVERITY" : "(?:.+)",
|
|
"COMMAND" : "%{DATA} cmd=%{WORD:mail.command}",
|
|
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
|
|
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{SEVERITY:mail.severity} \\[%{URLDATA}\\] \\[%{CLIENTDATA}\\] %{COMMAND}; account=%{ACCOUNT:mail.client_account}; protocol=%{DATA:mail.auth_protocol};"
|
|
],
|
|
"pattern_definitions" : {
|
|
"URLDATA" : "%{DATA:mail.qtp}-%{ID:mail.id}:(%{DATA}:%{URI:mail.zimbra_url}|%{URI:mail.zimbra_url})",
|
|
"ACCOUNT" : "(%{WORD}|%{EMAIL})",
|
|
"ID" : "(?:[0-9]+)",
|
|
"CLIENTDATA" : "name=%{ACCOUNT:mail.client_name};oip=%{IP:mail.remote_ip};oport=%{REMOTEPORT:mail.remote_port};oproto=%{PROTOCOL:mail.protocol};%{SOAPID};",
|
|
"REMOTEPORT" : "[0-9]+",
|
|
"SOAPID" : "soapId=%{DATA:mail.soap_id}",
|
|
"SEVERITY" : "(?:.+)",
|
|
"PROTOCOL" : "%{WORD}",
|
|
"COMMAND" : "%{DATA} cmd=%{WORD:mail.command}",
|
|
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
|
|
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{SEVERITY:mail.severity} \\[%{URLDATA}\\] \\[%{CLIENTDATA}\\] %{COMMAND}; account=%{ACCOUNT:mail.client_account}; protocol=%{DATA:mail.auth_protocol};"
|
|
],
|
|
"pattern_definitions" : {
|
|
"URLDATA" : "%{DATA:mail.qtp}-%{ID:mail.id}:(%{DATA}:%{URI:mail.zimbra_url}|%{URI:mail.zimbra_url})",
|
|
"ACCOUNT" : "(%{WORD}|%{EMAIL})",
|
|
"ID" : "(?:[0-9]+)",
|
|
"CLIENTDATA" : "name=%{ACCOUNT:mail.client_name};ua=%{DATA:mail.ua};%{SOAPID};",
|
|
"REMOTEPORT" : "[0-9]+",
|
|
"SOAPID" : "soapId=%{WORD:mail.soap_id}",
|
|
"PROTOCOL" : "%{WORD}",
|
|
"SEVERITY" : "(?:.+)",
|
|
"COMMAND" : "%{DATA} cmd=%{WORD:mail.command}",
|
|
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
|
|
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{SEVERITY:mail.severity} \\[%{URLDATA}\\] \\[%{CLIENTDATA}\\] %{COMMAND}; account=%{ACCOUNT:mail.client_account}; protocol=%{DATA:mail.auth_protocol}; %{ERRORMESSAGE};"
|
|
],
|
|
"pattern_definitions" : {
|
|
"URLDATA" : "%{DATA:mail.qtp}-%{ID:mail.id}:(%{DATA}:%{URI:mail.zimbra_url}|%{URI:mail.zimbra_url})",
|
|
"ACCOUNT" : "(%{WORD}|%{EMAIL})",
|
|
"ID" : "(?:[0-9]+)",
|
|
"CLIENTDATA" : "name=%{ACCOUNT:mail.client_name};oip=%{IP:mail.remote_ip};oport=%{REMOTEPORT:mail.remote_port};oproto=%{PROTOCOL:mail.protocol};%{SOAPID};",
|
|
"REMOTEPORT" : "[0-9]+",
|
|
"SOAPID" : "soapId=%{DATA:mail.soap_id}",
|
|
"PROTOCOL" : "%{WORD}",
|
|
"SEVERITY" : "(?:.+)",
|
|
"COMMAND" : "%{DATA} cmd=%{WORD:mail.command}",
|
|
"ERRORMESSAGE" : "error=%{DATA:mail.error}( \\[%{ACCOUNT}\\]|), %{DATA:mail.reason}",
|
|
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
|
|
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{SEVERITY:mail.severity} \\[%{URLDATA}\\] \\[%{CLIENTDATA}\\] %{COMMAND}; account=%{ACCOUNT:mail.client_account}; protocol=%{DATA:mail.auth_protocol};"
|
|
],
|
|
"pattern_definitions" : {
|
|
"URLDATA" : "%{DATA:mail.qtp}-%{ID:mail.id}:(%{DATA}:%{URI:mail.zimbra_url}|%{URI:mail.zimbra_url})",
|
|
"ID" : "(?:[0-9]+)",
|
|
"CLIENTDATA" : "name=%{EMAIL:mail.client_name};oip=%{IP:mail.remote_ip};ua=%{DATA:mail.ua};%{SOAPID};",
|
|
"ACCOUNT" : "(%{WORD}|%{EMAIL})",
|
|
"REMOTEPORT" : "[0-9]+",
|
|
"SOAPID" : "soapId=%{DATA:mail.soap_id}",
|
|
"PROTOCOL" : "%{WORD}",
|
|
"SEVERITY" : "(?:.+)",
|
|
"COMMAND" : "%{DATA} cmd=%{WORD:mail.command}",
|
|
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
|
|
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(%{USERDATA1}|%{USERDATA2}|%{USERDATA3}|%{USERDATA4})\\] security - cmd=%{COMMAND:mail.command}; account=%{ACCOUNT:mail.client_name}; protocol=%{WORD:mail.protocol}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"MAILSERVICE" : "%{DATA:mail.service}-%{NONNEGINT:mail.pid}(|:%{DATA:mail.http_method}:%{URI:mail.http_request_url})",
|
|
"ACCOUNT" : "(%{WORD}|%{EMAIL})",
|
|
"USERDATA1" : "ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};cid=%{POSINT:mail.cid};",
|
|
"USERDATA2" : "name=%{ACCOUNT:mail.client_name};ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};",
|
|
"USERDATA3" : "ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};",
|
|
"USERDATA4" : "ip=%{IP:mail.ip};cid=%{POSINT:mail.cid};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via}\\);ua=%{DATA:mail.ua};",
|
|
"COMMAND" : "%{WORD}",
|
|
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
|
|
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: to=<%{DATA:mail.to}>,(?:\\sorig_to=<%{EMAIL:mail.orig_to}>,)? relay=%{RELAY}, delay=%{NUMBER:mail.delay}, delays=%{DELAYS}, dsn=%{DSN:mail.dsn}, status=%{STATUS:mail.status} \\(%{DATA:mail.reason}\\)"
|
|
],
|
|
"pattern_definitions" : {
|
|
"RELAY" : "(?:%{HOSTNAME:mail.relay_host}(?:\\[%{IP:mail.relay_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
|
|
"DSN" : "%{NONNEGINT}.%{NONNEGINT}.%{NONNEGINT}",
|
|
"PERMERROR" : "5[0-9]{2}",
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"STATUS" : "sent|deferred|bounced|expired",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"EMAIL" : "(|([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME})",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)",
|
|
"DELAYS" : "%{NUMBER:mail.delay_prequeued}/%{NUMBER:mail.delay_queued}/%{NUMBER:mail.delay_connection}/%{NUMBER:mail.delay_sended}"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: %{POSTFIXACTION:mail.postfix_action}: %{DATA:mail.command} from %{REMOTE}: %{PERMERROR:mail.response_code} %{DSN:mail.dsn} %{DATA}: %{DATA:mail.reason}; (from=<%{EMAIL:mail.from}> |)to=<%{EMAIL:mail.to}> proto=%{DATA:mail.proto} helo=<%{HELO}>"
|
|
],
|
|
"pattern_definitions" : {
|
|
"POSTFIXACTION" : "discard|dunno|filter|hold|ignore|info|prepend|redirect|replace|reject|warn",
|
|
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
|
|
"PERMERROR" : "(4|5)[0-9][0-9]",
|
|
"DSN" : "%{NONNEGINT}.%{NONNEGINT}.%{NONNEGINT}",
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"HELO" : "(?:\\[%{IP:mail.helo}\\]|%{HOSTNAME:mail.helo}|%{DATA:mail.helo})",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
|
|
"EMAIL" : "(|([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME})",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{MESSAGELEVEL:mail.message_level}: hostname %{HOSTNAME:mail.remote_host} %{DATA:mail.reason} address %{IP:mail.remote_ip}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
|
|
"MESSAGELEVEL" : "reject|warning|error|fatal|panic",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{CONNECTIONSTATUS:mail.connection_status} %{DIRECTION:mail.connect_direction} %{REMOTE}:%{REMOTEPORT:mail.remote_port}: %{REASON:mail.reason}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
|
|
"REMOTEPORT" : "[0-9]+",
|
|
"REASON" : "(?:.+)",
|
|
"CONNECTIONSTATUS" : "connect|disconnect",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)",
|
|
"DIRECTION" : "(to|from)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{CONNECTIONSTATUS:mail.connection_status} %{DIRECTION:mail.connect_direction} %{REMOTE}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
|
|
"REMOTEPORT" : "[0-9]+",
|
|
"REASON" : "(?:.+)",
|
|
"CONNECTIONSTATUS" : "connect|disconnect",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)",
|
|
"DIRECTION" : "(to|from)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{CONNECTIONSTATUS:mail.connection_status} from \\[%{IPORHOST:mail.remote_host}\\]:%{PORT:mail.remote_port} to \\[%{IPORHOST:mail.local_host}\\]:%{PORT:mail.local_port}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"PORT" : "[0-9]+",
|
|
"CONNECTIONSTATUS" : "CONNECT|DISCONNECT|connect|disconnect",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{CONNECTIONSTATUS:mail.connection_status} after %{DATA:mail.command} from %{REMOTE}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
|
|
"CONNECTIONSTATUS" : "lost connection",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: client=%{REMOTE}, sasl_method=%{DATA:mail.sasl_method}, sasl_username=%{EMAIL:mail.username}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
|
|
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: message-id=(|<)%{DATA:mail.message_id}(|>)"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: from=<%{EMAIL:mail.from}>, size=%{DATA:mail.size}, nrcpt=%{DATA:mail.nrcpt} \\(%{DATA:mail.reason}\\)"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
|
|
"EMAIL" : "(|([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME})",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: %{MESSAGESTATUS:mail.reason}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"MESSAGESTATUS" : "removed",
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{SEVERITY:mail.severity}: (%{HOSTDATA}:\\s|\\s)%{DATA:mail.error}: %{GREEDYDATA:mail.reason}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"HOSTDATA" : "%{HOSTNAME:mail.remote_host}\\[%{IPORHOST:mail.remote_ip}\\]",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
|
|
"SEVERITY" : "(warning|info|error)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: client=%{HOSTNAME:mail.remote_host}\\[%{IP:mail.remote_ip}\\]"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
|
|
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{DATA:mail.reason} \\[%{IP:mail.remote_ip}\\]:%{NONNEGINT:mail.remote_port}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
|
|
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{DATA:mail.reason} from %{HOSTNAME:mail.remote_host}\\[%{IP:mail.remote_ip}\\]: TLS%{DATA:mail.tls_proto} \\(%{DATA}\\)"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: client=%{HOSTNAME:mail.remote_host}\\[%{IP:mail.remote_ip}\\]"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}(|:) %{CONNECTIONSTATUS:mail.connection_status} from %{REMOTE} ehlo=%{NONNEGINT:mail.ehlo} mail=%{DATA} rcpt=%{NONNEGINT:mail.rcpt} data=%{WORD:mail.data} (noop=%{NONNEGINT:mail.noop} |)quit=%{NONNEGINT:mail.quit} commands=%{NONNEGINT:mail.commands}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
|
|
"CONNECTIONSTATUS" : "connect|disconnect",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{SEVERITY:mail.severity}: hostname %{HOSTNAME:mail.remote_host} %{DATA:mail.reason} address %{IP:mail.remote_ip}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)",
|
|
"SEVERITY" : "(warning|info)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{SEVERITY:mail.severity}: %{SASL:mail.sasl_message}: %{GREEDYDATA:mail.reason}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"SASL" : "SASL %{DATA}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"SEVERITY" : "(warning|info)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{POSTFIXACTION:mail.postfix_action}: %{GREEDYDATA:mail.reason}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"POSTFIXACTION" : "statistics",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{POSTFIXACTION:mail.postfix_action} %{GREEDYDATA:mail.reason}: retained=%{NONNEGINT:mail.cache_retained} dropped=%{NONNEGINT:mail.cache_dropped} entries"
|
|
],
|
|
"pattern_definitions" : {
|
|
"POSTFIXACTION" : "cache",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: %{MSG:mail.reason}: %{QUEUEID:mail.qid2}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"MSG" : "(sender (non-delivery|delivery status) notification)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: resent-message-id=<%{DATA:mail.message_id}>"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"MSG" : "sender non-delivery notification"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: host %{HOSTNAME:mail.remote_host}\\[%{IP:mail.remote_ip}\\] said: %{GREEDYDATA:mail.reason}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"EMAIL" : "(|([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME})",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: conversation with %{HOSTNAME:mail.remote_host}\\[%{IP:mail.remote_ip}\\] %{GREEDYDATA:mail.reason}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"EMAIL" : "(|([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME})",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: from=<%{EMAIL:mail.from}>, status=%{WORD:mail.status}, %{GREEDYDATA:mail.reason}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"EMAIL" : "(|([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME})"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: host %{HOSTNAME:mail.remote_host}\\[%{IP:mail.remote_ip}\\] %{STATUS:mail.status} %{DATA}: %{DATA:mail.reason};"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"EMAIL" : "(|([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME})",
|
|
"STATUS" : "refused",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}(:|) %{QUEUEID:mail.qid}: %{POSTFIXACTION:mail.postfix_action}: %{DATA:mail.command} from %{REMOTE}: <%{EMAIL:mail.client}>: %{DATA:mail.reason}; from=<%{EMAIL:mail.from}> to=<%{EMAIL:mail.to}> proto=%{DATA:mail.proto} helo=<%{HELO}>"
|
|
],
|
|
"pattern_definitions" : {
|
|
"POSTFIXACTION" : "discard|dunno|filter|hold|ignore|info|prepend|redirect|replace|reject|warn",
|
|
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
|
|
"DSN" : "%{NONNEGINT}.%{NONNEGINT}.%{NONNEGINT}",
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"HELO" : "(?:\\[%{IP:mail.helo}\\]|%{HOSTNAME:mail.helo}|%{DATA:mail.helo})",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"EMAIL" : "(|([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME})",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE} %{QUEUEID:mail.qid}: client=%{REMOTE}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{SEVERITY:mail.severity}: %{STATUS:mail.connection_status}: %{DATA:mail.reason} from %{REMOTE}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"STATUS" : "reject",
|
|
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)",
|
|
"SEVERITY" : "(warning|info)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{REASON:mail.reason} after %{DATA:mail.command} from %{REMOTE}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"REASON" : "((too many errors)|(timeout))",
|
|
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{SEVERITY:mail.severity}: %{DATA:mail.reason} from %{REMOTE} in %{DATA:mail.command} command: %{GREEDYDATA:mail.message}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"STATUS" : "reject",
|
|
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)",
|
|
"SEVERITY" : "(warning|info)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: %{DATA:mail.reason} for %{REMOTE}$"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"STATUS" : "reject",
|
|
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
|
|
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{SEVERITY:mail.severity}: %{DATA:mail.reason} for %{HOSTNAME:mail.remote_host}: %{IP:mail.remote_ip}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"SEVERITY" : "(warning|error|info)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{SEVERITY:mail.severity}: %{DATA:mail.reason} (from|with) %{HOSTDATA}%{GREEDYDATA:mail.message}"
|
|
],
|
|
"pattern_definitions" : {
|
|
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
|
|
"HOSTDATA" : "%{HOSTNAME:mail.remote_host}\\[%{IPORHOST:mail.remote_ip}\\]",
|
|
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
|
|
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
|
|
"SEVERITY" : "(warning|info)"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"grok" : {
|
|
"field" : "message",
|
|
"patterns" : [
|
|
"%{IP:mail.remote_ip}:%{POSINT:mail.remote_port} -%{REMOTEUSER}- \\[%{LOGDATETIME:mail.log_datetime} %{ISO8601_TIMEZONE}\\](\\s.+?|)\\\"%{REQUEST}\\ %{POSINT:mail.http_status} %{NONNEGINT:mail.http_bytes_sent} \\\"%{REFERER:mail.http_referer}\\\" \\\"%{DATA:mail.http_user_agent}\\\" \\\"%{IP:mail.ip1}:%{POSINT:mail.port1}\\\" (\\\"%{IP:mail.ip2}:%{POSINT:mail.port2}\\\")"
|
|
],
|
|
"pattern_definitions" : {
|
|
"REASON" : "(?:.+)",
|
|
"REMOTEUSER" : "(\\s|%{DATA:mail.remote_user})",
|
|
"REQUEST" : "%{DATA:mail.http_method} %{URI:mail.http_request_url} %{DATA}",
|
|
"REFERER" : "%{URI}|-",
|
|
"SEVERITY" : "(?:.+)",
|
|
"LOGDATETIME" : "%{MONTHDAY}/%{MONTH}/20%{YEAR}:%{TIME}"
|
|
},
|
|
"ignore_failure" : true
|
|
}
|
|
},
|
|
{
|
|
"date_index_name" : {
|
|
"field" : "@timestamp",
|
|
"index_name_prefix" : "maillog_filebeat-",
|
|
"date_rounding" : "d",
|
|
"index_name_format" : "yyyy-MM-dd"
|
|
}
|
|
}
|
|
]
}