svk
/
elasticsearch
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
elasticsearch/pipelines/maillog.json

775 lines
35 KiB
JSON
Raw Permalink Blame History

{
"processors" : [
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{SEVERITY:mail.severity} \\[%{MAILSERVICE:mail.service}-%{NONNEGINT:mail.pid}\\] \\[name=%{EMAIL:mail.client_name};ip=%{IP:mail.ip};oip=%{IP:mail.mail.remote_ip};via=%{IP:mail.relay_ip}\\(%{DATA}\\);%{DATA}\\] %{DATA} - %{REASON:mail.reason}"
],
"pattern_definitions" : {
"RELAYPORT" : "[0-9]+",
"REASON" : "(?:.+)",
"SEVERITY" : "(?:.+)",
"CONNECTIONSTATUS" : "connect|disconnect",
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
"MAILSERVICE" : "(?:.+)",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{SEVERITY:mail.severity} \\[%{URLDATA}\\] \\[%{CLIENTDATA}\\] %{COMMAND}; account=%{ACCOUNT:mail.client_account}; protocol=%{DATA:mail.auth_protocol};"
],
"pattern_definitions" : {
"URLDATA" : "%{DATA:mail.qtp}-%{ID:mail.id}:(%{DATA}:%{URI:mail.zimbra_url}|%{URI:mail.zimbra_url})",
"ID" : "(?:[0-9]+)",
"CLIENTDATA" : "name=%{EMAIL:mail.client_name};oip=%{IP:mail.remote_ip};oport=%{REMOTEPORT:mail.remote_port};oproto=%{PROTOCOL:mail.protocol};%{SOAPID};",
"ACCOUNT" : "(%{WORD}|%{EMAIL})",
"REMOTEPORT" : "[0-9]+",
"SOAPID" : "soapId=%{DATA:mail.soap_id}",
"PROTOCOL" : "%{WORD}",
"SEVERITY" : "(?:.+)",
"COMMAND" : "%{DATA} cmd=%{WORD:mail.command}",
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{SEVERITY:mail.severity} \\[%{URLDATA}\\] \\[%{CLIENTDATA}\\] %{COMMAND}; account=%{ACCOUNT:mail.client_account};"
],
"pattern_definitions" : {
"URLDATA" : "%{DATA:mail.qtp}-%{ID:mail.id}:(%{DATA}:%{URI:mail.zimbra_url}|%{URI:mail.zimbra_url})",
"ACCOUNT" : "(%{WORD}|%{EMAIL})",
"ID" : "(?:[0-9]+)",
"SOAPID" : "soapId=%{WORD:mail.soap_id}",
"CLIENTDATA" : "name=%{ACCOUNT:mail.client_name};ua=%{DATA:mail.ua};%{SOAPID};",
"REMOTEPORT" : "[0-9]+",
"PROTOCOL" : "%{WORD}",
"SEVERITY" : "(?:.+)",
"COMMAND" : "%{DATA} cmd=%{WORD:mail.command}",
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{SEVERITY:mail.severity} \\[%{URLDATA}\\] \\[%{CLIENTDATA}\\] %{COMMAND}; account=%{ACCOUNT:mail.client_account}; protocol=%{DATA:mail.auth_protocol};"
],
"pattern_definitions" : {
"URLDATA" : "%{DATA:mail.qtp}-%{ID:mail.id}:(%{DATA}:%{URI:mail.zimbra_url}|%{URI:mail.zimbra_url})",
"ACCOUNT" : "(%{WORD}|%{EMAIL})",
"ID" : "(?:[0-9]+)",
"CLIENTDATA" : "name=%{ACCOUNT:mail.client_name};oip=%{IP:mail.remote_ip};oport=%{REMOTEPORT:mail.remote_port};oproto=%{PROTOCOL:mail.protocol};%{SOAPID};",
"REMOTEPORT" : "[0-9]+",
"SOAPID" : "soapId=%{DATA:mail.soap_id}",
"SEVERITY" : "(?:.+)",
"PROTOCOL" : "%{WORD}",
"COMMAND" : "%{DATA} cmd=%{WORD:mail.command}",
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{SEVERITY:mail.severity} \\[%{URLDATA}\\] \\[%{CLIENTDATA}\\] %{COMMAND}; account=%{ACCOUNT:mail.client_account}; protocol=%{DATA:mail.auth_protocol};"
],
"pattern_definitions" : {
"URLDATA" : "%{DATA:mail.qtp}-%{ID:mail.id}:(%{DATA}:%{URI:mail.zimbra_url}|%{URI:mail.zimbra_url})",
"ACCOUNT" : "(%{WORD}|%{EMAIL})",
"ID" : "(?:[0-9]+)",
"CLIENTDATA" : "name=%{ACCOUNT:mail.client_name};ua=%{DATA:mail.ua};%{SOAPID};",
"REMOTEPORT" : "[0-9]+",
"SOAPID" : "soapId=%{WORD:mail.soap_id}",
"PROTOCOL" : "%{WORD}",
"SEVERITY" : "(?:.+)",
"COMMAND" : "%{DATA} cmd=%{WORD:mail.command}",
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{SEVERITY:mail.severity} \\[%{URLDATA}\\] \\[%{CLIENTDATA}\\] %{COMMAND}; account=%{ACCOUNT:mail.client_account}; protocol=%{DATA:mail.auth_protocol}; %{ERRORMESSAGE};"
],
"pattern_definitions" : {
"URLDATA" : "%{DATA:mail.qtp}-%{ID:mail.id}:(%{DATA}:%{URI:mail.zimbra_url}|%{URI:mail.zimbra_url})",
"ACCOUNT" : "(%{WORD}|%{EMAIL})",
"ID" : "(?:[0-9]+)",
"CLIENTDATA" : "name=%{ACCOUNT:mail.client_name};oip=%{IP:mail.remote_ip};oport=%{REMOTEPORT:mail.remote_port};oproto=%{PROTOCOL:mail.protocol};%{SOAPID};",
"REMOTEPORT" : "[0-9]+",
"SOAPID" : "soapId=%{DATA:mail.soap_id}",
"PROTOCOL" : "%{WORD}",
"SEVERITY" : "(?:.+)",
"COMMAND" : "%{DATA} cmd=%{WORD:mail.command}",
"ERRORMESSAGE" : "error=%{DATA:mail.error}( \\[%{ACCOUNT}\\]|), %{DATA:mail.reason}",
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{SEVERITY:mail.severity} \\[%{URLDATA}\\] \\[%{CLIENTDATA}\\] %{COMMAND}; account=%{ACCOUNT:mail.client_account}; protocol=%{DATA:mail.auth_protocol};"
],
"pattern_definitions" : {
"URLDATA" : "%{DATA:mail.qtp}-%{ID:mail.id}:(%{DATA}:%{URI:mail.zimbra_url}|%{URI:mail.zimbra_url})",
"ID" : "(?:[0-9]+)",
"CLIENTDATA" : "name=%{EMAIL:mail.client_name};oip=%{IP:mail.remote_ip};ua=%{DATA:mail.ua};%{SOAPID};",
"ACCOUNT" : "(%{WORD}|%{EMAIL})",
"REMOTEPORT" : "[0-9]+",
"SOAPID" : "soapId=%{DATA:mail.soap_id}",
"PROTOCOL" : "%{WORD}",
"SEVERITY" : "(?:.+)",
"COMMAND" : "%{DATA} cmd=%{WORD:mail.command}",
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{WORD:mail.severity}(\\s.+)\\[%{MAILSERVICE}\\] \\[(%{USERDATA1}|%{USERDATA2}|%{USERDATA3}|%{USERDATA4})\\] security - cmd=%{COMMAND:mail.command}; account=%{ACCOUNT:mail.client_name}; protocol=%{WORD:mail.protocol}"
],
"pattern_definitions" : {
"MAILSERVICE" : "%{DATA:mail.service}-%{NONNEGINT:mail.pid}(|:%{DATA:mail.http_method}:%{URI:mail.http_request_url})",
"ACCOUNT" : "(%{WORD}|%{EMAIL})",
"USERDATA1" : "ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};cid=%{POSINT:mail.cid};",
"USERDATA2" : "name=%{ACCOUNT:mail.client_name};ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};",
"USERDATA3" : "ip=%{IP:mail.ip};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via};ua=%{DATA:mail.ua};cid=%{POSINT:mail.cid};",
"USERDATA4" : "ip=%{IP:mail.ip};cid=%{POSINT:mail.cid};oip=%{IP:mail.remote_ip};via=%{DATA:mail.via}\\);ua=%{DATA:mail.ua};",
"COMMAND" : "%{WORD}",
"LOGDATE" : "20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: to=<%{DATA:mail.to}>,(?:\\sorig_to=<%{EMAIL:mail.orig_to}>,)? relay=%{RELAY}, delay=%{NUMBER:mail.delay}, delays=%{DELAYS}, dsn=%{DSN:mail.dsn}, status=%{STATUS:mail.status} \\(%{DATA:mail.reason}\\)"
],
"pattern_definitions" : {
"RELAY" : "(?:%{HOSTNAME:mail.relay_host}(?:\\[%{IP:mail.relay_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
"DSN" : "%{NONNEGINT}.%{NONNEGINT}.%{NONNEGINT}",
"PERMERROR" : "5[0-9]{2}",
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"STATUS" : "sent|deferred|bounced|expired",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"EMAIL" : "(|([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME})",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)",
"DELAYS" : "%{NUMBER:mail.delay_prequeued}/%{NUMBER:mail.delay_queued}/%{NUMBER:mail.delay_connection}/%{NUMBER:mail.delay_sended}"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: %{POSTFIXACTION:mail.postfix_action}: %{DATA:mail.command} from %{REMOTE}: %{PERMERROR:mail.response_code} %{DSN:mail.dsn} %{DATA}: %{DATA:mail.reason}; (from=<%{EMAIL:mail.from}> |)to=<%{EMAIL:mail.to}> proto=%{DATA:mail.proto} helo=<%{HELO}>"
],
"pattern_definitions" : {
"POSTFIXACTION" : "discard|dunno|filter|hold|ignore|info|prepend|redirect|replace|reject|warn",
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
"PERMERROR" : "(4|5)[0-9][0-9]",
"DSN" : "%{NONNEGINT}.%{NONNEGINT}.%{NONNEGINT}",
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"HELO" : "(?:\\[%{IP:mail.helo}\\]|%{HOSTNAME:mail.helo}|%{DATA:mail.helo})",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
"EMAIL" : "(|([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME})",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{MESSAGELEVEL:mail.message_level}: hostname %{HOSTNAME:mail.remote_host} %{DATA:\n } address %{IP:mail.remote_ip}"
],
"pattern_definitions" : {
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
"MESSAGELEVEL" : "reject|warning|error|fatal|panic",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{CONNECTIONSTATUS:mail.connection_status} %{DIRECTION:mail.connect_direction} %{REMOTE}:%{REMOTEPORT:mail.remote_port}: %{REASON:mail.reason}"
],
"pattern_definitions" : {
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
"REMOTEPORT" : "[0-9]+",
"REASON" : "(?:.+)",
"CONNECTIONSTATUS" : "connect|disconnect",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)",
"DIRECTION" : "(to|from)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{CONNECTIONSTATUS:mail.connection_status} %{DIRECTION:mail.connect_direction} %{REMOTE}"
],
"pattern_definitions" : {
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
"REMOTEPORT" : "[0-9]+",
"REASON" : "(?:.+)",
"CONNECTIONSTATUS" : "connect|disconnect",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)",
"DIRECTION" : "(to|from)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{CONNECTIONSTATUS:mail.connection_status} from \\[%{IPORHOST:mail.remote_host}\\]:%{PORT:mail.remote_port} to \\[%{IPORHOST:mail.local_host}\\]:%{PORT:mail.local_port}"
],
"pattern_definitions" : {
"PORT" : "[0-9]+",
"CONNECTIONSTATUS" : "CONNECT|DISCONNECT|connect|disconnect",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{CONNECTIONSTATUS:mail.connection_status} after %{DATA:mail.command} from %{REMOTE}"
],
"pattern_definitions" : {
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
"CONNECTIONSTATUS" : "lost connection",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: client=%{REMOTE}, sasl_method=%{DATA:mail.sasl_method}, sasl_username=%{EMAIL:mail.username}"
],
"pattern_definitions" : {
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: message-id=(|<)%{DATA:mail.message_id}(|>)"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: from=<%{EMAIL:mail.from}>, size=%{DATA:mail.size}, nrcpt=%{DATA:mail.nrcpt} \\(%{DATA:mail.reason}\\)"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
"EMAIL" : "(|([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME})",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: %{MESSAGESTATUS:mail.reason}"
],
"pattern_definitions" : {
"MESSAGESTATUS" : "removed",
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{SEVERITY:mail.severity}: (%{HOSTDATA}:\\s|\\s)%{DATA:mail.error}: %{GREEDYDATA:mail.reason}"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"HOSTDATA" : "%{HOSTNAME:mail.remote_host}\\[%{IPORHOST:mail.remote_ip}\\]",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
"SEVERITY" : "(warning|info|error)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: client=%{HOSTNAME:mail.remote_host}\\[%{IP:mail.remote_ip}\\]"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{DATA:mail.reason} \\[%{IP:mail.remote_ip}\\]:%{NONNEGINT:mail.remote_port}"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
"EMAIL" : "([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{DATA:mail.reason} from %{HOSTNAME:mail.remote_host}\\[%{IP:mail.remote_ip}\\]: TLS%{DATA:mail.tls_proto} \\(%{DATA}\\)"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: client=%{HOSTNAME:mail.remote_host}\\[%{IP:mail.remote_ip}\\]"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}(|:) %{CONNECTIONSTATUS:mail.connection_status} from %{REMOTE} ehlo=%{NONNEGINT:mail.ehlo} mail=%{DATA} rcpt=%{NONNEGINT:mail.rcpt} data=%{WORD:mail.data} (noop=%{NONNEGINT:mail.noop} |)quit=%{NONNEGINT:mail.quit} commands=%{NONNEGINT:mail.commands}"
],
"pattern_definitions" : {
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
"CONNECTIONSTATUS" : "connect|disconnect",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{SEVERITY:mail.severity}: hostname %{HOSTNAME:mail.remote_host} %{DATA:mail.reason} address %{IP:mail.remote_ip}"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{NONNEGINT:mail.pid}\\]",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)",
"SEVERITY" : "(warning|info)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{SEVERITY:mail.severity}: %{SASL:mail.sasl_message}: %{GREEDYDATA:mail.reason}"
],
"pattern_definitions" : {
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"SASL" : "SASL %{DATA}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"SEVERITY" : "(warning|info)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{POSTFIXACTION:mail.postfix_action}: %{GREEDYDATA:mail.reason}"
],
"pattern_definitions" : {
"POSTFIXACTION" : "statistics",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{POSTFIXACTION:mail.postfix_action} %{GREEDYDATA:mail.reason}: retained=%{NONNEGINT:mail_cache_retained} dropped=%{NONNEGINT:mail.cache_dropped} entries"
],
"pattern_definitions" : {
"POSTFIXACTION" : "cache",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: %{MSG:mail.reason}: %{QUEUEID:mail.qid2}"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"MSG" : "(sender (non-delivery|delivery status) notification)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: resent-message-id=<%{DATA:mail.message_id}>"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"MSG" : "sender non-delivery notification"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: host %{HOSTNAME:mail.remote_host}\\[%{IP:mail.remote_ip}\\] said: %{GREEDYDATA:mail.reason}"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"EMAIL" : "(|([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME})",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: conversation with %{HOSTNAME:mail.remote_host}\\[%{IP:mail.remote_ip}\\] %{GREEDYDATA:mail.reason}"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"EMAIL" : "(|([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME})",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: from=<%{EMAIL:mail.from}>, status=%{WORD:mail.status}, %{GREEDYDATA:mail.reason}"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"EMAIL" : "(|([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME})"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: host %{HOSTNAME:mail.remote_host}\\[%{IP:mail.remote_ip}\\] %{STATUS:mail.status} %{DATA}: %{DATA:mail.reason};"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"EMAIL" : "(|([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME})",
"STATUS" : "refused",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}(:|) %{QUEUEID:mail.qid}: %{POSTFIXACTION:mail.postfix_action}: %{DATA:mail.command} from %{REMOTE}: <%{EMAIL:mail.client}>: %{DATA:mail.reason}; from=<%{EMAIL:mail.from}> to=<%{EMAIL:mail.to}> proto=%{DATA:mail.proto} helo=<%{HELO}>"
],
"pattern_definitions" : {
"POSTFIXACTION" : "discard|dunno|filter|hold|ignore|info|prepend|redirect|replace|reject|warn",
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
"DSN" : "%{NONNEGINT}.%{NONNEGINT}.%{NONNEGINT}",
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"HELO" : "(?:\\[%{IP:mail.helo}\\]|%{HOSTNAME:mail.helo}|%{DATA:mail.helo})",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"EMAIL" : "(|([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME})",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE} %{QUEUEID:mail.qid}: client=%{REMOTE}"
],
"pattern_definitions" : {
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{SEVERITY:mail.severity}: %{STATUS:mail.connection_status}: %{DATA:mail.reason} from %{REMOTE}"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"STATUS" : "reject",
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)",
"SEVERITY" : "(warning|info)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{REASON:mail.reason} after %{DATA:mail.command} from %{REMOTE}"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"REASON" : "((too many errors)|(timeout))",
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{SEVERITY:mail.severity}: %{DATA:mail.reason} from %{REMOTE} in %{DATA:mail.command} command: %{GREEDYDATA:mail.message}"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"STATUS" : "reject",
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)",
"SEVERITY" : "(warning|info)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUEID:mail.qid}: %{DATA:mail.reason} for %{REMOTE}$"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"STATUS" : "reject",
"REMOTE" : "(?:%{HOSTNAME:mail.remote_host}(?:\\[%{IP:mail.remote_ip}\\](?::[0-9]+(.[0-9]+)?)?)?)",
"HOSTNAME" : "\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\b)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{SEVERITY:mail.severity}: %{DATA:mail.reason} for %{HOSTNAME:mail.remote_host}: %{IP:mail.remote_ip}"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"SEVERITY" : "(warning|error|info)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{SEVERITY:mail.severity}: %{DATA:mail.reason} (from|with) %{HOSTDATA}%{GREEDYDATA:mail.message}"
],
"pattern_definitions" : {
"QUEUEID" : "(?:[A-F0-9]+|NOQUEUE)",
"HOSTDATA" : "%{HOSTNAME:mail.remote_host}\\[%{IPORHOST:mail.remote_ip}\\]",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY}(\\s+)%{TIME}",
"MAILSERVICE" : "%{WORD}/%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"SEVERITY" : "(warning|info)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{IP:mail.remote_ip}:%{POSINT:mail.remote_port} -%{REMOTEUSER}- \\[%{LOGDATETIME:mail.log_datetime} %{ISO8601_TIMEZONE}\\](\\s.+?|)\\\"%{REQUEST}\\ %{POSINT:mail.http_status} %{NONNEGINT:mail.http_bytes_sent} \\\"%{REFERER:mail.http_referer}\\\" \\\"%{DATA:mail.http_user_agent}\\\" \\\"%{IP:mail.ip1}:%{POSINT:mail.port1}\\\" (\\\"%{IP:mail.ip2}:%{POSINT:mail.port2}\\\")"
],
"pattern_definitions" : {
"REASON" : "(?:.+)",
"REMOTEUSER" : "(\\s|%{DATA:mail.remote_user})",
"REQUEST" : "%{DATA:mail.http_method} %{URI:mail.http_request_url} %{DATA}",
"REFERER" : "%{URI}|-",
"SEVERITY" : "(?:.+)",
"LOGDATETIME" : "%{MONTHDAY}/%{MONTH}/20%{YEAR}:%{TIME}"
},
"ignore_failure" : true
}
},
{
"date_index_name" : {
"field" : "@timestamp",
"index_name_prefix" : "maillog_filebeat-",
"date_rounding" : "d",
"index_name_format" : "yyyy-MM-dd"
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink