svk
/
elasticsearch
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
elasticsearch/pipelines/zimbralog.json

89 lines
4.2 KiB
JSON
Raw Permalink Blame History

{
"processors": [
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{CONNECTION:mail.connection_status} from %{HOSTNAME:mail.remote_host}\\[%{IP:mail.remote_ip}\\](%{DATA:mail.reason}|)$"
],
"pattern_definitions" : {
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}",
"MAILSERVICE" : "%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"CONNECTION" : "(connect|disconnect)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUED:mail.qid}: client=%{HOSTNAME:mail.remote_host}\\[%{IP:mail.remote_ip}\\]"
],
"pattern_definitions" : {
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}",
"MAILSERVICE" : "%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"QUEUED" : "(?:[A-F0-9]+|NOQUEUE)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUED:mail.qid}: filter: %{DATA} from %{HOSTNAME:mail.remote_host}\\[%{IP:mail.remote_ip}\\]: %{DATA}; from=<%{EMAIL:mail.from}> to=<%{EMAIL:mail.to}> proto=%{DATA:mail.protocol} helo=<%{HOSTNAME:mail.helo}>"
],
"pattern_definitions" : {
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)",
"PORT" : "(?:[0-9]+)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}",
"MAILSERVICE" : "%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"EMAIL" : "(([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}|)",
"QUEUED" : "(?:[A-F0-9]+|NOQUEUE)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUED:mail.qid}: to=<%{EMAIL:mail.to}>, (|(orig_to=<%{EMAIL:mail.orig_to}>, ))((relay=%{HOSTNAME:mail.relay_host}\\[%{IP:mail.relay_ip}\\]:%{PORT:mail.relay_port})|(relay=%{WORD:mail.relay_host})), (conn_use=%{WORD}, |)delay=%{NUMBER:mail.delay}, delays=%{DELAYS}, dsn=%{DSN:mail.dsn}, status=%{WORD:mail.status} \\(%{DATA:mail.reason}\\)((: %{DATA}: queued as %{QUEUED:mail.qid2})|)$"
],
"pattern_definitions" : {
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)",
"PORT" : "(?:[0-9]+)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}",
"MAILSERVICE" : "%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"EMAIL" : "(([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}|)",
"DELAYS" : "%{NUMBER:mail.delay_prequeued}/%{NUMBER:mail.delay_queued}/%{NUMBER:mail.delay_connection}/%{NUMBER:mail.delay_sended}",
"DSN" : "%{NONNEGINT}.%{NONNEGINT}.%{NONNEGINT}",
"QUEUED" : "(?:[A-F0-9]+|NOQUEUE)"
},
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "message",
"patterns" : [
"%{LOGDATE:mail.log_datetime} %{DATA} %{MAILSERVICE}: %{QUEUED:mail.qid}: from=<%{EMAIL:mail.from}>, size=%{WORD:mail.size}, nrcpt=%{WORD} \\(%{DATA:mail.reason}\\)$"
],
"pattern_definitions" : {
"HOSTNAME" : "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)",
"PORT" : "(?:[0-9]+)",
"LOGDATE" : "%{MONTH}(\\s+)%{MONTHDAY} %{TIME}",
"MAILSERVICE" : "%{DATA:mail.service}\\[%{POSINT:mail.pid}\\]",
"EMAIL" : "(([?a-zA-Z0-9_.+-=:]+)@%{HOSTNAME}|)",
"DELAYS" : "%{NUMBER:mail.delay_prequeued}/%{NUMBER:mail.delay_queued}/%{NUMBER:mail.delay_connection}/%{NUMBER:mail.delay_sended}",
"DSN" : "%{NONNEGINT}.%{NONNEGINT}.%{NONNEGINT}",
"QUEUED" : "(?:[A-F0-9]+|NOQUEUE)"
},
"ignore_failure" : true
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink