├── README.md
├── conf.d
│   ├── 50-filter-postfix.conf
│   ├── 60-filter-cbpolicyd.conf
│   └── 65-filter-spamd.conf
└── patterns.d
    ├── cbpolicyd.grok
    ├── postfix.grok
    └── spamd.grok
/README.md:
--------------------------------------------------------------------------------
Logstash grok patterns and filter configuration for parsing mail logs (Postfix, cbpolicyd and spamd) and storing the parsed events.

The files under `conf.d` only define filters; you also need an input and an output, saved as further files under `conf.d`. The filters select lines on the `program` field (`postfix/smtpd`, `cbpolicyd`, `spamd`, ...) that the syslog input extracts from the syslog header, so if you ship raw lines another way make sure that field is populated, otherwise none of the filters fire. Below is an example input/output configuration.

```
input {
  # For a standard maillog forwarded by rsyslogd or syslog-ng. Plain syslog over
  # the network is neither authenticated nor encrypted, and the input listens on
  # all interfaces unless `host` is set, so restrict port 9473 to your mail
  # servers (firewall) or use the TLS transport below instead.
  syslog {
    type => "mailserver-log"
    port => "9473"
  }

  # Lumberjack gives you TLS on the wire: the shipper is expected to verify this
  # certificate, so give it a trusted copy. On current Logstash releases the
  # `beats` input is the maintained equivalent of this plugin.
  # Find out more at https://www.elastic.co/guide/en/logstash/current/plugins-inputs-lumberjack.html
  lumberjack {
    port => "9474"
    type => "mailserver-log"
    ssl_certificate => "/etc/logstash/ssl/logstash-forwarder.crt"
    ssl_key => "/etc/logstash/ssl/logstash-forwarder.key"
  }
}

output {
  # You can also use the standard Elasticsearch plugin.
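# Find out more at https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html
  # elasticsearch_http is the legacy HTTP output; on current Logstash releases
  # the same thing is the `elasticsearch` output (hosts => [...]). Either way
  # the parsed events carry sender/recipient addresses and client IPs, so put
  # TLS and authentication between Logstash and Elasticsearch (the output's own
  # TLS/auth options or a reverse proxy) rather than sending them in the clear.
  elasticsearch_http {
    host => "your.elasticsearch.server"
  }

  # For debugging only: this writes every event, addresses and IPs included,
  # to a plain file. Enable it temporarily and keep the file readable by the
  # logstash user only.
  # file {
  #   path => "/var/log/logstash/logstash-debug.log"
  # }
}
```
--------------------------------------------------------------------------------
/conf.d/50-filter-postfix.conf:
--------------------------------------------------------------------------------
# originally from https://github.com/whyscream/postfix-grok-patterns/blob/master/50-filter-postfix.conf
# added a few more
#
# Routes each Postfix daemon's log lines to the matching aggregate pattern in
# patterns.d/postfix.grok, selected on the `program` field that the syslog
# input sets ("postfix/smtpd", or "postfix-<instance>/smtpd" for multi-instance
# setups, hence the "postfix.*/" prefix). Every grok tags the event with
# _grok_postfix_<daemon>_success or _nomatch so parse failures stay visible;
# a program that matches no branch is passed through untouched.
#
# Most of what follows the queue id in these lines is remote-influenced (HELO
# names, envelope addresses, server replies, header contents), so treat the
# extracted fields as untrusted data, not as verified identities.

filter {
  if [program] =~ /^postfix.*\/anvil$/ {
    grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => [ "message", "%{POSTFIX_ANVIL}" ]
      tag_on_failure => [ "_grok_postfix_anvil_nomatch" ]
      add_tag => [ "_grok_postfix_anvil_success" ]
    }
  } else if [program] =~ /^postfix.*\/bounce$/ {
    grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => [ "message", "%{POSTFIX_BOUNCE}" ]
      tag_on_failure => [ "_grok_postfix_bounce_nomatch" ]
      add_tag => [ "_grok_postfix_bounce_success" ]
    }
  } else if [program] =~ /^postfix.*\/cleanup$/ {
    grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => [ "message", "%{POSTFIX_CLEANUP}" ]
      tag_on_failure => [ "_grok_postfix_cleanup_nomatch" ]
      add_tag => [ "_grok_postfix_cleanup_success" ]
    }
  } else if [program] =~ /^postfix.*\/dnsblog$/ {
    grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => [ "message", "%{POSTFIX_DNSBLOG}" ]
      tag_on_failure => [ "_grok_postfix_dnsblog_nomatch" ]
      add_tag => [ "_grok_postfix_dnsblog_success" ]
    }
  } else if [program] =~ /^postfix.*\/local$/ {
    grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => [ "message", "%{POSTFIX_LOCAL}" ]
      tag_on_failure => [ "_grok_postfix_local_nomatch" ]
      add_tag => [ "_grok_postfix_local_success" ]
    }
  } else if [program] =~ /^postfix.*\/master$/ {
    grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => [ "message", "%{POSTFIX_MASTER}" ]
      tag_on_failure => [ "_grok_postfix_master_nomatch" ]
      add_tag => [ "_grok_postfix_master_success" ]
    }
  } else if [program] =~ /^postfix.*\/pickup$/ {
    grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => [ "message", "%{POSTFIX_PICKUP}" ]
      tag_on_failure => [ "_grok_postfix_pickup_nomatch" ]
      add_tag => [ "_grok_postfix_pickup_success" ]
    }
  } else if [program] =~ /^postfix.*\/pipe$/ {
    grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => [ "message", "%{POSTFIX_PIPE}" ]
      tag_on_failure => [ "_grok_postfix_pipe_nomatch" ]
      add_tag => [ "_grok_postfix_pipe_success" ]
    }
  } else if [program] =~ /^postfix.*\/postdrop$/ {
    grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => [ "message", "%{POSTFIX_POSTDROP}" ]
      tag_on_failure => [ "_grok_postfix_postdrop_nomatch" ]
      add_tag => [ "_grok_postfix_postdrop_success" ]
    }
  } else if [program] =~ /^postfix.*\/postscreen$/ {
    grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => [ "message", "%{POSTFIX_POSTSCREEN}" ]
      tag_on_failure => [ "_grok_postfix_postscreen_nomatch" ]
      add_tag => [ "_grok_postfix_postscreen_success" ]
    }
  } else if [program] =~ /^postfix.*\/qmgr$/ {
    grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => [ "message", "%{POSTFIX_QMGR}" ]
      tag_on_failure => [ "_grok_postfix_qmgr_nomatch" ]
      add_tag => [ "_grok_postfix_qmgr_success" ]
    }
  } else if [program] =~ /^postfix.*\/scache$/ {
    # POSTFIX_SCACHE is defined in patterns.d/postfix.grok but had no branch
    # here, so scache statistics lines were passed through unparsed.
    grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => [ "message", "%{POSTFIX_SCACHE}" ]
      tag_on_failure => [ "_grok_postfix_scache_nomatch" ]
      add_tag => [ "_grok_postfix_scache_success" ]
    }
  } else if [program] =~ /^postfix.*\/sendmail$/ {
    grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => [ "message", "%{POSTFIX_SENDMAIL}" ]
      tag_on_failure => [ "_grok_postfix_sendmail_nomatch" ]
      add_tag => [ "_grok_postfix_sendmail_success" ]
    }
  } else if [program] =~ /^postfix.*\/smtp$/ {
    # Only lines that really carry a header_checks PREPEND action go to the
    # POSTFIX_PREPEND pattern (which requires the ": prepend: header " text).
    # The previous test, /prepend/ anywhere in the message, also caught delivery
    # lines whose remote server reply happened to contain the word, and those
    # then failed to parse instead of going through POSTFIX_SMTP.
    if [message] =~ /: prepend: header / {
      grok {
        patterns_dir => "/etc/logstash/patterns.d"
        match => [ "message", "%{POSTFIX_PREPEND}" ]
        # Tag name fixed ("predend" typo) so it follows the *_nomatch convention
        # the other branches use.
        tag_on_failure => [ "_grok_postfix_prepend_nomatch" ]
        add_tag => [ "_grok_postfix_prepend_success" ]
      }
    } else {
      grok {
        patterns_dir => "/etc/logstash/patterns.d"
        match => [ "message", "%{POSTFIX_SMTP}" ]
        tag_on_failure => [ "_grok_postfix_smtp_nomatch" ]
        add_tag => [ "_grok_postfix_smtp_success" ]
      }
    }
  } else if [program] =~ /^postfix.*\/smtpd$/ {
    grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => [ "message", "%{POSTFIX_SMTPD}" ]
      tag_on_failure => [ "_grok_postfix_smtpd_nomatch" ]
      add_tag => [ "_grok_postfix_smtpd_success" ]
    }
  } else if [program] =~ /^postfix.*\/tlsmgr$/ {
    grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => [ "message", "%{POSTFIX_TLSMGR}" ]
      tag_on_failure => [ "_grok_postfix_tlsmgr_nomatch" ]
      add_tag => [ "_grok_postfix_tlsmgr_success" ]
    }
  } else if [program] =~ /^postfix.*\/tlsproxy$/ {
    grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => [ "message", "%{POSTFIX_TLSPROXY}" ]
      tag_on_failure => [ "_grok_postfix_tlsproxy_nomatch" ]
      add_tag => [ "_grok_postfix_tlsproxy_success" ]
    }
  } else if [program] =~ /^postfix.*\/trivial-rewrite$/ {
    grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => [ "message", "%{POSTFIX_TRIVIAL_REWRITE}" ]
      tag_on_failure => [ "_grok_postfix_trivial_rewrite_nomatch" ]
      add_tag => [ "_grok_postfix_trivial_rewrite_success" ]
    }
  }

  # Process key-value data if it exists. kv creates one field per key it finds
  # in the text, and part of that text is remote-influenced; the prefix keeps
  # the result in the postfix_ namespace, but if unexpected keys start turning
  # up in the index, restrict it with include_keys to the ones you actually
  # use. (Later kv plugin versions spell the `trim` option `trim_value`.)
  if [postfix_keyvalue_data] {
    kv {
      source => "postfix_keyvalue_data"
      trim => "<>,"
      prefix => "postfix_"
      remove_field => [ "postfix_keyvalue_data" ]
    }

    # Some post processing of key-value data: split "host[ip]:port" and the
    # a/b/c/d delay tuple into their own fields, then drop the raw value.
    if [postfix_client] {
      grok {
        patterns_dir => "/etc/logstash/patterns.d"
        match => ["postfix_client", "%{POSTFIX_CLIENT_INFO}"]
        tag_on_failure => [ "_grok_kv_postfix_client_nomatch" ]
        remove_field => [ "postfix_client" ]
      }
    }
    if [postfix_relay] {
      grok {
        patterns_dir => "/etc/logstash/patterns.d"
        match => ["postfix_relay", "%{POSTFIX_RELAY_INFO}"]
        tag_on_failure => [ "_grok_kv_postfix_relay_nomatch" ]
        remove_field => [ "postfix_relay" ]
      }
    }
    if [postfix_delays] {
      grok {
        patterns_dir => "/etc/logstash/patterns.d"
        match => ["postfix_delays", "%{POSTFIX_DELAYS}"]
        tag_on_failure => [ "_grok_kv_postfix_delays_nomatch" ]
        remove_field => [ "postfix_delays" ]
      }
    }
  }

  # Do some data type conversions so numeric fields are indexed as numbers.
  # Fields that are absent on an event are simply skipped by mutate.
  mutate {
    convert => [
      # list of integer fields
      "postfix_anvil_cache_size", "integer",
      "postfix_anvil_conn_count", "integer",
      "postfix_anvil_conn_rate", "integer",
      "postfix_client_port", "integer",
      "postfix_nrcpt", "integer",
      "postfix_postscreen_cache_dropped", "integer",
      "postfix_postscreen_cache_retained", "integer",
      "postfix_postscreen_dnsbl_rank", "integer",
      "postfix_relay_port", "integer",
      "postfix_scache_addresses", "integer",
      "postfix_scache_connection", "integer",
      "postfix_scache_domains", "integer",
      "postfix_scache_hits", "integer",
      "postfix_scache_miss", "integer",
      "postfix_scache_success", "integer",
      "postfix_server_port", "integer",
      "postfix_size", "integer",
      "postfix_status_code", "integer",
      "postfix_termination_signal", "integer",
      "postfix_uid", "integer",

      # list of float fields
      "postfix_delay", "float",
      "postfix_delay_before_qmgr", "float",
      "postfix_delay_conn_setup", "float",
      "postfix_delay_in_qmgr", "float",
      "postfix_delay_transmission", "float",
      "postfix_postscreen_violation_time", "float"
    ]
  }
}
--------------------------------------------------------------------------------
/conf.d/60-filter-cbpolicyd.conf: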
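--------------------------------------------------------------------------------
# Parses the Accounting-module lines that cbpolicyd writes to syslog. Other
# cbpolicyd output (other modules, startup messages) has no pattern here and
# is tagged _grok_cbpolicyd_nomatch instead.
filter {
  if [program] =~ /^cbpolicyd$/ {
    grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => [ "message", "%{CBPOLICYD_ACCOUNTING}" ]
      tag_on_failure => [ "_grok_cbpolicyd_nomatch" ]
      add_tag => [ "_grok_cbpolicyd_success" ]
    }
  }
}

--------------------------------------------------------------------------------
/conf.d/65-filter-spamd.conf:
--------------------------------------------------------------------------------
# Dispatches spamd (SpamAssassin) log lines on their leading keyword to the
# patterns in patterns.d/spamd.grok. Sender, recipient, Message-ID and the
# rule hit list in these lines come from the scanned mail, so treat the
# extracted fields as untrusted data.
filter {
  if [program] =~ /^spamd$/ {

    if [message] =~ /^spamd\: processing message.*$/ {
      grok {
        patterns_dir => "/etc/logstash/patterns.d"
        match => [ "message", "%{SPAMD_PROCESSING}" ]
        tag_on_failure => [ "_grok_spamd_processing_nomatch" ]
        add_tag => [ "_grok_spamd_processing_success" ]
      }
    } else if [message] =~ /^spamd\: result\:.*$/ {
      grok {
        patterns_dir => "/etc/logstash/patterns.d"
        match => [ "message", "%{SPAMD_SCANINFO}" ]
        tag_on_failure => [ "_grok_spamd_scaninfo_nomatch" ]
        add_tag => [ "_grok_spamd_scaninfo_success" ]
      }
      # Turn the "RULE1,RULE2,..." hit list into an array, but only when grok
      # actually produced the field so a parse failure never reaches mutate.
      if [filter_rules] {
        mutate {
          split => { "filter_rules" => "," }
        }
      }
    } else if [message] =~ /^spamd\: server successfully spawned.*$/ {
      grok {
        patterns_dir => "/etc/logstash/patterns.d"
        match => [ "message", "%{SPAMD_CHILD}" ]
        tag_on_failure => [ "_grok_spamd_child_nomatch" ]
        add_tag => [ "_grok_spamd_child_success" ]
      }
    } else if [message] =~ /^spamd\: connection from.*$/ {
      grok {
        patterns_dir => "/etc/logstash/patterns.d"
        match => [ "message", "%{SPAMD_CONNECTION}" ]
        tag_on_failure => [ "_grok_spamd_connection_nomatch" ]
        add_tag => [ "_grok_spamd_connection_success" ]
      }
    } else if [message] =~ /^spamd\: clean message.*$/ {
      grok {
        patterns_dir => "/etc/logstash/patterns.d"
        match => [ "message", "%{SPAMD_RESULT}" ]
        tag_on_failure => [ "_grok_spamd_clean_nomatch" ]
        add_tag => [ "_grok_spamd_clean_success" ]
      }
    } else if [message] =~ /^spamd\: identified spam.*$/ {
      grok {
        patterns_dir => "/etc/logstash/patterns.d"
        match => [ "message", "%{SPAMD_RESULT}" ]
        tag_on_failure => [ "_grok_spamd_identified_nomatch" ]
        add_tag => [ "_grok_spamd_identified_success" ]
      }
    } else if [message] =~ /^prefork\:.*$/ {
      grok {
        patterns_dir => "/etc/logstash/patterns.d"
        match => [ "message", "%{SPAMD_PREFORK}" ]
        tag_on_failure => [ "_grok_spamd_prefork_nomatch" ]
        add_tag => [ "_grok_spamd_prefork_success" ]
      }
    } else {
      # A grok filter with no `match` never succeeds, so the previous
      # `grok { add_tag => [...] }` here set _grokparsefailure and never
      # applied the intended tag. mutate applies it unconditionally.
      mutate {
        add_tag => [ "_grok_spamd_no_match" ]
      }
    }
  }
}

--------------------------------------------------------------------------------
/patterns.d/cbpolicyd.grok:
--------------------------------------------------------------------------------
# common
YEARMONTHDAY %{YEAR}-%{MONTHNUM}-%{MONTHDAY}

# patterns
# One line per cbpolicyd Accounting decision. Caveats:
#  - `helo=` is whatever the remote client claimed. It is stored in
#    postfix_client but is not a verified identity, and a HELO that is not a
#    host name or IP literal makes the whole line fail to match (the event is
#    then tagged _grok_cbpolicyd_nomatch).
#  - from=/to=/track= are envelope addresses, also remote-supplied.
#  - the trailing `size=/-` is matched literally; if your cbpolicyd version
#    reports an actual size there, this pattern will not match - verify.
CBPOLICYD_ACCOUNTING module=Accounting, mode=%{GREEDYDATA:mode}\, host=%{IP:postfix_client_ip}, helo=.?%{IPORHOST:postfix_client}.?, from=%{GREEDYDATA:from}\, to=%{GREEDYDATA:to}\, reason=(accounting_update|accounting_create), policy=%{INT:policy_number}, accounting=%{INT:accounting_number}, track=Sender:%{GREEDYDATA:tracked_sender}\, period=%{YEARMONTHDAY:period}, count=%{INT:policy_count}/%{INT:policy_max} \(%{NUMBER:quota_percent}\%\), size=/-

--------------------------------------------------------------------------------
/patterns.d/postfix.grok:
--------------------------------------------------------------------------------
# originally from https://github.com/whyscream/postfix-grok-patterns/blob/master/postfix.grok
#
# Note: none of these patterns is anchored, so grok searches for them anywhere
# in the message; a pattern may match a prefix of a longer line, and the regex
# engine tries every start position before declaring a non-match. Heavy use of
# GREEDYDATA on remote-influenced text (addresses, HELO, server replies) makes
# non-matching lines comparatively expensive to reject.

# common postfix patterns
# Short hexadecimal ids, long (enable_long_queue_ids) alphanumeric ids, or the
# NOQUEUE placeholder used for mail rejected before it was queued.
POSTFIX_QUEUEID ([0-9A-F]{6,}|[0-9a-zA-Z]{15,}|NOQUEUE)
# "hostname[ip]:port" as Postfix logs clients. The name is Postfix's own lookup
# result for the IP (or "unknown"); key on postfix_client_ip, not on the name.
POSTFIX_CLIENT_INFO %{HOST:postfix_client_hostname}?\[%{IP:postfix_client_ip}\](:%{INT:postfix_client_port})?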
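POSTFIX_RELAY_INFO %{HOST:postfix_relay_hostname}?\[%{IP:postfix_relay_ip}\](:%{INT:postfix_relay_port})?|%{WORD:postfix_relay_service}
POSTFIX_SMTP_STAGE (CONNECT|HELO|EHLO|STARTTLS|AUTH|MAIL|RCPT|DATA|RSET|UNKNOWN|END-OF-MESSAGE|VRFY|\.)
POSTFIX_ACTION (reject|defer)
POSTFIX_STATUS_CODE \d{3}
POSTFIX_STATUS_CODE_ENHANCED \d\.\d\.\d
POSTFIX_DNSBL_MESSAGE Service unavailable; .* \[%{GREEDYDATA:postfix_status_data}\] %{GREEDYDATA:postfix_status_message};
POSTFIX_PS_ACCESS_ACTION (DISCONNECT|BLACKLISTED|WHITELISTED|WHITELIST VETO|PASS NEW|PASS OLD)
POSTFIX_PS_VIOLATION (BARE NEWLINE|COMMAND (TIME|COUNT|LENGTH) LIMIT|COMMAND PIPELINING|DNSBL|HANGUP|NON-SMTP COMMAND|PREGREET)
POSTFIX_TIME_UNIT %{NUMBER}[smhd]
# "QUEUEID: key=value, key=value ..." - the tail is handed to the kv filter.
POSTFIX_KEYVALUE %{POSTFIX_QUEUEID:postfix_queueid}: %{GREEDYDATA:postfix_keyvalue_data}
POSTFIX_WARNING (warning|fatal): %{GREEDYDATA:postfix_warning}
# TLS handshake summary; "Verified" is the only level where the peer's
# certificate was actually checked against a trust anchor.
POSTFIX_TLSCONN (Anonymous|Trusted|Untrusted|Verified) TLS connection established (to %{POSTFIX_RELAY_INFO}|from %{POSTFIX_CLIENT_INFO}): %{DATA:postfix_tls_version} with cipher %{DATA:postfix_tls_cipher} \(%{DATA:postfix_tls_cipher_size} bits\)
POSTFIX_DELAYS %{NUMBER:postfix_delay_before_qmgr}/%{NUMBER:postfix_delay_in_qmgr}/%{NUMBER:postfix_delay_conn_setup}/%{NUMBER:postfix_delay_transmission}
POSTFIX_LOSTCONN (lost connection|timeout)
# strerror() texts Postfix reports when a connection attempt to a relay fails.
POSTFIX_SMTP_CONNERR_REASON (Connection timed out|Connection refused|No route to host|Network is unreachable)

# smtpd patterns
POSTFIX_SMTPD_CONNECT connect from %{POSTFIX_CLIENT_INFO}
POSTFIX_SMTPD_DISCONNECT disconnect from %{POSTFIX_CLIENT_INFO}
POSTFIX_SMTPD_LOSTCONN (%{POSTFIX_LOSTCONN:postfix_smtpd_lostconn_data} after %{POSTFIX_SMTP_STAGE:postfix_smtp_stage}( \(%{INT} bytes\))? from %{POSTFIX_CLIENT_INFO}|%{GREEDYDATA:postfix_action} from %{POSTFIX_CLIENT_INFO}: %{POSTFIX_LOSTCONN:postfix_smtpd_lostconn_data})
# Rejections before queueing; postfix_status_message carries the reply text
# shown to the client, postfix_keyvalue_data the from=/to=/proto=/helo= tail.
POSTFIX_SMTPD_NOQUEUE NOQUEUE: %{POSTFIX_ACTION:postfix_action}: %{POSTFIX_SMTP_STAGE:postfix_smtp_stage} from %{POSTFIX_CLIENT_INFO}: %{POSTFIX_STATUS_CODE:postfix_status_code} %{POSTFIX_STATUS_CODE_ENHANCED:postfix_status_code_enhanced}( <%{DATA:postfix_status_data}>:)? (%{POSTFIX_DNSBL_MESSAGE}|%{GREEDYDATA:postfix_status_message};) %{GREEDYDATA:postfix_keyvalue_data}
POSTFIX_SMTPD_PIPELINING improper command pipelining after %{POSTFIX_SMTP_STAGE:postfix_smtp_stage} from %{POSTFIX_CLIENT_INFO}:

# cleanup patterns
POSTFIX_CLEANUP_MILTER_REDIRECT %{POSTFIX_QUEUEID:postfix_queueid}: milter-header-redirect: %{GREEDYDATA:postfix_milter_redirect_data}; %{GREEDYDATA:postfix_keyvalue_data}: %{GREEDYDATA:postfix_milter_redirect_target}
POSTFIX_CLEANUP_MILTER_REJECT %{POSTFIX_QUEUEID:postfix_queueid}: milter-reject: %{GREEDYDATA:postfix_milter_reject_data}; %{GREEDYDATA:postfix_keyvalue_data}

# qmgr patterns
POSTFIX_QMGR_REMOVED %{POSTFIX_QUEUEID:postfix_queueid}: removed
POSTFIX_QMGR_ACTIVE %{POSTFIX_QUEUEID:postfix_queueid}: %{GREEDYDATA:postfix_keyvalue_data} \(queue active\)

# pipe patterns
POSTFIX_PIPE_DELIVERED %{POSTFIX_QUEUEID:postfix_queueid}: %{GREEDYDATA:postfix_keyvalue_data} \(delivered via %{WORD:postfix_pipe_service} service\)

# postscreen patterns
POSTFIX_PS_CONNECT CONNECT from %{POSTFIX_CLIENT_INFO} to \[%{IP:postfix_server_ip}\]:%{INT:postfix_server_port}
POSTFIX_PS_ACCESS %{POSTFIX_PS_ACCESS_ACTION:postfix_postscreen_access} %{POSTFIX_CLIENT_INFO}
POSTFIX_PS_NOQUEUE %{POSTFIX_SMTPD_NOQUEUE}
POSTFIX_PS_TOOBUSY NOQUEUE: reject: CONNECT from %{POSTFIX_CLIENT_INFO}: %{GREEDYDATA:postfix_postscreen_toobusy_data}
POSTFIX_PS_DNSBL %{POSTFIX_PS_VIOLATION:postfix_postscreen_violation} rank %{INT:postfix_postscreen_dnsbl_rank} for %{POSTFIX_CLIENT_INFO}
POSTFIX_PS_CACHE cache %{DATA} full cleanup: retained=%{NUMBER:postfix_postscreen_cache_retained} dropped=%{NUMBER:postfix_postscreen_cache_dropped} entries
POSTFIX_PS_VIOLATIONS %{POSTFIX_PS_VIOLATION:postfix_postscreen_violation}( %{INT})?( after %{NUMBER:postfix_postscreen_violation_time})? from %{POSTFIX_CLIENT_INFO}( after %{POSTFIX_SMTP_STAGE:postfix_smtp_stage})?

# dnsblog patterns
POSTFIX_DNSBLOG_LISTING addr %{IP:postfix_client_ip} listed by domain %{HOST:postfix_dnsbl_domain} as %{IP:postfix_dnsbl_result}

# tlsproxy patterns
POSTFIX_TLSPROXY_CONN (DIS)?CONNECT( from)? %{POSTFIX_CLIENT_INFO}

# anvil patterns
POSTFIX_ANVIL_CONN_RATE statistics: max connection rate %{NUMBER:postfix_anvil_conn_rate}/%{POSTFIX_TIME_UNIT:postfix_anvil_conn_period} for \(%{DATA:postfix_service}:%{IP:postfix_client_ip}\) at %{SYSLOGTIMESTAMP:postfix_anvil_timestamp}
POSTFIX_ANVIL_CONN_CACHE statistics: max cache size %{NUMBER:postfix_anvil_cache_size} at %{SYSLOGTIMESTAMP:postfix_anvil_timestamp}
POSTFIX_ANVIL_CONN_COUNT statistics: max connection count %{NUMBER:postfix_anvil_conn_count} for \(%{DATA:postfix_service}:%{IP:postfix_client_ip}\) at %{SYSLOGTIMESTAMP:postfix_anvil_timestamp}

# smtp patterns
# postfix_smtp_response is the remote server's reply text, i.e. remote data.
POSTFIX_SMTP_DELIVERY %{POSTFIX_KEYVALUE} \(%{GREEDYDATA:postfix_smtp_response}\)
# Previously only "Connection timed out" and "No route to host" matched; the
# other two common failures went to _grok_postfix_smtp_nomatch. The reason is
# now also captured in its own field.
POSTFIX_SMTP_CONNERR connect to %{POSTFIX_RELAY_INFO}: %{POSTFIX_SMTP_CONNERR_REASON:postfix_smtp_connerr_reason}
# The optional " while ..." tail (e.g. "while receiving the initial server
# greeting") was matched before too, since patterns are unanchored, but was
# discarded; it is now captured.
POSTFIX_SMTP_LOSTCONN %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_LOSTCONN} with %{POSTFIX_RELAY_INFO}( while %{GREEDYDATA:postfix_smtp_lostconn_reason})?

# master patterns
POSTFIX_MASTER_START (daemon started|reload) -- version %{DATA:postfix_version}, configuration %{PATH:postfix_config_path}
POSTFIX_MASTER_EXIT terminating on signal %{INT:postfix_termination_signal}

# bounce patterns
POSTFIX_BOUNCE_NOTIFICATION %{POSTFIX_QUEUEID:postfix_queueid}: sender (non-delivery|delivery status|delay) notification: %{POSTFIX_QUEUEID:postfix_bounce_queueid}

# scache patterns
POSTFIX_SCACHE_LOOKUPS statistics: (address|domain) lookup hits=%{INT:postfix_scache_hits} miss=%{INT:postfix_scache_miss} success=%{INT:postfix_scache_success}
POSTFIX_SCACHE_SIMULTANEOUS statistics: max simultaneous domains=%{INT:postfix_scache_domains} addresses=%{INT:postfix_scache_addresses} connection=%{INT:postfix_scache_connection}
POSTFIX_SCACHE_TIMESTAMP statistics: start interval %{SYSLOGTIMESTAMP:postfix_scache_timestamp}

# aggregate all patterns
# One alternation per daemon; alternatives are tried in order, so the generic
# POSTFIX_WARNING / POSTFIX_KEYVALUE catch-alls are deliberately last.
POSTFIX_SMTPD %{POSTFIX_SMTPD_CONNECT}|%{POSTFIX_SMTPD_DISCONNECT}|%{POSTFIX_SMTPD_LOSTCONN}|%{POSTFIX_SMTPD_NOQUEUE}|%{POSTFIX_SMTPD_PIPELINING}|%{POSTFIX_TLSCONN}|%{POSTFIX_WARNING}|%{POSTFIX_KEYVALUE}
POSTFIX_CLEANUP %{POSTFIX_CLEANUP_MILTER_REDIRECT}|%{POSTFIX_CLEANUP_MILTER_REJECT}|%{POSTFIX_WARNING}|%{POSTFIX_KEYVALUE}
POSTFIX_QMGR %{POSTFIX_QMGR_REMOVED}|%{POSTFIX_QMGR_ACTIVE}|%{POSTFIX_WARNING}
POSTFIX_PIPE %{POSTFIX_PIPE_DELIVERED}
POSTFIX_POSTSCREEN %{POSTFIX_PS_CONNECT}|%{POSTFIX_PS_ACCESS}|%{POSTFIX_PS_NOQUEUE}|%{POSTFIX_PS_TOOBUSY}|%{POSTFIX_PS_CACHE}|%{POSTFIX_PS_DNSBL}|%{POSTFIX_PS_VIOLATIONS}|%{POSTFIX_WARNING}
POSTFIX_DNSBLOG %{POSTFIX_DNSBLOG_LISTING}
POSTFIX_ANVIL %{POSTFIX_ANVIL_CONN_RATE}|%{POSTFIX_ANVIL_CONN_CACHE}|%{POSTFIX_ANVIL_CONN_COUNT}
POSTFIX_SMTP %{POSTFIX_SMTP_DELIVERY}|%{POSTFIX_SMTP_CONNERR}|%{POSTFIX_SMTP_LOSTCONN}|%{POSTFIX_TLSCONN}
POSTFIX_PICKUP %{POSTFIX_KEYVALUE}
# header_checks PREPEND lines. The queue id now uses POSTFIX_QUEUEID like every
# other pattern instead of GREEDYDATA. The trailing "X-Backend-Scan: 1" literal
# is specific to the site this was written for - adjust it to the header your
# own header_checks prepends. header_content is taken from the message itself.
POSTFIX_PREPEND %{POSTFIX_QUEUEID:postfix_queueid}\: prepend: header %{GREEDYDATA:header_name}\: %{GREEDYDATA:header_content}\: X-Backend-Scan: 1
POSTFIX_TLSPROXY %{POSTFIX_TLSPROXY_CONN}
POSTFIX_MASTER %{POSTFIX_MASTER_START}|%{POSTFIX_MASTER_EXIT}
POSTFIX_BOUNCE %{POSTFIX_BOUNCE_NOTIFICATION}
POSTFIX_SENDMAIL %{POSTFIX_WARNING}
POSTFIX_POSTDROP %{POSTFIX_WARNING}
POSTFIX_SCACHE %{POSTFIX_SCACHE_LOOKUPS}|%{POSTFIX_SCACHE_SIMULTANEOUS}|%{POSTFIX_SCACHE_TIMESTAMP}
POSTFIX_TRIVIAL_REWRITE %{POSTFIX_WARNING}
POSTFIX_TLSMGR %{POSTFIX_WARNING}
POSTFIX_LOCAL %{POSTFIX_KEYVALUE}

--------------------------------------------------------------------------------
/patterns.d/spamd.grok:
--------------------------------------------------------------------------------
# common

# patterns
# All of these parse spamd's own log lines. hostname/raddr describe the
# connecting client; sender, recipient, Message-ID (msgname@sender) and the
# rule hit list come from the scanned mail, i.e. from remote-controlled data.
# Several fields are GREEDYDATA, so a line that does not match is rejected
# only after considerable backtracking; keep these behind the keyword tests
# in 65-filter-spamd.conf rather than running them on every event.
SPAMD_CHILD spamd: server successfully spawned child process, pid %{NUMBER:process_pid}
SPAMD_CONNECTION spamd: connection from %{IPORHOST:hostname} \[%{IP:raddr}\] at port %{INT:rport}
SPAMD_PROCESSING spamd: processing message (\(%{GREEDYDATA:sender}\)|<%{GREEDYDATA:msgname}\@%{GREEDYDATA:sender}\>) for %{GREEDYDATA:recipient}:%{INT:uid}
# "result: Y 15.2 - RULE1,RULE2 scantime=..." - the single "." after "result:"
# matches both the "Y" (spam) and "." (ham) flag, it is not captured.
SPAMD_SCANINFO spamd: result: . %{NUMBER:points} - %{GREEDYDATA:filter_rules}\ scantime=%{NUMBER:scantime},size=%{INT:msgsize},user=%{GREEDYDATA:recipient}\,uid=%{INT:uid},required_score=%{NUMBER:threshold},rhost=%{IPORHOST:remote_host},raddr=%{IP:remote_addr},rport=%{INT:remote_port},mid=(\(unknown\)|<%{GREEDYDATA:msgname}\@%{GREEDYDATA:sender}\>)(,bayes=%{BASE10NUM:bayes})?,autolearn=%{NOTSPACE:autolearn}( autolearn_force=%{GREEDYDATA:autolearn_force})?
# Shared by the "clean message" and "identified spam" lines; result holds the
# leading word ("clean" or "identified").
SPAMD_RESULT spamd: %{GREEDYDATA:result} (spam|message) \(%{NUMBER:points}/%{NUMBER:threshold}\) for %{GREEDYDATA:recipient}\:%{INT:uid} in %{NUMBER:scantime} seconds, %{NUMBER:msgsize} bytes.
SPAMD_PREFORK prefork: %{GREEDYDATA:information}

--------------------------------------------------------------------------------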