Summary: I've a few outbound SMTP servers and centralized mail logs via rsyslog to a server on which I'm using logstash, outputting to elasticsearch, searching with kibana.
I would like to tag as "BOUNCED" for Postfix mail log entries like:
2013-02-01T16:50:14+02:00 XXSMTPXX postfix/smtp[10879]: BC54A65BD4: to=<xxxx.yyyyyy@zzzz.com.t>, relay=none, delay=0.3, delays=0.01/0/0.29/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=gozdesigorta.com.t type=AAAA: Host not found)
The grok filter I've used in logstash.conf is like:
grok {
    patterns_dir => "/etc/logstash/patterns"
    tags => "postfix/bounce"
    pattern => "%{POSTFIXBOUNCE}"
    add_tag => "BOUNCED"
    named_captures_only => true
}
The patterns file I'm using is https://gist.github.com/4691822
I could not manage to tag those log lines as BOUNCED... What am I missing?
I changed the pattern to:
%{TIMESTAMP_ISO8601} %{HOST} %{SYSLOGPROG}: %{QUEUEID}: to=<%{EMAILADDRESS:to}>, relay=%{RELAY}, delay=%{POSREAL:delay}, delays=%{DELAYS}, dsn=%{DSN}, status=%{STATUS} %{GREEDYDATA:reason}
Now I can grok ;)
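As an added example (not part of the question, and not logstash's own code), here is the working grok pattern above translated into a plain Python regex with the same named captures, so the match and the BOUNCED tagging can be checked offline against the sample line before touching logstash.conf. The "sent" line is constructed to show that only status=bounced gets the tag.

```python
import re

# Sample line from the question, plus one constructed "sent" line for contrast.
BOUNCED_LINE = ("2013-02-01T16:50:14+02:00 XXSMTPXX postfix/smtp[10879]: BC54A65BD4: "
                "to=<xxxx.yyyyyy@zzzz.com.t>, relay=none, delay=0.3, delays=0.01/0/0.29/0, "
                "dsn=5.4.4, status=bounced (Host or domain name not found. Name service "
                "error for name=gozdesigorta.com.t type=AAAA: Host not found)")
SENT_LINE = ("2013-02-01T16:51:00+02:00 XXSMTPXX postfix/smtp[10880]: AB12C34DE5: "
             "to=<user@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=1.2, "
             "delays=0.02/0/0.5/0.7, dsn=2.0.0, status=sent (250 2.0.0 OK)")  # constructed

# Regex equivalent of the grok pattern in the question; group names mirror the
# grok captures (to, delay, reason) and the other fields it walks through.
POSTFIX_SMTP = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2}|Z)) "
    r"(?P<host>\S+) "
    r"(?P<program>postfix/\w+)\[(?P<pid>\d+)\]: "
    r"(?P<queueid>\w+): "
    r"to=<(?P<to>[^>]*)>, "
    r"relay=(?P<relay>\S+), "
    r"delay=(?P<delay>\d+(?:\.\d+)?), "
    r"delays=(?P<delays>[\d./]+), "
    r"dsn=(?P<dsn>\d\.\d+\.\d+), "
    r"status=(?P<status>\w+)(?: (?P<reason>.*))?$"   # reason is optional
)


def parse_postfix_smtp(line):
    """Return the captured fields as a dict (like grok's named captures),
    with a 'tags' list that contains 'BOUNCED' for status=bounced, or None
    when the line does not match the pattern at all."""
    m = POSTFIX_SMTP.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["delay"] = float(event["delay"])        # POSREAL -> numeric field
    event["tags"] = ["BOUNCED"] if event["status"] == "bounced" else []
    return event


if __name__ == "__main__":
    for line in (BOUNCED_LINE, SENT_LINE, "not a postfix line"):
        ev = parse_postfix_smtp(line)
        print("no match" if ev is None else (ev["queueid"], ev["status"], ev["tags"]))
```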