From 85132d992ae1d39f75c21be0d56f0499ffe864b4 Mon Sep 17 00:00:00 2001
From: Thomas Widhalm
Date: Wed, 25 Sep 2024 13:19:00 +0200
Subject: [PATCH 1/4] Parse [postfix][detail] even further

---
 filter-60-detail.conf | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 filter-60-detail.conf

diff --git a/filter-60-detail.conf b/filter-60-detail.conf
new file mode 100644
index 0000000..a49ed06
--- /dev/null
+++ b/filter-60-detail.conf
@@ -0,0 +1,9 @@
+filter {
+
+ if [message] =~ /^delivered to command/ {
+ grok {
+ match => ["[postfix][detail]","delivered to command:%{SPACE}%{GREEDYDATA:[postfix][command]}"
+ }
+ }
+
+}

From 6551af62571d5091bf6698f9bc064a000460647c Mon Sep 17 00:00:00 2001
From: Thomas Widhalm
Date: Wed, 25 Sep 2024 13:23:30 +0200
Subject: [PATCH 2/4] Rename command field

---
 filter-60-detail.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/filter-60-detail.conf b/filter-60-detail.conf
index a49ed06..a46decc 100644
--- a/filter-60-detail.conf
+++ b/filter-60-detail.conf
@@ -2,7 +2,7 @@ filter {

 if [message] =~ /^delivered to command/ {
 grok {
- match => ["[postfix][detail]","delivered to command:%{SPACE}%{GREEDYDATA:[postfix][command]}"
+ match => ["[postfix][detail]","delivered to command:%{SPACE}%{GREEDYDATA:[postfix][delivered][command]}"
 }
 }


From ebab3e36e9612e41a969b36c168fd5e696d2bab6 Mon Sep 17 00:00:00 2001
From: Thomas Widhalm
Date: Wed, 25 Sep 2024 13:53:27 +0200
Subject: [PATCH 3/4] Add "queud for delivery"

---
 filter-60-detail.conf | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/filter-60-detail.conf b/filter-60-detail.conf
index a46decc..4b8e855 100644
--- a/filter-60-detail.conf
+++ b/filter-60-detail.conf
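Review bot: In the [PATCH 1/4] hunk, `%{GREEDYDATA:[postfix][command]}` stores the entire pipe command line verbatim and nothing in the file documents what that field can contain. If alias or .forward pipe targets on the monitored hosts carry arguments such as tokens or file paths, they will be indexed as-is, so a comment above the grok is worth adding, e.g. `# command field holds the full "delivered to command:" text as logged; may include arguments - treat as potentially sensitive`, together with one sample log line. The grok pattern is also unanchored while the surrounding conditional uses `^`; starting the pattern with `^delivered to command:` keeps the two consistent.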
@@ -1,9 +1,17 @@
 filter {

- if [message] =~ /^delivered to command/ {
+ if [postfix][detail] =~ /^delivered to command/ {
+
+ grok {
+ match => ["[postfix][detail]","delivered to command:%{SPACE}%{GREEDYDATA:[postfix][delivered][command]}]"
+ }
+
+ } else if [postfix][detail] =~ /^\d\d\d / {
+
 grok {
- match => ["[postfix][detail]","delivered to command:%{SPACE}%{GREEDYDATA:[postfix][delivered][command]}"
+ match => ["[postfix][detail]","%{INT:[postfix][delivered][returncode]:string} %{DATA:[postfix][delivered][dsn]} <%{DATA:[postfix][delivered][sender]}> \[InternalId=%{INT:[postfix][delivered][internalid]}, Hostname=%{IPORHOST:[postfix][delivered][hostname]}\] %{INT:[postfix][bytes]:int} bytes in %{NUMBER:[postfix][seconds]:float}, %{NUMBER:[postfix][kbps]:float} KB/sec %{GREEDYDATA:[postfix][delivered][result]}\)"]
 }
+
 }

 }

From b573257c694f90347e648bb395d5418ab2ed34f2 Mon Sep 17 00:00:00 2001
From: Thomas Widhalm
Date: Wed, 25 Sep 2024 13:58:42 +0200
Subject: [PATCH 4/4] Typo

---
 filter-60-detail.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/filter-60-detail.conf b/filter-60-detail.conf
index 4b8e855..f081dac 100644
--- a/filter-60-detail.conf
+++ b/filter-60-detail.conf
@@ -3,7 +3,7 @@ filter {
 if [postfix][detail] =~ /^delivered to command/ {

 grok {
- match => ["[postfix][detail]","delivered to command:%{SPACE}%{GREEDYDATA:[postfix][delivered][command]}]"
+ match => ["[postfix][detail]","delivered to command:%{SPACE}%{GREEDYDATA:[postfix][delivered][command]}"]
 }

 } else if [postfix][detail] =~ /^\d\d\d / {
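Review bot: In the [PATCH 3/4] hunk, the `else if` branch fires for any detail that starts with three digits and a space, but its grok pattern fits only one reply layout (`[InternalId=…, Hostname=…] … bytes in …, … KB/sec`), so every other reply taking this branch will be tagged `_grokparsefailure`. That text originates from the remote mail server, and the pattern is unanchored with two `%{DATA}` captures, so non-matching input is probably retried from many start offsets; begin the pattern with `^` and give the branch its own failure tag, e.g. `tag_on_failure => ["_postfix_detail_nomatch"]` (example name), so expected misses are distinguishable from real parse errors. The pattern ends in a literal `\)` with no opening parenthesis anywhere in it; if `[postfix][detail]` arrives without the trailing `)`, this branch can never match, and a sample log line in a comment would settle that. `:string` on `returncode` is not one of grok's documented coercions (`int`, `float`) and can be dropped.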