NAME
Search::ESsearcher::Templates::syslog - Provides postfix support for essearcher.
VERSION
Version 0.1.1
LOGSTASH
This uses the Logstash configuration below.
input {
syslog {
host => "10.10.10.10"
port => 11514
type => "syslog"
}
}
filter { }
output {
if [type] == "syslog" {
elasticsearch {
hosts => [ "127.0.0.1:9200" ]
}
}
}
The important bit is "type" being set to "syslog". If it is not, pass the matching field and value with the --field and --fieldv command line options instead. Note that the Logstash syslog input accepts unauthenticated messages over both UDP and TCP, so restrict who can reach that host and port: anything that can send to it can inject lines into the index these searches run against.
Install https://github.com/whyscream/postfix-grok-patterns to pull apart the postfix messages. Copies of those files are included with this module as well. You will likely not want to use 51-filter-postfix-aggregate.conf, as it is somewhat buggy.
Options
--host <log host>
The syslog server.
The search is done with .keyword appended to the field name.
--hostx <log host>
The syslog server.
Does not run it through aonHost.
The search is done with .keyword appended to the field name.
--src <src server>
The source server sending to the syslog server.
The search is done with .keyword appended to the field name.
--srcx <src server>
The source server sending to the syslog server.
Does not run it through aonHost.
The search is done with .keyword appended to the field name.
--size <count>
The number of items to return.
--pid <pid>
The PID that sent the message.
--dgt <date>
Date greater than.
--dgte <date>
Date greater than or equal to.
--dlt <date>
Date less than.
--dlte <date>
Date less than or equal to.
--msg <message>
Messages to match.
--field <field>
The term field to use for matching them all.
--fieldv <fieldv>
The value of the term field to matching them all.
--mid <msg id>
Search based on the message ID.
--from <address>
The from address to search for.
--to <address>
The to address to search for.
--oto <address>
The original to address to search for.
--noq
Search for rejected messages, NOQUEUE.
--ip <ip>
The client IP to search for.
--chost <host>
The client hostname to search for.
--status <status>
Search using SMTP status codes.
--nocountry
Do not display the country code for the client IP.
--noregion
Do not display the region code for the client IP.
--nocity
Do not display the city name for the client IP.
--nopostal
Do not display the postal code for the client IP.
--aliaswarn
Show alias warnings.
--showkeys
Show the parsed out /postfix_.*/ keys.
--nomsg
Do not show the message.
--showprogram
Show the syslog program name as well.
--showpid
Show the syslog PID as well.
AND, OR, or NOT shortcut
, OR
+ AND
! NOT
A list separated by any of those characters will be transformed.
These may be used with program, facility, pid, or host.
example: --program postfix,spamd
results: postfix OR spamd
HOST AND, OR, or NOT shortcut
, OR
+ AND
! NOT
A list of hosts separated by any of those characters will be transformed. A host name should always end in a period unless it is a FQDN.
These may be used with host and src.
example: --src foo.,mail.bar.
results: /foo./ OR /mail.bar./
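As an added illustration of both shortcut sections above (this is not Search::ESsearcher's own Perl code), the following Python reproduces the two expansions and then applies the .keyword field convention the option descriptions mention. The operator mapping and the /host/ wrapping follow the examples on this page; the field_clause helper and its host.keyword:(...) layout are my assumption about how the expanded expression ends up in a query. It also rejects lists the page's examples never show, such as a dangling or doubled OR/AND, rather than passing a malformed expression on to Elasticsearch.

```python
import re

# Operator characters and the Lucene query-string keywords they expand to,
# as this page lists them: ',' -> OR, '+' -> AND, '!' -> NOT.
_OPS = {",": "OR", "+": "AND", "!": "NOT"}
_SPLIT = re.compile(r"([,+!])")  # the capture group keeps operators as tokens


def _expand(value, wrap):
    """Turn a shortcut list into a query-string expression.

    `wrap` is applied to every non-operator term. The binary operators (OR,
    AND) may not open the list, close it, or directly follow another operator;
    NOT is a prefix operator and may stand wherever a term may.
    """
    words = []
    after_op = True  # a leading OR/AND has nothing on its left, so reject it
    for tok in _SPLIT.split(value):
        tok = tok.strip()
        if not tok:
            continue
        if tok in _OPS:
            op = _OPS[tok]
            if op != "NOT" and after_op:
                raise ValueError(f"misplaced {op} in shortcut list {value!r}")
            words.append(op)
            after_op = True
        else:
            words.append(wrap(tok))
            after_op = False
    if not words:
        raise ValueError("empty shortcut list")
    if after_op:
        raise ValueError(f"shortcut list {value!r} ends with an operator")
    return " ".join(words)


def aon(value):
    """The plain AND/OR/NOT shortcut: terms are passed through untouched."""
    return _expand(value, lambda term: term)


def aon_host(value):
    """The host variant: every host is wrapped as a /regex/ term."""
    return _expand(value, lambda host: f"/{host}/")


def field_clause(field, expr):
    """Assumption: the tool searches the .keyword sub-field and groups the
    expanded expression against it, e.g. host.keyword:(/foo./ OR /mail.bar./)."""
    return f"{field}.keyword:({expr})"


if __name__ == "__main__":
    print(aon("postfix,spamd"))                      # postfix OR spamd
    print(aon_host("foo.,mail.bar."))                # /foo./ OR /mail.bar./
    print(field_clause("src", aon_host("foo.,!mail.bar.")))
```

Lucene /regex/ terms match the whole keyword value, not a substring, so test the expanded expression against a real stored host value before relying on a given spelling of the trailing period.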
date
/^-/ prepends "now" to it, so "-5m" becomes "now-5m" (Elasticsearch date math).
/^u:/ takes what follows the ":" and uses Time::ParseDate to convert it to a unix time value.
Anything not matching either of the above is passed on unchanged.
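To make the three rules concrete, here is an added Python example (not the module's Perl code) that applies them and then builds the Elasticsearch range clause the --dgt/--dgte/--dlt/--dlte options would feed. Time::ParseDate is stood in for by datetime.fromisoformat, and the @timestamp field name and the range-clause layout are assumptions on my part.

```python
from datetime import datetime, timezone

# --dgt/--dgte/--dlt/--dlte and the Elasticsearch range operators they map to.
_RANGE_OPS = {"dgt": "gt", "dgte": "gte", "dlt": "lt", "dlte": "lte"}

# Assumption: Logstash's default timestamp field.
TIMESTAMP_FIELD = "@timestamp"


def parse_date(value):
    """Apply the three rules from the date section.

    '-5m'                  -> 'now-5m'   ('now' prepended; Elasticsearch date math)
    'u:2024-01-01T00:00:00' -> 1704067200 (unix time; the Perl code uses
                               Time::ParseDate, this stand-in accepts ISO 8601
                               and treats a zone-less timestamp as UTC)
    anything else          -> passed on unchanged
    """
    if value.startswith("-"):
        return "now" + value
    if value.startswith("u:"):
        dt = datetime.fromisoformat(value[2:])  # raises ValueError on junk
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    return value


def date_range(**bounds):
    """Build the range clause for whichever of dgt/dgte/dlt/dlte were given.

    Returns None when no bound was given. A bound produced by the 'u:' rule is
    epoch *seconds*, but Elasticsearch's default date format reads a bare
    number as epoch *milliseconds*, so when a numeric bound is present the
    clause pins a format that accepts seconds as well as the string forms the
    other two rules produce.
    """
    rng = {}
    for opt, val in bounds.items():
        if val is None:
            continue
        if opt not in _RANGE_OPS:
            raise ValueError(f"unknown date option {opt!r}")
        rng[_RANGE_OPS[opt]] = parse_date(val)
    if not rng:
        return None
    if any(isinstance(v, int) for v in rng.values()):
        rng["format"] = "epoch_second||strict_date_optional_time"
    return {"range": {TIMESTAMP_FIELD: rng}}


if __name__ == "__main__":
    # Last hour of messages, and a window anchored at an absolute unix time.
    print(date_range(dgte="-1h", dlt="now"))
    print(date_range(dgt="u:2024-01-01T00:00:00", dlte="-5m"))
```

If your index maps the timestamp with a custom format, change the format string to match it; a mismatch between seconds and milliseconds silently returns an empty or wildly wrong time window rather than an error.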