I am using Logstash to parse postfix logs. I am mainly focused on getting bounced email logs from the postfix logs and storing them in a database.
In order to get the logs, first I need to find the ID generated by postfix corresponding to my message-id, and using that ID, I need to find the status of an email. For the following configuration, I am able to get the logs.
grok {
    patterns_dir => "patterns"
    match => [
        "message", "%{SYSLOGBASE} %{POSTFIXCLEANUP}",
        "message", "%{SYSLOGBASE} %{POSTFIXBOUNCE}"
    ]
    named_captures_only => true
}
I am using the following if condition to store logs that match the patterns:
if "_grokparsefailure" not in [tags] {
    #database call
}
As you can see, I am using two patterns to find two different corresponding logs from one log file.
Now, I want to differentiate between both patterns based on tags. So I have modified my configuration as follows:
grok {
    patterns_dir => "patterns"
    match => [
        "message", "%{SYSLOGBASE} %{POSTFIXBOUNCE}"
    ]
    add_tag => ["BOUNCED"]
    remove_tag => ["_grokparsefailure"]
    named_captures_only => true
}
grok {
    patterns_dir => "patterns"
    match => [
        "message", "%{SYSLOGBASE} %{POSTFIXCLEANUP}"
    ]
    add_tag => ["INTIALIZATION"]
    remove_tag => ["_grokparsefailure"]
    named_captures_only => true
}
Now, it only stores %{POSTFIXCLEANUP} pattern logs. If I reverse the order, it only stores the %{POSTFIXBOUNCE} pattern.
So, after removing that if condition, I found that messages parsed by the first filter have the "_grokparsefailure" tag as well as the first filter's tag, and because of that it is not storing that record.
Can anybody tell me what needs to be done to rectify this? Am I making any mistake?
#NOTE: GREEDYDATA is the way Logstash Grok expresses the regex .*
Grok works by combining text patterns into something that matches your logs. The SYNTAX is the name of the pattern that will match your text. For example, "3.44" will be matched by the NUMBER pattern and "55.3.244.1" will be matched by the IP pattern.
Grok analyses data against pre-defined or custom regex patterns. If the pattern matches a piece of text it stores the data into a new field. Creating a Grok pattern provides more valuable information by turning unstructured data from incoming data sources into structured data.
You need to protect the 2nd grok block -- i.e. don't execute it if the first one succeeds.
if ("BOUNCED" not in [tags]) {
    grok {
        patterns_dir => "patterns"
        match => [
            "message", "%{SYSLOGBASE} %{POSTFIXCLEANUP}"
        ]
        add_tag => ["INTIALIZATION"]
        remove_tag => ["_grokparsefailure"]
        named_captures_only => true
    }
}
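To make the failure mode concrete, here is an added Python emulation of how Logstash applies two grok blocks in sequence (add_tag/remove_tag on a match, _grokparsefailure on a miss); it is not Logstash code, and the POSTFIXCLEANUP/POSTFIXBOUNCE regexes and log lines are constructed stand-ins for the asker's unseen custom patterns. It runs the asker's unguarded config and the guarded one from the answer over a cleanup line and a bounce line and shows which events pass the "_grokparsefailure" gate.

```python
import re

# Constructed stand-ins for the custom patterns in patterns_dir (assumption:
# the real POSTFIXCLEANUP / POSTFIXBOUNCE definitions are not on the page).
SYSLOGBASE = r"^(?P<timestamp>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>postfix/\w+)\[\d+\]: "
POSTFIXCLEANUP = SYSLOGBASE + r"(?P<queue_id>[A-F0-9]+): message-id=<(?P<message_id>[^>]+)>"
POSTFIXBOUNCE = SYSLOGBASE + r"(?P<queue_id>[A-F0-9]+): to=<(?P<to>[^>]+)>.*status=bounced"


def grok(event, pattern, add_tag, remove_tag=("_grokparsefailure",)):
    """Emulate one grok block: on match, copy named captures into the event and
    apply remove_tag then add_tag; on a miss, append the _grokparsefailure tag."""
    m = re.search(pattern, event["message"])
    if m:
        event.update(m.groupdict())
        event["tags"] = [t for t in event["tags"] if t not in remove_tag] + list(add_tag)
    else:
        event["tags"].append("_grokparsefailure")
    return event


def unguarded(message):
    """The asker's second config: both grok blocks always run, so whichever
    block does not match leaves _grokparsefailure behind."""
    ev = {"message": message, "tags": []}
    grok(ev, POSTFIXBOUNCE, ["BOUNCED"])
    grok(ev, POSTFIXCLEANUP, ["INTIALIZATION"])
    return ev


def guarded(message):
    """The answer's fix: skip the second block when the first already matched."""
    ev = {"message": message, "tags": []}
    grok(ev, POSTFIXBOUNCE, ["BOUNCED"])
    if "BOUNCED" not in ev["tags"]:
        grok(ev, POSTFIXCLEANUP, ["INTIALIZATION"])
    return ev


def would_store(event):
    """The asker's database gate."""
    return "_grokparsefailure" not in event["tags"]


# Constructed sample lines in Postfix's cleanup and smtp log formats.
CLEANUP_LINE = "Mar  3 10:15:01 mx1 postfix/cleanup[2211]: 4F3A2B1C0D: message-id=<abc@example.com>"
BOUNCE_LINE = ("Mar  3 10:15:04 mx1 postfix/smtp[2215]: 4F3A2B1C0D: to=<bob@example.net>, "
               "relay=mail.example.net[192.0.2.10]:25, delay=2.1, dsn=5.1.1, status=bounced "
               "(host said: 550 5.1.1 user unknown)")

if __name__ == "__main__":
    for name, fn in (("unguarded", unguarded), ("guarded", guarded)):
        for line in (CLEANUP_LINE, BOUNCE_LINE):
            ev = fn(line)
            print(f"{name:9s} tags={ev['tags']} stored={would_store(ev)}")
```

With the unguarded pipeline the bounce event ends up tagged both BOUNCED and _grokparsefailure, which is exactly what the asker observed; the guard keeps the second block from ever running on it.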