Summary: I have several outgoing SMTP servers and centralized mail logs via rsyslog to the server on which I use logstash, displaying the search in elasticsearch, searching using kibana.
I would like to mark it as "BOUNCED" for Postfix mail journal entries, for example:
2013-02-01T16:50:14+02:00 XXSMTPXX postfix/smtp[10879]: BC54A65BD4: to=<xxxx.yy yyyy@zzzz.com.t >, relay=none, delay=0.3, delays=0.01/0/0.29/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=gozdesigorta.com.t type=AAAA: Host not found)
the grok filter that I used in logstash.conf looks like:
grok { patterns_dir => "/etc/logstash/patterns" tags => "postfix/bounce" pattern => "%{POSTFIXBOUNCE}" add_tag => "BOUNCED" named_captures_only => true }
the template file I am using is https://gist.github.com/4691822
I was unable to mark those log lines as BOUNCED ... What am I missing?
source share