Logstash grok 过滤器来标记接收和退回的消息 [英] Logstash grok filter to tag received and bounced messages

查看：44 发布时间：2021/12/13 12:26:10 regex nginx elasticsearch logstash logstash-grok

本文介绍了Logstash grok 过滤器来标记接收和退回的消息的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

Sthg 让我发疯了，我想解析 Postfix 日志以了解电子邮件的状态，这是我目前尝试的方法:

输入{文件{路径=>/var/log/mail.log"}}筛选 {千伏{修剪 =><>"}if [message] =~/[ "status=bounced" ]/{神通{patterns_dir =>/etc/logstash/patterns"匹配 =>{消息"=>"%{SYSLOGBASE} (?[0-9A-F]{10}): %{GREEDYDATA:message}"}add_tag =>弹跳"}}}输出 {如果[标签]中的弹跳"{标准输出 { 编解码器 =>红宝石调试 }}}

<小时>

mail.log 示例:

7 月 26 日 04:18:34 mx12 postfix/cleanup[20659]:3mfHGL1r9gzyQP:message-id=<3mfHGL1r9gzyQP@www.mydomain.fr>>

7 月 26 日 04:18:34 mx12 postfix/smtp[20662]:3mfHGL1r9gzyQP:to=，relay=127.0.0.2[127.0.0.2]:25，delay=0.53，delays=0.1/0/0.23/0.16, dsn=2.0.0, status=sent/退回

<小时>

结果 1:

我向现有电子邮件地址发送电子邮件，mail.log 中的状态为:

<块引用>

已发送 (250 ok) : OKAY

但这是 Logstash 所说的:

.. 我看到每个 postfix 程序(qmgr、smtp、qmgr 再次..)生成的每条消息.换句话说，对于所有甚至不包含status=bounced"的消息.

然后我也试过:

 if [message] =~/[ "bounced" ]/{变异{add_tag =>[反弹"]}}if [message] =~/[ "message-id", "(.*)@www.mydomain.fr" ]/{变异 { add_tag =>[ 发送" ] }}神通{匹配 =>{消息"=>"%{SYSLOGBASE} (?[0-9A-F]{10}): %{GREEDYDATA:message}"}}

结果 2:Logstash 总是在这里添加 2 个标签:反弹 + 发送 :(

<小时>

预期结果:

我尝试做的是正是这个配置文件，但它是用旧版本的 Logstash 制作的(例如grep"现在不可用)，但是这正是我试图使工作:

http://tales.itnobody.com/2013/07/using-logstash-to-log-smtp-bounces-like-a-boss.html

一句话:

任何带有 DSN 的条目 – 记录:QID、dsn
任何匹配 message-id=< 的条目hashRegex > – 记录:QID，消息 ID

如下:

 输出{如果[标签]中的弹跳"{执行{命令 =>php -f/path/LogDSN.php %{QID} %{dsn} &"}}如果发送"在 [标签] {执行{命令 =>php -f/path/LogOutbound.php %{QID} %{message-id} &"}}}

但是我的过滤器有问题，这让我很抓狂，

有什么想法吗??

解决方案

我发现了问题.

它来自这个测试:

if [message] =~/[ "bounced" ]/{变异{add_tag =>[反弹"]}}

正则表达式是 / 之间的部分，所以你的正则表达式是这样评估的:https://regex101.com/r/eaB5jp/2

因此您的所有行都将匹配并获得标签.

为了工作，测试应该是:

if [message] =~/bounced/{变异{add_tag =>[反弹"]}}

Sthg makes me crazy, I would like to parse Postfix logs to know the status of emails, here is what I tried so far :

input {
   file {path => "/var/log/mail.log"}
}

filter {
    kv {
        trim => "<>"
    }

    if [message] =~ /[ "status=bounced" ]/ {
        grok {
            patterns_dir => "/etc/logstash/patterns"
            match => {"message" => "%{SYSLOGBASE} (?<QID>[0-9A-F]{10}): %{GREEDYDATA:message}"}
            add_tag => "bounce"
        }
    }

}
output {
   if "bounce" in [tags] {
      stdout { codec => rubydebug }
   }
}

Example of mail.log :

Jul 26 04:18:34 mx12 postfix/cleanup[20659]: 3mfHGL1r9gzyQP: message-id=<3mfHGL1r9gzyQP@www.mydomain.fr>

Jul 26 04:18:34 mx12 postfix/smtp[20662]: 3mfHGL1r9gzyQP: to=, relay=127.0.0.2[127.0.0.2]:25, delay=0.53, delays=0.13/0/0.23/0.16, dsn=2.0.0, status=sent / bounced

Result 1 :

I send an email to an existing email address, the status in mail.log is :

sent (250 ok) : OKAY

But here is what Logstash tells :

.. and I see that for every message generated by each postfix program (qmgr, smtp, qmgr again..). In other words, for all messages that even not contain "status=bounced".

Then I also tried :

   if [message] =~ /[ "bounced" ]/ {
     mutate {add_tag => [ "bounce" ]}
  }

  if [message] =~ /[ "message-id", "(.*)@www.mydomain.fr" ]/ {
      mutate { add_tag => [ "send" ] }
  }
  grok {
       match => {"message" => "%{SYSLOGBASE} (?<QID>[0-9A-F]{10}): %{GREEDYDATA:message}"}
  }

Result 2 : Logstash add here always 2 tags : bounce + send :(

Result expected :

What I try to do is exactly this config file, but it was made with an old version of Logstash ("grep" for example is not available now), but this is exactly what I try to make working :

http://tales.itnobody.com/2013/07/using-logstash-to-log-smtp-bounces-like-a-boss.html

In one word :

Any entries with a DSN – RECORD: QID, dsn
Any entries matching message-id=< hashRegex > – RECORD: QID, message-id

As follow :

    output{
       if "bounce" in [tags] {
           exec {
                command => "php -f /path/LogDSN.php %{QID} %{dsn} &"
           }
       }

       if "send" in [tags] {
           exec {
                command => "php -f /path/LogOutbound.php %{QID} %{message-id} &"
           }
       }
     }

But there is a problem in my filter, that makes me crazy,

Any idea ??

解决方案

I have found the problem.

It's coming from this test:

if [message] =~ /[ "bounced" ]/ {
  mutate {add_tag => [ "bounce" ]}
}

The regex is the part between the /, so your regex is evaluated like that : https://regex101.com/r/eaB5jp/2

So all your lines will match and get the tag.

In order to work, the test should be:

if [message] =~ /bounced/ {
  mutate {add_tag => [ "bounce" ]}
}

这篇关于Logstash grok 过滤器来标记接收和退回的消息的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！

查看全文

Logstash grok 过滤器来标记接收和退回的消息 [英] Logstash grok filter to tag received and bounced messages

问题描述

相关文章

其他开发最新文章

热门教程

热门工具

登录关闭

Logstash grok 过滤器来标记接收和退回的消息 [英] Logstash grok filter to tag received and bounced messages

问题描述

相关文章

其他开发最新文章

热门教程

热门工具

登录 关闭

登录关闭