logstash: parsing Postfix log lines

In case anyone ever needs it:

# expects you to apply "%{SYSLOGBASE}%{SPACE}%{GREEDYDATA:message_remainder}" beforehand
# note: the noop filter only exists in older (1.x) Logstash releases; on current
# releases use mutate {} with the same add_tag / remove_field options

# more processing for postfix log entries
if [program] =~ /^postfix/ {
  # i like my tags :)
  noop {
    add_tag       => ["postfix"]
  }
  # try to extract component (smtp, smtpd, qmgr, cleanup, ...)
  grok {
    match         => ["program", "^postfix/%{WORD:component}"]
    add_tag       => ["postfix_component"]
  }
  # if we got usable data...
  if "_grokparsefailure" not in [tags] {
    # try parsing "easier" messages (with queue id and key=value format)
    # the pattern only matches short-format (hex) queue ids, not the
    # mixed-case long format enabled by enable_long_queue_ids
    if [message_remainder] =~ /^[A-F0-9]{5,15}/ {
      # extract queue id
      grok {
        match         => ["message_remainder", "(?<queue_id>[A-F0-9]{5,15}): %{GREEDYDATA:kv_message}"]
        add_tag       => ["postfix_queue_id"]
      }
      if [kv_message] == "removed" {
        # qmgr is done with a message
        noop {
          add_tag       => ["postfix_message_done"]
        }
      } else {
        # extract key/value pairs (split on whitespace, so "status=sent (250 ...)"
        # only yields status=sent; the remote response is picked up below)
        kv {
          source        => ["kv_message"]
          trim          => ["<>,"]
          add_tag       => ["postfix_kv"]
        }
        # if we got a "status" field, try to log the remote response
        if [status] {
          grok {
            match       => ["message_remainder", "status=%{WORD} %{GREEDYDATA:remote_response}"]
            add_tag     => ["postfix_remote_response"]
          }
        }
      }
    }
    # cleanup helper fields
    noop {
      remove_field  => ["message_remainder", "kv_message"]
    }
  }
}

As said, this assumes that the SYSLOGBASE pattern has been applied and that everything after the program name and the PID in square brackets is available in the message_remainder field.
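To check what the filter chain above actually produces for a given line, here is the same logic as a small Python parser (an added example, not part of the post and not Logstash code). The syslog regex stands in for the SYSLOGBASE grok, and the sample lines, host names and queue id are constructed.

```python
import re
# Constructed sample lines in the syslog format Postfix writes; not taken from the post.
SAMPLE_LINES = [
    "Mar  3 10:15:02 mx1 postfix/smtp[2142]: 4F3C2A1B09: to=<bob@example.org>, relay=mail.example.org[203.0.113.5]:25, delay=0.61, status=sent (250 2.0.0 OK: queued as 1A2B3C)",
    "Mar  3 10:15:02 mx1 postfix/qmgr[1337]: 4F3C2A1B09: removed",
    "Mar  3 10:15:03 mx1 postfix/smtpd[2150]: connect from unknown[198.51.100.7]",
    "Mar  3 10:15:04 mx1 sshd[999]: Accepted publickey for alice from 198.51.100.8",
]
# Stand-in for the SYSLOGBASE + GREEDYDATA:message_remainder grok applied beforehand.
SYSLOG_RE = re.compile(r"^(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<message_remainder>.*)$")
COMPONENT_RE = re.compile(r"^postfix/(?P<component>\w+)")
QUEUE_RE = re.compile(r"^(?P<queue_id>[A-F0-9]{5,15}): (?P<kv_message>.*)$")  # short-format (hex) queue ids, as in the post
STATUS_RE = re.compile(r"status=\w+ (?P<remote_response>.*)$")

def parse_postfix_line(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event = dict(m.groupdict(), tags=[])
    if not event["program"].startswith("postfix"):
        return event                      # not a postfix line: the whole filter block is skipped
    event["tags"].append("postfix")
    c = COMPONENT_RE.match(event["program"])
    if not c:                             # grok failure: nothing further is attempted
        event["tags"].append("_grokparsefailure")
        return event
    event["component"] = c.group("component")
    event["tags"].append("postfix_component")
    remainder = event["message_remainder"]
    q = QUEUE_RE.match(remainder)
    if q:
        event["queue_id"] = q.group("queue_id")
        event["tags"].append("postfix_queue_id")
        kv_message = q.group("kv_message")
        if kv_message == "removed":       # qmgr is done with the message
            event["tags"].append("postfix_message_done")
        else:
            # kv filter equivalent: whitespace-separated key=value tokens, "<>," trimmed from values
            for token in kv_message.split():
                if "=" in token:
                    key, value = token.split("=", 1)
                    event[key] = value.strip("<>,")
            event["tags"].append("postfix_kv")
            if "status" in event:         # the rest after "status=<word> " is the remote response
                s = STATUS_RE.search(remainder)
                if s:
                    event["remote_response"] = s.group("remote_response")
                    event["tags"].append("postfix_remote_response")
    del event["message_remainder"]        # cleanup helper field, as in the config
    return event
```

Note that, exactly like the kv filter, a key=value token can overwrite an existing event field (for example a sender-controlled "host=" in a log line), so keep an eye on which keys you trust.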