filter-50-smtpd.conf
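filter {
  if [postfix][component] == "smtpd" {
    # Parses Postfix smtpd log lines into structured fields.
    #
    # Each branch is gated by an anchored regex on [message] so that a grok
    # pattern is only attempted on lines that can actually match it. The
    # original connect check was unanchored (/connect from/) and therefore
    # ran on every smtpd line that merely contained that substring; the
    # other three checks were already anchored, so this aligns them.
    #
    # Field convention for every branch: client hostname -> [client][address],
    # client IP -> [client][ip]. The TLS branch previously wrote the hostname to
    # [client][domain] and the IP to [client][address]; it now uses the same
    # fields as the other branches, so detections that pivot on client.ip see
    # all smtpd event types. Each successful parse sets [postfix][eventtype]
    # and adds the "grokked" tag; a failed parse tags the event for triage.
    #
    # NOTE(review): confirm that %{IP} accepts the literal form your Postfix
    # version logs for IPv6 clients; only IPv4-style literals are visible here.

    # "connect from host[ip]" and
    # "disconnect from host[ip] ehlo=1 mail=1 rcpt=0/1 data=0 commands=3/4"
    # The optional trailer of a disconnect line is kept in @metadata (not
    # shipped) and split into counters by the kv filter below.
    if [message] =~ /^(dis)?connect from/ {
      grok {
        match => ["message","^(dis)?connect from %{HOSTNAME:[client][address]}\[%{IP:[client][ip]}\](%{GREEDYDATA:[@metadata][connectdetail]})?"]
        id => "postfix_smtpd_connect"
        tag_on_failure => ["_grokparsefailure","postfix_smtpd_connect_failed"]
        add_field => {
          "[postfix][eventtype]" => "smtpd_connect"
        }
        add_tag => "grokked"
      }
    }

    # "lost connection after <STAGE> from host[ip]"; the SMTP stage the
    # client dropped at is kept in [postfix][action].
    if [message] =~ /^lost connection after/ {
      grok {
        match => ["message","^lost connection after %{WORD:[postfix][action]} from %{HOSTNAME:[client][address]}\[%{IP:[client][ip]}\]"]
        id => "postfix_smtpd_lostconnection"
        tag_on_failure => ["_grokparsefailure","postfix_smtpd_lostconnection"]
        add_field => {
          "[postfix][eventtype]" => "smtpd_lostconnection"
        }
        add_tag => "grokked"
      }
    }

    # "client=host[ip]" (queue-file lines that name the submitting client).
    if [message] =~ /^client=/ {
      grok {
        match => ["message","^client=%{HOSTNAME:[client][address]}\[%{IP:[client][ip]}\]"]
        id => "postfix_smtpd_client"
        tag_on_failure => ["_grokparsefailure","postfix_smtpd_client"]
        add_field => {
          "[postfix][eventtype]" => "smtpd_client"
        }
        add_tag => "grokked"
      }
    }

    # "Anonymous TLS connection established from host[ip]: <protocol/cipher detail>"
    # Only the Anonymous level is handled here; Postfix also logs Trusted,
    # Untrusted and Verified TLS connections, which currently fall through
    # untagged. Treat that as a visibility gap if TLS level matters to you.
    if [message] =~ /^Anonymous TLS connection established from/ {
      grok {
        match => ["message","^Anonymous TLS connection established from %{HOSTNAME:[client][address]}\[%{IP:[client][ip]}\]: %{GREEDYDATA:[postfix][detail]}"]
        id => "postfix_smtpd_anontls"
        tag_on_failure => ["_grokparsefailure","postfix_smtpd_anontls"]
        add_field => {
          "[postfix][eventtype]" => "smtpd_anontls"
        }
        add_tag => "grokked"
      }
    }

    # Split the disconnect trailer ("ehlo=1 mail=1 ...") into [postfix][<key>].
    # Key names are taken verbatim from the log text, so any "k=v" token that
    # reaches this point becomes a new field under [postfix]. If the trailer
    # ever carries unexpected text, pin the accepted counters with the kv
    # filter's include_keys option rather than letting log content define
    # the field set.
    if [@metadata][connectdetail] {
      kv {
        source => "[@metadata][connectdetail]"
        target => "[postfix]"
      }
    }
  }
}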