Mercurial > logstash
annotate sendmail.pattern @ 33:0faebb0b0fa4
update to kibana 3, logstash 1.2.1, es 0.90.5
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Mon, 23 Sep 2013 11:50:21 -0700 |
parents | 59fe08a2fcbe |
children |
rev | line source |
---|---|
0 | 1 # https://raw.github.com/augieschwer/grok-patterns/master/sendmail.grok |
2 # | |
3 | |
1
59fe08a2fcbe
switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents:
0
diff
changeset
|
4 LOGIN [.a-zA-Z0-9_-]+ |
0 | 5 EMAIL %{LOGIN}@%{IPORHOST} |
6 DSN [0-9][.][0-9][.][0-9] | |
1
59fe08a2fcbe
switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents:
0
diff
changeset
|
7 QID [A-za-z0-9]{14} |
0 | 8 |
9 # Match a relay that gives us a QID in the return status. | |
10 SENDMAIL_TO_1 %{SYSLOGBASE} %{QID:qid}: to=<%{EMAIL:to}>, (%{WORD}=%{DATA},)+ relay=%{IPORHOST:relay} \[%{IP}\], dsn=%{DSN:dsn}, stat=%{DATA:status} \(%{QID:qid} %{GREEDYDATA:status_message}\) | |
11 | |
12 # Match a relay that does NOT give us a QID in the return status. | |
13 SENDMAIL_TO_2 %{SYSLOGBASE} %{QID:qid}: to=<%{EMAIL:to}>, (%{WORD}=%{DATA},)+ relay=%{IPORHOST:relay} \[%{IP}\], dsn=%{DSN:dsn}, stat=%{DATA:status} \(%{GREEDYDATA:status_message}\) | |
14 | |
15 # Match a message with no relay IP address or status message. | |
16 SENDMAIL_TO_3 %{SYSLOGBASE} %{QID:qid}: to=<%{EMAIL:to}>, (%{WORD}=%{DATA},)+ relay=%{IPORHOST:relay}, dsn=%{DSN:dsn}, stat=%{GREEDYDATA:status} | |
17 | |
18 # Match a message with no relay info at all. | |
19 SENDMAIL_TO_4 %{SYSLOGBASE} %{QID:qid}: to=<%{EMAIL:to}>, (%{WORD}=%{DATA},)+ stat=%{GREEDYDATA:status} | |
20 | |
21 ### TODO - match multiple recipients in To: field. | |
22 #SENDMAIL_TO_5 %{SYSLOGBASE} %{QID:qid}: to=(<%{EMAIL:to}>,)+ (%{WORD}=%{DATA},)+ %{GREEDYDATA:status} | |
23 | |
24 SENDMAIL_TO (%{SENDMAIL_TO_1}|%{SENDMAIL_TO_2}|%{SENDMAIL_TO_3}|%{SENDMAIL_TO_4}) | |
25 | |
26 SENDMAIL_FROM %{SYSLOGBASE} %{QID:qid}: from=<%{EMAIL:from}>, (%{WORD}=%{DATA},)+ relay=%{IPORHOST:relay} \[%{IP}\] | |
27 | |
28 SENDMAIL_OTHER_1 %{SYSLOGBASE} %{QID:qid}: %{GREEDYDATA:message} | |
29 SENDMAIL_OTHER_2 %{SYSLOGBASE} STARTTLS=(client|server), relay=(\[)?%{IPORHOST:relay}(\])?%{GREEDYDATA:message} | |
30 SENDMAIL_OTHER_3 %{SYSLOGBASE} STARTTLS: %{GREEDYDATA:message} | |
31 SENDMAIL_OTHER_4 %{SYSLOGBASE} ruleset=tls_server, arg1=SOFTWARE, relay=%{IPORHOST:relay}, %{GREEDYDATA:message} | |
32 SENDMAIL_OTHER_5 %{SYSLOGBASE} STARTTLS=client, error: %{GREEDYDATA:message} | |
33 | |
34 SENDMAIL_RELAY %{SYSLOGBASE} ruleset=check_relay, arg1=(\[)?%{IPORHOST}(\])?, arg2=%{IP:ip}, relay=(\[)?%{IPORHOST:relay}(\])??%{GREEDYDATA:message} | |
35 | |
36 SENDMAIL_AUTH_1 %{SYSLOGBASE} AUTH=server, relay=%{IPORHOST:relay} \[%{IP}\]( \(may be forged\))?, authid=%{LOGIN:user}(@%{IPORHOST})?, %{GREEDYDATA:message} | |
37 SENDMAIL_AUTH_2 %{SYSLOGBASE} AUTH=server, relay=\[%{IP}\], authid=%{LOGIN:user}(@%{IPORHOST})?, %{GREEDYDATA:message} | |
38 SENDMAIL_AUTH (%{SENDMAIL_AUTH_1}|%{SENDMAIL_AUTH_2}) | |
39 | |
40 SENDMAIL_OTHER (%{SENDMAIL_OTHER_1}|%{SENDMAIL_OTHER_2}|%{SENDMAIL_OTHER_3}|%{SENDMAIL_OTHER_4}|%{SENDMAIL_OTHER_5}) | |
41 | |
42 SENDMAIL (%{SENDMAIL_TO}|%{SENDMAIL_FROM}|%{SENDMAIL_OTHER}|%{SENDMAIL_AUTH}|%{SENDMAIL_RELAY}) |