Zane C. Bowers-Hadley


Search::ESsearcher::Templates::syslog - Provides postfix support for essearcher.


Version 0.0.1


This uses the logstash configuration below.

    input {
      syslog {
        host => ""
        port => 11514
        type => "syslog"
      }
    }
    filter { }
    output {
      if [type] == "syslog" {
        elasticsearch {
          hosts => [ "" ]
        }
      }
    }

The important bit is "type" being set to "syslog". If that is not used, use the command line options --field and --fieldv to select the type field and value instead.

Install for pulling apart the postfix messages. These files are included with this as well.


--host <log host>

The syslog server.

--src <src server>

The source server sending to the syslog server.

--size <count>

The number of items to return.

--pid <pid>

The PID that sent the message.

--dgt <date>

Date greater than.

--dgte <date>

Date greater than or equal to.

--dlt <date>

Date less than.

--dlte <date>

Date less than or equal to.

--msg <message>

Messages to match.

--field <field>

The term field to use for matching them all.

--fieldv <fieldv>

The value of the term field to match them all.

--mid <msg id>

Search based on the message ID.

--from <address>

The from address to search for.

--to <address>

The to address to search for.

--oto <address>

The original to address to search for.


Search for rejected messages, NOQUEUE.

--ip <ip>

The client IP to search for.

--chost <host>

The client hostname to search for.

--status <status>

Search using SMTP status codes.


Do not display the country code for the client IP.


Do not display the region code for the client IP.


Do not display the city name for the client IP.


Do not display the postal code for the client IP.


Show alias warnings.


Show the parsed out /postfix\_.*/ keys.


Do not show the message.


Show the syslog program name as well.


Show the syslog PID as well.

AND, OR, or NOT shortcut

    , OR
    + AND
    ! NOT

A list separated by any of those will be transformed.

These may be used with program, facility, pid, or host.

    example: --program postfix,spamd
    results: postfix OR spamd



A value matching /^-/ has "now" prepended to it, so "-5m" becomes "now-5m".

A value matching /^u\:/ has the part after ":" converted to a unix time value using Time::ParseDate.

Anything not matching any of the above will just be passed on.
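The two rules above and the AND/OR/NOT shortcut list are easy to get wrong when building queries by hand. The following added example (not code from this module) shows both transformations in Python; the handling of a leading "!" as "NOT <term>", the use of ISO 8601 parsing as a stand-in for Time::ParseDate, and the "@timestamp" field name are assumptions.

```python
import re
from datetime import datetime, timezone

# Operator mapping from the shortcut table on this page.
OPERATORS = {",": "OR", "+": "AND", "!": "NOT"}


def expand_shortcuts(value):
    """Turn a shortcut list such as 'postfix,spamd' into 'postfix OR spamd'.

    A leading '!' yields 'NOT <term>' (assumption: the page only shows the
    infix ',' case).
    """
    tokens = [t.strip() for t in re.split(r"([,+!])", value)]
    return " ".join(OPERATORS.get(t, t) for t in tokens if t != "")


def convert_date(value):
    """Apply the date rules: /^-/ -> 'now' prefix, /^u:/ -> unix time, else as-is."""
    if value.startswith("-"):
        return "now" + value  # "-5m" -> "now-5m" (Elasticsearch date math)
    if value.startswith("u:"):
        # Stand-in for Time::ParseDate: only ISO 8601 is accepted here (assumption).
        dt = datetime.fromisoformat(value[2:])
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    return value


def date_range(args):
    """Map --dgt/--dgte/--dlt/--dlte values to an Elasticsearch range clause.

    `args` is a dict of option name -> value; '@timestamp' is an assumed field.
    """
    bounds = {}
    for opt, key in (("dgt", "gt"), ("dgte", "gte"), ("dlt", "lt"), ("dlte", "lte")):
        if opt in args:
            bounds[key] = convert_date(args[opt])
    return {"range": {"@timestamp": bounds}}


if __name__ == "__main__":
    print(expand_shortcuts("postfix,spamd"))          # postfix OR spamd
    print(date_range({"dgte": "-1h", "dlt": "now"}))  # gte now-1h, lt now
```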