Zane C. Bowers-Hadley

NAME

Search::ESsearcher::Templates::syslog - Provides postfix support for essearcher.

VERSION

Version 0.0.1

LOGSTASH

This uses a logstash configuration below.

    input {
      syslog {
        host => "10.10.10.10"
        port => 11514
        type => "syslog"
      }
    }
    
    filter { }
    
    output {
      if [type] == "syslog" {
        elasticsearch {
          hosts => [ "127.0.0.1:9200" ]
        }
      }
    }

The important bit is "type" being set to "syslog". If that is not used, use the command line options field and fieldv.

Install https://github.com/whyscream/postfix-grok-patterns for pulling apart the postfix messages. These files are included with this as well.

Options

--host <log host>

The syslog server.

--src <src server>

The source server sending to the syslog server.

--size <count>

The number of items to return.

--pid <pid>

The PID that sent the message.

--dgt <date>

Date greater than.

--dgte <date>

Date greater than or equal to.

--dlt <date>

Date less than.

--dlte <date>

Date less than or equal to.

--msg <message>

Messages to match.

--field <field>

The term field to use for matching them all.

--fieldv <fieldv>

The value of the term field to matching them all.

--mid <msg id>

Search based on the message ID.

--from <address>

The from address to search for.

--to <address>

The to address to search for.

--oto <address>

The original to address to search for.

--noq

Search for rejected messages, NOQUEUE.

--ip <ip>

The client IP to search for.

--chost <host>

The client hostname to search for.

--status <status>

Search using SMTP status codes.

--nocountry

Do not display the country code for the client IP.

--noregion

Do not display the region code for the client IP.

--nocity

Do not display the city name for the client IP.

--nopostal

Do not display the postal code for the client IP.

--aliaswarn

Show alias warnings.

--showkeys

Show the parsed out /postfix\_.*/ keys.

--nomsg

Do not show the message.

--showprogram

Show the syslog program name as well.

--showpid

Show the syslog PID as well.

AND, OR, or NOT shortcut

    , OR
    + AND
    ! NOT

A list seperated by any of those will be transformed

These may be used with program, facility, pid, or host.

    example: --program postfix,spamd
    
    results: postfix OR spamd

date

date

/^-/ appends "now" to it. So "-5m" becomes "now-5m".

/^u\:/ takes what is after ":" and uses Time::ParseDate to convert it to a unix time value.

Any thing not matching maching any of the above will just be passed on.