Parse dovecot 2.2 logs with logstash

Robert Schetterer rs at sys4.de
Thu Jun 12 13:22:20 UTC 2014


On 12.06.2014 13:51, Bruno Galindro da Costa wrote:
> Jarkko, many, many and many thanks! This will save a LOT of work...
> 
> 
> 
> 2014-06-11 4:52 GMT-03:00 Jarkko Mourujärvi <jarkko.mourujarvi at dovecot.fi>:
> 
>> On 10 Jun 2014, at 20:31, Bruno Galindro da Costa <
>> bruno.galindro at gmail.com> wrote:
>>
>>> Guys,
>>>
>>>   I need to parse my dovecot log files with logstash grok patterns. Is
>>> there any document specifying the patterns used by dovecot to write its
>>> logs?
>>>
>>>    I need to find all the log possibilities that could be written to log
>>> files by dovecot. So, if a document like that exists or if anyone could
>>> answer my question, I could make the parser with less difficulty.
>>
>> kv filter in logstash is very useful with dovecot, below is a short snippet
>> that will extract key=value pairs specified in "include_keys" from the log line.
>>
>> Additionally you might want to set mail_log_prefix to be something like
>> "service=%s, user=%s, " to make it easier to parse.
>>
>> filter {
>>     if [syslog_program] == "dovecot" {
>>       kv {
>>         source => "syslog_message"
>>         trim => ","
>>         include_keys => [ "box", "from", "in", "lip", "method", "mpid",
>>                           "msgid", "out", "rip", "session", "size", "user" ]
>>       }
>>     }
>> }
>>
> 
> 
> 

should go into wiki, too


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
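
Added example, not part of the thread and not Logstash's own code: a Python approximation of what the quoted kv settings (`trim => ","` plus the `include_keys` allowlist) pull out of Dovecot-style messages. The sample lines, the function names and the whitespace/`=` splitting are assumptions made for illustration.

```python
# Approximation of the kv filter as configured in the thread: split on
# whitespace, split each token on the first "=", trim "," from the value,
# keep only allowlisted keys. Illustrative only, not Logstash's code.

# Keys copied from include_keys in the quoted filter.
INCLUDE_KEYS = frozenset([
    "box", "from", "in", "lip", "method", "mpid",
    "msgid", "out", "rip", "session", "size", "user",
])

# Constructed sample lines (assumed shape of syslog_message, not real logs).
SAMPLE_LINES = [
    "imap-login: Login: user=<alice@example.org>, method=PLAIN, "
    "rip=192.0.2.10, lip=198.51.100.5, mpid=4242, TLS, session=<Qx1>",
    "imap(alice@example.org): copy from INBOX: box=Trash, uid=5, "
    "msgid=<m1@example.org>, size=1234",
    "imap(alice@example.org): Disconnected: Logged out in=120 out=2048",
]


def kv_extract(message, include_keys=INCLUDE_KEYS, trim=","):
    """Return the allowlisted key=value pairs found in one log message."""
    fields = {}
    for token in message.split():
        key, sep, value = token.partition("=")
        # Skip bare words ("TLS,", "from") and keys outside the allowlist
        # ("uid"), so free text in the line cannot create new fields.
        if not sep or key not in include_keys:
            continue
        fields[key] = value.strip(trim)
    return fields


def logins_by_remote_ip(lines):
    """Group logged-in users by remote IP (rip) for a quick review."""
    seen = {}
    for line in lines:
        f = kv_extract(line)
        if "rip" in f and "user" in f:
            seen.setdefault(f["rip"], set()).add(f["user"].strip("<>"))
    return seen


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(kv_extract(line))
    print(logins_by_remote_ip(SAMPLE_LINES))
```

With only "," trimmed, values such as `user` and `session` keep their angle brackets in this approximation, so downstream matching has to account for them.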

