Parse dovecot 2.2 logs with logstash

Jarkko Mourujärvi jarkko.mourujarvi at dovecot.fi
Wed Jun 11 07:52:08 UTC 2014


On 10 Jun 2014, at 20:31, Bruno Galindro da Costa <bruno.galindro at gmail.com> wrote:

> Guys,
> 
>   I need to parse my dovecot log files with logstash grok patterns. Is
> there any document specifying the patterns used by dovecot to write its
> logs?
> 
>    I need to find all the log possibilities that could be written to log
> files by dovecot. So, if a document like that exists or if anyone could
> answer my question, I could make the parser with less difficulty.

The kv filter in logstash is very useful with dovecot; below is a short snippet that will extract the key=value pairs specified in "include_keys" from a log line.

Additionally, you might want to set mail_log_prefix to be something like "service=%s, user=%s, " to make it easier to parse.

filter {
    if [syslog_program] == "dovecot" {
        kv {
            source => "syslog_message"
            trim => ","
            include_keys => [ "box", "from", "in", "lip", "method", "mpid", "msgid", "out", "rip", "session", "size", "user" ]
        }
    }
}
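
The fields such a kv filter would pull out of typical dovecot lines, as an added example that is not part of the original post: a simplified Python model of the extraction (not Logstash's own code), run over constructed sample lines. The function name `kv_extract`, the sample log lines and the end-of-value comma stripping are assumptions.

```python
import re

# Keys whitelisted in the post's include_keys setting.
INCLUDE_KEYS = {"box", "from", "in", "lip", "method", "mpid", "msgid",
                "out", "rip", "session", "size", "user"}

# Whitespace-separated tokens of the form key=value.
# Simplified model of the kv filter defaults; quote and bracket handling
# (which differs between kv filter versions) is not modelled here.
PAIR = re.compile(r"(?:^|\s)([A-Za-z_][\w.-]*)=(\S*)")


def kv_extract(message, include_keys=INCLUDE_KEYS, trim=","):
    """Return the whitelisted key=value pairs found in one syslog_message."""
    fields = {}
    for key, value in PAIR.findall(message):
        if key in include_keys:
            # Assumption: trim characters are stripped from both ends.
            fields[key] = value.strip(trim)
    return fields


# Constructed sample lines in the shape dovecot writes them.
SAMPLES = [
    "imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, "
    "lip=198.51.100.5, mpid=4242, TLS, session=<Zx1aB2cD3e>",
    "imap(alice): Disconnected: Logged out in=312 out=2048",
    "imap(alice): delete: box=INBOX, uid=17, msgid=<m1@example.org>, size=9120",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(kv_extract(line))
```

Bare tokens such as `TLS` carry no key and are dropped, and `uid` is discarded because it is not in the whitelist; add it to `include_keys` if per-message tracking is needed.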


