Parse dovecot 2.2 logs with logstash

Bruno Galindro da Costa bruno.galindro at gmail.com
Thu Jun 12 11:51:48 UTC 2014


Jarkko, many, many and many thanks! This will save a LOT of work...



2014-06-11 4:52 GMT-03:00 Jarkko Mourujärvi <jarkko.mourujarvi at dovecot.fi>:

> On 10 Jun 2014, at 20:31, Bruno Galindro da Costa <
> bruno.galindro at gmail.com> wrote:
>
> > Guys,
> >
> >   I need to parse my dovecot log files with logstash grok patterns. Is
> > there any document specifying the patterns used by dovecot to write its
> > logs?
> >
> >    I need to find all the log possibilities that could be written to log
> > files by dovecot. So, if a document like that exists or if anyone could
> > answer my question, I could make the parser with less difficulty.
>
> The kv filter in logstash is very useful with dovecot; below is a short
> snippet that will extract the key=value pairs specified in "include_keys"
> from a log line.
>
> Additionally you might want to set mail_log_prefix to be something like
> "service=%s, user=%s, " to make it easier to parse.
>
> filter {
>     if [syslog_program] == "dovecot" {
>       kv {
>         source => "syslog_message"
>         trim => ","
>         include_keys => [ "box", "from", "in", "lip", "method", "mpid",
> "msgid", "out", "rip", "session", "size", "user" ]
>       }
>     }
> }
>



-- 
Att.
Bruno Galindro da Costa
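
The extraction the quoted kv filter performs, as an added example that is not part of the original thread: a Python approximation of kv with the include_keys allowlist and "," trimming, run over constructed dovecot-style messages. The sample lines, the function names and the choice to keep a repeated key as a list are assumptions of this sketch, not logstash or dovecot code.

```python
import re

# Keys allowlisted by include_keys in the quoted filter.
INCLUDE_KEYS = {"box", "from", "in", "lip", "method", "mpid",
                "msgid", "out", "rip", "session", "size", "user"}

# key=value, where the value runs to the next whitespace character.
PAIR_RE = re.compile(r"(?<![\w.-])([A-Za-z_][\w.-]*)=(\S*)")

def kv_extract(message, include_keys=INCLUDE_KEYS, trim=","):
    """Return only the allowlisted key=value pairs found in a message."""
    fields = {}
    for key, value in PAIR_RE.findall(message):
        if key not in include_keys:
            continue                     # not allowlisted: never becomes a field
        value = value.strip(trim)        # drop the separator comma
        if key in fields:                # repeated key: keep every value visible
            prev = fields[key]
            fields[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            fields[key] = value
    return fields

# Constructed sample messages (not real log data). The last two assume a
# mail_log_prefix of the "service=..., user=..., " shape suggested above.
SAMPLES = [
    "imap-login: Login: user=<alice@example.com>, method=PLAIN, "
    "rip=192.0.2.10, lip=192.0.2.1, mpid=4242, TLS, session=<Zx1aBcD9>",
    "service=imap, user=alice@example.com, Disconnected: Logged out in=88 out=1024",
    "service=imap, user=bob@example.com, copy from INBOX: box=Trash, uid=12, "
    "msgid=<1@mx.example.net>, size=2048",
]

def parse_samples():
    return [kv_extract(m) for m in SAMPLES]

if __name__ == "__main__":
    for fields in parse_samples():
        print(fields)
```

Bare tokens such as "TLS" and the word "from" in "copy from INBOX:" yield no field because they are not key=value pairs, and "service" and "uid" are dropped because they are not in the allowlist; add "service" to include_keys if the prefix field should be indexed.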

