forked from philhagen/sof-elk
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy path6022-courier.conf
24 lines (23 loc) · 1.17 KB
/
6022-courier.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# SOF-ELK® Configuration File
# (C)2016 Lewes Technology Consulting, LLC
#
# This file contains filters, transforms, and enrichments for Courier IMAP/POP3 messages
# Note that this file is UNSUPPORTED. By default, it is not enabled in SOF-ELK.
filter {
if [type] == "syslog" {
if [syslog_program] == "courier-pop3d" or [syslog_program] =~ /courier-imap(d|s)/ {
# LOGIN, user=user@host.tld, ip=[::ffff:1.2.3.4], port=[63641]
# LOGIN FAILED, user=user@host.tld, ip=[::ffff:1.2.3.4]
# TIMEOUT, user=user@host.tld, ip=[::ffff:1.2.3.4], headers=0, body=0, rcvd=740, sent=4580, time=7558, starttls=1
# Connection, ip=[::ffff:1.2.3.4]
# Disconnected, ip=[::ffff:1.2.3.4]
# Maximum connection limit reached for ::ffff:1.2.3.4
grok {
match => [ "message", "^%{DATA:event},(?: user=%{NOTSPACE:user},)? ip=\[::ffff:%{IP:source_ip}\](?:, port=\[%{POSINT:source_port}\])?" ]
match => [ "message", "^%{DATA:event} for ::ffff:%{IP:source_ip}" ]
add_tag => [ "got_courier_event", "parse_done" ]
tag_on_failure => [ "_gpfail_courierevent" ]
}
}
}
}