Chained grok pattern issue


(Bruce Givens) #1

Hello,

has anyone had success in integrating the postfix grok patterns from https://github.com/whyscream/postfix-grok-patterns/blob/master/postfix.grok in graylog?

The issue I am running up against seems to be related to duplicate field names in a chained grok pattern and can be seen when setting up a new grok extractor.

Example message:

2A4F522229: to=<username@example.com>, relay=mail.example.com[192.168.1.2]:25, delay=0.3, delays=0.17/0.06/0.03/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5F34F419F7)

grok pattern:

%{POSTFIX_SMTP}

extractor preview:

POSTFIX_KEYVALUE
    2A4F522229: to=<username@example.com>, relay=mail.example.com[192.168.1.2]:25, delay=0.3, delays=0.17/0.06/0.03/0.03, dsn=2.0.0,
POSTFIX_SMTP
    2A4F522229: to=<username@example.com>, relay=mail.example.com[192.168.1.2]:25, delay=0.3, delays=0.17/0.06/0.03/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5F34F419F7)
POSTFIX_SMTP_DELIVERY
    2A4F522229: to=<username@example.com>, relay=mail.example.com[192.168.1.2]:25, delay=0.3, delays=0.17/0.06/0.03/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5F34F419F7)
postfix_status
    sent

Here are the relevant grok patterns:

POSTFIX_SMTP (%{POSTFIX_SMTP_DELIVERY}|%{POSTFIX_SMTP_CONNERR}|%{POSTFIX_SMTP_LOSTCONN}|%{POSTFIX_SMTP_TIMEOUT}|%{POSTFIX_SMTP_RELAYERR}|%{POSTFIX_TLSCONN}|%{POSTFIX_WARNING})
POSTFIX_SMTP_DELIVERY %{POSTFIX_KEYVALUE} status=%{WORD:postfix_status}( \(%{GREEDYDATA:postfix_smtp_response}\))?
POSTFIX_SMTP_RELAYERR %{POSTFIX_QUEUEID:postfix_queueid}: host %{POSTFIX_RELAY_INFO} said: %{GREEDYDATA:postfix_smtp_response} \(in reply to %{POSTFIX_SMTP_STAGE:postfix_smtp_stage} command\)

As can be seen above, postfix_status is extracted, but not postfix_smtp_response.
Note that postfix_smtp_response is in %{POSTFIX_SMTP_DELIVERY} and %{POSTFIX_SMTP_RELAYERR}, which are both part of %{POSTFIX_SMTP}.

The “missing” value is extracted if the field name postfix_smtp_response is changed to postfix_smtp_response1 in one of the grok patterns:

POSTFIX_KEYVALUE
    2A4F522229: to=<username@example.com>, relay=mail.example.com[192.168.1.2]:25, delay=0.3, delays=0.17/0.06/0.03/0.03, dsn=2.0.0,
POSTFIX_SMTP
    2A4F522229: to=<username@example.com>, relay=mail.example.com[192.168.1.2]:25, delay=0.3, delays=0.17/0.06/0.03/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5F34F419F7)
POSTFIX_SMTP_DELIVERY
    2A4F522229: to=<username@example.com>, relay=mail.example.com[192.168.1.2]:25, delay=0.3, delays=0.17/0.06/0.03/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5F34F419F7)
postfix_smtp_response1
    250 2.0.0 Ok: queued as 5F34F419F7
postfix_status
    sent

So it appears that the field name can only be used once.

Is this behavior correct? I would have expected that if the the patterns were OR’d as in %{POSTFIX_SMTP} that the field names could be reused.

Any insight is appreciated!

Thanks,
Bruce


(system) #2

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.