SpamTitan / Postfix extractors?

network_master · April 9, 2021, 7:20am

Just wondering if anyone has a decent set of Extractors they would be willing to share for Postfix and/or SpamTitan (which is postfix anyway).

Not really looking to match up whole email messages, i have seen those threads.
My main aim is to get the data indexed

I have spent most of the day trying to get something working from between

github.com

whyscream/postfix-grok-patterns/blob/master/postfix.grok

# Version: 1.0.0

# common postfix patterns
POSTFIX_QUEUEID ([0-9A-F]{6,}|[0-9a-zA-Z]{12,}|NOQUEUE)
POSTFIX_CLIENT_INFO %{HOSTNAME:postfix_client_hostname}?\[%{IP:postfix_client_ip}\](:%{INT:postfix_client_port})?
POSTFIX_RELAY_INFO %{HOSTNAME:postfix_relay_hostname}?\[(%{IP:postfix_relay_ip}|%{DATA:postfix_relay_service})\](:%{INT:postfix_relay_port})?|%{WORD:postfix_relay_service}
POSTFIX_SMTP_STAGE (CONNECT|HELO|EHLO|STARTTLS|AUTH|MAIL( FROM)?|RCPT( TO)?|(end of )?DATA|RSET|UNKNOWN|END-OF-MESSAGE|VRFY|\.)
POSTFIX_ACTION (accept|defer|discard|filter|header-redirect|reject)
POSTFIX_STATUS_CODE \d{3}
POSTFIX_STATUS_CODE_ENHANCED \d\.\d\.\d
POSTFIX_DNSBL_MESSAGE Service unavailable; .* \[%{GREEDYDATA:postfix_status_data}\] %{GREEDYDATA:postfix_status_message};
POSTFIX_PS_ACCESS_ACTION (DISCONNECT|BLACKLISTED|WHITELISTED|WHITELIST VETO|PASS NEW|PASS OLD)
POSTFIX_PS_VIOLATION (BARE NEWLINE|COMMAND (TIME|COUNT|LENGTH) LIMIT|COMMAND PIPELINING|DNSBL|HANGUP|NON-SMTP COMMAND|PREGREET)
POSTFIX_TIME_UNIT %{NUMBER}[smhd]
POSTFIX_KEYVALUE_DATA [\w-]+=[^;]*
POSTFIX_KEYVALUE %{POSTFIX_QUEUEID:postfix_queueid}: %{POSTFIX_KEYVALUE_DATA:postfix_keyvalue_data}
POSTFIX_WARNING_LEVEL (warning|fatal|info)

POSTFIX_TLSCONN (Anonymous|Trusted|Untrusted|Verified) TLS connection established (to %{POSTFIX_RELAY_INFO}|from %{POSTFIX_CLIENT_INFO}): %{DATA:postfix_tls_version} with cipher %{DATA:postfix_tls_cipher} \(%{DATA:postfix_tls_cipher_size} bits\)
POSTFIX_TLSVERIFICATION certificate verification failed for %{POSTFIX_RELAY_INFO}: %{GREEDYDATA:postfix_tls_error}

This file has been truncated. show original

and

gist.github.com

https://gist.github.com/oleksandriegorov/1c8103e660109d01feb56cc4623cabb8

postfix

# Syslog stuff
COMPONENT ([\w._\/%-]+)
COMPID postfix\/(%{DATA:instance}\/)?%{COMPONENT:component}(?:\[%{NUMBER:pid}\])?
POSTFIX (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{COMPID}:

# Milter
HELO (?:\[%{IP:helo}\]|%{HOST:helo}|%{DATA:helo})

MILTERCONNECT %{QUEUEID:qid}: milter-reject: CONNECT from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; proto=%{WORD:proto}
MILTERUNKNOWN %{QUEUEID:qid}: milter-reject: UNKNOWN from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; proto=%{WORD:proto}

This file has been truncated. show original

However at the end of the road, there was a lot of duplication that didn’t actually produce much of use (half extracts it / or matches on the wrong filter and fields end up with weird names)
I also found both took about 10 seconds per syslog message to process, so its not really viable

Just thought i’d see if anyone shares a common headache before i start down the road of writing my own

Thanks!

system · April 23, 2021, 7:20am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Chained grok pattern issue Graylog Central (peer support)	1	933	December 15, 2017
Graylog Exchange Message Tracking Log Extractor Graylog Central (peer support) sidecar , nxlog , nodatanx , send-csv-logsnx	11	9850	June 13, 2017
Extractor help needed Graylog Central (peer support)	2	717	March 15, 2021
Log Extractor Help Graylog Central (peer support) grok-patternspl	2	427	April 24, 2023
Creating Extractor Graylog Central (peer support)	8	3270	April 13, 2022

SpamTitan / Postfix extractors?

Related Topics