postfix/local parsing about postfix-grok-patterns HOT 5 CLOSED

Hi Martin, thanks for your interest.

I don't have any patterns for local delivery because I don't use that. So no sample log lines, and no personal need. I'll add the examples you provided. Supporting them is easy since they are already covered by the default key-value parsing.

from postfix-grok-patterns.

The changes in #43 should work for logstash users, since the logstash config uses key-value processing after the grok work. I don't know if this solution works for fluentd (which you seem to use).

from postfix-grok-patterns.

Thank you, Tom.

Hmmm, does this also work with the delays=0.04/0/0/0.03 key value? Cause there it has several values in one key, my attempt at parsing them splitted them up like you did for the qmgr lines.

My filters parsed it as:

"postfix_delay_total":"1.1","postfix_delay_before_qmgr":0.98,"postfix_delay_in_qmgr":0.06,"postfix_delay_conn_setup":0,"postfix_delay_transmission":0.03,"postfix_status":"sent"

(okay, I don´t know whether the labels for the attributes are correct, I just reused your qmgr stuff, but I can look this up)

I am trying your pattern nevertheless as it would not fail on my second example line.

from postfix-grok-patterns.

Okay, now I get it. This parsing seems to be stacked. qmgr uses the same way. And well, it works and separates the delays nicely.

BTW I am preparing slides for a logfile analysis training, so I am looking at both fluentd and logstash. I don´t know yet, whether fluent-plugin-grok-parser can take these postfix patterns yet, but I may try.

from postfix-grok-patterns.

I guess the patterns should be fine as grok is a generic library. But the stacked approach and the k/v parsing is built as logstash functionality, and I have no idea if you can replicate that using fluentd.

Good luck with your training! :)

Regards,
Tom

from postfix-grok-patterns.