elastic-kibana-postfix icon indicating copy to clipboard operation
elastic-kibana-postfix copied to clipboard
verified publisher icon ActionScripted

Version requirements?

Open fribse opened this issue 5 years ago • 2 comments

Hi there I have a filebeat 6.5.1 and our elastic stack is also at 6.5.1. When I set up the filebeat it does say it finds 1 input (dedicated postfix server), but I don't see anything arriving on the logstash. It does have access, as I can telnet to the port from the filebeat server, so I was wondering if the syntax used in the configs.d is only available for 7.x filebeats?

fribse avatar Sep 04 '20 09:09 fribse

Hello, @fribse I had the same issue. FIxed it with following 51-filter-postfix-aggregate.conf:

filter {
  if [program] == "postfix/qmgr" and [postfix_from] {
    aggregate {
      task_id => "%{postfix_queueid}"
      code => "
        map['postfix_from'] = event.get('postfix_from')
        map['postfix_size'] = event.get('postfix_size')
        map['postfix_nrcpt'] = event.get('postfix_nrcpt')
      "
    }
  } else if [program] == "postfix/smtp" {
    aggregate {
      task_id => "%{postfix_queueid}"
      code => "
       map.each do |key, value|
         event.set(key, value)
       end
     "
    }
  }
  if [program] == "postfix/smtp" and [postfix_tls_version] {
     drop {}
  }
  if [postfix] and [program] != "postfix/smtp" {
    drop {}
  }
}

Working properly on ELK 6 and 7 Thank you

bmatsupa-gorilla avatar Jul 16 '21 20:07 bmatsupa-gorilla

I was trying with ELK 6.5 and it is asking for .ndjson files. Would it be possible for you to share the UI dashboard .json and configuration files that work with ELK 6 and 7?

skmessage avatar Oct 11 '23 06:10 skmessage