On 17 Apr. 2014, at 08:33, Robert Schetterer wrote:

> perhaps off topic, with using postfix and graylog2 i was advised to use
> massive pre filter with syslog daemon before "inject" to graylog2
> so this may help you tmp too, but for sure, it's very complex
I'm currently trying to adapt grok patterns to parse Postfix logs (and Milter-greylist, and Amavisd-new, and Dovecot - but Postfix is the big part). It's quite hard to test/debug even though I'm re-using previous work from someone else.

The process with logstash/elasticsearch is probably the same: postfix->syslog->pattern filter->JSON->elasticsearch.

As you wrote, it's very complex. But more importantly it's almost certainly useless, because the next change in Postfix settings or the next Postfix update can also change the log output and break your patterns. Now imagine you host several Postfix instances, with different settings/usages/versions...

Patrick
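The brittleness Patrick describes can be made concrete with a small pattern filter. The following is an added example, not code from either poster or from logstash/graylog2: it parses constructed Postfix syslog lines (not captured from any real host) with regexes equivalent to grok patterns, shows how a settings change such as a different `syslog_name` in a multi-instance setup silently stops a strict pattern from matching, and tags unmatched lines the way logstash's `_grokparsefailure` does so that pattern breakage shows up as a countable failure rate instead of missing events.

```python
import re

# Constructed sample lines in the shape Postfix writes through syslog (not real captured data).
SAMPLE_LINES = [
    "Apr 17 08:33:01 mx1 postfix/smtpd[12345]: connect from mail.example.net[192.0.2.10]",
    "Apr 17 08:33:02 mx1 postfix/qmgr[2222]: 3A1B2C3D4E: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)",
    # Same event from a second instance whose syslog_name was changed to "postfix-out":
    # a pattern that hard-codes "postfix/" no longer matches it.
    "Apr 17 08:33:03 mx2 postfix-out/qmgr[2223]: 5F6A7B8C9D: from=<bob@example.org>, size=4096, nrcpt=2 (queue active)",
]

# Common syslog prefix: "Mon DD HH:MM:SS host "
SYSLOG_PREFIX = r"^(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "

# Strict patterns: assume the default syslog_name "postfix" (what a pattern copied from elsewhere often does).
STRICT_PATTERNS = {
    "smtpd_connect": re.compile(
        SYSLOG_PREFIX
        + r"postfix/smtpd\[(?P<pid>\d+)\]: connect from (?P<client_host>[^\[]+)\[(?P<client_ip>[^\]]+)\]$"
    ),
    "qmgr_active": re.compile(
        SYSLOG_PREFIX
        + r"postfix/qmgr\[(?P<pid>\d+)\]: (?P<queue_id>[0-9A-F]+): from=<(?P<from>[^>]*)>, "
        + r"size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+) \(queue active\)$"
    ),
}

# Tolerant patterns: accept any syslog_name of the form "postfix" or "postfix-<suffix>" and record it
# as "instance", so logs from several differently configured instances still parse.
TOLERANT_PATTERNS = {
    "smtpd_connect": re.compile(
        SYSLOG_PREFIX
        + r"(?P<instance>postfix(?:-[\w-]+)?)/smtpd\[(?P<pid>\d+)\]: connect from "
        + r"(?P<client_host>[^\[]+)\[(?P<client_ip>[^\]]+)\]$"
    ),
    "qmgr_active": re.compile(
        SYSLOG_PREFIX
        + r"(?P<instance>postfix(?:-[\w-]+)?)/qmgr\[(?P<pid>\d+)\]: (?P<queue_id>[0-9A-F]+): "
        + r"from=<(?P<from>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+) \(queue active\)$"
    ),
}


def parse_line(line, patterns):
    """Try each named pattern in order; return the first match as a flat dict (JSON-ready)."""
    for name, rx in patterns.items():
        m = rx.match(line)
        if m:
            event = m.groupdict()
            event["event"] = name
            event["tags"] = []
            return event
    # No pattern matched: keep the raw line and tag it, never drop it silently.
    # This mirrors logstash's "_grokparsefailure" tag and is what you alert on after a Postfix upgrade.
    return {"message": line, "tags": ["_grokparsefailure"]}


def count_parse_failures(lines, patterns):
    """Number of lines that fell through all patterns; a rising count means the patterns broke."""
    return sum(
        1 for line in lines if "_grokparsefailure" in parse_line(line, patterns)["tags"]
    )


if __name__ == "__main__":
    for label, patterns in (("strict", STRICT_PATTERNS), ("tolerant", TOLERANT_PATTERNS)):
        print(f"{label}: {count_parse_failures(SAMPLE_LINES, patterns)} of {len(SAMPLE_LINES)} lines unparsed")
        for line in SAMPLE_LINES:
            print("  ", parse_line(line, patterns))
```

With the strict set, the third line is tagged `_grokparsefailure` and its queue id, sender and recipient count never reach the index; with the tolerant set all three lines parse and the instance name is preserved as a field. Whatever pattern set is used, counting tagged lines per host after each configuration change or upgrade is the cheap check that catches the breakage Patrick is worried about.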
