nginx-mail-logs Configuration

« nginx-mail-logs »
v0.2 by hitech95
Log parser

Parse Nginx Mail logs

Installation

cscli parsers install hitech95/nginx-mail-logs

Description

A generic parser for ngx_mail_core module:

Detect new session
Detect auth failures when using ngx_mail_auth_http_module

filenames:
  - /var/log/nginx/*.log
labels:
  type: nginx

YAML Configuration

1filter: "evt.Parsed.program startsWith 'nginx'"
2onsuccess: next_stage
3name: hitech95/nginx-mail-logs
4description: "Parse Nginx Mail logs"
5pattern_syntax:
6  NO_DOUBLE_QUOTE: '[^"]+'
7nodes:
8  - grok:
9      pattern: '%{NGINXERRTIME:time} \[%{LOGLEVEL:loglevel}\] %{NONNEGINT:pid}#%{NONNEGINT:tid}: (\*%{NONNEGINT:cid} )?client %{IPORHOST:remote_addr}:%{POSINT:remote_port} connected to %{IPORHOST:dest_ip}:%{POSINT:dest_port}'
10      apply_on: message
11      statics:
12        - meta: log_type
13          value: "mail_new_session"
14        - target: evt.StrTime
15          expression: evt.Parsed.time
16  - grok:
17      pattern: '%{NGINXERRTIME:time} \[%{LOGLEVEL:loglevel}\] %{NONNEGINT:pid}#%{NONNEGINT:tid}: (\*%{NONNEGINT:cid} )?%{GREEDYDATA:message}, client: %{IPORHOST:remote_addr}( using starttls,|,) server: %{IPORHOST:dest_ip}:%{POSINT:dest_port}(, login: "%{NO_DOUBLE_QUOTE:username}")?(, upstream: %{IPORHOST:proxy_ip}:%{POSINT:proxy_port})?'
18      apply_on: message
19    filter: "evt.Parsed.message contains 'client '"
20    statics:
21      - target: evt.StrTime
22        expression: evt.Parsed.time
23      - meta: username
24        expression: evt.Parsed.username
25      - meta: log_type
26        value: "mail_auth"
27    nodes:
28      - filter: "evt.Parsed.message contains 'logged in'"
29        statics:
30          - meta: sub_type
31            value: "auth_success"
32      - filter: "evt.Parsed.message contains 'login failed'"
33        pattern_syntax:
34          MAIL_HTTP_AUTH: 'client login failed: "%{NO_DOUBLE_QUOTE:auth_result}" while'
35        grok:
36          pattern: '%{MAIL_HTTP_AUTH}'
37          apply_on: message
38        statics:
39          - meta: sub_type
40            value: "auth_fail"
41          - meta: auth_result
42            expression: evt.Parsed.auth_result
43# these ones apply for both grok patterns
44statics:
45  - meta: service
46    value: mail
47  - meta: source_ip
48    expression: "evt.Parsed.remote_addr"
49  - meta: dest_ip
50    expression: "evt.Parsed.dest_ip"
51  - meta: dest_port
52    expression: "evt.Parsed.dest_port"
53

Hub configuration

« nginx-mail-logs »v0.2 by hitech95Log parser

« nginx-mail-logs »
v0.2 by hitech95
Log parser