I'm successfully using Postfix on Debian to relay my internal e-mail, and I am sending logs from the mail.log file to a Logstash instance and showing them on a Kibana dashboard to look for not delivered and bounced e-mails.
The problem I am having is that Postfix sends information about delivered e-mails on multiple log lines, for example:
Oct 9 18:19:58 mailserver postfix/smtpd[11513]: 7958440AA2: client=client.fqdn[123.123.123.123]
Oct 9 18:19:59 mailserver postfix/cleanup[11518]: 7958440AA2: message-id=<>
Oct 9 18:19:59 mailserver postfix/qmgr[26050]: 7958440AA2: from=<user@client.fqdn>, size=841, nrcpt=1 (queue active)
Oct 9 18:19:59 mailserver postfix/smtpd[11513]: disconnect from client.fqdn[123.123.123.123] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 9 18:20:10 mailserver postfix/smtp[11519]: 7958440AA2: to=<recipient@server.fqdn>, relay=relay.fqdn[111.111.111.111]:25, delay=12, delays=1/0.01/10/1.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1F2BF9679C4)
Oct 9 18:20:10 mailserver postfix/qmgr[26050]: 7958440AA2: removed
In Kibana I am displaying logs with the status= tag to find out whether the message was successfully delivered or not, but this way I am losing the information about the sender, which is displayed on another log line from Postfix.
Is there a way to let Postfix insert the from= tag as well into the same log line with the success= tag?
Or, is there a way to "merge" multiple logs in Logstash to have both the from= and success= tags in a Kibana dashboard?
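
The merge asked about above amounts to correlating lines on the Postfix queue ID (7958440AA2 in the sample). The following is an added example, not part of the original post and not Logstash configuration: a Python sketch of that correlation, where the function name `correlate` and the regular expressions are assumptions, and queue IDs are assumed to be the short hexadecimal form shown in the question.

```python
import re

# Constructed sample: the log lines quoted in the question.
SAMPLE_LOG = """\
Oct 9 18:19:58 mailserver postfix/smtpd[11513]: 7958440AA2: client=client.fqdn[123.123.123.123]
Oct 9 18:19:59 mailserver postfix/cleanup[11518]: 7958440AA2: message-id=<>
Oct 9 18:19:59 mailserver postfix/qmgr[26050]: 7958440AA2: from=<user@client.fqdn>, size=841, nrcpt=1 (queue active)
Oct 9 18:19:59 mailserver postfix/smtpd[11513]: disconnect from client.fqdn[123.123.123.123] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 9 18:20:10 mailserver postfix/smtp[11519]: 7958440AA2: to=<recipient@server.fqdn>, relay=relay.fqdn[111.111.111.111]:25, delay=12, delays=1/0.01/10/1.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1F2BF9679C4)
Oct 9 18:20:10 mailserver postfix/qmgr[26050]: 7958440AA2: removed
"""

# Assumption: short hexadecimal queue IDs, as in the sample above.
LINE_RE = re.compile(r"postfix/[\w-]+\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>")
TO_RE = re.compile(r"^to=<(?P<rcpt>[^>]*)>.*?\bdsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")


def correlate(lines):
    """Yield one merged event per delivery line (status=...), carrying the
    sender remembered from the earlier from= line of the same queue ID."""
    pending = {}  # queue ID -> sender, kept until the queue entry is removed
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without a queue ID, e.g. "disconnect from ..."
        qid, rest = m["qid"], m["rest"]
        if (f := FROM_RE.match(rest)):
            pending[qid] = f["sender"]  # empty string for bounces (from=<>)
        elif (t := TO_RE.match(rest)):
            yield {
                "queue_id": qid,
                "from": pending.get(qid),  # None if the from= line was never seen
                "to": t["rcpt"],
                "dsn": t["dsn"],
                "status": t["status"],
            }
        elif rest == "removed":
            pending.pop(qid, None)  # free state once Postfix drops the message


if __name__ == "__main__":
    for event in correlate(SAMPLE_LOG.splitlines()):
        print(event)
```

State is dropped only on the `removed` line, so a message with several recipients or a deferred message that is retried later still gets its sender attached to every status= event.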