1

I'm trying to figure out how it works logstash and grok to parse messages. I have found that example ftp://ftp.linux-magazine.com/pub/listings/magazine/185/ELKstack/configfiles/etc_logstash/conf.d/5003-postfix-filter.conf

which start like this:

filter {
     # grok log lines by program name (listed alpabetically)
     if [program] =~ /^postfix.*\/anvil$/ {
         grok{...

But don't understand where [program] is parsed. I'm using logstash 2.2 That example are not working in my logstash installation, nothing is parsed.

Miquel Àngel
  • 149
  • 1
  • 3
  • 11

1 Answers1

1

I answer myself.

The example assumes that the events come from syslog (in that case the field "program" are present), instead filebeats which is what I'm using to send the events to logstash.

To fix-it:

https://github.com/whyscream/postfix-grok-patterns/blob/master/ALTERNATIVE-INPUTS.md

Miquel Àngel
  • 149
  • 1
  • 3
  • 11