This repository has been archived by the owner on Dec 6, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 32
/
mail-imss.conf
61 lines (55 loc) · 1.89 KB
/
mail-imss.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# vim: syntax=python
# Please check https://github.com/cvandeplas/ELK-forensics for more information.
# Created by Christophe Vandeplas <[email protected]>
# Please look below and comment out the section about email archiving if you are not using it.
input {
tcp {
type => "mail_imss"
port => 18004
#codec => line { charset => "ISO-8859-1" }
}
}
filter {
if [type] == "mail_imss" {
csv {
separator => " "
columns => ["timestamp", "uuid", "email_src", "email_dst", "email_subject", "direction", "engine_action", "crap", "crap", "size", "crap", "crap", "action_id"]
}
if [action_id] == "0" {
# drop non-final lines - this is done to remove multiple lines per email,
# however it has the disadvantage as you lose some data
drop{}
}
date {
match => [ "timestamp", "YYYY/MM/dd HH:mm:ss 'GMT'ZZ" ]
}
# If you have configured a BCC in your IMSS software, this is the place to remove it from the logs
# Otherwise it will be present in all the recipients.
if ("[email protected]" in [email_dst]) {
# mutate the content of the recipient to remove out email archive system
mutate { gsub => [ email_dst, ";[email protected]", "" ] }
}
if [direction] == "1" {
mutate {
replace => ["direction", "in"]
}
} else {
mutate {
replace => ["direction", "out"]
}
}
mutate {
convert => ["size", "float"]
split => [email_dst, ";"]
remove_field => [ "message", "timestamp", "host", "crap", "column14", "column15", "column16", "column17", "column18", "column19", "column20", "column21", "column22", "column23", "column24", "column25", "column26", "column27", "column28", "column29", "column30" ]
}
}
}
output {
if [type] == "mail_imss" {
elasticsearch {
index => "logstash-%{[type]}-%{+YYYY.MM}"
host => "localhost"
}
}
}