logstash-plugins / logstash-patterns-core

Apache License 2.0

Feat: ecs-ify EXIM captures #290

Closed kares closed 3 years ago

kares commented 3 years ago

Following up on https://github.com/logstash-plugins/logstash-patterns-core/pull/283, we now have something to ECS-ify.

We're only handling a single type of exim's log format: logging (mail) message arrival, simplified log example:

2010-09-13 05:00:13 [1487] 1Ov4tU-0000Nz-Rm <= mailling.list@domain.com H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 P=esmtps S=21778  T="Daily List: Chameleon" for user@example.com

matching as:

"process"=>{"pid"=>1487},
"exim"=>{
  "log"=>{
    "message"=>{
      "id"=>"1Ov4tU-0000Nz-Rm", 
      "subject"=>"Daily List: Chameleon", 
      "size"=>21778
    }, 
    "header_id"=>"384a86a39e83be0d9b3a94d1feb3119f@domain.com",
    "sender"=>{"email"=>"mailling.list@domain.com"}, 
    "flags"=>"<=", 
    "recipient"=>{"email"=>"user@example.com"}
  }
}, 
"destination"=>{"ip"=>"67.215.162.175", "port"=>25}, 
"source"=>{"ip"=>"208.42.54.2", "address"=>"mailhost.domain.com", "port"=>51792},
"network"=>{"protocol"=>"esmtps"}

Struggled a bit with naming; I've outlined the reasoning below in the comments ...
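As an added example, not part of this PR or of the project's own grok patterns: a small Ruby parser that takes the simplified arrival line above and builds the same ECS-style nesting shown in the match output. The regular expression, the `FIELDS` map, the `set_path` and `parse_exim_arrival` helpers and the extra top-level `timestamp` key are all assumptions of this example; `header_id` is not produced because the simplified line carries no message-id header. Lines with a flag other than `<=` return `nil`, mirroring the point that only the arrival format is handled here.

```ruby
# Added example (not the project's grok pattern): parse the Exim "message
# arrival" log line from the PR description into the ECS-style nested hash.
# The regular expression and field paths below are a hand-written
# approximation; "timestamp" is an assumed extra key the PR output omits.

EXIM_ARRIVAL = /\A
  (?<timestamp>\d{4}-\d{2}-\d{2}\ \d{2}:\d{2}:\d{2})
  (?:\ \[(?<pid>\d+)\])?
  \ (?<msgid>\S+)
  \ (?<flags>[<]=)
  \ (?<sender>\S+@\S+)
  (?:\ H=(?<src_host>\S+)\ \[(?<src_ip>[^\]]+)\](?::(?<src_port>\d+))?)?
  (?:\ I=\[(?<dst_ip>[^\]]+)\](?::(?<dst_port>\d+))?)?
  (?:\ P=(?<protocol>\S+))?
  (?:\ S=(?<size>\d+))?
  (?:\ +T="(?<subject>[^"]*)")?
  (?:\ for\ (?<recipient>\S+))?
/x

# capture name => [dotted ECS-style path, optional conversion method]
FIELDS = {
  timestamp: ["timestamp", nil],
  pid:       ["process.pid", :to_i],
  msgid:     ["exim.log.message.id", nil],
  subject:   ["exim.log.message.subject", nil],
  size:      ["exim.log.message.size", :to_i],
  sender:    ["exim.log.sender.email", nil],
  flags:     ["exim.log.flags", nil],
  recipient: ["exim.log.recipient.email", nil],
  dst_ip:    ["destination.ip", nil],
  dst_port:  ["destination.port", :to_i],
  src_ip:    ["source.ip", nil],
  src_host:  ["source.address", nil],
  src_port:  ["source.port", :to_i],
  protocol:  ["network.protocol", nil],
}.freeze

# Set a value at a dotted path, creating intermediate hashes as needed.
def set_path(event, path, value)
  *parents, leaf = path.split(".")
  node = parents.inject(event) { |h, k| h[k] ||= {} }
  node[leaf] = value
  event
end

# Returns the nested event hash, or nil if the line is not an arrival (<=) line.
# Captures that did not match (optional H=, I=, P=, S=, T=, for) are skipped,
# so the output only contains keys that were actually present in the line.
def parse_exim_arrival(line)
  m = EXIM_ARRIVAL.match(line)
  return nil unless m
  FIELDS.each_with_object({}) do |(name, (path, conv)), event|
    raw = m[name]
    next if raw.nil?
    set_path(event, path, conv ? raw.public_send(conv) : raw)
  end
end

# Constructed sample: the simplified log line from the PR description.
SAMPLE_LINE = '2010-09-13 05:00:13 [1487] 1Ov4tU-0000Nz-Rm <= mailling.list@domain.com ' \
              'H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 ' \
              'P=esmtps S=21778  T="Daily List: Chameleon" for user@example.com'

if __FILE__ == $PROGRAM_NAME
  require "pp"
  pp parse_exim_arrival(SAMPLE_LINE)
end
```

Run the file directly to print the nested hash for the sample line; `parse_exim_arrival` is the piece to reuse, and the `FIELDS` map is where a renamed ECS path would be changed.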

kares commented 3 years ago

// cc @ebeahan @webmat if you guys feel like dropping a review here for us