postfix = {

  # Sawmill log-format plug-in for Postfix mail logs received through syslog.
  #
  # Postfix writes one message as several lines (smtpd client=, pickup, cleanup,
  # qmgr from=/to=, local/smtp to=) that share a queue ID. The parsing filters
  # below capture that ID as *KEY*, join the lines into one collected entry, and
  # accept (count) the entry only when a "status=sent" delivery line is seen.
  #
  # NOTE(review): every *KEY* capture below accepts uppercase hex only
  # ([A-F0-9]+). Queue IDs in any other form would never be keyed and those
  # messages would be lost -- confirm against the Postfix version in use.
  #
  # NOTE(review): no filter handles smtpd reject/NOQUEUE lines or
  # bounced/deferred deliveries, so these statistics cover successfully
  # delivered mail only; they are not a substitute for reviewing rejections.

  # The name of the log format
  log.format.format_label = "Postfix Log Format"
  # Lines are expected to carry a syslog header in front of the Postfix text.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if any of the first autodetect_lines (100) lines
  # match this regular expression. This is a bare substring test for "postfix".
  log.format.autodetect_regular_expression = "postfix"
  log.format.autodetect_lines = "100"

  # All log field parsing is done by the parsing filters below; the
  # index/subindex values on the log fields are therefore placeholders.
  log.format.parse_only_with_filters = "true"

  # An entry in this log is called a "message" in the statistics
  statistics.miscellaneous.entry_name = "messages"

  # Do not count collected entries that expire before being accepted
  # (i.e. a message whose "status=sent" line never arrives).
  # The explicit lifespan limit below is disabled.
  # log.format.collected_entry_lifespan = "0"
  log.format.accept_expired_entries = false

  # Log fields. Each is populated by a parsing filter (see log.parsing_filters);
  # index/subindex are unused because parse_only_with_filters is set.
  log.fields = {
    server = { label = "$lang_stats.field_labels.server" type = "flat" index = 0 subindex = 0 } # server
    # uid= as logged on /pickup lines
    uid = { label = "$lang_stats.field_labels.uid" type = "flat" index = 0 subindex = 0 } # uid
    # message-id= from /cleanup lines. Sender-supplied, so treat as untrusted
    # text in any downstream report.
    message_id = { label = "$lang_stats.field_labels.message_id" type = "flat" index = 0 subindex = 0 } # message_id
    # user = {
    #   label = "$lang_stats.field_labels.user"
    #   type = "flat"
    #   index = 0
    #   subindex = 0
    # } # user
    # from=<...> on /pickup and /qmgr lines
    from = { label = "$lang_stats.field_labels.from" type = "flat" index = 0 subindex = 0 } # from
    # to=<...> on /qmgr, /pipe, /local and /smtp delivery lines
    to = { label = "$lang_stats.field_labels.to" type = "flat" index = 0 subindex = 0 } # to
    # size= on /qmgr from= lines; reported as the "size" numerical field below
    size = { label = "$lang_stats.field_labels.size" type = "size" index = 0 subindex = 0 hierarchy_dividers = "" left_to_right = false leading_divider = "false" } # size
    # nrcpt= on /qmgr from= lines
    num_recipients = { label = "$lang_stats.field_labels.num_recipients" type = "flat" index = 0 subindex = 0 } # num_recipients
    # relay=, delay= and status= on delivery lines
    relay = { label = "$lang_stats.field_labels.relay" type = "flat" index = 0 subindex = 0 } # relay
    delay = { label = "$lang_stats.field_labels.delay" type = "flat" index = 0 subindex = 0 } # delay
    status = { label = "$lang_stats.field_labels.status" type = "flat" index = 0 subindex = 0 } # status
    # client=hostname[ip] on /smtpd lines. The hostname is a hierarchical host
    # field split on "." right-to-left (presumably so reports roll up by domain).
    origin_hostname = { label = "$lang_stats.field_labels.origin_hostname" type = "host" index = 0 subindex = 0 hierarchy_dividers = "." left_to_right = false leading_divider = "false" } # origin_hostname
    origin_ip = { label = "$lang_stats.field_labels.origin_ip" type = "flat" index = 0 subindex = 0 } # origin_ip
    # Worm name from Vexira (vagatefwd) alert lines
    virus = { label = "$lang_stats.field_labels.virus" type = "flat" index = 0 subindex = 0 } # virus
  } # log.fields

  #
  # Log Parsing Filters
  #
  # Filters run in order on each line. Numbering has gaps (8, 12) left by
  # earlier revisions; the filter names are only labels.
  log.parsing_filters = {
    # user = {
    #   label = "1"
    #   comment = ""
    #   value = `
    #if (matches_regular_expression(v.syslog_message, 'LOGIN, user=([^,]+)')) then (
    #  set_collected_field('', 'user', $1);
    #)
    #`
    # } # user

    # Rekey the collected entry on from= lines. The syslog stage parses the
    # date/time just before this into the entry with the empty key (''), and
    # this filter moves that entry under the real key, the queue ID ($1).
    #
    # History: this used to rekey on message-id= (the commented-out line below),
    # even though the comment said client=. client= comes first in a message's
    # lines, so rekeying on message-id would lose the client= information.
    # Since then many Postfix logs have been seen with neither a client= nor a
    # message-id line -- only from= and to= -- so the rekey now happens on from=.
    # This loses the client= (origin) data for those entries, but counting every
    # from/to is more important. A more flexible plug-in is the long-term fix.
    #
    # NOTE(review): this key pattern accepts [0-9A-Z]+ while every other filter
    # accepts [A-F0-9]+; a non-hex key would be rekeyed here but never matched
    # by the field filters below.
    # reverse_rekey_collected_entry "[ ]([0-9A-Z]+):() message-id=<" "" "" ""
    2 = {
      label = "2"
      comment = ""
      value = "if (matches_regular_expression(current_log_line(), '[ ]([0-9A-Z]+):() from=')) then rekey_collected_entry($2, $1);"
    } # 2

    # Parse /smtpd client= lines into origin hostname and IP. Only lines that
    # already carry a hex queue ID match; smtpd lines without one (such as
    # NOQUEUE reject lines) are ignored by every filter in this plug-in.
    # The doubled backslashes are escaped for both the config-string and the
    # regexp quoting layer and match the literal [ ] around the IP.
    3 = {
      label = "3"
      comment = ""
      value = "collect_fields_using_regexp('/smtpd.* ([A-F0-9]+): client=([^[]+)\\\\[([^]]+)\\\\]', '*KEY*,origin_hostname,origin_ip')"
    } # 3

    # Parse /pickup lines (uid= and from= of a locally submitted message)
    4 = {
      label = "4"
      comment = ""
      value = "collect_fields_using_regexp('/pickup.* ([A-F0-9]+): uid=([0-9]*) from=<([^>]*)>', '*KEY*,uid,from')"
    } # 4

    # Parse /cleanup lines. message-id is captured verbatim to end of line.
    5 = {
      label = "5"
      comment = ""
      value = "collect_fields_using_regexp('/cleanup.* ([A-F0-9]+): message-id=(.*)$', '*KEY*,message_id')"
    } # 5

    # Parse /qmgr from= lines (sender, size and recipient count). "dummy"
    # absorbs the (qmgr|nqmgr) alternation group so *KEY* lines up with the ID.
    6 = {
      label = "6"
      comment = ""
      value = "collect_fields_using_regexp('/(qmgr|nqmgr).* ([A-F0-9]+): from=<([^>]*)>, size=([0-9]*), nrcpt=([0-9]*)', 'dummy,*KEY*,from,size,num_recipients')"
    } # 6

    # Parse /qmgr (and /pipe) to= lines. status=([^,]+) runs to the next comma,
    # so any delivery text following the status word is captured with it.
    7 = {
      label = "7"
      comment = ""
      value = "collect_fields_using_regexp('/(qmgr|nqmgr|pipe).* ([A-F0-9]+): to=<([^>]*)>, relay=([^,]+), delay=([^,]+), status=([^,]+)', 'dummy,*KEY*,to,relay,delay,status')"
    } # 7

    # Parse /local delivery lines.
    # NOTE(review): this requires an integer delay= immediately followed by
    # ", status=" and a space after the status word. Lines with a fractional
    # delay or extra fields between delay= and status= would not match and
    # the message would never be accepted -- confirm against sample logs.
    9 = {
      label = "9"
      comment = ""
      value = "collect_fields_using_regexp('/local.* ([A-F0-9]+): to=<([^>]*)>, relay=([^,]*), delay=([0-9]*), status=([^ ]*) ', '*KEY*,to,relay,delay,status')"
    } # 9

    # Parse /smtp delivery lines (added by FG 8/05/2002). Same pattern and the
    # same caveat as filter 9.
    10 = {
      label = "10"
      comment = ""
      value = "collect_fields_using_regexp('/smtp.* ([A-F0-9]+): to=<([^>]*)>, relay=([^,]*), delay=([0-9]*), status=([^ ]*) ', '*KEY*,to,relay,delay,status')"
    } # 10

    # Accept (count) the collected entry when a to=...status=sent line is seen
    # from any delivery agent. The first alternative ('/.* ...') already covers
    # /local lines, so the second alternative is redundant but harmless.
    # Only status=sent is accepted: bounced, deferred and expired deliveries are
    # never counted. The user save/restore inside the value is disabled
    # (commented-out lines) along with the "user" field above.
    11 = {
      label = "11"
      comment = ""
      value = `
if (matches_regular_expression(v.syslog_message, '/.* ([A-F0-9]+): to=.*status=sent') or
    matches_regular_expression(v.syslog_message, '/local.* ([A-F0-9]+): to=.*status=sent')) then (
#  v.user = get_collected_field($1, 'user');
#  set_collected_field($1, 'user', '');
  accept_collected_entry($1, true);
#  set_collected_field($1, 'user', v.user);
)
`
    } # 11

    ## Handle Vexira (vagatefwd) virus lines. These are not correlated to any
    ## other fields, because virus lines do not contain the queue ID of the
    ## message; the empty group "()" gives them the empty key, so each alert is
    ## counted as its own entry. The single-character wildcards in the pattern
    ## presumably stand in for the punctuation/quotes of the Vexira message text.
    # Parse virus Alert lines
    13 = {
      label = "13"
      comment = ""
      value = "collect_fields_using_regexp('()vagatefwd.*Alert. the file .* contains .(.*). worm', '*KEY*,virus')"
    } # 13

    # Accept virus Alert lines
    14 = {
      label = "14"
      comment = ""
      value = "accept_collected_entry_using_regexp('()vagatefwd.*Alert. the file .* contains ..*. worm', false)"
    } # 14
  } # log.parsing_filters

  # Database (report) fields. message_id and delay are collected above but have
  # no database field here, so they do not appear in reports.
  database.fields = {
    # user = {
    #   label = "$lang_stats.field_labels.user"
    #   log_field = "user"
    #   type = "string"
    #   suppress_top = 0
    #   suppress_bottom = 2
    # } # user
    from = { label = "$lang_stats.field_labels.from" log_field = "from" type = "string" suppress_top = 0 suppress_bottom = 2 } # from
    to = { label = "$lang_stats.field_labels.to" log_field = "to" type = "string" suppress_top = 0 suppress_bottom = 2 } # to
    server = { label = "$lang_stats.field_labels.server" log_field = "server" type = "string" suppress_top = 0 suppress_bottom = 2 } # server
    uid = { label = "$lang_stats.field_labels.uid" log_field = "uid" type = "string" suppress_top = 0 suppress_bottom = 2 } # uid
    relay = { label = "$lang_stats.field_labels.relay" log_field = "relay" type = "string" suppress_top = 0 suppress_bottom = 2 } # relay
    status = { label = "$lang_stats.field_labels.status" log_field = "status" type = "string" suppress_top = 0 suppress_bottom = 2 } # status
    num_recipients = { label = "$lang_stats.field_labels.num_recipients" log_field = "num_recipients" type = "string" suppress_top = 0 suppress_bottom = 2 } # num_recipients
    origin_hostname = { label = "$lang_stats.field_labels.origin_hostname" log_field = "origin_hostname" type = "string" suppress_top = 0 suppress_bottom = 2 } # origin_hostname
    origin_ip = { label = "$lang_stats.field_labels.origin_ip" log_field = "origin_ip" type = "string" suppress_top = 0 suppress_bottom = 2 } # origin_ip
    virus = { label = "$lang_stats.field_labels.virus" log_field = "virus" type = "string" suppress_top = 0 suppress_bottom = 2 } # virus
  } # database.fields

  # Numerical fields: the message count (one per accepted entry, set by the
  # mark_entry log filter) and the summed message size shown as bandwidth.
  database.numerical_fields = {
    messages = { label = "$lang_stats.field_labels.messages" default = true requires_log_field = false type = "int" display_format_type = "integer" entries_field = true } # messages
    size = { label = "$lang_stats.field_labels.size" default = false requires_log_field = true log_field = "size" type = "float" display_format_type = "bandwidth" } # size
  } # database.numerical_fields

  # Log filters: count every accepted entry as one message.
  log.filters = {
    mark_entry = { label = '$lang_admin.log_filters.mark_entry_label' comment = '$lang_admin.log_filters.mark_entry_comment' value = 'messages = 1;' } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    host_tracking = true
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      # user = true
      from = true
      to = true
      server = true
      uid = true
      relay = true
      status = true
      num_recipients = true
      origin_hostname = true
      origin_ip = true
      virus = true
    } # report_groups
  } # create_profile_wizard_options

  # Web-traffic metrics that have no meaning for a mail log.
  not_supported = {
    visitors = true
    sessions = true
    pageviews = true
  } # not_supported
} # postfix