Stuck with regex/rename/strings

Hi,
The goal: parse a Postfix logfile, look for failed logins (those lines always contain ‘SASL’), put a “counter” into InfluxDB and make a Grafana dashboard showing failed logins in the last 5 minutes.
Example of the logfile

Jan 25 18:30:47 mail postfix/smtpd[60487]: warning: unknown[80.94.95.228]: SASL LOGIN authentication failed: authentication failure, sasl_username=maurice@domain.tld

What I have so far is:

# Tags added to every metric; nothing is set here.
[global_tags]

[agent]
# Identity of the reporting host; omit_hostname = false keeps the
# host=... tag on every metric (the "host=mail.domain" seen in the output).
hostname = "mail.domain"
omit_hostname = false
# Collection cadence: inputs are polled every 10s, aligned to the clock,
# and buffered metrics are flushed to the outputs every 10s as well.
interval = "10s"
round_interval = true
flush_interval = "10s"
# Jitter is off; it mainly matters when many agents share one output.
collection_jitter = "0s"
flush_jitter = "0s"
# Up to 10000 unwritten metrics are held per output while it is
# unreachable, written in batches of 1000.
metric_batch_size = 1000
metric_buffer_limit = 10000
# Logging verbosity.
debug = false
quiet = false

[[outputs.influxdb]]
urls = ["https://10.0.0.50:8086"]
database = "experimental"
skip_database_creation = true
retention_policy = ""
# Credentials sit in cleartext in this file: restrict the file's
# permissions to the telegraf user, or move them to a Telegraf secret
# store if the installed version supports one.
username = "experimental"
password = "secret"
# NOTE(review): this disables TLS certificate verification, so the
# credentials above are sent to whoever answers as 10.0.0.50 on the
# network. Prefer trusting the server's CA explicitly via
# tls_ca = "<path-to-ca-cert>" and setting this back to false.
insecure_skip_verify = true
# "0s" looks like "no HTTP timeout"; a stalled server could then block
# a flush indefinitely — presumably unintended, verify.
timeout = "0s"

[[outputs.file]]
# Debug output only: every metric also lands here, including the
# sasl_username values carried in the "message" field. /tmp is a shared
# directory and the file's mode depends on the telegraf umask, so drop
# this output (or point it at a private directory) once debugging is done.
files = ["stdout", "/tmp/metrics.out"]
data_format = "influx"

[[inputs.postfix]]
# Source of the postfix_queue metrics (one per queue: active, hold,
# incoming, maildrop, deferred). The telegraf user needs read access to
# these queue sub-directories; grant it via group/ACL rather than running
# Telegraf as root.
queue_directory = "/var/spool/postfix"

[[inputs.tail]]
# The telegraf user must be able to read the mail log; grant that through
# the log file's group rather than by running Telegraf as root.
files = ["/var/log/maillog"]
# Only new lines are ingested; from_beginning = true would read the whole
# file on every start.
from_beginning = false
name_override = "postfix_log"
data_format = "grok"
grok_patterns = ["%{CUSTOM_LOG}"]
# "message" is deliberately captured twice: %{GREEDYDATA:message} is
# greedy, so the trailing (?<message>...) group is left with the shortest
# suffix that still contains "SASL". As the output in this thread shows,
# that last capture is what ends up in the field, so it starts at
# "SASL ..." (the "warning: unknown[ip]:" prefix is eaten by the first
# capture) and lines without SASL do not match at all. Simplifying this
# pattern changes the stored value — keep it as is.
grok_custom_patterns = '''CUSTOM_LOG %{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST} %{DATA:program}(?:\[%{POSINT}\])?: %{GREEDYDATA:message}(?<message>(.*SASL.*))'''
# Store only "message"; timestamp and program are parsed but discarded.
fieldinclude = ["message"]
  
#[[processors.strings]]
#  [[processors.strings.replace]]
#    tag = "message"
#    old = ".*"
#    new = "1"


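[[processors.regex]]
namepass = ["postfix_log"]

# "message" is a field, not a tag — the influx line output writes it as
# message="..." after the tag set — so the rewrite has to target the
# fields table. A [[processors.regex.tags]] entry never matches, and the
# full text, sasl_username included, reaches the database unchanged.
[[processors.regex.fields]]
key = "message"
# Anchored to the start: the grok capture always begins with "SASL".
pattern = "^SASL.*"
# The field remains a string ("1"). If Grafana needs a number to sum,
# add a [[processors.converter]] with [processors.converter.fields]
# integer = ["message"] after this processor.
replacement = "1"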

The [[inputs.tail]] part works, but I don’t want to bloat the database with all the text; I’d rather replace the whole message with a “1”, which would also make it much easier to work with in Grafana.

Any help is very much appreciated
Gav

Can you post an example Telegraf output line without any post-processing applied?

Of course.
The config:

[global_tags]
# No global tags configured.

[agent]
interval = "10s"             # how often inputs are polled
round_interval = true        # align polls to multiples of interval
flush_interval = "10s"       # how often buffered metrics go to outputs
collection_jitter = "0s"     # no stagger; single agent, single output
flush_jitter = "0s"
metric_batch_size = 1000     # metrics per write
metric_buffer_limit = 10000  # max unwritten metrics kept per output
hostname = "mail.domain"
omit_hostname = false        # keep the host tag on each metric
debug = false
quiet = false

[[outputs.file]]
# Writes the same influx line protocol to the console and to a file so the
# parsed metrics can be inspected. The "message" field still contains the
# sasl_username from the log here; /tmp is shared with other local users,
# so treat the file as debug-only and remove it afterwards.
data_format = "influx"
files = ["stdout", "/tmp/metrics.out"]

[[inputs.postfix]]
# Emits the postfix_queue metrics (length/size/age per queue) shown in the
# output below; telegraf needs read access to the queue sub-directories.
queue_directory = "/var/spool/postfix"

[[inputs.tail]]
data_format = "grok"
name_override = "postfix_log"
# Follow only lines appended after start-up.
files = ["/var/log/maillog"]
from_beginning = false
# The double "message" capture is intentional: the greedy
# %{GREEDYDATA:message} leaves the trailing (?<message>...) group the
# shortest suffix containing "SASL", and that last capture is the stored
# value (every output line below starts with "SASL LOGIN ..."). Lines
# without "SASL" fail to match and are dropped. Do not "simplify" it.
grok_patterns = ["%{CUSTOM_LOG}"]
grok_custom_patterns = '''CUSTOM_LOG %{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST} %{DATA:program}(?:\[%{POSINT}\])?: %{GREEDYDATA:message}(?<message>(.*SASL.*))'''
# Only the message field is kept on the metric.
fieldinclude = ["message"]

The output

  1 postfix_log,host=mail.domain,path=/var/log/maillog message="SASL LOGIN authentication failed: authentication failure, sasl_username=branden@domain.tld" 1738079405917893052
  2 postfix_log,host=mail.domain,path=/var/log/maillog message="SASL LOGIN authentication failed: authentication failure, sasl_username=mm@domain.tld" 1738079408933357194
  3 postfix_queue,host=mail.domain,queue=active length=0i,size=0i,age=0i 1738079410000000000
  4 postfix_queue,host=mail.domain,queue=hold age=0i,length=0i,size=0i 1738079410000000000
  5 postfix_queue,host=mail.domain,queue=incoming length=0i,size=0i,age=0i 1738079410000000000
  6 postfix_queue,host=mail.domain,queue=maildrop length=0i,size=0i,age=0i 1738079410000000000
  7 postfix_queue,host=mail.domain,queue=deferred length=4i,size=3610991i,age=1935i 1738079410000000000
  8 postfix_log,host=mail.domain,path=/var/log/maillog message="SASL LOGIN authentication failed: authentication failure, sasl_username=brandi@domain.tld" 1738079418159907888
  9 postfix_queue,host=mail.domain,queue=active length=0i,size=0i,age=0i 1738079420000000000
 10 postfix_queue,host=mail.domain,queue=hold length=0i,size=0i,age=0i 1738079420000000000
 11 postfix_queue,host=mail.domain,queue=incoming length=0i,size=0i,age=0i 1738079420000000000
 12 postfix_queue,host=mail.domain,queue=maildrop length=0i,size=0i,age=0i 1738079420000000000
 13 postfix_queue,host=mail.domain,queue=deferred age=1945i,length=4i,size=3610991i 1738079420000000000
 14 postfix_log,host=mail.domain,path=/var/log/maillog message="SASL LOGIN authentication failed: authentication failure, sasl_username=cuda@domain.tld" 1738079420577987386

Thanks
Gavilaan

[[processors.regex]]
# Runs on every metric, but only postfix_log carries a "message" field
# (postfix_queue has length/size/age), so the others pass through
# untouched; namepass = ["postfix_log"] would make that explicit.
[[processors.regex.fields]]
key = "message"
# Anchored: the grok capture always starts with "SASL", so the whole text
# — sasl_username included — is replaced before it is stored.
pattern = "^SASL.*"
# The result is still a string field ("1"); cast it with a converter
# processor if Grafana needs a numeric value to aggregate.
replacement = "1"

Works perfectly. Thank you very much.
Gav
