filter {
  # Postfix "submission" service (the authenticated, client-facing SMTP
  # listener). The events parsed here are the ones credential brute-force
  # and account-abuse detections usually key on, so field names are kept
  # stable. The three grok blocks are mutually exclusive per message; the
  # trailing kv block depends on the first grok having populated
  # [@metadata][connectdetail], so block order matters.
  if [postfix][component] == "submission" {

    # "connect from" and "disconnect from" lines. The unanchored regex is only
    # a cheap pre-filter; the grok below does the actual parsing. Checking
    # every message this way is not efficient -- better checks are welcome.
    if [message] =~ /connect from/ {
      grok {
        id => "postfix_submission_connect"
        # NOTE(review): [client][domain] is whatever Postfix logged from its
        # reverse lookup (frequently the literal "unknown"); it is not a
        # trusted identity -- key alerts on [client][address] instead.
        # Anything after the closing "]" is kept in event metadata for the
        # kv filter further down and is never indexed as-is.
        match => {
          "message" => "(dis)?connect from %{HOSTNAME:[client][domain]}\[%{IP:[client][address]}\](%{GREEDYDATA:[@metadata][connectdetail]})?"
        }
        # add_field / add_tag are applied only when the match succeeds.
        add_field => { "[postfix][eventtype]" => "submission_connect" }
        add_tag => ["grokked"]
        tag_on_failure => ["_grokparsefailure", "postfix_submission_connect_failed"]
      }
    }

    # SASL authentication failures ("warning: host[ip]: ... authentication
    # failed ..."). [postfix][detail] carries the remainder of the line.
    if [message] =~ /^warning: .*authentication failed/ {
      grok {
        id => "postfix_submission_authenticationfailed"
        match => {
          "message" => "warning: %{HOSTNAME:[client][domain]}\[%{IP:[client][address]}\]: %{GREEDYDATA:[postfix][detail]}"
        }
        add_field => { "[postfix][eventtype]" => "submission_authenticationfailed" }
        add_tag => ["grokked"]
        # NOTE(review): unlike the connect block, the failure tag here reuses
        # the id string instead of a "_failed" suffix. A downstream rule that
        # matches on this tag selects lines that failed to PARSE, not failed
        # logins (those carry [postfix][eventtype]). Left unchanged so the
        # emitted tags stay identical.
        tag_on_failure => ["_grokparsefailure", "postfix_submission_authenticationfailed"]
      }
    }

    # TLS session established without client certificate authentication.
    if [message] =~ /^Anonymous TLS connection established from/ {
      grok {
        id => "postfix_submission_anontls"
        match => {
          "message" => "Anonymous TLS connection established from %{HOSTNAME:[client][domain]}\[%{IP:[client][address]}\]: %{GREEDYDATA:[postfix][detail]}"
        }
        add_field => { "[postfix][eventtype]" => "submission_anontls" }
        add_tag => ["grokked"]
        # NOTE(review): same tag-naming inconsistency as the auth-failure block.
        tag_on_failure => ["_grokparsefailure", "postfix_submission_anontls"]
      }
    }

    # Expand the trailing key=value text of connect/disconnect lines
    # (presumably Postfix's per-command counters on "disconnect from" --
    # verify against your Postfix version) into [postfix].* fields.
    # No include_keys is set, so every key=value pair after the "]" lands
    # in [postfix] with the kv filter's default splitters.
    if [@metadata][connectdetail] {
      kv {
        source => "[@metadata][connectdetail]"
        target => "[postfix]"
      }
    }
  }
}