add ELK support (#331)

* add support to forward logs to ELK stack. * from docker elk customize image with * https://github.com/whyscream/postfix-grok-patterns * custom imput * override syslog filter. * fix typo. * Explicit forwarder vars and messages. * add amavis grok * add dovecot grok * add geoip db * add logstash geoip plugin * add custom amavis grok from @tomav. * switch to filebeats input * refactor syslog filter * add filebeat * add template config * replace rsyslog with filebeat.
2025-08-03 17:44:49 +02:00 · 2016-09-29 22:52:05 +02:00 · 2016-09-29 22:52:05 +02:00 · e4bab5b996
commit e4bab5b996
parent c2eb975ace
8 changed files with 124 additions and 1 deletions
--- a/target/filebeat.yml.tmpl
+++ b/target/filebeat.yml.tmpl
@ -0,0 +1,13 @@
+output:
+  logstash:
+    enabled: true
+    hosts:
+      - $ELK_HOST:$ELK_PORT
+
+filebeat:
+  prospectors:
+    -
+      paths:
+        - /var/log/mail/mail.log
+      document_type: syslog
+
--- a/target/start-mailserver.sh
+++ b/target/start-mailserver.sh
@ -354,10 +354,22 @@ if [ "$ONE_DIR" = 1 -a -d $statedir ]; then
    fi
  done
 fi
+if [ "$ENABLE_ELK_FORWARDER" = 1 ]; then
+ELK_PORT=${ELK_PORT:="5044"}
+ELK_HOST=${ELK_HOST:="elk"}
+echo "Enabling log forwarding to ELK ($ELK_HOST:$ELK_PORT)"
+cat /etc/filebeat/filebeat.yml.tmpl \
+	| sed "s@\$ELK_HOST@$ELK_HOST@g" \
+	| sed "s@\$ELK_PORT@$ELK_PORT@g" \
+	 > /etc/filebeat/filebeat.yml
+fi

 echo "Starting daemons"
 cron
 /etc/init.d/rsyslog start
+if [ "$ENABLE_ELK_FORWARDER" = 1 ]; then
+/etc/init.d/filebeat start
+fi

 # Enable Managesieve service by setting the symlink
 # to the configuration file Dovecot will actually find