from docker elk customize image with

* https://github.com/whyscream/postfix-grok-patterns * custom imput * override syslog filter.
2016-09-23 16:03:36 -03:00 · 2016-09-23 16:03:36 -03:00 · 0380938a64
parent e08d7c2e19
commit 0380938a64
3 changed files with 32 additions and 0 deletions
--- a/elk/01-mailserver.conf
+++ b/elk/01-mailserver.conf
@ -0,0 +1,7 @@
+input {
+  udp {
+    port => 10514
+    type => "syslog"
+  }
+}
+
--- a/elk/10-syslog.conf
+++ b/elk/10-syslog.conf
@ -0,0 +1,14 @@
+filter {
+  if [type] == "syslog" {
+    grok {
+      match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:message}" }
+      add_field => [ "received_at", "%{@timestamp}" ]
+      add_field => [ "received_from", "%{host}" ]
+    }
+    syslog_pri { }
+    date {
+      match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
+    }
+  }
+}
+
--- a/elk/Dockerfile
+++ b/elk/Dockerfile
@ -0,0 +1,11 @@
+FROM sebp/elk
+
+RUN mkdir /etc/logstash/patterns.d
+RUN curl -L https://raw.githubusercontent.com/whyscream/postfix-grok-patterns/master/postfix.grok > /etc/logstash/patterns.d/postfix.grok
+RUN curl -L https://raw.githubusercontent.com/whyscream/postfix-grok-patterns/master/50-filter-postfix.conf > /etc/logstash/conf.d/15-filter-postfix.conf
+
+# add mailserver listen
+ADD 01-mailserver.conf /etc/logstash/conf.d/
+# override syslog
+ADD 10-syslog.conf /etc/logstash/conf.d/
+