diff --git a/elk/01-mailserver.conf b/elk/01-mailserver.conf
new file mode 100644
index 00000000..d7e4a74d
--- /dev/null
+++ b/elk/01-mailserver.conf
@@ -0,0 +1,7 @@
+input {
+udp {
+port => 10514
+type => "syslog"
+}
+}
+
diff --git a/elk/10-syslog.conf b/elk/10-syslog.conf
new file mode 100644
index 00000000..335100cc
--- /dev/null
+++ b/elk/10-syslog.conf
@@ -0,0 +1,14 @@
+filter {
+if [type] == "syslog" {
+grok {
+match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:message}" }
+add_field => [ "received_at", "%{@timestamp}" ]
+add_field => [ "received_from", "%{host}" ]
+}
+syslog_pri { }
+date {
+match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
+}
+}
+}
+
diff --git a/elk/Dockerfile b/elk/Dockerfile
new file mode 100644
index 00000000..40f4486b
--- /dev/null
+++ b/elk/Dockerfile
@@ -0,0 +1,11 @@
+FROM sebp/elk
+
+RUN mkdir /etc/logstash/patterns.d
+RUN curl -L https://raw.githubusercontent.com/whyscream/postfix-grok-patterns/master/postfix.grok > /etc/logstash/patterns.d/postfix.grok
+RUN curl -L https://raw.githubusercontent.com/whyscream/postfix-grok-patterns/master/50-filter-postfix.conf > /etc/logstash/conf.d/15-filter-postfix.conf
+
+# add mailserver listen
+ADD 01-mailserver.conf /etc/logstash/conf.d/
+# override syslog
+ADD 10-syslog.conf /etc/logstash/conf.d/
+
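Review bot: The udp input on port 10514 binds every interface (the plugin's `host` default is 0.0.0.0) and syslog over UDP carries no authentication, so any host that can reach the container can inject events that the downstream grok/postfix filters will index as mail-server logs. If the mailserver container is the only intended sender, bind to the internal interface with `host => "<INTERNAL_IFACE_IP>"` (placeholder) and keep the port unpublished on the Docker host, enforcing the rest at the network layer. A one-line comment in the file stating that contract would help operators: `# unauthenticated UDP syslog from the mailserver container only — do not publish this port`.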
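Review bot: The grok pattern captures `%{GREEDYDATA:message}` into a field named `message` that already holds the raw line, and grok appends rather than replaces by default, so `message` becomes a two-element array (raw line plus stripped body) on every syslog event. Add `overwrite => [ "message" ]` inside the `grok { }` block so downstream filters see a single string, or capture into a distinct name such as `syslog_message` as the upstream Logstash example does. Note also that the downloaded `15-filter-postfix.conf` only runs after this file because of conf.d's lexical ordering; a comment `# must sort before 15-filter-postfix.conf, which expects program/message to be parsed` would make that dependency explicit. Whether `%{host}` is a string or an object depends on the Logstash version in the base image — worth confirming.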