From 0380938a64500d1a1aa971dfde89dbdc3a1d68c4 Mon Sep 17 00:00:00 2001
From: Pablo Castorino
Date: Fri, 23 Sep 2016 16:03:36 -0300
Subject: [PATCH] from docker elk customize image with * https://github.com/whyscream/postfix-grok-patterns * custom imput * override syslog filter.
---
 elk/01-mailserver.conf | 7 +++++++
 elk/10-syslog.conf | 14 ++++++++++++++
 elk/Dockerfile | 11 +++++++++++
 3 files changed, 32 insertions(+)
 create mode 100644 elk/01-mailserver.conf
 create mode 100644 elk/10-syslog.conf
 create mode 100644 elk/Dockerfile
diff --git a/elk/01-mailserver.conf b/elk/01-mailserver.conf
new file mode 100644
index 00000000..d7e4a74d
--- /dev/null
+++ b/elk/01-mailserver.conf
@@ -0,0 +1,7 @@
+input {
+ udp {
+ port => 10514
+ type => "syslog"
+ }
+}
+
diff --git a/elk/10-syslog.conf b/elk/10-syslog.conf
new file mode 100644
index 00000000..335100cc
--- /dev/null
+++ b/elk/10-syslog.conf
@@ -0,0 +1,14 @@
+filter {
+ if [type] == "syslog" {
+ grok {
+ match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:message}" }
+ add_field => [ "received_at", "%{@timestamp}" ]
+ add_field => [ "received_from", "%{host}" ]
+ }
+ syslog_pri { }
+ date {
+ match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
+ }
+ }
+}
+
diff --git a/elk/Dockerfile b/elk/Dockerfile
new file mode 100644
index 00000000..40f4486b
--- /dev/null
+++ b/elk/Dockerfile
@@ -0,0 +1,11 @@
+FROM sebp/elk
+
+RUN mkdir /etc/logstash/patterns.d
+RUN curl -L https://raw.githubusercontent.com/whyscream/postfix-grok-patterns/master/postfix.grok > /etc/logstash/patterns.d/postfix.grok
+RUN curl -L https://raw.githubusercontent.com/whyscream/postfix-grok-patterns/master/50-filter-postfix.conf > /etc/logstash/conf.d/15-filter-postfix.conf
+ # add mailserver listen
+ADD 01-mailserver.conf /etc/logstash/conf.d/
+ # override syslog
+ADD 10-syslog.conf /etc/logstash/conf.d/
+
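Review bot: The `udp` input on port 10514 accepts unauthenticated plaintext datagrams with no `host` restriction, so any sender that can reach the container can inject events that are tagged `type => "syslog"` and flow through the same filters as genuine mail-server logs, and with UDP the source address can be spoofed as well. Bind the listener to the interface the mail host actually uses (`host => ...`), firewall the published port to that host, and record the decision in the file, e.g. `# Unauthenticated plaintext UDP: restrict reachability to the mail host; anything that can reach this port can inject log events.` If provenance of the log stream matters, the `tcp` input with `ssl_enable` (or a TLS-capable relay in front of Logstash) is the alternative to weigh.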
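Review bot: The grok pattern captures `%{GREEDYDATA:message}` into the same field it matches on, and grok does not replace an existing field by default, so after this filter `message` is a two-element array (original line plus stripped body) unless `overwrite => [ "message" ]` is added next to `match`; the postfix filter that the Dockerfile installs as `15-filter-postfix.conf` presumably keys on `message` too, so it inherits the problem. The date pattern `"MMM d HH:mm:ss"` is meant to cover the space-padded single-digit day that `%{SYSLOGTIMESTAMP}` accepts; the Logstash reference example writes it with two spaces (`"MMM  d HH:mm:ss"`), so if the single space here is not just a rendering artifact, single-digit days will land in `_dateparsefailure`. Since `@timestamp` is rewritten from sender-supplied text, the `received_at`/`received_from` fields are the only trustworthy ingestion record and deserve a comment such as `# received_at/received_from record ingestion time and peer; @timestamp below is taken from the (untrusted) message.`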
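Review bot: The two `RUN curl` lines pull Logstash pipeline configuration from the `master` branch of a third-party GitHub repository at build time with no pinning and no checksum, and `curl` runs without `-f`, so an HTTP error page is redirected into `conf.d`/`patterns.d` and the build still succeeds; whoever controls that branch (or the path to it) controls what Logstash loads, pipeline config can carry `ruby` filters, and the image is not reproducible. Pin the fetch to a commit and verify digests as sketched below, or simpler still vendor the two files into `elk/` and `COPY` them; `FROM sebp/elk` should likewise be pinned to a tag or digest rather than the implicit `latest`. The local files should use `COPY` rather than `ADD`, and `EXPOSE 10514/udp` would document the listener that `01-mailserver.conf` opens. No `USER` is set here, so Logstash runs with whatever privileges the base image leaves in place — confirm that is accepted.
```dockerfile
FROM sebp/elk:<pinned-tag>   # or @sha256:<digest>; implicit :latest is not reproducible

# Upstream patterns/filter are pipeline config that Logstash executes: pin to a commit
# and verify digests instead of trusting whatever `master` serves at build time.
ARG POSTFIX_GROK_REF=<commit-sha>
ARG POSTFIX_GROK_SHA256=<sha256>
ARG POSTFIX_FILTER_SHA256=<sha256>
RUN mkdir -p /etc/logstash/patterns.d \
 && curl -fsSL "https://raw.githubusercontent.com/whyscream/postfix-grok-patterns/${POSTFIX_GROK_REF}/postfix.grok" \
      -o /etc/logstash/patterns.d/postfix.grok \
 && echo "${POSTFIX_GROK_SHA256}  /etc/logstash/patterns.d/postfix.grok" | sha256sum -c - \
 && curl -fsSL "https://raw.githubusercontent.com/whyscream/postfix-grok-patterns/${POSTFIX_GROK_REF}/50-filter-postfix.conf" \
      -o /etc/logstash/conf.d/15-filter-postfix.conf \
 && echo "${POSTFIX_FILTER_SHA256}  /etc/logstash/conf.d/15-filter-postfix.conf" | sha256sum -c -

# add mailserver listen / override syslog (local files: COPY, not ADD)
COPY 01-mailserver.conf 10-syslog.conf /etc/logstash/conf.d/
EXPOSE 10514/udp
```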