from docker elk customize image with

* https://github.com/whyscream/postfix-grok-patterns
* custom imput
* override syslog filter.

elk/01-mailserver.conf

@@ -0,0 +1,7 @@
+input {
+  udp {
+    port => 10514
+    type => "syslog"
+  }
+}
+

elk/10-syslog.conf

@@ -0,0 +1,14 @@
+filter {
+  if [type] == "syslog" {
+    grok {
+      match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:message}" }
+      add_field => [ "received_at", "%{@timestamp}" ]
+      add_field => [ "received_from", "%{host}" ]
+    }
+    syslog_pri { }
+    date {
+      match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
+    }
+  }
+}
+

elk/Dockerfile

@@ -0,0 +1,11 @@
+FROM sebp/elk
+
+RUN mkdir /etc/logstash/patterns.d
+RUN curl -L https://raw.githubusercontent.com/whyscream/postfix-grok-patterns/master/postfix.grok > /etc/logstash/patterns.d/postfix.grok
+RUN curl -L https://raw.githubusercontent.com/whyscream/postfix-grok-patterns/master/50-filter-postfix.conf > /etc/logstash/conf.d/15-filter-postfix.conf
+
+# add mailserver listen
+ADD 01-mailserver.conf /etc/logstash/conf.d/
+# override syslog
+ADD 10-syslog.conf /etc/logstash/conf.d/
+