From 839223422968abc9bb7300144451797217a757f3 Mon Sep 17 00:00:00 2001
From: Pablo Castorino
Date: Wed, 28 Sep 2016 10:57:33 -0300
Subject: [PATCH] add custom amavis grok from @tomav.

---
 elk/Dockerfile | 4 ++--
 elk/amavis.grok | 11 +++++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 elk/amavis.grok

diff --git a/elk/Dockerfile b/elk/Dockerfile
index 700b57a1..9860497b 100644
--- a/elk/Dockerfile
+++ b/elk/Dockerfile
@@ -4,8 +4,8 @@ RUN mkdir /etc/logstash/patterns.d
 #postfix grok and filter
 RUN curl -L https://raw.githubusercontent.com/whyscream/postfix-grok-patterns/master/postfix.grok > /etc/logstash/patterns.d/postfix.grok
 RUN curl -L https://raw.githubusercontent.com/whyscream/postfix-grok-patterns/master/50-filter-postfix.conf > /etc/logstash/conf.d/15-filter-postfix.conf
-# amavis grok and filter
-RUN curl -L https://raw.githubusercontent.com/ninech/logstash-patterns/master/patterns.d/amavis.grok > /etc/logstash/patterns.d/amavis.grok
+# custom amavis grok and filter
+ADD amavis.grok /etc/logstash/patterns.d
 RUN curl -L https://raw.githubusercontent.com/ninech/logstash-patterns/master/exmples/50-filter-amavis.conf > /etc/logstash/conf.d/16-filter-amavis.conf
 # dovecot grok and filter
 RUN curl -L https://raw.githubusercontent.com/ninech/logstash-patterns/master/patterns.d/dovecot.grok > /etc/logstash/patterns.d/dovecot.grok
diff --git a/elk/amavis.grok b/elk/amavis.grok
new file mode 100644
index 00000000..4bc74859
--- /dev/null
+++ b/elk/amavis.grok
@@ -0,0 +1,11 @@
+MAVIS_MESSAGEID Message-ID: <%{DATA:amavis_message-id}>
+AMAVIS_SIZE size: %{POSINT:amavis_size}
+AMAVIS_TESTS Tests: \[%{DATA:amavis_tests}\]
+AMAVIS_FROM From: %{DATA:amavis_header_from}
+AMAVIS_HITS Hits: %{NUMBER:amavis_hits}
+AMAVIS_QUARANTINE quarantine: %{NOTSPACE:amavis_quarantine}
+AMAVIS_SUBJECT Subject: "%{DATA:amavis_subject}"
+AMAVIS_KV ((%{AMAVIS_MESSAGEID}|%{AMAVIS_SIZE}|%{AMAVIS_TESTS}|%{AMAVIS_FROM}|%{AMAVIS_HITS}|%{AMAVIS_QUARANTINE}|%{AMAVIS_SUBJECT}|%{DATA}), )*
+
+AMAVIS \(%{DATA:amavis_id}\) %{DATA:amavis_action} %{DATA:amavis_status} {%{DATA:amavis_relaytype}},( %{GREEDYDATA:amavis_policybank})? \[%{IP:remote_ip}\]:%{POSINT:remote_port} \[%{IP:amavis_ip}\] <%{DATA:from}> -> <%{DATA:to}>(, quarantine: %{DATA:quarantine_id})?, Queue-ID: %{DATA:queue_id}(, Message-ID: <%{DATA:message_id}>)?(, mail_id: %{DATA:mail_id})?, Hits: %{NUMBER:amavis_hits}, size: %{POSINT:amavis_size}(, queued_as: %{DATA:amavis_queue_id})?(, dkim_sd=%{DATA:amavis_dkim})?, %{NUMBER:amavis_duration} ms
+
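Review bot: The new `ADD amavis.grok /etc/logstash/patterns.d` should be `COPY amavis.grok /etc/logstash/patterns.d/`: COPY is the instruction meant for local files, whereas ADD additionally auto-extracts archives and fetches remote URLs, behaviour this line does not need and that a reader has to rule out; the trailing slash also makes the directory destination explicit. A related concern is that the pattern file is now vendored but the filter that consumes it, `50-filter-amavis.conf`, is still pulled from the unpinned `master` branch of a third-party repository with no checksum, so the filter can drift away from the pattern names this file defines between builds and the image is not reproducible. Vendoring that filter next to the grok file, or pinning the URL to a commit and verifying a checksum after the download, would keep the two in lockstep.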
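Review bot: The first line of the new file defines `MAVIS_MESSAGEID` while `AMAVIS_KV` references `%{AMAVIS_MESSAGEID}`, which is never defined; unless a leading `A` was lost in transit, any filter that uses `AMAVIS_KV` will fail to compile in Logstash, and if no filter uses it the pattern is simply dead. The fix is the one-character rename `AMAVIS_MESSAGEID Message-ID: <%{DATA:amavis_message-id}>`. While there, `amavis_message-id` is the only field name with a hyphen (the top-level `AMAVIS` pattern spells it `message_id`), so `amavis_message_id` would keep the field naming consistent for downstream queries. The `AMAVIS` pattern also relies almost entirely on `%{DATA}` between delimiters, which matches loosely and backtracks heavily on malformed or unexpectedly long log lines; tighter sub-patterns such as `%{NOTSPACE:amavis_action}` for `amavis_action`, `amavis_status`, `queue_id` and `mail_id` would be both faster and a stricter parse.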