Replace single filters with a more generic one (#39)

widhalmt · web-flow · commit e17c04dab8d5 · 2022-09-27T10:16:01.000+02:00
helps with #32 helps with #37
diff --git a/filter-50-smtps.conf b/filter-50-smtps.conf
@@ -1,12 +1,9 @@
 filter {
   if [postfix][component] == "smtps" {
 
-    # matches connect from and disconnect from
-    # not very efficient to check every log this way
-    # contributions with better checks are very welcome :-)
-    if [message] =~ /connect from/ {
+    if [message] =~ /from/ {
       grok {
-        match => ["message","(dis)?connect from %{HOSTNAME:[client][domain]}\[%{IP:[client][address]}\](%{GREEDYDATA:[@metadata][connectdetail]})?"]
+        match => ["message","%{DATA:[postfix][connection]} from %{HOSTNAME:[client][domain]}\[%{IP:[client][address]}\](: %{GREEDYDATA:[postfix][detail]})?"]
         id => "postfix_smtps_connect"
         tag_on_failure => ["_grokparsefailure","postfix_smtps_connect_failed"]
         add_field => {
@@ -15,21 +12,7 @@ filter {
         add_tag => "grokked"
       }
 
-    }
-
-    if [message] =~ /^lost connection after/ {
-      grok {
-        match => ["message","lost connection after %{WORD:[postfix][action]} from %{HOSTNAME:[client][domain]}\[%{IP:[client][address]}\]"]
-        id => "postfix_smtps_lostconnection"
-        tag_on_failure => ["_grokparsefailure","postfix_smtps_lostconnection"]
-        add_field => {
-          "[postfix][eventtype]" => "smtps_lostconnection"
-        }
-        add_tag => "grokked"
-      }
-    }
-
-    if [message] =~ /^warning: .*authentication failed/ {
+    } else if [message] =~ /^warning: .*authentication failed/ {
       grok {
         match => ["message","warning: %{HOSTNAME:[client][domain]}\[%{IP:[client][address]}\]: %{GREEDYDATA:[postfix][detail]}"]
         id => "postfix_smtps_authenticationfailed"
@@ -40,24 +23,5 @@ filter {
         add_tag => "grokked"
       }
     }
-
-    if [message] =~ /^Anonymous TLS connection established from/ {
-      grok {
-        match => ["message","Anonymous TLS connection established from %{HOSTNAME:[client][domain]}\[%{IP:[client][address]}\]: %{GREEDYDATA:[postfix][detail]}"]
-        id => "postfix_smtps_anontls"
-        tag_on_failure => ["_grokparsefailure","postfix_smtps_anontls"]
-        add_field => {
-          "[postfix][eventtype]" => "smtps_anontls"
-        }
-        add_tag => "grokked"
-      }
-    }
-
-    if [@metadata][connectdetail] {
-      kv {
-        source => "[@metadata][connectdetail]"
-        target => "[postfix]"
-      }
-    }
   }
 }
