Hello,
We use our own log string for each action in the ACL (deny/accept/another
action using warn):
logwrite = "msg_class":"$acl_c_msg_class", "msg_view":"$acl_c_msg_view", \
    "acl_action":"$acl_c_acl_action", "acl_section":"$acl_c_section", \
    "acl_rule":"$acl_c_rule", "message_id":"$acl_c_message_id", \
    "to":"$acl_c_recipient", \
    "from":"$sender_address_local_part@$sender_address_domain", \
    "from_server":"$sender_fullhost", \
    "acl_score_mta_reason":"$acl_c_score_mta_reason", \
    "acl_spamlog":"$acl_c_spamlog", "acl_score_mta":"$acl_c_score_mta", \
    "acl_advlog_inc":"$acl_c_advlog_inc", "acl_advlog":"$acl_c_advlog", \
    "acl_score_mta_inc":"$acl_c_score_mta_inc", \
    "acl_score_mta_prev":"$acl_c_score_mta_prev"
Then a log normalization rule on rsyslog makes the CEE log:
rule=ACL1_nomsgid_score:"msg_class":%msg_class:quoted-string%, "msg_view":%msg_view:quoted-string%, "acl_action":%acl_action:quoted-string%, "acl_section":%acl_section:quoted-string%, "acl_rule":%acl_rule:quoted-string%, "message_id":%message_id:quoted-string%, "to":%to:quoted-string%, "from":%from:quoted-string%, "from_server":%from_server:quoted-string%, "acl_score_mta_reason":%acl_score_mta_reason:quoted-string%, "acl_spamlog":%acl_spamlog:quoted-string%, "acl_score_mta":%acl_score_mta:quoted-string%, "acl_advlog_inc":%acl_advlog_inc:quoted-string%, "acl_advlog":%acl_advlog:quoted-string%, "acl_score_mta_inc":%acl_score_mta_inc:quoted-string%, "acl_score_mta_prev":%acl_score_mta_prev:quoted-string%
rule=ACL1_msgid_score:%message_id:word% ... (the rest is the same as ACL1_nomsgid_score)
After this we have logs in Elasticsearch like
http://www.slideshare.net/eugeneistomin/istomin-eugene-zabbix-2014, page 21.
---
Best regards,
Eugene Istomin
On Thursday, October 09, 2014 11:42:51 AM Graeme Fowler wrote:
> On Wed, 2014-10-08 at 09:58 +0000, Jasen Betts wrote:
> > IIRC one of the answers said to ask here.
>
> So far as I can ascertain from my (rather extensive) archive of the Exim
> lists, that's not the case.
>
> > the ability to add arbitrary content to log lines could be useful,
>
> Either of these will write arbitrary content to logs:
>
>   warn log_message = Arbitrary Content
>        logwrite    = Arbitrary Content
>
> But actually changing the defined main log format is a dead end, because
> it will break all the tools that have been built up around the defined
> main log format.
>
> In the original case provided, exigrep can already pull out specific
> single elements of a message's lifetime and correlate them into one log
> entry for later processing. That doesn't help the exact request of the
> OP, but it gets some way towards it.
>
> Graeme
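An added example, not code from this thread and not part of Exim, rsyslog or liblognorm: a Python emulation of the two normalization rules posted above (ACL1_nomsgid_score and ACL1_msgid_score), run over constructed log lines in the shape the posted logwrite produces. It assumes that a quoted-string is a double-quoted run with no embedded double quote and that the quotes are not part of the extracted value, that liblognorm reports the tag in front of the colon as event.tags, and that rsyslog emits the result with the "@cee:" cookie; the sample field values and the Exim-style message id are made up. The one thing the rule text cannot show on its own is how it fails: a single double quote inside any of the expanded variables (for example in $sender_fullhost) makes the whole line fall through both rules, and the second rule writes two different things to the message_id key.

```python
import json
import re
from typing import Dict, Optional, Tuple

# Field names in the exact order the posted logwrite emits them.  The
# liblognorm rule is positional literal text, so the order is part of the
# contract: reorder the logwrite and the rule silently stops matching.
FIELDS = [
    "msg_class", "msg_view", "acl_action", "acl_section", "acl_rule",
    "message_id", "to", "from", "from_server", "acl_score_mta_reason",
    "acl_spamlog", "acl_score_mta", "acl_advlog_inc", "acl_advlog",
    "acl_score_mta_inc", "acl_score_mta_prev",
]

# One '"name":%name:quoted-string%' element.  Assumption: a quoted-string is a
# double-quoted run with no embedded double quote, and the quotes themselves
# are not part of the value (verify against your own lognormalizer output).
_PAIR = r'"{}":"([^"]*)"'

# The whole body of ACL1_nomsgid_score: the pairs joined by the literal ", ".
_BODY = re.compile(", ".join(_PAIR.format(re.escape(f)) for f in FIELDS) + "$")


def normalize(line: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (rule_name, fields) for the first rule that matches, else None."""
    m = _BODY.match(line)
    if m:
        return "ACL1_nomsgid_score", dict(zip(FIELDS, m.groups()))
    # ACL1_msgid_score: %message_id:word% (a run of non-whitespace) followed
    # by a single space and then the same body as the first rule.
    head, sep, rest = line.partition(" ")
    if head and sep:
        m = _BODY.match(rest)
        if m:
            fields = {"message_id": head}
            # The rule also writes the quoted message_id pair to the same key,
            # so the later value wins here (assumption: liblognorm does the
            # same; check your output before relying on this field).
            fields.update(zip(FIELDS, m.groups()))
            return "ACL1_msgid_score", fields
    return None


def format_logwrite(fields: Dict[str, str]) -> str:
    """Build the string the posted logwrite would emit for the given values."""
    return ", ".join('"{}":"{}"'.format(k, fields[k]) for k in FIELDS)


def to_cee(rule: str, fields: Dict[str, str]) -> str:
    """Render the result as a Lumberjack/CEE line: the '@cee:' cookie plus JSON."""
    event = {"event.tags": [rule]}
    event.update(fields)
    return "@cee: " + json.dumps(event)


# Constructed sample (not a real log): the message part of a logwrite from the
# RCPT ACL, where Exim has not yet allocated a message id.
SAMPLE_NOMSGID = (
    '"msg_class":"inbound", "msg_view":"rcpt", "acl_action":"deny", '
    '"acl_section":"acl_check_rcpt", "acl_rule":"rbl", "message_id":"", '
    '"to":"alice@example.com", "from":"bob@example.net", '
    '"from_server":"mail.example.net [192.0.2.10]", '
    '"acl_score_mta_reason":"listed in rbl", "acl_spamlog":"", '
    '"acl_score_mta":"10", "acl_advlog_inc":"", "acl_advlog":"", '
    '"acl_score_mta_inc":"10", "acl_score_mta_prev":"0"'
)
# The same body prefixed by a made-up Exim-style message id, as on a line
# written once a message id exists.
SAMPLE_MSGID = "1XcE2l-0004Lo-3A " + SAMPLE_NOMSGID
# A value carrying an embedded double quote: this line matches neither rule.
SAMPLE_BROKEN = SAMPLE_NOMSGID.replace('"deny"', '"de"ny"')

if __name__ == "__main__":
    for line in (SAMPLE_NOMSGID, SAMPLE_MSGID, SAMPLE_BROKEN):
        hit = normalize(line)
        print(to_cee(*hit) if hit else "unparsed: " + line[:40] + "...")
```

Running the block prints two CEE lines and one "unparsed" line. The broken sample is the case to watch for in production: the logwrite does not escape the expanded variables, so any of them containing a double quote produces a line that rsyslog will not tag, and the event disappears from the Elasticsearch view without an error.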