JSON logging, to Splunk

Joolee amavisd at joolee.nl
Sun Oct 5 13:32:43 CEST 2014


It wouldn't be that hard to create a plugin for that using the amavis
custom hooks API. I'm planning on writing one myself to feed KairosDB with
statistical information and log some extra information about a mail to
db/file.

On 5 October 2014 13:11, Patrick Proniewski <patrick.proniewski at univ-lyon2.fr> wrote:

> Hello,
>
> I've given up on ELK (ElasticSearch/Logstash/Kibana), and I'm moving to
> Splunk. Amavisd-new's ability to log in JSON format is a very great feature,
> and I would like to be able to pipe my JSON logs to Splunk.
>
> The redis output is still defined from my past tests with ELK, and I have
> defined this:
>
> $log_templ = <<'EOD';
> [:report_json]
> EOD
>
> Unfortunately I've got some problems feeding logs into Splunk:
>
> - Splunk won't pull data from a Redis server. It just does not have a proper
> connector for that.
> - Amavisd-new will not log pure JSON into a file; there are always regular
> log lines (start/stop for example), and every mail analysis log entry is
> prefixed with "time-stamp hostname binary-path[PID]: (thread-number)"; the JSON
> comes only after all that information. Hence, Splunk fails to recognize
> proper JSON, and won't index the log file.
> - Using syslog with JSON output is not an option: on FreeBSD syslogd can't
> handle lines longer than 1000 bytes.
>
> Any help is greatly appreciated.
>
> I'm registered to digest, feel free to {B}Cc me.
>
> Patrick PRONIEWSKI
> --
> Head of Operations Unit - DSI - Université Lumière Lyon 2
> Information Systems Security Officer
>
>
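A small filter that strips the "time-stamp hostname binary-path[PID]: (thread-number)" prefix Patrick describes, drops the plain-text start/stop lines, and writes one JSON object per line so an ordinary file can be indexed as JSON. This is an added example, not code from the thread or from amavisd-new; the lines in SAMPLE_LOG and their field names are constructed to match the prefix format quoted above, and truncated lines (what a 1000-byte syslog limit would leave) are counted rather than silently lost.

```python
#!/usr/bin/env python3
"""Turn an amavisd-new file log with [:report_json] entries into JSON Lines."""
import json
import re
import sys

# Prefix written before every entry when amavisd-new logs to a file; the
# "(task-id)" part is absent on daemon start/stop lines.
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>\S+)\[(?P<pid>\d+)\]: (?:\((?P<task>[\w-]+)\) )?(?P<body>.*)$"
)

# Constructed sample (not a real capture): start-up line, two complete
# JSON reports, one report truncated mid-object.
SAMPLE_LOG = (
    "Oct  5 13:11:02 mx1 /usr/local/sbin/amavisd[1234]: starting. "
    "/usr/local/sbin/amavisd at mx1 amavisd-new-2.9.1 (20140424)\n"
    'Oct  5 13:11:05 mx1 /usr/local/sbin/amavisd[1234]: (01234-01) {"@timestamp":'
    '"2014-10-05T11:11:05.123Z","action":["PASS"],"content_type":"Clean",'
    '"sender":"alice@example.net","recipients":["bob@example.org"],"size":2048}\n'
    'Oct  5 13:11:09 mx1 /usr/local/sbin/amavisd[1234]: (01234-02) {"@timestamp":'
    '"2014-10-05T11:11:09.456Z","action":["PASS"],"content_type":"Spam"\n'
    'Oct  5 13:12:00 mx1 /usr/local/sbin/amavisd[1234]: (01234-03) {"@timestamp":'
    '"2014-10-05T11:12:00.789Z","action":["PASS"],"content_type":"Clean","size":512}\n'
)


def split_amavis_log(lines):
    """Return (json_records, regular_line_count, malformed_line_count).

    Parsed reports gain amavis_host / amavis_task_id from the prefix (keys
    chosen so they cannot shadow report fields). Non-JSON lines are only
    counted; JSON that does not parse is counted separately so lost mail
    events show up in the numbers instead of vanishing.
    """
    records, regular, malformed = [], 0, 0
    for line in lines:
        m = PREFIX_RE.match(line.rstrip("\n"))
        body = m.group("body") if m else ""
        if not m or not body.startswith("{"):
            regular += 1
            continue
        try:
            rec = json.loads(body)
        except json.JSONDecodeError:
            malformed += 1
            continue
        rec.setdefault("amavis_host", m.group("host"))
        rec.setdefault("amavis_task_id", m.group("task"))
        records.append(rec)
    return records, regular, malformed


if __name__ == "__main__":
    recs, _, bad = split_amavis_log(sys.stdin)
    for rec in recs:  # one compact object per line for the JSON indexer
        print(json.dumps(rec, separators=(",", ":")))
    if bad:
        print(f"warning: dropped {bad} malformed JSON line(s)", file=sys.stderr)
```

Run it as `tail -F amavis.log | ./amavis_json.py >> amavis.jsonl` and point Splunk at the `.jsonl` file instead of the raw log.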