extract fields from json-wrapped postfix logs?

cgosnell — Fri, 26 May 2023 21:53:33 GMT

I have logs landing in Splunk Cloud that are normal `postfix_syslog` lines, but are wrapped in a `json` object. 3 Examples:

{"line":"May 26 21:20:53 postfix postfix/smtpd[5654]: disconnect from ip-10-0-8-152.ec2.internal[10.0.8.152] commands=0/0","source":"stdout","tag":"c38633d4c285"}

{"line":"May 26 20:54:03 postfix postfix/relay/smtp[5646]: 7EC2D34FCCBB3F9BF5AE0: to=\u003cuser@domain.com\u003e, relay=none, delay=265110, delays=265050/0.03/60/0, dsn=4.4.1, status=deferred (connect to otherdomain-com.mail.protection.outlook.com[104.47.66.10]:25: Connection timed out)","source":"stdout","tag":"c38633d4c285"}

{"line":"May 26 18:48:19 postfix postfix/relay/smtp[188]: 785A2C8161D5BF5DB2B20: to=\u003cuser@domain.com\u003e, relay=anotherdomain-com.mail.protection.outlook.com[104.47.59.138]:25, delay=1.7, delays=0.14/0.03/0.32/1.2, dsn=2.6.0, status=sent (250 2.6.0 \u003c20230428184817.785A2C8161D5BF5DB2B20@postfix\u003e [InternalId=19529216330946, Hostname=serial.number.prod.outlook.com] 8233 bytes in 0.374, 21.462 KB/sec Queued mail for delivery)","source":"stdout","tag":"e6a9651d6930"}

I would like to have the same fields for these logs extracted as if they were plain `postfix_syslog` lines. Simply setting source_type `postfix_syslog` does not work, a couple of fields get extracted, but most do not.

How should I deal with this?

Implement a source type that "calls" the `postfix_syslog` source_type on the value of the `line` json element?
Write a custom source type that saves the value of the `line` element to a variable `actual_log_content`, copy/paste all the configuration of the `postfix_syslog` source type but modify it to be looking at the `actual_log_content` variable?
Go in and hack at the thing handing logs to Splunk to prevent it from json-wrapping the lines?

What's the right way to cope?

topic extract fields from json-wrapped postfix logs? in Splunk Search

extract fields from json-wrapped postfix logs?