Splunk Search

extract fields from json-wrapped postfix logs?

New Member

I have logs landing in Splunk Cloud that are normal `postfix_syslog` lines, but are wrapped in a `json` object. 3 Examples:

{"line":"May 26 21:20:53 postfix postfix/smtpd[5654]: disconnect from ip-10-0-8-152.ec2.internal[] commands=0/0","source":"stdout","tag":"c38633d4c285"}

{"line":"May 26 20:54:03 postfix postfix/relay/smtp[5646]: 7EC2D34FCCBB3F9BF5AE0: to=\u003cuser@domain.com\u003e, relay=none, delay=265110, delays=265050/0.03/60/0, dsn=4.4.1, status=deferred (connect to otherdomain-com.mail.protection.outlook.com[]:25: Connection timed out)","source":"stdout","tag":"c38633d4c285"}

{"line":"May 26 18:48:19 postfix postfix/relay/smtp[188]: 785A2C8161D5BF5DB2B20: to=\u003cuser@domain.com\u003e, relay=anotherdomain-com.mail.protection.outlook.com[]:25, delay=1.7, delays=0.14/0.03/0.32/1.2, dsn=2.6.0, status=sent (250 2.6.0 \u003c20230428184817.785A2C8161D5BF5DB2B20@postfix\u003e [InternalId=19529216330946, Hostname=serial.number.prod.outlook.com] 8233 bytes in 0.374, 21.462 KB/sec Queued mail for delivery)","source":"stdout","tag":"e6a9651d6930"}

I would like to have the same fields for these logs extracted as if they were plain `postfix_syslog` lines. Simply setting source_type `postfix_syslog` does not work, a couple of fields get extracted, but most do not.

How should I deal with this?

  • Implement a source type that "calls" the `postfix_syslog` source_type on the value of the `line` json element?
  • Write a custom source type that saves the value of the `line` element to a variable `actual_log_content`,  copy/paste all the configuration of the `postfix_syslog` source type but modify it to be looking at the `actual_log_content` variable?
  • Go in and hack at the thing handing logs to Splunk to prevent it from json-wrapping the lines?

What's the right way to cope?

Labels (1)
0 Karma
Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out >> 🏆 Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...