Splunk Search

extract fields from json-wrapped postfix logs?

New Member

I have logs landing in Splunk Cloud that are normal `postfix_syslog` lines, but are wrapped in a `json` object. 3 Examples:

{"line":"May 26 21:20:53 postfix postfix/smtpd[5654]: disconnect from ip-10-0-8-152.ec2.internal[] commands=0/0","source":"stdout","tag":"c38633d4c285"}

{"line":"May 26 20:54:03 postfix postfix/relay/smtp[5646]: 7EC2D34FCCBB3F9BF5AE0: to=\u003cuser@domain.com\u003e, relay=none, delay=265110, delays=265050/0.03/60/0, dsn=4.4.1, status=deferred (connect to otherdomain-com.mail.protection.outlook.com[]:25: Connection timed out)","source":"stdout","tag":"c38633d4c285"}

{"line":"May 26 18:48:19 postfix postfix/relay/smtp[188]: 785A2C8161D5BF5DB2B20: to=\u003cuser@domain.com\u003e, relay=anotherdomain-com.mail.protection.outlook.com[]:25, delay=1.7, delays=0.14/0.03/0.32/1.2, dsn=2.6.0, status=sent (250 2.6.0 \u003c20230428184817.785A2C8161D5BF5DB2B20@postfix\u003e [InternalId=19529216330946, Hostname=serial.number.prod.outlook.com] 8233 bytes in 0.374, 21.462 KB/sec Queued mail for delivery)","source":"stdout","tag":"e6a9651d6930"}

I would like to have the same fields for these logs extracted as if they were plain `postfix_syslog` lines. Simply setting source_type `postfix_syslog` does not work, a couple of fields get extracted, but most do not.

How should I deal with this?

  • Implement a source type that "calls" the `postfix_syslog` source_type on the value of the `line` json element?
  • Write a custom source type that saves the value of the `line` element to a variable `actual_log_content`,  copy/paste all the configuration of the `postfix_syslog` source type but modify it to be looking at the `actual_log_content` variable?
  • Go in and hack at the thing handing logs to Splunk to prevent it from json-wrapping the lines?

What's the right way to cope?

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...