Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Missing "discarding EHLO keywords" #205

Open
ulab opened this issue Nov 21, 2024 · 4 comments · May be fixed by #206
Open

Missing "discarding EHLO keywords" #205

ulab opened this issue Nov 21, 2024 · 4 comments · May be fixed by #206

Comments

@ulab
Copy link
Contributor

ulab commented Nov 21, 2024

I have found a missing message:

Nov 21 10:48:44 mailserver postfix/smtpd[12345]: discarding EHLO keywords: CHUNKING

Since this might help identify issues, do we want to add this to the patterns in some form?

http://www.postfix.org/BDAT_README.html

@whyscream
Copy link
Owner

I'm not really seeing a pattern here: it's just a message. Using a pattern to parse the line can separate the keywords from the discarding EHLO keywords introduction, but I don't think that many installs have a large set of keyword discards configured (per clientor in general), meaning that it would be useful to have this information available in some structured form. But feel free to create a PR, of course :)

@ulab ulab linked a pull request Dec 3, 2024 that will close this issue
@ulab
Copy link
Contributor Author

ulab commented Dec 3, 2024

I wasn't looking for a structured form, but mostly not losing the message because of a missing pattern. While this is just informational, it might help in case people report problems.

I did it similar to what POSTFIX_QMGR_INFO is doing. Which might be a case for a named capture too?

@whyscream
Copy link
Owner

Just wondering: your message should never be lost, right? It's already there, normally (i.e. basic syslog format), looking something like: {"program: "postfix/smtpd", "message": "discarding EHLO keywords: CHUNKING"} with some additional stuff.

Your PR proposes to 'enhance' the pristine message with a single new field postfix_message which contains a verbatim copy of the original message field, but only in very specific circumstances. What problem are you trying to solve? Is this a real-world situation that you ran into?

@ulab
Copy link
Contributor Author

ulab commented Dec 3, 2024

The message stems from a security workaround that was introduced early this year.

While you are right that it only duplicates the message, I'd want it to be set similar to the rest of the postfix_message attributes that are already in use and not get tagged a _grok_postfix_smtpd_nomatch.

If you have a table of postfix data in Kibana, you might not want to have the regular message field in there. Or you might want to have a graph of postfix_message counts by type to see if something is off.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants