filter-50-cleanup.conf

filter {

  if [postfix][component] == "cleanup" {

    if [message] =~ /^message-id=/ {
      grok {
        match => ["message","message-id=<%{DATA:[postfix][msgid_long]}>"]
        tag_on_failure => ["_grokparsefailure","postfix_cleanup_failed"]
        id => "postfix_cleanup"
        add_field => {
          "[postfix][eventtype]" => "cleanup"
        }
        add_tag => "grokked"
      }
    }

    if [message] =~ /^milter-reject:/ {
      if [message] =~ /^milter-reject: END-OF-MESSAGE/ {
        grok {
          match => ["message","milter-reject: END-OF-MESSAGE from %{HOSTNAME:[client][domain]}\[%{IP:[client][address]}\]: %{GREEDYDATA:[postfix][detail]}"]
          tag_on_failure => ["_grokparsefailure","postfix_cleanup_milter_eom"]
          id => "postfix_cleanup_milter_eom"
          add_field => {
            "[postfix][eventtype]" => "cleanup_milter_eom"
          }
          add_tag => "grokked"
        }
      }
    }

    if [message] =~ /^reject:/ {
      if [message] =~ /^reject: header/ {
        grok {
          match => ["message","reject: header %{DATA:[postfix][header]} from %{HOSTNAME:[client][address]}\[%{IP:[client][ip]}\]; from=<(%{DATA:[destination][user][email]})?> to=<%{DATA:[destination][user][email]}> proto=%{WORD:[postfx][proto]} helo=%{DATA:[postfix][helo]}: %{GREEDYDATA:[postfix][detail]}"]
          tag_on_failure => ["_grokparsefailure","postfix_cleanup_reject_header"]
          id => "postfix_cleanup_reject_header"
          add_field => {
            "[postfix][eventtype]" => "cleanup_reject_header"
          }
          add_tag => "grokked"
        }
      }
    }

    mutate {
      add_field => {
        "[ecs][version]" => "1.5.0"
      }
    }

  }
}

# TODO
# replace: header Received: from [