Logstash grok filter to tag received and bounced messages

Question

Sthg makes me crazy, I would like to parse Postfix logs to know the status of emails, here is what I tried so far :

input {
   file {path => \"/var/log/ma         


        

Answer 1

I have found the problem.

It's coming from this test:

if [message] =~ /[ "bounced" ]/ {
  mutate {add_tag => [ "bounce" ]}
}

The regex is the part between the /, so your regex is evaluated like that : https://regex101.com/r/eaB5jp/2

So all your lines will match and get the tag.

In order to work, the test should be:

if [message] =~ /bounced/ {
  mutate {add_tag => [ "bounce" ]}
}