Hello,
I am trying to use crowdsecurity/postfix-spam with systemd-journald.
The problem, I think, is that postfix and systemd-journald are “complicated”:
$ sudo systemctl list-units --type=service | grep postfix
postfix-mta-sts-resolver.service loaded active running Provide MTA-STS policy map to Postfix
postfix.service loaded active exited Postfix Mail Transport Agent
postfix@-.service loaded activ
$ sudo journalctl --unit=postfix
-- Journal begins at Thu 2022-09-29 19:15:01 CEST, ends at Thu 2022-09-29 19:43:50 CEST. --
-- No entries --
The postfix unit has different names in the log:
$ sudo journalctl --unit=postfix*
[...]
Sep 29 19:20:11 mail1 postfix/smtps/smtpd[969408]: xxx
Sep 29 19:20:26 mail1 postfix/cleanup[972330]: xxx
Sep 29 19:20:26 mail1 postfix/qmgr[1874]: xxx
Sep 29 19:20:27 mail1 postfix/smtp[976622]: xxx
Sep 29 19:20:27 mail1 postfix/smtp[976622]: xxx
My acquis.yml config is:
source: journalctl
journalctl_filter:
  - "_SYSTEMD_UNIT=postfix"
labels:
  type: journald
But only 1 line is read (while a lot of new postfix log entries are added to journald):
$ sudo cscli metrics
INFO[29-09-2022 07:48:00 PM] Acquisition Metrics:
+---------------------------------------------+------------+--------------+----------------+------------------------+
| SOURCE | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+---------------------------------------------+------------+--------------+----------------+------------------------+
| journalctl:journalctl-_SYSTEMD_UNIT=postfix | 1 | - | 1 | - |
+---------------------------------------------+------------+--------------+----------------+------------------------+
This stays the same when using "_SYSTEMD_UNIT=postfix".
Debian Bullseye, crowdsec 1.4.1 from packagecloud, hub updated and upgraded → all current
Any hints on what to do? Thanks a lot!
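An added example, not part of the original post and not CrowdSec's own code, for dry-running a journalctl_filter list offline: it applies journald's match semantics (exact string compare on the field value, OR between values of the same field, AND across different fields) to a few constructed `journalctl -o json` lines modelled on the unit and process names shown above, so a filter such as `_SYSTEMD_UNIT=postfix` can be checked against the unit names that actually occur in the journal before it goes into acquis.yml. The sample entries and their messages are constructed; on a live host the same fields come from `journalctl -o json` and the distinct unit names from `journalctl -F _SYSTEMD_UNIT`.

```python
import json
from collections import defaultdict

# Constructed sample of `journalctl -o json` output (one JSON object per line),
# modelled on the unit names and process names in the post. Not real log data.
SAMPLE_JOURNAL = """
{"_SYSTEMD_UNIT":"postfix@-.service","SYSLOG_IDENTIFIER":"postfix/smtps/smtpd","_PID":"969408","MESSAGE":"connect from unknown[192.0.2.10]"}
{"_SYSTEMD_UNIT":"postfix@-.service","SYSLOG_IDENTIFIER":"postfix/cleanup","_PID":"972330","MESSAGE":"message-id=<example@mail1>"}
{"_SYSTEMD_UNIT":"postfix@-.service","SYSLOG_IDENTIFIER":"postfix/qmgr","_PID":"1874","MESSAGE":"from=<a@example.org>, size=1234"}
{"_SYSTEMD_UNIT":"postfix-mta-sts-resolver.service","SYSLOG_IDENTIFIER":"postfix-mta-sts-resolver","_PID":"1200","MESSAGE":"policy map request"}
{"_SYSTEMD_UNIT":"ssh.service","SYSLOG_IDENTIFIER":"sshd","_PID":"999","MESSAGE":"Accepted publickey for admin"}
"""

def load_entries(text):
    """Parse journalctl JSON lines into dicts; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def parse_filter(filters):
    """Group FIELD=VALUE matches by field, the way journalctl groups its arguments."""
    wanted = defaultdict(set)
    for item in filters:
        field, _, value = item.partition("=")
        wanted[field].add(value)
    return wanted

def matches(entry, wanted):
    """journald match semantics: values of the same field are OR-ed, different
    fields are AND-ed, and each comparison is an exact string match (no globbing)."""
    return all(entry.get(field) in values for field, values in wanted.items())

def dry_run(filters, entries):
    """Return the entries a journalctl_filter list would select."""
    wanted = parse_filter(filters)
    return [e for e in entries if matches(e, wanted)]

def field_values(entries, field):
    """Distinct values of a field, like `journalctl -F FIELD`."""
    return sorted({e[field] for e in entries if field in e})

if __name__ == "__main__":
    entries = load_entries(SAMPLE_JOURNAL)
    print("units seen:", field_values(entries, "_SYSTEMD_UNIT"))
    # The filter from the post against the unit name that actually carries the postfix log
    for flt in (["_SYSTEMD_UNIT=postfix"], ["_SYSTEMD_UNIT=postfix@-.service"]):
        print(flt, "->", len(dry_run(flt, entries)), "entries")
```

Because the comparison is exact, `_SYSTEMD_UNIT=postfix` selects nothing while `_SYSTEMD_UNIT=postfix@-.service` selects the smtpd, cleanup and qmgr lines; listing the field's distinct values first is the quickest way to see which spelling the journal really uses.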