Amazon customer service reps reaction after answering a call.
I feel like I am caught in an episode of bad customer service TV show, except this is real and it’s from Amazon.
Hello customer. I’ll be glad to help you, but first, please verify you are a customer.
But, but, that’s the reason I am calling….
I am sorry, I can’t help you if you can not prove you are a customer.
As a long time Amazon Prime customer, I have 2FA turns on. It’s the usual send a code to my phone, with the fall back is to run an authenticator app on the phone and enter code from that app. All well and good, works well for some time now. Except that phone happens to be my work phone, and now that I am no longer working there, I do not have the phone anymore. Oops!
In my defense, I did remember to update all other online accounts to use my personal phone. The only one I forgot was my Amazon account.
Last night, Friday, after coming home from my last day at $WORK. I tried updating my Amazon account and immediately run into problems. I can’t login since Amazon want to send code to my work phone, which I do not have any longer. I can not use code from authenticator app (Google Authenticator), since it’s also tied to that phone. I contacted Amazon customer service via the phone number that popped up when I was having problem login.
Cue dramatic music. The customer service rep was courteous and nice, but could not help me because I could not tell him the code that he sent to my phone…. LOL. I tried explaining that I no longer have that phone. This person did not know what to do, put me on hold for 10 minutes and come back online to tell me he can’t help me. I asked to escalate to his manager, his answer was because he could not verify that I am who I said I am, he can not escalate and can not help me…. I hang up and sent an email to Amazon support asking for help, explaining my problem and ask them to call my house phone number to verify (my house number is in my account settings).
I got an email reply from Amazon support telling me that they can not call me, but they gave me a number to call for help. I called the number and run into the same problem. The service rep can not verify me by sending a code to “my phone”. After explaining again the issue, the rep said that he will check with someone. I was put on hold for more than 10 minutes, and got disconnected while waiting.
By this point, I was not happy, so I clicked on the support email feedback which takes me to an Amazon web page. After giving the lowest rating and clicking submit, right away I got a popup that ask for my current phone number (so Amazon can call you back). After entering my home number, I immediately got a call from Amazon support. We went through the same process as before, where we got to the verification point and the customer service rep realized I do not have phone to receive verification code and I can not run authenticator app on that phone. This rep also asked to put me on hold so he can consult with someone. After a long 15 minutes or so wait, he came back and said someone will email me with instruction on how to resolve this.
That conversation was around noon today (Saturday 4/29/2017). It is now almost 6pm, I still have not seen any email from Amazon support.
It’s hard to believe that I am the first Amazon customer to run into this issue. This over reliance on using a phone as the proof of identity is single point of failure. What about all the other information? Such as my home phone? Obviously they can and do call my home phone as my earlier support call from them show. They could and did ask about other information in my account to verify, why is that not enough?
I have shot off another email to Amazon support asking for escalation. Funny thing, while trying to send this email to support, Amazon wants me to login to my account…. arrrgggg!
I’ll just post this experience here as a tale of how not to design your 2FA without adequate fall back. Problems happen and you need to have another method to reset login that does not depends on the very device that is used for 2FA. Most importantly, you need to give your customer service personnel ways to deal with unexpected circumstances, beyond just reading from scripts. My experiences with Amazon customer service was terrible! Refusing to help me because they can’t verify me? Will not escalate until I can prove I am a customer? Seriously?
Update 2017/04/30 Sun – Amazon service responded to my last email asking for help with the response that they are going to reset my password. That’s not going to help. I know my password, I don’t have my phone so I can’t login. This reminds me of another person’s trouble trying to get help from Amazon customer service.
Update 2017/04/30 Sun – once more, I clicked on the feedback button in the support email, and gave a 1 star review. Got a popup to enter my phone number so Amazon can call me. This time, I got someone calling from state of Washington (last 3 times were from non-US support centers). Fourth time was the charm. This service rep had run into another customer with similar problem as mine before and she knew what was needed. She had to pass me over to the 2FA customer service team (hmmm). They sent me an email with link to: Amazon 2FA recovery web page.
Essentially, I have to verify my identity by uploading a picture (scan or photo) of government-issued identity document. It will take 1-2 days after that for Amazon to do what they need and remove the 2FA from my account.
Took a picture of my driver license, blacked out sensitive data, leaving only my name and home address and submitted it to the recovery page. I find it amusing that Amazon think this is more secure. With today’s graphic editors, I could have easily created a fake photo ID claiming to be me.
Update 2017/05/01 Mon – I received an email from Amazon support saying that they have disabled my 2FA. I tested it and was able to login to my account. I went to reset 2FA to my new personal phone and tested it again. Finally! Everything is working again.
Conclusion
Terrible customer experience. Bad security theater. I understand the need to verify users and protect their data, but the methods for doing so and the training Amazon provide to their customer service personnel is very lacking.
Customer Service training
Amazon need to train service reps on how to deal with the unexpected, beyond their scripted responses. They should enable their reps to escalate to higher level of support as needed. The big fail was refusing to help because a user can not provide proof of their identity. Imagine you just got robbed and now the police refused to help you because you can not prove your identity.
Bad security
Requiring additional verification when the primary method failed or not available is fine. But making users jump through hoop based on perceived security is not. Requiring users to send in photos or scans of government issued IDs is security theater. With modern graphic editing tools, and so many scanned pictures already available on the internet, it is easy to create spoofed IDs and submitting them. Especially when the only requirement was the name and home address on the ID has to match what Amazon has about user.
Since Amazon already have shared information about the users, why not query the user on that as proof of identity? If there are concern about access to personal data, then have dedicated support team that is only for this identity verification task. This team can only access a particular user’s data when that user need to be verified. The access is logged and documented.
I have seen questions on the web about how to migrate (copy/move) files from one GDrive account to another. There are many reasons, such as migrating from one Google account (such as company) to your personal account, etc.
WARNING: you may be violating your company policy by moving/copying files from your company Google account to a personal. I advise you to consult your company security officer or equivalent before doing this.
There are other reasons for wanting to copy or moving large number of files from one GDrive to another. Such as for me. I shared a folder in my GDrive with my family for putting our family photos in a central location. My family have G account, and there own GDrive. It seem that Google make it painful to copy files from one GDrive to another. Their suggestions is some form of downloading the files to your local drive first, and then uploading it to the other GDrive that you want.
This is painful!!! There are so many reasons why it’s painful…. 😉
The solution I’ve used is to install Google Drive app (supports OSX, Windows, Linux, Android and IOS).
Link Google Drive app to one Google account, and now you can treat the files in it as on your local drive and drag from there to the GDrive account you want to copy to.
Substitute in the version ‘4.5.1’ with the version you are upgrading to. So far I’ve seen it since Kibana 4.1.x to 4.5.1.
It seem that if you upgrade Kibana, there is a timing bug in how Kibana note its current version. You will get lots of these errors in Kibana logs:
log [08:08:30.649] [error][status][plugin:elasticsearch] Status changed from green to red - [document_already_exists_exception] [config][4.5.1]: document already exists, with: {"shard":"0","index":".kibana"}
These came from me upgrading version 4.5.0 to 4.5.1. I’ve seen same thing when I went from 4.1.4 to 4.5.0.
The fix is to delete the config record in your .kibana index. Don’t worry, it gets recreated again. No loss as far as I know.
If you have a need to encrypt communication between your Elasticsearch nodes, but do not (yet) need the complicated ACL provided from either Shield (Elastic commercial product) or Search-Guard (open source), then you can use Search-Guard-SSL (open source).
I am going to show you how to add Search-Guard-SSL (SG-SSL for short) to Elasticsearch. There are a few requirements.
SG-SSL requires Elasticsearch version 2.0.x or newer. Make sure you are using the correct version!
First, download the correct version (zip) file from here.
Second, verify the integrity of your downloaded file.
$ curl -o search-guard-ssl-2.2.1.7.jar https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-ssl/2.2.1.7/search-guard-ssl-2.2.1.7.jar
$ curl -o search-guard-ssl-2.2.1.7.jar.asc https://oss.sonatype.org/content/repositories/releases/com/floragunn/search-guard-ssl/2.2.1.7/search-guard-ssl-2.2.1.7.jar.asc
Third, you need to use a cert — either generate your own; or one that you have purchased/generated by your Corp IT — I am not going to go into it here.
Fourth, decide where your trust store and cert are going to reside and configure elasticsearch.yml as appropriate.
Below is just the configuration specific to SG-SSL that need to be added to your elasticsearch.yml. Edit it as appropriate and add it to your Elasticsearch config.
######################################################################################
# HTTP/REST layer SSL
# NOTE: Here, I am only using transport (node to node) encryption.
# I am NOT using HTTP encryption as I want to be able to use the REST API without
# requiring HTTPS. I have HTTP (port 9200) bind to localhost only. You may need to
# turn it on depending on your security policy.
######################################################################################
searchh.guard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_type: PKCS12
searchguard.ssl.transport.keystore_filepath: /export/apps/my-elk-cluster/var/identity.p12
# Alias name (default: first alias which could be found)
#searchguard.ssl.transport.keystore_alias: my_alias
# passwords here are not really in use. Java has a bug where password-less keystores don't work.
searchguard.ssl.transport.keystore_password: my-keystore-password
searchguard.ssl.transport.truststore_type: JKS
searchguard.ssl.transport.truststore_filepath: /etc/pki/certs/cacerts
# Alias name (default: first alias which could be found)
#searchguard.ssl.transport.truststore_alias: my_alias
searchguard.ssl.transport.truststore_password: changeit
searchguard.ssl.transport.truststore_alias: my-alias
searchguard.ssl.transport.enforce_hostname_verification: true
searchguard.ssl.transport.resolve_hostname: true
searchguard.ssl.transport.enable_openssl_if_available: false
#####################################################################################
# Enable or disable rest layer security - https, (default: false)
searchguard.ssl.http.enabled: false
# JKS or PKCS12 (default: JKS)
#searchguard.ssl.http.keystore_type: PKCS12
# Relative path to the keystore file (this stores the server certificates), must be placed under the config/ d
ir
#searchguard.ssl.http.keystore_filepath: keystore_https_node1.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.http.keystore_alias: my_alias
# Keystore password (default: changeit)
#searchguard.ssl.http.keystore_password: changeit
# Do the clients (typically the browser or the proxy) have to authenticate themself to the http server, defaul
t is false
#searchguard.ssl.http.enforce_clientauth: false
# JKS or PKCS12 (default: JKS)
#searchguard.ssl.http.truststore_type: PKCS12
# Relative path to the truststore file (this stores the client certificates), must be placed under the config/
dir
#searchguard.ssl.http.truststore_filepath: truststore_https.jks
# Alias name (default: first alias which could be found)
#searchguard.ssl.http.truststore_alias: my_alias
# Truststore password (default: changeit)
#searchguard.ssl.http.truststore_password: changeit
# Use native Open SSL instead of JDK SSL if available (default: true)
searchguard.ssl.http.enable_openssl_if_available: false
That’s it. Now deploy to all your nodes in cluster and the nodes should be communicating over SSL. The above SG-SSL config only turn on SSL for node(transport) but leave REST (HTTP) un-encrypted. This is because I have my ES nodes bind HTTP (9200) to localhost, you have to be able to login to my ES nodes to access the REST port.
NOTE
ES 2.0 and newer has the JDK security policy manager on by default. This will prevent SG-SSL from reading your truststore and certs if it is not located in ES config directory tree.
You will need to provide your own security policy file to give ES read permission to these files.
Here is how to do that:.
First is that you must tell the JDK you want to use your security policy mapping.
$ cat /export/apps/my-elk-instance/var/java.policy
/* this lets ES mess with a folder in a strange place. */
grant {
permission java.io.FilePermission "/export/apps/my-elk-instance/-", "read";
permission java.io.FilePermission "/etc/pki/certs/*", "read";
};
I use tribe nodes quite a lot at $work. It’s how we federate disparate ELK clusters and able to search across them. There are many reasons to have distinct ELK clusters in each data center and/or region.
Some of these are:
1. Elasticsearch does not work well when there is network latencies, which is guaranteed when your nodes are located geographically distant places. You could spend a lot of money to get fast network connection, or you can just have only local clusters. (Me? I pick saving money and avoiding head aches :-)).
2. It can get insanely expensive to create an ES cluster that span data centers/regions. The network bandwidth requirement, the data charges, the care and feeding of such a latency sensitive cluster…. OMG!
3. I don’t really think a 3rd reason is needed.
Although tribe nodes are great for federating ES clusters, there are some quirks in setting them up and caring for them (not as bad as ES clusters that span datacenter though).
One big gotcha for many people who are setting up tribe nodes for the first time is that tribe node can not create index. Tribe can only update, modify an existing index. What this mean is that if you point Kibana at a tribe node, you must first make sure you Kibana index is already created in one of the downstream ES cluster. Otherwise, you will have to create it yourself.
Otherwise, the first time you create an index pattern and tried to save it, you will get an error similar to the subject of this post.
MasterNotDiscoveredException
The error message is wrong and misleading. It has nothing to do with Master node. It has everything to do with tribe node not able to create (PUT) a Kibana index.
Personally, I prefer to make the Kibana index that I use with tribe to have its own unique name. So I run a dedicated Kibana instance pointing to the dedicated tribe (client) node.
Here are the steps I do to get a tribe node and its associated Kibana ready for use.
1. Configure the tribe node to know all the ES clusters I want to federate data from.
tribe.elasticsearch.yml:
cluster.name: toplevel_tribe
node.name: ${HOSTNAME}
node.master: false
node.data: false
tribe:
DC1-appservice:
cluster.name: logging-DC1
network.host: 0.0.0.0
network.publish_host: ${HOSTNAME}
discovery.zen.ping.unicast.hosts:
- dc1-app13225.prod.example.com
- dc1-app13226.prod.example.com
- dc1-app13227.prod.example.com
DC2-appservice:
cluster.name: logging-DC2
network.host: 0.0.0.0
network.publish_host: ${HOSTNAME}
discovery.zen.ping.unicast.hosts:
- dc2-app12281.prod.example.com
- dc2-app12282.prod.example.com
- dc2-app12283.prod.example.com
DC3.....etc to DCNN
my-es-dedicated-config-cluster:
cluster.name: es-config-CORP
network.host: 0.0.0.0
network.publish_host: ${HOSTNAME}
discovery.zen.ping.unicast.hosts:
- corp-app1234.example.com
on_conflict: prefer_my-es-dedicated-config-cluster
2. Now pre-create the Kibana index in my-ES-dedicated-config-cluster. This is a small cluster in my admin/corp data center that is only for housing configurations, Kibana dashboards, etc.
3. A simpler and more correct way is to temporary point Kibana to the dedicated ES cluster (instead of the tribe).
Do this via this setting in your kibana.yml file:
# The Elasticsearch instance to use for all your queries.
elasticsearch.url: “http://ES-node:9200”
Start Kibana, let it create the index. Then stop it, change the setting back to point to your tribe node.
Doing it this way ensure that your kibana is correct.
curl command for pre-creating kibana (3 and 4) index:
Elasticsearch (and the entire ELK stack) is pretty useful open source piece of software for analyzing large datasets. I manage a fairly large ELK infrastructure at work — around 90+ ES clusters, 300+ TB of data. One of things I’ve found myself having to do is copying and/or reindexing one or more index(es). Sometime to the same ES cluster, sometime moving index(es) to another cluster.
Regardless, it is just something that is done often enough, but yet in an ad-hoc manner. It’s not worth setting up logstash config to do this and then tearing them down.
Here is an example logstash config to do something like this.
This gets old fast when there are many indices. So I wrote a tool to do this in Go. I used the elastic go library from Olivere (https://github.com/olivere/elastic).
You will need to download it, and make sure you have a golang build environment setup. Then change into the source where espipe.go is located and type go build.
If you don’t have golang build environment setup and just want the binary to use, you can d/l espipe (this is built for linux x86_64).
Simple usage:
$ ./espipe -h
Usage of ./espipe:
-bulksize int
Number of docs to send to ES per chunk (default to 500) (default 500)
-dst string
Destination ES cluster (default to http://localhost:9200) (default "http://localhost:9200")
-sidx string
Source index(es) to copy (default to all '*') (default "logstash*")
-src string
Source ES cluster (default to http://localhost:9200) (default "http://localhost:9200")
-tidx string
Target index to copy (default to 'copyidx') (default "copyidx")
# the following copy all nginx-access-YYYY.MM.DD indices from local cluster to
# anothercluster and consolidated all into one index
$ ./espipe -dst http://localhost:9200 -src http://anothercluster:9200 -sidx 'nginx-access*' -tidx 'nginx-consolidated' -bulksize 1000
I’ve been using pflogsumm for the longest time to monitor my postfix logs. When I used to manage hundreds of domains and many more mailing lists, it was important to keep an eye on my mail servers.
These days, it is just my own personal mail server for my dozens of domains. I don’t even need to, what with Google and other low cost email services. It’s for fun and to keep my skills sharp.
Since I have been working with ELK stack a lot lately, I have been wanting to send all my logs — nginx, syslog and postfix maillog — into ELK. There is already existing grok patterns in logstash for nginx, apache and syslog, but none for postfix. So I do what I always do, sit down and dived in.
To be clear, I don’t believe in re-inventing the wheel, so I did due diligence and searched for what others have done first. There were several places that posted their grok recipes for postfix. But none were exactly plug-n-play for me. I’ll list them here.
I ended up using a modified version of antispin’s patterns. I don’t use Amavisd, but I do use Dovecot. So I added new patterns and modified what was there for my particular installation.
My installation is
Fedora 21 (now 23) x86_64
Postfix 2.xx
Dovecot 2.xx
Elasticsearch v1.7.3
logstash v1.5.5
Kibana 4.1.3.
Hardware is:
Dell XPS1210 laptop (3.5GB RAM and 250GB HD)
ASUS Eee PC 900A (Atom N270, 2GB RAM and 4GB SSD, with 80GB external USB2 drive) – this one run Fedora 21 X86 (32 bit). Note that I have not seen any problems with mixing 32, 64 bit systems wrt ELK data.
On Fedora, postfix and dovecot logs go to syslogs and end up in /var/log/maillog.
I have logstash installed in /home/logstash. So I added in postfix pattern file in /home/logstash/patterns and called it (what else) postfix.
Also want to say that the site grokdebug really saved me a lot of time and headache. Use it if you ever have to create new grok patterns!
Here is the content of that file.
# Syslog stuff
COMPONENT ([\w._\/%-]+)
COMPID postfix\/%{COMPONENT:component}(?:\[%{NUMBER:pid}\])?
POSTFIX (?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{COMPID}:
# POSTFIX %{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{COMPID}: %{QUEUEID:queueid}
# POSTFIX_MESSAGE %{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:host} %{DATA:program}/%{DATA:subprog}\[%{NUMBER:pid}\]: %{POSTFIX_QUEUEID:queueid}:
# Milter
HELO (?:\[%{IP:helo}\]|%{HOST:helo}|%{DATA:helo})
MILTERCONNECT %{QUEUEID:qid}: milter-reject: CONNECT from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; proto=%{WORD:proto}
MILTERUNKNOWN %{QUEUEID:qid}: milter-reject: UNKNOWN from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; proto=%{WORD:proto}
MILTEREHLO %{QUEUEID:qid}: milter-reject: EHLO from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; proto=%{WORD:proto} helo=<%{HELO}>
MILTERMAIL %{QUEUEID:qid}: milter-reject: MAIL from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; from=<%{EMAILADDRESS:from}> proto=%{WORD:proto} helo=<%{HELO}>
MILTERHELO %{QUEUEID:qid}: milter-reject: HELO from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; proto=%{WORD:proto} helo=<%{HELO}>
MILTERRCPT %{QUEUEID:qid}: milter-reject: RCPT from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; from=<%{EMAILADDRESS:from}> to=<%{EMAILADDRESS:to}> proto=%{WORD:proto} helo=<%{HELO}>
MILTERENDOFMESSAGE %{QUEUEID:qid}: milter-reject: END-OF-MESSAGE from %{RELAY:relay}: %{GREEDYDATA:milter_reason}; from=<%{EMAILADDRESS:from}> to=<%{EMAILADDRESS:to}> proto=%{WORD:proto} helo=<%{HELO}>
# Postfix stuff
QUEUEID (?:[A-F0-9]+|NOQUEUE)
EMAILADDRESSPART [a-zA-Z0-9_.+-=:~]+
EMAILADDRESS %{EMAILADDRESSPART:local}@%{EMAILADDRESSPART:remote}
RELAY (?:%{HOSTNAME:relayhost}(?:\[%{IP:relayip}\](?::[0-9]+(.[0-9]+)?)?)?)
#RELAY (?:%{HOSTNAME:relayhost}(?:\[%{IP:relayip}\](?:%{POSREAL:relayport})))
POSREAL [0-9]+(.[0-9]+)?
#DELAYS %{POSREAL:a}/%{POSREAL:b}/%{POSREAL:c}/%{POSREAL:d}
#DELAYS (%{POSREAL}[/]*)+
DSN %{NONNEGINT}.%{NONNEGINT}.%{NONNEGINT}
STATUS sent|deferred|bounced|expired
PERMERROR 5[0-9]{2}
MESSAGELEVEL reject|warning|error|fatal|panic
POSTFIXSMTPMESSAGE %{MESSAGELEVEL}: %{GREEDYDATA:reason}
POSTFIXACTION discard|dunno|filter|hold|ignore|info|prepend|redirect|replace|reject|warn
# postfix/smtp and postfix/lmtp, postfix/local and postfix/error
POSTFIXSMTP %{POSTFIXSMTPRELAY}|%{POSTFIXSMTPCONNECT}|%{POSTFIXSMTP5XX}|%{POSTFIXSMTPREFUSAL}|%{POSTFIXSMTPLOSTCONNECTION}|%{POSTFIXSMTPTIMEOUT}
# Jun 17 04:41:52 dir postfix/smtp[14434]: CE4FC560C0D: to=, relay=localhost[127.0.0.1]:2525, delay=0.32, delays=0.05/0.01/0.19/0.07, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1B6864661B2F)
POSTFIXSMTPRELAY %{QUEUEID:qid}: to=<%{DATA:to}>,(?:\sorig_to=<%{DATA:orig_to}>,)? relay=%{RELAY},(?: delay=%{POSREAL:delay},)?(?: delays=%{DATA:delays}?,)?(?: conn_use=%{POSREAL:conn_use},)?( %{WORD}=%{DATA},)+? dsn=%{DSN:dsn}, status=%{STATUS:result} %{GREEDYDATA:reason}
POSTFIXSMTPCONNECT connect to %{RELAY}: %{GREEDYDATA:reason}
POSTFIXSMTP5XX %{QUEUEID:qid}: to=<%{EMAILADDRESS:to}>,(?:\sorig_to=<%{EMAILADDRESS:orig_to}>,)? relay=%{RELAY}, (%{WORD}=%{DATA},)+ dsn=%{DSN:dsn}, status=%{STATUS:result} \(host %{HOSTNAME}\[%{IP}\] said: %{PERMERROR:responsecode} %{DATA:smtp_response} \(in reply to %{DATA:command} command\)\)
POSTFIXSMTPREFUSAL %{QUEUEID:qid}: host %{RELAY} refused to talk to me: %{GREEDYDATA:reason}
POSTFIXSMTPLOSTCONNECTION %{QUEUEID:qid}: lost connection with %{RELAY} while %{GREEDYDATA:reason}
POSTFIXSMTPTIMEOUT %{QUEUEID:qid}: conversation with %{RELAY} timed out while %{GREEDYDATA:reason}
# postfix/smtpd
POSTFIXSMTPD %{POSTFIXSMTPDCONNECTS}|%{POSTFIXSMTPDMILTER}|%{POSTFIXSMTPDACTIONS}|%{POSTFIXSMTPDTIMEOUTS}|%{POSTFIXSMTPDLOGIN}|%{POSTFIXSMTPDCLIENT}|%{POSTFIXSMTPDNOQUEUE}|%{POSTFIXSMTPDWARNING}|%{POSTFIXSMTPDLOSTCONNECTION}
POSTFIXSMTPDCONNECTS (?:dis)?connect from %{RELAY}
POSTFIXSMTPDMILTER %{MILTERCONNECT}|%{MILTERUNKNOWN}|%{MILTEREHLO}|%{MILTERMAIL}|%{MILTERHELO}|%{MILTERRCPT}
POSTFIXSMTPDACTIONS %{QUEUEID:qid}: %{POSTFIXACTION:postfix_action}: %{DATA:command} from %{RELAY}: %{PERMERROR:responsecode} %{DSN:dsn} %{DATA}: %{DATA:reason}; from=<%{EMAILADDRESS:from}> to=<%{EMAILADDRESS:to}> proto=%{DATA:proto} helo=<%{HELO}>
#POSTFIXSMTPDACTIONS %{QUEUEID:qid}: %{POSTFIXACTION:postfix_action}: %{DATA:command} from %{RELAY}: %{DATA:smtp_response}: %{DATA:reason}; from=<%{EMAILADDRESS:from}> to=<%{EMAILADDRESS:to}> proto=%{DATA:proto} helo=<%{HELO}>
POSTFIXSMTPDTIMEOUTS timeout after %{DATA:command} from %{RELAY}
POSTFIXSMTPDLOGIN %{QUEUEID:qid}: client=%{DATA:client}, sasl_method=%{DATA:saslmethod}, sasl_username=%{GREEDYDATA:saslusername}
POSTFIXSMTPDCLIENT %{QUEUEID:qid}: client=%{GREEDYDATA:client}
POSTFIXSMTPDNOQUEUE NOQUEUE: %{POSTFIXACTION:postfix_action}: %{DATA:command} from %{RELAY}: %{GREEDYDATA:reason}
POSTFIXSMTPDWARNING warning:( %{IP}: | hostname %{HOSTNAME} )?%{GREEDYDATA:reason}
# Jun 3 16:40:28 dir postfix/smtpd[16526]: improper command pipelining after HELO from 41.254.8.1.ZTE.WiMAX.dynamic.ltt.ly[41.254.8.1]: QUIT\r\n
POSTFIXSMTPDLOSTCONNECTION (?:lost connection after %{DATA:smtp_response} from %{RELAY}|improper command pipelining after HELO from %{GREEDYDATA:reason})
# postfix/cleanup
POSTFIXCLEANUP %{POSTFIXCLEANUPMESSAGE}|%{POSTFIXCLEANUPMILTER}
POSTFIXCLEANUPMESSAGE %{QUEUEID:qid}: (resent-)?message-id=(<)?%{GREEDYDATA:messageid}(>)?
POSTFIXCLEANUPMILTER %{MILTERENDOFMESSAGE}
# postfix/bounce
POSTFIXBOUNCE %{QUEUEID:qid}: sender (non-)?delivery( status)? notification: %{QUEUEID:bouncequeueid}
# postfix/qmgr and postfix/pickup
# Jun 15 14:33:26 dir postfix/qmgr[1282]: 76A5C560C09: from=<2924~aduong=saigon.com@cebounce.trainwithcft.org>, size=21928, nrcpt=1 (queue active)
POSTFIXQMGR %{QUEUEID:qid}: (?:removed|from=<(?:%{DATA:from})?>(?:, size=%{NUMBER:size}, nrcpt=%{NUMBER:nrcpt} \(%{GREEDYDATA:queuestatus}\))?)
# postfix/anvil
# May 19 19:33:17 dir postfix/scache[8102]: statistics: domain lookup hits=0 miss=1 success=0%
#POSTFIXANVIL statistics:( %{DATA:anvilstatistic})?( for %{DATA:remotehost})?( at )?%{SYSLOGTIMESTAMP:timestamp}
POSTFIXANVIL statistics: %{GREEDYDATA:reason}
# postfix/trivial-rewrite
POSTFIXREWRITE warning: do not list domain %{DATA:domain} in BOTH mydestination and virtual_alias_domains
# AMAVISD
USER_AGENT User-Agent|X-Mailer
RECIPIENTS <%{EMAILADDRESS:recipient}>(,<%{GREEDYDATA:recipientlist}>)?
ORIGIN (%{DATA:originating_net} )\[%{IP:relay}\](:%{NUMBER}) \[%{IP:originip}\]
AMAVIS %{SYSLOGBASE} \(%{DATA}\) %{WORD:action} %{WORD:ccat} \{%{GREEDYDATA:policybank}\}, %{ORIGIN} <(%{EMAILADDRESS:from})> -> %{GREEDYDATA}, Queue-ID: %{QUEUEID}, Message-ID: <%{DATA:messageid}>%{GREEDYDATA:rest_of_message}
#AMAVISDNEW %{SYSLOGBASE} \(%{DATA:amavisdid}\) %{WORD:action} %{WORD:ccat} %{GREEDYDATA:policybank}, (%{GREEDYDATA:origin_net}) \[%{IP:relayip}\](:%{POSINT}) \[%{IP:originip}\] <(%{EMAILADDRESS:from})?> -> %{RECIPIENTS:recipients}, Queue-ID:%{QUEUEID}, Message-ID: <%{DATA:messageid}>,( mail_id: %{DATA:mail_id},)? Hits: %{NUMBER:hits:float}, size: %{NUMBER:size:int},( queued_as: %{QUEUEID:qid},)? Subject: "%{DATA:subject}", From: %{DATA:from},( %{USER_AGENT}: %{DATA:user_agent},)? Tests: \[%{DATA:TESTS}\],( shortcircuit=%{WORD:shortcircuit},)?( autolearn=%{WORD:autolearn},)? %{POSINT:elapsedtime} ms
#AMAVISDNEW %{SYSLOGBASE} \(%{DATA:amavisdid}\) %{WORD:action} %{WORD:ccat} %{GREEDYDATA:policybank}, \[%{RELAY:relayip}\] \[%{IP:originip}\] <(%{EMAILADDRESS:from})?> -> %{RECIPIENTS:recipients}, Message-ID: <%{DATA:messageid}>,( mail_id: %{DATA:mail_id},)? Hits: %{NUMBER:hits:float}, size: %{NUMBER:size:int},( queued_as: %{QUEUEID:qid},)? Subject: "%{DATA:subject}", From: %{DATA:from},( %{USER_AGENT}: %{DATA:user_agent},)? Tests: \[%{DATA:TESTS}\],( shortcircuit=%{WORD:shortcircuit},)?( autolearn=%{WORD:autolearn},)? %{POSINT:elapsedtime} ms
# Dovecot
# Jun 17 21:30:16 dir dovecot: imap(tin): Disconnected: Logged out in=397 out=45702
# Jun 15 09:26:18 dir dovecot: imap(tin): Connection closed in=352 out=1726
# Jun 19 01:19:29 dir dovecot: imap(pnguyen): Connection closed in=0 out=362
#DOVEID dovecot: %{DATA:component}(?:\(%{DATA:user}\))?(:)?
DOVEIMAP imap\(%{DATA:user}\): %{DATA:reason} in=%{NUMBER:inbytes} out=%{NUMBER:outbytes}
# May 21 21:58:12 dir dovecot: master: Warning: /home/alex is no longer mounted. See http://wiki2.dovecot.org/Mountpoints
# Jun 5 16:13:31 dir dovecot: anvil: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
DOVECMD anvil|auth|config|log|master
DOVEMISC %{DOVECMD:command}: %{GREEDYDATA:reason}
# DOVEMISC %{(anvil|auth|config|log|master):command}: %{GREEDYDATA:reason}
DOVELOGIN imap-login: %{DATA:action}:(?: user=<(%{DATA:user})?>, (method=%{DATA:loginmethod}, )?rip=%{IP:rip}, lip=%{IP:lip},( mpid=%{NUMBER:mpid},( %{DATA:sectype},)?| %{DATA:securesession},)? session=<%{DATA:session}>| %{GREEDYDATA:reason})
DOVELDA lda\((%{DATA:user})?\):( %{DATA:action}:)? msgid=(?:<%{DATA:mesgid}@%{DATA:domain}>|%{DATA:mesgid}):( saved mail to| stored mail into mailbox) .*?%{DATA:folder}.*?
DOVEAUTH auth-worker\(%{NUMBER:pid}\): pam\((?:%{USERNAME:user}|%{EMAILADDRESS:user}),%{IP:ip}\): %{GREEDYDATA:reason}
DOVECOT (?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} dovecot: (%{DOVEIMAP}|%{DOVELOGIN}|%{DOVELDA}|%{DOVEAUTH}|%{DOVEMISC})
#PF %{SYSLOGBASE} (%{POSTFIXSMTP}|%{POSTFIXANVIL}|%{POSTFIXQMGR}|%{POSTFIXBOUNCE}|%{POSTFIXCLEANUP}|%{POSTFIXSMTPD}|%{AMAVIS})
PF %{POSTFIX} (?:%{POSTFIXSMTP}|%{POSTFIXANVIL}|%{POSTFIXQMGR}|%{POSTFIXBOUNCE}|%{POSTFIXCLEANUP}|%{POSTFIXSMTPD}|%{POSTFIXREWRITE})
MAILLOG (%{PF}|%{DOVECOT})
Here is the logstash.conf file, which uses the file input plugin and elasticsearch output plugin, along with the grok filter to make use of our patterns. Note that after analyzing the default mapping of incoming data, I decided to create my own customized template and override the default logstash mapping. You can leave as is, I just happen to want more control over my data mappings. The custom mapping is included below.
input {
file {
path => "/var/log/maillog*"
exclude => "*.gz"
start_position => "beginning"
type => "maillog"
}
}
filter {
if [type] == "maillog" {
grok {
patterns_dir => ["/home/logstash/config/patterns"]
match => { "message" => ["%{PF}", "%{DOVECOT}" ] }
}
date {
match => [ "timestamp", "MMM dd HH:mm:ss" ]
}
}
# I wanted to monitor metrics and health of logstash
metrics {
meter => "events"
add_tag => "metric"
}
}
output {
if [type] == "maillog" {
elasticsearch {
index => "maillog-%{+YYYY.MM.dd}"
host => "localhost"
port => "9200"
protocol => "http"
flush_size => 1000
########################################################
# the next 4 lines are for explicit index mapping
manage_template => true
template_overwrite => true
template => "/home/logstash/config/templates/maillog.json"
template_name => "maillog"
}
}
if "metric" in [tags] {
stdout {
codec => line {
format => "rate: %{events.rate_1m}"
}
}
}
}
I’ve been running ELK clusters for over a year now, and want to share tips and tricks that I’ve found to be useful.
Feel free to post questions and corrections. I’ll try to answer and update when possible.
Elasticsearch
Split brained – this is when you have more than one node in your cluster becoming master.
It is best to avoid ever having this happen. Use the rule of thumb, e.g. if you have N nodes, the number of nodes that can be master is N/2 + 1. Even better, set aside a dedicated pool of master nodes (I recommend minimum of 3 master capable nodes).
If split brained does happen, you want to stop one of the master node ASAP. Depending on whether you have replicas or not, it could be easy fix, or you might end up having to re-index if your indices has gotten out of sync by having the replica promoted to primary and new index data sent to it.
Failed node(s) – one or more failed nodes. There are many scenarios, from failing hardware to outages causing data corruption, etc.
In 5.0 there is a tool which can be used to truncate corrupt translog files. This doesn't exist in 2.x but there is a workaround:
POST my_index/_close
PUT my_index/_settings
{ "index.engine.force_new_translog": true }
POST my_index/_open
PUT my_index/_settings
{ "index.engine.force_new_translog": false }
NOTE: Any data in the corrupted translog will be lost.
How to size a cluster?
I want to create a new Elasticsearch cluster. What are the recommended sizing guidelines?
Answer:
This is very much a use case dependent answer. The factors that should be taken into considerations are:
How much data do you expect to index?
Frequency of new data. How often is new data to be indexed? Daily? Hourly?
