logstash-plugins / logstash-patterns-core


Postfix queue ID Parsed in program Field

corey-hammerton opened this issue · comments

Postfix logging of mail messages through the Logstash Syslog input has resulted in the postfix queue ID being parsed into the program field in Elasticsearch from the SYSLOGPROG pattern. I feel this is the better place to log this issue than with https://github.com/logstash-plugins/logstash-input-syslog

For all general issues, please provide the following details for fast resolution:

  • Version: 4.0.2
  • Operating System: CentOS 6.5
  • Config File (if you have sensitive info, please remove it):

        input {
          syslog {
            port => 1028
            add_field => {
              "[@metadata][type]" => "syslog"
            }
          }
        }

  • Sample Data:

        {
          "_index": "XXXXX",
          "_type": "XXXXX",
          "_id": "AVkI9o-g74i7gdEBG3oj",
          "_score": null,
          "_source": {
            "severity": 6,
            "pid": "32585",
            "program": [
              "postfix/smtp",
              "4101B87FB4"
            ],
            "message": " to=, relay=XXXXX[XXXXX]:25, delay=0.23, delays=0.17/0.04/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 6CC4741CBA)",
            "priority": 22,
            "logsource": "XXXXX",
            "tags": [],
            "@timestamp": "2016-12-16T18:48:13.000Z",
            "@Version": "1",
            "host": "XXXXX",
            "facility": 2,
            "severity_label": "Informational",
            "facility_label": "mail"
          }
        }

  • Steps to Reproduce: Replay an RFC3164-compliant syslog message with the body shown above (sensitive information redacted).

This was caused by a conflicting GROK pattern. Closing.
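The failure mode reported in this issue, as an added example that is not part of the issue or of logstash-patterns-core: two grok captures share the field name `program`, so grok stores both values and the field comes out as an array (`["postfix/smtp", "4101B87FB4"]`), which is exactly what the sample event above shows. The header regex stands in for the syslog input's grok expression with its SYSLOGPROG shape; the second-stage Postfix pattern is a hypothetical stand-in for the conflicting pattern, which the issue does not show. The sample line is constructed from the redacted event (placeholder host, recipient and relay; the queue IDs, pid, timestamp and priority are the ones the issue reports), and `merge` reproduces grok's behaviour of replacing only fields listed in its `overwrite` option while turning any other repeated capture into an array. `multivalued_fields` is the pipeline check a practitioner would want: a scalar field that arrives as an array means two patterns collided on a name and will break field mappings and queries downstream.

```python
import re

# Constructed RFC3164 line modelled on the redacted event in the issue.
# Hostnames, the recipient and the relay address are placeholders; the
# queue IDs, pid, timestamp and priority are the ones the issue shows.
SAMPLE_LINE = (
    "<22>Dec 16 18:48:13 mailhost postfix/smtp[32585]: 4101B87FB4: "
    "to=<user@example.invalid>, relay=relay.example.invalid[192.0.2.10]:25, "
    "delay=0.23, delays=0.17/0.04/0.01/0.01, dsn=2.0.0, "
    "status=sent (250 2.0.0 Ok: queued as 6CC4741CBA)"
)

# Stand-in for the syslog input's grok expression: priority, timestamp,
# host, then the SYSLOGPROG shape "program[pid]:" and the rest as message.
SYSLOG_HEADER = re.compile(
    r"^<(?P<priority>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>\S+) "
    r"(?P<program>[\w./%-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# Hypothetical second-stage Postfix pattern (an assumption: the issue does not
# show the conflicting pattern). It reuses the field name "program" for the
# queue ID, which is the conflict.
POSTFIX_CONFLICTING = re.compile(r"^(?P<program>[0-9A-F]{10}):(?P<message>.*)$")

# The same pattern with the queue ID captured under its own field name.
POSTFIX_FIXED = re.compile(r"^(?P<queue_id>[0-9A-F]{10}):\s*(?P<message>.*)$")


def merge(event, captures, overwrite=()):
    """Merge named captures into an event with grok's semantics: a field
    listed in `overwrite` is replaced, any other field that already exists
    is turned into an array holding both values."""
    for name, value in captures.items():
        if value is None:          # optional group (e.g. pid) that did not match
            continue
        if name not in event or name in overwrite:
            event[name] = value
        elif isinstance(event[name], list):
            event[name].append(value)
        else:
            event[name] = [event[name], value]
    return event


def decode_priority(priority):
    """Split an RFC3164 PRI value into (facility, severity)."""
    return priority >> 3, priority & 7


def parse(line, postfix_pattern):
    """Run the header pattern, then the Postfix pattern over the message
    field with "message" overwritten, as grok's overwrite option would do."""
    event = {"tags": []}
    m = SYSLOG_HEADER.match(line)
    if m is None:
        event["tags"].append("_grokparsefailure")
        return event
    merge(event, m.groupdict())
    event["facility"], event["severity"] = decode_priority(int(event["priority"]))
    m2 = postfix_pattern.match(event["message"])
    if m2 is not None:
        merge(event, m2.groupdict(), overwrite=("message",))
    return event


def multivalued_fields(event, expected_scalar=("program", "pid", "logsource", "message")):
    """Return the fields expected to be scalar that came out as arrays.
    An array here means two captures collided on the same field name."""
    return [f for f in expected_scalar if isinstance(event.get(f), list)]


if __name__ == "__main__":
    broken = parse(SAMPLE_LINE, POSTFIX_CONFLICTING)
    print("conflicting:", broken["program"], multivalued_fields(broken))
    fixed = parse(SAMPLE_LINE, POSTFIX_FIXED)
    print("fixed:", fixed["program"], fixed["queue_id"], multivalued_fields(fixed))
```

With the conflicting pattern the event reproduces the issue's sample, including the leading space on `message` left behind by a pattern that strips the queue ID and colon but not the following space; with the corrected pattern `program` stays `postfix/smtp` and the queue ID lands in `queue_id`.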