diff --git a/elk/16-amavis.conf b/elk/16-amavis.conf
new file mode 100644
index 00000000..ad60eff6
--- /dev/null
+++ b/elk/16-amavis.conf
@@ -0,0 +1,23 @@
+filter {
+ # grok log lines by program name
+ if [program] == 'amavis' {
+ grok {
+ patterns_dir => "/etc/logstash/patterns.d"
+ match => [ "message", "%{AMAVIS}" ]
+ tag_on_failure => [ "_grok_amavis_nomatch" ]
+ add_tag => [ "_grok_amavis_success" ]
+ }
+ }
+
+ # Do some data type conversions
+ mutate {
+ convert => [
+ # list of integer fields
+ "amavis_size", "integer",
+ "amavis_duration", "integer",
+
+ # list of float fields
+ "amavis_hits", "float"
+ ]
+ }
+}
diff --git a/elk/Dockerfile b/elk/Dockerfile
index dc62c270..1ffeb104 100644
--- a/elk/Dockerfile
+++ b/elk/Dockerfile
@@ -6,7 +6,7 @@ RUN curl -L https://raw.githubusercontent.com/whyscream/postfix-grok-patterns/ma
 RUN curl -L https://raw.githubusercontent.com/whyscream/postfix-grok-patterns/master/50-filter-postfix.conf > /etc/logstash/conf.d/15-filter-postfix.conf
 # custom amavis grok and filter
 ADD amavis.grok /etc/logstash/patterns.d
-RUN curl -L https://raw.githubusercontent.com/ninech/logstash-patterns/master/exmples/50-filter-amavis.conf > /etc/logstash/conf.d/16-filter-amavis.conf
+ADD 16-amavis.conf /etc/logstash/conf.d
 # dovecot grok and filter
 RUN curl -L https://raw.githubusercontent.com/ninech/logstash-patterns/master/patterns.d/dovecot.grok > /etc/logstash/patterns.d/dovecot.grok
 RUN curl -L https://raw.githubusercontent.com/ninech/logstash-patterns/master/exmples/50-filter-dovecot.conf > /etc/logstash/conf.d/17-filter-dovecot.conf
@@ -21,6 +21,3 @@ RUN gosu logstash bin/logstash-plugin install --local --no-verify logstash-filte
 ADD 02-beats-input.conf /etc/logstash/conf.d/
 # override syslog
 ADD 10-syslog.conf /etc/logstash/conf.d/
-
-
-
diff --git a/elk/amavis.grok b/elk/amavis.grok
index 4bc74859..36713188 100644
--- a/elk/amavis.grok
+++ b/elk/amavis.grok
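Review bot: The `mutate { convert => … }` block sits outside the `if [program] == 'amavis'` guard, so it runs on every event in the pipeline rather than only on lines the AMAVIS grok produced; wrapping it as `if "_grok_amavis_success" in [tags] { mutate { … } }` (or moving it inside the existing conditional) keeps the conversion scoped to the fields this filter owns. The three field names match the captures in the AMAVIS pattern (`amavis_size`, `amavis_duration`, `amavis_hits`), but `remote_port`, also captured as `POSINT`, is left as a string; add `"remote_port", "integer"` if it is meant to be queried numerically. `%{AMAVIS}` is unanchored; if the syslog stage leaves `message` beginning with the `(id)` token, `match => [ "message", "^%{AMAVIS}" ]` lets grok reject non-amavis lines without scanning the whole string — worth confirming against 10-syslog.conf, which is not in this diff. The `DATA` captures (`from`, `to`, `message_id`) hold values taken from the mail itself, so keeping `tag_on_failure` on this grok is the right call whenever the pattern is changed.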
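Review bot: The new `ADD 16-amavis.conf /etc/logstash/conf.d` drops the trailing slash that the sibling `ADD 02-beats-input.conf /etc/logstash/conf.d/` and `ADD 10-syslog.conf /etc/logstash/conf.d/` lines use; with the slash Docker treats the destination as a directory and creates it if missing, whereas without it a missing `conf.d` would silently become a regular file of that name, so `ADD 16-amavis.conf /etc/logstash/conf.d/` is both safer and consistent with the rest of the file. The neighbouring `RUN curl -L https://raw.githubusercontent.com/.../master/...` lines in this hunk still fetch unpinned upstream `master` content at build time with no checksum, and without `--fail` an HTTP error page from GitHub would be written into the `.conf`/`.grok` file while the build still succeeds; pinning those URLs to a specific commit (e.g. `.../<commit-sha>/...`, placeholder) and adding `--fail`, or vendoring them the way this commit does for amavis, would make the image reproducible and make a fetch failure visible. Since `/etc/logstash/conf.d` is loaded in name order, `16-amavis.conf` still sorts between the postfix (15) and dovecot (17) filters as the replaced `16-filter-amavis.conf` did.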
@@ -1,11 +1 @@
-MAVIS_MESSAGEID Message-ID: <%{DATA:amavis_message-id}>
-AMAVIS_SIZE size: %{POSINT:amavis_size}
-AMAVIS_TESTS Tests: \[%{DATA:amavis_tests}\]
-AMAVIS_FROM From: %{DATA:amavis_header_from}
-AMAVIS_HITS Hits: %{NUMBER:amavis_hits}
-AMAVIS_QUARANTINE quarantine: %{NOTSPACE:amavis_quarantine}
-AMAVIS_SUBJECT Subject: "%{DATA:amavis_subject}"
-AMAVIS_KV ((%{AMAVIS_MESSAGEID}|%{AMAVIS_SIZE}|%{AMAVIS_TESTS}|%{AMAVIS_FROM}|%{AMAVIS_HITS}|%{AMAVIS_QUARANTINE}|%{AMAVIS_SUBJECT}|%{DATA}), )*
-
 AMAVIS \(%{DATA:amavis_id}\) %{DATA:amavis_action} %{DATA:amavis_status} {%{DATA:amavis_relaytype}},( %{GREEDYDATA:amavis_policybank})? \[%{IP:remote_ip}\]:%{POSINT:remote_port} \[%{IP:amavis_ip}\] <%{DATA:from}> -> <%{DATA:to}>(, quarantine: %{DATA:quarantine_id})?, Queue-ID: %{DATA:queue_id}(, Message-ID: <%{DATA:message_id}>)?(, mail_id: %{DATA:mail_id})?, Hits: %{NUMBER:amavis_hits}, size: %{POSINT:amavis_size}(, queued_as: %{DATA:amavis_queue_id})?(, dkim_sd=%{DATA:amavis_dkim})?, %{NUMBER:amavis_duration} ms
-