Add pattern to parse warnings from postfix/postmap

whyscream · Jan 31, 2023 · 232fa22 · 232fa22
1 parent ab39dd3
commit 232fa22
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 0 deletions.
diff --git a/50-filter-postfix.conf b/50-filter-postfix.conf
@@ -161,6 +161,13 @@ filter {
             tag_on_failure => [ "_grok_postfix_virtual_nomatch" ]
             add_tag        => [ "_grok_postfix_success" ]
         }
+    } else if [program] =~ /^postfix.*\/postmap$/ {
+        grok {
+            patterns_dir   => "/etc/logstash/patterns.d"
+            match          => [ "message", "^%{POSTFIX_POSTMAP}$" ]
+            tag_on_failure => [ "_grok_postfix_postmap_nomatch" ]
+            add_tag        => [ "_grok_postfix_success" ]
+        }
     } else if [program] =~ /^postfix.*/ {
         mutate {
             add_tag => [ "_grok_postfix_program_nomatch" ]

diff --git a/postfix.grok b/postfix.grok
@@ -137,3 +137,4 @@ POSTFIX_LOCAL %{POSTFIX_KEYVALUE}|%{POSTFIX_WARNING}
 POSTFIX_VIRTUAL %{POSTFIX_SMTP_DELIVERY}
 POSTFIX_ERROR %{POSTFIX_ERROR_ANY}
 POSTFIX_POSTSUPER %{POSTFIX_POSTSUPER_ACTION}|%{POSTFIX_POSTSUPER_SUMMARY}
+POSTFIX_POSTMAP %{POSTFIX_WARNING}
diff --git a/test/postmap_0001.yaml b/test/postmap_0001.yaml
@@ -0,0 +1,5 @@
+pattern: ^%{POSTFIX_POSTMAP}$
+data: "warning: /etc/postfix/conf.d/users.db: duplicate entry: \"[email protected]\""
+results:
+    postfix_message_level: warning
+    postfix_message: "/etc/postfix/conf.d/users.db: duplicate entry: \"[email protected]\""