From 232fa2244d2473412c6f74b4f634f2f6fc8b44ee Mon Sep 17 00:00:00 2001
From: Tom Hendrikx <tom@whyscream.net>
Date: Tue, 31 Jan 2023 21:34:52 +0100
Subject: [PATCH] Add pattern to parse warnings from `postfix/postmap`

---
 50-filter-postfix.conf | 7 +++++++
 postfix.grok           | 1 +
 test/postmap_0001.yaml | 5 +++++
 3 files changed, 13 insertions(+)
 create mode 100644 test/postmap_0001.yaml

diff --git a/50-filter-postfix.conf b/50-filter-postfix.conf
index 070da86..a4c533a 100644
--- a/50-filter-postfix.conf
+++ b/50-filter-postfix.conf
@@ -161,6 +161,13 @@ filter {
             tag_on_failure => [ "_grok_postfix_virtual_nomatch" ]
             add_tag        => [ "_grok_postfix_success" ]
         }
+    } else if [program] =~ /^postfix.*\/postmap$/ {
+        grok {
+            patterns_dir   => "/etc/logstash/patterns.d"
+            match          => [ "message", "^%{POSTFIX_POSTMAP}$" ]
+            tag_on_failure => [ "_grok_postfix_postmap_nomatch" ]
+            add_tag        => [ "_grok_postfix_success" ]
+        }
     } else if [program] =~ /^postfix.*/ {
         mutate {
             add_tag => [ "_grok_postfix_program_nomatch" ]
diff --git a/postfix.grok b/postfix.grok
index 6337631..953e3a6 100644
--- a/postfix.grok
+++ b/postfix.grok
@@ -137,3 +137,4 @@ POSTFIX_LOCAL %{POSTFIX_KEYVALUE}|%{POSTFIX_WARNING}
 POSTFIX_VIRTUAL %{POSTFIX_SMTP_DELIVERY}
 POSTFIX_ERROR %{POSTFIX_ERROR_ANY}
 POSTFIX_POSTSUPER %{POSTFIX_POSTSUPER_ACTION}|%{POSTFIX_POSTSUPER_SUMMARY}
+POSTFIX_POSTMAP %{POSTFIX_WARNING}
diff --git a/test/postmap_0001.yaml b/test/postmap_0001.yaml
new file mode 100644
index 0000000..6b6738f
--- /dev/null
+++ b/test/postmap_0001.yaml
@@ -0,0 +1,5 @@
+pattern: ^%{POSTFIX_POSTMAP}$
+data: "warning: /etc/postfix/conf.d/users.db: duplicate entry: \"xxx@yyy.com\""
+results:
+    postfix_message_level: warning
+    postfix_message: "/etc/postfix/conf.d/users.db: duplicate entry: \"xxx@yyy.com\""