Add pattern to extract warnings from postfix-script loglines

whyscream · Jan 31, 2023 · 0529d69 · 0529d69
1 parent 232fa22
commit 0529d69
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 0 deletions.
diff --git a/50-filter-postfix.conf b/50-filter-postfix.conf
@@ -168,6 +168,13 @@ filter {
             tag_on_failure => [ "_grok_postfix_postmap_nomatch" ]
             add_tag        => [ "_grok_postfix_success" ]
         }
+    } else if [program] =~ /^postfix.*\/postfix-script$/ {
+        grok {
+            patterns_dir   => "/etc/logstash/patterns.d"
+            match          => [ "message", "^%{POSTFIX_SCRIPT}$" ]
+            tag_on_failure => [ "_grok_postfix_script_nomatch" ]
+            add_tag        => [ "_grok_postfix_success" ]
+        }
     } else if [program] =~ /^postfix.*/ {
         mutate {
             add_tag => [ "_grok_postfix_program_nomatch" ]

diff --git a/postfix.grok b/postfix.grok
@@ -138,3 +138,4 @@ POSTFIX_VIRTUAL %{POSTFIX_SMTP_DELIVERY}
 POSTFIX_ERROR %{POSTFIX_ERROR_ANY}
 POSTFIX_POSTSUPER %{POSTFIX_POSTSUPER_ACTION}|%{POSTFIX_POSTSUPER_SUMMARY}
 POSTFIX_POSTMAP %{POSTFIX_WARNING}
+POSTFIX_SCRIPT %{POSTFIX_WARNING}
diff --git a/test/script_0001.yaml b/test/script_0001.yaml
@@ -0,0 +1,5 @@
+pattern: ^%{POSTFIX_SCRIPT}$
+data: "warning: symlink leaves directory: /etc/postfix/./makedefs.out"
+results:
+    postfix_message_level: warning
+    postfix_message: "symlink leaves directory: /etc/postfix/./makedefs.out"