Add pattern to extract warnings from postfix-script loglines

Author: whyscream

50-filter-postfix.conf

@@ -168,6 +168,13 @@ filter {
             tag_on_failure => [ "_grok_postfix_postmap_nomatch" ]
             add_tag        => [ "_grok_postfix_success" ]
         }
+    } else if [program] =~ /^postfix.*\/postfix-script$/ {
+        grok {
+            patterns_dir   => "/etc/logstash/patterns.d"
+            match          => [ "message", "^%{POSTFIX_SCRIPT}$" ]
+            tag_on_failure => [ "_grok_postfix_script_nomatch" ]
+            add_tag        => [ "_grok_postfix_success" ]
+        }
     } else if [program] =~ /^postfix.*/ {
         mutate {
             add_tag => [ "_grok_postfix_program_nomatch" ]

postfix.grok

@@ -138,3 +138,4 @@ POSTFIX_VIRTUAL %{POSTFIX_SMTP_DELIVERY}
 POSTFIX_ERROR %{POSTFIX_ERROR_ANY}
 POSTFIX_POSTSUPER %{POSTFIX_POSTSUPER_ACTION}|%{POSTFIX_POSTSUPER_SUMMARY}
 POSTFIX_POSTMAP %{POSTFIX_WARNING}
+POSTFIX_SCRIPT %{POSTFIX_WARNING}

test/script_0001.yaml

@@ -0,0 +1,5 @@
+pattern: ^%{POSTFIX_SCRIPT}$
+data: "warning: symlink leaves directory: /etc/postfix/./makedefs.out"
+results:
+    postfix_message_level: warning
+    postfix_message: "symlink leaves directory: /etc/postfix/./makedefs.out"