Extract TLS security and downgrade levels from 'postfix_tls' field

Author: whyscream

50-filter-postfix.conf

@@ -222,6 +222,14 @@ filter {
                 remove_field   => [ "postfix_delays" ]
             }
         }
+        if [postfix_tls] {
+            grok {
+                patterns_dir   => "/etc/logstash/patterns.d"
+                match          => ["postfix_tls", "^%{POSTFIX_TLS_FEATURES}$"]
+                tag_on_failure => [ "_grok_kv_postfix_tls_nomatch" ]
+                remove_field   => [ "postfix_tls" ]
+            }
+        }
     }
 
     # process command counter data if it exists

postfix.grok

@@ -121,6 +121,9 @@ POSTFIX_VERIFY_CACHE cache %{DATA} (?<postfix_verify_cleanup_type>(full|partial)
 # local patterns
 POSTFIX_LOCAL_DELIVERY %{POSTFIX_KEYVALUE} status=%{STATUS_WORD:postfix_status}( \(%{GREEDYDATA:postfix_local_response}\))?
 
+# TLS features
+POSTFIX_TLS_FEATURES %{STATUS_WORD:postfix_tls_security_level}(:%{STATUS_WORD:postfix_tls_downgrade_level})?
+
 # aggregate all patterns
 POSTFIX_SMTPD %{POSTFIX_SMTPD_CONNECT}|%{POSTFIX_SMTPD_DISCONNECT}|%{POSTFIX_SMTPD_LOSTCONN}|%{POSTFIX_SMTPD_NOQUEUE}|%{POSTFIX_SMTPD_PIPELINING}|%{POSTFIX_TLSCONN}|%{POSTFIX_WARNING}|%{POSTFIX_SMTPD_PROXY}|%{POSTFIX_KEYVALUE}
 POSTFIX_CLEANUP %{POSTFIX_CLEANUP_MESSAGEID}|%{POSTFIX_CLEANUP_MILTER}|%{POSTFIX_CLEANUP_PREPEND}|%{POSTFIX_WARNING}|%{POSTFIX_KEYVALUE}

test/tls_features_0007.yaml

@@ -0,0 +1,4 @@
+pattern: "^%{POSTFIX_TLS_FEATURES}$"
+data: "dane"
+results:
+    postfix_tls_security_level: dane

test/tls_features_0008.yaml

@@ -0,0 +1,5 @@
+pattern: "^%{POSTFIX_TLS_FEATURES}$"
+data: "dane:none"
+results:
+    postfix_tls_security_level: dane
+    postfix_tls_downgrade_level: none

test_pipeline.sh

@@ -63,6 +63,8 @@ CONTAINER_ID=$(docker run --rm --detach \
 
 printf "Waiting for output from logstash "
 until test -s "$OUTPUT"; do
+  # For debugging a crashing container (probably invalid configuration)
+  # docker inspect "$CONTAINER_ID" | jq '.[0].State'
   printf "."
   sleep 2
 done