From 06415f0e545f3be8cc5c05bbc53a6c88a4d7e16c Mon Sep 17 00:00:00 2001
From: Tom Hendrikx
Date: Sat, 29 Nov 2025 20:42:20 +0100
Subject: [PATCH] Convert postfix timestamps in syslog format to logstash dates
---
50-filter-postfix.conf | 16 ++++++++++++++++
test_pipeline.sh | 1 +
2 files changed, 17 insertions(+)
diff --git a/50-filter-postfix.conf b/50-filter-postfix.conf
index 50ab186..422f323 100644
--- a/50-filter-postfix.conf
+++ b/50-filter-postfix.conf
@@ -305,4 +305,20 @@ filter {
 "postfix_requiretls", "requiretls", "true"
 ]
 }
+
+ # Convert timestamp fields from string to date
+ # NOTE: postfix timestamps don't contain a year value, which makes logstash assume the current year.
+ # Beware when parsing historic log files!
+ date {
+ match => [
+ "postfix_anvil_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss"
+ ]
+ target => "postfix_anvil_timestamp"
+ }
+ date {
+ match => [
+ "postfix_scache_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss"
+ ]
+ target => "postfix_scache_timestamp"
+ }
 }
diff --git a/test_pipeline.sh b/test_pipeline.sh
index a236dcf..eaede7d 100755
--- a/test_pipeline.sh
+++ b/test_pipeline.sh
@@ -44,6 +44,7 @@ EOF
 cat 50-filter-postfix.conf >> "$PIPELINE"
+echo Preparing output config
 cat >> "$PIPELINE" << EOF
 output {
 file {
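Review bot: Neither `date` block added in the 50-filter-postfix.conf hunk sets `timezone`, so the zone-less `postfix_anvil_timestamp` and `postfix_scache_timestamp` values are interpreted in the time zone of the Logstash host rather than that of the mail server that wrote them. When logs are shipped from a server in another zone, the converted fields shift by the offset and no longer line up with `@timestamp` or with other sources when a timeline is reconstructed. I would add `timezone => "<zone of the sending host>"` to both blocks, or extend the NOTE comment to say the pipeline must run in the same zone as the Postfix host. Both blocks also fall back to the default `_dateparsefailure` tag; a distinct tag per block, for example `tag_on_failure => ["_postfix_anvil_dateparsefailure"]` (name constructed here), would show which field failed to parse. The enclosing `filter {` block opens outside the hunk.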