Nicolas,

Over on the ossec-dev list there was a patch created by Brad Lhotsky that does 
what you want, since it appears both of the lines you want to combine share an 
ID of 19378(?).  Anyways, I believe his patch only supports alert generation 
based on multiple events (aka "composite" rules where you define a frequency).

There was another patch prepared by another gentleman that allowed you to 
combine multiple lines, but it was buggy and ultimately got pulled from the 
OSSEC 2.7 release to give the developer more time to investigate.


On Dec 4, 2012, at 11:54 AM, Nicolas Zin <[email protected]> wrote:

> Hi,
> 
> in my (mail)log I want to join information present (seldom) in my maillog 
> on 2 lines. Example:
> 
> Dec  2 08:03:44 ns15 sm-acceptingconnections[19378]: qB2D3g8Q019378: AUTH 
> failure (LOGIN): authentication failure (-13) SASL(-13): authentication 
> failure: checkpass failed
> Dec  2 08:03:45 ns15 sm-acceptingconnections[19378]: qB2D3g8Q019378: 
> modemcable105.183-177-173.mc.videotron.ca [173.177.183.105] did not issue 
> MAIL/EXPN/VRFY/ETRN during connection to MSA-SSL
> 
> My goal is to trigger an active-response for the authentication failure. The 
> problem is: the IP is on the second line.
> I saw there is a "multi-line" option in log_format, but in my case, mail log 
> is not composed systematically of 2 lines.
> 
> Is it possible to correlate these 2 lines only with ossec configuration?
> 
> 
> Regards,
> 
> 
> Nicolas Zin
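The correlation the thread is asking about, as an added illustration that is not OSSEC code or a patch from the list: both sendmail events carry the same queue ID (qB2D3g8Q019378 in the quoted log), so a small stateful reader can hold an AUTH failure until the later line for that queue ID supplies the client IP, and keep unresolved failures aside when the second line never arrives. The sample log is constructed from the lines quoted above, unwrapped to one event per line.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the lines quoted in the thread (one syslog
# event per line). The third and fourth events are added to show a connection
# line with no failure and a failure whose IP line never arrives.
SAMPLE_LOG = """\
Dec  2 08:03:44 ns15 sm-acceptingconnections[19378]: qB2D3g8Q019378: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed
Dec  2 08:03:45 ns15 sm-acceptingconnections[19378]: qB2D3g8Q019378: modemcable105.183-177-173.mc.videotron.ca [173.177.183.105] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA-SSL
Dec  2 08:05:10 ns15 sm-acceptingconnections[19380]: qB2D5A8Q019380: mail.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA-SSL
Dec  2 08:06:00 ns15 sm-acceptingconnections[19381]: qB2D608Q019381: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed
"""

# Sendmail prefixes every event with its queue ID; that ID is the join key.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sm-\S+\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): (?P<msg>.*)$"
)
# The client address appears in square brackets on the connection line.
IP_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def correlate_auth_failures(log_text: str) -> Tuple[List[dict], Dict[str, str]]:
    """Join AUTH failures to the client IP logged under the same queue ID.

    Returns (alerts, unresolved): alerts are failures whose IP line was seen,
    unresolved maps queue IDs of failures still waiting for an IP line.
    """
    pending: Dict[str, str] = {}  # queue ID -> timestamp of the AUTH failure
    alerts: List[dict] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sendmail event we understand
        qid, msg = m.group("qid"), m.group("msg")
        if msg.startswith("AUTH failure"):
            pending[qid] = m.group("ts")
            continue
        ip = IP_RE.search(msg)
        if ip and qid in pending:
            alerts.append({"qid": qid, "ip": ip.group("ip"),
                           "first_seen": pending.pop(qid)})
    return alerts, pending
```

An unresolved entry is the case the poster describes: a failure whose IP line may never be logged, so it should age out rather than block the reader.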
