I am trying to correlate some logs from SpamAssassin, and so far it seems to be working out for simple rules. As an example, user X sends more than Y messages classified as spam per time unit; no problem catching that one.
But correlating the IP addresses is harder, since they end up on a different line compared to the spam tag.

Example line for extracting the IP address:

    amavis[processid]: (IDNUMBER) Checking: "randomtext" [X.X.X.X] <[email protected]>

Example line for determining that spam is being processed:

    amavis[processid]: (IDNUMBER) header_edits_for_quar: <[email protected]> BLA BLA BLA classified as ugly spam

Can I write one or many rules that use IDNUMBER as the common denominator and spit out an active response relating to the IP address and username? I know how to do this by calling external scripts in Python, but that is what I am trying to avoid here.
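The join the question describes, as an added example that is not part of the original post: the two amavis line types are keyed on the ID number, so the IP address and sender from the "Checking:" line can be attached to the later "classified as ... spam" verdict. The log lines, the example.org addresses and the field names are constructed for the example.

```python
import re
from collections import OrderedDict

# Constructed sample lines in the amavis format quoted above (not from the original post).
SAMPLE_LOG = """\
Mar  3 10:00:01 mx amavis[1234]: (1234-01) Checking: "randomtext" [192.0.2.10] <alice@example.org>
Mar  3 10:00:02 mx amavis[1234]: (1234-02) Checking: "other" [198.51.100.7] <bob@example.org>
Mar  3 10:00:03 mx amavis[1234]: (1234-01) header_edits_for_quar: <alice@example.org> BLA BLA BLA classified as ugly spam
"""

# "Checking:" line: carries the ID, the client IP and the envelope sender.
CHECKING_RE = re.compile(
    r'amavis\[\d+\]: \((?P<id>[^)]+)\) Checking: .*?\[(?P<ip>[^\]]+)\] <(?P<sender>[^>]*)>')
# Verdict line: carries the ID and the sender, but not the IP.
SPAM_RE = re.compile(
    r'amavis\[\d+\]: \((?P<id>[^)]+)\) header_edits_for_quar: <(?P<sender>[^>]*)>.*classified as .*spam')


def correlate(lines, max_pending=10000):
    """Return one alert dict per spam verdict whose ID was seen on an earlier Checking line."""
    # id -> (ip, sender); bounded so IDs that never get a verdict cannot grow memory forever.
    pending = OrderedDict()
    alerts = []
    for line in lines:
        m = CHECKING_RE.search(line)
        if m:
            pending[m['id']] = (m['ip'], m['sender'])
            if len(pending) > max_pending:
                pending.popitem(last=False)  # drop the oldest unmatched ID
            continue
        m = SPAM_RE.search(line)
        if m:
            ip_sender = pending.pop(m['id'], None)
            if ip_sender is None:
                continue  # verdict without a Checking line (e.g. seen after log rotation)
            alerts.append({'id': m['id'], 'ip': ip_sender[0], 'sender': ip_sender[1]})
    return alerts


if __name__ == '__main__':
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Only the ID that received a spam verdict produces an alert; the second message stays pending and is discarded once the table fills up.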
