On Thu, Nov 7, 2013 at 8:18 AM, Per-Erik Persson <[email protected]> wrote:
> I am trying to correlate some logs from SpamAssassin; so far it seems to be
> working out for simple rules.
> As an example, user X sends more than Y messages classified as spam per
> time unit: no problem to catch that one.
>
> But correlating the IP addresses is harder, since they end up on a different
> line compared to the spam tag.
>
> Example line for extracting the IP address:
> amavis[processid]: (IDNUMBER) Checking: "randomtext" [X.X.X.X] <[email protected]>
>
> Example line for determining that spam is being processed:
> amavis[processid]: (IDNUMBER) header_edits_for_quar: <[email protected]> BLA BLA BLA classified as ugly spam
>
> Can I write one or many rules that use IDNUMBER as the common denominator and
> spit out an active response relating to the IP address and username?
>
> I know how to do this by calling external scripts in Python, but that is what
> I am trying to avoid here.
>
Not with the current code. We have no way to track events over multiple log lines, unless you're using the multi-line log format.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
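The two-line join the question describes, keyed on the amavis ID in parentheses, can be done outside OSSEC with a small stateful script. The following is an added example written for this thread, not code from OSSEC or from either poster; it assumes the two line shapes quoted above (real amavis output varies with version and configuration) and uses constructed sample lines.

```python
import re
from collections import OrderedDict

# Patterns for the two amavis line shapes quoted above (assumed; real output varies).
CHECKING_RE = re.compile(
    r"amavis\[\d+\]: \((?P<id>[^)]+)\) Checking: .*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\] <(?P<sender>[^>]*)>")
VERDICT_RE = re.compile(
    r"amavis\[\d+\]: \((?P<id>[^)]+)\) header_edits_for_quar: "
    r"<(?P<user>[^>]*)>.*classified as .*spam")

class AmavisCorrelator:
    """Join the 'Checking:' line (carries the client IP) with the later
    'header_edits_for_quar' verdict line on the amavis ID in parentheses."""

    def __init__(self, max_pending=10000):
        self.pending = OrderedDict()  # amavis id -> (ip, sender)
        self.max_pending = max_pending

    def feed(self, line):
        """Return a dict (id, ip, sender, user) when a spam verdict can be
        tied back to a client IP, otherwise None."""
        m = CHECKING_RE.search(line)
        if m:
            self.pending[m["id"]] = (m["ip"], m["sender"])
            # Bound memory: amavis may never log a verdict for some IDs.
            while len(self.pending) > self.max_pending:
                self.pending.popitem(last=False)
            return None
        m = VERDICT_RE.search(line)
        if m:
            ctx = self.pending.pop(m["id"], None)
            if ctx is None:  # verdict with no prior Checking line (e.g. after log rotation)
                return None
            return {"id": m["id"], "ip": ctx[0], "sender": ctx[1], "user": m["user"]}
        return None

def correlate(lines):
    """Run every line through one correlator and collect the hits."""
    c = AmavisCorrelator()
    return [hit for hit in (c.feed(line) for line in lines) if hit]

# Constructed sample lines in the shape quoted in the question (not real logs).
SAMPLE = [
    "Nov  7 08:18:01 mx amavis[4711]: (4711-01) Checking: MSG1 [192.0.2.10] <alice@example.com> -> <bob@example.com>",
    "Nov  7 08:18:01 mx amavis[4711]: (4711-02) Checking: MSG2 [198.51.100.7] <carol@example.com> -> <dave@example.com>",
    "Nov  7 08:18:02 mx amavis[4711]: (4711-01) header_edits_for_quar: <bob@example.com> ... classified as ugly spam",
    "Nov  7 08:18:03 mx amavis[4711]: (9999-09) header_edits_for_quar: <eve@example.com> ... classified as ugly spam",
]
```

Each hit carries the IP and addresses that an active response would need; the orphan verdict (ID 9999-09) is dropped rather than misattributed, and the pending table is capped so IDs that never get a verdict cannot grow it without bound.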
