Hi
I have successfully created 2 rules that match lines I want to act on, but
I'm struggling to find a way to correlate them.
First, a description of what I want to get:
Generate an event for a threshold, i.e. 10 events in 1 hour. The problem is
I don't quite get how to count them correctly.
The first is a line that has the username and mail ID, for example:
Jun 3 06:46:13 server1 postfix/smtpd[3268]: 626C5802295:
client=unknown[8.8.8.8], sasl_method=LOGIN,
sasl_username=lo...@some.domain.com
I'm matching it with the pattern
pattern=postfix.*\]: (?<MSGID>\S+): .* sasl_username=(?<LOGIN>\S+)
The threshold should be for unique LOGINs and should count events matched
by the second rule, i.e. lines like these:
Jun 3 06:46:14 server1 postfix/smtp[23808]: 626C5802295:
to=<somb...@somewhere.com>, relay=somewhere.com[9.9.9.9]:25, delay=1,
delays=1/0.03/21/20, dsn=5.0.0, status=bounced (host
somewhere.com[9.9.9.9] said: 550-The mail server could not deliver mail
to somb...@somewhere.com. 550-The account or domain may not exist, they
may be blacklisted, or missing 550 the proper dns entries. (in reply to
RCPT TO command))
I'm matching this line with the pattern
pattern=postfix\/smtp.*\]: (?<MSGID>\S+):.*dsn=5.*
The MSGID is identical in both lines.
I'm trying to count the bounces and execute an action if there are too
many of them for a single sasl_username in a time period.
By the way, MSGIDs can repeat themselves over longer periods of time, but
should be unique within the threshold period.
I would be very thankful for any help.
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
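The counting logic the post is asking about, written out as an added Python example (not SEC configuration and not code from the original post): the first pattern builds a MSGID -> sasl_username mapping, the second pattern looks the bounce's MSGID up in it and charges the bounce to that login, and a per-login sliding window decides when the threshold is crossed. The two regexes are the ones from the post, rewritten in Python's (?P<name>) group syntax; the sample log lines, the host and mail IDs, the year used for the syslog timestamps and the threshold of 3 are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The two patterns from the post, in Python's (?P<name>...) group syntax.
LOGIN_RE = re.compile(r"postfix.*\]: (?P<MSGID>\S+): .* sasl_username=(?P<LOGIN>\S+)")
BOUNCE_RE = re.compile(r"postfix/smtp.*\]: (?P<MSGID>\S+):.*dsn=5\.")
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")


def parse_ts(line):
    """Parse the syslog timestamp; it carries no year, so one is assumed (constructed)."""
    m = TS_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())  # collapse the double space in "Jun  3"
    return datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=2024)


class BounceCorrelator:
    def __init__(self, threshold=10, window=timedelta(hours=1)):
        self.threshold = threshold
        self.window = window
        self.login_by_msgid = {}           # MSGID -> (LOGIN, time the login line was seen)
        self.bounces = defaultdict(deque)  # LOGIN -> timestamps of bounces inside the window
        self.alerts = []                   # (timestamp, LOGIN) for every threshold crossing

    def process(self, line):
        """Feed one log line; return the LOGIN if it crossed the threshold on this line."""
        ts = parse_ts(line)
        if ts is None:
            return None
        m = LOGIN_RE.search(line)
        if m:
            # Rule 1: remember which login this MSGID belongs to.
            self.login_by_msgid[m["MSGID"]] = (m["LOGIN"], ts)
            return None
        m = BOUNCE_RE.search(line)
        if not m:
            return None
        # Rule 2: join the bounce to the login via MSGID.
        entry = self.login_by_msgid.get(m["MSGID"])
        if entry is None:
            return None  # bounce for a message whose login line was never seen
        login, seen_at = entry
        if ts - seen_at > self.window:
            # MSGIDs may be reused after a long time; a stale mapping must not be charged.
            del self.login_by_msgid[m["MSGID"]]
            return None
        q = self.bounces[login]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()  # drop bounces that fell out of the 1-hour window
        if len(q) >= self.threshold:
            q.clear()    # fire once, then count again from zero for this login
            self.alerts.append((ts, login))
            return login
        return None


def run(lines, threshold=10, window=timedelta(hours=1)):
    """Run the correlator over an iterable of log lines; return the alerts it raised."""
    c = BounceCorrelator(threshold, window)
    for line in lines:
        c.process(line)
    return c.alerts


# Constructed sample: three bounces for alice@example.com within four minutes, one
# successful delivery (dsn=2.x, must not count) and one bounce with no login line.
SAMPLE = """\
Jun  3 06:46:13 mx1 postfix/smtpd[3268]: 626C5802295: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.com
Jun  3 06:46:14 mx1 postfix/smtp[23808]: 626C5802295: to=<x@example.net>, relay=example.net[198.51.100.5]:25, delay=1, dsn=5.0.0, status=bounced (host said: 550 no such user)
Jun  3 06:47:01 mx1 postfix/smtpd[3268]: 71A2B802296: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.com
Jun  3 06:47:02 mx1 postfix/smtp[23808]: 71A2B802296: to=<y@example.net>, relay=example.net[198.51.100.5]:25, delay=1, dsn=2.0.0, status=sent (250 ok)
Jun  3 06:48:05 mx1 postfix/smtpd[3268]: 8C3D4802297: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.com
Jun  3 06:48:06 mx1 postfix/smtp[23808]: 8C3D4802297: to=<z@example.net>, relay=example.net[198.51.100.5]:25, delay=1, dsn=5.1.1, status=bounced (host said: 550 unknown)
Jun  3 06:49:00 mx1 postfix/smtp[23808]: DEADBEEF000: to=<q@example.net>, relay=example.net[198.51.100.5]:25, delay=1, dsn=5.0.0, status=bounced (no login line for this id)
Jun  3 06:50:10 mx1 postfix/smtpd[3268]: 9E5F6802298: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.com
Jun  3 06:50:11 mx1 postfix/smtp[23808]: 9E5F6802298: to=<w@example.net>, relay=example.net[198.51.100.5]:25, delay=1, dsn=5.0.0, status=bounced (host said: 550 rejected)
"""

if __name__ == "__main__":
    for ts, login in run(SAMPLE.splitlines(), threshold=3):
        print(f"{ts:%b %d %H:%M:%S} threshold reached for {login}")
```

The dictionary is the piece the two rules are missing in between: the login line only tells you who sent MSGID, and the bounce line only tells you that MSGID bounced, so something keyed by MSGID has to carry the login from the first match to the second. The per-login deque is what turns the joined bounces into "10 in 1 hour" for each sasl_username separately; the mapping is discarded if it is older than the window, which is what keeps a reused MSGID from being charged to an old login.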