Thanks Brent,
I thought since the Phase 1 picked up the hostname as the status I was
screwed from collecting it with regex but I was wrong. here is my
local_decoder for it:
[\.+]\s+[\.+]
(.*)
extra_data
NotificationException:
com.sun.mail.smtp.SMTPSendFailedException:
(.*)
Creating custom decoders isn't too terribly difficult to do; and I bet you
could pay someone else if you wanted to farm that out (I'm thinking of the
companies that specialize in OSSEC you may already know of).
But doing it yourself probably wouldn't be as difficult as it sounds... and
once