i would like to use crowdsec to evaluate my mail logs. My current idea is to 
block all users that try to login on port 25

smtp connected address=43.zzz.yy.xx host=<unknown>
smtp failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command 
not supported"
So the trigger is line 2 but the ip address is in line 1

Unfortunately there seems to be no way for crowdsec parser to evaluate 2 lines
Is there any chance or idea how I could change the logs to include the address 
in line 2


Hagen Bauer

Reply via email to