Hi Peter,

If you want to extract the source ip, you will need a new decoder. Something as simple as the following should work:

<decoder name="mailfoundry">
  <program_name>^in.smtpd</program_name>
  <prematch>^Rejecting connection from </prematch>
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) </regex>
  <order>srcip</order>
</decoder>

If you have more samples (or rules you made), please share with us to include in the next version.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Jun 9, 2008 at 2:37 PM, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
>
> Greetings:
>
> Given an entry like:
>
> May 30 09:22:02 mailx in.smtpd: Rejecting connection from
> 98.192.135.130 because the system load is too high
>
> or
>
> Jun 9 13:29:16 mailx in.smtpd: Rejecting connection from
> 200.21.94.206 because of Red Listing
>
> would I need a custom decoder to handle http://mailfoundry.com/
> appliance logs (syslog format)?
>
> If not, would I just use the syslog format?
>
> Thank you.
>
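To show how the three stages of that decoder (program_name, prematch, and the field regex with offset="after_prematch") cooperate on the two sample lines from the question, here is an added Python emulation; it is not OSSEC's own code, and it assumes a simplified model of OSSEC's matching order, with the OSSEC regex rewritten as a Python regex (dots escaped, which is stricter than the original's any-character dot).

```python
import re

# Constructed sample lines: the two from the question plus one unrelated
# sshd line that the decoder must ignore.
SAMPLE_LOGS = [
    "May 30 09:22:02 mailx in.smtpd: Rejecting connection from 98.192.135.130 because the system load is too high",
    "Jun 9 13:29:16 mailx in.smtpd: Rejecting connection from 200.21.94.206 because of Red Listing",
    "Jun 9 13:30:00 mailx sshd[123]: Accepted publickey for root from 10.0.0.5 port 22",
]

# Standard syslog header: timestamp, host, program[pid]: message
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# The mailfoundry decoder from the reply, expressed as Python regexes
# (assumption: this mirrors OSSEC's semantics closely enough for the demo).
DECODER = {
    "name": "mailfoundry",
    "program_name": re.compile(r"^in\.smtpd"),
    "prematch": re.compile(r"^Rejecting connection from "),
    "regex": re.compile(r"^(\d+\.\d+\.\d+\.\d+) "),
    "order": ["srcip"],
}

def decode(line, decoder=DECODER):
    """Emulate the decoder stages; return the decoded fields or None."""
    hdr = SYSLOG_HEADER.match(line)
    if not hdr:
        return None
    # Stage 1: <program_name> is checked against the syslog program field.
    if not decoder["program_name"].search(hdr.group("prog")):
        return None
    msg = hdr.group("msg")
    # Stage 2: <prematch> selects this decoder; offset="after_prematch"
    # means the field regex runs on the text that follows the prematch.
    pre = decoder["prematch"].search(msg)
    if not pre:
        return None
    rest = msg[pre.end():]
    # Stage 3: capture groups are assigned to the names listed in <order>.
    m = decoder["regex"].search(rest)
    if not m:
        return None
    fields = dict(zip(decoder["order"], m.groups()))
    fields["decoder"] = decoder["name"]
    return fields

def decode_all(lines):
    return [decode(line) for line in lines]
```

The extracted srcip is what lets a later rule correlate repeated rejections from the same address; the sshd line yields None because it never passes the program_name stage.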
