Hi, in my (mail)log I want to join information that is present (seldom) in my maillog on 2 lines. Example:

Dec 2 08:03:44 ns15 sm-acceptingconnections[19378]: qB2D3g8Q019378: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed
Dec 2 08:03:45 ns15 sm-acceptingconnections[19378]: qB2D3g8Q019378: modemcable105.183-177-173.mc.videotron.ca [173.177.183.105] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA-SSL

My goal is to trigger an active-response for the authentication failure. The problem is: the IP is on the second line. I saw there is a "multi-line" option in log_format, but in my case the mail log is not systematically composed of 2 lines. Is it possible to correlate these 2 lines only with OSSEC configuration?

Regards,
Nicolas Zin

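The two-line join the post asks about, written here as an added stand-alone Python illustration (not OSSEC rule syntax and not the poster's code): it keys on the sendmail queue id that both lines share (qB2D3g8Q019378 above) and reports the client IP once the second line arrives. The third sample line is constructed with a documentation address to show that a "did not issue" line with no preceding AUTH failure is ignored.

```python
"""Correlate a sendmail AUTH failure with the later line naming the client.

Added example: stand-alone Python, not OSSEC configuration. The AUTH
failure line carries no IP; the IP only appears on a later line for the
same queue id, so the two are joined on that id.
"""
import re

# Constructed sample: the two lines quoted in the post plus one unrelated
# connection (documentation IP 192.0.2.10) that must NOT produce an event.
SAMPLE_LOG = """\
Dec  2 08:03:44 ns15 sm-acceptingconnections[19378]: qB2D3g8Q019378: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed
Dec  2 08:03:45 ns15 sm-acceptingconnections[19378]: qB2D3g8Q019378: modemcable105.183-177-173.mc.videotron.ca [173.177.183.105] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA-SSL
Dec  2 08:05:10 ns15 sm-acceptingconnections[19380]: qB2D5A7X019380: host.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA-SSL
"""

# syslog prefix, program[pid], then the sendmail queue id and free text
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<qid>\w+): (?P<msg>.*)$"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def correlate_auth_failures(log_text):
    """Return one event per AUTH failure whose client IP shows up on a later
    line with the same queue id. Failures that never get an IP stay pending."""
    pending = {}   # queue id -> details of the AUTH failure line
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue   # not a sendmail line of the expected shape
        qid, msg = m.group("qid"), m.group("msg")
        if msg.startswith("AUTH failure"):
            pending[qid] = {"qid": qid, "host": m.group("host"), "ts": m.group("ts")}
            continue
        ip = IP_RE.search(msg)
        if ip and qid in pending:
            event = pending.pop(qid)   # each queue id is joined once
            event["ip"] = ip.group(1)
            events.append(event)
    return events


if __name__ == "__main__":
    for ev in correlate_auth_failures(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['host']}: auth failure from {ev['ip']} (queue {ev['qid']})")
```

The event list is what an active response would act on; in a long-running tail the pending dict should be aged out so queue ids that never get a second line do not accumulate.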