I have successfully created 2 rules that match lines I want to act on, but I'm struggling to find a way to correlate them.

First, a description of what I want to get:

Generate an event for a threshold, i.e. 10 events in 1 hour. The problem is I don't quite get how to count them correctly.

First is a line that has the username and mail ID, for example:

Jun  3 06:46:13 server1 postfix/smtpd[3268]: 626C5802295: client=unknown[], sasl_method=LOGIN, sasl_username=lo...@some.domain.com

I'm matching it with the pattern

pattern=postfix.*\]: (?<MSGID>\S+): .* sasl_username=(?<LOGIN>\S+)

The threshold should be for unique LOGINs and should count events matched by the second rule, i.e. lines like these:

Jun  3 06:46:14 server1 postfix/smtp[23808]: 626C5802295: to=<somb...@somewhere.com>, relay=somewhere.com[]:25, delay=1, delays=1/0.03/21/20, dsn=5.0.0, status=bounced (host somewhere.com[] said: 550-The mail server could not deliver mail to somb...@somewhere.com.  550-The account or domain may not exist, they may be blacklisted, or missing 550 the proper dns entries. (in reply to RCPT TO command))

I'm matching this line with the pattern

pattern=postfix\/smtp.*\]: (?<MSGID>\S+):.*dsn=5.*

The MSGID is identical in both lines.

I'm trying to count the bounces and execute an action if there are too many of them for a single sasl_username in a time period.

Btw, MSGIDs can repeat themselves over longer periods of time but should be unique within the threshold period.

I would be very thankful for any help.
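
The correlation described in the post, written out in Python rather than as SEC rules, as an added example that is not part of the original post: the first pattern records which LOGIN owns each MSGID, and the second counts bounces per LOGIN in a sliding window. The two patterns and the 10-per-hour threshold come from the post; the function names, the assumed year and UTC zone, and the constructed sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# The post's two patterns; Python spells named groups (?P<name>...).
LOGIN_RE = re.compile(r"postfix.*\]: (?P<MSGID>\S+): .* sasl_username=(?P<LOGIN>\S+)")
BOUNCE_RE = re.compile(r"postfix/smtp.*\]: (?P<MSGID>\S+):.*dsn=5.*")

def parse_ts(line, year=2024):
    # Syslog timestamps have no year or zone; year and UTC are assumptions.
    dt = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).timestamp()

def correlate(lines, window=3600, threshold=10):
    """Return [(login, bounce_count)] for each login reaching the threshold."""
    owner = {}                    # MSGID -> (LOGIN, time the mapping was seen)
    bounces = defaultdict(deque)  # LOGIN -> bounce times inside the window
    alerts = []
    for line in lines:
        now = parse_ts(line)
        # Queue IDs can be reused later, so forget mappings older than the window.
        for mid in [m for m, (_, t) in owner.items() if now - t > window]:
            del owner[mid]
        m = LOGIN_RE.search(line)
        if m:
            owner[m["MSGID"]] = (m["LOGIN"], now)
            continue
        m = BOUNCE_RE.search(line)
        if not m or m["MSGID"] not in owner:
            continue              # not a bounce, or no login known for this MSGID
        q = bounces[owner[m["MSGID"]][0]]
        q.append(now)
        while now - q[0] > window:
            q.popleft()           # slide the window forward
        if len(q) >= threshold:
            alerts.append((owner[m["MSGID"]][0], len(q)))
            q.clear()             # start counting again after an alert
    return alerts

def sample(login, n, prefix):
    """Constructed log lines: n messages from login, one per minute, each bounced."""
    out = []
    for i in range(n):
        mid, t = f"{prefix}{i:04X}", f"Jun  3 06:{i:02d}"
        out.append(f"{t}:13 server1 postfix/smtpd[3268]: {mid}: client=unknown[], "
                   f"sasl_method=LOGIN, sasl_username={login}")
        out.append(f"{t}:14 server1 postfix/smtp[23808]: {mid}: to=<x@example.net>, "
                   f"relay=example.net[]:25, dsn=5.0.0, status=bounced")
    return out
```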

