How to evaluate content from multiple lines

hbauer · June 22, 2022, 7:43am

I have trouble finding the right approach / documentation how to parse logs where the content is in two following lines

smtp connected address=43.zzz.yy.xx host=<unknown>
smtp failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"

The second line is indicating that someone tried to login on my smtp server which is not possible. No good user would try to do this. So I want to block the ip address which is in the line before. Unfortunately, “host=” is not a trigger.

I have figured out to find line #2 but don’t know how to get the IP from the previous line

alteredCoder · June 22, 2022, 8:25am

Hello,

Currently CrowdSec doesn’t support the parsing of multi lines

LuminatiHD · February 20, 2024, 9:16am

Is this still true? If yes, is there an effort being made to change that?

iiAmLoz · February 20, 2024, 10:23am

Multi line parsing is “kind of” supported since version 1.5 using the stash methods.

LuminatiHD · February 20, 2024, 11:48am

I will look into that. Thank you.

Topic		Replies	Views
Adding new smtp parser for failed logins crowdsec	1	803	June 21, 2022
Ban after number of attemps crowdsec	12	792	March 11, 2022
Is my setup working	4	1102	November 6, 2020
Journalctl parsers fails (solved) crowdsec	4	1163	March 5, 2023
How to do a SIMPLE log read and IP ban? crowdsec	7	201	June 16, 2024

How to evaluate content from multiple lines

Related topics