How to evaluate content from multiple lines

I have trouble finding the right approach / documentation how to parse logs where the content is in two following lines

smtp connected address=43.zzz.yy.xx host=<unknown>
smtp failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"

The second line is indicating that someone tried to login on my smtp server which is not possible. No good user would try to do this. So I want to block the ip address which is in the line before. Unfortunately, “host=” is not a trigger.

I have figured out to find line #2 but don’t know how to get the IP from the previous line


Currently CrowdSec doesn’t support the parsing of multi lines :confused: