I have trouble finding the right approach / documentation how to parse logs where the content is in two following lines
smtp connected address=43.zzz.yy.xx host=<unknown> smtp failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
The second line is indicating that someone tried to login on my smtp server which is not possible. No good user would try to do this. So I want to block the ip address which is in the line before. Unfortunately, “host=” is not a trigger.
I have figured out to find line #2 but don’t know how to get the IP from the previous line