postfix rules


George Paun

May 19, 2026, 5:59:31 AM
to Wazuh | Mailing List
Hi guys,

I'm trying to create some rules for Postfix or Rspamd that will trigger when someone sends multiple emails with the same subject in a short period of time, and another one for when someone sends a large volume of emails with different subjects. I have created the following decoders and rules.

Thanks,
George
Attachments: reguli postfix.txt (rules), decodoare postfix.txt (decoders)

George Paun

May 19, 2026, 6:02:23 AM
to Wazuh | Mailing List
Also, I put this in OSSEC:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/exim_mainlog</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/maillog</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/mail.log</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/rspamd/rspamd.log</location>
</localfile>

hasitha.u...@wazuh.com

May 19, 2026, 6:19:46 AM
to Wazuh | Mailing List
Hi George,

Please let me know if you encounter any issues with the shared custom ruleset or if you need any assistance improving the decoders or rules.

If you are still unable to get the expected results, could you please share the sample logs for each detection requirement separately? Also, please provide a clear description of the issue you are facing, including what you expected to happen and what result you are currently getting.

For example, you can refer to the documents below for more details regarding decoders and rules:

Let me know the update on this, with sample logs so we can check further.

George Paun

May 19, 2026, 6:22:27 AM
to hasitha.u...@wazuh.com, Wazuh | Mailing List
Hi Hasitha,

The rules don't trigger, and I don't know if I'm doing something wrong or missing something.

hasitha.u...@wazuh.com

May 19, 2026, 7:11:35 AM
to Wazuh | Mailing List

Hi George,

Thanks for the update.

To replicate this scenario on my end and review it properly, could you please share a few sample logs in text format? Please make sure to mask or remove any sensitive information before sharing them.

Without the sample logs, I won’t be able to accurately validate the decoders and rules or confirm what needs to be adjusted.

You can also test the sample logs using the wazuh-logtest tool to check how Wazuh is currently decoding and matching them.

Please let me know once you have an update, and I’ll be happy to check further.
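
As an added example (not part of this thread, not George's attached ruleset and not Wazuh's stock rules), here is one way to express both of George's requirements as a Wazuh decoder plus three rules over Postfix cleanup log lines, written so it can be checked with wazuh-logtest as suggested above. It assumes: Postfix is configured to log Subject headers through header_checks with a WARN action (that is what produces the "warning: header Subject:" line); the stock Wazuh "postfix" parent decoder (program_name ^postfix) is loaded, so the new decoder is declared as its child; and the rule IDs 100100 to 100102, the frequency/timeframe thresholds and the file paths are placeholders to adapt. The two log lines in the comment are constructed samples, not real traffic.

```xml
<!-- File 1 (assumed path): /var/ossec/etc/decoders/local_decoder.xml -->
<!--
  Constructed sample lines this decoder is written against (not real traffic).
  Postfix only logs Subject headers when header_checks is enabled, e.g.
    main.cf:                   header_checks = regexp:/etc/postfix/header_checks
    /etc/postfix/header_checks: /^Subject:/ WARN

  May 19 10:00:01 mx1 postfix/cleanup[2341]: 4Xy1a2b3c4d5: warning: header Subject: Invoice 2291 from mail.example.net[203.0.113.5]; from=<alice@example.com> to=<bob@example.org> proto=ESMTP helo=<mail.example.net>
  May 19 10:00:03 mx1 postfix/cleanup[2341]: 4Xy1a2b3c4d6: warning: header Subject: Invoice 2291 from mail.example.net[203.0.113.5]; from=<alice@example.com> to=<carol@example.org> proto=ESMTP helo=<mail.example.net>
-->
<decoder name="postfix-subject">
  <!-- Assumption: the stock Wazuh "postfix" parent decoder exists. -->
  <parent>postfix</parent>
  <prematch>warning: header Subject: </prematch>
  <!-- Capture the Subject text, the envelope sender and the recipient.
       Caveat: a Subject that itself contains " from " is cut at that point. -->
  <regex offset="after_prematch">^(\.+) from \S+; from=&lt;(\S+)&gt; to=&lt;(\S+)&gt;</regex>
  <order>subject, srcuser, dstuser</order>
</decoder>

<!-- File 2 (assumed path): /var/ossec/etc/rules/local_rules.xml -->
<group name="postfix,custom,">

  <!-- Base rule: one low-level event per logged Subject header. The two
       correlation rules below count matches of this rule. -->
  <rule id="100100" level="3">
    <program_name>^postfix/cleanup</program_name>
    <field name="subject">\.+</field>
    <description>Postfix: $(srcuser) sent "$(subject)" to $(dstuser)</description>
  </rule>

  <!-- Requirement 1: the same Subject repeated many times in a short window.
       frequency/timeframe are placeholder thresholds; tune to your traffic. -->
  <rule id="100101" level="10" frequency="10" timeframe="60">
    <if_matched_sid>100100</if_matched_sid>
    <same_field>subject</same_field>
    <description>Postfix: Subject "$(subject)" seen $(frequency) times in 60 s (possible bulk run)</description>
  </rule>

  <!-- Requirement 2: one envelope sender emitting a large volume of mail
       with varying Subjects. -->
  <rule id="100102" level="10" frequency="50" timeframe="300">
    <if_matched_sid>100100</if_matched_sid>
    <same_field>srcuser</same_field>
    <different_field>subject</different_field>
    <description>Postfix: $(srcuser) sent many messages with different subjects in 300 s</description>
  </rule>

</group>
```

Usage: paste one of the constructed lines into /var/ossec/bin/wazuh-logtest and confirm that the decoder phase shows the subject, srcuser and dstuser fields and that rule 100100 fires; that is the part logtest can prove. The frequency rules are best verified on the live manager by sending the test volume and watching /var/ossec/logs/alerts/alerts.json, since the exact point at which a frequency rule fires should be confirmed against the installed Wazuh release. Rule 100101 as written counts an identical Subject across all senders; add <same_field>srcuser</same_field> to it if the requirement is "the same sender repeating a subject" rather than "anyone repeating a subject".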

hasitha.u...@wazuh.com

12:30 AM (11 hours ago)
to Wazuh | Mailing List

Hi George,

If you still need help with this, please feel free to share some sample logs. I’ll review them and try to replicate the issue on my end.

Thanks!
