# Fetch and enable the amavis parser from the CrowdSec hub (installs it under the local parsers directory).
cscli parsers install crowdsecurity/amavis-logs
This parser matches amavis verdict lines; for example, the line logged when a message is blocked as infected:
Feb 23 04:55:57 xyz amavis[4051607]: (4051607-09) Blocked INFECTED (Porcupine.Phishing.55542.UNOFFICIAL) {DiscardedInbound,Quarantined}, [192.168.0.1]:1434 [192.168.0.1] <someone1@something1.com> -> <someon2@something2.com>, quarantine: 2/virus-26W2lJY63nCZ, Queue-ID: 83B741009CD35, Message-ID: <20240223075525.8CD9941B67@xxx.xxx.shop>, mail_id: 26W2lJY63nCZ, Hits: -, size: 28646, 104 ms
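# Parses amavis verdict lines of the form
#   "(<id>) <Action> <CATEGORY> (<detail>) {<flags>}, [<relay>]:<port> [<origin>] <from> -> <to>, <key: value, ...>, <n> ms"
# into evt.Parsed.* fields and a few evt.Meta.* keys for downstream scenarios.
onsuccess: next_stage
name: crowdsecurity/amavis-logs
description: "Parse amavis logs"
# Only lines already attributed to the amavis program by the upstream syslog parser reach this stage.
filter: "evt.Parsed.program == 'amavis'"
pattern_syntax:
  # Key is hyphenated: read it as evt.Parsed["amavis_message-id"] in expr (dot access would read as a subtraction).
  AMAVIS_MESSAGEID: "Message-ID: <%{DATA:amavis_message-id}>"
  AMAVIS_SIZE: "size: %{POSINT:amavis_size}"
  AMAVIS_TESTS: 'Tests: \[%{DATA:amavis_tests}\]'
  AMAVIS_FROM: "From: %{DATA:amavis_header_from}"
  # "Hits: -" (as in the sample line) does not match NUMBER; it is absorbed by the %{DATA}
  # fallback in AMAVIS_KV, so amavis_hits stays unset instead of failing the whole parse.
  AMAVIS_HITS: "Hits: %{NUMBER:amavis_hits}"
  AMAVIS_QUARANTINE: "quarantine: %{NOTSPACE:amavis_quarantine}"
  AMAVIS_SUBJECT: 'Subject: "%{DATA:amavis_subject}"'
  # Comma-separated key/value tail. Unknown keys fall through to %{DATA}, so extra amavis
  # fields do not break parsing; the trailing "<n> ms" anchors the end of the tail.
  AMAVIS_KV: "((%{AMAVIS_MESSAGEID}|%{AMAVIS_SIZE}|%{AMAVIS_TESTS}|%{AMAVIS_FROM}|%{AMAVIS_HITS}|%{AMAVIS_QUARANTINE}|%{AMAVIS_SUBJECT}|%{DATA}), )*"
  # Main line.
  #  - The parenthesised detail after the verdict is now optional: amavis is believed to omit it
  #    for verdicts such as CLEAN/SPAM ("Passed CLEAN {RelayedInbound}"), which previously never
  #    matched at all — confirm against live logs. Lines that matched before still match.
  #  - "amavis_acions" is a typo kept on purpose: existing scenarios may reference
  #    evt.Parsed.amavis_acions, and renaming it would silently break them.
  #  - amavis_from / amavis_to are envelope addresses supplied by the remote sender (untrusted
  #    input captured with DATA); treat them as informational, never as a trust decision.
  AMAVIS: '\(%{DATA:amavis_id}\) %{WORD:amavis_action} %{NOTSPACE:amavis_category}( \(%{DATA:amavis_match}\))?( \{%{DATA:amavis_acions}\})?, \[(IPv6:)?%{IP:amavis_relay_ip}\]:%{POSINT:src_port} \[(IPv6:)?%{IP:amavis_amavis_origin_ip}\] <%{DATA:amavis_from}> -> <%{DATA:amavis_to}>, %{AMAVIS_KV}%{POSINT:amavis_elapsedtime} ms'
grok:
  name: "AMAVIS"
  apply_on: message
statics:
  - meta: service
    value: amavis
  - meta: log_type
    value: "amavis"
  # NOTE(review): source_ip is taken from the FIRST bracketed address. In amavis's default log
  # template that is the SMTP client that connected to amavisd (frequently the local MTA), while the
  # second bracketed address is the originating client. A scenario that bans on source_ip could
  # therefore ban your own relay; consider evt.Parsed.amavis_amavis_origin_ip instead — verify which
  # address your amavis log_templates emit first before changing this.
  - meta: source_ip
    expression: "evt.Parsed.amavis_relay_ip"
  # Exposed so scenarios can tell "Blocked" from "Passed" once non-blocked verdicts parse.
  - meta: amavis_action
    expression: "evt.Parsed.amavis_action"
  - meta: amavis_category
    expression: "evt.Parsed.amavis_category"
  - meta: amavis_match
    expression: "evt.Parsed.amavis_match"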