How to use mail alert body data in external script for user defined alerts (thresholds)

Hi,

I have set up thresholds in smart view monitor to send SNMP trap alert on policy push.
As configured I am receiving mail alert every time a policy is pushed with policy information as mail body.

Now I want an external script to get triggered by the same scenario
and I want to use policy information in the external script.

External script is getting triggered.
How can I use the policy information (sent by the mail alert as the mail body) in an external script?
Is there any variable which I can send as an argument to get this data in the script?

14 Replies
Admin

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

I'm pretty sure the same information is sent in both circumstances (through stdin to the command that is being called).

0 Kudos

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

Hi,

We need to pass some argument to the script. Is it some specific argument name which I need to pass to stdin?

I tried passing "alert" as the argument to my script in the following way, but it didn't work:

path_to_script/myscript.sh "alert"

0 Kudos
Admin

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

I assume you should be able to read the arguments passed via the CLI command that calls your script in the standard way.

Unless we're not passing the arguments when the script is called (which is possible).

The data that is provided as part of the log that triggers the script would be passed through stdin (I believe). 

0 Kudos

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

Dameon Welch Abernathy How can we get the list of arguments / parameters so I can use them in my external script?

Thanks

0 Kudos
Admin

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

We are not passing specific arguments. 

We are passing the relevant log entry through stdin to the script.

What is passed will depend on the log entry.

Viewing logs using the CLI command "fw log" will give you a rough idea of what is sent (and it will vary depending on the log entry).

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

Dameon Welch Abernathy Thanks for replying. How can I call that specific log from the script?

0 Kudos
Admin

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

When you specify tracking for a given rule as, e.g., User Defined 1, the appropriate script defined in Global Properties for User Defined 1 is called with the relevant log entry sent through the standard input.

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

Dameon Welch Abernathy Thank you for the reply.

As you can see I have defined my external script here so once a matching rule is met the script is executing successfully.

In the script (UD_SCRIPT) I have a simple code which will print lines and a text into a text file. Below is my script content.

If the policy is met the following script will execute.

So when I view the text file that was created by the script, I can see that the script executed successfully.

What I want is to get the following values through my external script

HeaderDateHour: 24May2018 17:36:51; ContentVersion: x; HighLevelLogKey: N/A; LogUid: N/A; SequenceNum: N/A; Action: ctl; Origin: xxxxx; IfDir: >; IfName: N/A; Alert: mail; OriginSicName: CN=xxxxxxxxx,O=cpm.xxxx; OriginSicName: CN=xxxxxxxxxxx,O=cxxxxxxxx..xxxx; HighLevelLogKey: xxxxxxxxxxx; cluster_info: (ClusterXL) member 1 (xx.xx.xx.xx) is down.; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

How can I do this? Thanks for your time and for replying

0 Kudos
Admin

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

$1 is the first argument passed to the script, which is not the same thing as standard input.

You want to use the "read" command.

Using your sample, it'd be something like:

#!/bin/bash
echo "-----------" >> /tmp/kbs1.txt
# Read the log record from standard input; -r keeps any backslashes in it literal.
IFS= read -r input
# Quote the variable so the record is written unchanged (no word splitting or globbing).
echo "$input" >> /tmp/kbs1.txt

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

Dameon Welch Abernathy Thank you very much, this worked!

0 Kudos

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

Am I to understand there is NO facility to format the email that gets sent via sendmail from the SMS when enabling alerts? No XML, no text file? Really? This is just gibberish for a customer. What was the purpose for the alerts? Is there any COMPLETE documentation on the abilities or the lack thereof?

0 Kudos

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

Hello, is there any way to format these emails? This is all gibberish to the customer. No XML? No text files? To adjust only the fields we want to see? Any documentation on what all these fields are?

HeaderDateHour: 20Mar2019 0:22:33; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x5c91c009,0x0,0x17000b0a,0xc0000002}; SequenceNum: 1; Action: accept; Origin: GCBFW2; IfDir: >; InterfaceName: eth2; Alert: mail; OriginSicName: CN=GCBFW2,O=PGCB-Mgmt..7dm32n; OriginSicName: CN=GCBFW2,O=PGCB-Mgmt..7dm32n; HighLevelLogKey: 18446744073709551615; inzone: Internal; outzone: Local; service_id: ssh; src: V84af7e3e-e52f-4e45-8b5e-ce3a21a5d21e; dst: GCBFW2; proto: tcp; xlatesrc: ; xlatedst: ; NAT_rulenum: 107; NAT_addtnl_rulenum: 1; security_inzone: Interface_inside; security_outzone: ; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 272f1cae-8179-4bb4-b5e6-e46943b12057; layer_name: Hbg_5600_Cluster Network; rule_uid: 379515d1-7b4f-42f9-99f3-3ec0fba782d1; rule_name: SSH Access to GW's or SMS will generate an email.; action: 2; parent_rule: 0; ROW_END: 0; UP_match_table: TABLE_END; UP_alert_table: TABLE_START; ROW_START: 0; alert: mail; ROW_END: 0; UP_alert_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ssh; sport_svc: 57388; xlatedport_svc: ; xlatesport_svc: ; ProductFamily: Network;

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

Hi, good question. Is there any way to format these emails?

mmm

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

After reading the questions and answers, I found myself with the same problem of trying to get the information in a readable-ish format, and going through an Office 365 cloud server. The internal_sendmail command wasn't working for me because the Mgmt server's hostname was only FW-MGT (didn't have an FQDN), so Office365 always rejected it. So I'm using the regular sendmail in Gaia. 

Note: In the Office365 Exchange Admin, I went to the spam whitelist and added the NAT address of the Mgmt server so that Office365 accepts the emails. It doesn't allow relays because the connection is not authenticated, and getting Auth to work was more trouble than I wanted.

The script reads the standard input and puts it into an $input variable. Then I use sed to replace the semi-colon with newlines, and write it to a file. Then I read the file again with sed, to output only the line that has either 'System Alert' or 'cluster_info' (the two most common events I found, but you can add more if you want), and put it into a $subject variable.

I then erase the file by writing the 'To: ' line, i.e. 'To: SOC team'.

Then I append the 'Subject: Check Point: $subject' line to the file, so that it's apparent what's going on from the subject of the email.

Then I append a blank line, and then append the $input processed as before with sed, changing semi-colons to newlines.

Finally I use sendmail with the --domain parameter so that Office365 accepts the EHLO command, -f as the email sender, -v as the email destination address, host as the mail server, and the input is the file we create above. As you can see I use Office365 with the yourdomain-com.mail.protection.outlook.com host.

The entire script looks like this:

#!/bin/bash
# Read the whole log record from standard input; -r keeps any backslashes literal.
IFS= read -r input
# One "Key: value" entry per line. $input is quoted so rule names containing spaces
# or '*' are not word-split or glob-expanded by the shell.
# Note: mail.txt is relative to the directory the alert mechanism starts the script in;
# an absolute path is safer.
printf '%s\n' "$input" | sed 's/;/\n/g' > mail.txt
subject="$(sed -n -e '/cluster_info/p' -e '/System Alert/p' mail.txt)"
echo "TO: SOC Team" > mail.txt
echo "Subject: Check Point: $subject" >> mail.txt
echo "" >> mail.txt
printf '%s\n' "$input" | sed 's/;/\n/g' >> mail.txt
# The message composed above is fed to sendmail from the file.
sendmail --domain=checkpoint.com -f cpalerts@checkpoint.com -v alerts@yourdomain.com --host=yourdomain-com.mail.protection.outlook.com < mail.txt

Remember to chmod 555 the script so that it can run, and then use it in the User defined alerts of Global Properties.

The email you receive will look something like:

Subject: Check Point:  System Alert message: CLUSTER-CP is disconnected

 HeaderDateHour: 5Aug2019 21:34:21
 ContentVersion: 5
 HighLevelLogKey: N/A
 Uuid: {0x0,0x0,0x0,0x0}
 SequenceNum: 1
 Action:
 Origin: FW-MGT
 IfDir: <
 IfName: N/A
 Alert: useralert
 OriginSicName: N/A
 System Alert message: GW1 is disconnected
 Object: GW1
 Event: Exception
 Parameter: status_connection
 Condition: is
 Current value: 8
 ProductName: System Monitor
 ProductFamily: Network

0 Kudos
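As an added example (not code from the thread, and not Check Point's own), the following script generalises the two approaches above: it reads the record that the User Defined alert passes on standard input, splits it into "Key: value" entries, looks up individual fields by name, derives a subject from the most descriptive field present, and prints a complete mail message that can be piped into sendmail as in the previous post. The sample record, the list of candidate subject fields, and the sender and recipient addresses are constructed for the demo; the split uses awk rather than sed so it does not depend on GNU sed's \n extension.

```bash
#!/bin/bash
# Added example, not code from the thread: parse the "Key: value; Key: value;" record that
# a User Defined alert hands the script on standard input, pick a subject line from it,
# and emit a readable mail message. Field names follow the records quoted in the thread;
# the record below is constructed for the demo.

SAMPLE_RECORD='HeaderDateHour: 5Aug2019 21:34:21; ContentVersion: 5; Action: ; Origin: FW-MGT; Alert: useralert; System Alert message: GW1 is disconnected; Object: GW1; Event: Exception; Parameter: status_connection; Condition: is; Current value: 8; ProductName: System Monitor; ProductFamily: Network;'

# record_to_lines RECORD: one "Key: value" entry per line, outer whitespace trimmed,
# empty entries (e.g. after the trailing ";") dropped.
record_to_lines() {
    printf '%s\n' "$1" | awk 'BEGIN { RS = ";" }
        { sub(/^[ \t\n]+/, ""); sub(/[ \t\n]+$/, ""); if (length($0) > 0) print }'
}

# field_value RECORD KEY: value of the first entry named KEY, empty if absent or blank.
# Matching "KEY:" at column 1 keeps "Origin" from also matching "OriginSicName".
field_value() {
    record_to_lines "$1" | awk -v key="$2" '
        index($0, key ":") == 1 { v = substr($0, length(key) + 2); sub(/^ +/, "", v); print v; exit }'
}

# alert_subject RECORD: the most descriptive field present, tried in order of usefulness
# (the candidate list is an assumption; extend it for the events you care about).
alert_subject() {
    for key in "System Alert message" "cluster_info" "rule_name" "Alert"; do
        v=$(field_value "$1" "$key")
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    printf '%s\n' "unclassified alert"
}

# build_mail RECORD RECIPIENT: print a complete message (headers, blank line, one field per
# line) suitable for piping into sendmail. Values originate from log data the gateway saw
# (rule names, hosts), so they are only ever quoted, never evaluated.
build_mail() {
    printf 'To: %s\n' "$2"
    printf 'Subject: Check Point: %s\n' "$(alert_subject "$1")"
    printf 'From: %s\n\n' "cpalerts@example.com"   # assumed sender, adjust to your domain
    record_to_lines "$1"
}

# Stand-alone use: with --stdin the record is read from standard input, as the alert
# mechanism provides it; otherwise the constructed sample is used so the script can be
# tried without a management server.
if [ "${1:-}" = "--stdin" ]; then
    IFS= read -r record
else
    record="$SAMPLE_RECORD"
fi
build_mail "$record" "soc@example.com"
```

From a User Defined alert the script would be called with `--stdin` and its output piped into the Gaia sendmail command used in the previous post; without arguments it prints the message for the constructed sample. Because every value in the record is data the gateway logged rather than something the script controls, the functions only quote those values and never hand them to eval or to another command unquoted.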