Ekta_Siwani1
Contributor

How to use mail alert body data in external script for user defined alerts (thresholds)

Hi,

I have set up thresholds in smart view monitor to send SNMP trap alert on policy push.
As configured I am receiving mail alert every time a policy is pushed with policy information as mail body.

Now I want an external script to get triggered by the same scenario
and I want to use policy information in the external script.

External script is getting triggered.
How can I use the policy information (sent by the mail alert as the mail body) in an external script?
Is there any variable which I can send as an argument to get this data in the script?

16 Replies
PhoneBoy
Admin

I'm pretty sure the same information is sent in both circumstances (through stdin to the command that is being called).

0 Kudos
Ekta_Siwani1
Contributor

Hi,

We need to pass some argument to the script. Is it some specific argument name which I need to pass to stdin?

I tried passing "alert" as the argument to my script in the following way, but it didn't work:

path_to_script/myscript.sh "alert"

0 Kudos
PhoneBoy
Admin

I assume you should be able to read the arguments passed via the CLI command that calls your script in the standard way.

Unless we're not passing the arguments when the script is called (which is possible).

The data that is provided as part of the log that triggers the script would be passed through stdin (I believe). 

0 Kudos
Shehan_Wickrama
Collaborator

Dameon Welch Abernathy How can we get the list of arguments/parameters so I can use the same in my external script?

Thanks

0 Kudos
PhoneBoy
Admin

We are not passing specific arguments.

We are passing the relevant log entry thru stdin to the script.

What is passed will depend on the log entry.

Viewing logs using the CLI command "fw log" will give you a rough idea of what is sent (and it will vary depending on the log entry).

Shehan_Wickrama
Collaborator

Dameon Welch Abernathy Thanks for replying. How can I call that specific log from the script?

0 Kudos
PhoneBoy
Admin

When you specify tracking for a given rule as, e.g., User Defined 1, the appropriate script defined in Global Properties for User Defined 1 is called with the relevant log entry sent through the standard input.
Shehan_Wickrama
Collaborator

Dameon Welch Abernathy Thank you for the reply.

As you can see I have defined my external script here so once a matching rule is met the script is executing successfully.

In the script (UD_SCRIPT) I have simple code which prints lines and some text into a text file. Below is my script content.

If the policy is met the following script will execute.

So when I view the text file that was created by the script, I can see that the script executed successfully.

What I want is to get the following values through my external script

HeaderDateHour: 24May2018 17:36:51; ContentVersion: x; HighLevelLogKey: N/A; LogUid: N/A; SequenceNum: N/A; Action: ctl; Origin: xxxxx; IfDir: >; IfName: N/A; Alert: mail; OriginSicName: CN=xxxxxxxxx,O=cpm.xxxx; OriginSicName: CN=xxxxxxxxxxx,O=cxxxxxxxx..xxxx; HighLevelLogKey: xxxxxxxxxxx; cluster_info: (ClusterXL) member 1 (xx.xx.xx.xx) is down.; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

How can I do this? Thanks for your time and for replying

0 Kudos
PhoneBoy
Admin

$1 is the first argument passed to the script, which is not the same thing as standard input.

You want to use the "read" command.

Using your sample, it'd be something like:

#!/bin/bash

echo "-----------" >> /tmp/kbs1.txt

# read the log entry from standard input (-r keeps backslashes as they are)
read -r input

# quote the variable so spaces and shell metacharacters in the entry are kept intact
echo "$input" >> /tmp/kbs1.txt

Shehan_Wickrama
Collaborator

Dameon Welch Abernathy Thank you very much, this worked!

0 Kudos
jerryroy1
Participant

Am I to understand there is NO facility to format the email that gets sent via sendmail from the SMS when enabling alerts? No XML, no text file? Really? This is just gibberish for a customer. What was the purpose for the alerts? Is there any COMPLETE documentation on the abilities or the lack thereof?

0 Kudos
jerryroy1
Participant

Hello, is there any way to format these emails? This is all gibberish to the customer. No XML? No text files? To adjust only the fields we want to see? Any documentation on what all these fields are?

HeaderDateHour: 20Mar2019 0:22:33; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x5c91c009,0x0,0x17000b0a,0xc0000002}; SequenceNum: 1; Action: accept; Origin: GCBFW2; IfDir: >; InterfaceName: eth2; Alert: mail; OriginSicName: CN=GCBFW2,O=PGCB-Mgmt..7dm32n; OriginSicName: CN=GCBFW2,O=PGCB-Mgmt..7dm32n; HighLevelLogKey: 18446744073709551615; inzone: Internal; outzone: Local; service_id: ssh; src: V84af7e3e-e52f-4e45-8b5e-ce3a21a5d21e; dst: GCBFW2; proto: tcp; xlatesrc: ; xlatedst: ; NAT_rulenum: 107; NAT_addtnl_rulenum: 1; security_inzone: Interface_inside; security_outzone: ; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 272f1cae-8179-4bb4-b5e6-e46943b12057; layer_name: Hbg_5600_Cluster Network; rule_uid: 379515d1-7b4f-42f9-99f3-3ec0fba782d1; rule_name: SSH Access to GW's or SMS will generate an email.; action: 2; parent_rule: 0; ROW_END: 0; UP_match_table: TABLE_END; UP_alert_table: TABLE_START; ROW_START: 0; alert: mail; ROW_END: 0; UP_alert_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ssh; sport_svc: 57388; xlatedport_svc: ; xlatesport_svc: ; ProductFamily: Network;

Maciej_Maczka
Contributor

Hi, good question. Is there any way to format these emails?

mmm
Eli_Faskha
Participant

After reading the questions and answers, I found myself with the same problem of trying to get the information in a readable-ish format, and going through an Office 365 cloud server. The internal_sendmail command wasn't working for me because the Mgmt server's hostname was only FW-MGT (didn't have an FQDN), so Office365 always rejected it. So I'm using the regular sendmail in Gaia. 

Note: In the Office365 Exchange Admin, I went to the spam whitelist and added the NAT address of the Mgmt server so that Office365 accepts the emails. It doesn't allow relays because the connection is not authenticated, and getting Auth to work was more trouble than I wanted.

The script reads the standard input and puts it into an $input variable. Then I use sed to replace the semi-colon with newlines, and write it to a file. Then I read the file again with sed, to output only the line that has either 'System Alert' or 'cluster_info' (the two most common events I found, but you can add more if you want), and put it into a $subject variable.

I then erase the file by writing the 'To: ' line, i.e. 'To: SOC team'.

Then I append the 'Subject: Check Point: $subject' line to the file, so that it's apparent what's going on from the subject of the email.

Then I append a blank line, and then append the $input processed as before with sed, changing semi-colons to newlines.

Finally I use sendmail with the --domain parameter so that Office365 accepts the EHLO command, -f as the email sender, -v as the email destination address, host as the mail server, and the input is the file we create above. As you can see I use Office365 with the yourdomain-com.mail.protection.outlook.com host.

The entire script looks like this:

#!/bin/bash
# read the log entry that the alert mechanism passes on standard input
read -r input
# one "Key: value" per line so the subject can be found and the body is readable
echo "$input" | sed 's/;/\n/g' > mail.txt
subject="$(sed -n -e '/cluster_info/p' -e '/System Alert/p' mail.txt)"
# overwrite the file with the mail headers, then append the formatted entry
echo "TO: SOC Team" > mail.txt
echo "Subject: Check Point: $subject" >> mail.txt
echo "" >> mail.txt
echo "$input" | sed 's/;/\n/g' >> mail.txt
# the message is the file built above, fed to sendmail on standard input
sendmail --domain=checkpoint.com -f cpalerts@checkpoint.com -v alerts@yourdomain.com --host=yourdomain-com.mail.protection.outlook.com < mail.txt

Remember to chmod 555 the script so that it can run, and then use it in the User defined alerts of Global Properties.

The email you receive will look something like:

Subject: Check Point:  System Alert message: CLUSTER-CP is disconnected

 HeaderDateHour: 5Aug2019 21:34:21
 ContentVersion: 5
 HighLevelLogKey: N/A
 Uuid: {0x0,0x0,0x0,0x0}
 SequenceNum: 1
 Action:
 Origin: FW-MGT
 IfDir: <
 IfName: N/A
 Alert: useralert
 OriginSicName: N/A
 System Alert message: GW1 is disconnected
 Object: GW1
 Event: Exception
 Parameter: status_connection
 Condition: is
 Current value: 8
 ProductName: System Monitor
 ProductFamily: Network
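Building on PhoneBoy's read-from-stdin answer and Eli's sed-based formatting above, here is an added example that is not code from the thread or from Check Point: it splits the entry into "Key: value" fields, looks fields up by name (so values that themselves contain ':' survive) and picks the subject by key, falling back to an "Action from Origin" summary for entries that carry neither cluster_info nor a System Alert message. The sample entry, host names and the /tmp/cp_alert.txt path are assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread: parse the "Key: value; Key: value; ..."
# log entry that a user-defined alert script receives on stdin into a readable
# mail body and derive a mail subject from it. SAMPLE below is constructed.

# One "Key: value" pair per line. Splitting on ';' rather than ':' keeps values
# such as OriginSicName's "CN=...,O=..." intact.
format_body() {
    local rest="$1" pair
    while [ -n "$rest" ]; do
        pair="${rest%%;*}"            # text before the first ';'
        if [ "$pair" = "$rest" ]; then rest=""; else rest="${rest#*;}"; fi
        pair="${pair# }"              # drop the space that follows each ';'
        if [ -n "$pair" ]; then printf '%s\n' "$pair"; fi
    done
}

# Value of one key (first occurrence), empty if the entry lacks it.
field() {
    format_body "$1" | while IFS= read -r pair; do
        case "$pair" in
            "$2: "*) printf '%s\n' "${pair#"$2: "}" ;;
        esac
    done | head -n 1
}

# Subject: the event text when the entry carries one, else "Action from Origin".
alert_subject() {
    local key value
    for key in "System Alert message" "cluster_info"; do
        value=$(field "$1" "$key")
        if [ -n "$value" ]; then
            printf 'Check Point: %s\n' "$value"
            return 0
        fi
    done
    printf 'Check Point: %s from %s\n' "$(field "$1" Action)" "$(field "$1" Origin)"
}

# Complete message: headers, blank line, one field per line.
build_mail() {
    printf 'To: SOC Team\nSubject: %s\n\n%s\n' "$(alert_subject "$1")" "$(format_body "$1")"
}

# Constructed entry in the format shown in the thread (hosts and names invented).
SAMPLE='HeaderDateHour: 24May2018 17:36:51; Action: ctl; Origin: sms01; IfDir: >; Alert: mail; OriginSicName: CN=sms01,O=cpm.example; cluster_info: (ClusterXL) member 1 (10.0.0.1) is down.; ProductName: VPN-1 & FireWall-1;'
# Deployed as the user-defined alert script the entry arrives on stdin, so replace
# the demo call below with:  read -r entry; build_mail "$entry" > /tmp/cp_alert.txt
build_mail "$SAMPLE"
```

The output of build_mail can be handed to sendmail in place of the mail.txt file above; the subject line is then the event text rather than a raw field dump.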


Gawel
Explorer

Hi

I also would like to use this feature but so far no luck 😕

For the moment I use a simple script just to confirm that I can capture the log data, as below:

[Expert@sms01:0]# ll $FWDIR/bin/ud_script.sh
-rwxrwxrwx 1 admin bin 92 Jul 1 14:06 /opt/CPsuite-R81/fw1/bin/ud_script.sh

[Expert@sms:0]# cat $FWDIR/bin/ud_script.sh
#!/bin/bash
echo "-----------" >> /tmp/kbs1.txt
read input
echo $input >> /tmp/kbs1.txt


In Global Properties I checked "Run UserDefined Script" and set path:
$FWDIR/bin/ud_script.sh

I set track method on access rule to "Log - User Alert 1"

The kbs1.txt file is not being created in /tmp.

Can someone give me a clue why this feature is not working?

0 Kudos
da1
Explorer

You need to put the script on the management machine, NOT the FW machine.

0 Kudos
