
How to use mail alert body data in external script for user defined alerts (thresholds)

Hi,

I have set up thresholds in SmartView Monitor to send an SNMP trap alert on policy push.
As configured, I am receiving a mail alert every time a policy is pushed, with the policy information as the mail body.

Now I want an external script to get triggered by the same scenario
and I want to use policy information in the external script.

External script is getting triggered.
How can I use the policy information (sent by the mail alert as the mail body) in an external script?
Is there any variable which I can send as an argument to get this data in the script?

12 Replies
Admin

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

I'm pretty sure the same information is sent in both circumstances (through stdin to the command that is being called).

0 Kudos

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

Hi,

We need to pass some argument to the script. Is it some specific argument name which I need to pass to stdin?

I tried passing "alert" as the argument with my script in the following way, but it didn't work:

path_to_script/myscript.sh "alert"

0 Kudos
Admin

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

I assume you should be able to read the arguments passed via the CLI command that calls your script in the standard way.

Unless we're not passing the arguments when the script is called (which is possible).

The data that is provided as part of the log that triggers the script would be passed through stdin (I believe). 

0 Kudos

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

Dameon Welch Abernathy, how can we get the list of arguments / parameters so I can use the same in my external script?

Thanks

0 Kudos
Admin

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

We are not passing specific arguments. 

We are passing the relevant log entry thru stdin to the script.

What is passed will depend on the log entry.

Viewing logs using the CLI command "fw log" will give you a rough idea of what is sent (and it will vary depending on the log entry).

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

Dameon Welch Abernathy Thanks for replying. How can I call that specific log from the script?

0 Kudos
Admin

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

When you specify tracking for a given rule as, e.g., User Defined 1, the appropriate script defined in Global Properties for User Defined 1 is called with the relevant log entry sent through the standard input.

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

Dameon Welch Abernathy Thank you for the reply.

As you can see I have defined my external script here so once a matching rule is met the script is executing successfully.

In the script (UD_SCRIPT) I have simple code which will print lines and text into a text file. Below is my script content.

If the policy is met the following script will execute.

So when I view the text file that was created by the script I can see that the script executed successfully.

What I want is to get the following values through my external script

HeaderDateHour: 24May2018 17:36:51; ContentVersion: x; HighLevelLogKey: N/A; LogUid: N/A; SequenceNum: N/A; Action: ctl; Origin: xxxxx; IfDir: >; IfName: N/A; Alert: mail; OriginSicName: CN=xxxxxxxxx,O=cpm.xxxx; OriginSicName: CN=xxxxxxxxxxx,O=cxxxxxxxx..xxxx; HighLevelLogKey: xxxxxxxxxxx; cluster_info: (ClusterXL) member 1 (xx.xx.xx.xx) is down.; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

How can I do this? Thanks for your time and for replying

0 Kudos
Admin

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

$1 is the first argument passed to the script, which is not the same thing as standard input.

You want to use the "read" command.

Using your sample, it'd be something like:

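#!/bin/bash

# Separator between alert entries
echo "-----------" >> /tmp/kbs1.txt

# Read the log entry from standard input (-r keeps backslashes literal)
read -r input

# Quote the variable so the shell does not glob or word-split the log text
echo "$input" >> /tmp/kbs1.txt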

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

Dameon Welch Abernathy Thank you very much, this worked!

0 Kudos
jerryroy1
Ivory

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

Am I to understand there is NO facility to format the email that gets sent via sendmail from the SMS when enabling alerts? No XML, no text file? Really? This is just gibberish for a customer. What was the purpose for the alerts? Is there any COMPLETE documentation on the abilities or the lack thereof?

0 Kudos
jerryroy1
Ivory

Re: How to use mail alert body data in external script for user defined alerts (thresholds)

Hello, Is there any way to format these emails? This is all gibberish to the customer. No xml? no text files? to adjust only the fields we want to see? Any documentation on what all these fields are?

HeaderDateHour: 20Mar2019 0:22:33; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x5c91c009,0x0,0x17000b0a,0xc0000002}; SequenceNum: 1; Action: accept; Origin: GCBFW2; IfDir: >; InterfaceName: eth2; Alert: mail; OriginSicName: CN=GCBFW2,O=PGCB-Mgmt..7dm32n; OriginSicName: CN=GCBFW2,O=PGCB-Mgmt..7dm32n; HighLevelLogKey: 18446744073709551615; inzone: Internal; outzone: Local; service_id: ssh; src: V84af7e3e-e52f-4e45-8b5e-ce3a21a5d21e; dst: GCBFW2; proto: tcp; xlatesrc: ; xlatedst: ; NAT_rulenum: 107; NAT_addtnl_rulenum: 1; security_inzone: Interface_inside; security_outzone: ; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 272f1cae-8179-4bb4-b5e6-e46943b12057; layer_name: Hbg_5600_Cluster Network; rule_uid: 379515d1-7b4f-42f9-99f3-3ec0fba782d1; rule_name: SSH Access to GW's or SMS will generate an email.; action: 2; parent_rule: 0; ROW_END: 0; UP_match_table: TABLE_END; UP_alert_table: TABLE_START; ROW_START: 0; alert: mail; ROW_END: 0; UP_alert_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ssh; sport_svc: 57388; xlatedport_svc: ; xlatesport_svc: ; ProductFamily: Network;

0 Kudos
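
Added example, not part of any post in this thread and not Check Point code: a script function that reads the log entry from standard input, as the replies above describe, and keeps only chosen fields, which also covers the later question about trimming the alert text. It assumes the `Key: value; ` layout seen in the samples quoted in the thread; the name `format_alert` and the sample entry are constructed for illustration.

```shell
#!/bin/bash
# Added example. Assumes the entry arrives on stdin as "Key: value; Key: value;"
# (layout inferred from the samples in this thread, not from documentation).

# format_alert FIELDS: FIELDS is a comma-separated list of keys to keep.
# Prints "Key = value" for each requested key that is present, in the order
# requested. When a key repeats (e.g. OriginSicName) the first value wins.
# Limitation: a value that itself contains "; " is split at that point.
format_alert() {
    # Log values such as rule_name are free text: strip control characters
    # before the text reaches a file, a terminal or a mail body.
    tr -d '\000-\010\013-\037\177' | awk -v want="$1" '
    { entry = entry (NR > 1 ? " " : "") $0 }    # join input lines
    END {
        n = split(entry, parts, /; /)
        for (i = 1; i <= n; i++) {
            p = parts[i]
            sub(/;[ \t]*$/, "", p)              # ";" closing the last pair
            sep = index(p, ": ")
            if (sep == 0) continue              # not a Key: value pair
            key = substr(p, 1, sep - 1)
            if (!(key in val)) val[key] = substr(p, sep + 2)
        }
        m = split(want, keys, ",")
        for (j = 1; j <= m; j++)
            if (keys[j] in val) printf "%s = %s\n", keys[j], val[keys[j]]
    }'
}

# Constructed sample entry (placeholder names), shaped like the thread samples.
SAMPLE='HeaderDateHour: 20Mar2019 0:22:33; Action: accept; Origin: gw-example; Alert: mail; OriginSicName: CN=gw-example,O=mgmt-example; OriginSicName: CN=other,O=mgmt-example; service_id: ssh; xlatesrc: ; rule_name: SSH to gateway: send mail; action: 2; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;'

# Demo on the sample. In the alert script itself the entry is already on
# stdin, so the call is just: format_alert 'Origin,Action,rule_name' >> /tmp/kbs1.txt
printf '%s\n' "$SAMPLE" | format_alert 'Origin,Action,service_id,rule_name'
```

Keys are case-sensitive, so `Action` (accept) and `action` (the numeric value in the match table) are returned separately.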