cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Highlighted

Custom Mail alert

Hi, we want to get mail alert : 

HeaderDateHour: 25Sep2019 11:04:47;
ContentVersion: 5;
HighLevelLogKey: 6192227919086323757;
Uuid: {0x5d8b1f9f,0x6,0xd2f190a,0xc0000001};
SequenceNum: 68;
Action: drop;
Origin: fw1;
IfDir: >;
InterfaceName: bond1.600;
Alert: mail;

and etc.

but we have: 

HeaderDateHour: 25Sep2019 11:04:47; ContentVersion: 5; HighLevelLogKey: 6192227919086323757; Uuid: {0x5d8b1f9f,0x6,0xd2f190a,0xc0000001}; SequenceNum: 68; Action: drop; Origin: fw1; IfDir: >; InterfaceName: bond1.600; Alert: mail; OriginSicName: CN=fw1,O=srv-fwmgt-01.kfim.int.qaps4b; OriginSicName: CN=fw1,O=srv-fwmgt-01.kfim.int.qaps4b; HighLevelLogKey: 6192227919086323757; inzone: Internal; outzone: External; service_id: https; src: ******; dst: **********; proto: tcp; xlatesrc: fw-cluster; xlatedst: ; NAT_rulenum: 39; NAT_addtnl_rulenum: 1; UserCheck_incident_uid: A35E45FE-7E0B-1761-BA71-151F0654E3EF; user: Efimov-t (Efimov-t)(+)********** (V.Efimov)(+); src_user_name: Efimov-t (Efimov-t)(+)*******(V.Efimov)(+); src_machine_name: ws091@kfim.int; src_user_dn: CN=Efimov-t,OU=Admins,OU=Special Users,DC=kfim,DC=int(+)CN=V.Efimov,OU=Spb-users,OU=User Departments,DC=kfim,DC=int(+); snid: ; dst_user_name: ; dst_machine_name: ; dst_user_dn: ; UP_match_table: TAB E_START; ROW_START: 0; match_id: 178; layer_uuid: a26ede25-151d-4e2f-a863-ebea21a98bfd; layer_name: Network; rule_uid: 41195f98-14b7-4b3e-b582-726db64e9333; rule_name: Users_HTTP_HTTPS; action: 2; parent_rule: 0; ROW_END: 0; ROW_START: 1; match_id: 16777234; layer_uuid: 91658237-8cf4-45ab-8726-bad986646bb7; layer_name: Application; rule_uid: 894cc470-c30c-4d83-b12b-f66866da1219; rule_name: Teamviewer_Block; action: 0; parent_rule: 0; ROW_END: 1; UP_match_table: TABLE_END; context_num: 1; ProductName: VPN-1 & FireWall-1; svc: https; sport_svc: 30570; xlatedport_svc: ; xlatesport_svc: 37809; ProductFamily: Network;

 

what we should use in Run mail alert script ? thank you

0 Kudos
3 Replies
Danny
Pearl

Re: Custom Mail alert

So you already get a mail alert and you want the formatting to be more readable, right?
0 Kudos

Re: Custom Mail alert

Yea, i want to get more informative mail, for example:
HeaderDateHour: 25Sep2019 11:04:47;
ContentVersion: 5;
HighLevelLogKey: 6192227919086323757;
Uuid: {0x5d8b1f9f,0x6,0xd2f190a,0xc0000001};
SequenceNum: 68;
Action: drop;
Origin: fw1;
IfDir: >;
InterfaceName: bond1.600;
Alert: mail;

I have scripts: internal_sendmail -s 'Alert Checkpoint' -t ,,,,,,,,,,,,, -f ,,,,,,,@tkbip.ru ,,,,,,,,,@tkbip.ru

 

 


Now i geting:
HeaderDateHour: 25Sep2019 11:04:47; ContentVersion: 5; HighLevelLogKey: 6192227919086323757; Uuid: {0x5d8b1f9f,0x6,0xd2f190a,0xc0000001}; SequenceNum: 68; Action: drop; Origin: fw1; IfDir: >; InterfaceName: bond1.600; Alert: mail; OriginSicName: CN=fw1,O=srv-fwmgt-01.kfim.int.qaps4b; OriginSicName: CN=fw1,O=srv-fwmgt-01.kfim.int.qaps4b; HighLevelLogKey: 6192227919086323757; inzone: Internal; outzone: External; service_id: https; src: 10.26.10.8; dst: 17.248.150.112; proto: tcp; xlatesrc: fw-cluster; xlatedst: ; NAT_rulenum: 39; NAT_addtnl_rulenum: 1; UserCheck_incident_uid: A35E45FE-7E0B-1761-BA71-151F0654E3EF; user: Efimov-t (Efimov-t)(+)Валентин Ефимов (V.Efimov)(+); src_user_name: Efimov-t (Efimov-t)(+)Валентин Ефимов (V.Efimov)(+); src_machine_name: ws091@kfim.int; src_user_dn: CN=Efimov-t,OU=Admins,OU=Special Users,DC=kfim,DC=int(+)CN=V.Efimov,OU=Spb-users,OU=User Departments,DC=kfim,DC=int(+); snid: ; dst_user_name: ; dst_machine_name: ; dst_user_dn: ; UP_match_table: TAB E_START; ROW_START: 0; match_id: 178; layer_uuid: a26ede25-151d-4e2f-a863-ebea21a98bfd; layer_name: Network; rule_uid: 41195f98-14b7-4b3e-b582-726db64e9333; rule_name: Users_HTTP_HTTPS; action: 2; parent_rule: 0; ROW_END: 0; ROW_START: 1; match_id: 16777234; layer_uuid: 91658237-8cf4-45ab-8726-bad986646bb7; layer_name: Application; rule_uid: 894cc470-c30c-4d83-b12b-f66866da1219; rule_name: Teamviewer_Block; action: 0; parent_rule: 0; ROW_END: 1; UP_match_table: TABLE_END; context_num: 1; ProductName: VPN-1 & FireWall-1; svc: https; sport_svc: 30570; xlatedport_svc: ; xlatesport_svc: 37809; ProductFamily: Network;

0 Kudos

Re: Custom Mail alert

A UserDefined alert executed on the SMS in whatever scripting language your SMS supports should do the trick.  Your custom script can parse and format the original log data the way you want, then invoke sendmail to send the formatted output in an email.  UserDefined alerts are set up in the SmartConsole under Global Properties...Log & Alert...Alerts.

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos