This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ntsolution
Explorer
‎2019-09-26 01:23 AM

Custom Mail alert

Hi, we want to get mail alert : 

HeaderDateHour: 25Sep2019 11:04:47;
ContentVersion: 5;
HighLevelLogKey: 6192227919086323757;
Uuid: {0x5d8b1f9f,0x6,0xd2f190a,0xc0000001};
SequenceNum: 68;
Action: drop;
Origin: fw1;
IfDir: >;
InterfaceName: bond1.600;
Alert: mail;

and etc.

but we have: 

HeaderDateHour: 25Sep2019 11:04:47; ContentVersion: 5; HighLevelLogKey: 6192227919086323757; Uuid: {0x5d8b1f9f,0x6,0xd2f190a,0xc0000001}; SequenceNum: 68; Action: drop; Origin: fw1; IfDir: >; InterfaceName: bond1.600; Alert: mail; OriginSicName: CN=fw1,O=srv-fwmgt-01.kfim.int.qaps4b; OriginSicName: CN=fw1,O=srv-fwmgt-01.kfim.int.qaps4b; HighLevelLogKey: 6192227919086323757; inzone: Internal; outzone: External; service_id: https; src: ******; dst: **********; proto: tcp; xlatesrc: fw-cluster; xlatedst: ; NAT_rulenum: 39; NAT_addtnl_rulenum: 1; UserCheck_incident_uid: A35E45FE-7E0B-1761-BA71-151F0654E3EF; user: Efimov-t (Efimov-t)(+)********** (V.Efimov)(+); src_user_name: Efimov-t (Efimov-t)(+)*******(V.Efimov)(+); src_machine_name: ws091@kfim.int; src_user_dn: CN=Efimov-t,OU=Admins,OU=Special Users,DC=kfim,DC=int(+)CN=V.Efimov,OU=Spb-users,OU=User Departments,DC=kfim,DC=int(+); snid: ; dst_user_name: ; dst_machine_name: ; dst_user_dn: ; UP_match_table: TAB E_START; ROW_START: 0; match_id: 178; layer_uuid: a26ede25-151d-4e2f-a863-ebea21a98bfd; layer_name: Network; rule_uid: 41195f98-14b7-4b3e-b582-726db64e9333; rule_name: Users_HTTP_HTTPS; action: 2; parent_rule: 0; ROW_END: 0; ROW_START: 1; match_id: 16777234; layer_uuid: 91658237-8cf4-45ab-8726-bad986646bb7; layer_name: Application; rule_uid: 894cc470-c30c-4d83-b12b-f66866da1219; rule_name: Teamviewer_Block; action: 0; parent_rule: 0; ROW_END: 1; UP_match_table: TABLE_END; context_num: 1; ProductName: VPN-1 & FireWall-1; svc: https; sport_svc: 30570; xlatedport_svc: ; xlatesport_svc: 37809; ProductFamily: Network;

 

what we should use in Run mail alert script ? thank you

0 Kudos
3 Replies
Danny
Champion Champion
Champion
‎2019-09-26 01:40 AM

So you already get a mail alert and you want the formatting to be more readable, right?
0 Kudos
Ntsolution
Explorer
‎2019-09-27 12:07 AM
In response to Danny

Yea, i want to get more informative mail, for example:
HeaderDateHour: 25Sep2019 11:04:47;
ContentVersion: 5;
HighLevelLogKey: 6192227919086323757;
Uuid: {0x5d8b1f9f,0x6,0xd2f190a,0xc0000001};
SequenceNum: 68;
Action: drop;
Origin: fw1;
IfDir: >;
InterfaceName: bond1.600;
Alert: mail;

I have scripts: internal_sendmail -s 'Alert Checkpoint' -t ,,,,,,,,,,,,, -f ,,,,,,,@tkbip.ru ,,,,,,,,,@tkbip.ru

 

 


Now i geting:
HeaderDateHour: 25Sep2019 11:04:47; ContentVersion: 5; HighLevelLogKey: 6192227919086323757; Uuid: {0x5d8b1f9f,0x6,0xd2f190a,0xc0000001}; SequenceNum: 68; Action: drop; Origin: fw1; IfDir: >; InterfaceName: bond1.600; Alert: mail; OriginSicName: CN=fw1,O=srv-fwmgt-01.kfim.int.qaps4b; OriginSicName: CN=fw1,O=srv-fwmgt-01.kfim.int.qaps4b; HighLevelLogKey: 6192227919086323757; inzone: Internal; outzone: External; service_id: https; src: 10.26.10.8; dst: 17.248.150.112; proto: tcp; xlatesrc: fw-cluster; xlatedst: ; NAT_rulenum: 39; NAT_addtnl_rulenum: 1; UserCheck_incident_uid: A35E45FE-7E0B-1761-BA71-151F0654E3EF; user: Efimov-t (Efimov-t)(+)Валентин Ефимов (V.Efimov)(+); src_user_name: Efimov-t (Efimov-t)(+)Валентин Ефимов (V.Efimov)(+); src_machine_name: ws091@kfim.int; src_user_dn: CN=Efimov-t,OU=Admins,OU=Special Users,DC=kfim,DC=int(+)CN=V.Efimov,OU=Spb-users,OU=User Departments,DC=kfim,DC=int(+); snid: ; dst_user_name: ; dst_machine_name: ; dst_user_dn: ; UP_match_table: TAB E_START; ROW_START: 0; match_id: 178; layer_uuid: a26ede25-151d-4e2f-a863-ebea21a98bfd; layer_name: Network; rule_uid: 41195f98-14b7-4b3e-b582-726db64e9333; rule_name: Users_HTTP_HTTPS; action: 2; parent_rule: 0; ROW_END: 0; ROW_START: 1; match_id: 16777234; layer_uuid: 91658237-8cf4-45ab-8726-bad986646bb7; layer_name: Application; rule_uid: 894cc470-c30c-4d83-b12b-f66866da1219; rule_name: Teamviewer_Block; action: 0; parent_rule: 0; ROW_END: 1; UP_match_table: TABLE_END; context_num: 1; ProductName: VPN-1 & FireWall-1; svc: https; sport_svc: 30570; xlatedport_svc: ; xlatesport_svc: 37809; ProductFamily: Network;

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-09-26 06:06 AM

A UserDefined alert executed on the SMS in whatever scripting language your SMS supports should do the trick.  Your custom script can parse and format the original log data the way you want, then invoke sendmail to send the formatted output in an email.  UserDefined alerts are set up in the SmartConsole under Global Properties...Log & Alert...Alerts.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events