Re: Check Point smartevent automatic reaction via ...

dehaasm · ‎2024-02-29

I am trying to get this external script to work whenever a smart event occurs it should be both send via email and using the external script using syslog/logger command. The mails are being send however the external script is not being used and nothing is send out via syslog.

#!/bin/bash
echo "starting automatic reaction" >> /var/log/automaticreaction.txt
EVENT=$(cat);
echo "logging event details $EVENT" >> /var/log/automaticreaction.txt
logger -n 10.1.1.1 -P 1234 $EVENT
echo "sending to syslog" >> /var/log/automaticreaction.txt

According to the documentation the EVENT=$(cat); and using the $EVENT should automatically retrieve the event data. Does someone here have experience with this?

the_rock · ‎2024-02-29

I believe below line, you might be missing -u for user

logger -n 10.1.1.1 -P 1234 $EVENT

dehaasm · ‎2024-02-29

when i run it manually by sending some text (not using variable EVENT) then it works

the_rock · ‎2024-02-29

Lets see if someone else may know, as not sure TAC might be able to assist with scripting.

Best,

Andy

Amir_Senn · ‎2024-03-03

External script for automatic reaction must be located on the following directory in order to work: $RTDIR/bin/ext_commands/

Kind regards, Amir Senn

dehaasm · ‎2024-03-04

Yes it is there, I only added logging to /var/log to see if the script runs and where it stops, it seems to stop at EVENT 3rd line

dehaasm · ‎2024-03-04

we just checked again we have two automatic reactions one mail the other the script, it seems the script is not executed as i have zero log entries for that I should see following in log file, again while running manually this works (of course not using the EVENT data)

echo "starting automatic reaction" >> /var/log/automaticreaction.txt

I think i have to engage TAC as I am out of options

Amir_Senn · ‎2024-03-04

TAC is probably the way to go in this case.

I will also recommend to create a new very simple script to see if the issue is generally in scripts.

Scripts of auto reaction also has limitation, but I think that a way to WA this is having the script trigger the other script.

Kind regards, Amir Senn

dehaasm · ‎2024-03-04

Hi Amir, I will do one test more to only have a script with one line that is to add some local logging, then we know if it is executed, if not then something goes wrong with the external reaction solution itself.

dehaasm · ‎2024-03-05

not even with a single line script it is executed gonna engage CP TAC

dehaasm · ‎2024-03-06

In the automatic reaction configuration we need to specify the location of the script command line I currently have /opt/CPrt-R81-10/bin/ext_commands/automaticreactionsyslog and this file exists.

Creating an External Script Automatic Reaction (checkpoint.com)

In the Add Automatic Reaction window:

Give the automatic reaction object a significant name.
In Command line, enter the name of the script to run.
Specify the name of the script that is in $RTDIR/bin/ext_commands/ directory.
Use the relative path if needed.
Do not specify the full path of $RTDIR/bin/ext_commands/.
perhaps I just have to fill in the name of the script instead of the full path?

Amir_Senn · ‎2024-03-06

Full path won't work if I remember correctly, use only relative path (just file name actually).

Kind regards, Amir Senn

Are you a member of CheckMates?

Check Point smartevent automatic reaction via logger