Ntsolution
Explorer

Custom Mail alert

Hi, we want to get a mail alert like this:

HeaderDateHour: 25Sep2019 11:04:47;
ContentVersion: 5;
HighLevelLogKey: 6192227919086323757;
Uuid: {0x5d8b1f9f,0x6,0xd2f190a,0xc0000001};
SequenceNum: 68;
Action: drop;
Origin: fw1;
IfDir: >;
InterfaceName: bond1.600;
Alert: mail;

etc.

but we have: 

HeaderDateHour: 25Sep2019 11:04:47; ContentVersion: 5; HighLevelLogKey: 6192227919086323757; Uuid: {0x5d8b1f9f,0x6,0xd2f190a,0xc0000001}; SequenceNum: 68; Action: drop; Origin: fw1; IfDir: >; InterfaceName: bond1.600; Alert: mail; OriginSicName: CN=fw1,O=srv-fwmgt-01.kfim.int.qaps4b; OriginSicName: CN=fw1,O=srv-fwmgt-01.kfim.int.qaps4b; HighLevelLogKey: 6192227919086323757; inzone: Internal; outzone: External; service_id: https; src: ******; dst: **********; proto: tcp; xlatesrc: fw-cluster; xlatedst: ; NAT_rulenum: 39; NAT_addtnl_rulenum: 1; UserCheck_incident_uid: A35E45FE-7E0B-1761-BA71-151F0654E3EF; user: Efimov-t (Efimov-t)(+)********** (V.Efimov)(+); src_user_name: Efimov-t (Efimov-t)(+)*******(V.Efimov)(+); src_machine_name: ws091@kfim.int; src_user_dn: CN=Efimov-t,OU=Admins,OU=Special Users,DC=kfim,DC=int(+)CN=V.Efimov,OU=Spb-users,OU=User Departments,DC=kfim,DC=int(+); snid: ; dst_user_name: ; dst_machine_name: ; dst_user_dn: ; UP_match_table: TAB E_START; ROW_START: 0; match_id: 178; layer_uuid: a26ede25-151d-4e2f-a863-ebea21a98bfd; layer_name: Network; rule_uid: 41195f98-14b7-4b3e-b582-726db64e9333; rule_name: Users_HTTP_HTTPS; action: 2; parent_rule: 0; ROW_END: 0; ROW_START: 1; match_id: 16777234; layer_uuid: 91658237-8cf4-45ab-8726-bad986646bb7; layer_name: Application; rule_uid: 894cc470-c30c-4d83-b12b-f66866da1219; rule_name: Teamviewer_Block; action: 0; parent_rule: 0; ROW_END: 1; UP_match_table: TABLE_END; context_num: 1; ProductName: VPN-1 & FireWall-1; svc: https; sport_svc: 30570; xlatedport_svc: ; xlatesport_svc: 37809; ProductFamily: Network;
What should we use in the "Run mail alert script" field? Thank you.

0 Kudos
3 Replies
Danny
Champion

So you already get a mail alert and you want the formatting to be more readable, right?
0 Kudos
Ntsolution
Explorer

Yeah, I want to get a more informative mail, for example:
HeaderDateHour: 25Sep2019 11:04:47;
ContentVersion: 5;
HighLevelLogKey: 6192227919086323757;
Uuid: {0x5d8b1f9f,0x6,0xd2f190a,0xc0000001};
SequenceNum: 68;
Action: drop;
Origin: fw1;
IfDir: >;
InterfaceName: bond1.600;
Alert: mail;

I have this script: internal_sendmail -s 'Alert Checkpoint' -t ,,,,,,,,,,,,, -f ,,,,,,,@tkbip.ru ,,,,,,,,,@tkbip.ru

Now I'm getting:
HeaderDateHour: 25Sep2019 11:04:47; ContentVersion: 5; HighLevelLogKey: 6192227919086323757; Uuid: {0x5d8b1f9f,0x6,0xd2f190a,0xc0000001}; SequenceNum: 68; Action: drop; Origin: fw1; IfDir: >; InterfaceName: bond1.600; Alert: mail; OriginSicName: CN=fw1,O=srv-fwmgt-01.kfim.int.qaps4b; OriginSicName: CN=fw1,O=srv-fwmgt-01.kfim.int.qaps4b; HighLevelLogKey: 6192227919086323757; inzone: Internal; outzone: External; service_id: https; src: 10.26.10.8; dst: 17.248.150.112; proto: tcp; xlatesrc: fw-cluster; xlatedst: ; NAT_rulenum: 39; NAT_addtnl_rulenum: 1; UserCheck_incident_uid: A35E45FE-7E0B-1761-BA71-151F0654E3EF; user: Efimov-t (Efimov-t)(+)Валентин Ефимов (V.Efimov)(+); src_user_name: Efimov-t (Efimov-t)(+)Валентин Ефимов (V.Efimov)(+); src_machine_name: ws091@kfim.int; src_user_dn: CN=Efimov-t,OU=Admins,OU=Special Users,DC=kfim,DC=int(+)CN=V.Efimov,OU=Spb-users,OU=User Departments,DC=kfim,DC=int(+); snid: ; dst_user_name: ; dst_machine_name: ; dst_user_dn: ; UP_match_table: TAB E_START; ROW_START: 0; match_id: 178; layer_uuid: a26ede25-151d-4e2f-a863-ebea21a98bfd; layer_name: Network; rule_uid: 41195f98-14b7-4b3e-b582-726db64e9333; rule_name: Users_HTTP_HTTPS; action: 2; parent_rule: 0; ROW_END: 0; ROW_START: 1; match_id: 16777234; layer_uuid: 91658237-8cf4-45ab-8726-bad986646bb7; layer_name: Application; rule_uid: 894cc470-c30c-4d83-b12b-f66866da1219; rule_name: Teamviewer_Block; action: 0; parent_rule: 0; ROW_END: 1; UP_match_table: TABLE_END; context_num: 1; ProductName: VPN-1 & FireWall-1; svc: https; sport_svc: 30570; xlatedport_svc: ; xlatesport_svc: 37809; ProductFamily: Network;

0 Kudos
Timothy_Hall
Champion

A UserDefined alert executed on the SMS in whatever scripting language your SMS supports should do the trick. Your custom script can parse and format the original log data the way you want, then invoke sendmail to send the formatted output in an email. UserDefined alerts are set up in the SmartConsole under Global Properties...Log & Alert...Alerts.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
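Putting the suggestion above into a script, as an added example that is not from the thread or from Check Point: it splits the record from the question on `;`, prints one `key: value;` per line and pipes the result to internal_sendmail with the same flags as the poster's command. The relay, sender and recipient addresses are placeholders, and the script assumes the SMS passes the log record to the alert script on standard input.

```shell
#!/bin/bash
# Added example (not Check Point's code): a UserDefined alert script for the
# SMS that turns the single-line log record into one "key: value;" per line
# and hands it to internal_sendmail. Assumptions: the SMS pipes the log
# record to the script on stdin; the mail relay and addresses are placeholders.

# Constructed sample record (shortened, redacted) so the functions can be tried offline.
SAMPLE_RECORD='HeaderDateHour: 25Sep2019 11:04:47; ContentVersion: 5; Action: drop; Origin: fw1; IfDir: >; InterfaceName: bond1.600; Alert: mail; OriginSicName: CN=fw1,O=mgmt.example; OriginSicName: CN=fw1,O=mgmt.example; src: 10.0.0.1; dst: 192.0.2.10; proto: tcp; xlatedst: ; rule_name: Users_HTTP_HTTPS; action: 2;'

# stdin: the raw record. stdout: one "key: value;" per line.
# Splits on ';' only, so values containing ':' (HeaderDateHour) stay intact;
# fields with an empty value (xlatedst) are dropped and exact repeats
# (OriginSicName, HighLevelLogKey appear twice in the record) are printed once.
format_alert() {
    awk 'BEGIN { RS = ";" }
         { gsub(/^[ \t\n]+|[ \t\n]+$/, "") }
         $0 ~ /^[A-Za-z_]+: ./ && !seen[$0]++ { print $0 ";" }'
}

# stdin: the raw record. Prints the value of the first field named $1
# (case-sensitive, so "Action" and "action" are different keys).
field() {
    awk -v key="$1" 'BEGIN { RS = ";" }
        { gsub(/^[ \t\n]+|[ \t\n]+$/, "") }
        index($0, key ": ") == 1 { print substr($0, length(key) + 3); exit }'
}

# Reads the record from stdin, builds a subject from Action/src/dst and mails
# the formatted body. Flags mirror the command from the thread; values are placeholders.
send_alert() {
    record=$(cat)
    action=$(printf '%s' "$record" | field Action)
    src=$(printf '%s' "$record" | field src)
    dst=$(printf '%s' "$record" | field dst)
    printf '%s' "$record" | format_alert | internal_sendmail \
        -s "Alert Checkpoint: $action $src -> $dst" \
        -t mailrelay.example.com -f fw-alerts@example.com soc@example.com
}

# Configure the SMS to run "<path>/alert_mail.sh --send"; without the flag
# nothing is sent, so the functions can be sourced and tested.
if [ "${1:-}" = "--send" ]; then
    send_alert
fi
```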