How to use mail alert body data in external script for user defined alerts (thresholds)
Hi,
I have set up thresholds in smart view monitor to send SNMP trap alert on policy push.
As configured I am receiving mail alert every time a policy is pushed with policy information as mail body.
Now I want an external script to get triggered by the same scenario
and I want to use policy information in the external script.
External script is getting triggered.
How can I use policy information(send by mail alert as mail body) in an external script?
Is there any variable which I can send as an argument to get this data in the script?
I'm pretty sure the same information is sent in both circumstances (through stdin to the command that is being called).
Hi,
We need to pass some argument to the script. Is there some specific argument name that I need to pass to stdin?
I tried passing "alert" as the argument to my script in the following way, but it didn't work:
path_to_script/myscript.sh "alert"
I assume you should be able to read the arguments passed via the CLI command that calls your script in the standard way.
Unless we're not passing the arguments when the script is called (which is possible).
The data that is provided as part of the log that triggers the script would be passed through stdin (I believe).
Dameon Welch Abernathy How can we get the list of arguments / parameters so I can use the same in my external script?
Thanks
We are not passing specific arguments.
We are passing the relevant log entry thru stdin to the script.
What is passed will depend on the log entry.
Viewing logs using the CLI command "fw log" will give you a rough idea of what is sent (and it will vary depending on the log entry).
Dameon Welch Abernathy Thanks for replying. How can I call that specific log from the script?
Dameon Welch Abernathy Thank you for the reply.
As you can see, I have defined my external script here, so once a matching rule is met the script executes successfully.
In the script (UD_SCRIPT) I have simple code which prints lines and some text into a text file. Below is my script content.
If the policy is met, the following script will execute.
So when I view the text file that was created by the script, I can see that the script executed successfully.
What I want is to get the following values through my external script
HeaderDateHour: 24May2018 17:36:51; ContentVersion: x; HighLevelLogKey: N/A; LogUid: N/A; SequenceNum: N/A; Action: ctl; Origin: xxxxx; IfDir: >; IfName: N/A; Alert: mail; OriginSicName: CN=xxxxxxxxx,O=cpm.xxxx; OriginSicName: CN=xxxxxxxxxxx,O=cxxxxxxxx..xxxx; HighLevelLogKey: xxxxxxxxxxx; cluster_info: (ClusterXL) member 1 (xx.xx.xx.xx) is down.; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
How can I do this? Thanks for your time and for replying
$1 is the first argument passed to the script, which is not the same thing as standard input.
You want to use the "read" command.
Using your sample, it'd be something like:
#!/bin/bash
echo "-----------" >> /tmp/kbs1.txt
# The log entry arrives on stdin, not in $1; IFS= and -r keep it verbatim (leading spaces, backslashes).
IFS= read -r input
# Quote the variable so spaces and characters such as * and > in the entry are written as-is.
echo "$input" >> /tmp/kbs1.txt
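To go one step further than writing the raw entry to a file, the following is an added example (not code from this thread or from Check Point) of a user-defined script that reads the entry from stdin, splits the "Key: value;" pairs, and looks individual fields up by name so they can be used in the script. The sample entry is constructed in the shape of the entries quoted in this thread; every value in it, the log file path /tmp/ud_alert.log, and the function names are assumptions of the example.

```shell
#!/bin/bash
# Added example, not code from the thread: read the "Key: value;" log entry
# that fwm writes to the user-defined script's stdin and look fields up by
# name. The sample entry below is constructed; every value in it is invented.

# Split "Key: value; Key: value;" into one "Key: value" per line.
split_fields() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -e 's/^[[:space:]]*//' -e '/^$/d'
}

# Print the value of the first field named $2 in entry $1 (empty if absent).
# The match is on the whole key, so "Origin" does not match "OriginSicName".
get_field() {
    split_fields "$1" | awk -v key="$2" '
        index($0, key ": ") == 1 { print substr($0, length(key) + 3); exit }'
}

# One-line summary built from a few fields. The values come straight from the
# log, and some of them (rule names, source objects) can contain characters
# chosen by whoever generated the traffic, so they are only ever passed as
# quoted strings, never fed to eval or used unquoted in a command line.
summarize() {
    printf '%s | origin=%s | action=%s | %s\n' \
        "$(get_field "$1" HeaderDateHour)" \
        "$(get_field "$1" Origin)" \
        "$(get_field "$1" Action)" \
        "$(get_field "$1" cluster_info)"
}

# Constructed sample entry (invented values), used for trying the functions out.
SAMPLE='HeaderDateHour: 24May2018 17:36:51; ContentVersion: 5; Action: ctl; Origin: fw-mgt; IfDir: >; Alert: mail; cluster_info: (ClusterXL) member 1 (10.0.0.2) is down.; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;'

# Entry point: fwm passes the entry on stdin, with no arguments. IFS= and -r
# keep leading spaces and backslashes intact; -t 2 makes a manual run without
# any input return instead of hanging on an empty stdin.
main() {
    local entry
    IFS= read -r -t 2 entry || true
    [ -n "$entry" ] || return 0
    summarize "$entry" >> /tmp/ud_alert.log
}

main
```

To try it by hand on the management server, pipe an entry in, e.g. `printf '%s\n' 'Origin: fw-mgt; Action: ctl;' | ./ud_script.sh`, then look at /tmp/ud_alert.log. The `exit` after the first match in `get_field` means a key that appears twice in an entry (the quoted entries above repeat OriginSicName and HighLevelLogKey) yields its first value.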
Dameon Welch Abernathy Thank you very much this worked!
Am I to understand there is NO facility to format the email that gets sent via sendmail from the SMS when enabling alerts? No XML, no text file? Really? This is just gibberish for a customer. What was the purpose of the alerts? Is there any COMPLETE documentation on the abilities or the lack thereof?
Hello, is there any way to format these emails? This is all gibberish to the customer. No XML? No text files, to adjust only the fields we want to see? Any documentation on what all these fields are?
HeaderDateHour: 20Mar2019 0:22:33; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x5c91c009,0x0,0x17000b0a,0xc0000002}; SequenceNum: 1; Action: accept; Origin: GCBFW2; IfDir: >; InterfaceName: eth2; Alert: mail; OriginSicName: CN=GCBFW2,O=PGCB-Mgmt..7dm32n; OriginSicName: CN=GCBFW2,O=PGCB-Mgmt..7dm32n; HighLevelLogKey: 18446744073709551615; inzone: Internal; outzone: Local; service_id: ssh; src: V84af7e3e-e52f-4e45-8b5e-ce3a21a5d21e; dst: GCBFW2; proto: tcp; xlatesrc: ; xlatedst: ; NAT_rulenum: 107; NAT_addtnl_rulenum: 1; security_inzone: Interface_inside; security_outzone: ; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 272f1cae-8179-4bb4-b5e6-e46943b12057; layer_name: Hbg_5600_Cluster Network; rule_uid: 379515d1-7b4f-42f9-99f3-3ec0fba782d1; rule_name: SSH Access to GW's or SMS will generate an email.; action: 2; parent_rule: 0; ROW_END: 0; UP_match_table: TABLE_END; UP_alert_table: TABLE_START; ROW_START: 0; alert: mail; ROW_END: 0; UP_alert_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ssh; sport_svc: 57388; xlatedport_svc: ; xlatesport_svc: ; ProductFamily: Network;
mmm
After reading the questions and answers, I found myself with the same problem of trying to get the information in a readable-ish format, and going through an Office 365 cloud server. The internal_sendmail command wasn't working for me because the Mgmt server's hostname was only FW-MGT (didn't have an FQDN), so Office365 always rejected it. So I'm using the regular sendmail in Gaia.
Note: In the Office365 Exchange Admin, I went to the spam whitelist and added the NAT address of the Mgmt server so that Office365 accepts the emails. It doesn't allow relays because the connection is not authenticated, and getting Auth to work was more trouble than I wanted.
The script reads the standard input and puts it into an $input variable. Then I use sed to replace the semicolons with newlines, and write it to a file. Then I read the file again with sed, to output only the line that has either 'System Alert' or 'cluster_info' (the two most common events I found, but you can add more if you want), and put it into a $subject variable.
I then erase the file by writing the 'To: ' line, i.e. 'To: SOC team'.
Then I append the 'Subject: Check Point: $subject' line to the file, so that it's apparent what's going on from the subject of the email.
Then I append a blank line, and then append the $input processed as before with sed, changing semi-colons to newlines.
Finally I use sendmail with the --domain parameter so that Office365 accepts the EHLO command, -f as the email sender, -v as the email destination address, host as the mail server, and the input is the file we create above. As you can see I use Office365 with the yourdomain-com.mail.protection.outlook.com host.
The entire script looks like this:
#!/bin/bash
# Read the one-line log entry that fwm passes on stdin (IFS= and -r keep
# leading spaces and backslashes intact).
IFS= read -r input
# One "Key: value" per line. mail.txt is relative to the working directory
# the script is started in; an absolute path such as /tmp/mail.txt is safer.
echo "$input" | sed 's/;/\n/g' > mail.txt
# Subject: the line(s) that carry the interesting event; add more patterns as needed.
subject="$(sed -n -e '/cluster_info/p' -e '/System Alert/p' mail.txt)"
# Rebuild the file as a mail message: headers, a blank line, then the body.
echo "TO: SOC Team" > mail.txt
echo "Subject: Check Point: $subject" >> mail.txt
echo "" >> mail.txt
echo "$input" | sed 's/;/\n/g' >> mail.txt
# Send the file built above (it is the input the description refers to).
sendmail --domain=checkpoint.com -f cpalerts@checkpoint.com -v alerts@yourdomain.com --host=yourdomain-com.mail.protection.outlook.com < mail.txt
Remember to chmod 555 the script so that it can run, and then use it in the User defined alerts of Global Properties.
The email you receive will look something like:
Subject: Check Point: System Alert message: CLUSTER-CP is disconnected
HeaderDateHour: 5Aug2019 21:34:21
ContentVersion: 5
HighLevelLogKey: N/A
Uuid: {0x0,0x0,0x0,0x0}
SequenceNum: 1
Action:
Origin: FW-MGT
IfDir: <
IfName: N/A
Alert: useralert
OriginSicName: N/A
System Alert message: GW1 is disconnected
Object: GW1
Event: Exception
Parameter: status_connection
Condition: is
Current value: 8
ProductName: System Monitor
ProductFamily: Network
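The message format described in the post above can be built with a Subject that is always a single, clean header line. The following is an added example, not the poster's script: it keeps only the first matching "System Alert message" or "cluster_info" field for the Subject, falls back to Action and Origin when neither is present, and strips line breaks and non-printable characters from the Subject because that text comes from log content and a line break inside a header would end the header block early. The two sample entries are constructed in the shape of the entries quoted in this thread (invented values); the recipient address, the path /tmp/cp_alert.txt and the function names are assumptions of the example, and the sendmail call itself is left to whatever invocation works in your environment.

```shell
#!/bin/bash
# Added example, not the poster's script: build a readable mail message from
# the "Key: value;" entry with a Subject derived from the entry. The sample
# entries below are constructed; their values are invented.

# One "Key: value" per line.
fields() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -e 's/^[[:space:]]*//' -e '/^$/d'
}

# Subject text: the first "System Alert message" or "cluster_info" field if
# there is one, otherwise Action and Origin. Only the first match is taken
# (awk exits after printing), so an entry with several matching fields cannot
# turn the Subject: line into several header lines. CR/LF and other
# non-printable characters are removed as well, since the value is log content.
pick_subject() {
    local subj
    subj=$(fields "$1" | awk '/System Alert message|^cluster_info/ { print; exit }')
    if [ -z "$subj" ]; then
        subj=$(fields "$1" | awk '/^Origin: / { o = substr($0, 9) }
                                  /^Action: / { a = substr($0, 9) }
                                  END { printf "alert: %s on %s", a, o }')
    fi
    printf '%s' "$subj" | tr -d '\r\n' | tr -c '[:print:]' '?' | cut -c1-120
}

# Write a complete message (headers, blank line, one field per line) to stdout.
build_mail() {
    # $1: log entry, $2: recipient address for the To: header
    printf 'To: %s\n' "$2"
    printf 'Subject: Check Point: %s\n' "$(pick_subject "$1")"
    printf '\n'
    fields "$1"
}

# Constructed samples (invented values): a System Alert and a rule-match entry.
SAMPLE_SYS='HeaderDateHour: 5Aug2019 21:34:21; ContentVersion: 5; Action: ; Origin: FW-MGT; Alert: useralert; System Alert message: GW1 is disconnected; Object: GW1; Event: Exception; ProductName: System Monitor; ProductFamily: Network;'
SAMPLE_RULE='HeaderDateHour: 20Mar2019 0:22:33; Action: accept; Origin: GCBFW2; Alert: mail; rule_name: SSH Access to GW; ProductFamily: Network;'

# Entry point: fwm passes the entry on stdin, no arguments. The message file is
# then handed to the sendmail invocation used in your environment, for example
# the one shown in the post above, with "< /tmp/cp_alert.txt" as its input.
main() {
    local entry
    IFS= read -r -t 2 entry || true
    [ -n "$entry" ] || return 0
    build_mail "$entry" "soc@example.com" > /tmp/cp_alert.txt
}

main
```

For the System Alert sample the Subject becomes "Check Point: System Alert message: GW1 is disconnected"; for the rule-match sample, which has no alert text, it becomes "Check Point: alert: accept on GCBFW2". The body is the same one-field-per-line listing the post above produces.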
Hi
I also would like to use this feature but so far no luck 😕
For the moment I use a simple script just to confirm that I can capture the log data, as below:
[Expert@sms01:0]# ll $FWDIR/bin/ud_script.sh
-rwxrwxrwx 1 admin bin 92 Jul 1 14:06 /opt/CPsuite-R81/fw1/bin/ud_script.sh
[Expert@sms:0]# cat $FWDIR/bin/ud_script.sh
#!/bin/bash
echo "-----------" >> /tmp/kbs1.txt
read input
echo $input >> /tmp/kbs1.txt
In Global Properties I checked "Run UserDefined Script" and set path:
$FWDIR/bin/ud_script.sh
I set track method on access rule to "Log - User Alert 1"
kbs1.txt file is not being created in /tmp.
Can someone give me a clue why this feature is not working?
You need to put the script inside the management machine, NOT the FW machine.