earljack
newbie
Topic Author
Posts: 40
Joined: Thu Jan 22, 2009 7:34 pm

Logging Specific Firewall Rule to Email

Wed Feb 10, 2010 9:57 pm

Back in 2006 meister wrote this: (http://forum.mikrotik.com/viewtopic.php ... il+logging)
I created a firewall rule to log with the prefix 'email', then attempted to have an email sent whenever this rule was triggered. My problem is I'm getting emails on every firewall info message. The filter correctly prefixes the log message.
/ip firewall filter add chain=forward src-address=0.0.0.0 protocol=tcp dst-port=25 connection-limit=10,32 action=log log-prefix="email"
/system logging add topics=info,firewall prefix="email" action=send2email disabled=no
/system logging action add name="send2email" target=email email-to="meister@domain.com"

I couldn't find much in the manual. Is it possible to email only selected firewall,info log messages?
Four years later, are we able to do this yet? Sadly, no one replied to his question. From my investigating it looks like the answer is still "...". Can any of you experts give a definitive answer? Does ROS just lack the robustness to do this, or is there some nice script trickery to get this done?
 
roadracer96
Forum Veteran
Posts: 730
Joined: Tue Aug 25, 2009 12:01 am

Re: Logging Specific Firewall Rule to Email

Thu Feb 11, 2010 1:12 am

Should be able to do it with Dude. I'm actually working on this... emailing certain types of attacks to customers.
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: Logging Specific Firewall Rule to Email

Thu Feb 11, 2010 6:40 am

The log prefix should only exist on the filter rule, not the entire system logging rule.

First, create a logging action to hold the filter logs:
/system logging action add memory-lines=300 memory-stop-on-full=no name=InfoFirewallBuffer target=memory
Next, create a logging rule to capture info,firewall logs:
/system logging add action=InfoFirewallBuffer disabled=no prefix="" topics=info,firewall
Now every info,firewall entry is included in InfoFirewallBuffer, but we only want the specific entries marked with the log prefix.
Create a filter rule to log with the specified prefix:
/ip firewall filter add chain=input action=log protocol=tcp dst-port=25 log-prefix="smtpfilter"
Only traffic on port 25 will get the log prefix added.

Set this script to run at specified interval via scheduler:
# Set this to a "memory" backed log action
:local logBuffer "InfoFirewallBuffer"

# Set this to the log prefix to search for
:local logPrefix "smtpfilter"

# Internal processing below....
# -----------------------------------
:local logEntries [/log find buffer=($logBuffer)]

:foreach logEntry in=$logEntries do={
   :local logEntryTopics [/log get $logEntry topics]
   :local logEntryMessage [/log get $logEntry message]
   :local logEntryTime [/log get $logEntry time]

# search for logPrefix in log entry's message
   :if ([:pick [:tostr $logEntryMessage] 0 [:len [:tostr $logPrefix]]] = [:tostr $logPrefix]) do={
#    found a log entry with specified prefix
      :local emailMsg ([:tostr $logEntryTime] . " " . [:tostr $logEntryTopics] . " " . [:tostr $logEntryMessage])
      /tool e-mail send to=<your email>  subject=("New " . $logPrefix . " Log") body=[:tostr $emailMsg]
   }
# end foreach $logEntry
}

# Clear log buffer
# Buffer names are listed under /system logging action
# First, logging -> rules with $logBuffer action are disabled
# Next, logging -> action $logBuffer is removed, then re-created
# Finally, logging -> rules previously disabled are set to newly created
#  action, then enabled.  This will fully clear the buffers contents
:local rules ""
:if ([:len $logBuffer] > 0) do={
# :toarray accepts a single buffer name or a comma-separated list of names
   :foreach b in=[:toarray $logBuffer] do={
#    get logging rules with action $b
      :foreach a in=[/system logging find] do={
         :if ([/system logging get $a action] = [:tostr $b]) do={
            :if ([:len $rules] > 0) do={
               :set rules ($rules . "," . $a) } else={
                  :set rules $a }
            /system logging disable $a
         }
      }
#    remove logging action $b
#    create new logging action with name $b and defaults
      :foreach a in=[/system logging action find] do={
         :if ([/system logging action get $a name] = [:tostr $b]) do={
            /system logging action remove $a
            /system logging action add name=[:tostr $b] target=memory memory-lines=300 memory-stop-on-full=no
         }
      }
#    set previous rules' action to $b and enable
      :foreach a in=[:toarray $rules] do={
         /system logging set $a action=[:tostr $b]
         /system logging enable $a
      }
   }
}
 
Willy065
just joined
Posts: 1
Joined: Mon Jul 18, 2016 10:06 pm

Re: Logging Specific Firewall Rule to Email

Mon Jul 18, 2016 10:10 pm

If I use the script I get one email for every log entry. Can that be changed to 30 lines in an email? My mailbox is flooding over with this: I get 300 emails at once, with one log entry in each email instead of all the lines in one email.

Thanks in advance.

Willy.
 
a.devecerski
just joined
Posts: 23
Joined: Tue Jan 24, 2006 11:23 pm

Re: Logging Specific Firewall Rule to Email

Fri May 12, 2017 11:48 pm

Hi everyone

I'm using a router to give some of my users Remote Desktop access to their office computers and was wondering if it could be possible to get, let's say, daily/weekly notifications of all the RD sessions. Searching the forum I've stumbled upon the above post (thanks dssmiktik), which works, but not quite as I would like.

Two issues:
1) As I have a few users/computers, the log prefix is not a single one, but "RD -> Laptop 1" or "RD -> Desktop 5". The above script searches for the exact prefix.
2) The script sends one email for each occurrence, like this line:
21:20:19 firewall;info [RD -> Desktop D-002] dstnat: in:VLAN1 out:(none), src-mac 80:fb:06:35:31:30, proto TCP (SYN), 5.180.58.94:59921->117.65.198.209:4223, len 52
So, when the script is run, for the 50 buffered events I get 50 emails with a single line in them. It would be good if it could compose a single email with all the events logged in the buffer between two script run times.

"Small" problem is, I REALLY don't know anything about scripting. Is there someone here who could advise how to rework dssmiktik's script to:
- find prefixes which begin with a certain string (instead of finding the exact one) and, more importantly,
- compose a single email with the multiple buffered occurrences since the last time the script was run

Or, different approach, maybe

Cheers
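A reworked version of dssmiktik's script that covers both points raised here, as an added example (not code from this thread): it matches any buffered log message that begins with a given string instead of an exact prefix, and it collects all matches into a single e-mail before draining the buffer. It assumes the memory-backed logging action "InfoFirewallBuffer" and its topics=info,firewall rule from dssmiktik's post already exist, that /tool e-mail is configured, that the script is run from /system scheduler, and that you@example.com is replaced with a real address.

```routeros
# Added example, not from this thread.  Assumes a memory-backed logging
# action "InfoFirewallBuffer" fed by a topics=info,firewall rule (see
# dssmiktik's post), a working /tool e-mail setup, and a scheduler entry.
:local logBuffer "InfoFirewallBuffer"
# Any message that STARTS with this text matches, so "RD -> Laptop 1",
# "RD -> Desktop 5" and so on are all caught by one setting.
:local prefixStart "RD -> "
# Placeholder: replace with the real recipient address
:local mailTo "you@example.com"

:local prefixLen [:len $prefixStart]
:local body ""
:local count 0

# Walk the buffer once and accumulate every match into one message body
:foreach logEntry in=[/log find buffer=$logBuffer] do={
   :local msg [/log get $logEntry message]
   # compare only the first $prefixLen characters of the message
   :if ([:pick $msg 0 $prefixLen] = $prefixStart) do={
      :set body ($body . [/log get $logEntry time] . " " . $msg . "\n")
      :set count ($count + 1)
   }
}

# Send ONE e-mail for the whole batch; stay silent when nothing matched
:if ($count > 0) do={
   /tool e-mail send to=$mailTo subject=([:tostr $count] . " new \"" . $prefixStart . "\" log entries") body=$body
}

# Drain the buffer so the next run reports only new entries, using the
# same technique as dssmiktik's script: detach the rules that use the
# action, remove and re-create the action, then re-attach and enable them.
:local act [/system logging action find name=$logBuffer]
:local rules [/system logging find action=$logBuffer]
:if ([:len $act] > 0 && [:len $rules] > 0) do={
   /system logging disable $rules
   /system logging action remove $act
   /system logging action add name=$logBuffer target=memory memory-lines=300 memory-stop-on-full=no
   /system logging set $rules action=$logBuffer
   /system logging enable $rules
}
```

Schedule it with an interval that matches how often you want the digest (for example once a day for a daily summary); entries that arrive while the script is running are lost when the buffer is re-created, so keep the interval well above the time the script takes to run.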
