OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: JustMeHere on January 07, 2026, 04:38:16 PM

Title: Send email alert if FW rule is triggered
Post by: JustMeHere on January 07, 2026, 04:38:16 PM
Is there a way to send an email alert when a Firewall is triggered? 

I realize this can lead to a lot of spam, but if the alerts are properly throttled, it can be handled.

The rule is set up to block outbound communications to known bad actors.  If an internal computer actually attempts to contact the bad actor, then there is something bad going on with that computer.  It would be prudent to check that machine for malware.

The email would be like:
"<computer name|ip> violated the known_abusers outbound firewall rule."
There would be an option to send the message only once until the alert is cleared.  Possibly with reminders until the alert is cleared.
Or perhaps just send a summary message hourly/daily about machines that violated the rule.
Title: Re: Send email alert if FW rule is triggered
Post by: keeka on January 07, 2026, 06:34:19 PM
If you want to fire alerts, on any number of conditions, with throttling, look at something like Graylog. I don't believe the devs will be implementing such an alert system directly on OPNsense.
Title: Re: Send email alert if FW rule is triggered
Post by: OPNenthu on January 08, 2026, 12:28:37 AM
Quote from: JustMeHere on January 07, 2026, 04:38:16 PM
Is there a way to send an email alert when a Firewall is triggered?

[...] perhaps just send a summary message hourly/daily about machines that violated the rule.

Monit can do this.

Following a similar pattern as Example #3 for Suricata EVE logs in the OPNsense docs (link at bottom), we can do a regex match on the firewall filter log and vary the poll time to achieve an hourly (or daily) alert on matches.  Just beware that the filter log file is rotated at least daily from what I see on my filesystem.

--

You need to add at least one test (Services:Monit:Settings:Service Test Settings) to detect the firewall rule in the filter log.  In this example I added two tests: one for a "FireHOL" block rule, and one for a "Spamhaus DROP" block rule.

This is using the Monit syntax content = "<regex>" to match a regular expression between the quotes, which in this case is just the rule ID.

firehol-test.png

spamhaus-test.png

Then you create a custom 'File' type service (Services:Monit:Settings:Service Settings) to monitor the filter log at /var/log/filter/latest.log and assign one or more tests.

Since my Monit poll interval in General settings is 120, I set the service Poll Time to 30 CYCLES (also Monit syntax) which I think effectively limits the alerts to once per hour. 

I tried adding a cron expression to Poll Time since the helptext indicates it, but it wouldn't accept my input.  YMMV.

filterlog_service.png

The Monit status page will reflect when the alert has been triggered (status = Content Match) and some data about the last collection time:

File 'filterlog_alert'
  status                       Content match
  monitoring status            Waiting
  monitoring mode              active
  on reboot                    start
  permission                   600
  uid                          0
  gid                          0
  size                         51.6 MB
  hardlink                     1
  access timestamp             Wed, 07 Jan 2026 18:11:30
  change timestamp             Wed, 07 Jan 2026 18:11:30
  modify timestamp             Wed, 07 Jan 2026 18:11:30
  content match                yes
  data collected               Wed, 07 Jan 2026 18:11:32

And the email should have a summary of the matched firewall logs for the duration:

Monit <admin@yourfirewall.net>
6:11 PM (6 minutes ago)
to me
Content match Service filterlog_alert

        Date:        Wed, 07 Jan 2026 18:11:30
        Action:      alert
        Host:        firewall.h1.home.arpa
        Description: content match:
<134>1 2026-01-07T18:04:17-05:00 firewall.h1.home.arpa filterlog 44252 - [meta sequenceId="209394"] 1658,,,2be02dbd0d<redacted>,igc1,match,block,in,4,0x0,,249,54321,0,none,6,tcp,44,198.235.24.40,69.xxx.xxx.99,50451,9092,0,S,3741296355,,65535,,mss
<134>1 2026-01-07T18:05:16-05:00 firewall.h1.home.arpa filterlog 44252 - [meta sequenceId="209581"] 1658,,,2be02dbd0d<redacted>,igc1,match,block,in,4,0x0,,244,44935,0,none,6,tcp,44,193.163.125.214,69.xxx.xxx.99,35182,6669,0,S,2283158376,,14600,,mss

...


Your faithful employee,
Monit

I didn't test this for the full one hour time window, but I hope it should work.

Links:
https://docs.opnsense.org/manual/monit.html
https://mmonit.com/monit/documentation/monit.html#SERVICE-TESTS
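The Monit check above fires on a regex match of the rule ID and mails the raw matching lines. As an added example that is not part of this thread or of OPNsense, the Python script below shows what the OP's other wish, an hourly/daily digest per machine with "alert once until cleared", looks like when the same filterlog records are parsed instead of just pattern-matched. The syslog envelope and CSV layout follow the lines quoted in the Monit mail (rulenr, subrulenr, anchor, rid, interface, reason, action, direction, IP version, then an IPv4- or IPv6-specific header ending in source and destination); the field offsets are my assumption from that format. The log lines, the rule label `deadbeef00`, the hostnames and the addresses are constructed for the example.

```python
import re
from collections import defaultdict

# RFC 5424 syslog envelope OPNsense puts around each filterlog record, as seen in
# the Monit mail above: <PRI>1 TIMESTAMP HOST filterlog PID - [meta ...] CSV
SYSLOG_RE = re.compile(
    r'^<\d+>1 (?P<ts>\S+) (?P<host>\S+) filterlog \d+ - \[[^\]]*\] (?P<csv>.*)$'
)

def parse_filterlog(line):
    """Return the fields of one filterlog record needed for alerting, or None.

    Field positions are assumed from the OPNsense/pf filterlog CSV layout:
    rulenr, subrulenr, anchor, rid, iface, reason, action, dir, ipver, then an
    IPv4 or IPv6 header ending in src, dst, and for tcp/udp the two ports.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = m.group('csv').split(',')
    if len(f) < 9:
        return None
    rec = {'ts': m.group('ts'), 'rulenr': f[0], 'rid': f[3], 'iface': f[4],
           'action': f[6], 'dir': f[7], 'ipver': f[8]}
    # CSV offsets of protocol name, src and dst for each IP version (assumed layout).
    layout = {'4': (16, 18, 19), '6': (13, 15, 16)}.get(rec['ipver'])
    if layout is None or len(f) <= layout[2]:
        return None
    proto, src, dst = layout
    rec['proto'], rec['src'], rec['dst'] = f[proto], f[src], f[dst]
    if rec['proto'] in ('tcp', 'udp') and len(f) > dst + 2:
        rec['sport'], rec['dport'] = f[dst + 1], f[dst + 2]
    return rec

def summarize_violations(lines, rule_ids, direction='out'):
    """Aggregate blocked flows per source host for rules whose label starts with one of rule_ids."""
    per_host = defaultdict(lambda: {'count': 0, 'dests': set(), 'first': None, 'last': None})
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or rec['action'] != 'block' or rec['dir'] != direction:
            continue
        if not any(rec['rid'].startswith(r) for r in rule_ids):
            continue
        h = per_host[rec['src']]
        h['count'] += 1
        h['dests'].add(rec['dst'])
        h['first'] = h['first'] or rec['ts']   # lines arrive in log order
        h['last'] = rec['ts']
    return dict(per_host)

class AlertThrottle:
    """Alert once per host, then stay silent until that host is explicitly cleared."""
    def __init__(self):
        self.active = set()

    def hosts_to_notify(self, summary):
        new = sorted(h for h in summary if h not in self.active)
        self.active.update(new)
        return new

    def clear(self, host):
        self.active.discard(host)

def format_alert(summary, hosts, rule_name):
    """Build the mail body in the shape the OP asked for, one line per host."""
    out = []
    for h in hosts:
        s = summary[h]
        out.append(f"{h} violated the {rule_name} outbound firewall rule. "
                   f"{s['count']} blocked flow(s) to {len(s['dests'])} destination(s), "
                   f"first {s['first']}, last {s['last']}")
    return "\n".join(out)

# Constructed sample: three outbound blocks by rule deadbeef00 (two hosts, one IPv6),
# plus an inbound block by a different rule that must be ignored.
SAMPLE_LOG = """\
<134>1 2026-01-07T18:04:17-05:00 fw.example.arpa filterlog 44252 - [meta sequenceId="1"] 1701,,,deadbeef00,igc0,match,block,out,4,0x0,,64,10001,0,DF,6,tcp,60,192.168.1.23,203.0.113.7,51000,443,0,S,1,,64240,,mss
<134>1 2026-01-07T18:05:02-05:00 fw.example.arpa filterlog 44252 - [meta sequenceId="2"] 1701,,,deadbeef00,igc0,match,block,out,4,0x0,,64,10002,0,DF,6,tcp,60,192.168.1.23,203.0.113.9,51001,443,0,S,1,,64240,,mss
<134>1 2026-01-07T18:06:40-05:00 fw.example.arpa filterlog 44252 - [meta sequenceId="3"] 1701,,,deadbeef00,igc0,match,block,out,4,0x0,,64,10003,0,none,17,udp,48,192.168.1.50,198.51.100.4,40000,53,28
<134>1 2026-01-07T18:07:11-05:00 fw.example.arpa filterlog 44252 - [meta sequenceId="4"] 1658,,,2be02dbd0d,igc1,match,block,in,4,0x0,,249,54321,0,none,6,tcp,44,198.235.24.40,192.0.2.99,50451,9092,0,S,1,,65535,,mss
<134>1 2026-01-07T18:08:00-05:00 fw.example.arpa filterlog 44252 - [meta sequenceId="5"] 1701,,,deadbeef00,igc0,match,block,out,6,0x00,0x00000,40,6,tcp,64,2001:db8::23,2001:db8:ffff::1,51002,443,0,S,1,,64240,,mss
"""

if __name__ == '__main__':
    summary = summarize_violations(SAMPLE_LOG.splitlines(), ['deadbeef00'])
    throttle = AlertThrottle()
    print(format_alert(summary, throttle.hosts_to_notify(summary), 'known_abusers'))
```

Run on a rotated-out copy of /var/log/filter/latest.log from cron at the chosen interval, the throttle state would need to be persisted between runs (a small JSON file is enough); the Monit version in the post avoids that bookkeeping at the cost of mailing raw lines rather than a per-host digest.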
Title: Re: Send email alert if FW rule is triggered
Post by: Patrick M. Hausen on January 08, 2026, 12:31:57 AM
@OPNenthu Holy ...! Chapeau, you figured out how to do that without any additional scripts or modifications. Not that I personally need it. But great achievement.
Title: Re: Send email alert if FW rule is triggered
Post by: OPNenthu on January 08, 2026, 01:22:15 AM
I'm sure someone's figured it out already but I didn't need to dig into the archives for once :)
Title: Re: Send email alert if FW rule is triggered
Post by: julsssark on January 08, 2026, 03:46:13 AM
Another option is send your OPNsense syslog to Loki and use Grafana for your log monitoring/alerting:

https://roguesecurity.dev/blog/opnsense-loki (https://roguesecurity.dev/blog/opnsense-loki)

The instructions use containers, but you can just install Loki and Grafana into a VM instead.
Title: Re: Send email alert if FW rule is triggered
Post by: OPNenthu on January 08, 2026, 04:34:41 AM
So the issue with my cron input was that I was trying to use a slash character to test on 5-minute intervals (e.g. */5 * * * *), but this is not legal in Monit. (https://mmonit.com/monit/documentation/monit.html#SERVICE-POLL-TIME)

However "0 * * * *" is accepted and should run at the top of every hour.

Probably best to do it 30 minutes past every hour in order to not clash with the log rotation at 00:00.
Title: Re: Send email alert if FW rule is triggered
Post by: viragomann on January 08, 2026, 09:33:54 AM
Quote from: OPNenthu on January 08, 2026, 04:34:41 AM
So the issue with my cron input was that I was trying to use a slash character to test on 5-minute intervals (e.g. */5 * * * *), but this is not legal in Monit. (https://mmonit.com/monit/documentation/monit.html#SERVICE-POLL-TIME)
No, Monit does not expect this, since  it uses its own poll interval.
Title: Re: Send email alert if FW rule is triggered
Post by: keeka on January 08, 2026, 10:20:58 AM
@OPNenthu Wow. I redact my post and hope the OP comes back to see your solution. Thanks.
Title: Re: Send email alert if FW rule is triggered
Post by: OPNenthu on January 08, 2026, 03:55:58 PM
@keeka I think centralized logging and analytics has a place, if users have the option to run those tools.  I'm in the process (finally) of getting network storage here, so I may experiment with exporting OPNsense logs, but I am wary of tech debt and tool sprawl - more things to manage :(