E-mail when alert or drop

Started by kelskein, July 07, 2020, 04:06:00 PM

Previous topic - Next topic
Print
Go Down Pages1 2 3
User actions
July 07, 2020, 04:06:00 PM
I am using Surricata as IDS/IPS on several OPNSense firewalls, which is running great. Now I am cheking once a month the firewalls for alerts/drops. Is it possible to configure OPNsense to email when an Surricata alert occured?

I have been reading to setup monit, but this seems only for Firewall system alerts.
July 07, 2020, 04:16:21 PM #1
You should be able to select suricata logs as well I think ..
July 08, 2020, 08:36:27 PM #2
Should be able to select the log file and use a reg expression to pull the dropped log. Might be a bit over my head.  I'm wanting to do this as well of i figure ot out I'll try and remember to post it here.

Sent from my GM1917 using Tapatalk

July 12, 2020, 02:51:43 AM #3
I've made some progress here but I'm still a bit over my head.

The logs are located in /var/log/suricata/eve.json

I can parse the logs and provide output using tail and piping to awk and parsing with

Code Select
tail eve.json | awk -F"," '$10 ~ blocked {print $1,$5,$6,$7,$8,$9,$10,$14}'

I'm struggling to understand how to get monit to look at only new logs.  Do I have to make a script?  I'm in over my head there for sure.  The tail of the file does a good job of providing output for an alert, but I don't know how it can be used for monitoring. 

Articles of note. 

July 12, 2020, 03:17:37 AM #4 Last Edit: July 19, 2020, 03:37:34 PM by FullyBorked
ok, I waaaaay overthought this.  Mainly due to my noobness with monit and opnsense.  Here's how to make this work.

Create a Service Test

Name: IPS Block
Condition: content= "blocked"
Action: Alert

Then create Service Settings

Name: Suricata_alert
Type: File
Path: /var/log/suricata/eve.json
Tests: Select "IPS Blocked"

Save, apply, and restart suricata then test and you should get an alert via monit.  Hope this helps.
July 12, 2020, 07:13:51 AM #5
Thx, really smart  8)
Do you want to add it to official docs?
July 15, 2020, 03:06:59 PM #6
Quote from: mimugmail on July 12, 2020, 07:13:51 AM
Thx, really smart  8)
Do you want to add it to official docs?

Not sure if that's necessary, I think the docs cover it ok.  I was just not understanding how it worked.
July 15, 2020, 04:02:41 PM #7
I will add it as a third example :)
Maybe it's also too easy to understand for others :)
July 15, 2020, 04:03:52 PM #8
Quote from: mimugmail on July 15, 2020, 04:02:41 PM
I will add it as a third example :)
Maybe it's also too easy to understand for others :)

8)
July 18, 2020, 10:44:06 PM #9
I tried this and Monit won't start up. Had to delete to get it started again. It was complaining about syntax error on line 37.
July 18, 2020, 11:48:01 PM #10
Quote from: penguin44 on July 18, 2020, 10:44:06 PM
I tried this and Monit won't start up. Had to delete to get it started again. It was complaining about syntax error on line 37.
Can you post screenshots of what you have?  Maybe we can notice the syntax error.

Sent from my GM1917 using Tapatalk

July 19, 2020, 03:31:57 AM #11
No screenshot.. here's the error message

root: /usr/local/etc/rc.d/monit: WARNING: failed to start monit

Jul 18 15:20:07   monit: /usr/local/etc/monitrc:32: syntax error 'content='
July 19, 2020, 06:43:59 AM #12
content = "blocked"

check spaces ...
July 19, 2020, 03:35:07 PM #13
Ok, tried with spaces... so far so good. Will monitor

Thanks,
Richard
July 19, 2020, 03:38:08 PM #14
Added the space into my example so that copy paste works without error.
Print
Go Up Pages1 2 3
User actions