Send email alert if FW rule is triggered

Started by JustMeHere, January 07, 2026, 04:38:16 PM

Is there a way to send an email alert when a Firewall is triggered? 

I realize this can lead to a lot of spam, but if the alerts are properly throttled, it can be handled.

The rule is set up to block outbound communications to known bad actors.  If an internal computer actually attempts to contact the bad actor, then there is something bad going on with that computer.  It would be prudent to check that machine for malware.

The email would be like:
"<computer name|ip> violated the known_abusers outbound firewall rule."
There would be an option to send the message only once until the alert is cleared.  Possibly with reminders until the alert is cleared.
Or perhaps just send a summary message hourly/daily about machines that violated the rule.

If you want to fire alerts, on any number of conditions, with throttling, look at something like Graylog. I don't believe the devs will be implementing such an alert system directly on OPNsense.

January 08, 2026, 12:28:37 AM #2 Last Edit: January 08, 2026, 03:47:17 AM by OPNenthu Reason: brevity and clarity
Quote from: JustMeHere on January 07, 2026, 04:38:16 PM
Is there a way to send an email alert when a Firewall is triggered?

[...] perhaps just send a summary message hourly/daily about machines that violated the rule.

Monit can do this.

Following a similar pattern as Example #3 for Suricata EVE logs in the OPNsense docs (link at bottom), we can do a regex match on the firewall filter log and vary the poll time to achieve an hourly (or daily) alert on matches.  Just beware that the filter log file is rotated at least daily from what I see on my filesystem.

--

You need to add at least one test (Services:Monit:Settings:Service Test Settings) to detect the firewall rule in the filter log.  In this example I added two tests: one for a "FireHOL" block rule, and one for a "Spamhaus DROP" block rule.

This is using the Monit syntax `content = "<regex>"` to match a regular expression between the quotes, which in this case is just the rule ID.



Then you create a custom 'File' type service (Services:Monit:Settings:Service Settings) to monitor the filter log at /var/log/filter/latest.log and assign one or more tests.

Since my Monit poll interval in General settings is 120, I set the service Poll Time to 30 CYCLES (also Monit syntax) which I think effectively limits the alerts to once per hour. 

I tried adding a cron expression to Poll Time since the helptext indicates it, but it wouldn't accept my input.  YMMV.


The Monit status page will reflect when the alert has been triggered (status = Content Match) and some data about the last collection time:

File 'filterlog_alert'
  status                       Content match
  monitoring status            Waiting
  monitoring mode              active
  on reboot                    start
  permission                   600
  uid                          0
  gid                          0
  size                         51.6 MB
  hardlink                     1
  access timestamp             Wed, 07 Jan 2026 18:11:30
  change timestamp             Wed, 07 Jan 2026 18:11:30
  modify timestamp             Wed, 07 Jan 2026 18:11:30
  content match                yes
  data collected               Wed, 07 Jan 2026 18:11:32

And the email should have a summary of the matched firewall logs for the duration:

Monit <admin@yourfirewall.net>
6:11 PM (6 minutes ago)
to me
Content match Service filterlog_alert

        Date:        Wed, 07 Jan 2026 18:11:30
        Action:      alert
        Host:        firewall.h1.home.arpa
        Description: content match:
<134>1 2026-01-07T18:04:17-05:00 firewall.h1.home.arpa filterlog 44252 - [meta sequenceId="209394"] 1658,,,2be02dbd0d<redacted>,igc1,match,block,in,4,0x0,,249,54321,0,none,6,tcp,44,198.235.24.40,69.xxx.xxx.99,50451,9092,0,S,3741296355,,65535,,mss
<134>1 2026-01-07T18:05:16-05:00 firewall.h1.home.arpa filterlog 44252 - [meta sequenceId="209581"] 1658,,,2be02dbd0d<redacted>,igc1,match,block,in,4,0x0,,244,44935,0,none,6,tcp,44,193.163.125.214,69.xxx.xxx.99,35182,6669,0,S,2283158376,,14600,,mss

...


Your faithful employee,
Monit

I didn't test this for the full one hour time window, but I hope it should work.

Links:
https://docs.opnsense.org/manual/monit.html
https://mmonit.com/monit/documentation/monit.html#SERVICE-TESTS
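To make concrete what the Monit content test above is matching on, and how the summary the OP sketched ("<ip> violated the known_abusers outbound firewall rule") could be built from those matches, here is an added Python example. It is not code from this thread, from OPNsense or from Monit. It parses filterlog lines in the syslog framing shown in the post, reads the CSV fields in the IPv4 order visible in those sample lines, keeps outbound blocks whose rule label matches a regex, aggregates per internal host, and suppresses repeat alerts for a host inside a window (the "send once until cleared" option). The sample lines, the `rid_*_PLACEHOLDER` rule labels and the 10.0.0.0/8, 198.51.100.0/24, 192.0.2.0/24 and 203.0.113.0/24 addresses are constructed; IPv6 lines use a different field layout and are skipped.

```python
"""Parse OPNsense filterlog lines, select matches for one block rule, and
build a throttled per-host summary. Added example, not project code."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# RFC 5424 syslog framing around the filterlog CSV payload.
LINE_RE = re.compile(
    r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) filterlog \d+ - (?:\[[^\]]*\] )?(?P<csv>.+)$"
)

# Constructed sample lines; rule labels and addresses are placeholders.
SAMPLE_LINES = [
    '<134>1 2026-01-07T18:04:17-05:00 fw.example filterlog 44252 - [meta sequenceId="1"] 1658,,,rid_known_abusers_PLACEHOLDER,igc1,match,block,out,4,0x0,,64,1001,0,DF,6,tcp,60,10.0.0.5,198.51.100.7,51000,443,0,S,1,,65535,,mss',
    '<134>1 2026-01-07T18:05:16-05:00 fw.example filterlog 44252 - [meta sequenceId="2"] 1658,,,rid_known_abusers_PLACEHOLDER,igc1,match,block,out,4,0x0,,64,1002,0,DF,6,tcp,60,10.0.0.5,198.51.100.8,51001,443,0,S,2,,65535,,mss',
    '<134>1 2026-01-07T18:06:02-05:00 fw.example filterlog 44252 - [meta sequenceId="3"] 1658,,,rid_known_abusers_PLACEHOLDER,igc1,match,block,out,4,0x0,,64,1003,0,DF,17,udp,60,10.0.0.9,198.51.100.7,40000,53,40',
    '<134>1 2026-01-07T18:06:40-05:00 fw.example filterlog 44252 - [meta sequenceId="4"] 1700,,,rid_other_PLACEHOLDER,igc1,match,block,in,4,0x0,,249,54321,0,none,6,tcp,44,198.235.24.40,192.0.2.99,50451,9092,0,S,3741296355,,65535,,mss',
    '<134>1 2026-01-07T18:07:00-05:00 fw.example filterlog 44252 - [meta sequenceId="5"] 12,,,rid_default_PLACEHOLDER,igc1,match,pass,out,4,0x0,,64,1004,0,DF,6,tcp,60,10.0.0.5,203.0.113.10,51002,443,0,S,3,,65535,,mss',
]


def parse_line(line):
    """Return the fields of an IPv4 filterlog line, or None if it does not parse.

    Positions follow the IPv4 layout seen in the thread's sample lines:
    rulenr, subrule, anchor, rule label, iface, reason, action, dir, ipver,
    tos, ecn, ttl, id, offset, flags, proto, protoname, length, src, dst,
    srcport, dstport, ... IPv6 lines (ipver 6) differ and are skipped here.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 22 or f[8] != "4":
        return None
    ts = datetime.fromisoformat(m.group("ts"))  # offset-aware timestamp
    return {
        "epoch": ts.timestamp(), "rulenr": f[0], "rid": f[3], "iface": f[4],
        "action": f[6], "dir": f[7], "proto": f[16], "src": f[18], "dst": f[19],
        "srcport": f[20], "dstport": f[21],
    }


def violations(lines, rule_regex, direction="out"):
    """Blocked packets in `direction` whose rule label matches rule_regex.

    This is the same idea as Monit's content = "<regex>" test, applied to
    the rule-label field instead of the whole line."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if (e and e["action"] == "block" and e["dir"] == direction
                and re.search(rule_regex, e["rid"])):
            hits.append(e)
    return hits


def summarize(entries, rule_name):
    """One (host, message) pair per offending internal host, sorted by host."""
    counts = Counter(e["src"] for e in entries)
    dsts = defaultdict(set)
    for e in entries:
        dsts[e["src"]].add(e["dst"])
    return [
        (src, f"{src} violated the {rule_name} outbound firewall rule: "
              f"{n} blocked connection(s) to {len(dsts[src])} destination(s)")
        for src, n in sorted(counts.items())
    ]


class Throttle:
    """Allow one alert per host per window_seconds; repeats inside it are dropped."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self.last_sent = {}  # host -> epoch of last alert

    def should_send(self, host, now_epoch):
        prev = self.last_sent.get(host)
        if prev is not None and now_epoch - prev < self.window:
            return False
        self.last_sent[host] = now_epoch
        return True


def alert_lines(lines, rule_regex, rule_name, throttle, now_epoch):
    """Messages worth sending for this poll, after per-host throttling."""
    entries = violations(lines, rule_regex)
    return [msg for src, msg in summarize(entries, rule_name)
            if throttle.should_send(src, now_epoch)]


if __name__ == "__main__":
    throttle = Throttle(3600)  # one alert per host per hour
    now = max(e["epoch"] for e in violations(SAMPLE_LINES, "known_abusers"))
    for msg in alert_lines(SAMPLE_LINES, "known_abusers", "known_abusers", throttle, now):
        print(msg)
```

Run against a real `/var/log/filter/latest.log` the window should end before the daily rotation the post mentions, or a host whose hits sit across the rotation boundary is missed; the throttle state would also need to be persisted between runs if this ran as a periodic job rather than as one long-lived process.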

@OPNenthu Holy ...! Chapeau, you figured out how to do that without any additional scripts or modifications. Not that I personally need it. But great achievement.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I'm sure someone's figured it out already but I didn't need to dig into the archives for once :)

Another option is to send your OPNsense syslog to Loki and use Grafana for your log monitoring/alerting:

https://roguesecurity.dev/blog/opnsense-loki

The instructions use containers, but you can just install Loki and Grafana into a VM instead.

January 08, 2026, 04:34:41 AM #6 Last Edit: January 08, 2026, 04:40:17 AM by OPNenthu
So the issue with my cron input was that I was trying to use a slash character to test on 5-minute intervals (e.g. */5 * * * *), but this is not legal in Monit.


However "0 * * * *" is accepted and should run at the top of every hour.

Probably best to do it 30 minutes past every hour in order to not clash with the log rotation at 00:00.



Quote from: OPNenthu on January 08, 2026, 04:34:41 AM
So the issue with my cron input was that I was trying to use a slash character to test on 5-minute intervals (e.g. */5 * * * *), but this is not legal in Monit.

No, Monit does not expect this, since it uses its own poll interval.

@OPNenthu Wow. I redact my post and hope the OP comes back to see your solution. Thanks.

@keeka I think centralized logging and analytics has a place, if users have the option to run those tools. I'm in the process (finally) of getting network storage here, so I may experiment with exporting OPNsense logs, but I am wary of tech debt and tool sprawl: more things to manage :(