Netgate Discussion Forum

Email Reports formatting

    michmoor LAYER 8 Rebel Alliance
    last edited by Apr 9, 2022, 6:56 PM

    I use the email reports feature to get a daily summarized email for a certain process.
    I mainly use it for arpwatch. I get daily reports of what new MACs are on a restricted VLAN.
    Is there a way to get this report better formatted instead of it just being pulled from the system log and placed in an email?
    So for example below, I would like to add headers on each column while also removing certain fields like 'bogon'. Later on I will use a backend process I have to create a diff to show changes, if any, and that will be the daily report email, but for now I'm curious if any customizations can be made on the reports themselves from pfSense.

    Apr 8 23:53:49 GA-FW1 arpwatch[90684]: bogon 192.168.50.246 78:45:58:48:27:a0
    Apr 8 23:53:51 GA-FW1 arpwatch[90684]: bogon 192.168.50.177 b0:a7:b9:a4:ce:e9
    Apr 8 23:53:55 GA-FW1 arpwatch[90684]: bogon 192.168.50.245 24:5a:4c:7a:97:5e

    Firewall: NetGate,Palo Alto-VM,Juniper SRX
    Routing: Juniper, Arista, Cisco
    Switching: Juniper, Arista, Cisco
    Wireless: Unifi, Aruba IAP
    JNCIP,CCNP Enterprise

      stephenw10 Netgate Administrator
      last edited by Apr 11, 2022, 2:04 PM

      There is nothing to do that in pfSense. You might be able to script something.

      You could add a feature request here: https://redmine.pfsense.org/

      Steve

        michmoor LAYER 8 Rebel Alliance @stephenw10
        last edited by stephenw10 Apr 11, 2022, 2:24 PM Apr 11, 2022, 2:06 PM

        @stephenw10 Much appreciated. Thanks! Submitted request.

          NogBadTheBad @michmoor
          last edited by NogBadTheBad Apr 11, 2022, 3:14 PM Apr 11, 2022, 3:01 PM

          @michmoor have a play with the following:-

          awk, sed and echo

          I run the following at midnight to get yesterday's entries from the snort logs:-

          grep ^`date -v-1d +"%D"` /var/log/snort/snort_pppoe*/alert | awk -F, '{a[$5]++;} END {for(i in a) print a[i]" "i}' | sed 's/"//g' | sort -r ; echo
          
          grep ^`date -v-1d +"%D"` /var/log/snort/snort_pppoe*/alert ; echo
          

          So I get a summary like this:-

          Command output: Snort WAN Alerts (grep ^`date -v-1d +"%D"` /var/log/snort/snort_pppoe*/alert | awk -F, '{a[$5]++;} END {for(i in a) print a[i]" "i}' | sed 's/"//g' | sort -r ; echo)
          3 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 108
          3 ET TOR Known Tor Exit Node TCP Traffic group 107
          3 (spp_sip) Content length mismatch
          1 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
          
          Command output: Snort WAN Alerts Details (grep ^`date -v-1d +"%D"` /var/log/snort/snort_pppoe*/alert ; echo)
          04/10/22-07:46:07.832658 ,1,2522107,4759,"ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 108",TCP,45.61.188.191,60048,xx.xx.xx.xx,1080,54321,Misc Attack,2,alert,Allow
          04/10/22-07:46:07.832658 ,1,2520106,4759,"ET TOR Known Tor Exit Node TCP Traffic group 107",TCP,45.61.188.191,60048,xx.xx.xx.xx,1080,54321,Misc Attack,2,alert,Allow
          04/10/22-16:23:11.254875 ,140,18,2,"(spp_sip) Content length mismatch",UDP,192.241.212.220,55707,xx.xx.xx.xx,5060,54321,Potentially Bad Traffic,2,alert,Allow
          04/10/22-18:08:00.070426 ,1,2522107,4759,"ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 108",TCP,45.61.188.191,47241,xx.xx.xx.xx,1080,54321,Misc Attack,2,alert,Allow
          04/10/22-18:08:00.070426 ,1,2520106,4759,"ET TOR Known Tor Exit Node TCP Traffic group 107",TCP,45.61.188.191,47241,xx.xx.xx.xx,1080,54321,Misc Attack,2,alert,Allow
          04/10/22-20:42:03.730836 ,140,18,2,"(spp_sip) Content length mismatch",UDP,128.199.3.204,58177,xx.xx.xx.xx,5060,40209,Potentially Bad Traffic,2,alert,Allow
          04/10/22-21:11:10.595437 ,140,18,2,"(spp_sip) Content length mismatch",UDP,165.232.128.219,58181,xx.xx.xx.xx,5060,47623,Potentially Bad Traffic,2,alert,Allow
          04/10/22-22:53:32.283173 ,1,2522107,4759,"ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 108",TCP,45.61.188.191,50650,xx.xx.xx.xx,1080,54321,Misc Attack,2,alert,Allow
          04/10/22-22:53:32.283173 ,1,2520106,4759,"ET TOR Known Tor Exit Node TCP Traffic group 107",TCP,45.61.188.191,50650,xx.xx.xx.xx,1080,54321,Misc Attack,2,alert,Allow
          04/10/22-23:34:44.609324 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,14.1.112.177,38376,xx.xx.xx.xx,123,54321,Attempted Denial of Service,2,alert,Allow
          

          NB: the snort logs' date format differs.

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
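
One way to do the arpwatch reformatting asked about in the first post, using awk as the last reply suggests. This is an added example, not code from any poster or from pfSense; the function name `format_arpwatch` and the `SAMPLE_LOG` lines are constructed, and it assumes the line layout shown in the first post, with the IP and MAC as the last two fields. It goes slightly beyond the request by collapsing repeats of the same IP/MAC pair into one row with a count.

```shell
#!/bin/sh
# Added example: turn arpwatch syslog lines into a column report.
# Assumed layout (from the sample in the thread):
#   Mon D HH:MM:SS HOST arpwatch[PID]: EVENT IP MAC

# Constructed sample input: two lines from the thread, one unrelated line,
# and a repeat of the first station with its MAC in upper case.
SAMPLE_LOG='Apr 8 23:53:49 GA-FW1 arpwatch[90684]: bogon 192.168.50.246 78:45:58:48:27:a0
Apr 8 23:53:51 GA-FW1 arpwatch[90684]: bogon 192.168.50.177 b0:a7:b9:a4:ce:e9
Apr 8 23:54:02 GA-FW1 sshd[1234]: constructed unrelated line
Apr 8 23:59:10 GA-FW1 arpwatch[90684]: bogon 192.168.50.246 78:45:58:48:27:A0'

# format_arpwatch (hypothetical name): reads syslog lines on stdin and prints
# a header plus one row per unique IP/MAC pair, in order of first appearance.
format_arpwatch() {
    awk '
    # Keep only arpwatch lines; the event word (e.g. bogon) is dropped.
    $5 ~ /^arpwatch\[[0-9]+\]:$/ && NF >= 8 {
        ip  = $(NF-1)
        mac = tolower($NF)          # same station in another case is one row
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        if (mac !~ /^[0-9a-f:]+$/ || split(mac, octets, ":") != 6) next
        key = ip " " mac
        if (!(key in count)) order[++n] = key
        count[key]++
        last[key] = $1 " " $2 " " $3   # timestamp of the most recent sighting
    }
    END {
        printf "%-15s  %-17s  %5s  %s\n", "IP", "MAC", "COUNT", "LAST SEEN"
        for (i = 1; i <= n; i++) {
            split(order[i], k, " ")
            printf "%-15s  %-17s  %5d  %s\n", k[1], k[2], count[order[i]], last[order[i]]
        }
    }'
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | format_arpwatch
```

On the firewall, pipe the arpwatch lines from the system log into the function in place of the sample, run the same way as the snort commands above.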
