Netgate Discussion Forum
    Email Reports formatting

    General pfSense Questions
      michmoor LAYER 8 Rebel Alliance
      last edited by

      I use the email reports feature to get a daily summarized email for a certain process.
      I mainly use it for arpwatch. I get daily reports of what new MACs are on a restricted VLAN.
      Is there a way to get this report better formatted instead of it just being pulled from the system log and placed in an email?
      So for example below, I would like to add headers on each column while also removing certain fields like 'bogon'. Later on I will use a backend process I have to create a diff to show changes, if any, and that will be the daily report email, but for now I'm curious if any customizations can be made to the reports themselves from pfSense.

      Apr 8 23:53:49 GA-FW1 arpwatch[90684]: bogon 192.168.50.246 78:45:58:48:27:a0
      Apr 8 23:53:51 GA-FW1 arpwatch[90684]: bogon 192.168.50.177 b0:a7:b9:a4:ce:e9
      Apr 8 23:53:55 GA-FW1 arpwatch[90684]: bogon 192.168.50.245 24:5a:4c:7a:97:5e

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

        stephenw10 Netgate Administrator
        last edited by

        There is nothing in pfSense to do that. You might be able to script something.

        You could add a feature request here: https://redmine.pfsense.org/

        Steve

          michmoor LAYER 8 Rebel Alliance @stephenw10
          last edited by stephenw10

          @stephenw10 Much appreciated, thanks! Submitted request.

            NogBadTheBad @michmoor
            last edited by NogBadTheBad

            @michmoor have a play with the following:-

            awk, sed and echo

            I run the following at midnight to get yesterday's entries from the snort logs:-

            # Summary: count yesterday's alerts per signature (field 5 of the CSV alert line); -n sorts the counts numerically so 10 lands above 9
            grep ^`date -v-1d +"%D"` /var/log/snort/snort_pppoe*/alert | awk -F, '{a[$5]++;} END {for(i in a) print a[i]" "i}' | sed 's/"//g' | sort -rn ; echo

            # Details: every alert line from yesterday
            grep ^`date -v-1d +"%D"` /var/log/snort/snort_pppoe*/alert ; echo

            So I get a summary like this:-

            Command output: Snort WAN Alerts (grep ^`date -v-1d +"%D"` /var/log/snort/snort_pppoe*/alert | awk -F, '{a[$5]++;} END {for(i in a) print a[i]" "i}' | sed 's/"//g' | sort -r ; echo)
            3 ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 108
            3 ET TOR Known Tor Exit Node TCP Traffic group 107
            3 (spp_sip) Content length mismatch
            1 ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
            
            Command output: Snort WAN Alerts Details (grep ^`date -v-1d +"%D"` /var/log/snort/snort_pppoe*/alert ; echo)
            04/10/22-07:46:07.832658 ,1,2522107,4759,"ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 108",TCP,45.61.188.191,60048,xx.xx.xx.xx,1080,54321,Misc Attack,2,alert,Allow
            04/10/22-07:46:07.832658 ,1,2520106,4759,"ET TOR Known Tor Exit Node TCP Traffic group 107",TCP,45.61.188.191,60048,xx.xx.xx.xx,1080,54321,Misc Attack,2,alert,Allow
            04/10/22-16:23:11.254875 ,140,18,2,"(spp_sip) Content length mismatch",UDP,192.241.212.220,55707,xx.xx.xx.xx,5060,54321,Potentially Bad Traffic,2,alert,Allow
            04/10/22-18:08:00.070426 ,1,2522107,4759,"ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 108",TCP,45.61.188.191,47241,xx.xx.xx.xx,1080,54321,Misc Attack,2,alert,Allow
            04/10/22-18:08:00.070426 ,1,2520106,4759,"ET TOR Known Tor Exit Node TCP Traffic group 107",TCP,45.61.188.191,47241,xx.xx.xx.xx,1080,54321,Misc Attack,2,alert,Allow
            04/10/22-20:42:03.730836 ,140,18,2,"(spp_sip) Content length mismatch",UDP,128.199.3.204,58177,xx.xx.xx.xx,5060,40209,Potentially Bad Traffic,2,alert,Allow
            04/10/22-21:11:10.595437 ,140,18,2,"(spp_sip) Content length mismatch",UDP,165.232.128.219,58181,xx.xx.xx.xx,5060,47623,Potentially Bad Traffic,2,alert,Allow
            04/10/22-22:53:32.283173 ,1,2522107,4759,"ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 108",TCP,45.61.188.191,50650,xx.xx.xx.xx,1080,54321,Misc Attack,2,alert,Allow
            04/10/22-22:53:32.283173 ,1,2520106,4759,"ET TOR Known Tor Exit Node TCP Traffic group 107",TCP,45.61.188.191,50650,xx.xx.xx.xx,1080,54321,Misc Attack,2,alert,Allow
            04/10/22-23:34:44.609324 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,14.1.112.177,38376,xx.xx.xx.xx,123,54321,Attempted Denial of Service,2,alert,Allow
            

            NB: the Snort logs' date format differs.

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

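Applying the same awk idea to the arpwatch report from the first post, as an added example that is not from anyone in this thread: each syslog line is split into labelled columns with a header row, lines without an address event (such as arpwatch's "listening on" start-up message, or lines from other daemons) are skipped, and one event type such as `bogon` can be excluded. The sample log is constructed around the lines posted above; the `-x` option, the column layout and the "new station" line are assumptions.

```shell
#!/bin/sh
# Added example: reformat arpwatch syslog lines into a columned report.
# Assumes the pfSense syslog layout shown in the thread:
#   "Mon DD HH:MM:SS host arpwatch[pid]: <event words> <ip> <mac> [extra]"
# Usage: format_arpwatch [-x EVENT] < logfile   (EVENT, e.g. bogon, is dropped)

format_arpwatch() {
    _ex=""
    if [ "$1" = "-x" ]; then _ex="$2"; fi
    awk -v exclude="$_ex" '
    BEGIN {
        fmt = "%-6s %-8s %-8s %-24s %-15s %-17s %s\n"
        printf fmt, "DATE", "TIME", "HOST", "EVENT", "IP", "MAC", "EXTRA"
    }
    # $5 is the syslog "prog[pid]:" tag; only arpwatch lines are reported.
    $5 ~ /^arpwatch\[[0-9]+\]:$/ {
        event = ""; ip = ""; mac = ""; extra = ""
        # Words before the first IPv4 token form the event name; the token
        # after the address is the MAC; anything else (old MAC, iface) is extra.
        for (i = 6; i <= NF; i++) {
            if (ip == "" && $i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { ip = $i }
            else if (ip == "")  { event = (event == "" ? $i : event " " $i) }
            else if (mac == "") { mac = $i }
            else                { extra = (extra == "" ? $i : extra " " $i) }
        }
        if (ip == "") next                       # e.g. "listening on igb1"
        if (exclude != "" && event == exclude) next
        printf fmt, $1 " " $2, $3, $4, event, ip, mac, extra
    }'
}

# Constructed sample: the three bogon lines from the thread plus an assumed
# start-up line, an assumed "new station" line and an unrelated sshd line.
SAMPLE_LOG='Apr 8 23:53:40 GA-FW1 arpwatch[90684]: listening on igb1
Apr 8 23:53:49 GA-FW1 arpwatch[90684]: bogon 192.168.50.246 78:45:58:48:27:a0
Apr 8 23:53:51 GA-FW1 arpwatch[90684]: bogon 192.168.50.177 b0:a7:b9:a4:ce:e9
Apr 8 23:53:55 GA-FW1 arpwatch[90684]: bogon 192.168.50.245 24:5a:4c:7a:97:5e
Apr 8 23:54:02 GA-FW1 arpwatch[90684]: new station 192.168.50.20 00:11:22:33:44:55
Apr 8 23:54:03 GA-FW1 sshd[1234]: Accepted publickey for admin from 192.168.50.20'

# Full report, then the same report without the bogon entries.
printf '%s\n' "$SAMPLE_LOG" | format_arpwatch
printf '%s\n' "$SAMPLE_LOG" | format_arpwatch -x bogon
```

On pfSense the command to put in the email report would be the `format_arpwatch` pipeline with `clog /var/log/system.log | grep arpwatch` (or the arpwatch package's own log) in place of the sample.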
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.