How to email when IP added to address list?

Geoffb · Fri Nov 06, 2009 2:58 pm

Hi All,

I need a little bit of help please.

We have a generic firewall rule which checks for more than 30 SMTP connections and then adds the clients IP to a src-address list.
See below:

37   ;;; Detect SMTP Spammers
     chain=SMTP action=add-src-to-address-list protocol=tcp address-list=smtp_spammers address-list-timeout=3h dst-port=25 connection-limit=30,32

What we want to do now is whenever an IP address is added to this src-list, we want it to email through to our support department so they can be aware of who was added.

Can anyone give some ideas?
Thanks.

kirshteins · Fri Nov 06, 2009 3:44 pm

Set up action and rule for logger

/system logging action
action add name=mail email-to=email@server.com target=email 
/system logging
add action=mail disabled=no prefix=_mail topics=firewall

Set up e-mail settings under

/tool e-mail

Then copy your given rule and place a copy before original rule. Change action=log and log-prefix=_mail properties for the new rule

Then you should be able to receive e-mails with necessary information. Something similar to:

firewall,info _mail: _mail input: in:ether1 out:(none), src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 0, code 0), src-IP-address->dst-IP-address, len 44

Nutcracker · Fri Nov 06, 2009 5:05 pm

Is there any chance of making that line any short, ie just the IP and some text of our choice?

PS. I work with Geoffb, that is why i am asking.

fewi · Fri Nov 06, 2009 6:00 pm

Since it simply emails out the log entry itself you cannot easily change the content. You can either log to an external syslog server, parse the incoming logs there and email out alerts, or you can log to memory and write a script that is scheduled to run every minute or so and finds new log lines matching the pattern you are looking for, and then emails you. An example of such a script is on the wiki.

Personally I'd just keep it as you have it now.

er · Sat Nov 07, 2009 11:44 pm

Hi
I use this script

:foreach i in [/ip firewall address-list find list=spamm] do={ /tool e-mail send to=xxx@xxxx.xx subject="Spamm" body=("Spamm fra " . [/ip firewall address-list get $i  address])}

ploquets · Mon May 15, 2017 11:52 pm

Hi
I use this script

:foreach i in [/ip firewall address-list find list=spamm] do={ /tool e-mail send to=xxx@xxxx.xx subject="Spamm" body=("Spamm fra " . [/ip firewall address-list get $i  address])}

Is there any way to create only one email with all IPs inside at the address-list? Not one email per IP.
Thank you

Arxondas · Fri Nov 19, 2021 12:34 pm

Hello,

I have config the /tool email and router can send emails (tested OK).
Then I used the following :

/system logging action add name=PSD email-to=a@a.com target=email
/system logging add topics=firewall action=PSD prefix=psd
and also enabled log=yes with log-prefix=psd in my firewall rule.

My problem is that I get emails also from other rules with different prefix e.g. "drop_all".
It's very strange and cant find what's wrong.
RouterOS v6.48.5

Thanks

rextended · Fri Nov 19, 2021 6:18 pm

Please do not resurrect post some years old...

because prefix=psd do not select "when prefix is psd", but add another "psd" as prefix

when you select "firewall" you get all firewall log, no one excluded

How to email when IP added to address list?

How to email when IP added to address list?

Re: How to email when IP added to address list?

Re: How to email when IP added to address list?

Re: How to email when IP added to address list?

Re: How to email when IP added to address list?

Re: How to email when IP added to address list?

Re: How to email when IP added to address list?

Re: How to email when IP added to address list?

Who is online