How to email when IP added to address list?
Posted: Fri Nov 06, 2009 2:58 pm
by Geoffb
Hi All,
I need a little bit of help please.
We have a generic firewall rule which checks for more than 30 SMTP connections and then adds the client's IP to a src-address list.
See below:
37 ;;; Detect SMTP Spammers
chain=SMTP action=add-src-to-address-list protocol=tcp address-list=smtp_spammers address-list-timeout=3h dst-port=25 connection-limit=30,32
What we want to do now is whenever an IP address is added to this src-list, we want it to email through to our support department so they can be aware of who was added.
Can anyone give some ideas?
Thanks.
Re: How to email when IP added to address list?
Posted: Fri Nov 06, 2009 3:44 pm
by kirshteins
Set up action and rule for logger
/system logging action
add name=mail email-to=email@server.com target=email
/system logging
add action=mail disabled=no prefix=_mail topics=firewall
Set up e-mail settings under
Then copy your given rule and place a copy before the original rule. Change action=log and log-prefix=_mail properties for the new rule.
Then you should be able to receive e-mails with necessary information. Something similar to:
firewall,info _mail: _mail input: in:ether1 out:(none), src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 0, code 0),
src-IP-address->dst-IP-address, len 44
Re: How to email when IP added to address list?
Posted: Fri Nov 06, 2009 5:05 pm
by Nutcracker
Is there any chance of making that line any shorter, i.e. just the IP and some text of our choice?
PS. I work with Geoffb, that is why I am asking.
Re: How to email when IP added to address list?
Posted: Fri Nov 06, 2009 6:00 pm
by fewi
Since it simply emails out the log entry itself you cannot easily change the content. You can either log to an external syslog server, parse the incoming logs there and email out alerts, or you can log to memory and write a script that is scheduled to run every minute or so and finds new log lines matching the pattern you are looking for, and then emails you. An example of such a script is on the wiki.
Personally I'd just keep it as you have it now.
Re: How to email when IP added to address list?
Posted: Sat Nov 07, 2009 11:44 pm
by er
Hi
I use this script
:foreach i in=[/ip firewall address-list find list=spamm] do={ /tool e-mail send to=xxx@xxxx.xx subject="Spamm" body=("Spamm fra " . [/ip firewall address-list get $i address])}
Re: How to email when IP added to address list?
Posted: Mon May 15, 2017 11:52 pm
by ploquets
Hi
I use this script
:foreach i in=[/ip firewall address-list find list=spamm] do={ /tool e-mail send to=xxx@xxxx.xx subject="Spamm" body=("Spamm fra " . [/ip firewall address-list get $i address])}
Is there any way to create only one email with all the IPs in the address-list? Not one email per IP.
Thank you
Re: How to email when IP added to address list?
Posted: Fri Nov 19, 2021 12:34 pm
by Arxondas
Hello,
I have configured /tool email and the router can send emails (tested OK).
Then I used the following :
/system logging action add name=PSD email-to=a@a.com target=email
/system logging add topics=firewall action=PSD prefix=psd
and also enabled log=yes with log-prefix=psd in my firewall rule.
My problem is that I get emails also from other rules with different prefix e.g. "drop_all".
It's very strange and I can't find what's wrong.
RouterOS v6.48.5
Thanks
Re: How to email when IP added to address list?
Posted: Fri Nov 19, 2021 6:18 pm
by rextended
Please do not resurrect posts that are some years old...
because prefix=psd does not select "when prefix is psd", but adds another "psd" as a prefix.
When you select "firewall" you get all firewall logs, none excluded.
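The external-syslog approach fewi describes, as an added example that is not part of any post in this thread: a Python filter for the receiving host that keys on the firewall rule's own log-prefix (the second prefix in the line, since the logging rule's prefix is added to every firewall entry, as rextended notes) and builds a single message listing all source IPs. The log lines are constructed in the shape of the sample quoted earlier in the thread; the function names and e-mail addresses are assumptions.

```python
import re
from collections import Counter
from email.message import EmailMessage

# Constructed sample, shaped like the log entry quoted earlier in the thread:
# "<topics> <logging prefix>: <rule log-prefix> <chain>: ..., src->dst, len N"
SAMPLE_LOG = """\
firewall,info psd: psd forward: in:ether1 out:ether2, src-mac 00:00:5e:00:53:01, proto TCP (SYN), 192.0.2.10:51234->198.51.100.5:25, len 60
firewall,info psd: drop_all input: in:ether1 out:(none), src-mac 00:00:5e:00:53:02, proto TCP (SYN), 203.0.113.7:40000->198.51.100.1:22, len 60
firewall,info psd: psd forward: in:ether1 out:ether2, src-mac 00:00:5e:00:53:01, proto TCP (SYN), 192.0.2.10:51240->198.51.100.5:25, len 60
firewall,info psd: psd forward: in:ether1 out:ether2, src-mac 00:00:5e:00:53:03, proto TCP (SYN), 192.0.2.44:33000->198.51.100.5:25, len 60
firewall,info psd: psd input: in:ether1 out:(none), src-mac 00:00:5e:00:53:04, proto ICMP (type 8, code 0), 192.0.2.99->198.51.100.1, len 44
"""

LINE_RE = re.compile(
    r"^firewall,\S+ (?:[^\s:]+: )?"             # topics, optional logging-rule prefix
    r"(?P<rule_prefix>[^\s:]+) [\w-]+: "         # firewall rule log-prefix, then chain
    r".*, (?P<src>\d+(?:\.\d+){3})(?::\d+)?->"   # source IPv4 with optional port
)

def offenders(log_text, rule_prefix):
    """Count hits per source IP for lines whose *rule* log-prefix matches."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("rule_prefix") == rule_prefix:
            hits[m.group("src")] += 1
    return hits

def build_alert(hits, sender, recipient, rule_prefix):
    """Return one EmailMessage covering every IP, or None if nothing matched."""
    if not hits:
        return None
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"{len(hits)} source address(es) logged with prefix {rule_prefix}"
    msg.set_content("\n".join(f"{ip}  ({n} log entries)" for ip, n in hits.most_common()))
    return msg  # pass to smtplib.SMTP(...).send_message(msg) to deliver

if __name__ == "__main__":
    print(build_alert(offenders(SAMPLE_LOG, "psd"), "router@example.com",
                      "support@example.com", "psd"))
```

A plain substring search for "psd" would match all five sample lines, including the drop_all entry, which is why the filter compares the parsed rule prefix instead.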