Tested on 9.0 USE AT YOUR OWN RISK

For this example we are doing alerting for any IPS event logged or blocked and alerting an unlimited amount of times.

You must be able to ssh into your untangle box.

You can further broaden or narrow down the expression that is checked before alerting you, but for that you will need to go to the authors website and research there. Credit goes to www.rsyslog.com for their beautiful email alerting syslog daemon.

Here we go!

1. edit /etc/rsyslog.d/untangle.conf with the following (please note, this is probably the only file you will need to modify to fit your needs. If you set smtp server to localhost, then it will send email using your settings that are specified in the mail portion of Untangle's GUI. If you don't want to use Untangle to send email, then just change to your own smtp server(must alow open relay) Please see www.rsyslog.com for more help on config options)


$UDPServerRun 514

$ModLoad ommail
After this line add the following:
:msg, contains, "did-not-care" ~

##Note, smtp server must be able to relay mail!##
$ActionMailSMTPServer localhost 
$ActionMailSMTPPort 25
$ActionMailFrom email@fromaddress.com
$ActionMailTo email@toaddress.com
$template mailSubject,"Untangle Alert On Server"
$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
if $syslogtag contains 'Intrusion_Prevention' then :ommail:;mailBody
2. restart rsyslog

/etc/init.d/rsyslog restart
3. Your last step is to go to the administration section of untangle and enable syslog monitoring. For the hostname put in null, for the port leave at 514, leave facility at 0 and change threashold to notice.