  #1
    Master Untangler
    Join Date: Apr 2007
    Posts: 594

    Untangle Active Alerting... IN 3 STEPS!


    UPDATED FOR 7.0


    INSTALL AT YOUR OWN RISK. THIS WAS TESTED ON 6.2, 6.2.1 AND 7.0.

    This is a follow-up howto for versions 6.2, 6.2.1 and 7.0. Things changed since previous versions because Debian Lenny's default syslog daemon is now rsyslog.

    If you need to know how to install for older versions, please visit: http://forums.untangle.com/tip-day/6...-alerting.html

    I have somewhat limited Linux experience, but had to come up with a solution for active intrusion detection alerting.

    For this example we are doing alerting for any IPS event logged or blocked and alerting an unlimited amount of times.

    You must be able to ssh into your untangle box.

    You can further broaden or narrow down the expression that is checked before alerting you, but for that you will need to go to the author's website and research there. Credit goes to www.rsyslog.com for their beautiful email-alerting syslog daemon.

    Here we go!

    1. Edit /etc/rsyslog.conf with the following. (Please note, this is probably the only file you will need to modify to fit your needs. If you set the SMTP server to localhost, then it will send email using the settings that are specified in the mail portion of Untangle's GUI. If you don't want to use Untangle to send email, then just change it to your own SMTP server (must allow open relay). Please see www.rsyslog.com for more help on config options.)

    Under

    #### MODULES ####

    Add

    Code:
    $ModLoad ommail

    Under

    # provides UDP syslog reception

    Uncomment the following two lines:

    Code:
    #$ModLoad imudp
    #$UDPServerRun 514

    Under

    #### GLOBAL DIRECTIVES ####

    Add the following action, changing to your information

    Code:
    ####ACTIONS####

    ##Note, smtp server must be able to relay mail!##
    $ActionMailSMTPServer localhost
    $ActionMailSMTPPort 25
    $ActionMailFrom email@fromaddress.com
    $ActionMailTo email@toaddress.com
    $template mailSubject,"Untangle Alert On Server"
    $template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
    $ActionMailSubject mailSubject
    if $syslogtag contains 'Intrusion_Prevention' then :ommail:;mailBody

    2. Restart rsyslog

    Code:
    /etc/init.d/rsyslog restart

    3. Your last step is to go to the administration section of Untangle and enable syslog monitoring. For the hostname put in localhost, for the port leave it at 514, leave facility at 0 and change threshold to notice.
    Last edited by bigdessert; 10-04-2009 at 07:27 PM.
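As an added illustration (not code from the post, from Untangle or from rsyslog), the following Python models both ends of the pipeline the three steps set up: the Untangle side emitting RFC 3164 lines to UDP/514 with facility 0 and a notice threshold, and the rsyslog side applying the `$syslogtag contains 'Intrusion_Prevention'` filter and the `mailSubject`/`mailBody` templates. The sample lines and the tag text are constructed from the post's filter string; the real tag format depends on the Untangle version.

```python
import re

FACILITY_KERN = 0   # step 3: "leave facility at 0"
SEV_NOTICE = 5      # step 3: "change threshold to notice" (severities 0..5 pass)
# RFC 3164 shape: <PRI>TIMESTAMP HOST TAG: MSG  (PRI = facility*8 + severity)
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+) (.*)$")

# Constructed sample traffic; the tag text is hypothetical, taken from the post's filter.
SAMPLE_LINES = [
    "<5>Oct  4 19:27:01 untangle Intrusion_Prevention: blocked 10.0.0.5 -> 192.168.1.10",
    "<5>Oct  4 19:27:02 untangle Spam_Blocker: quarantined message",
    "<4>Oct  4 19:27:03 untangle Intrusion_Prevention: logged event",
]

def build_datagram(severity, tag, msg, host="untangle"):
    """Untangle side (modelled): the line it would send to UDP/514, or None
    when the event is less severe than notice and so is dropped by the threshold."""
    if severity > SEV_NOTICE:
        return None
    return f"<{FACILITY_KERN * 8 + severity}>Oct  4 19:27:01 {host} {tag}: {msg}"

def parse_syslog(line):
    """rsyslog side (modelled): split PRI and expose $syslogtag / $msg like rsyslog does."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8,
            "syslogtag": m.group(4), "msg": m.group(5)}

def matches_rule(rec):
    """The post's filter: if $syslogtag contains 'Intrusion_Prevention' then :ommail:;mailBody"""
    return "Intrusion_Prevention" in rec["syslogtag"]

def render_mail(rec, mail_from="email@fromaddress.com", mail_to="email@toaddress.com"):
    """Apply the post's mailSubject and mailBody templates to one record."""
    return {"from": mail_from, "to": mail_to,
            "subject": "Untangle Alert On Server",
            "body": "RSYSLOG Alert\r\nmsg='%s'" % rec["msg"]}

def process(lines):
    """One mail per matching line: like the post's rule, nothing rate-limits the alerts."""
    mails = []
    for line in lines:
        rec = parse_syslog(line)
        if rec and matches_rule(rec):
            mails.append(render_mail(rec))
    return mails

if __name__ == "__main__":
    for mail in process(SAMPLE_LINES):
        print(mail["subject"], "|", mail["body"].replace("\r\n", " / "))
```

Because every matching event produces one mail, a burst of IPS hits produces a burst of messages; the rule as written in the post has no rate limiting, which is worth knowing before pointing it at a busy sensor.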

  #2
    Newbie
    Join Date: May 2009
    Posts: 11

    This works great, thanks for the tip!

    -Aaron
