Categorizing messages in Netgear Log Emails

romanstardust

Occasional Visitor
I have an R7800 and was wondering if it would be possible to modify the script that sends out the log messages via email. It currently just dumps them like

Code:
[Time synchronized with NTP server] Tuesday, January 05, 2021 22:48:44
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 22:44:08
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 22:43:50
[DoS Attack: ACK Scan] from source: x.x.x.x, port 20025, Tuesday, January 05, 2021 22:28:17
[DoS Attack: ACK Scan] from source: x.x.x.x, port 25565, Tuesday, January 05, 2021 22:11:53
[LAN access from remote] from x.x.x.x:59222 to x.x.x.x:32400, Tuesday, January 05, 2021 22:00:34
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 80, Tuesday, January 05, 2021 21:50:37
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 21:45:54
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 80, Tuesday, January 05, 2021 21:19:10
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 21:01:59
[DoS Attack: ACK Scan] from source: x.x.x.x, port 5223, Tuesday, January 05, 2021 20:56:32
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 443, Tuesday, January 05, 2021 20:55:17
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 55555, Tuesday, January 05, 2021 20:34:58
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 20:30:38
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 443, Tuesday, January 05, 2021 19:30:53
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 19:27:46

I want to make them be split into categories like so

Code:
NTP
[Time synchronized with NTP server] Tuesday, January 05, 2021 22:48:44

DHCP IP
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 22:44:08
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 22:43:50
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 21:45:54
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 21:01:59
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 20:30:38
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 19:27:46

DoS Attack
[DoS Attack: ACK Scan] from source: x.x.x.x, port 20025, Tuesday, January 05, 2021 22:28:17
[DoS Attack: ACK Scan] from source: x.x.x.x, port 25565, Tuesday, January 05, 2021 22:11:53
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 80, Tuesday, January 05, 2021 21:50:37
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 80, Tuesday, January 05, 2021 21:19:10
[DoS Attack: ACK Scan] from source: x.x.x.x, port 5223, Tuesday, January 05, 2021 20:56:32
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 443, Tuesday, January 05, 2021 20:55:17
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 55555, Tuesday, January 05, 2021 20:34:58
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 443, Tuesday, January 05, 2021 19:30:53

LAN access from remote
[LAN access from remote] from x.x.x.x:59222 to x.x.x.x:xxxx, Tuesday, January 05, 2021 22:00:34

What would be the way to do this? I assume I need to modify some CGI code or something
 

kamoj

Very Senior Member
You can simply modify: /etc/email/email_log for your needs?

 

kamoj

Very Senior Member
Now I'm home and can give you a simple example:
If you change this in /etc/email/email_log:
From:
Code:
sed -n '1! G;$p;h' $LOG_FILE | sed -n '1,256 p'
To:
Code:
tail -n256 "$LOG_FILE" | sed -n '1! G;$p;h' >/tmp/MAIL.lines
awk '{print $1" "$2}' /tmp/MAIL.lines | sort -u | sed '/^ *$/d' | while IFS= read -r line; do
   echo "$line" | tr -d "["
   grep -F "$line" /tmp/MAIL.lines && echo ""
done

then the output will be like:

Code:
DHCP IP:
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 22:44:08
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 22:43:50
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 21:45:54
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 21:01:59
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 20:30:38
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 19:27:46

DoS Attack:
[DoS Attack: ACK Scan] from source: x.x.x.x, port 20025, Tuesday, January 05, 2021 22:28:17
[DoS Attack: ACK Scan] from source: x.x.x.x, port 25565, Tuesday, January 05, 2021 22:11:53
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 80, Tuesday, January 05, 2021 21:50:37
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 80, Tuesday, January 05, 2021 21:19:10
[DoS Attack: ACK Scan] from source: x.x.x.x, port 5223, Tuesday, January 05, 2021 20:56:32
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 443, Tuesday, January 05, 2021 20:55:17
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 55555, Tuesday, January 05, 2021 20:34:58
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 443, Tuesday, January 05, 2021 19:30:53

LAN access
[LAN access from remote] from x.x.x.x:59222 to x.x.x.x:32400, Tuesday, January 05, 2021 22:00:34

Time synchronized
[Time synchronized with NTP server] Tuesday, January 05, 2021 22:48:44
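The grouping step described in this reply, written out as an added example; this is not code from the thread or from Netgear's email_log script, and the names `sample_log` and `categorize_log` are this example's own. It keeps the same tail-then-reverse window as email_log but takes the category from the text inside the leading [...] up to the first colon, and anchors the match at the start of the line, so a key can only select lines of its own type. The sample lines are constructed (RFC 5737 addresses) in the format shown earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Netgear's email_log:
# group the newest log lines under one heading per message type.
# Runs on busybox sh/awk/sed (the router shell) as well as on a desktop.

# Constructed sample in the thread's format, oldest line first, as the
# log file on disk is.
sample_log() {
cat <<'EOF'
[DHCP IP: 192.0.2.10] to MAC address 00:11:22:33:44:55, Tuesday, January 05, 2021 19:27:46
[DoS Attack: SYN/ACK Scan] from source: 198.51.100.7, port 443, Tuesday, January 05, 2021 19:30:53
[LAN access from remote] from 203.0.113.9:59222 to 192.0.2.20:32400, Tuesday, January 05, 2021 22:00:34
[DoS Attack: ACK Scan] from source: 198.51.100.8, port 20025, Tuesday, January 05, 2021 22:28:17
[Time synchronized with NTP server] Tuesday, January 05, 2021 22:48:44
EOF
}

# categorize_log FILE [MAXLINES]
# Prints the last MAXLINES lines (default 256, like email_log) newest
# first, grouped under a heading per category. The category is the text
# inside the leading [...] up to the first colon, so "[DoS Attack: ACK
# Scan]" and "[DoS Attack: SYN/ACK Scan]" share one heading while
# "[LAN access from remote]" keeps its full name (an awk '{print $1" "$2}'
# key would cut it to "[LAN access").
categorize_log() {
    tmp=$(mktemp) || return 1
    # same reverse trick as email_log: newest line first
    tail -n "${2:-256}" "$1" | sed -n '1!G;$p;h' > "$tmp"
    # unique category keys, alphabetical
    sed -n 's/^\[\([^]:]*\).*/\1/p' "$tmp" | sort -u |
    while IFS= read -r key; do
        echo "$key"
        # only lines that START with "[key]" or "[key:", so a key can
        # never match text inside another category's message
        awk -v k="[$key" 'index($0, k "]") == 1 || index($0, k ":") == 1' "$tmp"
        echo ""
    done
    # lines without a leading [...] would otherwise be silently dropped
    if grep -qv '^\[' "$tmp"; then
        echo "Other"
        grep -v '^\[' "$tmp"
        echo ""
    fi
    rm -f "$tmp"
}
```

To use it the way this thread does, source the file from /etc/email/email_log and replace the `sed -n '1! G;$p;h' $LOG_FILE | sed -n '1,256 p'` line with `categorize_log "$LOG_FILE"`.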

romanstardust

Occasional Visitor
Wow! Thanks a ton! I'll give it a go

UPDATE: Just tried and the code above works perfectly. Thanks again! My logs make sense now
 

romanstardust

Occasional Visitor
In case someone wants to have this change done automatically via the Autorun functionality, here are the commands for it

Bash:
sed -i 's@sed -n .1! G;$p;h. $LOG_FILE | sed -n .1,256 p.@tail -n256 "$LOG_FILE" | sed -n ℞1! G;$p;h℞ >/tmp/MAIL.lines\n℥℥℥awk ℞{print $1" "$2}℞ /tmp/MAIL.lines | sort -u | sed ℞/^ *$/d℞ | while IFS= read -r line; do\n℥℥℥℥echo "$line" | tr -d "["\n℥℥℥℥grep -F "$line" /tmp/MAIL.lines \&\& echo \""\n℥℥℥done@' /etc/email/email_log
sed -i "s/℞/'/g" /etc/email/email_log
sed -i "s/℥/$(printf '\t')/g" /etc/email/email_log

I had to split it into 3 commands for it to be done correctly. The first one will do the bulk of the work. The second command simply replaces ℞ with '. The third one replaces ℥ with TABs as the Netgear version of sed does not support the \t command


NOTE: Please modify the Autorun file via a GUI based editor. When trying to do it directly via SSH on the Router itself, both "nano" & "vi" were unable to correctly add/display the lines above.
 

romanstardust

Occasional Visitor
I made an updated version of this script, which summarizes the log lines, so that it is even easier to read.

The main changes are
- DHCP IP assignment is summarized and shows a max of 5 assignments per IP/MAC combo
- If a DHCP IP address is assigned to more than 1 MAC, it will be flagged as [DUPLICATE]
- DoS Attack is summarized by IP & Port
- If DoS Attack from a source IP hits multiple ports, those will be flagged as [MULTIPORT]
- Minor formatting changes


Sample output

Code:
==========================================================
DHCP IP
==========================================================

[DHCP IP: xxx.xxx.xxx.xxx] to MAC address - RA:ND:OM:MA:CA:DD - 2 - times
   Friday, January 01, 2021 00:00:00
   Friday, January 01, 2021 00:00:00
[DHCP IP: xxx.xxx.xxx.xxx] to MAC address - RA:ND:OM:MA:CA:DD - 5 - times
   Friday, January 01, 2021 00:00:00
   Friday, January 01, 2021 00:00:00
   Friday, January 01, 2021 00:00:00
   Friday, January 01, 2021 00:00:00
   Friday, January 01, 2021 00:00:00
--- Truncated - Last 5 shown ---

==========================================================
DoS Attack
==========================================================

[DoS Attack:] From source - xxx.xxx.xxx.xxx - to port - 5223 - 4 - occurences
   ACK Scan --- Friday, January 01, 2021 00:00:00
   ACK Scan --- Friday, January 01, 2021 00:00:00
   ACK Scan --- Friday, January 01, 2021 00:00:00
   ACK Scan --- Friday, January 01, 2021 00:00:00
[DoS Attack:] From source - xxx.xxx.xxx.xxx - to port - 443 - 2 - occurences
   ACK Scan --- Friday, January 01, 2021 00:00:00
   ACK Scan --- Friday, January 01, 2021 00:00:00

==========================================================
Initialized, firmware
==========================================================

   [Initialized, firmware version: V1.0.2.89SF] Friday, January 01, 2021 00:00:00

How to use

- Save the attached text file and change the extension to .sh
- Save it somewhere on the router
- Include it in the /etc/email/email_log by using source. Eg: source /path/to/script.sh
- Change this line in /etc/email/email_log to call the function from the script
Code:
sed -n '1! G;$p;h' $LOG_FILE | sed -n '1,256 p'
to
Code:
print_modified_log

Autorun Sed commands

If you are using a USB, add these commands to the autorun file located at /mnt/sda1/autorun/scripts/post-mount.sh to automatically make the changes. They will replace the "sed" line and add the "source" command to the Line#2 of the "email_log" file

Code:
sed -i 's/sed -n .1! G;$p;h. $LOG_FILE | sed -n .1,256 p./print_modified_log/g' /etc/email/email_log
sed -i '1 a source /mnt/sda1/custom_logs.sh' /etc/email/email_log

EDIT: The second autorun line had an error. Updated

5th December 2021 - Fixed bugs in script. Updated
18th December 2021 - Fixed more bugs with DOS Attack Section in script.
 

Attachments

  • print_modified_log.txt
    2.7 KB
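The summarisation and flagging rules listed in this post, as an added example; this is not the attached print_modified_log.txt, and the names `sample_log` and `summarize_log` are this example's own. It assumes the line formats shown in this thread and a log that is oldest-first on disk (which is what email_log's reverse assumes). A lease IP seen with more than one MAC is marked [DUPLICATE], a DoS source seen against more than one port is marked [MULTIPORT], and each group shows at most SHOW timestamps, newest first. The sample lines are constructed (RFC 5737 addresses) so that both flags fire.

```shell
#!/bin/sh
# Added example, not the script attached to the thread: a POSIX awk
# summariser for the DHCP and DoS message types, with the [DUPLICATE]
# and [MULTIPORT] flags the post describes. Runs on busybox awk.

# Constructed sample input, oldest line first: one IP leased to two MACs,
# one source hitting two ports, one line of another type.
sample_log() {
cat <<'EOF'
[DoS Attack: ACK Scan] from source: 198.51.100.8, port 5223, Friday, January 01, 2021 00:00:01
[DHCP IP: 192.0.2.10] to MAC address 00:11:22:33:44:55, Friday, January 01, 2021 00:00:02
[DoS Attack: ACK Scan] from source: 198.51.100.8, port 5223, Friday, January 01, 2021 00:00:03
[DHCP IP: 192.0.2.10] to MAC address 00:11:22:33:44:55, Friday, January 01, 2021 00:00:04
[DoS Attack: SYN/ACK Scan] from source: 198.51.100.8, port 443, Friday, January 01, 2021 00:00:05
[DHCP IP: 192.0.2.10] to MAC address 66:77:88:99:AA:BB, Friday, January 01, 2021 00:00:06
[DoS Attack: ACK Scan] from source: 203.0.113.5, port 80, Friday, January 01, 2021 00:00:07
[Time synchronized with NTP server] Friday, January 01, 2021 00:00:08
EOF
}

# summarize_log FILE [MAXLINES] [SHOW]
# Groups leases per IP/MAC pair and DoS events per source/port pair,
# newest first, printing at most SHOW (default 5) timestamps per group.
summarize_log() {
    tail -n "${2:-256}" "$1" | sed -n '1!G;$p;h' | awk -v show="${3:-5}" '
    function banner(t) { print "=========================================================="; print t; print "=========================================================="; print "" }
    /^\[DHCP IP: / {
        ip = $3;  sub(/]$/, "", ip)          # "192.0.2.10]" -> "192.0.2.10"
        mac = $7; sub(/,$/, "", mac)         # "00:11:..:55," -> "00:11:..:55"
        ts = $0;  sub(/^[^,]*, /, "", ts)    # everything after the MAC comma
        key = ip " " mac
        if (!(key in dcount)) dorder[++nd] = key
        dts[key, ++dcount[key]] = ts
        if (!((ip, mac) in dseen)) { dseen[ip, mac] = 1; nmac[ip]++ }
        next
    }
    /^\[DoS Attack: / {
        kind = $0; sub(/^\[DoS Attack: /, "", kind); sub(/].*$/, "", kind)
        src = $0;  sub(/^.*from source: /, "", src); sub(/,.*$/, "", src)
        port = $0; sub(/^.*port /, "", port);        sub(/,.*$/, "", port)
        ts = $0;   sub(/^.*port [0-9]+, /, "", ts)
        key = src " " port
        if (!(key in ocount)) oorder[++no] = key
        ots[key, ++ocount[key]] = kind " --- " ts
        if (!((src, port) in oseen)) { oseen[src, port] = 1; nport[src]++ }
        next
    }
    { other[++nother] = $0 }                 # anything else is kept, not dropped
    END {
        banner("DHCP IP")
        for (i = 1; i <= nd; i++) {
            key = dorder[i]; split(key, p, " ")
            flag = (nmac[p[1]] > 1) ? " [DUPLICATE]" : ""
            printf "[DHCP IP: %s] to MAC address - %s - %d - times%s\n", p[1], p[2], dcount[key], flag
            for (j = 1; j <= dcount[key] && j <= show; j++) print "   " dts[key, j]
            if (dcount[key] > show) print "--- Truncated - Last " show " shown ---"
        }
        print ""
        banner("DoS Attack")
        for (i = 1; i <= no; i++) {
            key = oorder[i]; split(key, p, " ")
            flag = (nport[p[1]] > 1) ? " [MULTIPORT]" : ""
            printf "[DoS Attack:] From source - %s - to port - %s - %d - occurrences%s\n", p[1], p[2], ocount[key], flag
            for (j = 1; j <= ocount[key] && j <= show; j++) print "   " ots[key, j]
            if (ocount[key] > show) print "--- Truncated - Last " show " shown ---"
        }
        if (nother) { print ""; banner("Other"); for (i = 1; i <= nother; i++) print "   " other[i] }
    }'
}
```

The per-source port count is what makes [MULTIPORT] a useful signal: a single source probing several ports looks like a scan, whereas repeated hits on one port are usually a service's own retransmissions, so the two cases are worth separating before deciding whether a log mail needs attention.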