Categorizing messages in Netgear Log Emails


nitant

Occasional Visitor
I have an R7800 and was wondering if it would be possible to modify the script that sends out the log messages via email. It currently just dumps them like

Code:
[Time synchronized with NTP server] Tuesday, January 05, 2021 22:48:44
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 22:44:08
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 22:43:50
[DoS Attack: ACK Scan] from source: x.x.x.x, port 20025, Tuesday, January 05, 2021 22:28:17
[DoS Attack: ACK Scan] from source: x.x.x.x, port 25565, Tuesday, January 05, 2021 22:11:53
[LAN access from remote] from x.x.x.x:59222 to x.x.x.x:32400, Tuesday, January 05, 2021 22:00:34
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 80, Tuesday, January 05, 2021 21:50:37
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 21:45:54
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 80, Tuesday, January 05, 2021 21:19:10
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 21:01:59
[DoS Attack: ACK Scan] from source: x.x.x.x, port 5223, Tuesday, January 05, 2021 20:56:32
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 443, Tuesday, January 05, 2021 20:55:17
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 55555, Tuesday, January 05, 2021 20:34:58
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 20:30:38
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 443, Tuesday, January 05, 2021 19:30:53
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 19:27:46

I want to make them be split into categories like so

Code:
NTP
[Time synchronized with NTP server] Tuesday, January 05, 2021 22:48:44

DHCP IP
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 22:44:08
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 22:43:50
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 21:45:54
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 21:01:59
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 20:30:38
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 19:27:46

DoS Attack
[DoS Attack: ACK Scan] from source: x.x.x.x, port 20025, Tuesday, January 05, 2021 22:28:17
[DoS Attack: ACK Scan] from source: x.x.x.x, port 25565, Tuesday, January 05, 2021 22:11:53
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 80, Tuesday, January 05, 2021 21:50:37
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 80, Tuesday, January 05, 2021 21:19:10
[DoS Attack: ACK Scan] from source: x.x.x.x, port 5223, Tuesday, January 05, 2021 20:56:32
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 443, Tuesday, January 05, 2021 20:55:17
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 55555, Tuesday, January 05, 2021 20:34:58
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 443, Tuesday, January 05, 2021 19:30:53

LAN access from remote
[LAN access from remote] from x.x.x.x:59222 to x.x.x.x:xxxx, Tuesday, January 05, 2021 22:00:34

What would be the way to do this? I assume I need to modify some CGI code or something
 

kamoj

Very Senior Member
You can simply modify: /etc/email/email_log for your needs?

kamoj

Very Senior Member
Now I'm home and can give you a simple example:
If you change this in /etc/email/email_log :
From:
Code:
sed -n '1! G;$p;h' $LOG_FILE | sed -n '1,256 p'
To:
Code:
tail -n256 "$LOG_FILE" | sed -n '1! G;$p;h' >/tmp/MAIL.lines
awk '{print $1" "$2}' /tmp/MAIL.lines | sort -u | sed '/^ *$/d' | while IFS= read -r line; do
   echo "$line" | tr -d "["
   grep -F "$line" /tmp/MAIL.lines && echo ""
done

then the output will be like:

Code:
DHCP IP:
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 22:44:08
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 22:43:50
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 21:45:54
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 21:01:59
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 20:30:38
[DHCP IP: x.x.x.x] to MAC address x:x:x:x:x:x, Tuesday, January 05, 2021 19:27:46

DoS Attack:
[DoS Attack: ACK Scan] from source: x.x.x.x, port 20025, Tuesday, January 05, 2021 22:28:17
[DoS Attack: ACK Scan] from source: x.x.x.x, port 25565, Tuesday, January 05, 2021 22:11:53
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 80, Tuesday, January 05, 2021 21:50:37
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 80, Tuesday, January 05, 2021 21:19:10
[DoS Attack: ACK Scan] from source: x.x.x.x, port 5223, Tuesday, January 05, 2021 20:56:32
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 443, Tuesday, January 05, 2021 20:55:17
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 55555, Tuesday, January 05, 2021 20:34:58
[DoS Attack: SYN/ACK Scan] from source: x.x.x.x, port 443, Tuesday, January 05, 2021 19:30:53

LAN access
[LAN access from remote] from x.x.x.x:59222 to x.x.x.x:32400, Tuesday, January 05, 2021 22:00:34

Time synchronized
[Time synchronized with NTP server] Tuesday, January 05, 2021 22:48:44
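As an added example (not code from the thread or from Netgear's email_log script), the same grouping as a stand-alone POSIX sh script that keys each line on the text before the colon inside the leading [...] tag rather than on the first two words, so "LAN access from remote" and "Time synchronized with NTP server" become whole headers; it also prints a count per category and a summary of the ports named in the DoS Attack lines. The log lines are constructed sample data using documentation-range addresses, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or Netgear's email_log): group log-email
# lines by the category inside the leading [...] tag and summarize them.

# Constructed sample in the router's log format (newest first)
SAMPLE_LOG='[Time synchronized with NTP server] Tuesday, January 05, 2021 22:48:44
[DHCP IP: 192.0.2.10] to MAC address 00:11:22:33:44:55, Tuesday, January 05, 2021 22:44:08
[DoS Attack: ACK Scan] from source: 198.51.100.7, port 20025, Tuesday, January 05, 2021 22:28:17
[LAN access from remote] from 203.0.113.5:59222 to 192.0.2.20:32400, Tuesday, January 05, 2021 22:00:34
[DoS Attack: SYN/ACK Scan] from source: 198.51.100.9, port 80, Tuesday, January 05, 2021 21:50:37
[DHCP IP: 192.0.2.11] to MAC address 00:11:22:33:44:66, Tuesday, January 05, 2021 21:45:54
[DoS Attack: SYN/ACK Scan] from source: 198.51.100.9, port 80, Tuesday, January 05, 2021 21:19:10'

# Print each category once, in order of first appearance, as "<category> (<count>)"
# followed by its lines and a blank line. Lines without a leading [...] tag are skipped.
categorize_log() {
    awk '
        /^\[[^]]*]/ {
            tag = substr($0, 2, index($0, "]") - 2)       # text inside [...]
            c = index(tag, ":")
            key = (c > 0) ? substr(tag, 1, c - 1) : tag   # "DHCP IP", "DoS Attack", ...
            if (!(key in count)) order[++n] = key
            count[key]++
            lines[key] = lines[key] $0 "\n"
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s (%d)\n%s\n", order[i], count[order[i]], lines[order[i]]
        }' "$1"
}

# Number of lines whose tag starts with the given category, e.g. "DoS Attack"
category_count() {
    grep -c "^\[$2[]:]" "$1"
}

# Ports named in DoS Attack lines as "<port> <hits>", most frequent first,
# so a scan concentrated on one exposed service stands out in the email
dos_port_summary() {
    grep '^\[DoS Attack' "$1" | sed -n 's/.*, port \([0-9]*\),.*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $2" "$1}'
}

TMP_LOG=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" >"$TMP_LOG"
categorize_log "$TMP_LOG"
echo "DoS Attack ports:"
dos_port_summary "$TMP_LOG"
```

On the router, point categorize_log at "$LOG_FILE" (after the tail/reverse step from the post above) in place of the constructed sample.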

nitant

Occasional Visitor
Wow! Thanks a ton! I'll give it a go

UPDATE: Just tried and the code above works perfect. Thanks again! My logs make sense now
 

nitant

Occasional Visitor
In case someone wants to have this change done automatically via the Autorun functionality, here are the commands for it

Bash:
sed -i 's@sed -n .1! G;$p;h. $LOG_FILE | sed -n .1,256 p.@tail -n256 "$LOG_FILE" | sed -n ℞1! G;$p;h℞ >/tmp/MAIL.lines\n℥℥℥awk ℞{print $1" "$2}℞ /tmp/MAIL.lines | sort -u | sed ℞/^ *$/d℞ | while IFS= read -r line; do\n℥℥℥℥echo "$line" | tr -d "["\n℥℥℥℥grep -F "$line" /tmp/MAIL.lines \&\& echo \""\n℥℥℥done@' /etc/email/email_log
sed -i "s/℞/'/g" /etc/email/email_log
sed -i "s/℥/$(printf '\t')/g" /etc/email/email_log

I had to split it into 3 commands for it to be done correctly. The first one will do the bulk of the work. The second command simply replaces ℞ with '. The third one replaces ℥ with TABs as the Netgear version of sed does not support the \t command


NOTE: Please modify the Autorun file via a GUI based editor. When trying to do it directly via SSH on the Router itself, both "nano" & "vi" were unable to correctly add/display the lines above.
 