Sending alerts from a FortiGate device is similar to doing it from a vCenter Server Appliance. Once we know the content of an email alert we can start to process it to meet our needs. The following is an example alert from my company’s FortiGate device.
An internal VM running Sendmail is used as the email server. Configuring Sendmail to relay messages and similar tasks is beyond the scope of this article, so it is not covered here.
As before, add an entry to the aliases file that pipes the email to a script. The following is my script, with minor changes from the vCenter version.
#!/bin/bash
# Sendmail pipes the whole message to stdin; $1 (set in the aliases entry) names the device.
# HEADER keeps literal \n sequences, which become newlines once Discord parses the JSON.
HEADER="\\n\\n**$1 Alert:** \\n\\n"
TIMESTAMP=$(date +%Y-%m%d-%H%M.%S)
FILE="/dev/shm/mail-${TIMESTAMP}"
# The webhook URLs are secrets: keep this file readable only by the user Sendmail runs the alias as.
INFO_WEBHOOK_URL=https://discord.com/api/webhooks/12451972305586XXXXX/23XpFdftwGOwrGy5RLNcbjDTrN7eT2URuyjtortrNZ8WTqPe8F8CH_NJ7cNLCXXX-XXX
STATS_WEBHOOK_URL=https://discord.com/api/webhooks/12452121972615XXXXX/ht4ZiRUEFYbgQ4YDU9mUl1rtcdLsNGVFB95XW_UKIICd5Xppf-QvwzlMEqn-rMcXXXXX
### The following processes the mail stream and redirects to the named file ###
cat > "$FILE"
# RS="" makes awk treat blank-line-separated paragraphs as records; NR>1 skips the header block,
# and each body paragraph is written to its own /dev/shm/info_NN file.
awk 'BEGIN { RS="" } NR>1 {F=sprintf("/dev/shm/info_%02d", NR) ; print > F ; close(F) }' "$FILE"
send_discord() {
  for i in /dev/shm/info_*
  do
    [ -e "$i" ] || continue
    # Escape backslashes first, then double quotes, so the mail body cannot break out of the
    # JSON string; then turn real newlines into literal \n and join the paragraph into one line.
    MSG=$(sed 's/\\/\\\\/g; s/"/\\"/g' "$i" | sed 's/$/\\n/' | tr -d '\n')
    MSG="${HEADER}${MSG}"
    curl -H "Content-Type: application/json" -d "{\"content\": \"$MSG\"}" "$1"
  done
  rm -f /dev/shm/info_*
}
# Route intrusion alerts to one channel and everything else to the stats channel
if grep -q intrusion "$FILE"
then
  send_discord "$INFO_WEBHOOK_URL"
else
  send_discord "$STATS_WEBHOOK_URL"
fi
rm -f "$FILE"
After the script is ready and set to executable, it should work as expected. The following screenshot shows a Discord message from another email alert.
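The same alias handler written in Python, as an added example that is not the author's script: the email module separates headers from body, json.dumps does the escaping that the sed-based approach only partly does (quotes, backslashes, control characters), and long paragraphs are split at Discord's 2000-character content limit. The webhook URLs and the sample mail are constructed placeholders.

```python
import json
import urllib.request
from email import message_from_string
from email.policy import default

# Placeholder URLs (assumption): in practice keep them in the environment, not in the script.
INFO_WEBHOOK_URL = "https://discord.com/api/webhooks/<info-id>/<info-token>"
STATS_WEBHOOK_URL = "https://discord.com/api/webhooks/<stats-id>/<stats-token>"
DISCORD_LIMIT = 2000  # Discord rejects "content" longer than 2000 characters

def split_paragraphs(raw_mail):
    """Parse the piped message; return its text body as blank-line-separated paragraphs."""
    body = message_from_string(raw_mail, policy=default).get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return [p.strip() for p in text.split("\n\n") if p.strip()]

def pick_webhook(raw_mail):
    """Same routing rule as the shell script: intrusion alerts go to the info channel."""
    return INFO_WEBHOOK_URL if "intrusion" in raw_mail else STATS_WEBHOOK_URL

def build_messages(device, raw_mail):
    """Return (url, content) pairs, one per paragraph, split at Discord's length limit."""
    url, header = pick_webhook(raw_mail), f"**{device} Alert:**\n\n"
    messages = []
    for para in split_paragraphs(raw_mail):
        text = header + para
        messages += [(url, text[i:i + DISCORD_LIMIT]) for i in range(0, len(text), DISCORD_LIMIT)]
    return messages

def to_json(content):
    """json.dumps escapes quotes, backslashes and control characters in the mail text."""
    return json.dumps({"content": content})

def post(url, content):
    """Deliver one message to the webhook and return the HTTP status."""
    req = urllib.request.Request(url, data=to_json(content).encode("utf-8"),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

# Constructed sample alert: the quote and backslash would break the naive sed escaping.
SAMPLE_MAIL = """\
From: fortigate@example.invalid
Subject: FortiGate alert
Content-Type: text/plain; charset=us-ascii

Message meets alert condition

attack: "intrusion test\\signature"
action: detected
"""
```

Wired to the aliases entry, the script reads sys.stdin.read() and calls post() for each pair returned by build_messages().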
A sample Discord alert sent from FortiGate.
The script to send to Telegram is similar and you should be able to write your own script too.
The following is a sample screenshot of a Telegram alert from an F5 BIG-IP, which will be covered in a later post.
I didn’t notice there was a remaining bar from the screen capture utility. This should not affect the usefulness of the example.
I’ll talk about how to do the same from an F5 BIG-IP, which is somewhat different from the previous two devices, in a future post.