How to use Execute Commands to send event information to text file (Linux) for SCSP 5.2.9 and DCS 6.0

Article ID: 181861

Products

Critical System Protection Data Center Security Server Advanced

Resolution

How to use Execute Commands to send event information to text file (Linux).

 

This article outlines how to use an IDS policy's Execute Command to write specific event variables to a text file when a monitored file is modified.

 

First start by creating a custom rule with the category File Watch (fig1).

 

 (fig1)

 

Fill out the following information; these options can be anything you choose (fig2).

(fig2)

 

Make any additional modifications the rule needs for your environment (fig3).

(fig3)

Now, to get the event variables into a text file, start by creating a .sh (shell script) that writes its arguments to a text file (fig4).

 

e.g.

#!/bin/bash
# Append every argument the agent passes in (the event variables) as one line.
# The target directory must already exist; only the file is created on demand.
/bin/echo "$*" >> /temp/text1.txt

(fig4)

 

Add the shell script to the commands.txt located in the /opt/Symantec/scspagent/IDS/system directory (fig5).

(fig5)

 

Write the command to be executed in the policy (/tmp/test.sh {Event Date} {File Name}) (fig6).

(fig6)

You can choose from {File Name}, {Process ID}, {User Name}, {Session ID}, {Agent Label}, {Computer Name}, {Event Date}, etc. to be written to the file of your choice. If the file does not exist, it will be created.
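As an added example (not the article's own script), a fuller version of the Execute Command target: it writes each event variable the policy passes as its own tab-separated field, so a file name containing spaces is not split apart, creates the log directory if missing, and creates the log with owner-only permissions because the records contain user names and file paths. The log path, the field order and the environment variable are assumptions.

```shell
#!/bin/bash
# Added example: an Execute Command target registered in commands.txt and
# invoked from the policy as, for instance,
#   /tmp/test.sh {Event Date} {File Name} {User Name} {Process ID}
# Log path and field order are assumptions, not part of the article.

LOG_FILE="${SCSP_EVENT_LOG:-/tmp/scsp_events.txt}"

# Append one record to the log file given as $1; the remaining arguments are
# the event variables in the order they appear in the policy command string.
# Returns 0 on success, non-zero if the record could not be written.
write_event_record() {
    local out="$1"
    shift
    local dir
    dir=$(dirname -- "$out")
    [ -d "$dir" ] || mkdir -p -- "$dir" || return 1
    # First write creates the file with mode 0600 so it is not world-readable.
    if [ ! -e "$out" ]; then
        ( umask 077 && : > "$out" ) || return 1
    fi
    local tab record arg
    tab=$(printf '\t')
    record=$(date -u +%Y-%m-%dT%H:%M:%SZ)   # time the script ran, in UTC
    for arg in "$@"; do
        # Flatten embedded newlines/tabs so one event always stays on one line.
        arg=$(printf '%s' "$arg" | tr '\n\t' '  ')
        record="${record}${tab}${arg}"
    done
    printf '%s\n' "$record" >> "$out"
}

# Number of records in a log file; handy for confirming the rule is firing.
count_event_records() {
    if [ -f "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}

# When the agent runs this script it passes the event variables as arguments.
if [ "$#" -gt 0 ]; then
    write_event_record "$LOG_FILE" "$@"
fi
```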