Distributing Files to Agent Computers
You can use the file distribution mechanism in InTrust rules to copy files to agent computers. Take the following steps:
- Create a site that includes the computers you need.
- In Configuration | Advanced | Scripts, create a script object that defines the OnInstall and OnUninstall functions. Example:
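function OnInstall()
{
    var objEnv = new ADCEnvironment();
    // Staging folder where distributed files arrive on the agent
    var srcpath = objEnv.ExpandEnvironmentString("%ADC_INSTALL_PATH%\\data\\dda\\%adc_org_id%");
    var destpath = "<where_to_put_the_file>";
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    // Third argument 1 (true): overwrite an existing file at the destination
    fso.CopyFile(srcpath+"\\<file_name>",destpath+"\\<file_name>",1);
}
function OnUnInstall()
{
}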
The <file_name> placeholder stands for the name of the file you want to distribute. All distributed files first arrive in the %ADC_INSTALL_PATH%\data\dda\%adc_org_id% folder, where:
- %ADC_INSTALL_PATH% is a local environment variable storing the agent installation folder
- %adc_org_id% is an InTrust organization parameter specifying the ID of the current InTrust organization
- In InTrust Manager, go to Configuration | Advanced | Distributable Files and add the file you need to distribute. In the properties of the file object, select the Run this script upon module delivery to the agent side option, and select the script from the previous step.
- Create a rule based on any Windows log data source, and add to it the file from the previous step as a distributable module. Enable the rule.
- Create a real-time monitoring policy that applies your rule to the computers you want to copy the file to. Activate the policy.
You can adapt this procedure to your specific needs: for example, add actions besides file copying or parameterize the file destination path, and so on.
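One way to make such an adaptation, shown as an added example that is not part of the InTrust documentation or product code: the copy is parameterized, checked before it runs, and reversible. The helper names (installFile, uninstallFile, isPlainFileName, agentLog), the ".bak" suffix and the use of OnUnInstall for cleanup are assumptions; Trace(40, ...) is borrowed from the case study script below.

```javascript
// Added example. Core logic takes env/fso/log as arguments so it can be tested off-agent.
var STAGING = "%ADC_INSTALL_PATH%\\data\\dda\\%adc_org_id%"; // staging folder from the page

// Accept only a bare file name: no separators, drive colons or wildcards.
function isPlainFileName(name) {
    return typeof name === "string" && name.length > 0 &&
        name !== "." && name !== ".." && !/[\\\/:*?"<>|]/.test(name);
}

function installFile(env, fso, log, fileName, destTemplate) {
    if (!isPlainFileName(fileName)) { log("Rejected file name: " + fileName); return false; }
    var src = env.ExpandEnvironmentString(STAGING) + "\\" + fileName;
    var destDir = env.ExpandEnvironmentString(destTemplate);
    var dest = destDir + "\\" + fileName;
    if (!fso.FileExists(src)) { log("Source not delivered: " + src); return false; }
    if (!fso.FolderExists(destDir)) { log("No such folder: " + destDir); return false; }
    // Back up the file being replaced, but never overwrite an earlier backup.
    if (fso.FileExists(dest) && !fso.FileExists(dest + ".bak")) {
        fso.CopyFile(dest, dest + ".bak", true);
    }
    fso.CopyFile(src, dest, true);
    log("Copied " + src + " to " + dest);
    return true;
}

function uninstallFile(env, fso, log, fileName, destTemplate) {
    if (!isPlainFileName(fileName)) { return false; }
    var dest = env.ExpandEnvironmentString(destTemplate) + "\\" + fileName;
    if (fso.FileExists(dest)) { fso.DeleteFile(dest, true); }
    if (fso.FileExists(dest + ".bak")) {   // put the pre-distribution file back
        fso.CopyFile(dest + ".bak", dest, true);
        fso.DeleteFile(dest + ".bak", true);
        log("Restored " + dest);
    }
    return true;
}

// Agent entry points (names as on the page); fill in the two placeholders.
var FILE_NAME = "<file_name>";
var DEST_DIR = "<where_to_put_the_file>";
function agentLog(msg) { Trace(40, msg); }
function OnInstall() {
    installFile(new ADCEnvironment(), new ActiveXObject("Scripting.FileSystemObject"),
        agentLog, FILE_NAME, DEST_DIR);
}
function OnUnInstall() {
    uninstallFile(new ADCEnvironment(), new ActiveXObject("Scripting.FileSystemObject"),
        agentLog, FILE_NAME, DEST_DIR);
}
```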
Case Study: Enabling Tracing on Multiple Computers
Objective
Automatically enable tracing on specific computers.
Solution
Distribute the adctracer.ini file (see InTrust Server Tracing), which has been edited to enable tracing.
Details
This procedure is based on the generic steps described above, so refer to them for more information.
- Make a copy of an existing adctracer.ini file, and edit the parameters in it as necessary.
- Create a site with the computers you need.
- Create a script object with the following code:
function OnInstall()
{
    var objEnv = new ADCEnvironment();
    // The GUID takes the place of %adc_org_id%, the ID of the InTrust organization
    var srcpath = objEnv.ExpandEnvironmentString("%ADC_INSTALL_PATH%\\data\\dda\\{42D329C8-7150-485B-90F1-8FA1D224A767}");
    Trace(40, "Source Path: " + srcpath);
    // The file is copied to the agent installation folder
    var destpath = objEnv.ExpandEnvironmentString("%ADC_INSTALL_PATH%");
    Trace(40, "Destination Path: " + destpath);
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    Trace(40, "Copying " + srcpath+"\\adctracer.ini"+" to "+destpath+"\\adctracer.ini");
    // Third argument 1 (true): overwrite an existing adctracer.ini
    fso.CopyFile(srcpath+"\\adctracer.ini",destpath+"\\adctracer.ini",1);
}
function OnUnInstall()
{
}
- Add your copy of adctracer.ini as a distributable file, and associate your script with it.
- Create and enable a rule that provides the file.
- Create and activate a real-time monitoring policy that specifies the computers you need.
How to...
Work with Data Sources
Data sources are InTrust's representations of the event logs it works with. One of the InTrust data source types is the Script Event Provider.
This data source is actually a scripting component that InTrust executes periodically for auditing and real-time monitoring purposes. Scripts are meant to return one or more event records with filled-in fields. However, the initial information that the scripts get does not exist in event format.
The format your script works with is up to you. For example, the script can analyze text files.
Creating a Data Source
If you want to create your custom data source from scratch, InTrust provides two starting points for convenience, depending on what you want the data source to do:
- Analyze text logs or other text files
- Perform arbitrary tasks that go beyond text file analysis
Text Log Data Sources
File-processing scripts are state-based. Such a script checks whether a file is present, or periodically parses a file and reconstructs events from the file changes it detects.
One of the data source types is the general-purpose custom text log data source. It is implemented as a script that processes specified files for auditing purposes.
You cannot specify the desired script directly. You must first create an outline for the data source in either Basic or Advanced mode. For more information about text log data source creation modes, see Auditing Custom Logs.
Data sources completed in Raw mode give you the advantage of easy flow control. Unlike Advanced mode, you do not have to rely on consecutive regular expressions and their order. You can introduce conditional jumps and eliminate regular expressions altogether. This makes Raw mode more suitable for many situations, including markup parsing.
Automatic data source creation gives you a starting point and spares you the effort of outlining the script structure manually. After you have created the initial data source, do the following:
- Open the properties of the data source.
- On the Settings tab, click Convert to and select Raw.
- Edit the resulting script using the code editor.
Custom Scripted Data Sources
Custom data sources are defined in ECMAScript and processed by InTrust agents.
To create a scripted data source
- Expand the Configuration node in the InTrust Manager snap-in.
- Right-click Data Sources and select New Data Source to start the New Data Source wizard.
- Select the Script Event Provider type and complete the wizard.
NOTE: One of the settings you can change in the wizard is the choice of scripting language. The option has no effect in this case, and the code you supply is always treated as ECMAScript. This is a known InTrust Manager issue that will be fixed later.
The wizard prompts you for the following information:
- The script code
Supply a script that does the work you need.
- How often the script executes
Frequent launches are suitable for real-time monitoring uses. For data collection, the script does not have to run very frequently.
- Script parameters
Parameters are values that can be set externally without modifying the script. They are set in the user interface, and the values are stored in script variables. Script parameters are meant for easy access to the script's configurable portions.