
InTrust 11.3.1 - Customization Kit

Distributing Files to Agent Computers

You can use the file distribution mechanism in InTrust rules to copy files to agent computers. Take the following steps:

  1. Create a site that includes the computers you need.
  2. In Configuration | Advanced | Scripts, create a script object that defines the OnInstall and OnUninstall functions. Example:
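    function OnInstall()
    {
        // Distributed files first arrive in this folder
        var objEnv = new ADCEnvironment();
        var srcpath = objEnv.ExpandEnvironmentString("%ADC_INSTALL_PATH%\\data\\dda\\%adc_org_id%");
        var destpath = "<where_to_put_the_file>";
        var fso = new ActiveXObject("Scripting.FileSystemObject");
        // Third argument: overwrite an existing file at the destination
        fso.CopyFile(srcpath+"\\<file_name>",destpath+"\\<file_name>",1);
    }
    function OnUnInstall()
    {
    }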
    The <file_name> placeholder stands for the name of the file you want to distribute. All distributed files first arrive in the %ADC_INSTALL_PATH%\data\dda\%adc_org_id% folder, where:
    • %ADC_INSTALL_PATH% is a local environment variable storing the agent installation folder
    • %adc_org_id% is an InTrust organization parameter specifying the ID of the current InTrust organization
  3. In InTrust Manager, go to Configuration | Advanced | Distributable Files and add the file you need to distribute. In the properties of the file object, select the Run this script upon module delivery to the agent side option, and select the script from the previous step.
  4. Create a rule based on any Windows log data source, and add to it the file from the previous step as a distributable module. Enable the rule.
  5. Create a real-time monitoring policy that applies your rule to the computers you want to copy the file to. Activate the policy.

You can adapt this procedure to your specific needs: for example, add actions besides file copying or parameterize the file destination path, and so on.
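
One way to adapt the script, as an added example that is not part of the InTrust documentation: it checks that the delivered file and the destination folder exist, saves the file it replaces on first delivery, and restores that file in OnUnInstall. FILE_NAME, DEST_DIR, the .orig and .installed suffixes and the helper functions are assumptions; the helpers take their objects as arguments so the logic can be run outside the agent.

```javascript
// Added example, not InTrust product code. ADCEnvironment, ExpandEnvironmentString, Trace and
// Scripting.FileSystemObject are used as in the page's script; everything else is assumed.
var FILE_NAME = "example.ini";        // assumption: name of the distributed file
var DEST_DIR = "%ADC_INSTALL_PATH%";  // assumption: destination folder

function paths(env, fileName, destDir) {
    var folder = env.ExpandEnvironmentString(destDir);
    var stage = env.ExpandEnvironmentString("%ADC_INSTALL_PATH%\\data\\dda\\%adc_org_id%");
    return { src: stage + "\\" + fileName, folder: folder, dest: folder + "\\" + fileName,
             backup: folder + "\\" + fileName + ".orig",         // copy of the replaced file
             marker: folder + "\\" + fileName + ".installed" };  // created by the first delivery
}

// Copy the delivered file into place; the first delivery saves whatever it replaces.
function installFile(env, fso, trace, fileName, destDir) {
    var p = paths(env, fileName, destDir);
    if (!fso.FileExists(p.src)) { trace(40, "Source missing: " + p.src); return "no-source"; }
    if (!fso.FolderExists(p.folder)) { trace(40, "Destination missing: " + p.folder); return "no-destination"; }
    if (!fso.FileExists(p.marker)) {
        if (fso.FileExists(p.dest)) { fso.CopyFile(p.dest, p.backup, true); trace(40, "Saved " + p.backup); }
        fso.CreateTextFile(p.marker, true).Close();
    }
    fso.CopyFile(p.src, p.dest, true);
    trace(40, "Copied " + p.src + " to " + p.dest);
    return "copied";
}

// Undo installFile: restore the saved file, or delete the delivered one if nothing was replaced.
function uninstallFile(env, fso, trace, fileName, destDir) {
    var p = paths(env, fileName, destDir), result = "removed";
    if (!fso.FileExists(p.marker)) { return "not-installed"; }
    if (fso.FileExists(p.backup)) {
        fso.CopyFile(p.backup, p.dest, true);
        fso.DeleteFile(p.backup, true);
        result = "restored";
    } else if (fso.FileExists(p.dest)) { fso.DeleteFile(p.dest, true); }
    fso.DeleteFile(p.marker, true);
    trace(40, "Uninstall of " + p.dest + ": " + result);
    return result;
}

function agentTrace(level, text) { Trace(level, text); }  // wrapper around the host function
function OnInstall() {
    installFile(new ADCEnvironment(), new ActiveXObject("Scripting.FileSystemObject"), agentTrace, FILE_NAME, DEST_DIR);
}
function OnUnInstall() {
    uninstallFile(new ADCEnvironment(), new ActiveXObject("Scripting.FileSystemObject"), agentTrace, FILE_NAME, DEST_DIR);
}
```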

Case Study: Enabling Tracing on Multiple Computers

Objective

Automatically enable tracing on specific computers.

Solution

Distribute the adctracer.ini file (see InTrust Server Tracing), which has been edited to enable tracing.

Details

This procedure is based on the generic steps described above, so refer to them for more information.

  1. Make a copy of an existing adctracer.ini file, and edit the parameters in it as necessary.
  2. Create a site with the computers you need.
  3. Create a script object with the following code:
    function OnInstall()
    {
        var objEnv = new ADCEnvironment();
        // Delivery folder; the GUID stands where the generic script has %adc_org_id%
        var srcpath = objEnv.ExpandEnvironmentString("%ADC_INSTALL_PATH%\\data\\dda\\{42D329C8-7150-485B-90F1-8FA1D224A767}");
        Trace(40, "Source Path: " + srcpath);
        // adctracer.ini is copied to the agent installation folder
        var destpath = objEnv.ExpandEnvironmentString("%ADC_INSTALL_PATH%");
        Trace(40, "Destination Path: " + destpath);
        var fso = new ActiveXObject("Scripting.FileSystemObject");
        Trace(40, "Copying " + srcpath+"\\adctracer.ini"+" to "+destpath+"\\adctracer.ini");
        // Third argument: overwrite the existing adctracer.ini
        fso.CopyFile(srcpath+"\\adctracer.ini",destpath+"\\adctracer.ini",1);
    }
    function OnUnInstall()
    {
    }
  4. Add your copy of adctracer.ini as a distributable file, and associate your script with it.
  5. Create and enable a rule that provides the file.
  6. Create and activate a real-time monitoring policy that specifies the computers you need.

How to...

Work with Data Sources

Data sources are InTrust's representations of the event logs it works with. One of the InTrust data source types is the Script Event Provider.

This data source is actually a scripting component that InTrust executes periodically for auditing and real-time monitoring purposes. Scripts are meant to return one or more event records with filled-in fields. However, the initial information that the scripts get does not exist in event format.

The format your script works with is up to you. For example, the script can analyze text files.

Topics

See the following topics for details:

Creating a Data Source

If you want to create your custom data source from scratch, InTrust provides two starting points for convenience, depending on what you want the data source to do:

  • Analyze text logs or other text files

  • Perform arbitrary tasks that go beyond text file analysis

Text Log Data Sources

File-processing scripts are state-based. Such a script checks whether a file is present, or periodically parses a file and reconstructs events from the file changes it detects.

One of the data source types is the general-purpose custom text log data source. It is implemented as a script that processes specified files for auditing purposes.

You cannot specify the desired script directly. You must first create an outline for the data source in either Basic or Advanced mode. For more information about text log data source creation modes, see Auditing Custom Logs.

Data sources completed in Raw mode give you the advantage of easy flow control. Unlike Advanced mode, you do not have to rely on consecutive regular expressions and their order. You can introduce conditional jumps and eliminate regular expressions altogether. This makes Raw mode more suitable for many situations, including markup parsing.

Automatic data source creation gives you a starting point and spares you the effort of outlining the script structure manually. After you have created the initial data source, do the following:

  1. Open the properties of the data source.

  2. On the Settings tab, click Convert to and select Raw.

  3. Edit the resulting script using the code editor.
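
The state-based processing described in this section, as an added example that is not InTrust code and does not use the InTrust event API (which this page does not show): each pass reads only what was appended since the previous pass and parses it with plain conditionals instead of regular expressions. The log layout, the field names and the state object are assumptions.

```javascript
// Added example, not InTrust product code. Assumed log layout, one event per line:
//   <date> <time> <LEVEL> <message>
// The file content is passed in as a string so the logic runs without file access.

// Split a line on its first three spaces; returns null for anything that is not an event line.
function parseLine(line) {
    var parts = [], rest = line, i, cut;
    for (i = 0; i < 3; i++) {
        cut = rest.indexOf(" ");
        if (cut <= 0) { return null; }  // too few fields
        parts.push(rest.substring(0, cut));
        rest = rest.substring(cut + 1);
    }
    if (parts[2] !== "INFO" && parts[2] !== "WARN" && parts[2] !== "ERROR") { return null; }
    return { time: parts[0] + " " + parts[1], level: parts[2], message: rest };
}

// One polling pass. state.offset is how much of the file earlier passes consumed;
// state.skipped counts non-empty lines that could not be parsed, so they are not lost silently.
function collectNewEvents(state, content) {
    var events = [], start, end, line, ev;
    // A file shorter than the stored offset was truncated or rotated: read it from the top.
    // (A rotated file that has already grown past the old offset is not caught by this check.)
    if (content.length < state.offset) { state.offset = 0; }
    start = state.offset;
    while ((end = content.indexOf("\n", start)) !== -1) {
        line = content.substring(start, end).replace("\r", "");
        start = end + 1;
        ev = parseLine(line);
        if (ev) { events.push(ev); }
        else if (line !== "") { state.skipped++; }
    }
    state.offset = start;  // an unterminated last line stays unread until it is complete
    return events;
}
```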

Custom Scripted Data Sources

InTrust requires the functionality of the Windows Script Host (WSH) object model on all computers that it monitors. If Windows Script Host is installed on a monitored computer, its objects can be used by InTrust.

If WSH is not installed (for example, on a Linux computer), then the scripting component can provide basic WSH functionality (available through ECMAScript) and ensure that InTrust scripts have access to the necessary objects.

The object model is defined by the scripting language you select in the properties of the data source.

To create a scripted data source

  1. Expand the Configuration node in the InTrust Manager snap-in.

  2. Right-click Data Sources and select New Data Source to start the New Data Source wizard.

  3. Select the Script Event Provider type and complete the wizard.

The wizard prompts you for the following information:

  • Scripting language
    You can write your script in JScript, VBScript or ECMAScript. The choice of language is up to you and should depend on the platform and available objects. You can use JScript or VBScript if the script is going to work on Windows computers. However, if the data source represents a log on a platform such as Linux, you should use ECMAScript, which is a cross-platform language.

  • The script itself
    Supply a script that meets the requirements described earlier.

  • How often the script executes
    Frequent launches are suitable for real-time monitoring uses. For data collection, the script does not have to run very frequently.

  • Script parameters
    Parameters are values that can be set externally without modifying the script. They are set in the user interface, and the values are stored in script variables. Script parameters are meant for easy access to the script's configurable portions.
