How to use Execute Commands to send event information to text file.

Use PowerShell as the command and use the pipe function to send it to a test file.

This article will outline how to send information based on an IDS policy to send specific variables to a text file if a monitored file is modified.

First start by creating a custom rule with the category File Watch (fig1).

(fig1)

You will need to fill out the following information these options can be anything you chose (fig2).

(fig2)

Please make additional modifications as needed depending on your needs (fig3).

(fig3)

To get the desired variables to be written (piped) to a text file please add (powershell echo / {File Name} >> C:\WSM\text1.txt) the to the Execute Command option (fig4).

Powershell is the command, Echo gathers the variables and > pipes the variables to the desired file and the second > appends the file.

(fig4)

You can choose from {File Name} {Process ID} {User Name} {Session ID} {Agent Label} {Computer Name} {Event Date} etc. to be written to the files of your choice. If the file does not exist then it will be created.

Last step is to add the powershell command to the commands.txt file located in the “C:\Program Files (x86)\Symantec\Critical System Protection\Agent\IDS\system” directory (fig5).

 (fig5)

If you are using older versions of Windows e.g. 2003,XP you will need to install PowerShell.