BigFix fixlet to copy BigFix endpoint logs help :(

I need to create a fixlet that would copy BigFix endpoint logs to a network destination. The fixlet would have to copy the logs to the destination so that bf-logfile.log is saved as computername-date-bflogfile.log at the destination.

Any help would be appreciated.

To collect and manage logs using BigFix, you have a couple of options depending on your environment and use case:

  1. Use the Archive Feature:
  • Instruct BigFix to archive the logs via the relay system to the root server using the ‘archive now’ function.
  • Set up a process on the root server to gather these archived logs and transfer them to a network share.
  2. Directly Use a Network Share from the Endpoint:
  • Ensure the network share has appropriate permissions for access, keeping in mind this could increase security risks.
  • Remember, the BigFix agent operates under the system account, not a user account. So, if only users have access to the share, you’ll need to run the script as a user. This might be problematic unless the user has admin rights to access the BigFix client directory.

For my specific task, I collected logs no older than 14 days since I didn’t need everything. To avoid creating a separate folder for each computer, you can:

  • Set a single destination name.
  • Include both the Computer Name and Timestamp variables in the file names to differentiate them when copying to the destination path.

```
action uses wow64 redirection {not x64 of operating system}

// CName is substituted into the PowerShell script below: the logged-on user name if there is one, otherwise the $ComputerName variable
if {exists logged on user}
parameter "CName" = ""{(name of logged on user as string)}""
else
parameter "CName" = "$ComputerName"
endif

// Write the PowerShell script; inside createfile a literal opening brace is written as {{
delete __createfile
createfile until END_OF_FILE

$TimeStamp = Get-Date -f yyyyMMddhhmm
$source = "C:\ProgramData\App\XXX*.*"
$ComputerName = $env:computername

$Destination = "\\Servername\Sharename$\" + {parameter "CName"} + "\AppLogs\" + $ComputerName
New-Item -ItemType directory -Path $Destination -Force
Get-ChildItem -Path $source | Where-Object {{$_.LastWriteTime -gt (Get-Date).AddDays(-14)} | ForEach-Object {{Copy-Item $_.FullName -Destination $Destination -Force}

END_OF_FILE

delete backupAppLogs.ps1
move __createfile backupAppLogs.ps1

// Run the script with the PowerShell executable registered on the endpoint
override run
runas=agent
run { pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry) } -ExecutionPolicy Bypass -windowstyle hidden -File backupAppLogs.ps1
```
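
The single-destination naming scheme described in the answer above (computer name and timestamp in each copied file name, only files from the last 14 days), as an added PowerShell example that is not part of the original posts. The function name `Copy-RecentLogs`, its parameters and the temp-folder demo data are assumptions made for illustration; in real use `-Destination` would be the share, such as the `\\Servername\Sharename$` placeholder from the post.

```powershell
# Added example, not code from the thread. Copy-RecentLogs is a hypothetical helper.
function Copy-RecentLogs {
    param(
        [Parameter(Mandatory)] [string] $SourceDir,     # folder that holds the logs
        [Parameter(Mandatory)] [string] $Destination,   # one shared folder for all computers
        [int]    $MaxAgeDays   = 14,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    # Fail early when the share is unreachable or not writable for this account
    # (the BigFix agent runs as the system account, not as a user).
    if (-not (Test-Path -LiteralPath $Destination -PathType Container)) {
        throw "Destination not reachable: $Destination"
    }
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    $stamp  = Get-Date -Format 'yyyyMMddHHmm'   # HH is the 24-hour clock
    Get-ChildItem -LiteralPath $SourceDir -File |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            # computername-date-originalname keeps files from different
            # endpoints apart without one folder per computer.
            $name   = '{0}-{1}-{2}' -f $ComputerName, $stamp, $_.Name
            $target = Join-Path $Destination $name
            Copy-Item -LiteralPath $_.FullName -Destination $target -Force
            $target   # emit the path that was written
        }
}

# Constructed demo data in a temp folder so the example runs without a share.
$root = Join-Path ([IO.Path]::GetTempPath()) ('logdemo-' + [guid]::NewGuid())
$src  = New-Item -ItemType Directory -Path (Join-Path $root 'src')
$dst  = New-Item -ItemType Directory -Path (Join-Path $root 'dst')
Set-Content -Path (Join-Path $src 'bf-logfile.log') -Value 'recent entry'
Set-Content -Path (Join-Path $src 'old.log')        -Value 'stale entry'
(Get-Item (Join-Path $src 'old.log')).LastWriteTime = (Get-Date).AddDays(-30)

# Only bf-logfile.log is newer than the cutoff, so only it is copied and renamed.
Copy-RecentLogs -SourceDir $src.FullName -Destination $dst.FullName
Remove-Item -LiteralPath $root -Recurse -Force
```

Saved as a plain .ps1 this runs as written; if it is pasted between `createfile until END_OF_FILE` and the end marker instead, every opening `{` has to be written as `{{` so the BigFix client does not treat it as a relevance substitution.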

I will try this and will let you know. Appreciate it.