Read local log file from PC

I need help with creating a fixlet to read log files from every PC at this location
C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG
and send an email if there is a threat or view via the BigFix console

Is this possible?

Thanks Guys

You can create an analysis to do that & view them from webreport.

lines of file "C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG"

Will the log file be under Relevance?

use this one - lines of file "C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG"

Thanks vk.Khurava - what is the relevance to send an email if “action is taken” is found in the log

could it be

ActionTaken=ARW_ACTION_KILL_THREAD - email itsupport@company.com

It's nothing like that, just go in webreport & CreateScheduledActivity, but to achieve that you must have an SMTP server configured 1st.

ok checking it out now. thanks

I set up the Schedule Activity but it's not allowing me to choose a specific analysis

made some more changes to the relevance

file “C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG” line starts with “ActionTaken=ARW_ACTION_KILL_THREAD

however it keeps reporting as “undefined”

Please help. thanks

The relevance format is wrong

If you just want a “True” if the string is there then it would be

exists line whose ( it starts with "ActionTaken=ARW_ACTION_KILL_THREAD" ) of file "C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG"

No matter what I try it keeps saying error, I even changed it to a word that I know is showing in the log file

exists line whose ( it starts with "ntfs" ) of file "C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG"

If you hover over the "<error>" it will show what the error is

Thanks AlanM - I did not know that - the error reads “the expression could not be validated”

I can’t find that exact text.

Can only find:

This expression could not be parsed.
The expression could not be understood

sorry

the expression could not be evaluated

Is the file “MBAMSERVICE.LOG” in use by Malwarebytes at the time? If the file is “Locked” for writing, then BigFix may not be able to read the file.

That works TimRice - thank you

Now all I have to do is figure out how to search a working log file :)

The “could not be evaluated” suggests a relevance syntax or command error so that is not the same.

Can you post your exact analysis relevance?

here it is

exists line whose (it contains "ActionTaken=ARW_ACTION_KILL_THREAD" ) of file "C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG"

If I save the file to another location it works, but since Malwarebytes locks the file for writing logs it does not work

That is going to be the issue then. You won’t be able to do this in an analysis unless you do it on a copy of a file made by an action.
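
One way an action could make the copy described above, as an added example that is not from any poster in this thread: a PowerShell script that opens the live log with shared read access, writes a snapshot, and counts lines containing the string from the thread. The snapshot folder and file name are hypothetical, and the script assumes Malwarebytes opens its log in a mode that lets other processes read it (the thread reports that saving the file to another location works).

```powershell
# Added example, not from the thread. Only $Source and $Pattern come from the
# thread; the snapshot folder and file name are hypothetical.
param(
    [string]$Source  = 'C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG',
    [string]$CopyDir = 'C:\ProgramData\LogSnapshots',
    [string]$Pattern = 'ActionTaken=ARW_ACTION_KILL_THREAD'
)

$ErrorActionPreference = 'Stop'
$dest = Join-Path $CopyDir 'MBAMSERVICE.copy.log'
$tmp  = "$dest.tmp"

New-Item -ItemType Directory -Path $CopyDir -Force | Out-Null

# Ask for read access only, and tell Windows we tolerate another process
# holding the file open for writing. A plain exclusive open is what fails
# while the service is logging. If the writer denies all sharing, this
# open still throws and the script exits non-zero.
$share = [System.IO.FileShare]'ReadWrite, Delete'
$in = [System.IO.File]::Open($Source, [System.IO.FileMode]::Open,
                             [System.IO.FileAccess]::Read, $share)
try {
    $out = [System.IO.File]::Create($tmp)
    try     { $in.CopyTo($out) }
    finally { $out.Dispose() }
}
finally {
    $in.Dispose()
}

# Write to a temp name first, then swap, so a reader of the snapshot
# does not pick up a partially written file.
Move-Item -Path $tmp -Destination $dest -Force

# Literal, case-sensitive substring match on the snapshot.
$hits = @(Select-String -Path $dest -SimpleMatch -CaseSensitive -Pattern $Pattern)
'{0} matching line(s) in {1}' -f $hits.Count, $dest
```

With the snapshot in place, the expression from the thread can be pointed at C:\ProgramData\LogSnapshots\MBAMSERVICE.copy.log (the hypothetical path used here) instead of the live log. The snapshot is only as fresh as the last run of the action, so the action needs to be scheduled to repeat.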