Retrieve files from miscellaneous locations

Hi,

Is it possible to create a task/fixlet that retrieves files from a location X?
At this point a fixlet to retrieve BES Client logs was created but it’s limited.

Thanks.

You can take the infrastructure of that fixlet to retrieve the logs and customize it to what you want. I’ve done it before and it has been pretty successful as far as getting something from a client which I can grab easily.

You basically take what it’s looking at and change up the paths of what file you want and put in any action such as zipping it up for compression and use the archive now command to send it to the core server.

Are you trying to get a log or something from a program on an endpoint?

1 Like

I’m trying to get some logs from an endpoint without using remote connection.
They are saved within C:\Windows\Logs\

1 Like

I created a package for our security team to be able to send a Redline scan down to an endpoint, do a scan quietly in the background, and zip up and send the results back to the IEM server. The parameters are what you would use for the archive command and it’s pretty simple.

//Configure settings for upload to IEM server
setting "_BESClient_ArchiveManager_MaxArchiveSize"="1048576000" on "{now}" for client
setting "_BESClient_ArchiveManager_OperatingMode"="2" on "{now}" for client
setting "_BESClient_ArchiveManager_FileSet-Redline"="C:\TEMP\Redline\{computer name}_{(month of current date as two digits as string) & (day_of_month of current date as two digits as string) & (year of current date as string)}.zip" on "{now}" for client

//Grab 7za
prefetch 7za.exe sha1:cee178da1fb05f99af7a3547093122893bd1eb46 size:587776 http://bigfix:52311/BESPre-Cache/7z/7za.exe

//Package up Redline file
copy __Download\7za.exe C:\TEMP\Redline\7za.exe
delete __appendfile
appendfile cd C:\TEMP\Redline
appendfile 7za.exe a {computer name}_{(month of current date as two digits as string) & (day_of_month of current date as two digits as string) & (year of current date as string)}.zip C:\Temp\Redline\Sessions
copy __appendfile C:\TEMP\Redline\package.bat
waithidden C:\TEMP\Redline\package.bat

//Send it to the IEM server
if {exists file whose (name of it starts with computer name) of folder "C:\TEMP\Redline"}
archive now
endif

This is what allows the client to then upload that result. You would need to define the limit of the upload size and where the upload would be located on the endpoint. Note that in my example, the file needs to already exist for the parameter to be created.

1 Like

Thanks for the example, I will edit it and post the final form.
Note that I’m trying to get txt files so I will copy “*.txt”

Whatever works for you. My example is done this way because Redline scans can be gigabytes in size and I need to zip it up so it’s uploaded in a timely manner and can be moved from the IEM server to a PC easily.

1 Like

Is this what you mean by redline?

https://www.mandiant.com/resources/download/redline

That would be the application used. You create your collector package and run your analysis through it. The tasks I created have a two-step process requiring two tasks. The first is a task to push Redline down and run a scan dumping everything into a temp directory. The second task pulls the results back. I also created a third task to remove the results when they’ve been successfully retrieved.

1 Like

This would be the actionscript for my case - retrieve any file.

action parameter query "FilePath" with description "Please enter the full path of the file(s) to be retrieved. Wildcards can be used. The maximum size of the file(s) when zipped up is 10 MB." and with default value "C:\Windows\Logs\*.log"

// set max size to 10 MB to prevent too much data. If the archive is bigger than 10 MB the upload won't occur
setting "_BESClient_ArchiveManager_MaxArchiveSize"="10240000" on "{parameter "action issue date" of action}" for client
// mode 2: the client only builds and uploads the archive when "archive now" is run
setting "_BESClient_ArchiveManager_OperatingMode"="2" on "{parameter "action issue date" of action}" for client

// file set to upload: the path(s) entered in the FilePath parameter
setting "_BESClient_ArchiveManager_FileSet-client"="{parameter "FilePath" of action}" on "{parameter "action issue date" of action}" for client

// send results
archive now

2 Likes
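As an added example that is not from any post in this thread, here is one BigFix ActionScript task that combines the two approaches above: it zips whatever the FilePath parameter matches (as in the Redline task) and uploads the result through the Archive Manager (as in the final script), but it also handles the two failure modes the thread mentions: no matching file, and an archive over the 10 MB cap, which the Archive Manager would otherwise skip silently. It assumes 7za.exe is pre-cached on your server at the same URL and hash the Redline post used (replace with your own), that C:\TEMP\Retrieve may be used as a scratch folder, and that your server-side upload limit is at least 10 MB; the parameter names Stage and Zip and the FileSet name "retrieve" are my own choices.

```actionscript
// Added example (not from the thread): zip arbitrary file(s), fail visibly if nothing
// matched or the zip exceeds the upload cap, then upload via the Archive Manager.
// ASSUMPTIONS: 7za.exe is pre-cached at the URL/hash used in the Redline post above;
// C:\TEMP\Retrieve is a scratch folder this task may create; the server accepts
// uploads of at least 10 MB.
action parameter query "FilePath" with description "Full path of the file(s) to retrieve. Wildcards are allowed, e.g. C:\Windows\Logs\*.log. The files are zipped first; the zip must be 10 MB or smaller." and with default value "C:\Windows\Logs\*.log"

// Legacy prefetch lines belong before the other commands.
prefetch 7za.exe sha1:cee178da1fb05f99af7a3547093122893bd1eb46 size:587776 http://bigfix:52311/BESPre-Cache/7z/7za.exe

// Scratch folder and a per-machine, per-day archive name (same naming as the Redline post).
parameter "Stage" = "C:\TEMP\Retrieve"
parameter "Zip" = "{parameter "Stage"}\{computer name}_{(month of current date as two digits as string) & (day_of_month of current date as two digits as string) & (year of current date as string)}.zip"
folder create "{parameter "Stage"}"
copy __Download\7za.exe "{parameter "Stage"}\7za.exe"

// Remove a stale zip from an earlier run so the checks below only see this run's output.
// (delete does nothing if the file is absent.)
delete "{parameter "Zip" of action}"

// 7za expands the wildcard itself; -y suppresses prompts; waithidden keeps it off-screen.
waithidden "{parameter "Stage" of action}\7za.exe" a -y "{parameter "Zip" of action}" "{parameter "FilePath" of action}"

// Edge case 1: nothing matched (or 7za failed), so there is no zip. Stop the action
// here instead of registering a FileSet that points at nothing.
continue if {exists file (parameter "Zip" of action)}

// Edge case 2: zip over the cap. The Archive Manager would just not upload it (the
// silent failure noted in the last post), so make the action itself stop instead.
continue if {size of file (parameter "Zip" of action) <= 10240000}

// Archive Manager: upload only on demand (mode 2), cap 10 MB, FileSet = the zip just built.
setting "_BESClient_ArchiveManager_OperatingMode"="2" on "{parameter "action issue date" of action}" for client
setting "_BESClient_ArchiveManager_MaxArchiveSize"="10240000" on "{parameter "action issue date" of action}" for client
setting "_BESClient_ArchiveManager_FileSet-retrieve"="{parameter "Zip" of action}" on "{parameter "action issue date" of action}" for client

// Trigger the upload. Do not delete the zip in this same action: the upload happens
// after "archive now" returns, so clean up with a separate task once the file has
// arrived (the Redline poster's third task does exactly that).
archive now
```

On the root server the uploaded archive lands by default under the BES Server folder in UploadManagerData\BufferDir\sha1\<last two digits of the computer ID>\<computer ID>\, which is where you would pick it up before running the cleanup task.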