RSA enVision^® Discussions

RSAAdmin · ‎2010-02-17

Anyone using "Run Command" to excute external commands. What I am hoping to do is pass certain paramaters / command line agruments from the alert to the external script. The script will lookup additional information and tweak the format before sending email alert. The thing is I am unable to find any document on how to pass parameters to the external script.

Thank you.

RSAAdmin · ‎2010-02-18

I'd like to know that as well.

What I would like to do, is kick off a query, based upon an alert.

The specific example is

1) an alert comes in from the IPS, that has a destination of X, the source is our proxy server

2) Kick off a query of the proxy data looking for who connected to X

This way I can correllate the Proxy data (which comes before the IPS) and the IPS alert

We tried to set up a correllated report, but our Proxy is way too busy, to buffer all the requests, waiting for the IPS alert to match to.

Thanks

Tim

RSAAdmin · ‎2010-02-23

Great topic...

I tried to do this a while back and was unable to get an alert to trigger a .bat script at all, let alone passing parameters.

So what I did to work around this, though not ideal, does work: I changed the alert to write to a text file, then I wrote a little bat file to parse that text alert and grab the info I needed (like an IP address, etc.) and execute my commands. I then scheduled this bat to run every X minutes on the app server...so it runs, checks if the alert txt file exists, exits if it does not, parses and executes if it does.

Like I said, not ideal, but works reliably for my needs.

Hope that helps.

Adam

RSAAdmin · ‎2010-02-24

Hi,

1st of all you need to know that envision doesn't work so good with bacth and exe files so i recommend using a perl or vb script instead.

now the way to send parameters to the script is:

create an aoutput template, the checkbox you mark there are the parametrs that will be sent to the script

so for example:

at the output action --> run command --> excutable name: C:\perl\bin\perl.exe

at the output action --> run command --> excuteable parameters: c:\scripts\myscript.pl

and the parameters are for example: date/time, view name, message text

so what you need to do now is to catch the paramters in the script from the console and use them as you wish.

hope this helps

RSAAdmin · ‎2010-02-24

i Roy,

Thanks for the suggestions, but I tried getting a perl script to execute and nothing happened at all, just like with a batch file.

If I get some time, I will try again as you describe above, but for now the solution I have is working fine for me.

Thanks!

Adam

RSAAdmin · ‎2010-03-01

Roy,

Any chance you can post the perl script and example of one of the rules that you are using to fire the alert?

Thanks

RSAAdmin · ‎2010-05-03

I am having the same problem. Has anybody seen a resolution yet?

RSAAdmin · ‎2010-05-03

Hi,

sorry for the long delay, i've forgot about your request,

here's a simple script to get parameters out of envision and send them by mail.

you all probelbly notice that the emails of envision are a big mess so this should help a little.

hope it helps

RSA enVision® Discussions

Alert Output Action Question

RSA enVision^® Discussions