Alert Action using powershell script

Hello!

Looking to create a rule for syslog & trap events in SW NPM with an alert action "execute an external program" that calls a powershell script that writes a json formatted event into an http event collector in Splunk.

The script works fine from the command line of SW NPM but once I add it to a rule it fails to inject into splunk when the alert rule fires.
The powershell script must be called with the -file option.
Other actions (email or another "perl" script) fires successfully
Example of Alert "Action Program to execute":
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\scriptlocationhere\scriptname.ps1

Thanks!

Find more posts tagged with

alert action using powershell script

Accepted answers

All comments

lynchnigel

Hi there

so can you send screen shots of your alert? so we can see what your doing please?

zhockey71

@lynchnigel

Thanks for your reply. Just to be clear, the existing syslog or trap rules work fine. I'm looking to replace existing perl script with a powershell script.

The powershell script works fine outside of the alert rule (from a powershell prompt)

Example of Alert Action to execute a program.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\scriptlocationhere\scriptname.ps1 -AG <GroupName> -CI <ConfigItemName> -SE <Severity> -ME "<Alert Message content from NPM ${MESSAGE}>" -HN <Hostname>

Example PS script...

param (

$AG,

$CI,

$SE,

$ME,

$HN,

$TO

)

if(!$AG){$AG = $null}

if(!$CI){$CI = $null}

if(!$SE){$SE = $null}

if(!$ME){$ME = $null}

if(!$HN){$HN = $null}

if(!$TO){$TO = $null}

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

$response = ""

$formatteddate = "{0:MM/dd/yyyy hh:mm:sstt zzz}" -f (Get-Date)

$arraySeverity = 'INFO','WARN','ERROR'

$severity = $arraySeverity[(Get-Random -Maximum ([array]$arraySeverity).count)]

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"

$headers.Add("Authorization", '<KeyGoesHere>')

$body = '{

"host":"' + $HN + '",

"sourcetype":"testevents",

"source":"AlertSend",

"event":{

"message":"' + $ME + '",

"severity":"' + $SE + '",

"user": "' + $AG +'",

"date":"' + $formatteddate + '",

"CI":"' + $CI + '",

"TO":"' + $TO + '"

}

$splunkserver = "<ServerNameGoesHere>"

$response = Invoke-RestMethod -Uri $splunkserver -Method Post -Headers $headers -Body $body

"Code:'" + $response.code + "' text:'"+ $response.text + "'"

#Add -AG etc tags to command line parameters. If null, pass null.

zhockey71

FYI.....Resolved this issue by using "powershell.exe -ExecutionPolicy Unrestricted -NoProfile -File <scriptname>

faizan_123

zhockey71 Hello would you provide me with the powershell script for alert triggering for syslog which you used it would be of huge help.

Thanks