
Custom SAM Monitors

I'm looking for two very specific SAM monitors that I unfortunately cannot find.

  • File Version Monitor (Gets the version of an EXE from the file details)
  • File Last Write Date (Gets the latest file write time)

I have searched both the built-in application templates and the shared templates on thwack, but alas, I found nothing that would satisfy my requirements. Since they don't exist, I was thinking about creating them, but I couldn't find any clear documentation on how to do this.

0 Kudos
11 Replies

You could take the approach of DNS zone file versioning. By policy and procedure put a version or sequence number as the first line of the file. Then you could do a Get-Content on the item and parse that line to get the number of interest. It works even if you copy the config file to a variety of hosts, meaning you work out the config on one system then deploy it broadly. It eliminates the OS file system variations you might otherwise encounter.

Community Manager

I can probably do both in PowerShell. Are they supposed to be separate templates or the same with two parts? Do they need to look at one specific file or all files in a directory/path?
"Shoot for the stars to reach the moon"

Either way would be excellent! They could both be in the same, but I think it would probably be most beneficial to the community if they were separated out as separate thwack templates.

I am looking for specific files, but if the file path was passed in as an arg or could be set within the script, either would be a good solution.

Thanks @KMSigma 

0 Kudos

Actually, I found someone who already did half of the work.

This is a very well documented and set up template, and you should be able to tweak it for your needs.

"Shoot for the stars to reach the moon"
0 Kudos

Unfortunately, the file age monitor won't work for this application. I'll give you a bit of background:

We have deployed SysMon to many of our servers. We are going through several rounds of config changes. Each time the config gets updated, the last write time should change. My goal isn't to see how old a file is, it's to know the date of the "running config". Once we have the sysmon config "tuned", we shouldn't have to touch it much. With the file age monitor, it would very quickly become a problem, whereas if I knew the date of the config was the proper date, I'd be good to go.

0 Kudos

The issue here is that SAM relies on a "number" response. We need a number for a comparison (greater than, less than, equal to) to determine if it's "warning" or "critical." SAM won't store a "date" because it's not truly numeric. Server Configuration Monitor is a better use case for that. We could do it in SAM, but it's not able to use a date as a statistic, so we need to be clever about scripting it.

"Shoot for the stars to reach the moon"
0 Kudos

The best thing to do would probably be to convert the date to a numeric number.

Using today's date as an example, the value could be converted to 20200825. Any config after that would have a higher number.

Get-Date -UFormat "%Y%m%d"



What do you think?

0 Kudos

That should work.

The only issue I see is whether you actually need to alert on that value using the built-in options (equal to, greater than, etc). It'd be cumbersome to reset alert values to a new 'gold' date, if you were to do mass deployment of your code.

If you are only interested in storing the data in Orion, and using reports or custom widgets to view the results, then worrying about what is 'good' and what is 'bad' isn't necessary and you can simply remove any thresholds from the resulting component.

Having said that, if you DID want to add active monitoring to this, you could use comparison of your date against today's date in the PoSH code, converted to the same "%Y%m%d" format, and have the result set a variable which you would then alert on. For example, you could have a variable named $GoCompare, which is set to zero in your script if the dates are less than 30 days apart, but otherwise has its value set to 1. You'd then alert whenever this value equals 1, indicating a potential old deployment.

- Jez Marsh
Community Manager

And this is the logic you are looking for to get file version information:

$Executables = Get-ChildItem -Path C:\PathToFiles\ -Filter *.exe -File
$Executables | Select-Object -Property Name, FullName, @{ Name = "ProductVersion"; Expression = { $_.VersionInfo.ProductVersion } }, @{ Name = "FileVersion"; Expression = { $_.VersionInfo.FileVersion } }

That'll give you both "versions" that are exposed by the System.Diagnostics.FileVersionInfo .NET classes.

Version information will be interesting for monitoring. Do you want to just check to see if a file version number matches? Do you want to see if a version number is "higher" than a defined number? Depending on what you want to do, you'll probably have to play a little bit with the System.Version classes.

"Shoot for the stars to reach the moon"
Community Manager

If you need to monitor a ton of these for changes, you might be better off using Server Configuration Monitor.  It's very much built for these kinds of questions.  I did a quick example here with Utility Folder Versions.

"Shoot for the stars to reach the moon"

SCM is definitely pretty awesome.  

While you can use (and I have used) SAM for things, SCM is designed for the task.

Now if only I could convince my organisation to buy more licences for SCM....
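
The SAM scripting approach discussed earlier in this thread (the last write date turned into a yyyyMMdd number, plus a System.Version comparison for the file version), sketched as one script. This is an added example, not code posted by anyone in the thread. It assumes SAM's PowerShell script-monitor convention of `Statistic.<name>:` and `Message.<name>:` output lines with exit code 0 for up and 1 for down; the paths, the baseline version and the statistic names are placeholders.

```powershell
# Added example: not code from the thread. Paths, the baseline version and the
# statistic names (LastWrite, VersionCheck) are placeholders chosen here.
param(
    [string]$ConfigPath = 'C:\PathToFiles\config.xml',   # placeholder path
    [string]$ExePath    = 'C:\PathToFiles\app.exe',      # placeholder path
    [version]$MinimumVersion = '1.0.0.0'                 # placeholder baseline
)

function Get-LastWriteNumber {
    param([Parameter(Mandatory)][string]$Path)
    # UTC, so the same file yields the same number on hosts in different time zones.
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    [int]$item.LastWriteTimeUtc.ToString('yyyyMMdd')
}

function Compare-FileVersion {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][version]$Minimum
    )
    $info = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    # Build the version from the numeric parts: the FileVersion string can carry
    # trailing text that [version] cannot parse.
    $actual = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                             $info.FileBuildPart, $info.FilePrivatePart)
    [pscustomobject]@{
        Version = $actual
        Result  = [math]::Sign($actual.CompareTo($Minimum))  # -1 older, 0 equal, 1 newer
    }
}

try {
    $stamp = Get-LastWriteNumber -Path $ConfigPath
    $ver   = Compare-FileVersion -Path $ExePath -Minimum $MinimumVersion
    Write-Output "Message.LastWrite: $ConfigPath last written (UTC) $stamp"
    Write-Output "Statistic.LastWrite: $stamp"
    Write-Output "Message.VersionCheck: $ExePath is $($ver.Version), baseline $MinimumVersion"
    Write-Output "Statistic.VersionCheck: $($ver.Result)"
    exit 0   # component up; thresholds on the statistics decide warning/critical
}
catch {
    # Missing or unreadable file: report it and mark the component down.
    Write-Output "Message.LastWrite: $($_.Exception.Message)"
    Write-Output "Statistic.LastWrite: 0"
    exit 1
}
```

A file with no version resource reports 0.0.0.0, so it compares as older than any real baseline rather than failing the script.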