3 Replies Latest reply on Oct 10, 2017 8:36 AM by zhockey71

    Alert Action using powershell script

    zhockey71

      Hello!

      Looking to create a rule for syslog & trap events in SW NPM with an alert action "execute an external program" that calls a powershell script that writes a json formatted event into an http event collector in Splunk.

      • The script works fine from the command line of SW NPM but once I add it to a rule it fails to inject into splunk when the alert rule fires.
      • The powershell script must be called with the -file option.
      • Other actions (email or another "perl" script) fire successfully
      • Example of Alert "Action Program to execute":
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\scriptlocationhere\scriptname.ps1

      Thanks!

        • Re: Alert Action using powershell script
          lynchnigel

          Hi there

          So can you send screenshots of your alert, so we can see what you're doing, please?

            • Re: Alert Action using powershell script
              zhockey71

              @lynchnigel

              Thanks for your reply.  Just to be clear, the existing syslog or trap rules work fine. I'm looking to replace existing perl script with a powershell script.

              The powershell script works fine outside of the alert rule (from a powershell prompt).

              Example of Alert Action to execute a program.

              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\scriptlocationhere\scriptname.ps1 -AG <GroupName> -CI <ConfigItemName> -SE <Severity> -ME "<Alert Message content from NPM ${MESSAGE}>" -HN <Hostname>

              Example PS script...

              param (
                  $AG,
                  $CI,
                  $SE,
                  $ME,
                  $HN,
                  $TO
              )

              if(!$AG){$AG = $null}
              if(!$CI){$CI = $null}
              if(!$SE){$SE = $null}
              if(!$ME){$ME = $null}
              if(!$HN){$HN = $null}
              if(!$TO){$TO = $null}

              # Disables TLS certificate validation for this process: any certificate the
              # Splunk server presents is accepted.
              [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

              $response = ""
              $formatteddate = "{0:MM/dd/yyyy hh:mm:sstt zzz}" -f (Get-Date)

              # A random severity is picked here but never used; the body below sends -SE ($SE).
              $arraySeverity = 'INFO','WARN','ERROR'
              $severity = $arraySeverity[(Get-Random -Maximum ([array]$arraySeverity).count)]

              # Splunk HEC expects the header value in the form "Splunk <token>".
              $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
              $headers.Add("Authorization", '<KeyGoesHere>')

              # The JSON body is assembled by string concatenation, so parameter values must
              # not contain unescaped double quotes or backslashes, or the body stops being valid JSON.
              $body = '{
                        "host":"' + $HN + '",
                        "sourcetype":"testevents",
                        "source":"AlertSend",
                        "event":{
                            "message":"' + $ME + '",
                            "severity":"' + $SE + '",
                            "user": "' + $AG +'",
                            "date":"' + $formatteddate + '",
                            "CI":"' + $CI + '",
                            "TO":"' + $TO + '"
                            }
                        }'

              # HEC event endpoint URL, e.g. https://<host>:8088/services/collector/event
              $splunkserver = "<ServerNameGoesHere>"
              $response = Invoke-RestMethod -Uri $splunkserver -Method Post -Headers $headers -Body $body
              # HEC replies with {"text":"Success","code":0} when the event was accepted.
              "Code:'" + $response.code + "' text:'"+ $response.text + "'"

              # Add -AG etc. tags to command line parameters. If null, pass null.
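As an added illustration (not zhockey71's script and not SolarWinds or Splunk code), here is a version of the same alert-to-HEC script that closes the weak points in the posted one: the JSON body is built with ConvertTo-Json, so quotes or backslashes in the ${MESSAGE} text cannot break the payload; the token is sent in the "Splunk <token>" header form HEC expects; TLS certificate validation is left on; and every run appends an outcome line to a log file and sets an exit code, so a failure under the alert engine's service account leaves evidence even though nothing is shown on screen. The HEC URL, token and log path are placeholders to be replaced.

```powershell
param (
    [string]$AG,
    [string]$CI,
    [string]$SE,
    [string]$ME,
    [string]$HN,
    [string]$TO,
    # Placeholders: replace with the real HEC endpoint, token and a log path the
    # alert engine's service account can write to.
    [string]$HecUri   = 'https://splunk.example.invalid:8088/services/collector/event',
    [string]$HecToken = '<HEC-TOKEN-PLACEHOLDER>',
    [string]$LogPath  = 'C:\ProgramData\SolarWinds\Logs\alert-to-hec.log'
)

# Append a timestamped line to the log so runs started by the alert engine can be inspected.
function Write-AlertLog {
    param([string]$Text)
    $line = "{0:yyyy-MM-dd HH:mm:ss zzz} {1}" -f (Get-Date), $Text
    Add-Content -Path $LogPath -Value $line -ErrorAction SilentlyContinue
}

# Build the HEC payload as objects and let ConvertTo-Json do the escaping,
# so a message containing " or \ still produces valid JSON.
function New-HecPayload {
    param($AG, $CI, $SE, $ME, $HN, $TO)
    $hostName = if ($HN) { $HN } else { $env:COMPUTERNAME }
    $payload = [ordered]@{
        host       = $hostName
        sourcetype = 'testevents'
        source     = 'AlertSend'
        # Epoch seconds (UTC) lets Splunk index the event with the alert time.
        time       = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
        event      = [ordered]@{
            message  = $ME
            severity = $SE
            user     = $AG
            CI       = $CI
            TO       = $TO
        }
    }
    return ($payload | ConvertTo-Json -Depth 4 -Compress)
}

try {
    # Windows PowerShell 5.1 may negotiate an older TLS version by default; opt into TLS 1.2.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    $body    = New-HecPayload -AG $AG -CI $CI -SE $SE -ME $ME -HN $HN -TO $TO
    $headers = @{ Authorization = "Splunk $HecToken" }

    # Certificate validation is left at the default (enabled).
    $response = Invoke-RestMethod -Uri $HecUri -Method Post -Headers $headers `
                                  -ContentType 'application/json' -Body $body

    # HEC answers {"text":"Success","code":0}; any other code is treated as a failure.
    if ($response.code -ne 0) {
        throw "HEC returned code $($response.code): $($response.text)"
    }
    Write-AlertLog "sent event for CI='$CI' severity='$SE' host='$HN'"
    exit 0
}
catch {
    # The alert engine shows no console, so the log line is the only trace of a failure.
    Write-AlertLog "FAILED: $($_.Exception.Message)"
    exit 1
}
```

The script is invoked with the same `powershell.exe -ExecutionPolicy Unrestricted -NoProfile -File <scriptname> -AG ... -ME "..."` line used in the alert action. Because the alert engine runs it as its own service account rather than the interactive user, a first check when events stop arriving is whether that account can read the script, reach the HEC port and write the log path; the log line written in the catch block shows which of those failed.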

            • Re: Alert Action using powershell script
              zhockey71

              FYI... Resolved this issue by using "powershell.exe -ExecutionPolicy Unrestricted -NoProfile -File <scriptname>".