REPORT_FIM.bat file


This section provides an example of how to use the REPORT_FIM.bat file, a utility included with BMC Defender that e-mails you the list of file changes when the BMC Defender File Integrity Monitor Audit Report adapter detects changes. The batch file runs as a Correlation > Action program and can be configured at any site where one or more File Monitor programs are installed on the network.

When REPORT_FIM.bat is configured, you receive an e-mail message whenever the BMC Defender FIM Adapter detects a change, and the message includes the list of changed files. This e-mail is sent in addition to any e-mail related to tickets; it is a simple application built on top of the BMC Defender FIM Adapter described here.

Operational overview

The REPORT_FIM.bat file is installed in the installationDirectory/actions folder as a standard component. The operator configures it on the Correlation > Actions screen.

Note

The Correlation > Actions screen configures programs that are executed when selected messages are received. This operation is similar to, but distinct from, the Ticket > Actions function of the system.

When the BMC Defender FIM Adapter runs, it generates a special error-severity message whenever it detects changes to the monitored system. The operator configures REPORT_FIM.bat to execute when this message is received. The script queries the remote BMC Defender FIM Adapter for the list of changes (using the rfmconf.exe program documented previously in this space), formats the list into an e-mail message, and sends it to the specified user.

The REPORT_FIM.bat file contains additional notes, as comments in the script, that might be useful to developers or administrators. See the file at installationDirectory/actions/REPORT_FIM.bat.

Configuration procedure

First, configure the System > SMTP settings and verify that the system can actually send e-mail, using the Test option on the System > SMTP screen.

After the SMTP server settings are configured, click the Correlation > Actions tab, and then click AddNew to add a new action. Set the fields for this action exactly as follows:

Match Severity:              GE ERROR
Match Expression:            "CorreLog File Monitor"
Action Program Name:         REPORT_FIM.bat
Action Program Arguments:    (e-mail address)
Notes

  • The Match Expression must include the double quotes so that the entire phrase is matched, not the individual words.
  • The Action Program Arguments value is the e-mail address that receives the BMC Defender FIM Adapter report. You can apply additional qualifiers, such as a match address, to restrict which messages trigger the action.

After configuring the preceding items, you can test the setup by adding a new file to a monitored location (for example, a TEST.EXE file in the system32 directory, which requires administrative rights) and running a new check. The check generates a report that shows the changes, including the addition of the new file. Remove the test file afterward so that it is not reported on every subsequent check.
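The following is an added example, not code from BMC Defender or the REPORT_FIM.bat file: a small Python model of the Correlation > Actions match rule configured above, run over constructed sample messages to show which ones would launch REPORT_FIM.bat. The Message and Action classes, the syslog severity table, the recipient address, the sample message texts and the treatment of an unquoted expression as separate terms are assumptions made for the example; the two points taken from the page are that GE ERROR matches error severity and anything more severe, and that the double-quoted expression must match as one phrase.

```python
# Added example: model of the Correlation > Actions match rule used to
# launch REPORT_FIM.bat. Illustrative code, not part of BMC Defender.
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Syslog severity levels: a lower number means more severe (RFC 5424).
# "GE ERROR" therefore means error, critical, alert or emergency.
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}


@dataclass
class Message:
    address: str    # IP address of the agent that sent the message
    severity: str   # one of the SEVERITY keys
    text: str


@dataclass
class Action:
    match_severity: str                  # e.g. "GE ERROR"
    match_expression: str                # e.g. '"CorreLog File Monitor"'
    program: str                         # e.g. "REPORT_FIM.bat"
    arguments: str                       # e.g. the recipient e-mail address
    match_address: Optional[str] = None  # optional qualifier (assumed form)


def severity_matches(rule: str, severity: str) -> bool:
    """Evaluate a 'GE <level>' rule against a message severity."""
    op, level = rule.split()
    if op.upper() != "GE":
        raise ValueError(f"unsupported operator {op!r}")
    # Lower numeric value = more severe, so GE means numeric <=.
    return SEVERITY[severity.lower()] <= SEVERITY[level.lower()]


def expression_matches(expression: str, text: str) -> bool:
    """A double-quoted expression must appear as one phrase; unquoted words
    are treated as separate terms that must all appear (assumed semantics)."""
    terms = shlex.split(expression)  # '"CorreLog File Monitor"' -> one term
    haystack = text.lower()
    return all(term.lower() in haystack for term in terms)


def action_fires(action: Action, msg: Message) -> bool:
    """True when the message satisfies every qualifier on the action."""
    if action.match_address and action.match_address != msg.address:
        return False
    return (severity_matches(action.match_severity, msg.severity)
            and expression_matches(action.match_expression, msg.text))


def plan_actions(actions: List[Action],
                 messages: List[Message]) -> List[Tuple[str, str, str]]:
    """Return (program, arguments, message text) for every action launch."""
    return [(a.program, a.arguments, m.text)
            for m in messages for a in actions if action_fires(a, m)]


# The action exactly as configured in the procedure above.
REPORT_FIM_ACTION = Action(
    match_severity="GE ERROR",
    match_expression='"CorreLog File Monitor"',
    program="REPORT_FIM.bat",
    arguments="fim-alerts@example.com",   # assumed recipient
)

# Constructed sample messages; the texts are invented for this example.
SAMPLE_MESSAGES = [
    Message("10.0.0.5", "error", "CorreLog File Monitor: 3 changes detected"),
    Message("10.0.0.5", "info", "CorreLog File Monitor: scan complete, no changes"),
    Message("10.0.0.7", "error", "File Monitor for CorreLog service restarted"),
    Message("10.0.0.7", "critical", "CorreLog File Monitor: 12 changes detected"),
]

if __name__ == "__main__":
    for program, args, text in plan_actions([REPORT_FIM_ACTION], SAMPLE_MESSAGES):
        print(f"{program} {args}   <- {text}")
```

Running the block launches the action for the two change-detected messages only: the info-severity scan result fails the severity test, and the message that contains the three words in a different order fails the quoted-phrase test, which is why the quotes in the Match Expression matter.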

Caveats

The script depends on the proper operation of the system\rfmconf.exe program, which in turn requires that any firewalls between the BMC Defender system and the agent allow that access. Before relying on the script, verify that the BMC Defender system actually has access to the remote configuration functions of the BMC Defender FIM Adapter by clicking the IP address of a remotely executing BMC Defender FIM Adapter agent.

You continue to receive an e-mail message on every check for as long as the condition exists. To reduce the amount of e-mail, you can:

  • Schedule BMC Defender FIM Adapter to run less frequently (such as once a day).
  • Correct the problem to eliminate the error.
  • Manually generate a new image file.
  • Set the Auto-Generate image file option to True.


BMC Defender Agent for Windows 6.2