Solved

Creating a script that monitors a specific file

Posted on 2006-05-03
Last Modified: 2008-03-10
Hi, I am wondering if there is a way to create a script that monitors additions to a file and stamps not only the time the change to the file took place, but lists the web page that the user was on when the change occurred.  To give you a little background, I have a computer at home that has Cybersitter on it.  It filters and blocks web pages that are not appropriate for the user to go to.  Now that filter has been showing that it is filtering a bunch of stuff but the user is not intentionally going to inappropriate sites.  So I figure if I can write a script that monitors changes in the filter file and logs the web page or pop-up that caused the need to be filtered, it would explain a lot. The system is XP Pro.  Thanks a lot for any help in advance.  If you need clarification please don't hesitate to ask.

Gordy
Question by:Gordyjb
 
LVL 39

Expert Comment

by:Adam314
ID: 16596527
I'm not sure how the Cybersitter works, but it sounds like it is set up as a proxy for Internet Explorer?  And any inappropriate requests are denied and logged to a file?

If this is true, then you could have a script that would monitor the log for a change, and indicate what changes were made and at what time.  Knowing what page the user was looking at would be difficult though.

I can help with the script if you want it written in perl (you'll probably have to install a free perl interpreter).  If you want it in some other language, you should post a pointer in the appropriate programming topic area.
0
 
LVL 9

Expert Comment

by:smidgie82
ID: 16596600
A few ideas:

Firstly, you could always write a system service with a thread that sleeps for n seconds, then wakes up, checks to see if the timestamp on the filter file has changed, if so writes that info to its own log, and then sleeps for another n seconds.  MoniDir uses this technique (http://www.contactplus.com/products/freestuff/monidir.htm), if you want a program that'll do it for you instead of having to write it yourself.  Why reinvent the wheel?

There's also the possibility of using something like filemon (http://www.sysinternals.com/Utilities/Filemon.html).  The same programming technique that Mark uses to catch file activity can be used to simply log writes to a particular file.  As this is a relatively simple question, though, I'm going to assume you're not a system programming guru, and don't feel like writing hooks into the system service dispatch table.  But still, you might be interested in looking at filemon.  Just start it up and run it, and you'll be absolutely amazed at the sheer quantity of file IO going on on your system.  Same with Regmon and registry IO.  It's ridiculous.

You could also try looking online to see if there are any plugins for Cybersitter that will allow you more robust logging capabilities of the kind you need.  Maybe it's already built-in, just buried deep in an options menu?
0
 

Author Comment

by:Gordyjb
ID: 16604283
No, I'm not a programming guru.  I looked at the Monidir 2000 utility.  But I think that would only let me note changes to the file.  And Filemon again seems to note the changes but doesn't allow for "what they are" and which web page was being accessed when the changes occurred.  The main problem is that Cybersitter, at times, lists stuff that it filtered but it leaves no indication of which web page it came from.  This knowledge would be important for the reason that if it is a harmless page Cybersitter could be given permission to let it go by, hence de-cluttering the filter file.  I do know a little about batch files, VB, and Assembly.
0

 
LVL 4

Expert Comment

by:noam_dz
ID: 16606190
You can use:
http://www.phoneinbuddy.com/FAM_main.htm
to alert you when the file changes, and then you know what page you are on by yourself (anybody else can do the same).
Or use file monitor and include 'the file' and 'htm' 'html', after which look for 'the file' in the log and see the html files near it.
0
 
LVL 39

Expert Comment

by:Adam314
ID: 16607075
Could you post a sample of the cybersitter file, and what you'd like to see?
0
 

Author Comment

by:Gordyjb
ID: 16610818
What I would like to see is the web page that the user is on when the filter occurs.  For example, the 05/03/06 09:11:02 PM      FILTERED      NUDE doesn't say what page it was on when it filtered that word.  Now, through trial and error I figured out that this filter occurs when I open IE with www.google.com set as the home page.  So what I would like the log to do is: 05/03/06 09:11:02 PM      FILTERED      NUDE www.google.com 

Below is a copy of the file that is created by Cybersitter.  Each day it emails the file to a location of my choice and then creates a new file.  They are simple txt files.
05/03/06 09:11:02 PM      FILTERED      NUDE
05/03/06 09:12:16 PM      FILTERED      SYSINTERNALS.COM
05/03/06 09:12:18 PM      FILTERED      SYSINTERNALS.COM
05/03/06 09:12:19 PM      FILTERED      SYSINTERNALS.COM
05/03/06 09:12:39 PM      FILTERED      NUDE
05/03/06 09:12:52 PM      FILTERED      SYSINTERNALS.COM
05/03/06 09:12:58 PM      FILTERED      SYSINTERNALS.COM
05/03/06 09:12:59 PM      FILTERED      SYSINTERNALS.COM
05/03/06 09:13:03 PM      FILTERED      SYSINTERNALS.COM
05/03/06 09:13:12 PM      COMMENT      Password Accepted
05/03/06 09:13:12 PM      COMMENT      CYBERsitter opened from system tray
05/03/06 09:14:06 PM      FILTERED      NUDE
05/03/06 09:19:12 PM      FILTERED      SYSINTERNALS.COM
05/03/06 09:44:02 PM      FILTERED      NUDE
05/03/06 10:31:01 PM      FILTERED      NUDE
05/03/06 10:31:30 PM      FILTERED      NUDE
05/03/06 10:34:32 PM      FILTERED      SYSINTERNALS.COM
05/03/06 10:37:12 PM      FILTERED      SYSINTERNALS.COM
05/03/06 10:39:57 PM      COMMENT      Password Accepted
05/03/06 10:39:57 PM      COMMENT      CYBERsitter opened from system tray
0
 

Author Comment

by:Gordyjb
ID: 16610901
Noam dz, that file monitor is a close solution except it won't let me monitor a .txt file in the Net folder, just the folder.
0
 
LVL 4

Expert Comment

by:noam_dz
ID: 16611961
Are there any other files that change that prevent you from monitoring the folder?

Do you have an option in the software settings to choose where to locate the txt file?
0
 

Author Comment

by:Gordyjb
ID: 16613559
No, the last file created is the only file that will change in that folder, so I guess it does let me know when the file in question changes.  Now I just need to know if I can get  or create a utility that logs what the change was and what web page was accessed to cause the change.
0
 
LVL 39

Expert Comment

by:Adam314
ID: 16615986
I don't know the format that Internet Explorer uses to store its history... but it does store the page and the date/time that it was last viewed.

I'm guessing there will be an entry in the history whose time/date corresponds to the Cybersitter log file.

I did a quick search for the Internet Explorer history format, but didn't find anything....
If you could find this, it would not be hard to write a script that monitors the cybersitter file, and looks up the IE history for a matching entry - providing all the info you want in a log file.

If you are using a browser other than IE: which browser are you using?
0
 
LVL 4

Expert Comment

by:noam_dz
ID: 16617828
"Now I just need to know if I can get  or create a utility that logs what the change was and what web page was accessed to cause the change."

filemon does this !!!
0
 

Author Comment

by:Gordyjb
ID: 16622745
Well, the version of Filemon that I have only logs the time and file that has been modified; it doesn't say what the modification was nor the web page that had the modification filtered from.

I will try to locate the history file and see how it is formatted.
0
 
LVL 4

Expert Comment

by:noam_dz
ID: 16622875
you asked for "logs the web page or pop up that cause the need to be filtered"
so filemon tells you this, right?
now you want to know why it is filtered? do I understand correctly?
If so, it should be in the options of Cybersitter to see that; if not, then you have to figure it out yourself. No external tool can know Cybersitter logic.
0
 

Author Comment

by:Gordyjb
ID: 16625556
I'm sorry, maybe I am not making myself clear.  Sometimes the "Cybersitter Log" shows that it filtered a word like 'nude'.  Now through trial and error investigation, it appears that that word gets filtered every time the "google search page" is loaded.  So I went into the "Cybersitter Options" and gave permission for that page to be viewed because Cybersitter blocks access to the pages that it has to filter something on unless you give it permission to be viewed.  But at the end of the day, "Cybersitter Log" shows a lot of stuff that has been filtered.  What I'm interested in knowing is whether these are filtered from innocent pages, i.e. google.com, or is the user trying to get on web sites that are inappropriate.  Now, here is an example of the Filemon log: 2006.05.07 10:22:36.859;Existing file '20060507.log' has been updated in 'C:\WINDOWS\system32\Logs\Net\'.  , this is one log entry in the Filemon log.  And then in an earlier post I showed you what a log entry looks like from Cybersitter.  Now it seems to me that all I really need is something that will stamp what web page the user is viewing when the entry to the "Cybersitter Log" occurs.
0
 
LVL 4

Expert Comment

by:noam_dz
ID: 16625991
Filemon should show you the name of the HTML page which was browsed (this is done automatically by IE); just double click the html file in Filemon.

If you still have a problem, just make a search in the computer and make it only with the creation date of the day you are looking for. Look in Explorer for creation date (which includes the time); notice this is creation time, not modification time.

Also you can post here 10 rows of Filemon around the log file.
0
 

Author Comment

by:Gordyjb
ID: 16626888
I do not see an html page listed in the filemon log nor do I see it as an option.  Also, I have windows XP and I have only the option to search for modifications, not creations.  
0
 
LVL 39

Expert Comment

by:Adam314
ID: 16631902
Maybe I'm missing something, but I don't think filemon will do everything Gordyjb is asking.  Correct me if any of these are incorrect.

As I understand it:
- When browsing, IE will store its history in its own format
- If Cybersitter detects anything inappropriate, it will filter it, and create a log entry (as shown in a previous post) - this does NOT contain which page was being viewed at the time

Gordyjb wants:
- To be able to see what was being viewed when Cybersitter blocked something

Filemon will:
- Monitor a file for changes, and make its own log of those.  So if monitoring the Cybersitter log - it will tell when the file is changed, and what the change is.  This doesn't solve the problem, because that file (the Cybersitter log) doesn't contain the needed information (what page was being viewed).  If Filemon can be configured to monitor the Cybersitter log, and provide the page IE was viewing - please provide more details on how to do this.

What I think needs to be done:
- Match the Cybersitter log with the IE log, and determine what pages were being viewed when Cybersitter filtered a page.
0
 
LVL 4

Expert Comment

by:noam_dz
ID: 16633537
In "Filemon filter" (Options -> filter) include iexplore.exe and make sure all boxes are checked.

This will show you the files saved by IE. Double click an entry to get to the directory, locate the file and view it.
0
 
LVL 4

Expert Comment

by:noam_dz
ID: 16633585
another approach which you might find easier is to use
0
 
LVL 4

Accepted Solution

by:
noam_dz earned 750 total points
ID: 16633602
IE history viewer

http://www.nirsoft.net/utils/iehv.html

If you want to prevent anyone from clearing Internet Explorer's History.

http://www.g4tv.com/screensavers/features/506/Sarahs_Windows_Tweak_Lock_Down_IE_History.html
0
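
The matching step Adam314 describes earlier in the thread (pair each Cybersitter log entry with the page being viewed at that time), as an added example that is not part of the original thread. It parses the log format Gordyjb posted; the history input layout (one tab-separated timestamp and URL per visit, in the same local time as the log), the 60-second window and all sample rows are assumptions constructed for illustration.

```python
import re
from bisect import bisect_right
from datetime import datetime, timedelta

# Cybersitter line format as posted in the thread: date, time, AM/PM, action, detail.
LOG_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d [AP]M)\s+(\w+)\s+(.+?)\s*$")

# Constructed sample inputs (not real data). The history layout is an assumption:
# one "YYYY-MM-DD HH:MM:SS<TAB>URL" row per visit, in the same local time as the log.
SAMPLE_LOG = """\
05/03/06 09:11:02 PM      FILTERED      NUDE
05/03/06 09:12:16 PM      FILTERED      SYSINTERNALS.COM
05/03/06 09:13:12 PM      COMMENT      Password Accepted
05/03/06 10:31:01 PM      FILTERED      NUDE
"""
SAMPLE_HISTORY = """\
2006-05-03 21:10:58\thttp://www.google.com/
2006-05-03 21:12:10\thttp://www.sysinternals.com/Utilities/Filemon.html
2006-05-03 21:40:00\thttp://example.test/news
"""

def parse_log(text):
    """Yield (timestamp, detail) for FILTERED entries; skip COMMENT and junk lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(2) == "FILTERED":
            yield datetime.strptime(m.group(1), "%m/%d/%y %I:%M:%S %p"), m.group(3)

def parse_history(text):
    """Return visits sorted by time as a list of (timestamp, url)."""
    rows = (ln.split("\t", 1) for ln in text.splitlines() if "\t" in ln)
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), u.strip()) for t, u in rows)

def correlate(log_text, history_text, window=timedelta(seconds=60)):
    """Pair each filter event with the last page visited at or before it.

    A visit older than `window` is reported as None rather than guessed,
    since the page may have been closed long before the filter fired.
    """
    visits = parse_history(history_text)
    times = [t for t, _ in visits]
    out = []
    for when, detail in parse_log(log_text):
        i = bisect_right(times, when) - 1
        url = visits[i][1] if i >= 0 and when - times[i] <= window else None
        out.append((when.strftime("%m/%d/%y %I:%M:%S %p"), detail, url))
    return out

if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG, SAMPLE_HISTORY):
        print(*row, sep="\t")
```

Entries that come back with no URL are the ones worth a closer look, since nothing in the history explains them within the window.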
 

Author Comment

by:Gordyjb
ID: 16635892
Noam dz, that might be where I'm getting confused; I don't seem to have a "filter" option under the Filemon options.
0
