• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 92
  • Last Modified:

Creating a script that monitors a specific file

Hi, I am wondering if there is a way to creat a script that monitors additions to a file and stamps not only the time the change to the file took place, but lists the web page that the user was on when the change occured.  To give you a little background, I have a computer at home that has Cybersitter on it.  It filteres and blocks web pages that are not appropriate for the user to go to.  Now that filter has been showing that it is filtering a bunch of stuff but the user is not intentionally going to inapropriate sites.  So I figure if I can write a script that monitors changes in the filter file and logs the web page or pop up that cause the need to be filtered, it would explain alot. The system is XP pro.  Thanks alot for any help in advance.  If you need clarification please dont hesistate to ask.

Gordy
0
Gordyjb
Asked:
Gordyjb
  • 8
  • 8
  • 4
  • +1
1 Solution
 
Adam314Commented:
I'm not sure how the Cybersitter works, but it sounds like it is setup as a proxy for internet explorer?  And any inappropriate requests are denied and logged to a file?

If this is true, then you could have a script that would monitor the log for a change, and indicate what changes were made and at what time.  Knowing what page the user was looking at would be difficult though.

I can help with the script if you want it written in perl (you'll probably have to install a free perl interpreter).  If you want it in some other language, you should post a pointer in the appropriate programming topic area.
0
 
smidgie82Commented:
A few ideas:

Firstly, you could always write a system service with a thread that sleeps for n seconds, then wakes up, checks to see if the timestamp on the filter file has changed, if so writes that info to its own log, and then sleeps for another n seconds.  MoniDir uses this technicque (http://www.contactplus.com/products/freestuff/monidir.htm), if you want a program that'll do it for you instead of having to write it yourself.  Why reinvent the wheel?

There's also the possibility of using something like filemon (http://www.sysinternals.com/Utilities/Filemon.html).  The same programming technique that Mark uses to catch file activity can be used to simply log writes to a particular file.  As this is a relatively simple question, though, I'm going to assume you're not a system programming guru, and don't feel like writing hooks into the system service dispatch table.  But still, you might be interested in looking at filemon.  Just start it up and run it, and you'll be absolutely amazed at the sheer quantity of file IO going on on your system.  Same with Regmon and registry IO.  It's ridiculous.

You could also try looking online to see if there are any plugins for Cybersitter that will allow you more robust logging capabilities of the kind you need.  Maybe it's already built-in, just buried deep in an options menu?
0
 
GordyjbAuthor Commented:
No, I'm not a programming guru.  I looked at the Monidir 2000 utility.  But I think that would only let me note changes to the file.  and Filemon again seems to note the changes but note the changes but doesnt allow for "what they are" and which web page was being accesses when the changes occured.  The main problem is that Cybersitter, at times list stuff that it filtered but it leaves no indication of which web page it came from.  This knowledge would be important for the reason that if it is a harmless page cybersitter could be given permission to let it go by, hence de-cluttering the filter file.  I do know a little about batch files, VB, and Assembly.  
0
Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

 
noam_dzCommented:
you can use :
http://www.phoneinbuddy.com/FAM_main.htm
To alert you when the file changes and then you know what page you are by your self (anybody else can do the same)
Or use file monitor  and  include 'the file' and 'htm' html' after which look for 'the file' in the log  see the html files near it.
0
 
Adam314Commented:
Could you post a sample of the cybersitter file, and what you'd like to see?
0
 
GordyjbAuthor Commented:
What I would like to see is the web page that the user is on when the filter occurs.  For example, the 05/03/06 09:11:02 PM      FILTERED      NUDE doesnt say what page is was on when it filtered that word.  Now, threw trial and error I figured out that this filter occurs when I open IE with www.google.com set as the home page.  So what I would like the log to do is: 05/03/06 09:11:02 PM      FILTERED      NUDE www.google.com 

below is copy of the file that is created by Cybersitter.  Each day it emails the file to a location of my choice and then creats a new file.  They are simple txt files.
05/03/06 09:11:02 PM      FILTERED      NUDE
05/03/06 09:12:16 PM      FILTERED      SYSINTERNALS.COM
05/03/06 09:12:18 PM      FILTERED      SYSINTERNALS.COM
05/03/06 09:12:19 PM      FILTERED      SYSINTERNALS.COM
05/03/06 09:12:39 PM      FILTERED      NUDE
05/03/06 09:12:52 PM      FILTERED      SYSINTERNALS.COM
05/03/06 09:12:58 PM      FILTERED      SYSINTERNALS.COM
05/03/06 09:12:59 PM      FILTERED      SYSINTERNALS.COM
05/03/06 09:13:03 PM      FILTERED      SYSINTERNALS.COM
05/03/06 09:13:12 PM      COMMENT      Password Accepted
05/03/06 09:13:12 PM      COMMENT      CYBERsitter opened from system tray
05/03/06 09:14:06 PM      FILTERED      NUDE
05/03/06 09:19:12 PM      FILTERED      SYSINTERNALS.COM
05/03/06 09:44:02 PM      FILTERED      NUDE
05/03/06 10:31:01 PM      FILTERED      NUDE
05/03/06 10:31:30 PM      FILTERED      NUDE
05/03/06 10:34:32 PM      FILTERED      SYSINTERNALS.COM
05/03/06 10:37:12 PM      FILTERED      SYSINTERNALS.COM
05/03/06 10:39:57 PM      COMMENT      Password Accepted
05/03/06 10:39:57 PM      COMMENT      CYBERsitter opened from system tray
0
 
GordyjbAuthor Commented:
Noam dz, that file monitor is a close solution except it wont let me monitor a .txt file in the Net folder, just the folder.
0
 
noam_dzCommented:
Are there any other files that change that prevent you from monitioering the folder?

Do you have an option in the software settings to chose wehre to locate the txt file?
0
 
GordyjbAuthor Commented:
No, the last file created is the only file that will change in that folder, so I guess it does let me know when the file in question changes.  Now I just need to know if I can get  or create a utility that logs what the change was and what web page was accessed to cause the change.
0
 
Adam314Commented:
I don't know the format that internet explorer uses to store it's history... but it does store the page and the date/time that it was last viewed.

I'm guessing there will be an entry in the history that with time/date corresponds to the cybersitter log file.

i did a quick search for the internet explorer history format, but didn't find anything....
If you could find this, it would not be hard to write a script that monitors the cybersitter file, and looks up the IE history for a matching entry - providing all the info you want in a log file.

If you are using a browser other than IE: which browser are you using?
0
 
noam_dzCommented:
"Now I just need to know if I can get  or create a utility that logs what the change was and what web page was accessed to cause the change."

filemon does this !!!
0
 
GordyjbAuthor Commented:
Well the version of Filemon that I have only logs the time and file that has been modified, it doesnt say what the modification was nor the web page that had the modification filtered from.  

I will try to locate the history file and see how it is formated.
0
 
noam_dzCommented:
you asked for "logs the web page or pop up that cause the need to be filtered"
so filemon tells you this, right?
now you want to know why it is filtered? do I understand correctly?
if so it should be in the options of the Cybersitter  to see hat if not then you have to figure ir out your self no external tool can know Cybersitter  logic.
0
 
GordyjbAuthor Commented:
Im sorry, maybe I am not making myself clear.  Some times the "Cybersitter Log" shows that it filtered a word like 'nude'.  Now through trial and error investitgation, it appears that that work gets filtered every time the "google search page" is loaded.  So I went into the "Cybersitter Options" and gave permission for that page to be viewed because Cybersitter blocks access to the pages that it has to filter something on unless you give it permission to be viewed.  But at the end of the day, "Cybersitter Log" shows a lot of stuff that has been filtered.  What Im interested in knowing is weather these are filtered from innocent pages, i.e. google.com or is the user trying to get on web sites that are innapproriate.  Now, here is an example of the Filemon log: 2006.05.07 10:22:36.859;Existing file '20060507.log' has been updated in 'C:\WINDOWS\system32\Logs\Net\'.  , this is one log entry in filemon log.  And then in an earlier post I showed you what a log entry looks like from Cybersitter.  Now it seems to me that all I really need is something that will stamp what web page the user is veiwing when the entry to the "Cybersitter Log" occurs.
0
 
noam_dzCommented:
Filemon should show you the name of the HTML page which was browsed  (this is done automaticly by  by IE) just double click the html file in filemon.

If you still have a problem just make a search in the computer and make it only with the creation date of the day you are looking for . look in explorer for creation date (which includs the time) notice this is creation time not modifcation time.

also you can post here 10 rows of filemon around the log file.
0
 
GordyjbAuthor Commented:
I do not see an html page listed in the filemon log nor do I see it as an option.  Also, I have windows XP and I have only the option to search for modifications, not creations.  
0
 
Adam314Commented:
Maybe I'm missing something, but I don't think filemon will do everything Gordyjb is asking.  Correct me if any of these are incorrect.

As I understand it:
- When browsing, IE will store it's history in it's own format
- If Cybersitter detects anything inappropriate, it will filter it, and create a log entry (as shown in a previous post) - this does NOT contain which page was being viewed at the time

Gordyjb wants:
- To be able to see what was being viewed when Cybersitter blocked something

Filemon will:
- Monitor a file for changes, and make it's own log of those.  So if monitoring the Cybersitter log - it will tell when the file is changed, and what the change is.  This doesn't solve the problem, because that file (the cybersitter log) doesn't contain the needed information (what page was being viewed).  If filemon can be configured to monitor the Cybersitter log, and provide the page IE was viewing - please provide more details on how to do this.

What I think needs to be done:
- Match the Cybersitter log with the IE log, and determine what pages were being viewed when Cybersitter filtered a page.
0
 
noam_dzCommented:
In "filmon filter" (Options -> filter) include iexplore.exe make sure all  boxes are checked.

this will show you the files saved by IE double click an entry  to et to the directory locate the file and view it.
0
 
noam_dzCommented:
another approach which you might find easier is to use
0
 
noam_dzCommented:
IE history viewer

http://www.nirsoft.net/utils/iehv.html

If you want to prevent anyone from clearing Internet Explorer's History.

http://www.g4tv.com/screensavers/features/506/Sarahs_Windows_Tweak_Lock_Down_IE_History.html
0
 
GordyjbAuthor Commented:
Noam dz, that might be where Im getting confused, I don't seem to have a "filter" option under filemon option.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 8
  • 8
  • 4
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now