Shell Command Source

Definition

Protocol

Action

 

 

Description

Execute the shell Command every TimeInterval using Shell, setting the first FieldName to its output, the second FieldName to its error output and the third FieldName to its return status.

 

 

Comments

Event Field     Contents
ev:host         hostname
ev:app          %Shell% %Command%
ev:log          Shell command
ev:srctime      Source time
ev:protocol     Shell command

If Command is missing, blank or invalid, the source will be disabled.

If Shell is missing, blank or invalid, it will default to "/bin/sh -c" for Unix and "cmd.exe" for Windows.

If the first FieldName is missing, blank or invalid, it defaults to ev:msg. If the other FieldName parameters are missing, blank or invalid, their values are not set.

If the TimeInterval is zero, empty, or missing, the command will only be executed once at the beginning of the ECS session.

The TimeInterval starts when the command is initiated, but another command will not be sent until the prior command has completed.

When the shell command completes, the event is released into the stream after creating the following event fields:

ev:shellCommand.StartTime = StartingTime
ev:shellCommand.EndTime = EndingTime
ev:shellCommand.ExecutionSecs = time in seconds for shell command to execute
ev:shellCommand.CommandString = the shell command string that was executed
ev:shellCommand.ProcessId = process ID, if available

Typically, Shell is set to "/bin/sh -c" for Linux and "c:\cmd.exe \C" for Windows, which allows multiple commands to be executed in Command. Under Linux, the commands execute with the UID and environment of the ECS and '/' as the current working directory; under Windows, they execute with the privileges of the ECS process and 'C:\' as the working directory.

 

Example

<source objectId="ShellCmdSource" type="ShellCommandSource" stdout="FS.DemoAlive">
	<parameter type="Shell">C:\command.com \C</parameter>
	<parameter type="Command">C:\Program Files\EventGnosis\bin\cleanLogs -d -t</parameter>
	<parameter type="FieldName">ev:msg2</parameter>
	<parameter type="FieldName">ev:msg3</parameter>
	<parameter type="FieldName">ev:msg4</parameter>
	<parameter type="TimeInterval">
		<time>12</time>
		<units>hr</units>
	</parameter>
</source>
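
The defaulting and scheduling rules from the Comments section, applied to a source definition of the form shown above. This is an added example in Python, not EventGnosis code: the `resolve` and `next_start` functions, the unit table and the sample definition are assumptions made for illustration, and only missing or blank values are handled because the page does not define what makes a value invalid.

```python
import xml.etree.ElementTree as ET

# Assumption: only "hr" appears on the page; an unknown unit is treated as zero.
UNIT_SECS = {"sec": 1, "min": 60, "hr": 3600}

def resolve(source_xml, windows=False):
    """Return the effective settings of one ShellCommandSource definition."""
    src = ET.fromstring(source_xml)
    by_type = {}
    for p in src.findall("parameter"):
        by_type.setdefault(p.get("type"), []).append(p)

    def first_text(name):
        nodes = by_type.get(name, [])
        return (nodes[0].text or "").strip() if nodes else ""

    command = first_text("Command")
    if not command:                       # missing or blank Command: source disabled
        return {"enabled": False}
    shell = first_text("Shell") or ("cmd.exe" if windows else "/bin/sh -c")
    names = [(n.text or "").strip() for n in by_type.get("FieldName", [])]
    names += [""] * (3 - len(names))      # pad to output, error output, status
    interval = 0                          # 0 means "run once at session start"
    for ti in by_type.get("TimeInterval", [])[:1]:
        amount = (ti.findtext("time") or "").strip()
        unit = (ti.findtext("units") or "").strip()
        if amount.isdigit():
            interval = int(amount) * UNIT_SECS.get(unit, 0)
    return {"enabled": True, "shell": shell, "command": command,
            "stdout_field": names[0] or "ev:msg",   # only the first has a default
            "stderr_field": names[1] or None,
            "status_field": names[2] or None,
            "interval_secs": interval}

def next_start(start, end, interval_secs):
    """Earliest start of the next run, or None when the command runs only once."""
    if interval_secs <= 0:
        return None
    # The interval counts from initiation, but runs never overlap.
    return max(start + interval_secs, end)

# Constructed sample: no Shell, one FieldName, 12 hr interval.
SAMPLE = """<source objectId="Demo" type="ShellCommandSource">
  <parameter type="Command">uptime</parameter>
  <parameter type="FieldName">ev:msg2</parameter>
  <parameter type="TimeInterval"><time>12</time><units>hr</units></parameter>
</source>"""

if __name__ == "__main__":
    print(resolve(SAMPLE))
    print(next_start(0, 50000, resolve(SAMPLE)["interval_secs"]))
```

Running a definition through `resolve` before deployment shows which shell will actually be invoked with the ECS privileges when the Shell parameter is omitted.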

Event Mapping

Resulting XML:

<event xmlns:ev="http://www.eventgnosis.com/">
	<ev:host>joeHost</ev:host>
	<ev:app>D\Program Files\EventGnosis\logs\textLog3.txt</ev:app>
	<ev:log>Shell Command</ev:log>
	<ev:protocol>Text Log</ev:protocol>
	<ev:msg2> This new line with &lt;/event&gt; inside has just arrived in the end of log.</ev:msg2>
	<ev:msg3></ev:msg3>
	<ev:msg4>0</ev:msg4>
	<ev:shellCommand.StartTime> Feb 25 2003 12:34:56 </ev:shellCommand.StartTime>
	<ev:shellCommand.EndTime> Feb 26 2003 23:10:05 </ev:shellCommand.EndTime>
	<ev:shellCommand.ExecutionSecs>13</ev:shellCommand.ExecutionSecs>
	<ev:shellCommand.CommandString> C:\command.com \C C:\Program Files\EventGnosis\bin\cleanLogs -d -t </ev:shellCommand.CommandString>
	<ev:shellCommand.ProcessId>32786</ev:shellCommand.ProcessId>
	<ev:shellCommand.ErrorStatus>-32</ev:shellCommand.ErrorStatus>
	<ev:shellCommand.ExitCode>1</ev:shellCommand.ExitCode>
</event>