Feature Idea: Getting alerts for a change in system as per new software installed

Do anyone has any idea or hack? to track if any change is happening in the server, let’s say any new software installed.

1. Can we check if any changes to program files and program files(x86) directory? because in case of a new software installed these directories will get some changes.

2. Can we track change in HKEY registry location?

New Relic Edit

We take feature ideas seriously and our product managers review every one when plotting their roadmaps. However, there is no guarantee this feature will be implemented. This post ensures the idea is put on the table and discussed though. So please vote and share your extra details with our team.

Hey @Abhinav.Sharma,

Some intriguing ideas there. I’ve filed them as feature requests just now on your behalf, thanks for taking the time to be so detailed with how you’d like to see our product work

I believe they will bring out some values to us. Hope for the best

We’ll be sure to update this thread if we get an update to that feature idea

What about InfrastructureEvents? Won’t they tell you if new software is installed?

Hmm, I wasn’t aware inventory data was queryable…

@Abhinav.Sharma - is there anything in the attribute list Phil shared a link to that would help you to write a query for this?

@RyanVeitch It is not inventory data, it is Infrastructure Events. Infrastructure records an event when a package is installed or updated, no?

Hi @Abhinav.Sharma,

For clarification on this.
The Infrastructure agent does capture the installed packages on your system and it sends it up to Inventory which is not queryable at the moment as @RyanVeitch mentioned.

However, and as @philweber says, every change in Inventory is captured by us and creates an event which is recorded in InfrastructureEvent in Insights.
The way we trigger the creation of those events is simply by comparing the last reported inventory list with the actual one. If something was changed/added/removed we create event for each line that differs from both samples.
So although we don’t have a “Inventory Change” alert feature per se, maybe using the change events will help achieve your goal for now.
If you create a NRQL based alert with a query similar to

SELECT count (*) FROM InfrastructureEvent WHERE changeType IN ('added','removed') AND source='packages/windows_programs'

and trigger an alert when the count is above 0, you will get alerts every time a package is added or removed (in the above case). You can omit the changeType condition if you want to be alerted every time a change happens, even if it’s a minor upgrade in the version of a package.

You can also add more conditions to narrow down on specific packages if you don’t want to receive alerts for all changes.

The only caveat of such an alert is that we don’t have a continuous feed of the event, like in metrics. It happens once and, for example, if our alert is sampling only the last 5 minutes, after 5 minutes it will clear the alert by itself as the change condition is no longer happening.
But at least this will trigger an alert and send you a notification on the channels of your choice so you are aware changes happened on your servers.

Hope this helps!

Hi Ccastro,

Your information helped me a lot, I am getting information now. But unfortunately, I am getting information about all the AWS cloudwatch logs added in the “packages/windows_programs”. when I tried this in the morning when the rush is less, it showed me the exact event that happened when I tried to install a package. but now it is showing everything.

As you mentioned, I can “You can also add more conditions to narrow down on specific packages if you don’t want to receive alerts for all changes.”

So do you have any suggestions where I can drill down to a very specific query where I can get info about (installed, uninstalled) packages and username of the person who did it?

I know it sounds dumb but I am learning this stuff, so it will be a huge opportunity for me to learn.

Hey @Abhinav.Sharma -

Can you share an example of what the results looked like when you did get the right event you were hoping for?

That’ll help us to figure out what specifically we need to narrow down to.

2nd.pdf (123.6 KB)
1st.pdf (24.8 KB)

Hi I have attached two PDF’s.
1st one is the result i got what i wanted for, second is the mixed result. it took everything

Thanks @Abhinav.Sharma

If you try to add in the following clause into the WHERE section after source='packages/windows_programs'

AND changedPath not like '%Cloudwatch%'

This will rule out all Cloudwatch events flooding your query results.

Hi there, thanks! What if i want to get information about the username which deleted or installed the application? can this be track via infra agent?

I don’t think so - I’ve been looking at the insights data and can’t see a way to tie the installation/removal of an application to a username.

Hey pal,

I believe in infrastructure events, user ID gets tracked along with process id.
can we work out something like this?

Hmm… I didn’t see UserID there, which attribute are you looking at?

If your data tracks the User ID then yes, absolutely you can use that you may then have some manual work to do to track a UserID to a user name, but that should get you close to what you need.

hey man, sorry i went off the hook for few days.
Can you elaborate this?

No worries Abhinav… When I looked at data returned by the InrastructureEvent - I did not see any UserID.

Though - if you can get that UserID from the NRQL query, then great, you will need to manually track ID that back to a user email or user name, but if you can find a UserID, then it should get you close to what you need.

Hey Thanks man, i will try to put UserID tag in the NRQL query and try.

Although is there is any way to get list of URL’s under synthetics via NRQL?

Sure! You’ll need to query the SyntheticRequest event:

SELECT count(*) FROM SyntheticRequest SINCE THIS WEEK FACET monitorName, URL