File Integrity Monitoring - Monitoring changes to files and folders
File Integrity Monitoring is a feature that helps you monitor all changes (addition/deletion/modification) to your Windows system files and folders. You can generate and schedule reports that give you precise details on the integrity of your files. You can also trigger alerts in real time when changes are made to specific files or folders by setting up alert profiles.
Requisites for file monitoring
- The Windows machine whose files/folders are to be monitored must be added as a device in EventLog Analyzer.
- An agent should be installed on that machine. An agent can monitor files and folders only on the machine where it is installed.
Configuring File Integrity Monitoring
To configure File Integrity Monitoring, go to either:
- Home tab > File Monitoring > Actions: Add (above the Monitoring list), or
- Settings tab > Configurations: File Monitoring > Add
If you want to monitor the files/folders in a location that is the same across various devices, you can save the location as a template and assign it to a number of devices.
In the 'Assign device' field, you can either select the device from the auto-complete list or type the name of the device whose files/folders are to be monitored. You can select/enter multiple devices only if the files/folders are in the same location across all the devices.
In the 'Location(s)/File(s)' field, type the location (absolute path) of the files/folders that need to be monitored. Alternatively, you can import a text file that contains the location by clicking on the Import button. Select Enable Settings if you wish to additionally track which users make changes to the files and folders you are monitoring.
'Exclude' gives you the option to exclude certain sub-folders (contained in the folder you have specified above) from monitoring. Specify their location in this field.
Save the configuration by clicking on 'Save Monitoring'.
1. If an agent is already installed on the device whose files you want to monitor, file monitoring will automatically be enabled in the agent.
2. For versions prior to Build #8050, if you are already using an agent for log collection, it will be uninstalled and a version 8050 agent will be installed.
3. If no agent is installed on the device whose files you want to monitor, an agent will be installed and file monitoring will be enabled in the agent.
Importing Text File
- Browse for and select the text file that contains the location of the files/folders that are to be monitored.
- Click on Import to import the text file.
- If you wish to know which users initiate changes to specific files and folders, select the Username checkbox next to the required paths.
- If you require the above information only for specific file types, specify the file types you wish to include/exclude for each path.
Note: Enabling Username via Object Access is a resource-intensive process.
File Integrity Monitoring Dashboard
Once you have configured devices for monitoring, you can access the File Integrity Monitoring dashboard, which is a section of the Home tab in EventLog Analyzer.
- The graph presents an overview of all changes made to the added files and folders.
- The table displays the changes made on each device.
With the +Add Alert option, you can trigger an alert whenever changes occur to the added files and folders.
Generating and Scheduling Reports for File Monitoring
To generate file monitoring reports, click on a device that has the files/folders for which you need the report. This opens the File Monitoring Report page.
For the selected device, the File Integrity Monitoring Report shows a graph and a table of the changes made to individual files/folders.
- The File Integrity Monitoring report of a particular device can be exported in PDF/CSV format by clicking on the export icon.
- In the Criteria section, you have the Location Filter and Save Report options.
  - Location Filter allows you to filter the location of the files/folders that are being monitored on that device.
  - You can save the report and schedule it at regular intervals:
    - Provide the name for the report and the location where the report is to be saved.
    - To schedule the report at regular intervals:
      - Specify whether the report is to be scheduled Once or at regular intervals. If you want to schedule the report at regular intervals, specify the time interval (hourly, daily, weekly, monthly) at which the report is to be generated automatically.
      - Specify the exact time at which the report is to be generated. If the report is scheduled hourly/daily, specify the exact hour and minute at which the report is to be generated. If the report is scheduled weekly, specify the Day, Hour and Minute at which the report is to be generated. If you have chosen a monthly schedule for the report, specify the Date, Hour and Minute at which the report is to be generated.
    - Choose from the list the time period for which the report is to be generated. You can generate the report for Previous Hour, Last 60 minutes, Previous day, Last 24 hours, Previous Week, Last 7 days, Previous Month and Last 30 days. Use the Time Filter option to select the time range for which the report is to be generated. You can select either the Working Hours or the Non-working Hours time range. You can also define a Custom Time range for the report.
    - You can also select the report format from the PDF and CSV options.
    - To redistribute the reports via email, specify the email id(s) in the Email To option. You can specify multiple email ids separated by a comma.
Note: You can change the working and non-working hour settings in the Settings panel.
Note: Before redistributing the report through email, ensure an email server is configured.
- The graphical dashboard gives you the Event Count corresponding to the Change type. You can drill down to raw logs from this graph.
- The FIM Reports table gives you detailed information on changes in the file(s)/folder(s). It gives you the file location, the user who made the change, the change type (file creation, file deletion, modification, rename) and the time of change. You can drill down to raw logs from this table.
Setting up an alert for File Integrity Monitoring
With EventLog Analyzer, you can trigger an alert when any changes occur to the files/folders being monitored.
Provide a unique name for your alert profile.
Choose the criticality level from High, Medium and Low for the alert profile.
A File Integrity Monitoring alert can only be set up for a device where File Integrity Monitoring has been configured. Only those devices will be available for selection in the 'Select Device/Group' field. You can select the Windows device group as a whole to configure the alert for all the devices added for monitoring. You can also select individual devices as per your requirement.
You can trigger the alert for any creation, deletion, modification or rename in the files/folders added for monitoring. The Location(s) field narrows down your alerting criteria. Instead of generating alerts for changes in the entire file/folder, you can specify that the alert is to be triggered for changes in any sub-files/sub-folders of the location specified in this field.
Note: When you have set up the alert for multiple devices, ensure that the location of the file/folder you specified exists and is the same for all the devices.
The triggered alert can be sent via Email or SMS. You can also remediate the alert condition by running a script using the Run Program option. Before setting up the alert notification, you need to configure the Email and SMS settings.
Click on the Add Alert Profile button to save the alert profile.
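Both the 'Assign device' step and the alert Note above require a location to exist and be identical on every selected device. The following PowerShell check is an added example, not part of EventLog Analyzer; the device names and paths are constructed placeholders, and it assumes PowerShell remoting is enabled on the devices.

```powershell
# Added example: placeholders only, replace with your own devices and paths.
$Devices   = @('FILESRV01', 'FILESRV02')              # hypothetical device names
$Locations = @('C:\Windows\System32\drivers\etc',     # sample absolute paths
               'D:\Finance\Payroll')

# Runs on each device: report whether each location exists and what it is.
$probe = {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        $type = 'Missing'
        if ($item) {
            if ($item.PSIsContainer) { $type = 'Folder' } else { $type = 'File' }
        }
        [pscustomobject]@{ Location = $p; Type = $type }
    }
}

$results = @(Invoke-Command -ComputerName $Devices -ScriptBlock $probe `
    -ArgumentList (,$Locations) -ErrorAction SilentlyContinue)

# A location suits a shared template or a multi-device alert only when every
# device answered and all of them report the same, non-missing type.
$results | Group-Object Location | ForEach-Object {
    $types = @($_.Group.Type | Sort-Object -Unique)
    [pscustomobject]@{
        Location   = $_.Name
        Consistent = ($_.Count -eq $Devices.Count) -and
                     ($types.Count -eq 1) -and ($types[0] -ne 'Missing')
        Detail     = ($_.Group |
                      ForEach-Object { "$($_.PSComputerName)=$($_.Type)" }) -join ', '
    }
} | Format-Table -AutoSize

# Devices that returned nothing were not checked and need a manual look.
$answered = @($results.PSComputerName | Sort-Object -Unique)
$Devices | Where-Object { $_ -notin $answered } |
    ForEach-Object { Write-Warning "Not checked (unreachable): $_" }
```

A location reported with Consistent = False should be fixed on the device or given its own per-device configuration before it is used for several devices at once.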