Set up file integrity monitoring

Created by Caroline Juszczak, last modified by Kevin.Swinson on Oct 25, 2017


You can use File Integrity Monitoring (FIM) to monitor system and user file activity to protect your sensitive information from theft, loss, and malware.

Using log files to record suspicious activity, you can detect changes to critical files and registry keys to ensure they are not accessed or modified by unauthorized users. FIM also ensures your systems comply with regulatory requirements, including Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act of 1996 (HIPAA), and Sarbanes-Oxley.

After you install and integrate FIM with your LEM appliance, you can:

  • Monitor file changes and access in real time
  • Detect insider abuse using file audits and intelligent correlation rules
  • Enhance your anti-virus software capabilities by detecting viruses that masquerade as similarly named files
  • Integrate Active Directory to disable user accounts and change user or group rights
  • Track file and directory access to critical files and registry keys
  • Identify changes to critical registry keys
  • Identify unwarranted file changes from zero-day malware and advanced persistent threat (APT) attacks

You can enable FIM by adding a FIM connector to a node or adding FIM to an existing connector profile.   

Add a FIM connector to a node

  1. Log in to your LEM console as an administrator.
  2. Click Manage > Nodes.
  3. Locate your targeted node in the Nodes grid.

    Ensure the node has a green status icon.

  4. Click the gear button next to your targeted node and select Connectors.
  5. Enter FIM in the Refine Results search field.
  6. In the Connectors grid, click the gear button next to your selected connector and click New.
  7. Click the gear button next to your desired template and select Add to selected monitors.

    A template copy is moved to the selected monitors to be applied to the node.


  8. Click Save.
  9. (Optional) Add conditions to the template.
    1. Click the gear button next to the template and select Edit monitor.


    2. Select the conditions you want LEM to monitor.


    3. Click Edit.
    4. In the Add Condition window, click the drop-down menu and select All Keys/Values (recursive) or Keys/Values (non-recursive).

      All Keys/Values (recursive) selects the folder and all sub-folders that match the given mask.

      Keys/Values (non-recursive) selects only the files in the selected folders to monitor.


      Click Tell me more for information about your configuration options.

    5. Enter a mask (for example, *.exe or directory*).


    6. Select the actions you want to monitor.


    7. (Optional) Click Add Another Condition.
    8. Click Save.
  10. Click Save Changes.

    The LEM agent on your node installs the FIM driver that collects the file system events. Next, LEM pushes the configuration you created to the remote agent and into the driver. In the Nodes grid, the FIM status icon turns green, indicating the driver is working properly.
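Before saving a condition, it helps to preview which files a mask and the recursive or non-recursive choice in step 9 would actually select, and which files stay unmonitored. The following is an added example, not SolarWinds code: the function names and sample tree are hypothetical, and it assumes the mask is a shell-style wildcard compared case-insensitively with the file name only, which may differ from LEM's own matching.

```python
import fnmatch
import os
import tempfile

def in_scope(root, mask, recursive):
    """Return relative paths of files under root that a condition would select.

    Assumption: the mask is a shell-style wildcard compared case-insensitively
    with the file name only; LEM's own matching may differ.
    """
    selected = []
    for folder, subdirs, files in os.walk(root):
        for name in files:
            if fnmatch.fnmatchcase(name.lower(), mask.lower()):
                rel = os.path.relpath(os.path.join(folder, name), root)
                selected.append(rel.replace(os.sep, "/"))
        if not recursive:
            subdirs.clear()  # stop os.walk from descending into sub-folders
    return sorted(selected)

def coverage_gaps(root, conditions):
    """Files under root that no (mask, recursive) condition selects."""
    covered = set()
    for mask, recursive in conditions:
        covered.update(in_scope(root, mask, recursive))
    return [p for p in in_scope(root, "*", True) if p not in covered]

def build_sample_tree(root):
    """Constructed sample layout, not taken from a real system."""
    for rel in ("app.exe", "readme.txt", "bin/helper.exe", "bin/plugins/hook.dll"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        print("non-recursive *.exe:", in_scope(root, "*.exe", False))
        print("recursive *.exe:    ", in_scope(root, "*.exe", True))
        print("not monitored:      ", coverage_gaps(root, [("*.exe", True)]))
```

In the sample tree, a recursive `*.exe` condition still leaves `bin/plugins/hook.dll` unmonitored, the kind of gap that Add Another Condition is meant to close.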

