Configure File Integrity Monitoring (FIM) - video

Created by Khaled Mohamed, last modified by Erin Stenzel on Sep 06, 2016

Configuring File Integrity Monitoring (FIM)

Resolution

Transcript:

In SolarWinds Log & Event Manager 6.0, we added Real-Time File Integrity Monitoring, or FIM, for Windows. File Integrity Monitoring increases SIEM intelligence with policy-based auditing of file and registry activity, including reads, writes, and deletes. FIM helps you comply with regulations including PCI DSS, HIPAA, and Sarbanes-Oxley, and adds the security intelligence needed to detect insider abuse, zero-day malware, and advanced persistent threats.

In this video, we will take you through the steps of installing, using and customizing this important feature.

Let’s get started setting up FIM.

There are two ways to enable FIM: configure it on individual nodes, or add it to an existing connector profile so that every node using that profile picks it up.

Let’s first demonstrate adding FIM to an individual node using LEM's connectors. Connectors are what connect your LEM manager to data sources: they hook into a new data source and normalize its data so you can manage it consistently in LEM.

From the LEM console, go to "Manage" and select "Nodes". If you don’t have any agent nodes in LEM yet, a wizard will help you along: just click "Add Node".

Since we already have an agent node, click the "Gear" next to it and select "Connectors". All of the available connectors are listed on the right side.

We want to configure FIM, so type FIM in the search box. There are two FIM connectors: one monitors files and directories, the other monitors registry settings. Let’s take a look at the FIM File and Directory connector. Create a new instance of this connector on the node by clicking the "Gear" and then "New". This opens the FIM configuration for this node.

On the left side you can see the templates we've pre-populated to help you get FIM up and running more quickly. In this scenario, we’re deploying FIM to support PCI compliance, so click the "Gear" next to the "PCI for Windows Starter template" and choose "Add to selected monitors". This pushes a copy of the template into the Selected Monitors that will be applied to the node.

To view or modify the template, click the "Gear" next to the applied monitor and choose "Edit". At the top are a name and description. Below them is a summary of the conditions. Conditions tell FIM exactly what you want to monitor: in this template we monitor all of "C:\" recursively, for files ending in .exe, for writes, creates, deletes, and any permission changes. Selecting the condition and clicking "Edit" shows what this looks like in the configuration interface.

The first thing we specify is the directory to watch. Next we decide whether to monitor only the contents of that directory, or all of its sub-directories and their contents recursively. Then we apply a filename mask, using asterisks as wildcards where needed, and select the actions we want to monitor. In this case the standard configuration is fine. For more information about these options, click "Tell Me More".

Looking below, the template notes the specific section of PCI DSS that calls for file integrity monitoring, and directs you to supplement the policy with the files that are critical in your own environment. Let’s do that now.

We could edit the copy of the template we placed in Selected Monitors, or we could add a new custom monitor. Let’s click "Add New". We’ll call our monitor “Company X PCI Files” and give it the description “PCI sensitive files at Company X.”

Next, add a new condition. First, select the directory of interest; for convenience, you can browse the file system of the remote node by clicking "Browse". In this example the directory that matters for PCI compliance is C:\Credit Card Numbers. We want to monitor it recursively, meaning the contents of that directory and all of its sub-directories. For the sake of the example we’ll leave the mask very permissive. Because this is extremely sensitive data, we want a full audit trail that includes access, not just changes, so we monitor creates, reads, writes, deletes, and any permission changes. Keep in mind that auditing reads with a permissive mask on a busy directory can produce a high event volume, so in production keep the directory and mask as narrow as the requirement allows. Save, and the condition now appears as our first condition.

Save again, and this new monitor is now listed in our selected monitors.

We've applied a template and we've added files that are critical in our environment. 

Save once more.
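The monitor we just built can be expressed as data: each condition is a directory, a recursive flag, a filename mask and a set of actions, and a file event is selected when any condition in any applied monitor matches it. The Python below is an added example, not LEM's own code or configuration format; the Condition and Monitor classes, the action names, the host name and the sample events are assumptions constructed for illustration. It applies the two monitors from this walkthrough (the PCI starter template and the Company X custom monitor) to a handful of constructed events and reports which monitor selected each one.

```python
"""Added example: how FIM monitor conditions select file events.
Not LEM code; the data shapes below are assumptions for illustration."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath
from typing import Iterable

# Action names are assumed for this example
ACTIONS = {"create", "read", "write", "delete", "permission"}


@dataclass(frozen=True)
class Condition:
    """One condition of a monitor: what to watch and which actions to audit."""
    directory: str          # root to watch, e.g. "C:\\"
    recursive: bool         # True: include all sub-directories
    mask: str               # filename mask, asterisks allowed, e.g. "*.exe"
    actions: frozenset      # subset of ACTIONS

    def __post_init__(self):
        unknown = set(self.actions) - ACTIONS
        if unknown:
            raise ValueError(f"unknown actions: {sorted(unknown)}")

    def matches(self, path: str, action: str) -> bool:
        if action not in self.actions:
            return False
        target = PureWindowsPath(path)
        root = PureWindowsPath(self.directory)
        # NTFS paths are case-insensitive, so compare lower-cased components
        parent = [p.lower() for p in target.parent.parts]
        base = [p.lower() for p in root.parts]
        if parent[:len(base)] != base:
            return False                  # outside the watched tree
        if not self.recursive and len(parent) != len(base):
            return False                  # in a sub-directory; not wanted
        return fnmatchcase(target.name.lower(), self.mask.lower())


@dataclass(frozen=True)
class Monitor:
    name: str
    conditions: tuple


# The two monitors applied in the walkthrough
PCI_STARTER = Monitor("PCI for Windows Starter", (
    Condition("C:\\", True, "*.exe",
              frozenset({"write", "create", "delete", "permission"})),
))
COMPANY_X = Monitor("Company X PCI Files", (
    Condition(r"C:\Credit Card Numbers", True, "*",
              frozenset({"create", "read", "write", "delete", "permission"})),
))

# Constructed sample events (system, path, user, action); not real captures
SAMPLE_EVENTS = [
    ("PCI-SRV01", r"C:\Windows\Temp\dropper.exe", "CORP\\svc_backup", "create"),
    ("PCI-SRV01", r"C:\Windows\notepad.exe", "CORP\\alice", "read"),
    ("PCI-SRV01", r"C:\Credit Card Numbers\2016\batch.csv", "CORP\\bob", "read"),
    ("PCI-SRV01", r"C:\Credit Card Numbers\readme.txt", "CORP\\bob", "permission"),
    ("PCI-SRV01", r"C:\Users\Public\notes.txt", "CORP\\alice", "write"),
]


def evaluate(monitors: Iterable[Monitor], events):
    """Return (monitor name, event) for every event some condition selects."""
    hits = []
    for ev in events:
        _, path, _, action = ev
        for mon in monitors:
            if any(c.matches(path, action) for c in mon.conditions):
                hits.append((mon.name, ev))
    return hits


if __name__ == "__main__":
    for name, (system, path, user, action) in evaluate([PCI_STARTER, COMPANY_X], SAMPLE_EVENTS):
        print(f"{name}: {action} of {path} by {user} on {system}")
```

Note what the starter template does not catch: the read of notepad.exe is dropped because reads are not in its action set, and the permission change on readme.txt only surfaces because the custom monitor covers that directory with an unrestricted mask.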

Behind the scenes, LEM does the heavy lifting for us. The LEM agent on this node automatically installs the FIM driver that collects file system events. The LEM manager then pushes the configuration we just created to the remote agent and into the driver. The status icon turns green once the driver is up and working, and FIM events should start arriving in the LEM console. Let’s see what we’re getting!

Monitor is the first place to look: it shows events coming in, in real time.

LEM reports that the FIM connector has started on our node, and we’re starting to log some reads. Each event shows the system the activity happened on, the file path and file name, and the user who interacted with the file.

All FIM events are available to use in analytic functions of LEM, including nDepth searches, correlation rules and reports.
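As an added example of the kind of correlation rule those events feed (not a LEM rule definition; the event tuple shape, the host name, the five-minute window and the threshold of three distinct files are assumptions made for illustration), the Python below flags a user who reads several different files under the sensitive directory from this walkthrough within a short window. This is the insider-abuse pattern that auditing reads, rather than only changes, exists to surface.

```python
"""Added example: a sliding-window correlation rule over normalized FIM
read events. Not a LEM rule; parameters and events are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule parameters (assumed for this example)
WINDOW = timedelta(minutes=5)
THRESHOLD = 3                                   # distinct files read by one user
SENSITIVE_TREE = "c:\\credit card numbers\\"    # compared case-insensitively


def correlate_reads(events, window=WINDOW, threshold=THRESHOLD):
    """Alert when one user on one system reads at least `threshold` distinct
    files under SENSITIVE_TREE within `window`.
    Events are (timestamp, system, path, user, action) tuples, in any order.
    Returns a list of (user, system, window_start, distinct_file_count)."""
    recent = defaultdict(deque)     # (user, system) -> deque of (ts, path)
    alerts = []
    for ts, system, path, user, action in sorted(events):
        norm = path.lower()
        if action != "read" or not norm.startswith(SENSITIVE_TREE):
            continue                # only reads inside the sensitive tree count
        q = recent[(user, system)]
        q.append((ts, norm))
        while ts - q[0][0] > window:
            q.popleft()             # drop reads that fell out of the window
        distinct = {p for _, p in q}
        if len(distinct) >= threshold:
            alerts.append((user, system, q[0][0], len(distinct)))
            q.clear()               # one alert per burst, then count afresh
    return alerts


# Constructed sample events (not captured from a real LEM instance)
T0 = datetime(2016, 9, 6, 10, 0, 0)
SAMPLE_EVENTS = [
    (T0, "PCI-SRV01", r"C:\Credit Card Numbers\a.csv", "CORP\\bob", "read"),
    (T0 + timedelta(minutes=1), "PCI-SRV01", r"C:\Credit Card Numbers\b.csv", "CORP\\bob", "read"),
    (T0 + timedelta(minutes=1), "PCI-SRV01", r"C:\Credit Card Numbers\a.csv", "CORP\\alice", "read"),
    (T0 + timedelta(minutes=2), "PCI-SRV01", r"C:\Credit Card Numbers\a.csv", "CORP\\alice", "read"),
    (T0 + timedelta(minutes=2, seconds=30), "PCI-SRV01", r"C:\Credit Card Numbers\2016\c.csv", "CORP\\bob", "read"),
    (T0 + timedelta(minutes=3), "PCI-SRV01", r"C:\Credit Card Numbers\a.csv", "CORP\\alice", "read"),
    (T0 + timedelta(minutes=4), "PCI-SRV01", r"C:\Credit Card Numbers\a.csv", "CORP\\alice", "read"),
    (T0 + timedelta(minutes=12), "PCI-SRV01", r"C:\Credit Card Numbers\d.csv", "CORP\\bob", "read"),
    (T0 + timedelta(minutes=12), "PCI-SRV01", r"C:\Windows\notepad.exe", "CORP\\bob", "read"),
    (T0 + timedelta(minutes=13), "PCI-SRV01", r"C:\Credit Card Numbers\e.csv", "CORP\\bob", "write"),
]

if __name__ == "__main__":
    for user, system, start, count in correlate_reads(SAMPLE_EVENTS):
        print(f"ALERT: {user} on {system} read {count} sensitive files since {start:%H:%M:%S}")
```

Counting distinct paths rather than raw read events is deliberate: alice re-reading the same file four times is an application pattern, while bob touching three different files in under three minutes is the enumeration behaviour worth a rule. The later read by bob at 10:12 does not alert because the earlier burst has already been reported and the window has moved on.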

You should now have all the information you need for a successful deployment of File Integrity Monitoring. For more tips and tricks, or to ask a question, visit the LEM product page on thwack.com.
