

Configure LEM File Integrity Monitoring (FIM) to monitor Windows files, folders, and registry keys

Updated: September 15, 2017

File Integrity Monitoring (FIM) monitors all file types for unauthorized changes. Using FIM, you can detect changes to critical files to ensure systems have not been compromised.

Please note that FIM does not support the monitoring of network shares. Only local drives are supported.

FIM can detect unauthorized modifications to configuration files, executables, log and audit files, content files, database files, web files, and so on. When FIM detects that a monitored file has changed, it logs an event. The event then prompts LEM to execute the configured action. You can build correlation rules to act as a second-level filter that sends an alert only when certain patterns of activity occur (not just single instances). When an alert is triggered, the data is in context with your network and other system log data.
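The "second-level filter" described above, a rule that fires on a pattern of FIM events rather than on any single change, can be expressed as a sliding-window count. The following Python is an added example written for this page; it is not LEM code or an exported LEM rule. The event field names (`time`, `user`, `path`, `op`) and the sample events are constructed, and the policy it encodes (three or more Write/Delete operations by one user within 60 seconds) is an assumed one chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample FIM change events (not real LEM output). The field names
# are assumptions made for this example; LEM normalizes its events differently.
SAMPLE_EVENTS = [
    {"time": "2017-09-15T10:00:01", "user": "svc_backup",
     "path": r"C:\Program Files\App\app.exe", "op": "Write"},
    {"time": "2017-09-15T10:00:05", "user": "jdoe",
     "path": r"C:\Windows\System32\drivers\etc\hosts", "op": "Write"},
    {"time": "2017-09-15T10:00:09", "user": "svc_backup",
     "path": r"C:\Program Files\App\helper.exe", "op": "Write"},
    {"time": "2017-09-15T10:00:20", "user": "svc_backup",
     "path": r"C:\Program Files\App\updater.exe", "op": "Delete"},
    {"time": "2017-09-15T10:05:00", "user": "svc_backup",
     "path": r"C:\Program Files\App\app.exe", "op": "Read"},
]


def correlate(events, ops=("Write", "Delete"), threshold=3, window_seconds=60):
    """Second-level filter over single FIM events.

    Emits one alert whenever the same user performs `threshold` or more of the
    given operations within `window_seconds`. A lone change (jdoe above) passes
    through without an alert; only the burst pattern does.
    """
    recent = defaultdict(deque)   # user -> (timestamp, path) of qualifying events
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["op"] not in ops:
            continue                 # Reads are not part of this rule
        now = datetime.fromisoformat(ev["time"])
        window = recent[ev["user"]]
        window.append((now, ev["path"]))
        # Slide the window: drop anything older than window_seconds.
        while now - window[0][0] > timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) >= threshold:
            alerts.append({
                "user": ev["user"],
                "count": len(window),
                "first": window[0][0].isoformat(),
                "last": now.isoformat(),
                "paths": [p for _, p in window],
            })
            window.clear()   # one burst yields one alert; a later burst alerts again
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT {a['user']}: {a['count']} changes between "
              f"{a['first']} and {a['last']}: {a['paths']}")
```

Run as-is, the sample yields a single alert for `svc_backup` covering the three executable changes between 10:00:01 and 10:00:20; the single change by `jdoe` and the later Read are not reported. Tightening the window to a few seconds or raising the threshold makes the same stream produce no alert, which is the behaviour a pattern rule should have.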

Features of FIM

  • Monitor real-time access and identify users who change files and registry keys
  • Configure file and directory logic and registry keys and values to monitor different types of access (create, write, delete, change permissions/metadata)
  • Standardize configurations across many systems
  • Configure monitoring templates to monitor the basics and create and customize your own monitors
  • Configure templates for rules, filters, and reports to assist in including FIM events

Add a FIM connector to an Agent to monitor a node

First add the FIM connector to an Agent, and then customize it. You can assign one instance of a FIM File and Directory connector, and one instance of a FIM Registry connector to an Agent.

Step 1: Add a FIM connector to a node

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. Click Manage > Nodes.

  3. Select a node to monitor.

  4. Click the gear icon and select Connectors.

  5. Type FIM in the Refine Results pane.

    FIM Registry and FIM File and Directory connectors display in the search results.

  6. Select either the FIM File and Directory connector, or the FIM Registry connector.

  7. Click the gear icon and select New.

    The FIM Connector configuration screen opens.

  8. Do one of the following:

    • Select a template from the Monitor Templates section. Several monitoring templates are available to assist you in creating custom templates and configurations.

      Click the gear icon and select Add to selected monitors.

      The monitor template moves to the Selected Monitor section.

    • Click Add Custom Monitor in the Selected Monitors section.

Step 2: Configure rules and specific actions for your monitored files

  1. In the Selected Monitors section, click the gear icon next to the monitor you added in Step 1, and then choose Edit Monitor.

  2. Enter a monitor name and description.

  3. Click Add New to add conditions to the monitor.

    The Add Condition configuration screen opens.

  4. Complete the Add Condition form and click Save. See Add conditions to a directory that FIM is watching for help completing the form.

  5. Click Save Changes to save the monitor configuration for this FIM connector.

  6. Click Save to save the FIM connector configuration for this Agent.

Editing Monitors

  1. Select a Monitor from the Selected Monitors pane.

  2. Click the gear icon and select Edit monitor.

Promoting a Monitor to a Template

  1. Select the Monitor to be promoted.

  2. Click the gear icon and select Promote monitor to template.

  3. Click Yes to promote this monitor to a template. The monitor is now available in the Monitor Templates pane.

Deleting a Monitor

  1. Select the monitor to be deleted.

  2. Click the gear icon and select Delete.

  3. Click Remove. The monitor is then removed from the Selected Monitors pane.

Add conditions to a directory that FIM is watching

  1. Click Add New in the Conditions window.

  2. Click Browse to select a File and Directory or a Registry key to watch.

  3. Click OK.

  4. Select whether the files are recursive or non-recursive. Refer to the table below for more information.

     Recursive: The selected folder and all of its sub-folders that match the given mask are monitored for the selected operations.

     Non-recursive: Only the files in the selected folder are monitored.

  5. Enter a Mask using the asterisk (*) as a wildcard, for example: *exe or directory*

  6. For a FIM File and Directory, select Create, Read, Write, and Delete for Directory, File, Permissions, and Other operations. For a FIM Registry, select Create, Read, Write, and Delete for Key and Value operations.

    For information about the "Other" option, refer to the Microsoft MSDN information.

  7. Click Save.

Editing Conditions

  1. Select the condition to be edited in the Conditions window.
  2. Click Edit.
  3. Click Browse to select a File and Directory or a Registry key to watch.
  4. Click OK.
  5. Select whether the files are recursive or non-recursive. Refer to the table below for more information.

     Recursive: The selected folder and all of its sub-folders that match the given mask are monitored for the selected operations.

     Non-recursive: Only the files in the selected folder are monitored.

  6. Enter a Mask. For example, *exe or directory*.
  7. For a FIM File and Directory, select Create, Read, Write, and Delete for Directory, File, Permissions, and Other operations. For a FIM Registry, select Create, Read, Write, and Delete for Key and Value operations. For more information on Other, refer to the Microsoft MSDN information.
  8. Click Save.

Deleting Conditions

  1. Select the condition to be deleted in the Conditions window.
  2. Click Delete.
  3. Click Remove.

FIM connector advanced settings

  1. Complete the Advanced Connector Settings form according to the device you're configuring. The following fields/descriptions are common for most connectors:
Log Directory

When you create a new alias for a connector, LEM automatically places a default log file path in the Log Directory field. This path tells the connector where the operating system stores the product’s event log file.

In most cases, you should be able to use the default log file path that is shown for the connector. These paths are based on the default vendor settings and the product documentation for each product. If a different log path is needed, change the log file location manually:

  1. Enter or paste the correct path in the Log Directory field.
  2. Stop the Agent.
  3. Manually update the corresponding property in the Agent's spop.conf file:
    • com.solarwinds.lem.fim.minifilter.fs
      LogLocation for a File and Directory connector. This appears as %SystemDrive%\\Mylocation\\FileSystem in the config file.
    • com.solarwinds.lem.fim.minifilter.registry
      LogLocation for a Registry connector. This appears as C:\\My other log location\\Registry in the config file.
  4. Restart the Agent.
Log Data Type to Save

Select either nDepth, Alert, or Alert, nDepth. To store a copy of the original log data in addition to normalized data, change the Log Data Type to Save to Alert, nDepth. Storage for original log data must also be enabled on the appliance.

nDepth Host

If you are using a separate nDepth appliance (other than LEM), type the IP address or host name for the nDepth appliance. Generally, the default setting is correct. Only change it if you are advised to do so.

nDepth Port

If you are using a separate nDepth appliance (other than the SolarWinds LEM), type the port number to which the connector is to send nDepth data. Generally, the default setting is correct. Only change it if you are advised to do so.

Sleep Time

Type or select the time (in seconds) the connector sensor is to wait between event monitoring sessions. The default (and minimum) value for all connectors is one (1) second. If you experience adverse effects due to too many rapid readings of log entries, increase the Sleep Time for the appropriate connectors.

Windows NT-based connectors automatically notify Windows Event Log sensors of new events that enter the log file. Should automatic notification stop for any reason, the Sleep Time dictates the interval the sensor is to use for monitoring new events.

Wrapper Name

This is an identification key that the SolarWinds LEM uses to uniquely identify the properties that apply to this particular connector. This is read-only information for SolarWinds reference purposes.

Tool Version

This is the release version for this connector. This is read-only information for reference purposes.
Enable Connector Upon Save

When this option is selected, the connector starts when you click Save.

  2. After completing the form, click Save.
  3. If you did not select the Enable Connector Upon Save option, navigate to the Connectors list, click the gear icon next to the new connector (denoted by an icon in the Status column), and then select Start.
  4. After starting the connector, verify that it is working by checking for events on the Monitor tab.