To monitor sensitive files and folders on your network, enable file auditing in Windows. You can configure file auditing to log an event any time a user accesses, modifies, or deletes an audited file. For best results, audit only the specific files and folders that you want to monitor. Enabling auditing on unimportant files and folders creates an unnecessary burden on your LEM appliance.
There are two ways to enable file auditing in Windows. Method one uses LEM File Integrity Monitoring (FIM). Method two uses native Windows auditing. Both methods require that you have the LEM Agent installed on the Windows instance that you are monitoring. SolarWinds recommends that you enable auditing on a file server, but you can also enable auditing on client machines if needed.
To get started, choose one of the following methods (but not both).
- Open the LEM Console and choose Manage > Nodes.
- Click next to an agent whose files you want to monitor, then select Connectors.
- Search for File Integrity Monitoring (FIM) in the Refine Results pane.
- Click next to the connector, then select New to create a new FIM connector for this agent.
- You can choose a predefined template from the Monitor Templates pane, or create a custom monitor by performing the following steps:
  a. Click Add Custom Monitor in the Selected Monitors pane.
  b. Assign a name and description (optional).
  c. Click Add New Button.
  d. Click Browse to search for the directory that you want to monitor, then click OK.
  e. Specify which kind of files you want to monitor in the with mask field.
  f. Select the operations that you want to monitor, then click Save.
  g. Repeat steps a through f for every directory or file type that you want to monitor.
- Click Save.
The new monitor appears in the Selected Monitors pane.
You have the option to promote this custom monitor to a template.
You can create a Connector Profile under Build > Groups to apply a common set of connector configurations to the agents that are placed under this profile.
If you do not want to use File Integrity Monitoring (FIM), enable native Windows auditing using the following steps. If Windows is logging the events and your server has a LEM Agent installed on it, your LEM Console will start displaying the new file auditing alerts immediately.
- Locate the file or folder that you want to audit in Windows Explorer.
- Right-click the file or folder, and then click Properties.
- Click the Security tab, and then click Advanced.
- Click the Auditing tab.
- If you are using Windows Server 2008, click Edit.
- Click Add.
- For the selected file or folder, enter the name of a user or group that you want to audit.
For example, enter
- Click Check Names to validate your entry, and then click OK.
- Select Success and Failure next to Full control to audit everything for the selected file or folder.
- (Optional) Clear Success and Failure for unwanted events, such as:
  - Read attributes
  - Read extended attributes
  - Write extended attributes
  - Read permissions
- Click OK in each window until you are back at the Windows Explorer window.
- Repeat these steps for all of the files or folders that you want to audit.
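The native auditing steps above can also be scripted when many files or folders need the same audit entry. The following PowerShell is an added example, not part of the SolarWinds procedure; the paths and the audited group are constructed placeholders, and it assumes an elevated session on the server being audited.

```powershell
# Added example: scripted form of the Explorer auditing steps. Run elevated.
# $paths and $principal are constructed placeholders; substitute your own values.
$paths     = @('D:\Shares\Finance', 'D:\Shares\HR\salaries.xlsx')
$principal = 'EXAMPLE\FileShareUsers'

# Start from Full control, then clear the four optional rights listed above
# so that attribute and permission reads do not flood the Security log.
$full   = [System.Security.AccessControl.FileSystemRights]::FullControl
$noisy  = [System.Security.AccessControl.FileSystemRights]'ReadAttributes, ReadExtendedAttributes, WriteExtendedAttributes, ReadPermissions'
$rights = [System.Security.AccessControl.FileSystemRights]([int]$full -band (-bnot [int]$noisy))

# Audit both Success and Failure, as selected in the Auditing tab.
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None

foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping missing path: $path"
        continue
    }

    # Folders pass the entry down to child files and subfolders; a single file
    # takes the three-argument rule because inheritance flags do not apply to it.
    $rule = if (Test-Path -LiteralPath $path -PathType Container) {
        New-Object System.Security.AccessControl.FileSystemAuditRule($principal, $rights, $inherit, $noProp, $flags)
    } else {
        New-Object System.Security.AccessControl.FileSystemAuditRule($principal, $rights, $flags)
    }

    # -Audit loads the SACL; without it Get-Acl returns only the permission entries.
    $acl = Get-Acl -LiteralPath $path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl

    # Read the SACL back to confirm the entry was written.
    (Get-Acl -LiteralPath $path -Audit).Audit |
        Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
}

# Audit entries only produce events when Windows is logging file system access.
# This reports the current setting without changing it.
auditpol /get /subcategory:"File System"
```

If `auditpol` reports No Auditing for the File System subcategory, the audit entries are stored on the files but Windows writes no events for the LEM Agent to forward.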