
Configure File Integrity Monitoring (FIM) - video

 Updated September 6th, 2016

Configuring File Integrity Monitoring (FIM)




In SolarWinds Log & Event Manager 6.0, we added Real-Time File Integrity Monitoring, or FIM, for Windows. File Integrity Monitoring increases SIEM intelligence with policy-based auditing of file and registry activity, including reads, writes and deletes. FIM will help you comply with regulations including PCI DSS, HIPAA, and Sarbanes-Oxley, as well as increase security intelligence to detect insider abuse, zero-day malware and advanced persistent threats.


In this video, we will take you through the steps of installing, using and customizing this important feature.


Let’s get started setting up FIM.


There are two ways to enable FIM.  The first is to configure individual nodes and the second is to add FIM to an existing connector profile.


Let’s first demonstrate adding FIM to an individual node using LEM's connectors. Connectors are what connect your LEM manager to data sources.  Connectors hook into the new data source and normalize the data so you can manage it consistently in LEM. 


From the LEM console, let's go to "Manage" and select "Nodes". If you don’t have any agent nodes in LEM, we have a wizard to help you along: just click add node.


Since we already have an agent node, we will click on the "Gear" and click "Connectors".  You can see all of the connectors available on the right side.


We want to configure FIM, so I’ll type FIM in the search box.  We have two FIM connectors: one to monitor files, and the other to monitor registry settings.  Let’s take a look at the FIM File and Directory connector.  We’ll create a new instance of this connector on the node by clicking the "Gear" and clicking "New".  This brings me into FIM configuration for this node.


As you can see, on the left side we've pre-populated some templates to help you get FIM up and running more quickly.  In this scenario, we’re looking to deploy FIM to support PCI compliance.  We’ll click the "Gear" next to the "PCI for Windows Starter template" and click "Add to selected monitors".  This pushes a copy of the template over to the Selected Monitors that will be applied to the node.


To view or modify the template, click on the "Gear" next to the applied monitor, and click "Edit".  At the top we have a name and description.  Next, we have a summary of our conditions.  Conditions tell FIM exactly what you want to monitor.  In the template we monitor all of "C:/" recursively, for files ending in .exe, for file writes, creates, and deletes and any permission changes.  Selecting the monitor and clicking "Edit" allows us to see what this looks like in the configuration interface.


The directory we want to watch is the first thing we specify.  We decide if we want to monitor the contents of that directory only or if we want to monitor all sub-directories and their contents recursively.  We apply a mask here, using asterisks as needed, and we select what actions we want to monitor. In this case we are happy with the standard configuration. For more information about these configuration options, click "Tell Me More". 


Looking below, we see this template talks about one of the specific sections of PCI that calls out FIM.  Additionally, it directs you to supplement the policy with files that are critical to your specific environment. Let’s do that now.

We could edit this instance of the template that we've copied to selected monitors or we could just add a new custom monitor.  Let’s "Add New". We’ll call our monitor template “Company X PCI Files” and give it a description of “PCI sensitive files at Company X.”


Next, we’ll add a new condition. First, select the directory we’re interested in.  For ease of use, we can browse the file system on the remote node by clicking "Browse". This seems like an important directory for PCI compliance: C:\Credit Card Numbers.  For that directory, we want to monitor all files recursively, meaning  the contents of that directory and all sub-directories.  For the sake of our example, we’ll leave the mask very permissive.  This is extremely sensitive data so we will gather a full audit log including accessing files, not just changes, so let’s monitor creates, reads, writes, deletes, and any permissions changes.  Save this, and we see it’s now our first condition.


Save again, and this new monitor is now listed in our selected monitors.


We've applied a template and we've added files that are critical in our environment. 


Save once more.
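To check which file events the two selected monitors would audit before relying on them, the conditions described above can be modeled in a few lines. This is an added example, not SolarWinds code or LEM's configuration format; the action names, the `*` mask for the custom monitor, and the matching rules (whole path components, case-insensitive) are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

# Illustrative model of a FIM condition as the walkthrough describes it:
# directory, recursive flag, file mask, monitored actions. Not LEM's format.
@dataclass(frozen=True)
class Condition:
    directory: str
    recursive: bool
    mask: str
    actions: frozenset

def matches(cond, path, action):
    """Return True if a file event (path, action) falls under the condition."""
    if action not in cond.actions:
        return False
    target = PureWindowsPath(path)
    # Compare whole path components, case-insensitively as Windows does,
    # so "C:\Credit Card Numbers Backup" is not treated as a sub-directory.
    parent = [p.lower() for p in target.parent.parts]
    root = [p.lower() for p in PureWindowsPath(cond.directory).parts]
    in_scope = parent[:len(root)] == root if cond.recursive else parent == root
    return in_scope and fnmatchcase(target.name.lower(), cond.mask.lower())

CHANGES = frozenset({"create", "write", "delete", "permission"})
MONITORS = {
    # Monitor names are from the walkthrough; "*" is an assumed permissive mask.
    "PCI for Windows Starter template": [Condition("C:/", True, "*.exe", CHANGES)],
    "Company X PCI Files": [Condition(r"C:\Credit Card Numbers", True, "*", CHANGES | {"read"})],
}

def audited_by(path, action):
    """Names of the selected monitors that would log this event."""
    return [name for name, conds in MONITORS.items()
            if any(matches(c, path, action) for c in conds)]

# Constructed sample events, not taken from a real system.
SAMPLE_EVENTS = [
    (r"C:\Credit Card Numbers\2016\q3.csv", "read"),
    (r"C:\Windows\System32\notepad.exe", "write"),
    (r"C:\Windows\System32\notepad.exe", "read"),
    (r"C:\Credit Card Numbers Backup\q3.csv", "read"),
    (r"c:\credit card numbers\tool.EXE", "delete"),
]

if __name__ == "__main__":
    for path, action in SAMPLE_EVENTS:
        print(f"{action:10} {path} -> {audited_by(path, action) or 'not audited'}")
```

The third and fourth events show the gaps this policy leaves: reads outside the custom directory are not audited, and a sibling directory with a similar name is out of scope unless it gets its own condition.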


Behind the scenes, LEM does the dirty work for us.  The LEM agent on this node automatically installs the FIM driver that collects file system events. Then, the LEM manager pushes the configuration we just created to that remote agent and into the driver.  The status icon turns green to tell us that the driver is now up and working. We should start receiving FIM events, viewable in the LEM console.  Let’s see what we’re getting!


Monitor is the first place to look. This shows us events coming in real time.


We have LEM telling us the FIM connector has started on our node and we’re starting to log some reads.  We can see what system this change happened on, the file path and file name, and the user who interacted with the file.

All FIM events are available to use in analytic functions of LEM, including nDepth searches, correlation rules and reports.


Now you should have all the information you need for a successful deployment of File Integrity Monitoring. For more tips and tricks or to ask a question, visit the LEM product page on

