Submit a ticketCall us

Looking to compare latest NPM features with previous versions of NPM?
The NPM new feature summary offers a comparison of new features and improvements offered with this release.





Home > Success Center > Log & Event Manager (LEM) > SolarWinds LEM Quick Start and Deployment Guide > Advanced LEM Options > Set up file integrity monitoring

Set up file integrity monitoring

Created by Caroline Juszczak, last modified by Caroline Juszczak on Aug 05, 2016

Views: 1 Votes: 0 Revisions: 3

You can use File Integrity Monitoring (FIM) to monitor system and user file activity to protect your sensitive information from theft, loss, and malware.

Using log files to record suspicious activity, you can detect changes to critical files and registry keys to ensure they are not accessed or modified by unauthorized users. FIM also ensures your systems comply with regulatory regulations, including Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act of 1996 (HIPAA), and Sarbanes-Oxley.

After you install and integrate FIM with your LEM appliance, you can:

  • Monitor real-time file change and access
  • Detect insider abuse using file audits and intelligent correlation rules
  • Enhance your anti-virus software capabilities by detecting viruses that mask as similar-named files
  • Integrate Active Directory to disable user accounts and change user or group rights
  • Track file and directory access to critical files and registry keys
  • Identify changes to critical registry keys
  • Identify unwarranted file changes from zero-day malware and advanced persistent threat (APT) attacks

You can enable FIM by adding a FIM connector to a node or adding FIM to an existing connector profile.   

Add a FIM connector to a node

  1. Log in to your LEM console as an administrator.
  2. Click Manage > Nodes.
  3. Locate your targeted node in the Nodes grid.

    Ensure the node has a green statusFile:Success_Center/Reusable_content_-_InfoDev/LEM/LEMQuickStart/0G0/010/lem_qsg_green_status_21x14.pngicon.

  4. Click File:Success_Center/Reusable_content_-_InfoDev/LEM/LEMQuickStart/0G0/010/Button-Gear_16x13.png next to your targeted node and select Connectors.
  5. Enter FIM in the Refine Results search field.
  6. In the Connectors grid, click File:Success_Center/Reusable_content_-_InfoDev/LEM/LEMQuickStart/0G0/010/Button-Gear_16x13.png next to your selected connector and click New.


  7. Click File:Success_Center/Reusable_content_-_InfoDev/LEM/LEMQuickStart/0G0/010/Button-Gear_16x13.png next to your desired template and select Add to selected monitors.


    A template copy is moved to the selected monitors to be applied to the node.


  8. Click Save.
  9. (Optional) Add conditions to the template.
    1. Click File:Success_Center/Reusable_content_-_InfoDev/LEM/LEMQuickStart/0G0/010/Button-Gear_16x13.png next to the template and select Edit monitor.


    2. Select the conditions you want LEM to monitor.


    3. Click Edit.
    4. In the Add Condition window, click the drop-down menu and select All Keys/Values (recursive) or Keys/Values (non-recursive).

      All Keys/Values (recursive) selects the folder and all sub-folders that match the given mask.

      Keys/Values (non-recursive) selects only the files in the selected folders to monitor.


      Click Tell me more for information about your configuration options.

    5. Enter a mask (for example, *.exe or directory*.


    6. Select the actions you want to monitor.


    7. (Optional) Click Add Another Condition.
    8. Click Save.
  10. Click Save Changes.

    The LEM agent on your node installs the FIM driver that collects the file system events. Next, LEM pushes the configuration you created to the remote agent and into the driver. In the Nodes grid, the FIM status icon File:Success_Center/Reusable_content_-_InfoDev/LEM/LEMQuickStart/0G0/010/lem_qsg_FIM_icon.png turns green, indicating the driver is working properly.


Last modified
12:45, 5 Aug 2016