How to configure Windows file integrity monitoring

Objective  

This article provides step-by-step instructions to configure Windows file integrity monitoring (FIM) in EventLog Analyzer. FIM is a feature that helps you monitor all changes (additions, deletions, and modifications) made to files and folders on Windows systems.

Prerequisites  

It is recommended that FIM be implemented only for strictly necessary files and folders, to avoid the disk space issues that may arise from the high volume of generated logs.

1. License requirements 

Performing FIM with EventLog Analyzer requires the following licenses and Add-ons:
  • If a Windows file server is being configured for FIM, both a Windows Server license and a file server license are required.
  • If a Windows server is being configured for FIM, only a Windows Server license is required.
  • If a Windows workstation is being configured for FIM, only a Windows workstation license is required.

2. Audit policies to be applied

When FIM is enabled for Windows, specific audit policies will be automatically applied to the file server. However, if there are Group Policy Objects (GPOs) in your domain that override these settings, you'll need to manually configure the required audit policies.
To do so, follow these steps:
  1. Open Command Prompt as an administrator.
  2. Run the following command to view the current audit settings:
    auditpol /get /category:"Object Access"
  3. You can enable the following audit policies using Group Policy Management Console (GPMC) if they are not enabled:
    • Audit file share - Success and Failure
    • Audit file system - Success and Failure
    • Audit handle manipulation - Success and Failure
    • Audit detailed file share - Success and Failure
    • Audit other object access events - Success and Failure
  4. Alternatively, if they are not already enabled, you can enable them manually with the following AuditPol commands:
    • auditpol /set /subcategory:"File Share" /success:enable /failure:enable
    • auditpol /set /subcategory:"File System" /success:enable /failure:enable
    • auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
    • auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable
    • auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable
These policies ensure that FIM functions correctly despite any domain-level GPO overrides.

Note: If you're in a domain environment, you can force a Group Policy Refresh using the following Command Prompt command as an administrator:
gpupdate /force
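The following PowerShell script is an added example, not part of the EventLog Analyzer documentation. It ties steps 2 to 4 above together: it reads the current Object Access settings, enables any of the five subcategories that are not already auditing both Success and Failure, and then refreshes Group Policy on a domain member so that an overriding GPO shows up immediately. It assumes an elevated PowerShell session; the list of subcategories is the one given above.

```powershell
# Added example (not from the EventLog Analyzer documentation).
# Run from an elevated PowerShell prompt on the monitored server.

$subcategories = @(
    'File Share',
    'File System',
    'Handle Manipulation',
    'Detailed File Share',
    'Other Object Access Events'
)

# "auditpol /get ... /r" prints CSV with a header row; the "Inclusion Setting"
# column holds "Success and Failure", "Success", "Failure" or "No Auditing".
$current = auditpol /get /category:"Object Access" /r |
    Where-Object { $_ -ne '' } |
    ConvertFrom-Csv

foreach ($name in $subcategories) {
    $row = $current | Where-Object { $_.Subcategory -eq $name }
    if ($null -eq $row) {
        Write-Warning "Subcategory '$name' not found in auditpol output"
        continue
    }
    if ($row.'Inclusion Setting' -eq 'Success and Failure') {
        Write-Host ("OK      {0}" -f $name)
        continue
    }
    Write-Host ("FIXING  {0} (was: {1})" -f $name, $row.'Inclusion Setting')
    auditpol /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
}

# On a domain member, pull the latest Group Policy now. If any setting flips
# back to its old value after this, a domain GPO is overriding it and the
# policy has to be set in GPMC rather than with auditpol.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    gpupdate /force | Out-Null
    auditpol /get /category:"Object Access"
}
```

Running the script a second time should print OK for all five lines; a line that reports FIXING again after the refresh is the sign of a GPO override described above.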

3. SACLs to be applied

System Access Control Lists (SACLs) must be enabled for the files and folders being monitored. These are typically configured automatically by EventLog Analyzer.
However, if the SACLs are not automatically configured, you can manually configure them with the following steps:
  1. Open File Explorer and right-click on the file or folder you want to monitor, then select Properties.
  2. Go to the Security tab and click Advanced.
  3. In the Advanced Security Settings window, go to the Auditing tab and click Add.
  4. Choose the Principal (i.e., Everyone or a specific user/group based on your requirements).
  5. Set the Type to All.
  6. Under the Applies to tab, choose the appropriate option according to your needs. Then, specify the required Basic Permissions:
    • Execute files/traverse folder
    • Write data/create files
    • Append data/create folders
    • Write attributes
    • Write extended attributes
    • Delete subfolders and files
    • Delete
    • Read permissions
    • Change permissions
    • Take ownership
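As an added example (not code from the EventLog Analyzer documentation), the same audit entry can be applied from PowerShell instead of the File Explorer dialog, which is convenient when the SACL has to be set on many folders or checked after the fact. The folder path and the principal Everyone are assumptions; the permissions are the Basic Permissions listed in step 6, expressed as their FileSystemRights names (ExecuteFile is "traverse folder/execute files", WriteData is "create files/write data", AppendData is "create folders/append data"). Reading or writing a SACL requires an elevated session.

```powershell
# Added example (not from the EventLog Analyzer documentation).
# Run elevated: reading and writing SACLs needs the SeSecurityPrivilege.

$Path      = 'C:\Shares\Finance'   # assumed folder to monitor
$Principal = 'Everyone'            # step 4: the principal to audit

# Step 6: the Basic Permissions from the list above, as FileSystemRights flags
$rights = [System.Security.AccessControl.FileSystemRights](
    'ExecuteFile, WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, ' +
    'DeleteSubdirectoriesAndFiles, Delete, ReadPermissions, ChangePermissions, TakeOwnership')

# Step 5 ("Type: All") becomes AuditFlags Success and Failure;
# "Applies to: This folder, subfolders and files" becomes the two inheritance flags.
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $Principal,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# -Audit is required, otherwise Get-Acl returns the DACL only and Set-Acl
# would leave the SACL untouched.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify: list the audit entries now present on the folder
(Get-Acl -Path $Path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited |
    Format-Table -AutoSize
```

The verification output should show one non-inherited entry for Everyone with AuditFlags Success, Failure. A SACL alone produces no events; the File System audit policy from section 2 must also be enabled on the same machine.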

4. Installation of agents for FIM

Since an agent must be installed on the device for configuring Windows FIM, please ensure that all agent orchestration prerequisites are fulfilled beforehand.

Steps to follow  

To configure FIM, follow the steps below:
Step 1: Navigate to Settings > Log Source Configuration > File Monitoring.
Step 2: Click the Windows tab, then click Add FIM.
Step 3: Select the device where the target files or folders are located, provide the appropriate credentials, then click Browse Location to navigate and choose the files or folders you want to monitor.
Step 4: Alternatively, you can select a predefined location from the Templates dropdown, or manually enter the file/folder path, then click Add.
Step 5: If you want to know who made the change to the file or folder, check the Audit Username checkbox.
Step 6: You can make use of the Exclude Filter if required. The filter gives you the option to:
  1. Include or Exclude Certain file types
  2. Exclude All Sub-locations
  3. Exclude Selected Sub-locations
Step 7: Click Configure.
 
If the same files and folders located in multiple devices need to be added for monitoring, then you can make use of the Configure Multiple Devices option:
  • Step 1: Navigate to Settings > Log Source Configuration > File Monitoring.
  • Step 2: Click the Windows tab, then click Add FIM.
  • Step 3: Click Configure Multiple Devices in the top-right corner.
  • Step 4: Select the devices in which the files/folders to be monitored are located, then enter the correct credentials.
  • Step 5: Select the file template(s).
  • Step 6: Click Configure.
 
To create file integrity monitoring templates, follow these steps:
  • Step 1: Navigate to Settings > Log Source Configuration > File Monitoring.
  • Step 2: Click Manage File Integrity Monitoring Templates in the top-right corner.
  • Step 3: Click the Windows tab, then click Add FIM Template.
  • Step 4: Type the Template Name.
  • Step 5: Select the Locations you want to include.
  • Step 6: Check the Audit Username checkbox if required.
  • Step 7: You can also select the Exclude filter option based on your requirements.
  • Step 8: Click Configure.
 
Note:
  • If an agent is already installed on the device whose files you want to monitor, file monitoring will automatically be enabled by the agent.
  • If no agent is installed on the device for which you want to monitor the files, then an agent will be installed, and file monitoring will be enabled by the agent. If you prefer manual installation of agents, please refer here. 

Tips  

  1. Please note that the volume of logs generated for each change occurring to the folders can affect the performance of the file server. It is a recommended practice to limit monitoring to only the required files and folders.
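To decide which folders are actually worth monitoring, it helps to measure how many audit events each location produces. The following PowerShell snippet is an added example, not part of the EventLog Analyzer documentation: it counts Security event ID 4663 ("An attempt was made to access an object", the event generated when the File System audit policy and a SACL are both in place) over a recent window and groups the counts by the top of the path, so the noisiest tree stands out. The 15-minute window and the top-10 cut-off are assumptions; run it on the monitored server after FIM has been configured.

```powershell
# Added example (not from the EventLog Analyzer documentation).
# Reading the Security log requires an elevated session.

$windowMinutes = 15                                   # assumed sampling window
$since = (Get-Date).AddMinutes(-$windowMinutes)

# 4663 = object access attempt; this is what file-system auditing writes per change
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663
    StartTime = $since
} -ErrorAction SilentlyContinue

$counts = @{}
foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $obj = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'ObjectName' }).'#text'
    if (-not $obj) { continue }
    # Aggregate by drive plus the first two path components, e.g. C:\Shares\Finance
    $key = ($obj -split '\\')[0..2] -join '\'
    $counts[$key] = 1 + [int]$counts[$key]
}

$total = ($counts.Values | Measure-Object -Sum).Sum
"{0} 4663 events in the last {1} minutes (about {2:N0} per hour)" -f `
    [int]$total, $windowMinutes, ([int]$total * 60 / $windowMinutes)

$counts.GetEnumerator() |
    Sort-Object Value -Descending |
    Select-Object -First 10 |
    Format-Table @{ n = 'Events'; e = { $_.Value } }, @{ n = 'Path prefix'; e = { $_.Key } } -AutoSize
```

A prefix that dominates the table during normal operation (a temp or cache directory, a build output folder) is a candidate for the Exclude Filter from Step 6 rather than for full monitoring.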

Related topics and articles

  1. File integrity monitoring (FIM) help guide
  2. File integrity monitoring (FIM) troubleshooting
  3. EventLog Analyzer agent installation