Windows: File Integrity Monitoring (FIM) issues - Online help | EventLog Analyzer

Windows: File Integrity Monitoring (FIM) issues

  1. Prerequisites: An agent needs to be deployed on the respective machine.
  2. Open the EventLog Analyzer GUI. Go to the Settings tab > Configuration > Manage File Integrity Monitoring. Configure the folders in the machine that should be monitored.
  3. Verify whether the following audit policies are enabled for the server:
    1. Audit Object Access
      1. Audit File System (Success, Failure)
      2. Audit Handle Manipulation (Success, Failure)
      3. Audit File Share (Success)
  4. Refer to the following steps to check if object-level auditing is configured for all the folders or drives:
    1. Right-click the relevant folder or drive, click Properties, and select the Security tab.
    2. Click Advanced, then go to the Auditing tab.
    3. Check if the following permissions have been provided for the Everyone group:

      1. File or Folder Changes
         Principal: Everyone
         Type: Success and failure
         Access:
           1. Create files or write data
           2. Create folders or append data
           3. Write attributes
           4. Write extended attributes
           5. Delete subfolders and files
           6. Delete
         Applies to: This folder, subfolders, and files

      2. Folder Permission and Owner Changes
         Principal: Everyone
         Type: Success and failure
         Access:
           1. Take ownership
           2. Change ownership
         Applies to: This folder and subfolders

  5. Open the command prompt on the FIM machine and execute the following command to ensure that the policies are applied successfully:
    1. auditpol /get /category:"Object Access"
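Steps 3 to 5 can be checked in one pass instead of by hand. The script below is an added example, not part of the EventLog Analyzer documentation or the product's own tooling. It assumes an elevated PowerShell session (reading a SACL with Get-Acl -Audit needs SeSecurityPrivilege, which only administrators hold by default), an English-localized Windows (subcategory and principal names are compared as English strings), and a placeholder folder path C:\Monitored that you replace with a folder configured under Manage File Integrity Monitoring. The table entry "Change ownership" has no FileSystemRights counterpart, so the script assumes it refers to the "Change permissions" right (ChangePermissions) that the Advanced Security dialog lists next to "Take ownership"; adjust that mapping if your environment uses a different entry.

```powershell
# Added example (not from the EventLog Analyzer help): verify the Object Access
# audit policy and the folder SACL described in the steps above.
# Run from an elevated PowerShell session; Get-Acl -Audit requires SeSecurityPrivilege.
param(
    [string]$Path = 'C:\Monitored'   # placeholder; substitute a FIM-monitored folder
)

# --- Steps 3 and 5: audit policy subcategories the article requires ---------
# auditpol /r prints CSV, so the rows can be parsed into objects. The
# "Inclusion Setting" column holds Success, Failure, Success and Failure, or
# No Auditing; a superset of the required setting is accepted as OK.
$expected = [ordered]@{
    'File System'         = 'Success and Failure'
    'Handle Manipulation' = 'Success and Failure'
    'File Share'          = 'Success'
}
$policy = auditpol /get /subcategory:"File System","Handle Manipulation","File Share" /r |
          Where-Object { $_.Trim() } |          # drop blank lines before the CSV header
          ConvertFrom-Csv
foreach ($sub in $expected.Keys) {
    $row    = $policy | Where-Object { $_.Subcategory -eq $sub }
    $actual = if ($row) { $row.'Inclusion Setting' } else { '<not reported>' }
    $ok     = $actual -like "*$($expected[$sub])*"
    '{0,-22} required: {1,-20} actual: {2,-20} {3}' -f $sub, $expected[$sub], $actual,
        $(if ($ok) { 'OK' } else { 'MISSING' })
}

# --- Step 4: folder SACL (Properties > Security > Advanced > Auditing) -------
# Each entry mirrors one row of the table above. Inheritance flags encode the
# "Applies to" column; ChangePermissions stands in for "Change ownership"
# (assumption, see the lead-in).
$checks = @(
    @{ Name    = 'File or Folder Changes'
       Rights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, WriteAttributes, WriteExtendedAttributes, DeleteSubdirectoriesAndFiles, Delete'
       # "This folder, subfolders, and files"
       Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit' }
    @{ Name    = 'Folder Permission and Owner Changes'
       Rights  = [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions'
       # "This folder and subfolders"
       Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit' }
)

# Union of the rights audited for Everyone by entries that carry the given
# audit flag and at least the required inheritance. Success and Failure are
# collected separately because a tool may store them as one ACE or as two.
function Get-AuditedRights {
    param(
        $Rules,
        [System.Security.AccessControl.AuditFlags]$Flag,
        [System.Security.AccessControl.InheritanceFlags]$Inherit
    )
    $bits = 0
    foreach ($r in $Rules) {
        if ($r.AuditFlags.HasFlag($Flag) -and
            (([int]$r.InheritanceFlags -band [int]$Inherit) -eq [int]$Inherit)) {
            $bits = $bits -bor [int]$r.FileSystemRights
        }
    }
    return $bits
}

$acl = Get-Acl -Path $Path -Audit
# Only entries for the Everyone principal count, matching the table's
# Principal column; entries for other principals are deliberately ignored.
$everyone = @($acl.Audit | Where-Object { $_.IdentityReference.Value -eq 'Everyone' })

foreach ($c in $checks) {
    $need    = [int]$c.Rights
    $succ    = Get-AuditedRights -Rules $everyone -Flag Success -Inherit $c.Inherit
    $fail    = Get-AuditedRights -Rules $everyone -Flag Failure -Inherit $c.Inherit
    # A right is satisfied only when it is audited for both success and failure.
    $missing = $need -band -bnot ($succ -band $fail)
    if ($missing -eq 0) {
        "$($c.Name): OK"
    } else {
        "$($c.Name): MISSING $([System.Security.AccessControl.FileSystemRights]$missing)"
    }
}
```

Run it as `.\Check-FimAudit.ps1 -Path 'D:\Data'` (file name of your choosing) for each monitored folder; a MISSING line names the audit subcategory or the exact NTFS rights that still have to be added. Entries that store generic rights masks rather than the specific NTFS rights the GUI writes are not expanded by this check and would be reported as missing even though they cover the required access.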