Windows: File Integrity Monitoring (FIM) issues - Online help | EventLog Analyzer

Windows: File Integrity Monitoring (FIM) issues

  1. Prerequisites: An agent needs to be deployed on the respective machine.
  2. Open the EventLog Analyzer GUI. Go to the Settings tab > Configuration > Manage File Integrity Monitoring. Configure the folders in the machine that should be monitored.
  3. Verify whether the following audit policies are enabled for the server:
    1. Audit Object Access
      1. Audit File System (Success, Failure)
      2. Audit Handle Manipulation (Success, Failure)
      3. Audit File Share (Success)
  4. Refer to the following steps to check if object-level auditing is configured for all the folders or drives:
    1. Right-click the relevant folder or drive, click Properties, and select the Security tab.
    2. Click Advanced, then go to the Auditing tab.
    3. Check if the following permissions have been provided for the Everyone group (Principal, Type, Access, Applies to):

      File or Folder Changes
        Principal: Everyone
        Type: Success and failure
        Access:
          1. Create files or write data
          2. Create folders or append data
          3. Write attributes
          4. Write extended attributes
          5. Delete subfolders and files
          6. Delete
        Applies to: This folder, subfolders, and files

      Folder Permission and Owner Changes
        Principal: Everyone
        Type: Success and failure
        Access:
          1. Take ownership
          2. Change ownership
        Applies to: This folder and subfolders

  5. Open the command prompt on the FIM machine and execute the following command to ensure that the policies are applied successfully:
    1. auditpol /get /category:"Object Access"
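
As an added check script that is not part of this help page or the EventLog Analyzer product, the following PowerShell verifies steps 3 and 4 on the FIM machine: it reads the three Object Access subcategories with auditpol and inspects the folder's SACL for the Everyone audit entries listed in the table above. It assumes an elevated session, English auditpol output, the placeholder folder path C:\MonitoredFolder, and that the table's "Change ownership" entry corresponds to the FileSystemRights value ChangePermissions.

```powershell
# Added check script (not part of the EventLog Analyzer help page). Run in an
# elevated PowerShell session on the FIM machine. Assumes English auditpol
# output and the placeholder folder path below.
param([string]$Path = 'C:\MonitoredFolder')   # assumed path; use a folder configured in FIM

# Step 3: the Object Access subcategories the page lists, with the expected setting.
$expected = [ordered]@{
    'File System'         = 'Success and Failure'
    'Handle Manipulation' = 'Success and Failure'
    'File Share'          = 'Success'
}
foreach ($name in $expected.Keys) {
    $line    = auditpol /get /subcategory:"$name" | Where-Object { $_ -match "^\s+$name\s{2,}" }
    $setting = ($line -replace "^\s+$name\s+", '').Trim()
    # 'Success and Failure' also satisfies a 'Success' requirement.
    $ok = ($setting -eq $expected[$name]) -or ($setting -eq 'Success and Failure')
    '{0,-22} {1,-20} {2}' -f $name, $setting, $(if ($ok) { 'OK' } else { 'NOT SET' })
}

# Step 4: the SACL must hold Success+Failure audit entries for Everyone that together
# cover both rows of the table. The page's permission names are mapped to
# FileSystemRights values; "Change ownership" is assumed to mean ChangePermissions.
$required = [ordered]@{
    'File or Folder Changes'              = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, DeleteSubdirectoriesAndFiles, Delete'
    'Folder Permission and Owner Changes' = [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions'
}
$both  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rules = (Get-Acl -Path $Path -Audit).Audit |
    Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and ($_.AuditFlags -band $both) -eq $both }

# Union of rights over all qualifying Everyone entries (the GUI may merge or split them).
# Accumulated as Int32 so generic-right bits on an entry never break enum conversion.
$granted = 0
foreach ($r in $rules) { $granted = $granted -bor [int]$r.FileSystemRights }

foreach ($label in $required.Keys) {
    $need       = [int]$required[$label]
    $missingInt = $need -band -bnot $granted          # bits required but not audited
    if ($missingInt -eq 0) {
        '{0,-36} OK' -f $label
    } else {
        '{0,-36} MISSING: {1}' -f $label, [System.Security.AccessControl.FileSystemRights]$missingInt
    }
}
# Inheritance: 'This folder, subfolders, and files' = ContainerInherit, ObjectInherit;
# 'This folder and subfolders' = ContainerInherit. Printed for manual comparison.
$rules | ForEach-Object { '  Everyone entry: {0} [{1}]' -f $_.FileSystemRights, $_.InheritanceFlags }
```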