Windows: File Integrity Monitoring (FIM) issues
- Prerequisites: An agent needs to be deployed on the respective machine.
- Open the EventLog Analyzer GUI. Go to the Settings tab > Configuration > Manage File Integrity Monitoring and configure the folders on the machine that should be monitored.
- Verify whether the following audit policies are enabled for the server:
- Audit Object Access
- Audit File System (Success, Failure)
- Audit Handle Manipulation (Success, Failure)
- Audit File Share (Success)
- Refer to the following steps to check if object-level auditing is configured for all the folders or drives:
- Right-click the relevant folder or drive, click Properties, and select the Security tab.
- Click Advanced, then go to the Auditing tab.
- Check that the following audit entries exist for the Everyone group (both are "Audit" entries of type Success and Failure; "Applies to" is the inheritance scope of the entry):

| Audit entry | Principal | Type | Access | Applies to |
|---|---|---|---|---|
| File or Folder Changes | Everyone | Success and failure | Create files / write data; Create folders / append data; Write attributes; Write extended attributes; Delete subfolders and files; Delete | This folder, subfolders, and files |
| Folder Permission and Owner Changes | Everyone | Success and failure | Take ownership; Change permissions | This folder and subfolders |
- Open an elevated command prompt on the FIM machine and run the following command to confirm that the policies were applied. The File System and Handle Manipulation subcategories should show Success and Failure, and File Share should show at least Success:
- auditpol /get /category:"Object Access"
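The following PowerShell script checks both prerequisites above in one pass: the Object Access subcategories as reported by auditpol, and the SACL of a monitored folder as read by Get-Acl -Audit. It is an added example written for this article, not code shipped by ManageEngine or EventLog Analyzer. It assumes an elevated prompt on the agent machine (reading a SACL needs SeSecurityPrivilege) and uses D:\Shares\Finance as a placeholder for a folder you configured under Manage File Integrity Monitoring.

```powershell
# Added example (not ManageEngine code): verify the FIM audit prerequisites.
# Run from an elevated PowerShell prompt on the machine that hosts the agent.
function Test-FimAuditPrerequisites {
    param([Parameter(Mandatory)][string]$Path)

    # --- 1. Advanced audit policy: Object Access subcategories ---------------
    # auditpol /r prints CSV (Subcategory, Inclusion Setting, ...), which is
    # easier to test than the human-readable table the article's command prints.
    $required = @{
        'File System'         = 'Success and Failure'
        'Handle Manipulation' = 'Success and Failure'
        'File Share'          = 'Success'            # "Success and Failure" also passes
    }
    $policy = auditpol /get /category:"Object Access" /r | ConvertFrom-Csv
    foreach ($name in $required.Keys) {
        $row   = $policy | Where-Object { $_.Subcategory -eq $name }
        $value = if ($row) { $row.'Inclusion Setting' } else { '<not reported>' }
        $state = if ($value -match $required[$name]) { 'OK' } else { 'MISSING' }
        '{0,-22} {1,-22} {2}' -f $name, $value, $state
    }

    # --- 2. SACL on the monitored folder -------------------------------------
    # Only audit entries for Everyone with both Success and Failure count,
    # matching the "Type" column of the article's table.
    $acl = Get-Acl -Path $Path -Audit
    $entries = $acl.Audit | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.AuditFlags -eq [System.Security.AccessControl.AuditFlags]'Success, Failure'
    }

    # The two audit entries expressed as FileSystemRights flags. In the enum,
    # "Create files / write data" is CreateFiles (= WriteData) and
    # "Create folders / append data" is AppendData (= CreateDirectories).
    $changeRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, WriteAttributes, WriteExtendedAttributes, DeleteSubdirectoriesAndFiles, Delete'
    $ownerRights  = [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions'

    # Union of everything audited for Everyone, then find what is still missing.
    $audited = 0
    foreach ($rule in $entries) { $audited = $audited -bor [int]$rule.FileSystemRights }
    $missingChange = ([int]$changeRights) -band (-bnot $audited)
    $missingOwner  = ([int]$ownerRights)  -band (-bnot $audited)

    if ($missingChange -eq 0) { "File or Folder Changes on ${Path}: OK" }
    else { "File or Folder Changes on ${Path}: missing " + [System.Security.AccessControl.FileSystemRights]$missingChange }
    if ($missingOwner -eq 0) { "Folder Permission and Owner Changes on ${Path}: OK" }
    else { "Folder Permission and Owner Changes on ${Path}: missing " + [System.Security.AccessControl.FileSystemRights]$missingOwner }

    # "Applies to" is the entry's InheritanceFlags: "This folder, subfolders, and
    # files" is ContainerInherit, ObjectInherit. An entry with InheritanceFlags
    # of None audits only the folder object itself, so files inside it are not
    # covered even if the rights above are all present.
    foreach ($rule in $entries) {
        '  entry: {0,-60} inherit={1}' -f $rule.FileSystemRights, $rule.InheritanceFlags
    }
}

# Placeholder path; replace with a folder configured for FIM.
Test-FimAuditPrerequisites -Path 'D:\Shares\Finance'
```

If the policy check reports MISSING while the Local Security Policy GUI shows the legacy "Audit object access" setting enabled, the advanced subcategories are what the agent depends on; set them explicitly (auditpol /set /subcategory:"File System" /success:enable /failure:enable) or through the GPO that delivers Advanced Audit Policy Configuration, and re-run the check. The SACL part of the script only accepts rights that are audited with both Success and Failure and only reports inheritance; an entry that exists but applies to "This folder only" is the most common reason for missing file-level FIM events.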