We want to optimize FIM. Can you please advise what we should monitor? The entire drive C?
Thanks,
Edward B
Hi, Edward.
I can offer some tips on this.
First, it's always the wisest course to focus FIM on the things that actually need monitoring. More specific, less generic. For example, it's usually a very bad idea to just tell it to monitor entire drives - especially with no masks to filter anything out. Instead, configure it to monitor specific folders and file types that you actually need to monitor. For example, you can create an inclusion for a specific folder on C that's called "Project Files" and set the mask for specific file types - like *.js or *.exe.
Less is more with FIM. If you're not careful, FIM brings in far too much data to be very useful and it can severely increase overhead on the SEM.
Second, in addition to monitoring specific folders versus entire drives and using masks for specific files/file types, you'll want to be specific with the monitored actions. Don't just blindly turn on all the actions because they're there. That will again create excessive amounts of mostly useless data. My best advice is to turn on Create and Delete for Files and Directories, and turn on Write for File and Permissions (optional). I normally advise against any of the Read actions unless absolutely necessary. They always generate mountains of events and if you look at the event details - the data isn't really useful. That goes for Other as well.
But of course, your config will vary depending on your auditing needs. Those are just some best practices. If you're looking for more ideas on folders or file types to monitor, have a look at the built-in FIM templates. You can just click the Import from Template button at the top of the Edit screen and it will import multiple inclusions with all their details that you can choose to use or discard. The Windows Server Monitoring template will show you useful file types and folders to watch under the Windows folder, for example.
I hope this helps!
Jason
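To make the scoping advice above concrete, here is an added example that is not SolarWinds SEM code and not part of the original thread. It is a minimal hash-based file-integrity check in Python that applies the same three ideas Jason describes: an inclusion is a folder plus file masks, only Create, Delete and Write are reported (Read is not observable from a snapshot diff, which matches the advice to leave it off), and the same set of changes is scored under a scoped policy and a whole-tree policy so the difference in event volume is visible. The folder names, file names and the `Inclusion` class are constructed for the example.

```python
"""Added example (not SolarWinds SEM code): a minimal file-integrity check that
scopes monitoring to specific folders, file masks and actions, and shows how
much the event volume drops compared with watching a whole tree."""
import fnmatch
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Inclusion:
    """One monitoring rule: a folder, glob masks, and the actions to report."""
    folder: str                 # folder relative to the monitored tree; "" = whole tree
    masks: List[str]            # e.g. ["*.js", "*.exe"]; ["*"] means every file
    actions: Set[str] = field(default_factory=lambda: {"create", "delete", "write"})

    def matches(self, rel_path: str) -> bool:
        in_folder = (self.folder == ""
                     or rel_path.startswith(self.folder + os.sep))
        name = os.path.basename(rel_path)
        return in_folder and any(fnmatch.fnmatch(name, m) for m in self.masks)


def snapshot(root: str) -> Dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    result: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return result


def diff_events(before: Dict[str, str], after: Dict[str, str],
                inclusions: List[Inclusion]) -> List[Tuple[str, str]]:
    """Return (action, path) events between two snapshots, filtered by the
    inclusions' folder, masks and enabled actions. Reads never appear: a
    snapshot diff cannot see them, which mirrors leaving Read actions off."""
    events = []
    for path in set(before) | set(after):
        if path not in before:
            action = "create"
        elif path not in after:
            action = "delete"
        elif before[path] != after[path]:
            action = "write"
        else:
            continue
        if any(inc.matches(path) and action in inc.actions for inc in inclusions):
            events.append((action, path))
    return sorted(events)


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Build a constructed tree, change it, and report events under two policies."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        # constructed baseline: a project folder plus noisy scratch files
        write("Project Files/app.js", b"console.log(1)")
        write("Project Files/tool.exe", b"MZ-constructed")
        write("Project Files/notes.txt", b"todo")
        for i in range(20):
            write(f"Temp/cache{i}.tmp", b"x")
        before = snapshot(root)

        write("Project Files/app.js", b"console.log(2)")          # write, watched type
        write("Project Files/dropped.exe", b"MZ-constructed")      # create, watched type
        os.remove(os.path.join(root, "Project Files", "tool.exe"))  # delete, watched type
        write("Project Files/notes.txt", b"todo done")             # write, not in mask
        for i in range(20):                                        # scratch churn
            write(f"Temp/cache{i}.tmp", b"y")
        after = snapshot(root)

        scoped = [Inclusion("Project Files", ["*.js", "*.exe"])]
        whole_tree = [Inclusion("", ["*"])]
        return {"scoped": diff_events(before, after, scoped),
                "whole_tree": diff_events(before, after, whole_tree)}


if __name__ == "__main__":
    for policy, events in demo().items():
        print(f"{policy}: {len(events)} events")
        for action, path in events:
            print(f"  {action:<6} {path}")
```

Running it yields three events under the scoped rule (one create, one delete, one write, all `.js`/`.exe` files under `Project Files`) against twenty-four under the whole-tree rule, most of them scratch-file churn that would tell an analyst nothing. The `actions` set on `Inclusion` is where the "don't blindly turn everything on" advice lives: dropping `"write"` from it, for instance, leaves only create and delete events.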