We are using SolarWinds LEM 6.1.0 and need some help with reports. I need to find out all the drives, folders, and files accessed by a user.
Please could you advise how the conditions and groups in nDepth should be.
Assuming you have FIM activated, it is pretty easy. Just use FileRead.SourceAccount = abc@def.com
Hi omar789 - I can't think of a way to do that offhand without FIM being enabled in probably an unreasonable number of places. Do you have any other SolarWinds products like Server & Application Monitor by chance?
What is FIM, and how can I find out if I have FIM enabled?
Sorry, kind of new to this.
omar789, FIM stands for File Integrity Monitoring. You can read more in the LEM Admin guide here.
Odds are then that you do not have it enabled as it is not enabled by default.
It is a connector that you are able to set up.
Log and Event Manager can collect File Auditing information a couple ways.
One, it can collect native file auditing info from the OS. This would require that you have the LEM Agent on the interesting servers/workstations, and that you have file auditing configured in Windows, Linux, MacOS, etc. In Windows, this means that you've gone into the Security dialogue for a location and set the audit policy:
Second, you can have File Integrity Monitoring do this, but FIM is only available for Windows devices and requires that the LEM Agent be installed on the interesting servers. It looks like links to FIM docs have been provided by others, but I can add this video:
https://www.youtube.com/watch?v=kZpkYjVGkeg
In either case, LEM is going to get data from the OS or from FIM and normalize it, meaning that events will be sorted into the LEM's predefined categories like FileRead, FileWrite, FileCreate, FileDelete, etc. You can search for all these different events separately, or you can use the pre-defined Event Group that ships with LEM to get them all in one go.
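The native Windows file auditing prerequisite described in the reply above, shown as an added example that is not part of the original thread and not SolarWinds code. It assumes an elevated PowerShell session on the file server; `$Path` and `$Account` are constructed placeholders.

```powershell
# Added example: enable native file auditing on one folder, then spot-check
# the resulting Security-log events locally before searching in LEM.
# $Path and $Account are constructed placeholders, not values from the thread.
$Path    = 'D:\Shares\Finance'
$Account = 'abc'   # account name of the user to report on

# 1. Enable the "File System" audit subcategory (under Object Access).
#    Without this, audit rules on folders produce no events.
#    The subcategory name is localized on non-English Windows builds.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit rule (SACL entry) on the folder, inherited by subfolders
#    and files. Auditing 'Everyone' covers every user; the rights are limited
#    to read, write and delete to keep the event volume manageable.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Confirm the audit rule is in place.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# 4. Spot-check: Event ID 4663 ("An attempt was made to access an object")
#    is what the OS logs for audited file access. List recent ones for the user.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 2000 |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time       = $evt.TimeCreated
            User       = $data['SubjectUserName']
            Object     = $data['ObjectName']
            AccessMask = $data['AccessMask']
        }
    } |
    Where-Object { $_.User -eq $Account }
```

If step 4 returns nothing after the user has touched a file under `$Path`, the gap is in the Windows audit configuration rather than in LEM or its agent.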