
FIM - File Integrity Monitoring is only showing NT/Authority

I have the latest version of SEM, and I am running Windows Server 2019 with file shares.

When my users open a file from their own desktop, it is flagged as NT/Authority.

How do I fix this?

Thanks

-Garen

  • Hello Garen, if you want to get more information on who is accessing the file, you must make sure that the logging options are enabled, either by editing group policy on your AD or by changing the local policy on the server to enable the access details.

    Typically these are found in the Windows security event logs for the details you want.

    Look for file auditing on server for more step-by-step instructions.

  • I am having the same issue as the OP. I don't understand why FIM even exists if you cannot tell who is opening the files. So, just to clarify, you are saying that to actually see who is accessing the files you need to not use FIM and configure object auditing in group policy and then set up the auditing on the files you want and then use SEM to monitor the security event logs? Seems pointless in having FIM! Not having a go at you at all, but it makes the FIM connector useless. I mean, sure, it's nice to know if someone changes some important files on the OS, but what good is it if you cannot see who has done it? I am running this on the mail file share (but using the local drive version as I am monitoring the actual file server itself) and all the users who access files through the file share get registered as NT\Authority.

  • Yes, that's exactly what I have done. I have also created a filter on the live events view to see who accesses the paths I am monitoring. The only time it ever comes up with the user is when I am logged into the server as an administrator and open the folder. If a user connects to the same folder via the network share it just logs them as NT\Authority.

    Maybe the wording on the link you sent is just open to misinterpretation?

    "Please note that FIM does not support the monitoring of network shares. Only local drives are supported."

    I took that to mean, Please note that FIM does not support the monitoring of network shares. Only local drives are supported.

    NOT

    You cannot monitor users accessing the local path you are monitoring if your users use it as a network share.

    or maybe I am missing something.

  • Also, I think this link is what npatterson was referring to:

    Enable Windows file auditing for use with SEM (solarwinds.com)

    which doesn't utilise FIM.

  • Yes, you are correct, meaning that you would need to install the agent on the file server you want to monitor for activity.

  • OK, thanks, but installing the FIM agent on the local server does not help. The users are not recorded in the logs, just NT\Authority, IF they access the server via a file share.

    example:

    Server01 has a D:\ with a folder called "Files"

    FIM Agent installed on Server01 and set up in SEM.

    "Files" is a share accessible over the network.

    user1 accesses "Files" share from Computer01.

    SEM logs the access as NT\Authority not user1

    Just wanted to point that out in case anyone else comes along and misunderstands.

    This seems to be a pointless piece of software (FIM). You may as well just use object auditing in Windows and monitor the security events from within SEM?

    Unless I am fundamentally misunderstanding something.... I genuinely wish I am, as it's much easier to use the FIM component.

  • Also, just to confirm, it does not register the source machine either. So, if I connect from another server, the source machine is still the file server.

    I GET that it's good to know if files are changing on a machine.

    I don't get what the point is if you cannot see the source of who is making those changes. Surely that is fundamental to file integrity monitoring?

  • I know this is an old thread but for you and others searching for info on this topic, this link may provide some clarity for the data returned by FIM where users are accessing the files through a file share:

    How File Integrity Monitor (FIM) handles actions performed on a network share

    In short, some of the types of actions will only show as NT Authority/SYSTEM and some of them might create more than one event (for both NT Authority/SYSTEM and the user that did it), and some will only show the user.
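
The native Windows auditing route that several replies point to, shown for the thread's `D:\Files` example. This is an added example, not code from SolarWinds or from any poster; the `Everyone` principal, the set of audited rights and the one-hour window are assumptions to adjust.

```powershell
# Added example, not from the thread. Run elevated on the file server.
$path = 'D:\Files'                       # folder from the thread's Server01 example

# 1. Enable the audit subcategories that log the calling account.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable

# 2. Add an audit rule (SACL entry) to the folder. 'Everyone' and the rights
#    chosen here are assumptions; add ReadData to log opens (much noisier).
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Read back the last hour of events.
#    4663 = object access (account, file, process)
#    5145 = share access check (account, share path, client IP)
$filter = @{ LogName = 'Security'; Id = 4663, 5145; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    $target = if ($_.Id -eq 4663) { $d.ObjectName } else { "$($d.ShareLocalPath)\$($d.RelativeTargetName)" }
    if ($target -like "*$path*") {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            EventId  = $_.Id
            Account  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Target   = $target
            ClientIp = $d.IpAddress      # only present on 5145
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Event 5145 carries the client address, which 4663 does not, so both subcategories are needed to answer the "who" and "from where" questions raised above.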