I am new to LEM and I am trying to set up file auditing using FIM. I have FIM getting data when a file is changed, for example, Word.docx changes to word.docx.ecc. I want to set up a rule to send me an email when this happens. I'm not sure if I created the rule correctly or if I'm missing something, but when this rule is triggered I get an email and the subject just has the word 'at' in it. Any input would be greatly appreciated.
Here are the results from my nDepth query:
Event Name: FileRead
EventInfo: File Open for Metadata Read "E:\DFS\Dept_Common\OIT\test.docx.ecc" by user "Username"
InsertionIP: SERVER
Manager: LEM SERVER
DetectionIP: x.x.x.x
InsertionTime: 11:35:09 Fri Mar 13 2015
DetectionTime: 11:35:02 Fri Mar 13 2015
Severity: 3
ToolAlias: FIM File and Directory
InferenceRule:
ProviderSID: 2
ExtraneousInfo:
SourceAccount: dtyner
SourceDomain: WALSHCOLLEGE
SourceLogonID:
DestinationAccount:
DestinationDomain:
DestinationLogonId:
AccessRequested:
PrivilegesExercised:
FileName: E:\DFS\Dept_Common\OIT\test.docx.ecc
FileHandleID:
OperationID:
ServingProcess:
AccessProperties:
OperationType:
Here is a copy of my rule.
You have to drop the appropriate event fields in those empty "slots" under "Recipients". Look at the event data that has been generated and decide what information from that event data you want to see in the emails generated by this event. You can modify an email template to add specific fields to be included in the email from LEM. Then, as I said earlier, drop those fields in those slots - for instance, FileRead.EventInfo into the $EventInfo spot, FileRead.DetectionTime into $DetectionTime and so on.