2 Replies Latest reply on Aug 2, 2017 1:59 PM by dcokers

    Anyone using FIM on Desktop PCs?

    dcokers

      I am curious to know if anyone is using FIM on all desktop PCs in their organization. We currently only use it for our File Server but I see some benefits in using it on our desktop PCs as well. We currently have the LEM Agent on all PCs in our organization so adding them to the connector wouldn't be hard.

       

      Are there any downsides, space concerns, too many events....etc.

       

      Thanks!

        • Re: Anyone using FIM on Desktop PCs?
          jrouviere

          I want to leave the conversation for the wider batch of customers who might be using FIM on their desktop machines, but you will want to be mindful of how it's configured for your Workstations as any type of file auditing can generate a much larger than expected number of events.

           

          I would suggest two things at a high level:

           

          1)  Be sure to get a good sample group and enable FIM for a few machines to help gauge and estimate the new event load.

          2)  Start with the pre-defined monitors.

           

          When first testing with FIM on my own workstation, turning FIM on for C:/ recursively and every type of action generated thousands of new events in an hour.  The default monitors omit files that will constantly be read and modified so as to help clean some of this up, but as with adding any node or new monitoring it will generate a large number of new events and you'll want to be mindful of how that will impact the capacity and sizing of your LEM.

          1 of 1 people found this helpful
            • Re: Anyone using FIM on Desktop PCs?
              dcokers

              Thanks, space isn't a concern for us at this time. I am more worried about CPU and memory usage on the appliance. We have ~400 PCs.

               

              I think file monitor on desktops could be valuable in tracking issues associated with mass file copy/deletions and in the areas of ransomware detection. We also have an issue with an application that writes files locally to the workstation when the application has a problem connecting to a network file repository. FIM would allow me to track that easier.