I want to leave the conversation for the wider batch of customers who might be using FIM on their desktop machines, but you will want to be mindful of how it's configured for your workstations, as any type of file auditing can generate a much larger than expected number of events.
I would suggest two things at a high level:
1) Be sure to get a good sample group and enable FIM for a few machines to help gauge and estimate the new event load.
2) Start with the pre-defined monitors.
When first testing with FIM on my own workstation, turning FIM on for C:/ recursively and every type of action generated thousands of new events in an hour. The default monitors omit files that will constantly be read and modified so as to help clean some of this up, but as with adding any node or new monitoring it will generate a large number of new events and you'll want to be mindful of how that will impact the capacity and sizing of your LEM.
Thanks, space isn't a concern for us at this time. I am more worried about CPU and memory usage on the appliance. We have ~400 PCs.
I think file monitor on desktops could be valuable in tracking issues associated with mass file copy/deletions and in the areas of ransomware detection. We also have an issue with an application that writes files locally to the workstation when the application has a problem connecting to a network file repository. FIM would allow me to track that more easily.