1 Reply Latest reply on Mar 7, 2013 3:33 PM by nicole pauls

    LEM Rule for change to a web.config file

    jeff.miller@acfe.com

      I'm trying to write a rule in SolarWinds LEM to alert me via email when a change is made to one of my web server applications' web.config file, and I can't seem to get anything to work. Can anyone provide a screenshot or something on how I can set up a rule to do this? I've tried messing with the Windows audit stuff as outlined here: http://knowledgebase.solarwinds.com/kb/questions/2833/Audit+Policy+and+Best+Practice but I think my problem is more in the RULE itself. I've tried using FileAudit, FileDataWrite and FileWrite Events as well as "File Audit Alerts" Event Groups - but I can't get anything to fire!

      Any help would be appreciated, as this is one of the main reasons we bought this thing - to monitor and alert us when key files (like web.config files) have been modified on our network!

      Thanks,

      Jeff M.

        • Re: LEM Rule for change to a web.config file
          nicole pauls

          Theoretically, the rule you want to build (show me any access/changes to the file path ending in web.config from my web server):

          File Audit Events.FileName = "*web.config"

          AND

          File Audit Events.InsertionIP = "<that system>"

          File auditing has multiple points of failure, so if you need to backtrack, you can narrow down whether it's the rule, file auditing, or something in between.

          Assuming your web server is Windows-based, you'll want to make sure there's an agent installed so we can pick up the local events.

          Next step is to enable File Auditing in the audit policy on that system.

          After that, you'll need to go into properties on that web.config file/directory and audit for whatever access you want (e.g. read/write/list/modify) from the users you're interested in monitoring.

          After THAT, we should see the events in LEM when someone accesses the file, and any rules related to those events should fire.


          To start chasing it down, you might build a filter in Monitor for first all events coming from that server, then narrow it down to only certain types of events (hopefully file audits). You can also do a search to see if any of those events have come in historically.


          The easiest filter to build for all events from a system is to look for any event coming from that system's IP/hostname - "Any Alert/Event.InsertionIP = <that system>" (use Alert/Event Group "Any Alert/Event" and drag the field "InsertionIP" into conditions, then fill in the right side with that machine's name - might use wildcards on either side in case it's reporting with the FQDN).


          If you want to search for ALL File Audit activity historically (regardless of where it came from), you can go to Explore>nDepth, clear all your conditions, then drag the alert group "File Audit Events" up to your conditions/search bar.  You can then use the refine fields on the left (drag them up to add to the conditions) if you want to keep narrowing things down, like only file audits from certain systems.


          Hopefully we can make some progress.
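The reply above splits the problem into stages (audit policy, SACL on the file, events in the Security log, agent, rule). The following PowerShell script is an added example, not code from the thread or from SolarWinds; it checks the Windows-side stages on the web server itself so you know whether the LEM rule is even receiving anything to match. The web.config path is an assumption, and the script relies on the built-in `auditpol` tool and on Security event ID 4663 (an attempt was made to access an object), both standard Windows facts rather than anything LEM-specific. Run it in an elevated PowerShell session on the web server.

```powershell
# Added example (not from the original thread): verify the Windows side of the
# pipeline, audit policy -> SACL on the file -> Security log, before blaming the rule.
# Run elevated on the web server. The path below is an assumption; substitute yours.
$target = 'C:\inetpub\wwwroot\MyApp\web.config'   # assumed location of the file

# 1. Enable the "File System" subcategory of Object Access auditing.
#    Without this, audit entries on the file produce no events at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit ACE (SACL entry) to web.config for the accesses worth alerting on.
#    Get-Acl needs -Audit to read and write the SACL, which requires an elevated session.
$acl    = Get-Acl -Path $target -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $target -AclObject $acl

# 3. Generate a harmless write so there is something to find: updating the timestamp
#    is a WriteAttributes access, which the 'Write' right above covers, and leaves the
#    file content untouched.
(Get-Item -Path $target).LastWriteTime = Get-Date

# 4. Look for 4663 events that name the file. Field order for 4663: [1] account name,
#    [6] object name, [11] process name. The same "*web.config" wildcard the LEM rule
#    uses is applied here so the two checks agree on what counts as a hit.
$since  = (Get-Date).AddMinutes(-10)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
          Where-Object { $_.Properties[6].Value -like '*web.config' }

if (-not $events) {
    # Nothing here means the audit policy or the SACL is the problem; LEM never saw an event.
    Write-Warning "No 4663 events for *web.config since $since - re-check auditpol output and the SACL on $target."
} else {
    # Events here mean Windows is doing its part; next suspects are the LEM agent and the rule.
    $events | Select-Object TimeCreated,
        @{ Name = 'Account'; Expression = { $_.Properties[1].Value } },
        @{ Name = 'Object';  Expression = { $_.Properties[6].Value } },
        @{ Name = 'Process'; Expression = { $_.Properties[11].Value } } |
        Format-Table -AutoSize
}
```

If the script reports events but the LEM rule still does not fire, the remaining stages are the agent on that host (the source of the `InsertionIP` value the rule compares against) and the rule conditions themselves, which is where the nDepth search for "File Audit Events" from the reply picks up.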