Theoretically, the rule you want to build (show me any access/changes to the file path ending in web.config from my web server):
File Audit Events.FileName = "*web.config"
File Audit Events.InsertionIP = "<that system>"
File auditing has multiple points of failure, so if you need to backtrack, you can narrow down whether it's the rule, file auditing, or something in between.
Assuming your web server is Windows-based, you'll want to make sure there's an agent installed so we can pick up the local events.
Next step is to enable File Auditing in the audit policy on that system.
After that, you'll need to go into properties on that web.config file/directory and audit for whatever access you want (e.g. read/write/list/modify) from the users you're interested in monitoring.
After THAT, we should see the events in LEM when someone accesses the file, and any rules related to those events should fire.
To start chasing it down, you might build a filter in Monitor for first all events coming from that server, then narrow it down to only certain types of events (hopefully file audits). You can also do a search to see if any of those events have come in historically.
The easiest filter to build for all events from a system is to look for any event coming from that system's IP/hostname - "Any Alert/Event.InsertionIP = <that system>" (use Alert/Event Group "Any Alert/Event" and drag the field "InsertionIP" into conditions, then fill in the right side with that machine's name - might use wildcards on either side in case it's reporting with the FQDN).
If you want to search for ALL File Audit activity historically (regardless of where it came from), you can go to Explore>nDepth, clear all your conditions, then drag the alert group "File Audit Events" up to your conditions/search bar. You can then use the refine fields on the left (drag them up to add to the conditions) if you want to keep narrowing things down, like only file audits from certain systems.
Hopefully we can make some progress.
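The audit-policy and file-properties steps described above can also be done and checked from an elevated PowerShell prompt on the web server. This is an added example, not part of the original post; the file path and the audited principal are assumptions to adjust, and it assumes Windows Server 2008 or later with an English-language audit subcategory name.

```powershell
# Added example. Assumed values: change them to match your server.
$Path      = 'C:\inetpub\wwwroot\web.config'   # assumption: location of the file to watch
$Principal = 'Everyone'                        # assumption: audit every user

# 1. Turn on auditing for the File System subcategory (local policy).
#    A domain Group Policy that sets audit policy will override this on refresh.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"

# 2. Add an audit entry (SACL) on the file itself. Without it, the policy
#    above produces no events for this file.
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, ChangePermissions'
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule($Principal, $rights, $flags)

$acl = Get-Acl -Path $Path -Audit      # -Audit loads the SACL; requires elevation
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Confirm the audit entry is present on the file.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 4. Generate a test read, then check that Windows itself logged it.
#    Event ID 4663 is "An attempt was made to access an object".
Get-Content -Path $Path | Out-Null
Start-Sleep -Seconds 2

$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*web.config*' }

if ($hits) {
    $hits | Select-Object -First 5 TimeCreated, Id, MachineName | Format-Table -AutoSize
    'Windows is writing file audit events; if nothing reaches LEM, look at the agent or the filter/rule.'
} else {
    'No 4663 events for web.config; recheck the audit policy and the audit entry on the file.'
}
```

If step 4 shows events locally but none appear in the console, the problem is downstream of Windows auditing, which is the backtracking split the post describes.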