2 Replies Latest reply on Jul 15, 2015 5:38 PM by nicole pauls

    FIM Questions

    jhillecu

       

      Hello all, I have recently deployed FIM on 2 servers and am a bit overwhelmed on a few things.  I’m hoping someone can help guide me a bit.  Currently I am getting data from the servers, but now need to tune it some and make my reports more useful.  I am not a server admin but my role is LEM and its reports.  My server guys will work with me to make changes if needed, but I have to guide them to what I need.

       

      1. Do I only need to enable the FIM connector on a server with the agent installed to get it working? I had seen some information at http://knowledgebase.solarwinds.com/kb/questions/3454/How+to+enable+file+auditing+in+Windows indicating I needed to enable file auditing on objects and files.  Is this still necessary or is this just the “old way” relying strictly on Windows auditing?
      2. From reading https://thwack.solarwinds.com/thread/71564 , I gather that there is no way to truly know if someone has opened a file, or simply opened the folder.  I assume this is still the case?  If so, is there any benefit to having the File: Read condition checked in the FIM monitor?
      3. Is there a use case for checking the condition check boxes for Permissions: Read, Other: Read, or Other: Write?  One can assume that you have permissions to get to the share, if you get to it.
      4. I am having the issue that many actions are showing as user NT AUTHORITY\SYSTEM in File Audit reports, as https://thwack.solarwinds.com/message/240397 .  We are using LEM 6.1 and have the 6.1 agent installed.  Any ideas?
      5. Any other suggestions you may have concerning making my data more useful with FIM would be appreciated.

        

      Thank you

       

        • Re: FIM Questions
          curtisi
          1. Windows file auditing isn't required to use the Log and Event Manager FIM
          2. That's still the case.  IMHO, reads aren't worth collecting
          3. The "Writes" can be useful for flagging changes to permissions and ownership
          4. Some operations will always show NTSYSTEM, but as long as the Agent is running where files are hosted, deletes and creates ought to have user credentials on them
          5. Solarwinds Log and Event Manager - Configuring FIM and Analyzing FIM Data - YouTube
          • Re: FIM Questions
            nicole pauls

            If you want to tell when someone opened a file vs. a folder with FIM, you can change whether to look for an extension or not (i.e. *.* vs. just *). Or, you can audit the files you're interested in directly and not the parent directory with a mask. Or, if you explicitly want to know about the directory, you can configure FIM without recursion. There's a lot of noise that comes with reading a directory, though, regardless of whether it's Windows or FIM auditing.