
File Change Monitoring


File change monitoring allows you to monitor one or more directories and be notified when changes to specified files in a directory occur. You can be notified when

 

a file was added to a directory
a file was removed from a directory
a file increased in size
a file decreased in size
a file changed its checksum (SHA)

 

In addition, EventSentry can log all changes to the database and allows you to view the current status and the history of changes made in the monitored directories.

 


Please see File Monitoring vs. File Access Tracking for a comparison between this and the File Access Tracking feature.

 

Before you start specifying directories to monitor, you should set the general monitor options of the object.

 


 

Monitoring Interval / Type

Monitor folder(s) in real time

By default, the listed directories will be monitored in real time. This means that the OS will notify EventSentry when changes in the affected directories occur. This is the most efficient monitoring option, but might add unnecessary overhead if the monitored directory contains a large number of files (> 100) that change frequently.

 

When monitoring directories in real time, it is recommended that you check the "Only verify checksum when last write time changed" check box in the "Checksum Optimizations" section.

 

We also recommend setting a recurring monitoring option in addition to monitoring folders in real time, in case the OS does not send the real time notifications to EventSentry.

 

Monitor every X seconds

Instead of monitoring folders in real time, you can also monitor them with a recurring schedule, for example every 10 minutes. This is useful for directories that contain a large number of files that change very frequently, or for directories where real time notifications are not required.

 


Please keep in mind that the file monitoring feature can potentially consume a significant amount of CPU time, especially when using the checksum feature and when monitoring folders containing many files.

 

If you need to monitor folders containing thousands of files and the CPU time of the EventSentry agent (eventsentry_svc.exe) is higher than expected, then please carefully consider and adjust the following settings:

 

"Monitor every x minute(s)" should be increased from the default of one hour.
"Ignore checksums for files larger than" may need to be decreased to reduce the number of times a checksum is created.
"Detect file checksum changes" should be disabled if it is not needed.

 

Advanced Settings & Optimizations

If you are monitoring the checksum of files, it is recommended that you set the optimization options in this section to reduce the load the EventSentry agent places on the monitored system(s).

 

Ignore checksums for files larger than

If the monitored directories contain large files (e.g. files larger than 50Mb), then calculating the checksum might take many minutes and use up most of the available CPU time on a server. By setting a maximum file size for the checksum feature, you can prevent the service from calculating the checksum of large files.

 

Disable folder redirection on 64-bit systems (Wow64)

If you run the EventSentry agent on a 64-bit machine and monitor folders for which the OS has file redirection for 32-bit processes enabled (e.g. %SYSTEMROOT%\SYSTEM32), then the OS will automatically redirect them to their "Windows on Windows" counterpart. For example, C:\Windows\System32 would be redirected to C:\Windows\SysWOW64. Enabling this option will disable folder redirection on 64-bit systems.

 

Only verify checksum when last write time changed

By default, EventSentry will calculate the checksum of every included file in a monitored directory when a file change is reported by the OS. This, again, can consume a large amount of CPU time if the monitored directory contains a large number of files. By activating this option, the agent will only calculate and compare the checksum of a file if the last write time has changed.

 

Only verify checksum when file size has changed

By default, EventSentry will calculate the checksum of every included file in a monitored directory when a file change is reported by the OS. This, again, can consume a large amount of CPU time if the monitored directory contains a large number of files. By activating this option, the agent will only calculate and compare the checksum of a file if the file size has changed.
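The following sketch illustrates the size limit and the "last write time" gate described above on a recurring scan. It is an added example, not EventSentry code: the function names, the SHA-256 choice (the page only says "SHA"), the 1024-byte limit and the sample files are all assumptions made for the illustration.

```python
import hashlib, os, tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        while chunk := fh.read(65536):
            h.update(chunk)
    return h.hexdigest()

def scan(root, prev=None, mtime_gate=False, max_hash_bytes=None):
    prev, state, hashed = prev or {}, {}, 0
    for e in (x for x in os.scandir(root) if x.is_file()):
        st, old = e.stat(), prev.get(e.name)
        if max_hash_bytes is not None and st.st_size > max_hash_bytes:
            digest = None  # over the size limit: track size only
        elif mtime_gate and old and old[1] == st.st_mtime_ns:
            digest = old[2]  # write time unchanged: reuse baseline digest
        else:
            digest, hashed = sha256_file(e.path), hashed + 1
        state[e.name] = (st.st_size, st.st_mtime_ns, digest)
    return state, hashed  # state: {name: (size, mtime_ns, digest or None)}

def diff(old, new):
    events = []  # the five change types listed on this page
    for name in sorted(old.keys() | new.keys()):
        if name not in old or name not in new:
            events.append((name, "added" if name in new else "removed"))
            continue
        (osz, _, oh), (nsz, _, nh) = old[name], new[name]
        if nsz != osz:
            events.append((name, "size increased" if nsz > osz else "size decreased"))
        if oh and nh and oh != nh:
            events.append((name, "checksum changed"))
    return events

def demo():  # constructed sample files in a temp directory
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for name, data in [("a.txt", b"v1"), ("b.txt", b"x"), ("d.txt", b"y"), ("big.bin", bytes(4096))]:
            (d / name).write_bytes(data)
        base, n_base = scan(d, max_hash_bytes=1024)
        (d / "a.txt").write_bytes(b"v2")  # same size, new content
        m = base["a.txt"][1] + 2_000_000_000
        os.utime(d / "a.txt", ns=(m, m))  # make the write time differ
        (d / "b.txt").unlink()
        (d / "c.txt").write_bytes(b"new")
        (d / "big.bin").write_bytes(bytes(4196))
        new, n_gated = scan(d, base, mtime_gate=True, max_hash_bytes=1024)
        return diff(base, new), (n_base, n_gated, scan(d, base, max_hash_bytes=1024)[1])
```

`demo()` returns the event list and the number of hashes computed for the baseline, the gated rescan and an ungated rescan. The gate trades coverage for CPU: a file is only re-hashed when its last write time differs from the baseline, and files over the size limit are tracked by size alone.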

 

Database

Specify the database that will be used when a directory is configured to record changes to the central database.