Once auditing has been configured on one or more directories, you can either monitor specific directories with EventSentry, or intercept all file access tracking events generated on the system and normalize them.
Event Analysis
When setting up file access tracking, you need to determine at which level of detail you would like to analyze events. The choices are Normalize Only, Normalize & Verify, and Normalize, Verify & Filter.
Normalize Only
This is the least resource-intensive option: it intercepts object tracking events, normalizes them and writes them to the EventSentry database. With this option, no additional verification of the files being accessed is performed. This is the only option available when Track all file access activity is selected.
Normalize Only is the recommended setting for computers running Windows Vista and later, since those systems already generate operational events.
Normalize & Verify
This option, in addition to normalizing events as described above, also performs additional verification of the files being accessed. It requires more resources, since the agent creates a checksum for every file in the monitored directories when monitoring is initialized, as well as for any file that is subsequently written to.
Verify attempts to confirm most file modifications:
1. Write access to files is verified by comparing SHA checksums of the files before and after the access
2. File deletions are verified by checking that the file no longer exists
3. File additions are verified by checking that the file now exists
If an action can be confirmed in this way, the event is flagged as "verified".
The Verify option is only available when you specify one or more directories, since it requires the agent to initialize every monitored directory.
Normalize, Verify & Filter
This selection is identical to the Normalize & Verify setting, except that only file modifications that have been verified (e.g. through a checksum comparison) are logged to the database. If an action cannot be verified, the event is discarded.
This option is not recommended for security-sensitive environments, since important events might be discarded when an action cannot be properly determined (for example, a write that leaves the file's checksum unchanged).
Tracking directories
You can either track all file access activity, or specify one or more directories to be monitored.
Tracking all file access activity
Select this option to track all object tracking events generated on the system. When this option is selected, Event Analysis is automatically set to Normalize Only.
Monitoring one or more directories
Add one or more directories to the list to track file access events only from the selected directories. This option is also required in order to use Normalize & Verify or Normalize, Verify & Filter. Click the plus icon to add a directory to the list of monitored directories. Monitoring a UNC path or network share (such as \\SERVER1\Payroll) is not supported.
Additionally, you can configure which access masks should be recorded (e.g. only WriteData or Delete) and also specify a file filter to include only certain files or exclude files that should not be tracked. See Access Masks & Filter for more information.
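The following is an added example (not EventSentry code) that models the three Event Analysis modes and the access-mask and file filters described above. It baselines a monitored directory with SHA-256 checksums (the page only says "SHA"; the specific algorithm is an assumption), then checks each constructed 4663-style event against the file system: writes by checksum comparison, deletions by non-existence, additions by existence. Event field names, mode names and the demo activity are this example's own assumptions.

```python
import hashlib
import os
import shutil
import tempfile
from fnmatch import fnmatch

# Access-mask bits as they appear in event 4663 (values from winnt.h).
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_APPEND_DATA = 0x0004
DELETE = 0x10000
WRITE_MASKS = FILE_WRITE_DATA | FILE_APPEND_DATA

# The three analysis modes (names are this example's, not the product's).
NORMALIZE = "normalize"
NORMALIZE_VERIFY = "normalize+verify"
NORMALIZE_VERIFY_FILTER = "normalize+verify+filter"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Initialize a monitored directory: checksum every file it contains."""
    sums = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            sums[path] = sha256_file(path)
    return sums


def verify(event, sums):
    """Check the claimed action against the file system.

    Returns (verified, action); updates the checksum table on success so a
    later write to the same file is compared against the new content.
    """
    path, mask = event["ObjectName"], event["AccessMask"]
    if mask & DELETE:
        if not os.path.exists(path):
            sums.pop(path, None)
            return True, "delete"
        return False, "delete"
    if mask & WRITE_MASKS:
        if not os.path.exists(path):
            return False, "write"
        current = sha256_file(path)
        if path not in sums:                 # addition: file now exists
            sums[path] = current
            return True, "add"
        if current != sums[path]:            # modification: checksum changed
            sums[path] = current
            return True, "write"
        return False, "write"                # write claimed, content unchanged
    return False, "read"


def process(events, mode, sums, record_masks=WRITE_MASKS | DELETE,
            include="*", exclude=None):
    """Normalize events; verify and optionally filter depending on mode."""
    records = []
    for ev in events:
        name = os.path.basename(ev["ObjectName"])
        if not ev["AccessMask"] & record_masks:           # access-mask filter
            continue
        if not fnmatch(name, include) or (exclude and fnmatch(name, exclude)):
            continue                                      # file filter
        rec = {"path": ev["ObjectName"], "logon_id": ev["LogonId"],
               "mask": ev["AccessMask"], "verified": False, "action": None}
        if mode != NORMALIZE:
            rec["verified"], rec["action"] = verify(ev, sums)
            if mode == NORMALIZE_VERIFY_FILTER and not rec["verified"]:
                continue                                  # discard unverified
        records.append(rec)
    return records


def demo(mode):
    """Run one mode over constructed activity in a temporary directory."""
    root = tempfile.mkdtemp()
    try:
        a, b, c, d = (os.path.join(root, n) for n in
                      ("a.txt", "b.txt", "c.tmp", "d.txt"))
        for p in (a, b):
            with open(p, "w") as f:
                f.write("original\n")
        sums = baseline(root)                  # agent initializes the directory
        with open(a, "a") as f:                # real modification
            f.write("more\n")
        os.remove(b)                           # real deletion
        for p in (c, d):                       # two additions
            with open(p, "w") as f:
                f.write("new\n")
        events = [                             # constructed 4663-style events
            {"ObjectName": a, "AccessMask": FILE_APPEND_DATA, "LogonId": "0x3e7"},
            {"ObjectName": b, "AccessMask": DELETE, "LogonId": "0x3e7"},
            {"ObjectName": c, "AccessMask": FILE_WRITE_DATA, "LogonId": "0x3e7"},
            {"ObjectName": d, "AccessMask": FILE_WRITE_DATA, "LogonId": "0x3e7"},
            {"ObjectName": a, "AccessMask": FILE_WRITE_DATA, "LogonId": "0x3e7"},
            {"ObjectName": a, "AccessMask": FILE_READ_DATA, "LogonId": "0x3e7"},
        ]
        return process(events, mode, sums, exclude="*.tmp")
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for mode in (NORMALIZE, NORMALIZE_VERIFY, NORMALIZE_VERIFY_FILTER):
        print(mode, [(os.path.basename(r["path"]), r["verified"], r["action"])
                     for r in demo(mode)])
```

The fifth event illustrates the caveat for the filter mode: it reports a write to a.txt whose content did not change after the earlier append, so it cannot be verified and is kept (unverified) under Normalize & Verify but dropped under Normalize, Verify & Filter. The read event and the .tmp file are removed by the access-mask and file filters in every mode.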
Retrieve Source IP address and Computer Name
When the logon ID contained in the file access tracking event can be correlated with an earlier logon session, EventSentry includes the IP address and/or host name recorded for that session. If only one of the two is available, a DNS lookup (reverse for an IP address, forward for a host name) is performed to obtain the missing value.
Because DNS records can be missing or stale, information obtained through such lookups might not be 100% accurate.
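As an added example (not EventSentry code), the correlation described above: a table is built from constructed 4624 logon events keyed by TargetLogonId, each 4663 file access event is matched on its SubjectLogonId, and a forward or reverse DNS lookup fills in whichever of the two values is missing. The record also notes whether a value came from the logon event or from DNS, so the accuracy caveat can be applied downstream. The field names are those of the Windows events; the resolver stand-ins, sample records and output field names are constructed assumptions so the example runs offline.

```python
import socket

# Values Windows writes into 4624 when no network source applies.
NOT_AVAILABLE = {"", "-", "::1", "127.0.0.1"}


def build_session_table(logon_events):
    """Map each 4624 TargetLogonId to the source recorded at logon time."""
    return {ev["TargetLogonId"].lower(): {"ip": ev.get("IpAddress", "-"),
                                          "host": ev.get("WorkstationName", "-")}
            for ev in logon_events}


def reverse_lookup(ip):
    """PTR lookup; None on failure (real resolver, used when not stubbed)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def forward_lookup(host):
    """A/AAAA lookup; None on failure (real resolver, used when not stubbed)."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def enrich(file_event, sessions, reverse=reverse_lookup, forward=forward_lookup):
    """Attach SourceIp/SourceHost to a 4663 event via its SubjectLogonId."""
    rec = dict(file_event, SourceIp=None, SourceHost=None,
               SourceResolution="uncorrelated")
    sess = sessions.get(file_event["SubjectLogonId"].lower())
    if sess is None:                      # logon happened before collection started
        return rec
    ip = None if sess["ip"] in NOT_AVAILABLE else sess["ip"]
    host = None if sess["host"] in NOT_AVAILABLE else sess["host"]
    if ip and host:
        resolution = "logon"              # both values taken from the logon event
    elif ip:
        host = reverse(ip)
        resolution = "reverse-dns" if host else "logon"
    elif host:
        ip = forward(host)
        resolution = "forward-dns" if ip else "logon"
    else:
        resolution = "local"              # interactive/service logon, no source
    rec.update(SourceIp=ip, SourceHost=host, SourceResolution=resolution)
    return rec


LOGON_EVENTS = [  # constructed 4624 records (subset of fields)
    {"TargetLogonId": "0x1a2b3c", "IpAddress": "10.0.0.25", "WorkstationName": "WS-FINANCE01"},
    {"TargetLogonId": "0x1a2b4d", "IpAddress": "10.0.0.31", "WorkstationName": "-"},
    {"TargetLogonId": "0x1a2b5e", "IpAddress": "-", "WorkstationName": "WS-HR02"},
    {"TargetLogonId": "0x3e7", "IpAddress": "-", "WorkstationName": "-"},
]
FILE_EVENTS = [  # constructed 4663 records (subset of fields)
    {"SubjectLogonId": "0x1A2B3C", "ObjectName": r"C:\Payroll\q1.xlsx", "AccessMask": "0x2"},
    {"SubjectLogonId": "0x1a2b4d", "ObjectName": r"C:\Payroll\q2.xlsx", "AccessMask": "0x2"},
    {"SubjectLogonId": "0x1a2b5e", "ObjectName": r"C:\Payroll\q3.xlsx", "AccessMask": "0x10000"},
    {"SubjectLogonId": "0x3e7", "ObjectName": r"C:\Payroll\backup.zip", "AccessMask": "0x2"},
    {"SubjectLogonId": "0x777777", "ObjectName": r"C:\Payroll\q4.xlsx", "AccessMask": "0x2"},
]
# Constructed DNS answers so the example runs offline.
FAKE_PTR = {"10.0.0.31": "ws-sales07.corp.example"}
FAKE_A = {"WS-HR02": "10.0.0.44"}


def demo():
    sessions = build_session_table(LOGON_EVENTS)
    return [enrich(ev, sessions, reverse=FAKE_PTR.get, forward=FAKE_A.get)
            for ev in FILE_EVENTS]


if __name__ == "__main__":
    for r in demo():
        print(r["SubjectLogonId"], r["SourceIp"], r["SourceHost"], r["SourceResolution"])
```

Logon IDs are compared case-insensitively because the two events do not always render the hexadecimal value with the same case. A file event whose logon ID predates collection (the last sample) stays uncorrelated rather than being guessed, and records marked "reverse-dns" or "forward-dns" carry the DNS accuracy caveat from the paragraph above.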