Please enable JavaScript to view this site.

Navigation: Monitoring with EventSentry > System Health Monitoring

File Change & Integrity Monitoring

Scroll Prev Top Next More

info_24

See File Monitoring vs. File Access Tracking for a comparison between File Change Monitoring and File Access Tracking.

 

File change monitoring monitors one or more directories and generates alerts when changes to specified files in a directory occur:

 

a file was added to a directory

a file was removed from a directory

a file increased in size

a file decreased in size

a file changed its checksum (SHA256)

 

In addition, EventSentry can log all changes to the database and allows viewing of the current status and the history of changes made in the monitored directories. The following file properties are available in the web reports:

 

Version

Hash (SHA256)

Size

Entropy

Digital Signature (when available)

Stream info

 

clip0166

 

Monitoring Interval / Type

Monitor folder(s) in real time

By default, the listed directories will be monitored in real time. This means that the OS will notify EventSentry when changes in the affected directories occur. This is the most efficient monitoring option, but might add unnecessary overhead if the monitored directory contains a large number of files that change frequently.

 

When monitoring directories in real time, checking "Only verify checksum when last write time changed" is recommended.

 

Setting a recurring monitoring option in addition to monitoring folders in real time is also recommended in case the OS does not send real time notifications to EventSentry.

 

Monitor every X seconds

Instead of monitoring folders in real time, files can also be monitored with a recurring schedule, for example every 10 minutes. This is useful for directories that contain a large number of files that change very frequently, or for directories where real time notifications are not required.

 

warning_48

The file monitoring feature can potentially consume a significant amount of CPU time, especially when using the checksum feature and when monitoring folders containing many files.

 

If folders containing thousands of files need to be monitored, and the CPU time of the EventSentry agent is higher than expected, then please carefully consider and adjust the following settings:

 

"Monitor every x minute(s)" should be increased from the default of one hour.

"Ignore checksums for files larger than" may need to be decreased to reduce the number of times a checksum is created

"Detect file checksum changes" should be disabled if it is not needed

 

Advanced Settings & Optimizations

It is recommended to set the optimization options in this section to reduce the load the EventSentry agent has on the monitored system(s) when monitoring file checksums.

 

Ignore checksums for files larger than

If the monitored directories contain large files (e.g. files larger than 50Mb) , then calculating the checksum might take many minutes and use up most of the available CPU time on a server. By setting a maximum file size for the checksum feature, you can prevent the service from calculating the checksum of large files.

 

Only verify incremental checksum (log files)

Only calculates & compares the checksum up to the previously known size when a monitored file increases in size. This is useful for files storing transactions, where existing data may not be modified but new data is being added.

 

Disable folder redirection on 64-bit systems (Wow64)

When running the EventSentry agent on a 64-bit machine and monitoring folders for which the OS has file redirection for 32-bit processes enabled (e.g. %SYSTEMROOT%\SYSTEM32), then the OS will automatically redirect them to their "Windows on Windows" counterpart. For example, C:\Windows\System32 would be redirected to C:\Windows\SysWOW64. Enabling this option will disable folder redirection on 64-bit systems.

 

Only verify checksum when last write time changed

By default, EventSentry will calculate the checksum of every included file in a monitored directory when a file change is reported by the OS. This, again, can consume a large amount of CPU time If the monitored directory contains a large number of files. By activating this option, the agent will only calculate and compare the checksum of a file if the last write time has changed.

 

Only verify checksum when file size has changed

By default, EventSentry will calculate the checksum of every included file in a monitored directory when a file change is reported by the OS. This, again, can consume a large amount of CPU time If the monitored directory contains a large number of files. By activating this option, the agent will only calculate and compare the checksum of a file if the file size has changed.

 

warning_48

Known Limitations

 

It is not recommended to also specify directories which are sub directories of already configured directories when the "Include Sub Directories" option is selected. For example, monitoring both C:\Documents as well as C:\Documents\Finance is not recommended.

 

Monitoring UNC paths (e.g. \\SERVER1\Payroll) is not supported.

 

Database

Specify the database that will be used when a directory is configured to record changes to the central database.