
LEM v5.8 (FIM) Beta 1 Notes


What to Test and How

We're interested in:

  1. Stability of the File Integrity Monitoring (FIM) driver on your systems (any issues deploying/starting it, or any crashes/blue screens)
  2. Whether you're seeing the data reported that you'd expect to see
  3. Any issues or confusion with configuration
  4. What kind of monitoring templates it'd be useful to have
  5. Suggestions, comments, improvements, as usual

You will need to:

  1. Deploy a new LEM 5.8 Virtual Appliance (we provided just the VMware OVA; if you need Hyper-V, let me know and we'll see what we can do)
  2. Deploy one or more LEM 5.8 agents (NON-PRODUCTION Windows systems, ideally virtual machines, but at the least systems you could easily recover if they had a blue screen or other crash)
  3. Enable the FIM driver manually on those agents
  4. Configure the FIM monitoring connectors for those agents (you will need to configure both a FIM File AND a FIM Registry connector for everything to work in the beta)

Remember, this beta version of LEM is not supported in production and will not necessarily be upgradeable to future or release versions.

Deploying and Configuring

  1. Deploy the LEM Virtual Appliance (included in the zip file, in the OVA directory)
  2. Install the LEM 5.8 Agent and connect it to the Virtual Appliance (use either the local or remote installer, included in the zip)
  3. On the Agent system, you'll need to manually register the FIM driver:
    1. Copy install.zip from the beta download to the system
    2. Extract install.zip
    3. Right-click "SWFsInstall.bat" and choose Run as Administrator
      1. This also creates the SWLogFileFolder, where FIM events are temporarily stored until the Agent reads them.
  4. Connect to the LEM Console
  5. From Manage > Nodes (Gear on the Agent > Connectors), create BOTH a FIM File and Directory connector AND a FIM Registry connector for the Agent (configuring only one may not trigger events properly in the beta; a single connector will be enough in a later build)
  6. Based on what you've configured for monitoring, trigger some events and check them out in Monitor.
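For step 6, it helps to generate a small, known sequence of file and registry changes so you can tick each one off in Monitor rather than guessing what the driver should have reported. The script below is an added example for this beta post, not SolarWinds code: it assumes the FIM File and Directory connector on the agent has been set to monitor $TestDir and the FIM Registry connector to monitor $TestKey (both are placeholders; substitute whatever you configured), and it writes a timestamped checklist of the changes it made next to the test directory. It only touches a temp folder and a key under HKCU, so it needs no elevation and is safe to rerun.

```powershell
# Added example (not SolarWinds/LEM code): produce a known set of FIM-visible
# changes and record when each was made, so you can compare against Monitor.
# Assumptions: $TestDir is covered by your FIM File and Directory connector and
# $TestKey by your FIM Registry connector. Both paths are placeholders.
param(
    [string]$TestDir = (Join-Path $env:TEMP 'lem-fim-test'),
    [string]$TestKey = 'HKCU:\Software\LemFimTest'
)

$expected = New-Object System.Collections.Generic.List[string]

function Note([string]$Message) {
    # Record what we did and when; Monitor should show a matching event for each line.
    $stamp = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss.fff')
    $expected.Add("$stamp  $Message")
    Write-Host "$stamp  $Message"
}

# --- File and directory events ---
if (-not (Test-Path $TestDir)) {
    New-Item -ItemType Directory -Path $TestDir | Out-Null
    Note "DIR CREATE    $TestDir"
}
$file = Join-Path $TestDir 'canary.txt'
Set-Content -Path $file -Value 'initial content'
Note "FILE CREATE   $file"
Start-Sleep -Milliseconds 500           # spacing makes events easier to tell apart in Monitor

Add-Content -Path $file -Value 'modified'
Note "FILE WRITE    $file"
Start-Sleep -Milliseconds 500

Get-Content -Path $file | Out-Null
Note "FILE READ     $file  (beta caveat: a read may be reported more than once)"
Start-Sleep -Milliseconds 500

$renamed = Join-Path $TestDir 'canary-renamed.txt'
Rename-Item -Path $file -NewName 'canary-renamed.txt'
Note "FILE RENAME   $file -> $renamed"
Start-Sleep -Milliseconds 500

Remove-Item -Path $renamed
Note "FILE DELETE   $renamed"

# --- Registry events (HKCU, so no elevation needed) ---
if (-not (Test-Path $TestKey)) {
    New-Item -Path $TestKey -Force | Out-Null
    Note "REG KEY CREATE    $TestKey"
}
New-ItemProperty -Path $TestKey -Name 'Canary' -Value 'one' -PropertyType String -Force | Out-Null
Note "REG VALUE SET     $TestKey\Canary = one"
Set-ItemProperty -Path $TestKey -Name 'Canary' -Value 'two'
Note "REG VALUE CHANGE  $TestKey\Canary = two"
Remove-ItemProperty -Path $TestKey -Name 'Canary'
Note "REG VALUE DELETE  $TestKey\Canary"
Remove-Item -Path $TestKey
Note "REG KEY DELETE    $TestKey"

# Save the checklist so you can compare it line by line with what Monitor shows.
$checklist = Join-Path $env:TEMP 'lem-fim-expected.txt'
$expected | Set-Content -Path $checklist
Write-Host "Expected-event checklist written to $checklist"
```

Run it once per agent after both connectors are in place; anything in the checklist that never appears in Monitor (or appears twice) is exactly the kind of report we're asking for in the feedback section.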

Known Issues & Caveats

  • The FIM driver is a low-level kernel driver, so it is possible that other drivers (especially poorly written ones) could conflict with it and lead to a blue screen or crash. We don't expect this, but it's possible.
  • When the driver ships with the release of LEM, it'll start automatically when it should, and you'll be able to disable/stop it from the LEM console if you need to, but this isn't implemented just yet.
  • It is not possible to use connector profiles with FIM to configure multiple agents yet, but this is in progress.
  • You will need to configure BOTH File and Registry connectors for the beta to report events, but this won't be necessary in later builds.
  • At least when auditing file reads, there may be multiple events reported for a single file being opened, especially by applications. If you see this, we're interested in understanding how often you're seeing it and how big of a problem it is.
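To put a number on the last caveat rather than an impression, you can group the read events Monitor shows for one path and process and count how many fall within a short window of a previous one. The snippet below is an added example, not LEM code: the event lines are constructed for illustration, and their layout (date, time, action, path, process, space separated, no spaces in paths) is an assumption rather than LEM's actual export format, so adjust the split if you paste in real data.

```powershell
# Added example (not SolarWinds/LEM code): count near-duplicate FIM events so the
# "multiple events per file open" caveat can be reported as a rate, not a feeling.
# The sample lines are constructed; the column layout is an assumption.
$sample = @'
2013-05-01 10:00:00.010 FileRead C:\Data\report.xlsx excel.exe
2013-05-01 10:00:00.095 FileRead C:\Data\report.xlsx excel.exe
2013-05-01 10:00:00.140 FileRead C:\Data\report.xlsx excel.exe
2013-05-01 10:00:02.000 FileRead C:\Data\notes.txt notepad.exe
2013-05-01 10:00:05.300 FileWrite C:\Data\report.xlsx excel.exe
2013-05-01 10:00:05.310 FileRead C:\Data\report.xlsx excel.exe
2013-05-01 10:00:09.000 FileRead C:\Data\report.xlsx excel.exe
'@

function Measure-FimDuplicates {
    param([string[]]$Lines, [int]$WindowMs = 250)

    # Parse each line into a timestamped event (assumed column order, see above).
    $events = foreach ($line in $Lines) {
        $f = $line -split ' ', 5
        if ($f.Count -lt 5) { continue }
        [pscustomobject]@{
            Time    = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss.fff', $null)
            Action  = $f[2]
            Path    = $f[3]
            Process = $f[4]
        }
    }

    # For each action/path/process combination, a second event inside $WindowMs of
    # the last accepted one is treated as a double report of the same open.
    foreach ($g in ($events | Group-Object Action, Path, Process)) {
        $dups = 0
        $last = $null
        foreach ($e in ($g.Group | Sort-Object Time)) {
            if ($last -and ($e.Time - $last).TotalMilliseconds -le $WindowMs) {
                $dups++
            } else {
                $last = $e.Time   # genuinely new event; start a fresh window
            }
        }
        [pscustomobject]@{ Event = $g.Name; Total = $g.Count; Duplicates = $dups }
    }
}

Measure-FimDuplicates -Lines ($sample -split "`r?`n") -WindowMs 250 | Format-Table -AutoSize
```

With the constructed sample, the Excel read of report.xlsx shows 5 events of which 2 are within 250 ms of an earlier one, which is the kind of "N duplicates out of M reads" figure that makes the feedback actionable. Tune $WindowMs to whatever gap you observe between the repeated events on your system.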

Issues & Feedback

  • If you encounter any stability issues, we'll at the very least need to know the OS version, and we may need a more detailed inventory of what else is installed on the system that might conflict with the driver.
  • If you get lost, confused, or have configuration issues, let us know what might help - even if it's documentation (we know you're flying a little blind).
  • If you have any suggestions or general feedback, we're all ears.
