4 Replies. Latest reply: Nov 13, 2017 9:31 AM by ski107

LCE Windows Client Text File Monitoring

ski107 Novice

We have set up text file monitoring for config changes within the Windows LCE Client policy, but the events are being shown in SC as unnormalized, and thus mostly useless. As a result, we can't do any reporting or use any file integrity dashboards. Is this expected behavior? I also tried upgrading everything to latest, same issue.

  • Re: LCE Windows Client Text File Monitoring
    ldavidson Expert

    Good evening,

    I want to make sure I understand. Are your events like this unnormalized?

    Aug 24, 17 05:24 [192.168.1.1] File "C:\Windows\System32/wbem/Repository/OBJECTS.DATA" has been modified.Its MD5 checksum changed from 3dca726cad55dca560ae8e758f31fa5b3a to 21a2bb505bca686b2dbe7d956e8bd93e3a.

    • Re: LCE Windows Client Text File Monitoring
      ski107 Novice

      Hey Mike,

       

      In our case we're using text file monitoring and not binary, and our events look like this:

      Time                      | Event Type   | Message
      Nov 9, 2017 12:50:09 EST  | unnormalized | <!-- test comments -->
      Nov 9, 2017 13:02:13 EST  | unnormalized | test
      Nov 9, 2017 13:14:09 EST  | unnormalized | <!-- test comments ADding additional changes not seeing an Error in SC-->
      Nov 9, 2017 13:28:22 EST  | unnormalized | <!-- test comments ADding additional changes not seeing an Error in SC-->
      Nov 9, 2017 13:28:22 EST  | unnormalized | <!-- test comments ADding additional changes not seeing an Error in SC-->
      Nov 9, 2017 13:32:22 EST  | unnormalized | test new line 4
      Nov 9, 2017 15:43:51 EST  | unnormalized | test new line 6

       

      And our policy is this:

      <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
      <!-- Created with LCE web policy editor by user admin -->
      <options xmlns:xi='http://www.w3.org/2003/XInclude'>
        <event-log>Application</event-log>
        <event-log>Security</event-log>
        <event-log>System</event-log>
        <flat-file>
          <location>D:\\application\\bin</location>
          <include>*.config</include>
          <include>*.xml</include>
        </flat-file>
        <monitor-subdirectories>0</monitor-subdirectories>
        <tail-subdirectories>0</tail-subdirectories>
        <interval-log-seconds>60</interval-log-seconds>
        <send-new-events-only>1</send-new-events-only>
        <monitor-config>0</monitor-config>
        <info>0</info>
        <verbose>0</verbose>
        <debug>0</debug>
        <statistics-frequency>60</statistics-frequency>
        <heartbeat-frequency>300</heartbeat-frequency>
        <compress-events>1</compress-events>
      </options>

      This is using LCE 5.0.2 and Windows Client 5.0.1. I created a test.xml in the monitored folder and added some new lines and comments to it to generate LCE events.

      • Re: LCE Windows Client Text File Monitoring
        ldavidson Expert

        Good morning,

         

        Those events would not be normalized; they don't clearly belong to one application or another, and tailing the text changes for that file probably doesn't make much sense because the functionality is meant for log files where text is always appended to the end, not randomly throughout as it might be when a configuration file is modified.  For a configuration file, I think you would want to monitor it as a binary file, because you want to know when it changes.  That would result in a normalized log providing you with the file name that was added/modified/deleted, along with the previous and current hashes.  Then, you could search for the file modification event and combine it with a filename to create alerts for when certain configuration files are modified.

         

        Hopefully that clarifies it a bit.  If not, help me understand what you want to get out of watching that particular configuration file.

         

        Thanks!
        - Mike
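The distinction in the reply above (append-only tailing versus hash-based change detection, then filtering modification events by filename) as an added, stand-alone example. This is illustration code written for this thread, not LCE client code and not from either poster. It assumes the modification-event text follows the single sample line quoted earlier in the thread (the regex is built from that one line), and the second event, for D:\application\bin\web.config, is constructed in the same shape.

```python
"""Added example: why tailing a config file yields nothing useful, what a
hash baseline sees instead, and how to alert on modification events by path.
Not LCE code; the event format is inferred from one sample line."""
import fnmatch
import hashlib
import re

SAMPLE_EVENTS = [
    # Line quoted by ldavidson above (hash lengths reproduced as quoted).
    'Aug 24, 17 05:24 [192.168.1.1] File "C:\\Windows\\System32/wbem/Repository/OBJECTS.DATA" '
    'has been modified.Its MD5 checksum changed from 3dca726cad55dca560ae8e758f31fa5b3a '
    'to 21a2bb505bca686b2dbe7d956e8bd93e3a.',
    # Constructed line in the same shape for a file under the poster's D:\application\bin.
    'Nov 9, 17 13:02 [10.0.0.5] File "D:\\application\\bin\\web.config" has been modified.'
    'Its MD5 checksum changed from 0123456789abcdef0123456789abcdef '
    'to fedcba9876543210fedcba9876543210.',
]

# Assumption: real events keep this exact wording; adjust if your LCE output differs.
EVENT_RE = re.compile(
    r'^(?P<ts>.+?) \[(?P<host>[^\]]+)\] File "(?P<path>[^"]+)" has been modified\.\s*'
    r'Its MD5 checksum changed from (?P<old>[0-9a-fA-F]+) to (?P<new>[0-9a-fA-F]+)\.$'
)


def parse_modification_event(line):
    """Return {ts, host, path, old, new} for a binary-file modification event, else None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["path"] = ev["path"].replace("/", "\\")  # the sample mixes separators; normalise
    return ev


def alert_on_paths(lines, watched_globs):
    """Mike's suggestion: combine the modification event with a filename pattern."""
    alerts = []
    for line in lines:
        ev = parse_modification_event(line)
        if ev and any(fnmatch.fnmatch(ev["path"].lower(), g.lower()) for g in watched_globs):
            alerts.append(ev)
    return alerts


def tail_new_text(previous_size, content):
    """What a tail-style reader emits: only bytes beyond the offset it last saw.
    Returns None when the file shrank, since a tailer cannot describe that change."""
    if len(content) < previous_size:
        return None
    return content[previous_size:]


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def diff_baseline(old, new):
    """Compare two {path: bytes} snapshots the way a hash-based monitor would."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys()
                           if md5_hex(old[p]) != md5_hex(new[p])),
    }


def demo():
    cfg = "D:\\application\\bin\\web.config"
    before = b'<config>\n  <add key="Debug" value="0"/>\n</config>\n'
    # Same-length in-place edit: nothing is appended, so a tailer has nothing to report,
    # while the MD5 of the file changes and the baseline diff flags it as modified.
    after = b'<config>\n  <add key="Debug" value="1"/>\n</config>\n'
    return {
        "tail_sees": tail_new_text(len(before), after),
        "baseline_diff": diff_baseline({cfg: before}, {cfg: after}),
        "alerts": [e["path"] for e in alert_on_paths(
            SAMPLE_EVENTS, ["D:\\application\\bin\\*.config", "D:\\application\\bin\\*.xml"])],
    }


if __name__ == "__main__":
    print(demo())
```

The `demo()` result makes the point concrete: the tailer returns an empty string for an edit that flipped a setting, the hash comparison lists the file as modified, and the pattern filter keeps only the event for a file under the monitored directory while dropping the unrelated OBJECTS.DATA event.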

        • Re: LCE Windows Client Text File Monitoring
          ski107 Novice

          Thanks Mike, that makes sense. We will switch to binary and then do manual investigations to see what the actual changes were. In my mind, the text file monitoring would have had a normalized event with any new lines added to a file - kind of like a diff. Your explanation of what it's used for makes sense.

           

          Thanks!