In our case we're using text file monitoring and not binary, and our events look like this:
Time                      Event Type    Message
Nov 9, 2017 12:50:09 EST  unnormalized  <!-- test comments -->
Nov 9, 2017 13:02:13 EST  unnormalized  test
Nov 9, 2017 13:14:09 EST  unnormalized  <!-- test comments ADding additional changes not seeing an Error in SC-->
Nov 9, 2017 13:28:22 EST  unnormalized  <!-- test comments ADding additional changes not seeing an Error in SC-->
Nov 9, 2017 13:28:22 EST  unnormalized  <!-- test comments ADding additional changes not seeing an Error in SC-->
Nov 9, 2017 13:32:22 EST  unnormalized  test new line 4
Nov 9, 2017 15:43:51 EST  unnormalized  test new line 6
And our policy is this:
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<!-- Created with LCE web policy editor by user admin -->
This is using LCE 5.0.2 and Windows Client 5.0.1. I created a test.xml in the monitored folder and added some new lines and comments to it to generate LCE events.
Those events would not be normalized; they don't clearly belong to one application or another, and tailing the text changes for that file probably doesn't make much sense because the functionality is meant for log files where text is always appended to the end, not randomly throughout as it might be when a configuration file is modified. For a configuration file, I think you would want to monitor it as a binary file, because you want to know when it changes. That would result in a normalized log providing you with the file name that was added/modified/deleted, along with the previous and current hashes. Then, you could search for the file modification event and combine it with a filename to create alerts for when certain configuration files are modified.
Hopefully that clarifies it a bit. If not, help me understand what you want to get out of watching that particular configuration file.
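The binary-monitoring flow described in the reply above (hash each file, emit an added/modified/deleted event carrying the previous and current hash, then alert when a named configuration file is modified), as an added Python illustration. This is not LCE's own code and does not reproduce LCE's event format; the directory layout, the file names, the event field names and the choice of SHA-256 are assumptions made for the example.

```python
"""Added example (not LCE code): a minimal binary-style file-change monitor.

It snapshots a directory's file hashes, diffs two snapshots into
added/modified/deleted events with previous and current hashes, and filters
those events into alerts for a set of watched configuration file names.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Optional, Tuple

Event = Dict[str, Optional[str]]


def sha256_of(path: str) -> Optional[str]:
    """Hash a file's bytes; None if it vanished between listing and reading."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except FileNotFoundError:
        return None


def snapshot(directory: str) -> Dict[str, str]:
    """Map every regular file under `directory` to its current hash."""
    state: Dict[str, str] = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            digest = sha256_of(path)
            if digest is not None:
                state[path] = digest
    return state


def diff_snapshots(old: Dict[str, str], new: Dict[str, str]) -> List[Event]:
    """Turn two snapshots into change events, one per added/modified/deleted file."""
    events: List[Event] = []
    for path in sorted(set(old) | set(new)):
        before, after = old.get(path), new.get(path)
        if before is None:
            action = "added"
        elif after is None:
            action = "deleted"
        elif before != after:
            action = "modified"
        else:
            continue  # unchanged: no event
        events.append({"action": action, "file": path,
                       "previous_hash": before, "current_hash": after})
    return events


def config_alerts(events: Iterable[Event], watched_names: Iterable[str]) -> List[Event]:
    """Keep only modification events whose basename is in the watched list.

    This mirrors the 'search for the file modification event and combine it
    with a filename' step from the reply, done here in code instead of a query.
    """
    names = {n.lower() for n in watched_names}
    return [e for e in events
            if e["action"] == "modified"
            and os.path.basename(e["file"]).lower() in names]


def demo() -> Tuple[List[Event], List[Event]]:
    """Constructed scenario: a config file and a log file both change; only the
    config file should raise an alert."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "test.xml")          # assumed watched config file
        log = os.path.join(d, "notes.txt")         # assumed ordinary text file
        with open(cfg, "w") as fh:
            fh.write("<policy/>\n")
        with open(log, "w") as fh:
            fh.write("line 1\n")
        baseline = snapshot(d)

        with open(cfg, "w") as fh:                  # rewrite config in place
            fh.write("<policy>\n  <!-- changed -->\n</policy>\n")
        with open(log, "a") as fh:                  # append to the text file
            fh.write("line 2\n")

        events = diff_snapshots(baseline, snapshot(d))
        alerts = config_alerts(events, ["test.xml"])
        return events, alerts


if __name__ == "__main__":
    evs, als = demo()
    for e in evs:
        print(e["action"], e["file"], e["previous_hash"], "->", e["current_hash"])
    print("alerts:", [os.path.basename(a["file"]) for a in als])
```

Running the script shows two "modified" events (both files changed) but a single alert, because only test.xml is in the watched list; the previous and current hashes on the alert are what a manual investigation would then compare against a known-good copy.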
Thanks Mike, that makes sense. We will switch to binary and then do manual investigations to see what the actual changes were. In my mind, the text file monitoring would have had a normalized event with any new lines added to a file - kind of like a diff. Your explanation of what it's used for makes sense.