Preparing To Monitor Windows Hosts

The Real-time monitoring features support Windows Server 2003 and 2008 along with Windows XP. The Real-time monitoring modules for Windows rely on operating system capabilities to collect information about file changes. One of these is reading the Windows Event Log to identify the user who made a change. If Windows is not configured to audit the user who makes changes, the agent cannot capture that information; it will still record that a change occurred and when it occurred, but not who made it.

To configure the event log to work with real time monitoring, perform the following steps:

  1. From Windows Explorer, select the directory that is being monitored by a Real-time Monitoring Rule, right-click and select Properties.
  2. Go to the Security tab.
  3. Click Advanced.
  4. Select the Auditing tab.
  5. Click Add. (On Windows XP, double-click in the Auditing Entries window.)
  6. Select Everyone as the Name, then click OK. You can instead choose specific users if your Configuration Change Console rules only monitor changes by those users. Because the rules also filter results by user, enabling auditing for Everyone is safe: only the users named in your rules appear in the captured changes.
  7. Select the following options (Successful and/or Failed) in the Access list. For Windows XP and Windows 2003:
    • Create Files/Write Data

    • Create Folders/Append Data

    • Delete Subfolders and Files

    • Delete

    For Windows 2008 and Windows 7:

    • Create Files/Write Data

    • Create Folders/Append Data

    • Write Attributes

    • Write Extended Attributes

    • Delete Subfolders and Files

    • Delete

    • Change Permissions

    • Take Ownership

  8. Click OK to exit.
  9. Repeat steps 1 through 8 for every other monitored directory or file.
  10. From the Start menu, select Settings, then Control Panel, then Administrative Tools, then Local Security Policy. Expand Local Policies, then Audit Policy. Double-click each of the following policies and enable it (Success and/or Failure):
    • Audit account logon events

    • Audit logon events

    • Audit object access

  11. Close the Local Security Settings screen.
  12. From the Start menu, select Settings, then Control Panel, then Administrative Tools, and finally Event Viewer.
  13. Select the Security log (the object access and logon audit events enabled in step 10 are written to this log), then click Action on the menu bar and select Properties.
  14. On the General tab of the Security log Properties panel, set the Maximum log size to at least 5120 KB (5 megabytes) and select Overwrite events as needed. The size you need depends on how many events the system generates during the two-minute reporting interval; the log must be large enough to hold all of them, because if it wraps before the agent reads it, the user attribution for those changes is lost. If you lengthen the reporting interval for file events because you expect a lower change rate, make sure the Windows audit log is large enough to hold the events generated in that longer interval.
  15. Click Apply then OK to exit.
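The same configuration, as an added PowerShell example that is not part of the Oracle documentation: it applies steps 1 through 15 to a single monitored directory from an elevated Windows PowerShell prompt and then checks the result. The directory path is an assumption to be replaced with the path named in your Real-time Monitoring Rule; the cmdlets and the auditpol.exe options are standard Windows tools, not Configuration Change Console commands, and auditpol.exe and Get-WinEvent exist only on Windows Vista/2008 and later.

```powershell
# Added example, not Oracle's code. Run in an elevated Windows PowerShell session
# on the monitored host. Writing a SACL needs the "Manage auditing and security
# log" privilege, which local Administrators hold by default.

# Assumption: replace with the directory named in your Real-time Monitoring Rule.
$MonitoredPath = 'C:\MonitoredApp\conf'

# --- Steps 1-8: an audit entry for Everyone on the directory, inherited by
# subfolders and files. This is the Windows 2008 / Windows 7 right list from the
# procedure above; it is a superset of the XP / 2003 list, so it works on both.
$rights = [System.Security.AccessControl.FileSystemRights](
    'CreateFiles, AppendData, WriteAttributes, WriteExtendedAttributes, ' +
    'DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership')
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$audit     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit, $propagate, $audit)

# -Audit makes Get-Acl read the SACL as well as the DACL; without it the audit
# rules are not loaded and Set-Acl would not write them back.
$acl = Get-Acl -Path $MonitoredPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $MonitoredPath -AclObject $acl

# --- Step 10: the three audit policies. Category names are the English ones and
# are localized on other locales. On XP / 2003 use the Local Security Policy
# console instead, as described in the procedure.
auditpol.exe /set /category:"Account Logon" /success:enable /failure:enable
auditpol.exe /set /category:"Logon/Logoff"  /success:enable /failure:enable
auditpol.exe /set /category:"Object Access" /success:enable /failure:enable
# On 2008 / Windows 7 the only Object Access subcategory a file SACL needs is
# "File System"; enabling just that one is much quieter than the whole category:
#   auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# --- Steps 12-15: size and retention of the Security log, which is where object
# access and logon audit events are written. 5 MB is the documented minimum; the
# value must be a multiple of 64 KB.
Limit-EventLog -LogName Security -MaximumSize 5MB -OverflowAction OverwriteAsNeeded

# --- Checks worth running before trusting the agent's user attribution.
(Get-Acl -Path $MonitoredPath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
auditpol.exe /get /category:"Object Access"
Get-EventLog -List | Where-Object { $_.Log -eq 'Security' } |
    Format-Table Log, MaximumKilobytes, OverflowAction -AutoSize

# Make one change and confirm the audit event lands. On 2008 / Windows 7 the event
# is 4663 ("An attempt was made to access an object"); its Subject fields name the
# account that made the change, Properties[6] is the object path. On XP / 2003 the
# equivalent event is 560 in the Security log.
$probe = Join-Path $MonitoredPath 'audit-probe.txt'
New-Item -Path $probe -ItemType File -Force | Out-Null
Remove-Item -Path $probe
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
    Where-Object { $_.Properties[6].Value -eq $probe } |
    Select-Object TimeCreated, Id,
        @{ n = 'Subject'; e = { "$($_.Properties[2].Value)\$($_.Properties[1].Value)" } },
        @{ n = 'Object';  e = { $_.Properties[6].Value } }
```

If the last command returns nothing, the agent will still see the change but will not be able to report who made it: check that the SACL entry was written (first check), that Object Access auditing is enabled (second), and that the Security log has not already wrapped (third). Enabling Success auditing for Everyone on a busy directory can generate thousands of 4663 events per minute, so size the log against the real change rate rather than the 5 MB minimum.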

If Windows auditing is not configured properly, warnings appear on the Compliance Standard Target Association page in the Cloud Control user interface. This is the same page where you associated your Real-time Monitoring Compliance Standards with your targets.