File & Directory Change Monitor

The File & Directory Change Monitor watches files and directories on a server for changes, including file and directory creation and deletion. It can help you keep track of changes to your systems, and can even act as an intrusion detection system. In particular, this monitor can help fulfill the requirements of several mandated security practices, such as the "Payment Card Industry Data Security Standard" (part 11.5).

When configuring the File & Directory Change Monitor, specify the starting directory and whether the subdirectories should also be checked. If the directory is not local to the computer, using UNC paths is a good idea since mapped drives may not be available to the service when it runs.

You can specify which file types should be monitored. Buttons let you quickly add common executable file types or all files, or you can manually add the individual file types that you care about.

If you selected All Files above, you can then filter out certain file types by extension. For example, knowing that temporary (.tmp) files have changed is often not helpful.

The Monitor Files For Changes area of the dialog is where you specify which aspects of the files and directories you'd like to monitor. If you select File Contents, each file is opened, its entire contents are read, and a checksum is generated for later comparison. This can be resource intensive, and should generally be done only for the smallest subset of files that will meet your needs.

If you indicate that subdirectories should be monitored, you have the ability to filter out some of the subdirectories. The pattern-matching algorithm is very simple: Before a path is scanned, a backslash "\" is appended to the end of the path. Then the list of ignored directories is scanned and if the text of any ignored directory can be completely found within the path to be scanned, that directory (and all of its subdirectories) is skipped. The check is not case sensitive.
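
The matching rule described above, written out as an added example (it is not the product's code) to show how an ignore entry can exclude more directories than intended. The function names, the sample paths and the handling of empty entries are assumptions made for illustration.

```python
# Added illustration of the documented ignore-directory rule; not the product's code.

def is_skipped(path, ignored_dirs):
    """Return the ignore entry that causes `path` to be skipped, or None.

    Rule as documented: append a backslash to the path, then skip the
    directory if the text of any ignore entry occurs anywhere inside it.
    The comparison is not case sensitive.
    """
    candidate = (path + "\\").lower()
    for entry in ignored_dirs:
        # Assumption: empty entries are ignored (they would match everything).
        if entry and entry.lower() in candidate:
            return entry
    return None


def audit(paths, ignored_dirs):
    """Map each skipped directory to the ignore entry that matched it."""
    skipped = {}
    for p in paths:
        hit = is_skipped(p, ignored_dirs)
        if hit is not None:
            skipped[p] = hit
    return skipped


# Constructed sample directory tree (hypothetical, not from the page).
SAMPLE_PATHS = [
    r"C:\Windows\Temp",
    r"C:\inetpub\wwwroot\Templates",
    r"C:\inetpub\wwwroot\app\TEMP\cache",
    r"D:\Data\logs",
    r"D:\Data\catalogs",
]

# Loose entries: "\temp" also matches "\Templates\", "logs" also matches "catalogs".
LOOSE = audit(SAMPLE_PATHS, ["\\temp", "logs"])

# Entries bounded by backslashes match whole directory names only.
TIGHT = audit(SAMPLE_PATHS, ["\\temp\\", "\\logs\\"])

if __name__ == "__main__":
    for label, result in (("loose", LOOSE), ("tight", TIGHT)):
        print(label)
        for path, entry in result.items():
            print(f"  skipped {path!r} because of {entry!r}")
```

With the loose entries all five sample directories drop out of monitoring, including the web root's Templates directory; with the bounded entries only the three directories actually named Temp or logs are skipped.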

Some files change constantly (certain system files, for example), but not so many that you can ignore every file with that extension. You can specify individual files to ignore during the scan.

Easy Train is a powerful feature that lets you set up your File & Directory Change Monitor and then let it learn which files need to be ignored. It performs an initial scan and records data on all files. Then, after an interval that you specify (a number of days in which typical actions on files will have taken place), it performs another scan. All files that changed during this learning period are assumed to be files that will always be changing, so those files are automatically entered into the "Files to ignore" list for you. After the training period ends, the monitor automatically switches into its normal scanning pattern. While the monitor is in its training mode, it indicates this in the space to the left of the Easy Train button.

PA Server Monitor