The File & Directory Change Monitor is a very powerful monitor that can for watch changes to files and directories on a server including file and directory creation and deletion. It can aid you in keeping track of changes to your systems, and even act as an intrusion detection system. In particular, this monitor can help fulfill the requirements of several mandated security practices, such as file integrity monitoring (FIM) as described in the "Payment Card Industry Data Security Standard" (PCI DSS) (part 11.5).
When configuring the File & Directory Change Monitor, specify the starting directory and whether the subdirectories should also be checked. If the directory is not local to the computer, using UNC paths is required since mapped drives are usually not available to the service when it runs.
The File & Directory Change Monitor can watch any CIFS share, which includes Windows shares, shares on a NAS device, and shares on Linux/Unix computer that were shared with the Samba daemon.
You can specify which file types (by file extension) should be monitored. There are buttons that let you quickly add common executable file types, all files, or you can manually add individual file types that you care about.
If you select All Files, you can then filter out certain file types by extension. For example, knowing that temporary (.tmp) files have changed is often not helpful.
The Monitor files for changes... is where you specify what aspects of the files and directories you'd like to monitor. If you select File Contents the file is opened and its entire contents are read and a checksum is generated for later comparison. This can be resource intensive, and should generally only be done for the smallest subset of files that will accomplish your needs.
If you indicate that subdirectories should be monitored, you have the ability to filter out some of the subdirectories. The pattern-matching algorithm is very simple: Before a path is scanned, a backslash "\" is appended to the end of the path. Then the list of ignored directories is scanned and if the text of any ignored directory can be completely found within the path to be scanned, that directory (and all of its subdirectories) is skipped. The check is not case sensitive.
Some files are always changing (some system files for example), but not enough that you can ignore all files of that extension. You can specify individual files to ignore during the scan.
"Files to ignore" is a text box where you can enter the names of files that are to be ignored by the File and Directory Change Monitor. This feature operates in conjunction with the Training feature in order to customize the behavior of PA Server Monitor easily.
Training is a powerful feature available on many monitors. With the File & Directory Change monitor, the monitor will watch for changes over a period of time. Everything that changes within that period of time is automatically added to the Files to Ignore list.
After the training period ends, the monitor automatically switches into its normal scanning pattern.
Because "Files to ignore" is a text box, you can remove any files or add new files as you require by editing the list of files by hand.
All file and directory changes that can be alerted on are also recorded to a database. This database allows you to run reports on types of changes, changes to particular files or directories, etc.