File Integrity Monitoring Troubleshooting Suggestions

If you have configured File Integrity Monitoring (FIM) but are unable to view events that trigger alerts in F5 Distributed Cloud App Infrastructure Protection (AIP), consider these troubleshooting suggestions or contact support.

  1. Ensure your server is assigned a ruleset.
  2. Confirm the specific rule is enabled.
  3. Confirm the rule is monitoring the expected directory and event type.
  4. Ensure no suppression is preventing the alert from triggering.
  5. Verify the rule reached the Agent.
  6. Verify FIM events are appearing on the Events page.
  7. Ensure the server does not run CentOS or RHEL 6 (RHEL 6 and CentOS specific FAQ).
Is the Ruleset Applied to the Server?

You can ensure Distributed Cloud AIP is monitoring the right server.

  1. In the left navigation pane, click the Servers tab.
  2. Click on the server from the list.
  3. Verify the correct ruleset displays in the Summary pane.

    serverruleset.png

Note

In this example, a Base Rule Set was assigned to the server named "instance-1".

Confirm the Rule is Enabled

Navigate to the ruleset and ensure the rule is enabled.

  1. In the left navigation pane, click the Rules tab.


    rulestab.png

    Note

    You can also navigate to the ruleset from the Servers page.

  2. Select a ruleset from the list.


    Base_ruleset_selected.png

    Note

    In this example, the Base Rule Set was selected.

  3. Click the Show More link to display additional rules.


    Show_more_link.png

  4. Select a rule from the list.


    Additional_rule_selected.png

    Note

    In this example, the Files: Secret File Opens rule is selected.

  5. Confirm the rule is enabled.


    Confirm_rule_enabled.png

    Note

    Disabled rules will be grayed out and listed at the bottom of the ruleset they belong to.

Confirm the Rule is Monitoring the Expected Directory and Event Type

You can inspect the rule and confirm the rule monitors the expected directory and event type(s).

  1. In the left navigation pane, click the Rules tab.


    rulestab.png

    Note

    You can also navigate to the ruleset from the Servers page.

  2. Select a ruleset from the list.


    Base_ruleset_selected.png

    Note

    In this example, the Base Rule Set was selected.

  3. Click the Show More link to display additional rules.


    Show_more_link.png

  4. Select a rule from the list.


    Additional_rule_selected.png

    Note

    In this example, the Files: Secret File Opens rule is selected.

  5. Click the File Paths link.


    File_paths_link.png

  6. In the right view pane, the File Paths to Monitor screen displays. Confirm the rule is monitoring the expected directory and event type(s) by reviewing the File Integrity Paths field and the Events To Monitor field.


    File_paths_to_monitor_pane.png

Confirm No Suppressions are Preventing Alerts from Triggering

There could be a suppression preventing an alert from displaying an event. You can confirm whether a suppression is enabled within a rule.

  1. In the left navigation pane, click the Rules tab.


    rulestab.png

    Note

    You can also navigate to the ruleset from the Servers page.

  2. Select a ruleset from the list.


    Base_ruleset_selected.png

    Note

    In this example, the Base Rule Set was selected.

  3. Click the Show More link to display additional rules.


    Show_more_link.png

  4. Select a rule from the list.


    Additional_rule_selected.png

    Note

    In this example, the Files: Secret File Opens rule is selected.

  5. Click the Suppressions link.


    Suppressions_link.png

  6. In the right view pane, the Suppressions screen displays. Review the related suppressions and confirm they do not interfere with your ability to generate an alert.


    Suppressions_pane.png

Confirm the Rule Reached the Agent
  1. Connect to your instance.
  2. Navigate to the following directory: /opt/threatstack/etc/.
  3. Open the tsfim.config.json file.
  4. Within this file, under the watcher’s key find the directories key.
    • Its value should be a list of the monitored directories.
  5. Confirm your directory displays on this monitored list.

    Note

    If you choose to monitor an individual file instead, or in addition to a directory, then it will display in the files key instead of the directories key.

Example

The “Files: Secret File Opens" rule has Distributed Cloud AIP monitor the "/fimtesting/" and "/home/ubuntu/.aws/" directories. Distributed Cloud AIP does not monitor any individual files because the rule does not call for monitoring.


Verify_Rule_Reached_Agent.png

Confirm Events are Generated and Searchable in Distributed Cloud AIP

You can confirm whether the right events are searchable in Distributed Cloud AIP.

  1. In the left navigation pane, click the Events tab. All raw events display.


    eventstab.png

  2. In the Search field, enter the following:
    event_type = "file"


    Event_type_search.png

    Note

    File refers to a FIM event in Distributed Cloud AIP.

  3. Click the Date and Time drop-down menu.


    Select_date_and_time.png

  4. The date and time dialog displays. Click the Quick Jump link.


    Quick_jump_link.png

  5. Select your desired time period from the available options.


    Quick_jump_time.png

    Note

    Selecting the time period triggers the search in Distributed Cloud AIP.

  6. A list of events displays.


    Event_search_results.png

    Note

    If no search results display, ensure there is no misspelling in your search criteria or select a different time frame.

Was this article helpful?
0 out of 0 found this helpful