Technote (troubleshooting)
Problem (Abstract)
File Integrity Monitoring (FIM) shows events that have no user name.
Resolving the problem
FIM events show two event names: "File Modified" and "Critical File Modified". Events whose names begin with "Critical ..." are generated by real-time monitoring. The other events are generated by a scheduled baseline comparison. Only events that come from real-time monitoring will ever carry a user name, because such an event is associated with a user action: a user logs in to the system and modifies a file, and the FIM event captures the user name and returns it to SiteProtector. Events generated by scheduled baselines cannot determine the user name, because the baseline can only see that a file has changed since the last baseline. The agent is therefore not able to associate a user name with scheduled baseline events.
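The limitation described above, shown as an added illustration in Python (this is not IBM or SiteProtector code). The function names, event dictionary layout and sample files are assumptions constructed for the example. A baseline comparison only has the before and after state of each file, so nothing in it identifies who made the change.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Scheduled-baseline style snapshot: relative path -> SHA-256 of contents."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                state[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return state


def compare(old, new):
    """Diff two snapshots into events for files present in both.
    Only before/after state is available, so the user field stays empty."""
    events = []
    for path in sorted(set(old) & set(new)):
        if old[path] != new[path]:
            events.append({
                "event": "File Modified",  # name the page gives baseline events
                "path": path,
                "old_sha256": old[path],
                "new_sha256": new[path],
                "user": None,              # not recoverable from a snapshot diff
            })
    return events


def demo():
    """Constructed sample: two files, one edited between two baselines."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("hosts", b"127.0.0.1 localhost\n"), ("motd", b"hello\n")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        before = snapshot(root)
        with open(os.path.join(root, "hosts"), "ab") as fh:  # change between baselines
            fh.write(b"10.0.0.5 example.internal\n")
        return compare(before, snapshot(root))


if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

File ownership metadata would not fill the gap either: the owner recorded on a file is not necessarily the account that last wrote to it.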
If the above information does not resolve your issue, please contact IBM Security Systems Customer Support.
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.