File Integrity Monitoring (FIM) shows events that have no username.
Resolving the problem
FIM events use two event names: File Modified and Critical File Modified. Events whose names begin with "Critical ..." are generated by real-time monitoring. The other events are generated by a scheduled baseline comparison. Only events that come from real-time monitoring ever include a user name, because such an event is associated with a user action: a user logs in to the system and modifies a file. The FIM event then captures the user name and returns it to SiteProtector. Events generated by scheduled baselines cannot determine the user name, because the baseline can only see that a file has changed since the last baseline. The agent is not able to associate a user name with scheduled baseline events.