File Integrity Monitoring shows no username

Technote (troubleshooting)


File Integrity Monitoring (FMI) shows events that have no username.

Resolving the problem

FIM events show two event names: File Modified and Critical File Modified. The events that begin with "Critical ..." are events that are generated by real time monitoring. The other events are generated from a scheduled baseline comparison. The only events that will ever generate a user name are the events that come from real time monitor. This is because the event is associated with a user action. A user is logging in to the system and modifying a file. The FIM event then captures the user name and returns it to SiteProtector. Events that are generated by scheduled baselines can not determine the user name since the baseline can only see that a file has changed since the last baseline. The agent is not able to associate a user name with scheduled baseline events.

Document information

More support for:

IBM Security Host Protection
Proventia Server

Software version:


Operating system(s):


Reference #:


Modified date:


Translate my page

Content navigation