Configure File Integrity Scanner

Configure AgentX to monitor files and directories for changes on Windows or Linux endpoints.

Prerequisites

  • Template created or selected for editing

  • Understanding of which files and directories require integrity monitoring

  • Knowledge of file system structure and critical paths on target endpoints

Procedure

  1. In the template configuration, locate File Integrity Scanner.

  2. Select Add New to add a file integrity monitoring configuration.

  3. Enter a Name for the monitored file or directory.

  4. In Include Path, enter the full path to the file or directory to monitor.

  5. In Exclude Path, enter paths to exclude from monitoring (optional). Leave empty to monitor all items in the Include Path.

  6. In Schedule, enter the scan frequency in seconds. This determines how often AgentX checks for changes.

  7. In Recursion, select the depth level for directory scanning:

    • 1 - Monitor only the specified directory (no subdirectories)

    • 2 - Monitor the directory and one level of subdirectories

    • Higher values enable deeper recursion but increase resource usage

  8. Select Save to save the template configuration.

To add multiple file integrity monitoring configurations, select Add New and repeat the procedure.

To remove a configuration, select Delete next to the configuration.

Expected outcome

AgentX Client monitors the specified files and directories according to the scan schedule. When changes are detected, AgentX generates file integrity events and forwards them to Logpoint.

Verification

After assigning the template to a device:

  1. Make a change to a monitored file (edit content, modify permissions, or change attributes).

  2. Wait for the next scheduled scan to complete.

  3. Go to the Logpoint search interface.

  4. Run the following query:

Replace <hostname> with your endpoint hostname.

Verify that file integrity events appear showing the detected changes.

Configuration guidelines

Balance scan frequency with resource usage

Frequent scans of large directories consume CPU and disk I/O resources. For directories with many files, set the schedule to 10-30 minutes (600-1800 seconds).

Limit recursion depth

Keep recursion to 1 or 2 levels to maintain performance. To monitor deep directory structures, create multiple configurations with specific paths rather than using high recursion values.

Use multiple specific paths instead of broad scanning

Rather than monitoring C:\ with high recursion, create separate configurations for specific critical directories such as C:\Windows\System32, C:\Program Files, etc.

Escape commas in directory paths

Commas separate multiple paths in a path field. For directories whose names contain a comma, precede each comma with a backslash (\) so it is read as part of the name.

Exclude high-change directories

Use Exclude Path to skip directories with frequent legitimate changes (temp directories, cache directories, log directories) that would otherwise generate excessive alerts.

Critical Windows paths to monitor:

  • C:\Windows\System32 (system files)

  • C:\Program Files (application files)

  • C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (startup programs)

Critical Linux paths to monitor:

  • /etc (configuration files)

  • /bin, /sbin, /usr/bin, /usr/sbin (system binaries)

  • /root (root user home directory)

  • /home/*/.ssh (SSH keys)

Example configurations

Monitor Windows system directory (limited recursion):

  • Name: System32 Files

  • Include Path: C:\Windows\System32

  • Exclude Path: (empty)

  • Schedule: 1800 (30 minutes)

  • Recursion: 1

Monitor Linux configuration files:

  • Name: System Configuration

  • Include Path: /etc

  • Exclude Path: /etc/ssl/certs,/etc/X11 (exclude certificate store and X11 configs)

  • Schedule: 900 (15 minutes)

  • Recursion: 2

Monitor specific critical file:

  • Name: Hosts File

  • Include Path: C:\Windows\System32\drivers\etc\hosts

  • Exclude Path: (empty)

  • Schedule: 600 (10 minutes)

  • Recursion: 0
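The following Python script is an added illustration of the Include Path, Exclude Path and Recursion semantics described above; it is not AgentX's code and makes no claim about how AgentX is implemented. It splits an Exclude Path value on commas while honouring backslash-escaped commas, scans a constructed temporary tree to the requested depth (1 = the directory itself, 2 = one level of subdirectories), then rescans after some changes and reports the differences as file integrity events. The per-file fingerprint (permission string plus SHA-256 of content), the sample file names and the `demo()` helper are assumptions made for this example.

```python
import hashlib, os, re, stat, tempfile
from pathlib import Path

def split_exclude_paths(value):
    """Split the Exclude Path field on commas; a backslash-escaped comma ('\\,') stays literal."""
    return [p.replace("\\,", ",") for p in re.split(r"(?<!\\),", value) if p]

def fingerprint(path):
    """(permission string, SHA-256 of content) for one path; the hash is empty for non-regular files."""
    st = os.lstat(path)
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest() if stat.S_ISREG(st.st_mode) else ""
    return stat.filemode(st.st_mode), digest

def snapshot(include_path, exclude_paths=(), recursion=1):
    """Map every in-scope path to its fingerprint, honouring Exclude Path and Recursion."""
    excluded = [os.path.abspath(p) for p in exclude_paths]
    state, include_path = {}, os.path.abspath(include_path)
    if not os.path.isdir(include_path):            # a single file: Recursion does not apply (0 on the page)
        return {include_path: fingerprint(include_path)}
    def walk(directory, depth):                    # depth 1 is the Include Path itself, as on the page
        for entry in os.scandir(directory):
            if any(entry.path == e or entry.path.startswith(e + os.sep) for e in excluded):
                continue                           # skip the excluded subtree entirely
            if entry.is_dir(follow_symlinks=False):
                if depth < recursion:
                    walk(entry.path, depth + 1)
            else:
                state[entry.path] = fingerprint(entry.path)
    walk(include_path, 1)
    return state

def diff(before, after):
    """Compare two snapshots; return (event, path) tuples for created, deleted and modified files."""
    kind = lambda p: "created" if p not in before else "deleted" if p not in after else "modified"
    return [(kind(p), p) for p in sorted(set(before) | set(after)) if before.get(p) != after.get(p)]

def demo():
    """Constructed sample tree (not real endpoint data): one scan cycle at Recursion 2."""
    root = Path(tempfile.mkdtemp())
    (root / "sub" / "deeper").mkdir(parents=True)
    (root / "cache,old").mkdir()                   # directory name containing a comma
    for rel in ("app.conf", "sub/a.conf", "sub/deeper/b.conf", "cache,old/tmp"):
        (root / rel).write_text("baseline")
    excludes = split_exclude_paths(str(root / "cache\\,old"))  # comma escaped as the page describes
    before = snapshot(root, excludes, recursion=2)
    (root / "app.conf").write_text("tampered")     # content change
    (root / "sub" / "a.conf").unlink()             # deletion
    (root / "new.conf").write_text("dropped")      # new file
    rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
    return {"baseline": sorted(rel(p) for p in before),
            "events": [(e, rel(p)) for e, p in diff(before, snapshot(root, excludes, recursion=2))]}
```

Note that `sub/deeper/b.conf` never appears in the baseline: at Recursion 2 the scan stops one level below the Include Path, which is why the page recommends separate configurations for deep trees.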
