Configuring consolidation of FAM MS Office events
Use the FAM monitor Office event consolidation feature to filter out the extraneous, irrelevant MS Word, Excel, and PowerPoint file activities.
When FAM monitors the MS Office products MS Word, Excel, and PowerPoint, it generates a lot of extraneous and confusing file events that make it difficult to determine what actually happened on the system. You can use the Office event consolidation feature to filter out the extraneous, irrelevant file activities so that only a clear, concise stream of useful events is presented to the collector. The filter eliminates a very high percentage of extraneous events from the data stream, although occasionally an extraneous file event can still be reported. For instance, Windows and Office open files multiple times to read file attributes without ever actually loading the file into memory. For Office this occurs when a user opens a file: Office initially opens and closes the file to read its attributes (which generates a READ event) before actually reading the file into memory (which generates another READ event). Unfortunately, opening a file only to read its attributes cannot be distinguished from Office opening and reading the actual file into memory.
The FAM monitor office filter software filters out all activity done to temporary files, all activity done to the office journaling files, and the majority of other events that don’t represent what the end user actually did. It also eliminates a lot of the ambiguity as to what happened on the system by providing a much finer granularity of file events. For instance, instead of FILEOP events, it reports the actual underlying events that make up the FILEOP, namely RENAME FILE, SET FILE PERMISSIONS, and SET FILE PROPERTIES. There are also separate events for activity that occurs to folders. This includes CREATE FOLDER, OPEN FOLDER, CLOSE FOLDER, RENAME FOLDER, READ FOLDER, WRITE FOLDER, EXECUTE FOLDER, DELETE FOLDER, SET FOLDER PERMISSIONS, and SET FOLDER PROPERTIES. These are the same events that are generated for files – the only difference is that they apply to folders instead.
The OPEN FILE, CLOSE FILE, OPEN FOLDER, and CLOSE FOLDER events are processed locally by the FAM monitor but are not delivered to the collector. The reason that they are not delivered to the collector is that the Windows file explorer program is constantly opening and closing files in the background and these events are rarely useful or desirable to have. Reporting all of them to the collector would essentially provide useless information to the end user and would flood the collector and the network with useless traffic.
The Office event consolidation is configured with the following parameters in the guard_tap.ini file. The parameters apply only to FAM monitoring; they are ignored by the S-TAP.
To modify the guard_tap.ini file:
- Log on to the database server system using the root account.
- Stop the S-TAP.
- Make a backup copy of the configuration file, guard_tap.ini. The default file location is \Program Files\IBM\Windows S-TAP\Bin\
- Open the configuration file in a text editor.
- Edit the file as necessary. These parameters must be in the [Tap] section of the file.
- Save the file.
- Restart the S-TAP.
Parameter Name | Possible Values | Default Value | Description |
---|---|---|---|
ENABLE_OFFICE_FILTERS | 0, 1 | 1 | Enables or disables the office filter component of the FAM monitor software. When disabled, all file events are reported to the collector, including those for temporary files, journaling files, etc. When enabled, only useful file events related to the actual operation the end user performed are delivered to the collector. |
WORD_EXTENSIONS | List of file extensions | .docx .doc .docm .dotm .dotx .dot .odt | The file extensions that identify a file as a Microsoft Office Word source file. The FAM monitor software uses the office filter component on the event streams generated for these files. |
EXCEL_EXTENSIONS | List of file extensions | .xlsx .xls .xlsm .xlsb .xltx .xltm .xlt .ods | The file extensions that identify a file as a Microsoft Office Excel source file. The FAM monitor software uses the office filter component on the event streams generated for these files. |
POWERPOINT_EXTENSIONS | List of file extensions | .pptx .pptm .ppt .potx .potm .pot .odp | The file extensions that identify a file as a Microsoft Office PowerPoint source file. The FAM monitor software uses the office filter component on the event streams generated for these files. |
FSM_LOG_EVENTS | 0, 1 | 0 | Enables or disables the logging of file events to the FAM monitor text log file. When enabled, all events like CREATE FILE, READ FILE, etc. that are sent to the appliance are also logged to the application’s circular text log file in the STAP ..\logs folder. |
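The following is an added illustrative model of the consolidation behaviour described above, not IBM's FAM code: it reads the [Tap] parameters from a constructed guard_tap.ini fragment, drops the OPEN/CLOSE events that never reach the collector, and, when ENABLE_OFFICE_FILTERS is 1, discards transient files. The rule used to recognise temporary files (Office `~$` owner files and `.tmp` scratch files) is an assumption of this example; real FAM applies more rules than are sketched here.

```python
"""Model of the FAM Office event consolidation described on this page. Illustrative
only (not IBM's code): the temporary-file heuristic is an assumption of this example."""
import configparser
import ntpath  # monitored paths are Windows paths; parse them portably

# Constructed guard_tap.ini fragment using the default values from the table above.
SAMPLE_INI = """
[Tap]
ENABLE_OFFICE_FILTERS=1
WORD_EXTENSIONS=.docx .doc .docm .dotm .dotx .dot .odt
EXCEL_EXTENSIONS=.xlsx .xls .xlsm .xlsb .xltx .xltm .xlt .ods
POWERPOINT_EXTENSIONS=.pptx .pptm .ppt .potx .potm .pot .odp
"""
# Processed locally by the FAM monitor, never delivered to the collector.
LOCAL_ONLY = {"OPEN FILE", "CLOSE FILE", "OPEN FOLDER", "CLOSE FOLDER"}

def load_tap_settings(ini_text):
    """Return (filters_enabled, {extension: application}) from the [Tap] section."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep the upper-case parameter names as written
    cp.read_string(ini_text)
    tap = cp["Tap"]
    enabled = tap.get("ENABLE_OFFICE_FILTERS", "1") == "1"
    exts = {}
    for key, app in (("WORD_EXTENSIONS", "Word"), ("EXCEL_EXTENSIONS", "Excel"),
                     ("POWERPOINT_EXTENSIONS", "PowerPoint")):
        for ext in tap.get(key, "").split():
            exts[ext.lower()] = app
    return enabled, exts

def is_transient(path):
    """Assumed heuristic: Office owner/lock files (~$name) and .tmp scratch files."""
    name = ntpath.basename(path)
    return name.startswith("~$") or name.lower().endswith(".tmp")

def consolidate(events, ini_text):
    """Filter (event, path, user) tuples; tag what survives with the Office app."""
    enabled, exts = load_tap_settings(ini_text)
    delivered = []
    for event, path, user in events:
        if event in LOCAL_ONLY:
            continue
        if enabled and is_transient(path):
            continue  # save-cycle noise, not something the end user did
        app = exts.get(ntpath.splitext(path)[1].lower())
        delivered.append((event, path, user, app))
    return delivered
```

Feeding it a constructed stream for one Word open/save cycle leaves only the READ FILE on the document itself, which matches the behaviour the text describes; set ENABLE_OFFICE_FILTERS=0 in the fragment to see the `~$` and `.tmp` events come back.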