In a Windows environment, Change Guardian monitors the following:
- File integrity
- File shares
- File systems
- Local users and groups
- Processes
- Registry
- Removable media
NOTE: Change Guardian supports monitoring removable media events only on USB flash drives. To monitor an external hard disk drive (HDD), create a file system monitoring policy on the mounted drive.
The following table provides an overview of the tasks required for Change Guardian to start monitoring Windows events:
| Task | See |
|---|---|
| Complete the prerequisites | |
| Add a license key | |
| Configure Change Guardian for monitoring | |
| Triage events | You can triage events in the Change Guardian dashboard and the Administration Console. |
NOTE: Change Guardian supports monitoring removable media events only on USB flash drives and only on the Windows platform. To monitor an external hard disk drive (HDD), create a file system monitoring policy on the mounted drive.
Ensure that you have completed the following:
You can create policies to monitor changes to the following:
- File integrity
- File shares
- File systems
- Local users and groups
- Processes
- Registry
- Removable media
NOTE: To enable the Registry Browser in Change Guardian, you must set the repositoryEnabled flag (under HKLM\Software\Wow6432Node\NetIQ\ChangeGuardianAgent\repositoryEnabled) to 1, and then restart the agent.
If you do not manually set the flag to 1, the Registry Browser returns a "Could not connect to Windows Data Source" error when you use it.
For information about creating policies, see Creating Change Guardian Policies.
After creating policies, you can assign them to assets. For information about assigning policies, see Working with Policies.