Process Tracking

Process Tracking records all process activity (process creation and process exit) in a central database and is intended to monitor application usage on workstations in high-security environments. The collected information can be queried through the web interface to obtain tracking data, history, statistics etc.

Requirements

This feature works by intercepting the Audit Success events that are written to the security event log when Audit Process Tracking is enabled in the Local Security Policy of the monitored host. As such, some requirements need to be met before process tracking can function properly. Please see Requirements for details.

Collected Data

EventSentry will collect the following process information on all supported Windows platforms:

Field                        Description
Process Identifier           PID
Parent Process Identifier    PID of the parent process
Filename                     name of the file executed (without path)
File Path                    path of the file executed (please see below)
Username                     username of the user who executed the process
Domain                       domain (or computer name) of the user who executed the process
Start Time & Date            date and time when the process was launched
Duration                     the time the process was active
Incomplete                   indicates that the Duration field is not reliable

The level of detail in the File Path field depends on the operating system the agent is running on. The following table illustrates this:

Operating System                   Supported Details
Windows NT (all versions)          not supported, field is empty
Windows 2000 (all versions)        contains the path to the executable without logical drive information
Windows XP, Windows Server 2003    contains the path to the executable including logical drive information

Privacy

Process Tracking does not collect which documents have been opened, nor does it collect the command line arguments that were passed to processes.

Since collecting process information does track a user's activity to some extent, you will still need to make sure that collecting this information does not interfere with or violate any corporate policies or laws in place.

Configuration

Tracking All Processes (with exceptions)

Select "Track all processes except those listed below" to monitor all processes. To exclude processes, click the + button and specify the filename (without path) of the process to exclude.

Tracking only selected Processes

Select "Only track processes listed below" and click the + button to add processes that should be monitored to the list.
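The correlation that turns the audit events into the records listed under Collected Data, together with the two include/exclude modes described above, as an added Python example that is not EventSentry's own code: it pairs process-creation and process-exit events from the Security log (event IDs 592/593 on NT/2000/XP/2003, 4688/4689 on Vista and later) by PID to compute Duration, and sets Incomplete when no exit event is seen or a PID is reused without one. The event dictionaries are constructed sample data, and their field names (id, time, pid, ppid, image, user, domain) are this example's own, not the Security log's or EventSentry's.

```python
"""Added example (not EventSentry code): rebuild process-tracking records
from Windows Audit Process Tracking events and apply include/exclude lists."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
import ntpath

# Event IDs written by Audit Process Tracking on NT/2000/XP/2003
# (Vista and later use 4688/4689 for the same purpose).
PROCESS_CREATED = 592
PROCESS_EXITED = 593

# Constructed sample events. The cmd.exe path carries no drive letter,
# as a Windows 2000 host reports it (see the File Path table above).
SAMPLE_EVENTS = [
    {"id": 592, "time": "2004-03-01 09:00:00", "pid": 1204, "ppid": 612,
     "image": r"C:\WINDOWS\system32\notepad.exe", "user": "jsmith", "domain": "CORP"},
    {"id": 592, "time": "2004-03-01 09:00:05", "pid": 1320, "ppid": 612,
     "image": r"C:\WINDOWS\explorer.exe", "user": "jsmith", "domain": "CORP"},
    {"id": 593, "time": "2004-03-01 09:02:30", "pid": 1204,
     "image": r"C:\WINDOWS\system32\notepad.exe", "user": "jsmith", "domain": "CORP"},
    {"id": 592, "time": "2004-03-01 09:03:00", "pid": 1400, "ppid": 1320,
     "image": r"\WINDOWS\system32\cmd.exe", "user": "jsmith", "domain": "CORP"},
    # PID 1320 reappears with no 593 in between: the exit event was missed,
    # so the earlier explorer.exe record cannot get a reliable duration.
    {"id": 592, "time": "2004-03-01 09:10:00", "pid": 1320, "ppid": 612,
     "image": r"C:\WINDOWS\system32\calc.exe", "user": "jsmith", "domain": "CORP"},
]


@dataclass
class ProcessRecord:
    """One row of the kind the Collected Data table describes."""
    pid: int
    parent_pid: int
    filename: str                   # executable name without path
    file_path: str                  # as reported by the OS (may lack the drive)
    username: str
    domain: str
    start: datetime
    duration: Optional[float] = None  # seconds; None until an exit is seen
    incomplete: bool = False          # True when the duration cannot be trusted


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def wanted(filename: str, mode: str, names) -> bool:
    """The two configuration modes: 'all_except' tracks everything not
    listed, 'only' tracks just the listed names. Comparison is on the
    bare filename, case-insensitively, as with the + list in the dialog."""
    listed = filename.lower() in {n.lower() for n in names}
    return (not listed) if mode == "all_except" else listed


def correlate(events, mode="all_except", names=()):
    """Pair creation/exit events by PID and return finished records."""
    open_by_pid = {}
    finished = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == PROCESS_CREATED:
            name = ntpath.basename(ev["image"])
            if not wanted(name, mode, names):
                continue
            stale = open_by_pid.pop(ev["pid"], None)
            if stale is not None:          # PID reused without an exit event
                stale.incomplete = True
                finished.append(stale)
            open_by_pid[ev["pid"]] = ProcessRecord(
                ev["pid"], ev["ppid"], name, ev["image"],
                ev["user"], ev["domain"], _ts(ev["time"]))
        elif ev["id"] == PROCESS_EXITED:
            rec = open_by_pid.pop(ev["pid"], None)
            if rec is None:                # exit for a process never seen starting
                continue
            rec.duration = (_ts(ev["time"]) - rec.start).total_seconds()
            finished.append(rec)
    for rec in open_by_pid.values():       # still running, or exit never logged
        rec.incomplete = True
        finished.append(rec)
    return sorted(finished, key=lambda r: r.start)


if __name__ == "__main__":
    for rec in correlate(SAMPLE_EVENTS, mode="all_except", names=["explorer.exe"]):
        print(rec.start, rec.filename, rec.duration, "incomplete" if rec.incomplete else "")
```

Exit events for excluded processes find no open record and are dropped, so an exclusion removes a process from the database entirely rather than leaving half a row; the Incomplete flag is what a query should check before trusting Duration.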

 

Enabling Process Tracking in the OS

Since process tracking needs to be enabled in the operating system, you can configure the agent to activate it automatically if it isn't already activated. Please see Requirements for more information.

Database

Select the ODBC action which points to the correct database.

Additional Features

If the database specified by the ODBC action is temporarily unavailable, then EventSentry will cache the pending process tracking data and run the transactions when the database server becomes available again.