Process Tracking


Process Tracking records all process activity (process creation and process exit) in a central database and is intended for monitoring application usage on workstations in high-security environments. The collected information can be queried through the web interface to obtain tracking data, history, statistics and so on.

 

Requirements

This feature works by intercepting the Audit Success events that are written to the Security event log when "Audit process tracking" is enabled in the Local Security Policy of the monitored host. As such, some requirements need to be met before process tracking can function properly. Please see Requirements for details.

 

Collected Data

EventSentry will collect the following process information on all supported Windows platforms:

 

Field                      | Description                                                      | Database Field
Process Identifier         | PID                                                              | process_id_part1, process_id_part2
Parent Process Identifier  | PID of the parent process                                        | process_creator_id_part1, process_creator_id_part2
Filename                   | name of the file executed (without path)                         | filename
File Path                  | path of the executed file (see below)                            | filename_path
Username                   | user name of the user who executed the process                   | user_name
Domain                     | domain (or computer name) of the user who executed the process   | user_domain
Start Time & Date          | date and time when the process was launched                      | start_datetime, start_unix
Duration                   | the time the process was active                                  | duration
Incomplete                 | indicates that the duration field is not reliable                | incomplete

 

The level of detail in the File Path field depends on the operating system the agent is running on. The following table illustrates this:

 

Operating System                   | Supported Details
Windows NT (all versions)          | not supported, field is empty
Windows 2000 (all versions)        | contains the path to the executable without logical drive information
Windows XP, Windows Server 2003    | contains the path to the executable including logical drive information

 

Privacy

Process Tracking does not collect which documents have been opened, nor does it collect the command line arguments that were passed to processes.

 

Since collecting process information does track a user's activity to some extent, you still need to make sure that collecting this information does not interfere with or violate any corporate policies or laws in place.

 

Configuration

Tracking All Processes (with exceptions)

Select "Track all processes except those listed below" to monitor all processes. To exclude processes, click the + button and specify the filename (without path) of each process to exclude.

 

Tracking only selected Processes

Select "Only track processes listed below" and click the + button to add the processes that should be monitored to the list.
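The following example, added here and not part of the EventSentry manual or product, shows how the fields of the Collected Data table above are derived from the audit events the Requirements section refers to, and how the two filter modes just described are applied. It pairs process creation events with the matching exit events by PID to compute the duration, and it sets the incomplete flag whenever no trustworthy exit event is found (no exit seen, or the PID was reused before an exit was logged). The event IDs 592/593 are the legacy Security log IDs for "A new process has been created" / "A process has exited" on Windows 2000/XP/2003 (4688/4689 on Vista and later); the sample events are constructed and their field labels only approximate the legacy message layout, so both are assumptions of this example. The filter modes, field names and the case-insensitive filename match are modelled on the page, not taken from EventSentry's own code.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Legacy Security log event IDs produced when "Audit process tracking" is
# enabled on Windows 2000/XP/2003. Vista and later use 4688/4689 instead.
PROCESS_CREATED = 592
PROCESS_EXITED = 593

# Constructed sample events: (event id, time generated, message body).
# Field labels approximate the legacy 592/593 layout (assumption of this example).
SAMPLE_EVENTS = [
    (592, "2004-03-01 08:00:00", "A new process has been created:\n New Process ID: 1240\n"
     " Image File Name: C:\\WINDOWS\\system32\\notepad.exe\n Creator Process ID: 812\n"
     " User Name: jdoe\n Domain: CORP\n"),
    (592, "2004-03-01 08:01:00", "A new process has been created:\n New Process ID: 1312\n"
     " Image File Name: C:\\WINDOWS\\system32\\calc.exe\n Creator Process ID: 812\n"
     " User Name: jdoe\n Domain: CORP\n"),
    (592, "2004-03-01 08:02:00", "A new process has been created:\n New Process ID: 1400\n"
     " Image File Name: C:\\WINDOWS\\system32\\cmd.exe\n Creator Process ID: 812\n"
     " User Name: jdoe\n Domain: CORP\n"),
    (593, "2004-03-01 08:05:30", "A process has exited:\n Process ID: 1240\n"
     " Image File Name: C:\\WINDOWS\\system32\\notepad.exe\n User Name: jdoe\n Domain: CORP\n"),
    (593, "2004-03-01 08:06:00", "A process has exited:\n Process ID: 1312\n"
     " Image File Name: C:\\WINDOWS\\system32\\calc.exe\n User Name: jdoe\n Domain: CORP\n"),
    # PID 1400 is reused before any exit event for cmd.exe was logged.
    (592, "2004-03-01 08:07:00", "A new process has been created:\n New Process ID: 1400\n"
     " Image File Name: C:\\WINDOWS\\system32\\ping.exe\n Creator Process ID: 1500\n"
     " User Name: jdoe\n Domain: CORP\n"),
    (593, "2004-03-01 08:08:00", "A process has exited:\n Process ID: 1400\n"
     " Image File Name: C:\\WINDOWS\\system32\\ping.exe\n User Name: jdoe\n Domain: CORP\n"),
]


@dataclass
class ProcessRecord:
    """One row of tracking data, named after the database fields on this page."""
    process_id: int
    process_creator_id: Optional[int]
    filename: str          # executable name without path
    filename_path: str     # as logged; drive letter depends on the OS (see page)
    user_name: str
    user_domain: str
    start_datetime: datetime
    duration: Optional[float] = None   # seconds; None until an exit event is paired
    incomplete: bool = False           # True when the duration cannot be trusted

    @property
    def start_unix(self) -> int:
        return int(self.start_datetime.timestamp())


class TrackingFilter:
    """'all_except': track everything but the listed names; 'only': track just them."""

    def __init__(self, mode: str, names) -> None:
        if mode not in ("all_except", "only"):
            raise ValueError(f"unknown filter mode {mode!r}")
        self.mode = mode
        self.names = {n.lower() for n in names}   # Windows filenames are case-insensitive

    def tracks(self, filename: str) -> bool:
        listed = filename.lower() in self.names
        return (not listed) if self.mode == "all_except" else listed


def _field(label: str, message: str) -> Optional[str]:
    """Return the value of one 'Label: value' line; anchored so that
    'Process ID' does not match 'New Process ID' or 'Creator Process ID'."""
    m = re.search(rf"^\s*{re.escape(label)}:\s*(.+?)\s*$", message, re.MULTILINE)
    return m.group(1) if m else None


def build_records(events, filt: TrackingFilter) -> list[ProcessRecord]:
    records: list[ProcessRecord] = []
    open_by_pid: dict[int, ProcessRecord] = {}
    for event_id, ts, msg in sorted(events, key=lambda e: e[1]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == PROCESS_CREATED:
            path = _field("Image File Name", msg) or ""
            name = path.rsplit("\\", 1)[-1]
            if not filt.tracks(name):
                continue
            pid = int(_field("New Process ID", msg))
            # A new creation for a PID we still hold open means its exit was never
            # logged (audit gap or PID reuse): close the old record as unreliable.
            stale = open_by_pid.pop(pid, None)
            if stale is not None:
                stale.incomplete = True
            creator = _field("Creator Process ID", msg)
            rec = ProcessRecord(pid, int(creator) if creator else None, name, path,
                                _field("User Name", msg) or "", _field("Domain", msg) or "", when)
            records.append(rec)
            open_by_pid[pid] = rec
        elif event_id == PROCESS_EXITED:
            rec = open_by_pid.pop(int(_field("Process ID", msg)), None)
            if rec is None:
                continue   # started before auditing was on, or excluded by the filter
            rec.duration = (when - rec.start_datetime).total_seconds()
    for rec in open_by_pid.values():   # still running at end of input: duration unknown
        rec.incomplete = True
    return records


if __name__ == "__main__":
    for rec in build_records(SAMPLE_EVENTS, TrackingFilter("all_except", ["calc.exe"])):
        print(rec.filename, rec.process_id, rec.duration, rec.incomplete)
```

Note that an exit event whose PID was never seen as a creation is dropped rather than recorded; a process that was already running when auditing was switched on therefore never appears, which is why the page's requirement to enable auditing before relying on the data matters.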

 

Enabling Process Tracking in the OS

Since process tracking needs to be enabled in the operating system, you can configure the agent to activate it automatically if it is not already activated. Please see Requirements for more information.

 

Database

Select the ODBC target which points to the correct database and table.

 

Additional Features

If the database specified by the ODBC target is temporarily unavailable, EventSentry caches the pending process tracking data and runs the transactions when the database server becomes available again.