Requirements
The process tracking feature works by intercepting Audit Success events that are written to the security event log when Audit Process Tracking is enabled in the Local Security Policy of the monitored host. As such, the following requirements exist:
Windows NT 4: From "Administrative Tools", open "User Manager" or "User Manager for domains" and select Policies -> Audit from the menu. Then check the "Success" checkbox next to "Process Tracking".
Windows 2000 (and higher) without Active Directory: Open "Local Security Policy" in "Administrative Tools". Navigate to "Security Settings" -> "Local Policies" -> "Audit Policy". Double-click "Audit process tracking" and check the "Success" checkbox. This change might take several minutes to become effective.
Windows 2000 (and higher) with Active Directory: Open the appropriate group policy or open the "Domain Security Policy". There, navigate to "Audit Policy" and set "Audit process tracking" to "Success". Depending on your Active Directory setup, you might need to edit a group policy other than the Domain Security Policy.
You can change the "Log size" settings by opening "Event Viewer" (from Administrative Tools) and right-clicking "Security Log". Select "Properties" from the menu and verify that the "Log size" setting is "Overwrite events as needed". Also verify that the "Maximum log size" is sufficiently large.
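The settings above can also be checked from an elevated PowerShell prompt. The following script is an added example, not part of the original documentation. It assumes Windows Vista / Server 2008 or later (where "Audit process tracking" is exposed by auditpol as the "Detailed Tracking" category and process creation is logged as event ID 4688), an English-language system, and a minimum log size chosen here only for illustration.

```powershell
# Added example: verify the process tracking prerequisites on the monitored host.
# Assumptions: Windows Vista / Server 2008 or later, English-language auditpol output,
# PowerShell 3.0 or later, run elevated (reading the Security log requires it).
$MinLogSizeMB = 128   # assumed threshold; the page only asks for a "sufficiently" large log

# 1. Audit policy: "Audit process tracking" maps to the "Detailed Tracking" category.
$policy = auditpol /get /category:"Detailed Tracking" /r |
    Where-Object { $_ } |          # drop blank lines before parsing the CSV report
    ConvertFrom-Csv
$tracking = $policy | Where-Object { $_.Subcategory -in 'Process Creation', 'Process Termination' }

if (-not $tracking) {
    Write-Warning 'No process tracking subcategories found (non-English system or auditpol failed).'
}
foreach ($row in $tracking) {
    # "Success" and "Success and Failure" both satisfy the requirement.
    $ok = $row.'Inclusion Setting' -match 'Success'
    '{0,-20} {1,-20} {2}' -f $row.Subcategory, $row.'Inclusion Setting',
        $(if ($ok) { 'OK' } else { 'Success auditing is NOT enabled' })
}

# 2. Security log retention: Circular corresponds to "Overwrite events as needed".
$log    = Get-WinEvent -ListLog Security
$sizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
"Security log mode: $($log.LogMode), maximum size: $sizeMB MB"
if ($log.LogMode -ne 'Circular') {
    Write-Warning 'Security log is not set to "Overwrite events as needed".'
}
if ($sizeMB -lt $MinLogSizeMB) {
    Write-Warning "Maximum log size is below the assumed minimum of $MinLogSizeMB MB."
}

# 3. Confirm that process creation events are actually being written.
#    A policy change can take several minutes to apply, so an empty result
#    right after enabling auditing is not necessarily a failure.
$last = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue
if ($last) {
    "Most recent process creation event (4688): $($last.TimeCreated)"
} else {
    Write-Warning 'No event ID 4688 found in the Security log yet.'
}
```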