Process Tracking records all process activity (process creation, process exit) in a central database and is intended to monitor application usage on workstations in high-security environments. The collected information can be queried through the web interface to obtain tracking data, history, statistics, etc.
This feature works by intercepting the Audit Success events that Windows writes to the Security event log when Audit Process Tracking is enabled in the Local Security Policy of the monitored host. As such, some requirements need to be met before process tracking can function properly; please see requirements for details.
EventSentry will collect the following process information on all supported Windows platforms:
The amount of detail in the File Path field depends on the Operating System the agent is running on. The following table illustrates this:
Process Tracking does not record which documents have been opened, and it does not collect the command line arguments passed to processes unless the "Capture command line of processes" option is enabled.
Since collecting process information tracks a user's activity to some extent, you should make sure that collecting this information does not interfere with or violate any corporate policies or laws in place.
Tracking All Processes (with exceptions)
Select "Track all processes except those listed below" to monitor all processes. To exclude processes click the + button and specify the filename (without path) of the process to exclude.
Tracking only selected Processes
Select "Only track processes listed below" and click the + button to add processes that should be monitored to the list.
Capture command line of processes
You can capture the command line of processes with this option. The command line can only be obtained while the process is still running, so it will not be captured for processes with a very short lifetime (e.g. < 2 seconds). Activating this option might incur a small performance overhead.
Enabling Process Tracking in the OS
Since process tracking needs to be enabled in the Operating System, you can configure the agent to activate it automatically if it isn't already activated. Please see requirements for more information.
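The following PowerShell script is an added example, not part of this page or of EventSentry itself. It does by hand what the options above describe: it checks whether the Windows audit subcategories that Process Tracking relies on are enabled (the "Process Creation" and "Process Termination" subcategories under Detailed Tracking), enables Success auditing if they are not, then reads the resulting 4688/4689 Audit Success events back from the Security log and applies a filename-only exclusion list like the "Track all processes except those listed below" option. The exclusion list and the ten-minute lookback window are constructed sample values; run it from an elevated prompt.

```powershell
# Added example (not EventSentry's own code): verify and enable the Windows audit
# policy that Process Tracking depends on, then read back the resulting events.
# Run from an elevated PowerShell prompt on the monitored host.

$subcategories = @('Process Creation', 'Process Termination')   # Detailed Tracking category
$exclude       = @('conhost.exe', 'SearchProtocolHost.exe')     # sample list, filename only (no path)

function Get-AuditSetting {
    param([string]$Subcategory)
    # "auditpol /get ... /r" prints CSV; drop the blank leading line before parsing
    $row = auditpol /get /subcategory:"$Subcategory" /r | Where-Object { $_ } | ConvertFrom-Csv
    return $row.'Inclusion Setting'    # e.g. "No Auditing", "Success", "Success and Failure"
}

function Enable-SuccessAuditing {
    param([string]$Subcategory)
    # Process Tracking only needs Audit Success events; leave Failure auditing untouched
    auditpol /set /subcategory:"$Subcategory" /success:enable | Out-Null
}

foreach ($sub in $subcategories) {
    $setting = Get-AuditSetting -Subcategory $sub
    if ($setting -notmatch 'Success') {
        Write-Host "$sub is '$setting'; enabling Success auditing"
        Enable-SuccessAuditing -Subcategory $sub
    } else {
        Write-Host "$sub already audits: $setting"
    }
}

function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    # Read the named EventData fields from the event XML instead of relying on
    # positional Properties indexes, which differ between 4688 and 4689
    $xml = [xml]$Record.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# 4688 = process created, 4689 = process exited; both are Audit Success events
$filter = @{ LogName = 'Security'; Id = 4688, 4689; StartTime = (Get-Date).AddMinutes(-10) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $d    = Get-EventDataMap -Record $e
    $path = if ($e.Id -eq 4688) { $d['NewProcessName'] } else { $d['ProcessName'] }
    $name = [System.IO.Path]::GetFileName($path)

    # Exclusion matches on the filename only (case-insensitive), like the EventSentry list
    if ($exclude -contains $name) { continue }

    $action = if ($e.Id -eq 4688) { 'start' } else { 'exit' }
    # The CommandLine field of 4688 is only populated when the Windows policy
    # "Include command line in process creation events" is on; otherwise it is empty
    $cmd = if ($e.Id -eq 4688 -and $d['CommandLine']) { " cmd=$($d['CommandLine'])" } else { '' }

    "{0:u} {1,-5} {2}\{3} {4}{5}" -f $e.TimeCreated, $action, $d['SubjectDomainName'], $d['SubjectUserName'], $path, $cmd
}
```

If the first loop reports "No Auditing" for either subcategory, no 4688/4689 events exist for the agent to intercept, which is exactly the state the "Enabling Process Tracking in the OS" option is meant to correct. The empty CommandLine field illustrates why the agent's "Capture command line of processes" option reads the command line from the running process rather than from the event.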
Select the ODBC action which points to the correct database.
If the database specified by the ODBC action is temporarily unavailable, then EventSentry will cache the pending process tracking data and run the transactions when the database server becomes available again.