In the past, we’ve written about monitoring file access in Windows. However, monitoring file access events alone doesn’t capture the full lifecycle of changes that matter for security and compliance.
To gain true end-to-end visibility, you need to track not only when a file is accessed, but also when it’s modified, renamed, or deleted. In this guide, we’ll show how combining File Integrity Monitoring (FIM) with Windows Security Auditing delivers a complete file monitoring solution and how NXLog Agent ties these log sources together.
How FIM and Windows Security Auditing complement each other
FIM and Windows Security Auditing each provide valuable, but fundamentally different, visibility into file activity.
- File Integrity Monitoring (FIM)
-
Focuses on state changes. It tells you when a file was created, deleted, renamed, or modified, and it provides post-change attributes such as size and hash values. This makes FIM ideal for verifying file integrity and establishing a reliable forensic record of file changes.
- Windows Security Auditing
-
Captures access attempts and user interactions with the file system. Audit events describe who accessed a file, the operation they attempted, and whether the action succeeded. This level of context is essential for understanding who made the change, identifying abnormal access patterns, and meeting compliance requirements.
When used together, FIM and Windows Security Auditing complement each other to produce a complete picture. FIM tells you what changed, and Windows auditing tells you who did it. By correlating data from both sources, you gain end-to-end visibility: from the moment a user accesses a file to the resulting state.
Event coverage comparison: FIM vs. Windows Security Auditing
To better understand how FIM and Windows Security Auditing work together, it’s helpful to look at a side-by-side comparison of which file operations each method captures. The table below summarizes coverage for common file and directory events.
| Operation | File Integrity Monitoring | Windows Security Auditing |
|---|---|---|
File Created |
✅ EventType=NEW, Object=FILE |
✅ Event ID 4663 (AccessMask=CreateFile/WriteData) |
File Deleted |
✅ EventType=DELETE |
✅ Event ID 4660 |
File Renamed |
✅ EventType=RENAME |
⚠️ Indirect (Event IDs 4660 + 4663) |
File Content Modified |
✅ EventType=CHANGE, includes hash + result file size |
✅ Event ID 4663 (AccessMask=WriteData/AppendData) |
Directory Created |
✅ EventType=NEW, Object=DIRECTORY |
⚠️ Indirect (Event ID 4663 on directory object) |
Permissions Changed |
❌ |
✅ Event ID 4670 |
File Read |
❌ |
✅ Event ID 4663 (AccessMask=ReadData) |
Key takeaways:
-
FIM focuses on file state changes and includes hashes and digests, making it ideal for forensic integrity monitoring.
-
Windows Security Auditing focuses on user access attempts and operational details for behavioral monitoring and compliance.
-
FIM does not capture read operations or permission changes, while Windows Security Auditing doesn’t provide file hashes or confirm content changes.
-
Correlating both sources gives you full visibility: who accessed a file, what actions they attempted, and what changed.
Collecting FIM and Windows Security Auditing logs
Now that we’ve covered how FIM and Windows Security Auditing complement each other, the next step is to collect and centralize these events. NXLog Agent makes it straightforward to gather both types of telemetry data and forward them to your SIEM or log analytics platform. Here is how:
-
Use the Event Log for Windows input module to collect Windows Security Auditing events. Refer to the Audit File System section in Microsoft’s documentation for more information on the relevant event IDs.
-
Use the File Integrity Monitoring input module to monitor and log changes to directories and files.
-
Forward the events to your SIEM or log repository using any of the NXLog Agent’s output modules.
Here is the complete configuration. For simplicity, it writes the events in JSON format to a file on disk.
<Extension json>
Module xm_json
PrettyPrint TRUE (1)
</Extension>
<Input windows_security_auditing>
Module im_msvistalog
ResolveGUID TRUE
ResolveSID TRUE
<QueryXML>
<QueryList>
<Query Id="1">
<Select Path="Security">*[System[(EventID=4656 or EventID=4658 or EventID=4660 or EventID=4663 or EventID=4664 or EventID=4670 or EventID=4985 or EventID=5051)]]</Select>
</Query>
</QueryList>
</QueryXML>
<Exec>
if ($ObjectName !~ /^C:\\Program Files/ ) { (2)
drop();
}
</Exec>
</Input>
<Input fim>
Module im_fim
File 'C:\Program Files\*'
Recursive TRUE
ScanInterval 120
</Input>
<Output file>
Module om_file
File 'C:\Logs\file_monitoring.log'
Exec to_json();
</Output>
<Route file_monitoring_events_to_file>
Path windows_security_auditing, fim => file
</Route>| 1 | Pretty-prints the output for readability. |
| 2 | Discards events generated for objects outside the C:\Program Files directory. |
Conclusion
Combining File Integrity Monitoring (FIM) with Windows Security Auditing gives you complete visibility of file system changes, capturing both what changed and who performed the action. FIM ensures forensic integrity by tracking state changes, while Windows Security Auditing provides detailed context and permission changes. Together, they form a complete solution for security, compliance, and threat detection.
If you want to learn more about these two file monitoring systems, check out our File Integrity Monitoring and Windows Security Auditing integration guides.
