Version: 2.14.0

Wiretap

Introduction

Wiretap lets security administrators and auditors view a sequence of file system events by one or more users to build a complete picture of activity. The feature relies on the ECA cluster to process and stream audit events to the Wiretap UI in real time.

Wiretap supports the following monitoring options:

  • Monitor a specific file system path across multiple users, or monitor a single user across the entire file system.
  • Monitor a folder and its subfolders, or limit monitoring to a single directory.
  • Filter by file or directory events to reduce the volume of data shown in the UI.
  • Filter by username, or leave the field blank to capture activity from all users on the path.
Note:
  • Only two Wiretap filters can be active at a time. To create a third filter, delete one of the existing filters first.
  • Wiretap outputs a maximum of 25 events per second, regardless of the actual event rate on the monitored path. Some events may be dropped to maintain this rate. This is expected behavior and ensures events remain viewable in real time.
  • High event rates require sufficient browser RAM and CPU to process the audit data stream. If the browser becomes slow or unresponsive, apply additional filters to reduce the number of events displayed.
  • The ECA cluster monitors for matching events only while the Wiretap watch window is open. Events are not forwarded to Eyeglass when the window is closed.

Configure Wiretap

  1. Under Active Auditing in the navigation menu, select Wiretap.

  2. In the Path Selector, browse the cluster paths and select the path to monitor.

  3. In the Filters panel, configure the following fields:

    • User Name — Enter a user ID to filter events by a specific user, or leave the field blank to capture events from all users.
    • File Name — Enter a file name to filter activity on a specific file within the monitored path.
    • Event Type — Select an event type to filter by, or leave blank to capture all event types.
    • Show Subfolder Events — Select the checkbox to include events from subfolders, or deselect it to reduce the event rate.

  4. Select Apply filters. The ECA cluster begins filtering events for Wiretap. Events may take several seconds to appear in the UI.

  5. Select Clear filters to remove all active filter settings from the ECA.

  6. Select the arrow next to Wiretap filters to collapse the filter panel and expand the event view.

Wiretap Events

After applying filters, matching events appear in the Wiretaps table with the following columns:

  • Event Time — The date and time the event occurred.
  • Event Type — The type of file system event (for example, FILE_CLOSE or FILE_OPEN_READ).
  • User — The Active Directory user who performed the action.
  • Path — The full file system path of the affected file.
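The filter behaviour described above (path with or without subfolder events, a blank field meaning "all", and the 25 events per second output cap that drops excess events), modelled in an added Python example that is not Eyeglass or ECA code. The event record shape, the field and class names, and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class AuditEvent:            # one row of the Wiretaps table (assumed shape)
    time: datetime
    event_type: str          # e.g. FILE_CLOSE, FILE_OPEN_READ
    user: str
    path: str

@dataclass
class WiretapFilter:         # the Filters panel; empty string = "leave blank"
    path: str                # Path Selector
    user: str = ""           # User Name
    file_name: str = ""      # File Name
    event_type: str = ""     # Event Type
    show_subfolders: bool = True  # Show Subfolder Events
    def matches(self, ev: AuditEvent) -> bool:
        root = self.path.rstrip("/")
        parent, _, name = ev.path.rpartition("/")
        if self.show_subfolders:
            # the folder and anything beneath it, but not a sibling such as /ifs/data2
            if ev.path != root and not ev.path.startswith(root + "/"):
                return False
        elif parent != root:  # single directory only
            return False
        if self.user and ev.user != self.user:
            return False
        if self.file_name and name != self.file_name:
            return False
        return not self.event_type or ev.event_type == self.event_type

def stream(events, flt, max_per_second=25):
    """Filter, then show at most max_per_second events per wall-clock second; the rest are dropped."""
    shown, window, count = [], None, 0
    for ev in sorted(events, key=lambda e: e.time):
        if not flt.matches(ev):
            continue
        sec = ev.time.replace(microsecond=0)
        if sec != window:
            window, count = sec, 0
        if count < max_per_second:
            shown.append(ev)
            count += 1
    return shown

# constructed sample: 40 reads by alice within one second, plus two closes by bob
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = [AuditEvent(T0 + timedelta(milliseconds=10 * i), "FILE_OPEN_READ", "DOMAIN\\alice", f"/ifs/data/reports/r{i}.txt") for i in range(40)]
SAMPLE += [AuditEvent(T0, "FILE_CLOSE", "DOMAIN\\bob", p) for p in ("/ifs/data2/x.txt", "/ifs/data/top.txt")]
```

With the filter set to /ifs/data and subfolders enabled, 41 of the 42 sample events match but only 25 are shown, which is the same drop behaviour the note above describes; the sibling path /ifs/data2 is never matched.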