I've been looking at the difference between Installer Evidence and File Evidence within FN Manager. Two questions:
1. Within our system, we are currently seeing about 4x more Installer Evidence than File Evidence. What are the likely reasons for that? Is that 'typical' system behavior, or is this likely caused by how my system was configured to collect data on setup?
2. Within File Evidence, only 3/4 of the evidence includes an installation Path. What are the reasons why the Path would not be populated, and what can be done to populate them?
In most FNMS environments, the amount of file evidence exceeds the amount of installer evidence. Application recognition in FNMS is mainly based on installer evidence though.
For file evidence, there are some parameters that you may want to look into:
- Which source inventory system is being used? The labels in your post indicate that your inventory data are imported from ADDM and SCCM. In case you are NOT importing inventory data from a Flexera inventory database, you should look into the configuration settings and raw inventory data of your source inventory system.
- If you are collecting inventory data using Flexera agents installed locally and using the global FNMS inventory configuration settings, you can configure the amount of file evidence to be collected in FNMS in the 'Policy' visible in the UI in the "Discovery & Inventory > Settings" section. Folders to be scanned for file evidence can be configured independently for Windows, Unix/Linux and Mac OS.
- If you are collecting inventory data running Flexera agents manually, you must use command line options like 'IncludeDirectory' for collecting file evidence. If you run the Flexera agent 'ndtrack' without any such command line option, no file evidence will be collected.
The second question - why the file evidence does not contain an installation path or why the file path is not exposed in the UI - depends on the version of FNMS. With FNMS 2019 R2 or later, the raw file path is exposed in the FNMS UI.
Generally, the path for file evidence will not matter for application recognition. In case the same file evidence has been detected in more than one folder, most versions of FNMS will not report the file path. The objective is to minimize the amount of data that need to be collected and processed during a compliance import.
Here are some further comments to expand on @erwinlindemann's good answer: I'm not entirely confident from the way this question is phrased exactly what you are looking at. Are you looking at raw file and installer evidence records (i.e. the actual raw data that has been imported from your inventory source(s)), or are you looking at evidence recognition rules configured in the ARL settings?
I suspect you're probably looking at recognition rules (since I'm not sure how you would be counting the volume of raw evidence, unless you're directly querying the database). When looking at rules, consider:
- Recognition rules configured in the published ARL more commonly use installer evidence than file evidence, as installer evidence is generally more useful to work with.
- If you are looking at file paths shown on evidence rules, these do not represent an installation path of the file on any particular device. The path shown on a rule is a common path that the file is found in, but is only one path out of all the actual paths the file is found in across all the inventory that has been imported.
- File paths won't necessarily be populated on file evidence recognition rules, especially if the rule does not match any actual files that have been found in your environment.