Centralized monitoring of plural file systems that operate within or in association with an enterprise computing environment is provided. Each of the plural file systems are provided with a security policy, wherein the security policy defines one or more file system access activities to be monitored at the file system. Each file system is instrumented with a software agent that intercepts the relevant file system access activity. A centralized collector component is operative to receive from each of the plural file systems audit trail data, wherein the audit trail data is data that has been generated locally as file system access activity is intercepted at the file system by the local software agent in accordance with the applicable security policy. The collector applies the security policy against the audit trail data received from at least one of the plural file systems and, in response thereto, takes a given action.