Logging and SIEM Integration

Log Files

By default, Enzoic for Active Directory stores logs in the following location on each Domain Controller: C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs

For the Enzoic Client, log files can be found here: C:\ProgramData\Enzoic\Enzoic for Active Directory Client\Logs

The following log files are available:

Log files are split after reaching 1 GB in size, with _NNN being appended to the filename (e.g. EnzoicService_20241218_001.log). This generally won’t happen unless logging is left in Verbose mode for an extended period of time, but it can also occur if your domain has a large number of users or password change/reset traffic.

Logs from previous days will be archived to ZIP files and placed into the Archive subfolder of the logs folder. A maximum of 30 days of archived logs are maintained. Once this limit is reached, the oldest will be deleted first.

If for some reason the console, the service, or the client does not start at all, there will be an __Enzoic***_FATAL_STARTUP_ERRORS.log for the failing module. This file, along with any other logs should be provided to Enzoic support to diagnose the problem, if requested.

SIEM Integration

Enzoic for Active Directory logs important events to a JSON format log file which can be used for ingestion into SIEM systems. The following describes the information contained in these log entries.

Logs files are stored at: C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs

1.1 Log Entry Fields / Structure

Each JSON log entry has the following structure.

1.2 Event Data Fields – Common to All Events

The content of eventData varies per the type of logged event, but the following fields are always present.

1.3 Event Kinds

Log Entry Details for Each Event Kind

1.4 Info

Recorded when there is a general informational message.

Example:

{
  "time": "2019-08-07 16:24:57.2758",
  "threadId": "22",
  "level": "INFO",
  "event": "Service shutdown.",
  "eventData": {
    "data": {
      "eventKind": "Info",
      "details": null
    }
  }
}

1.5 Warning

Recorded when a recoverable problem or unusual event has occurred.

Example:

{
  "time": "2019-08-07 15:02:37.3696",
  "threadId": "10",
  "level": "WARN",
  "event": "The user tu1 no longer exists. Cleaning up artifacts related to this user.",
  "eventData": {
    "data": {
      "eventKind": "Warning",
      "details": null
    }
  }
}

1.6 Error

Recorded when a problem has occurred that may require user intervention or investigation. The eventData payload contains the exception details and can be helpful to support for further investigation.

Example:

{
  "time": "2019-08-07 15:02:37.3696",
  "threadId": "10",
  "level": "ERROR",
  "event": "Something bad happened..",
  "eventData": {
    "data": {
      "eventKind": "Error",
      "details": null,
      "exceptionClass": "Exception",
      "exceptionMessage": "Exception text"
    }
  }
}

1.7 PasswordChanged

Recorded when a user password was successfully changed.

Example:

{
  "time": "2019-08-07 15:00:59.9008",
  "threadId": "16",
  "level": "INFO",
  "event": "PasswordChanged",
  "eventData": {
    "data": {
      "user": "tu1",
      "eventKind": "PasswordChanged",
      "details": null
    }
  }
}

1.8 PasswordChangeRejected

Recorded when a user password change was rejected by Enzoic due to policy settings.

Example:

{
  "time":"2020-09-02 14:15:08.5068",
  "threadId": "4",
  "level": "INFO",
  "event": "The password is compromised and cannot be used. Detected by EnzoicApi and matched on RootPasswordMatch",
  "eventData": {
    "data": {
      "user": "testfosmo",
      "detectionMethod":"EnzoicApi",
      "matchTypes":[
        "RootPasswordMatch"
      ],
      "eventKind": "PasswordChangeRejected",
      "details": null
    }
  }
}

1.9 CompromiseDetectedDelayedRemediationScheduled

Recorded by User Password Monitoring when a user password was detected as compromised and a delayed remediation was scheduled (e.g. force password change after 24 hours)

Example:

{
  "time": "2019-08-07 15:01:35.7445",
  "threadId": "10",
  "level": "INFO",
  "event": "CompromiseDetectedDelayedRemediationScheduled",
  "eventData": {
    "data": {
      "user": "tu1",
      "detectionTimestamp": "2019-08-07T15:01:35.7134337-04:00",
      "actionTaken": "ForcePasswordChangeOnLoginDelayed",
      "actionDelayHours": 1,
      "eventKind": "CompromiseDetectedDelayedRemediationScheduled",
      "details": null
    }
  }
}

1.10 DelayedRemediationActionTaken

Recorded by User Password Monitoring when a previously scheduled delayed remediation was taken. For example, if a user was scheduled to force a password change after 24 hours, this event gets logged when the user is set to Force Password Change on Next Logon in AD.

Example:

{
  "time": "2019-08-07 15:01:35.7445",
  "threadId": "10",
  "level": "INFO",
  "event": "DelayedRemediationActionTaken",
  "eventData": {
    "data": {
      "user": "tu1",
      "detectionTimestamp": "2019-08-07T15:01:35.7134337-04:00",
      "actionTaken": "ForcePasswordChangeOnLogin",
      "actionDelayHours": 0,
      "eventKind": "DelayedRemediationActionTaken",
      "details": null
    }
  }
}

1.11 Remediation Actions

The possible remediation action values for log events are listed below.