Logging and SIEM Integration
Enzoic for Active Directory v3.5
Log Files
By default, Enzoic for Active Directory stores logs in the following location:
C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs
The following log files are available:
Logs roll over and are only stored for the last 7 days.
SIEM Integration
Enzoic for Active Directory logs important events to a JSON format log file which can be used for ingestion into SIEM systems. The following describes the information contained in these log entries.
Log files are stored at:
C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs
1.1 Log Entry Fields / Structure
Each JSON log entry has the following structure.
1.2 Event Data Fields – Common to All Events
The content of eventData varies per the type of logged event, but the following fields are always present.
1.3 Event Kinds
Log Entry Details for Each Event Kind
1.4 Info
Recorded when there is a general informational message.
Example:
1.5 Warning
Recorded when a recoverable problem or unusual event has occurred.
Example:
1.6 Error
Recorded when a problem has occurred that may require user intervention or investigation. The eventData payload contains the exception details and can be helpful to support for further investigation.
Example:
1.7 PasswordChanged
Recorded when a user password was successfully changed.
Example:
1.8 PasswordChangeRejected
Recorded when a user password change was rejected by Enzoic due to policy settings.
Example:
1.9 CompromiseDetectedDelayedRemediationScheduled
Recorded by User Password Monitoring when a user password was detected as compromised and a delayed remediation was scheduled (e.g. forcing a password change after 24 hours).
Example:
1.10 DelayedRemediationActionTaken
Recorded by User Password Monitoring when a previously scheduled delayed remediation was taken. For example, if a user was scheduled to force a password change after 24 hours, this event gets logged when the user is set to Force Password Change on Next Logon in AD.
Example:
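The following is an added example and is not part of the Enzoic documentation or product code. It shows a small Python pre-filter of the kind a SIEM pipeline would run over the JSON log file: it parses newline-delimited entries, skips malformed lines without dropping the batch, flattens eventData into dotted keys, assigns a severity per event kind, and separates the password-rejection, compromise and remediation events for alerting. The sample log lines are constructed. Every field name other than eventData (eventKind, timestamp, message, host, user, reason, remediationAction, scheduledFor) and the remediation action value ForcePasswordChange are assumptions for the example; take the real names and values from the Log Entry Fields and Remediation Actions tables.

```python
"""Pre-filter for Enzoic for Active Directory JSON log entries (added example).

Assumptions: entries are one JSON object per line; the top-level keys
eventKind, timestamp, message and the keys inside eventData used below are
assumed names, not taken from the product documentation.
"""
import json
from collections import Counter

# Event kinds as named in the documentation, mapped to an assumed severity.
SEVERITY = {
    "Info": "low",
    "Warning": "medium",
    "Error": "high",
    "PasswordChanged": "low",
    "PasswordChangeRejected": "medium",
    "CompromiseDetectedDelayedRemediationScheduled": "high",
    "DelayedRemediationActionTaken": "high",
}

# Kinds worth an alert rather than plain indexing.
ALERT_KINDS = {
    "Error",
    "PasswordChangeRejected",
    "CompromiseDetectedDelayedRemediationScheduled",
    "DelayedRemediationActionTaken",
}

# Constructed sample log; the fifth line is deliberately truncated to
# exercise the malformed-line handling. Field names are assumptions.
SAMPLE_LOG = """\
{"timestamp": "2024-01-15T08:00:01Z", "eventKind": "Info", "message": "Service started", "eventData": {"host": "DC01"}}
{"timestamp": "2024-01-15T08:05:12Z", "eventKind": "PasswordChanged", "message": "Password changed", "eventData": {"host": "DC01", "user": "jdoe"}}
{"timestamp": "2024-01-15T08:07:45Z", "eventKind": "PasswordChangeRejected", "message": "Password rejected by policy", "eventData": {"host": "DC01", "user": "asmith", "reason": "compromised"}}
{"timestamp": "2024-01-15T09:00:00Z", "eventKind": "CompromiseDetectedDelayedRemediationScheduled", "message": "Compromised password found", "eventData": {"host": "DC01", "user": "bwong", "remediationAction": "ForcePasswordChange", "scheduledFor": "2024-01-16T09:00:00Z"}}
{"timestamp": "2024-01-15T09:01:00Z", "eventKind": "Warning", "message": "truncated line
{"timestamp": "2024-01-16T09:00:03Z", "eventKind": "DelayedRemediationActionTaken", "message": "Forced password change at next logon", "eventData": {"host": "DC01", "user": "bwong", "remediationAction": "ForcePasswordChange"}}
"""


def parse_entries(text):
    """Parse newline-delimited JSON. Returns (entries, malformed_count).

    A malformed or structurally unexpected line is counted and skipped so
    that one bad line (e.g. a partial write during rollover) does not
    discard the rest of the batch.
    """
    entries, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if not isinstance(obj, dict) or "eventKind" not in obj:
            malformed += 1
            continue
        entries.append(obj)
    return entries, malformed


def enrich(entry):
    """Flatten one entry into a single-level dict for SIEM ingestion.

    eventData keys become 'eventData.<key>' so per-kind payloads stay
    searchable without a nested schema; unknown kinds get severity 'unknown'.
    """
    kind = entry.get("eventKind", "Unknown")
    flat = {
        "timestamp": entry.get("timestamp"),
        "eventKind": kind,
        "severity": SEVERITY.get(kind, "unknown"),
        "message": entry.get("message", ""),
    }
    data = entry.get("eventData") or {}
    for key, value in data.items():
        flat["eventData." + str(key)] = value
    return flat


def alerts(entries):
    """Return flattened entries whose kind is in ALERT_KINDS."""
    return [enrich(e) for e in entries if e.get("eventKind") in ALERT_KINDS]


def summarize(entries):
    """Count entries per event kind (useful as a health metric per log file)."""
    return Counter(e.get("eventKind") for e in entries)


def kv_line(flat):
    """Render a flattened entry as key=value pairs for a syslog-style forwarder."""
    return " ".join(f"{k}={json.dumps(v)}" for k, v in flat.items())


if __name__ == "__main__":
    parsed, bad = parse_entries(SAMPLE_LOG)
    print(f"parsed={len(parsed)} malformed={bad}")
    print(dict(summarize(parsed)))
    for item in alerts(parsed):
        print(kv_line(item))
```

In a real deployment the file path from the Log Files section above is tailed by the SIEM agent and each line passed through parse_entries and enrich; the malformed counter is worth exporting as a metric, since a rising value usually means the agent is reading the file mid-rollover rather than that the product is misbehaving.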
1.11 Remediation Actions
The possible remediation action values for log events are listed below.