Logging and SIEM Integration

Enzoic for Active Directory v3.0 and Earlier

Log Files

By default, Enzoic for Active Directory stores logs in the following location: C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs

The following log files are available:

LogType

Filename(s)

Format(s)

Description

Logs rollover and are only stored for the last 7 days.

SIEM Integration

Enzoic for Active Directory logs important events to a JSON format log file which can be used for ingestion into SIEM systems. The following describes the information contained in these log entries.

Logs files are stored at: C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs

1.1 Log Entry Fields / Structure

Each JSON log entry has the following structure.

Field

Description

1.2 Event Data Fields – Common to All Events

The content of eventData varies per the type of logged event, but the following fields are always present.

Field

Description

1.3 Event Kinds

Name

Description

Log Entry Details for Each Event Kind

1.4 Info

Recorded when there is a general informational message.

Example:

{
  "time": "2019-08-07 16:24:57.2758",
  "threadId": "22",
  "level": "INFO",
  "event": "Service shutdown.",
  "eventData": {
    "data": {
      "eventKind": "Info",
      "details": null
    }
  }
}

1.5 Warning

Recorded when a recoverable problem or unusual event has occurred.

Example:

{
  "time": "2019-08-07 15:02:37.3696",
  "threadId": "10",
  "level": "WARN",
  "event": "The user tu1 no longer exists. Cleaning up artifacts related to this user.",
  "eventData": {
    "data": {
      "eventKind": "Warning",
      "details": null
    }
  }
}

1.6 Error

Recorded when a problem has occurred that may require user intervention or investigation. The eventData payload contains the exception details and can be helpful to support for further investigation.

Field

Description

Example:

{
  "time": "2019-08-07 15:02:37.3696",
  "threadId": "10",
  "level": "ERROR",
  "event": "Something bad happened..",
  "eventData": {
    "data": {
      "eventKind": "Error",
      "details": null,
      "exceptionClass": "Exception",
      "exceptionMessage": "Exception text"
    }
  }
}

1.7 PasswordChanged

Recorded when a user password was successfully changed.

Field

Description

Example:

{
  "time": "2019-08-07 15:00:59.9008",
  "threadId": "16",
  "level": "INFO",
  "event": "PasswordChanged",
  "eventData": {
    "data": {
      "user": "tu1",
      "eventKind": "PasswordChanged",
      "details": null
    }
  }
}

1.8 PasswordChangeRejected

Recorded when a user password change was rejected by Enzoic due to policy settings.

Field

Description

Example:

{
  "time":"2020-09-02 14:15:08.5068",
  "threadId": "4",
  "level": "INFO",
  "event": "The password is compromised and cannot be used. Detected by EnzoicApi and matched on RootPasswordMatch",
  "eventData": {
    "data": {
      "user": "testfosmo",
      "detectionMethod":"EnzoicApi",
      "matchTypes":[
        "RootPasswordMatch"
      ],
      "eventKind": "PasswordChangeRejected",
      "details": null
    }
  }
}

1.9 CompromiseDetectedDelayedRemediationScheduled

Recorded by Continuous Password Protection when a user password was detected as compromised and a delayed remediation was scheduled (e.g. force password change after 24 hours)

Field

Description

Example:

{
  "time": "2019-08-07 15:01:35.7445",
  "threadId": "10",
  "level": "INFO",
  "event": "CompromiseDetectedDelayedRemediationScheduled",
  "eventData": {
    "data": {
      "user": "tu1",
      "detectionTimestamp": "2019-08-07T15:01:35.7134337-04:00",
      "actionTaken": "ForcePasswordChangeOnLoginDelayed",
      "actionDelayHours": 1,
      "eventKind": "CompromiseDetectedDelayedRemediationScheduled",
      "details": null
    }
  }
}

1.10 DelayedRemediationActionTaken

Recorded by Continuous Password Protection when a previously scheduled delayed remediation was taken. For example, if a user was scheduled to force a password change after 24 hours, this event gets logged when the user is set to Force Password Change on Next Logon in AD.

Field

Description

Example:

{
  "time": "2019-08-07 15:01:35.7445",
  "threadId": "10",
  "level": "INFO",
  "event": "DelayedRemediationActionTaken",
  "eventData": {
    "data": {
      "user": "tu1",
      "detectionTimestamp": "2019-08-07T15:01:35.7134337-04:00",
      "actionTaken": "ForcePasswordChangeOnLogin",
      "actionDelayHours": 0,
      "eventKind": "DelayedRemediationActionTaken",
      "details": null
    }
  }
}

1.11 Remediation Actions

The possible remediation action values for log events are listed below.

Name

Description

PreviousAutomated Deployments NextBackup Considerations

Last updated 11 months ago