Enzoic for Active Directory stores logs, by default, in
C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs
The following log files are available:
LogType | Filename(s) | Format(s) | Description
---|---|---|---
Console | EnzoicConsole_{logDate}.json, EnzoicConsole_{logDate}.log | JSON, TXT | Logs generated by the Enzoic console UI.
Service | EnzoicService_{logDate}.json, EnzoicService_{logDate}.log | JSON, TXT | Logs generated by the Enzoic service. These tend to be the most useful for troubleshooting: they contain the details of when Compromised Password Protection finds a compromised password for a user, and of when a password change is blocked.
Filter | EnzoicFilter.txt | TXT | Logs generated by the Enzoic password filter DLL.
Logs roll over and are only kept for the last 7 days.
Enzoic for Active Directory logs important events to a JSON format log file which can be used for ingestion into SIEM systems. The following describes the information contained in these log entries.
Log files are stored at
C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs
Each JSON log entry has the following structure.

Field | Description
---|---
time | Timestamp at which the event occurred.
threadId | The managed .NET thread ID which was running.
level | Level of event severity. This can be one of the following: INFO, WARN, ERROR.
eventData | A JSON object containing additional details, specific to the event. The object has one field, "data", containing an object with the actual details.
event | This is either a message or an enum value indicating the event kind (see the eventKind field in table 1.2).
The content of eventData varies per the type of logged event, but the following fields are always present.
Field | Description
---|---
eventKind | Indicates the nature of the event. See table 1.3 for possible values.
details | Either a free-form complex object or an extended message. Can be null.

The possible eventKind values (table 1.3) are:

Name | Description
---|---
Info | General informational message.
Warning | A recoverable problem or unusual event has occurred.
Error | A (possibly unrecoverable) problem has occurred, and may require user intervention or investigation.
PasswordChanged | User account password was changed.
PasswordChangeRejected | User account password change was attempted, but the password did not pass the integrity checks.
CompromiseDetectedDelayedRemediationScheduled | A compromised password was detected, and was either remediated, or scheduled for remediation after a delay.
DelayedRemediationActionTaken | A previously scheduled remediation was applied.
An Info event is recorded when there is a general informational message.

Example:

```json
{
  "time": "2019-08-07 16:24:57.2758",
  "threadId": "22",
  "level": "INFO",
  "event": "Service shutdown.",
  "eventData": {
    "data": {
      "eventKind": "Info",
      "details": null
    }
  }
}
```
A Warning event is recorded when a recoverable problem or unusual event has occurred.

Example:

```json
{
  "time": "2019-08-07 15:02:37.3696",
  "threadId": "10",
  "level": "WARN",
  "event": "The user tu1 no longer exists. Cleaning up artifacts related to this user.",
  "eventData": {
    "data": {
      "eventKind": "Warning",
      "details": null
    }
  }
}
```
An Error event is recorded when a problem has occurred that may require user intervention or investigation. The eventData payload contains the exception details and can be helpful to support for further investigation.

Field | Description
---|---
exceptionClass | The name of the .NET exception class, if there is an exception.
exceptionMessage | The exception message, if there is an exception.

Example:

```json
{
  "time": "2019-08-07 15:02:37.3696",
  "threadId": "10",
  "level": "ERROR",
  "event": "Something bad happened..",
  "eventData": {
    "data": {
      "eventKind": "Error",
      "details": null,
      "exceptionClass": "Exception",
      "exceptionMessage": "Exception text"
    }
  }
}
```
A PasswordChanged event is recorded when a user password was successfully changed.

Field | Description
---|---
user | The SAM account name of the account that was updated.

Example:

```json
{
  "time": "2019-08-07 15:00:59.9008",
  "threadId": "16",
  "level": "INFO",
  "event": "PasswordChanged",
  "eventData": {
    "data": {
      "user": "tu1",
      "eventKind": "PasswordChanged",
      "details": null
    }
  }
}
```
A PasswordChangeRejected event is recorded when a user password change was rejected by Enzoic due to policy settings.

Field | Description
---|---
user | The SAM account name of the account on which the password change was attempted.
detectionMethod | The check that flagged the password. One of: EnzoicApi, LocalDictionary, PasswordSimilarity, UserDisplayName, UserName, UserEmail.
matchTypes | Array of match types reported by the check. Possible values: ExactMatch, FuzzyMatch, RootPasswordMatch.

Example:

```json
{
  "time": "2020-09-02 14:15:08.5068",
  "threadId": "4",
  "level": "INFO",
  "event": "The password is compromised and cannot be used. Detected by EnzoicApi and matched on RootPasswordMatch",
  "eventData": {
    "data": {
      "user": "testfosmo",
      "detectionMethod": "EnzoicApi",
      "matchTypes": [
        "RootPasswordMatch"
      ],
      "eventKind": "PasswordChangeRejected",
      "details": null
    }
  }
}
```
A CompromiseDetectedDelayedRemediationScheduled event is recorded by Continuous Password Protection when a user password was detected as compromised and a delayed remediation was scheduled (e.g. force a password change after 24 hours).

Field | Description
---|---
user | The SAM account name of the affected account.
detectionTimestamp | Timestamp of when the compromise was detected.
actionTaken | Indicates the action that was taken in response to the compromise. See table 1.11 for possible values.
actionDelayHours | The number of hours before the delayed remediation will take effect. This only applies when actionTaken is ForcePasswordChangeOnLoginDelayed or DisableAccountDelayed.

Example:

```json
{
  "time": "2019-08-07 15:01:35.7445",
  "threadId": "10",
  "level": "INFO",
  "event": "CompromiseDetectedDelayedRemediationScheduled",
  "eventData": {
    "data": {
      "user": "tu1",
      "detectionTimestamp": "2019-08-07T15:01:35.7134337-04:00",
      "actionTaken": "ForcePasswordChangeOnLoginDelayed",
      "actionDelayHours": 1,
      "eventKind": "CompromiseDetectedDelayedRemediationScheduled",
      "details": null
    }
  }
}
```
A DelayedRemediationActionTaken event is recorded by Continuous Password Protection when a previously scheduled delayed remediation was applied. For example, if a user was scheduled to be forced to change their password after 24 hours, this event is logged when the user is set to Force Password Change on Next Logon in AD.

Field | Description
---|---
user | The SAM account name of the affected account.
detectionTimestamp | Timestamp of when the compromise was detected.
actionTaken | Possible values: ForcePasswordChangeOnLogin, DisableAccount.
actionDelayHours | Always zero.

Example:

```json
{
  "time": "2019-08-07 15:01:35.7445",
  "threadId": "10",
  "level": "INFO",
  "event": "DelayedRemediationActionTaken",
  "eventData": {
    "data": {
      "user": "tu1",
      "detectionTimestamp": "2019-08-07T15:01:35.7134337-04:00",
      "actionTaken": "ForcePasswordChangeOnLogin",
      "actionDelayHours": 0,
      "eventKind": "DelayedRemediationActionTaken",
      "details": null
    }
  }
}
```
The possible remediation action values (table 1.11) for log events are listed below.

Name | Description
---|---
ForcePasswordChangeOnLogin | The affected user account is updated to require the password to be changed on the next login attempt.
ForcePasswordChangeOnLoginDelayed | The affected user account is updated to require the password to be changed on the next login attempt. This action is delayed by the number of configured hours.
DisableAccount | The affected user account is disabled.
DisableAccountDelayed | The affected user account is disabled. This action is delayed by the number of configured hours.
NotifyOnly | An email notification is sent to the configured recipients. No further remediation is taken.
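As an added example (not Enzoic's own tooling, and not part of this documentation), the following Python script shows what a SIEM-side consumer of the JSON log format described above might do: it parses the entries, flattens eventData.data into each record, tallies events by eventKind, summarises PasswordChangeRejected entries by detectionMethod, lists ERROR entries with their exception fields, and reports scheduled delayed remediations whose due time (detectionTimestamp plus actionDelayHours) has passed without a matching DelayedRemediationActionTaken entry for the same user and detection timestamp. It assumes one JSON object per line in the service log. The sample entries are constructed from the page's examples; the account tu2 with a 24-hour DisableAccountDelayed schedule and the malformed last line are invented.

```python
"""Triage helpers for Enzoic for Active Directory JSON log entries.

Added example; not part of the Enzoic product or its documentation. It assumes
the service JSON log holds one entry per line with the documented layout:
time, threadId, level, event, eventData.data.{eventKind, details, ...}.
"""
import json
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log modelled on the documented examples. Account "tu2" and
# its 24-hour DisableAccountDelayed schedule are invented; the last line is
# deliberately malformed so the parser's error handling is exercised.
SAMPLE_LOG = r'''
{"time": "2019-08-07 16:24:57.2758", "threadId": "22", "level": "INFO", "event": "Service shutdown.", "eventData": {"data": {"eventKind": "Info", "details": null}}}
{"time": "2019-08-07 15:02:37.3696", "threadId": "10", "level": "ERROR", "event": "Something bad happened..", "eventData": {"data": {"eventKind": "Error", "details": null, "exceptionClass": "Exception", "exceptionMessage": "Exception text"}}}
{"time": "2019-08-07 15:00:59.9008", "threadId": "16", "level": "INFO", "event": "PasswordChanged", "eventData": {"data": {"user": "tu1", "eventKind": "PasswordChanged", "details": null}}}
{"time": "2020-09-02 14:15:08.5068", "threadId": "4", "level": "INFO", "event": "The password is compromised and cannot be used. Detected by EnzoicApi and matched on RootPasswordMatch", "eventData": {"data": {"user": "testfosmo", "detectionMethod": "EnzoicApi", "matchTypes": ["RootPasswordMatch"], "eventKind": "PasswordChangeRejected", "details": null}}}
{"time": "2019-08-07 15:01:35.7445", "threadId": "10", "level": "INFO", "event": "CompromiseDetectedDelayedRemediationScheduled", "eventData": {"data": {"user": "tu1", "detectionTimestamp": "2019-08-07T15:01:35.7134337-04:00", "actionTaken": "ForcePasswordChangeOnLoginDelayed", "actionDelayHours": 1, "eventKind": "CompromiseDetectedDelayedRemediationScheduled", "details": null}}}
{"time": "2019-08-07 16:01:36.0001", "threadId": "10", "level": "INFO", "event": "DelayedRemediationActionTaken", "eventData": {"data": {"user": "tu1", "detectionTimestamp": "2019-08-07T15:01:35.7134337-04:00", "actionTaken": "ForcePasswordChangeOnLogin", "actionDelayHours": 0, "eventKind": "DelayedRemediationActionTaken", "details": null}}}
{"time": "2019-08-07 15:05:00.0000", "threadId": "11", "level": "INFO", "event": "CompromiseDetectedDelayedRemediationScheduled", "eventData": {"data": {"user": "tu2", "detectionTimestamp": "2019-08-07T15:05:00.0000000-04:00", "actionTaken": "DisableAccountDelayed", "actionDelayHours": 24, "eventKind": "CompromiseDetectedDelayedRemediationScheduled", "details": null}}}
not json at all
'''


def parse_entry_time(value):
    """'2019-08-07 16:24:57.2758' -> naive datetime (the time field carries no zone)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def parse_detection_time(value):
    """detectionTimestamp is ISO 8601 with a 7-digit (.NET) fraction; trim it to
    the 6 digits datetime.fromisoformat accepts on every supported Python."""
    return datetime.fromisoformat(re.sub(r"(\.\d{6})\d+", r"\1", value))


def parse_log(text):
    """Return (records, bad_line_count). Each record is the entry with
    eventData.data flattened into it, so eventKind, user, ... are top-level."""
    records, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
            data = entry.get("eventData", {}).get("data", {})
        except (ValueError, AttributeError):
            bad += 1  # not JSON, or JSON that is not an object
            continue
        rec = {k: v for k, v in entry.items() if k != "eventData"}
        rec.update(data)
        records.append(rec)
    return records, bad


def count_by_kind(records):
    """Event volume per eventKind (table 1.3 values)."""
    return Counter(r.get("eventKind", "Unknown") for r in records)


def rejections_by_method(records):
    """Which check blocked password changes, and how often."""
    return Counter(r.get("detectionMethod", "Unknown") for r in records
                   if r.get("eventKind") == "PasswordChangeRejected")


def error_summary(records):
    """(event, exceptionClass, exceptionMessage) for every ERROR entry."""
    return [(r.get("event"), r.get("exceptionClass"), r.get("exceptionMessage"))
            for r in records if r.get("level") == "ERROR"]


def overdue_remediations(records, now):
    """Delayed remediations whose due time has passed with no matching
    DelayedRemediationActionTaken for the same user and detectionTimestamp.
    'now' is an ISO 8601 string with offset or a timezone-aware datetime."""
    if isinstance(now, str):
        now = parse_detection_time(now)
    taken = {(r.get("user"), r.get("detectionTimestamp")) for r in records
             if r.get("eventKind") == "DelayedRemediationActionTaken"}
    overdue = []
    for r in records:
        if r.get("eventKind") != "CompromiseDetectedDelayedRemediationScheduled":
            continue
        if not str(r.get("actionTaken", "")).endswith("Delayed"):
            continue  # immediate actions and NotifyOnly leave nothing pending
        due = (parse_detection_time(r["detectionTimestamp"])
               + timedelta(hours=float(r.get("actionDelayHours", 0))))
        if due <= now and (r.get("user"), r.get("detectionTimestamp")) not in taken:
            overdue.append((r["user"], r["actionTaken"], due.isoformat()))
    return overdue


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} entries parsed, {bad} malformed line(s) skipped")
    print("by kind:", dict(count_by_kind(recs)))
    print("rejections by method:", dict(rejections_by_method(recs)))
    print("errors:", error_summary(recs))
    print("overdue remediations:", overdue_remediations(recs, datetime.now(timezone.utc)))
```

The overdue check is the part worth wiring into alerting: a CompromiseDetectedDelayedRemediationScheduled entry that is never followed by its DelayedRemediationActionTaken entry means the account kept a known-compromised password past the configured delay, which is exactly the window Continuous Password Protection is meant to close.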