Auditing

ESA records audit entries in the Windows event logs - specifically the Application log in the Windows Logs section. The Windows Event Viewer can be used to view the audit entries.

If you install the Reporting Engine (Elasticsearch), you can view these logs in the Reports screen of ESA Web Console.

 

Audit entries fall into the following categories:

User auditing

oSuccessful authentication attempts and failed authentication attempts (wrong OTP or MRK)

oChanges to 2FA state, for example, when a user account becomes locked

System auditing

oChanges to ESA settings

oWhen ESA services are started or stopped

The use of the standard Windows event logging architecture facilitates the use of third-party aggregation and reporting tools such as LogAnalyzer.