Auditing
ESA records audit entries in the Windows event logs - specifically the Application log in the Windows Logs section. The Windows Event Viewer can be used to view the audit entries.
If you install the Reporting Engine (Elasticsearch), you can view these logs in the Reports screen of ESA Web Console.
Audit entries fall into the following categories:
•User auditing
oSuccessful authentication attempts and failed authentication attempts (wrong OTP or MRK)
oChanges to 2FA state, for example, when a user account becomes locked
•System auditing
oChanges to ESA settings
oWhen ESA services are started or stopped
The use of the standard Windows event logging architecture facilitates the use of third-party aggregation and reporting tools such as LogAnalyzer.