-
Title
What are some of the events that are logged by Defender Event View log? -
Description
Token events performed by the Defender Administrator, such as assigning a token to a user, assigning a Defender password to a user, setting a token PIN, etc., can be logged to the "Defender" event log for auditing purposes.
The Defender event log can be viewed using the Windows Event Viewer and may include the messages shown in the table below. -
Resolution
ID
Message
1000
Token tokenname assigned to user username
1001
Failed to assign token tokenname to user username, error (messageID) messagetext
1002
Defender Password assigned to user username
1003
Failed to assign Defender Password to user username, error (messageID) messagetext
1004
Set PIN on token tokenname assigned to user username
1005
Failed to set PIN on token tokenname assigned to user username, error (messageID) messagetext
1006
Set temporary response on token tokenname assigned to user username
1007
Failed to set temporary response on token tokenname assigned to user username, error (messageID) messagetext
1008
Cleared temporary response on token tokenname assigned to user username
1009
Failed to clear temporary response on token tokenname assigned to user username, error (messageID) messagetext
1010
Modified data of token tokenname assigned to user username
1011
Failed to modify data of token tokenname assigned to user username, error (messageID) messagetext
1012
Token tokenname unassigned from user username
1013
Failed to unassign token tokenname from user username, error (messageID) messagetext
1014
Defender Password unassigned from user username
1015
Failed to unassign Defender Password from user username, error (messageID) messagetext
In the table above:
- "tokenname" is the token's distinguishedName.
- "username" is the user's distinguishedName.
- "messageID" is the message ID.
- "messagetext" is the descriptive text of the message.
By default, event logging is turned off in the Defender Console. To turn it on you must set the following value in the registry on each desktop/server that is used to administer Defender tokens (i.e., wherever the Defender Console is installed):
x86: HKEY_LOCAL_MACHINE\Software\PassGo Technologies\Defender\Defender AD MMC
x64: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PassGo Technologies\Defender\Defender AD MMC
Value: LoggingEnabled (create the entry if it does not exist)
Type: DWORD
Data: 0 to disable logging, 1 to enable logging
Log messages are written to the local event log and the event log on the PDC emulator.Enhancement Request #257951 has been raised to add additional data to the event log such as temporary response expiry and whether the check box to Allow multiple use of the temporary response was enabled
-
Change Request
257951 -
Additional Information
To allow all authenticated users to write to the PDC's event log, you must edit the existing Registry key as shown below: Windows 2008 and above Use Microsoft's wevtutil sl defender to capture the current channelAccess and then wevtutil sl defender /ca: to set to the current security plus (A;;0x3;;;NU).