Active Directory Audit Overview
Entralyzer provides real-time, comprehensive Active Directory auditing of critical changes across your environment. From user, group, computer, organizational unit (OU) modifications, logon activity and Group Policy Object (GPO) changes, Entralyzer delivers detailed, actionable insights that strengthen security, support compliance requirements, and simplify identity management. By turning complex directory data into meaningful reports, Entralyzer empowers IT teams to detect issues faster, reduce risk, and maintain tighter control over Active Directory.
How Entralyzer Collects Event Logs
Entralyzer collects Windows events in real time by using the Microsoft Windows event APIs. It defines filters, such as specific event IDs or log channels, so that only relevant events are captured. When an event matching the filter occurs, Windows immediately notifies the application through a built-in event handler, allowing it to process or store the event right away. This approach ensures that critical activities, such as logons, deleted accounts and group membership changes, are captured instantly without continuously scanning the logs. Entralyzer does not require any agents to obtain the event logs; this mechanism is built into Windows.
- Log Sources: Active Directory servers send event logs in real time to the Entralyzer application via the Microsoft Windows APIs. For logon events, a Windows Event Collector (WEC) server must be enabled: workstations, laptops and servers forward their logon events to the WEC server, and Entralyzer then collects the logs from it.
- Entralyzer Application: Entralyzer processes and stores the event logs.
- Browser: You then view the audit reports in your browser from any machine on your network.
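The following PowerShell script is an added illustration of the collection mechanism described above; it is not Entralyzer's code. It uses the Windows event API exposed through .NET (EventLogQuery and EventLogWatcher) to register an XPath filter on a log channel so that Windows pushes only matching events to a handler, with no log polling. The event IDs are the standard Windows Security log IDs for account creation/deletion, group membership changes, directory object modification and logon; the channel name, the output file path and the `ADAuditWatcher` identifier are choices made for this example. Run it on a domain controller for directory changes, or on the WEC server with the `ForwardedEvents` channel for forwarded logon events.

```powershell
# Added example (not Entralyzer's code): subscribe to AD audit events in real time.
# Run elevated on a domain controller, or on the WEC server with -Channel ForwardedEvents.
param(
    [string]$Channel = 'Security',                            # 'ForwardedEvents' on a collector
    [string]$OutFile = "$env:ProgramData\ad-audit.jsonl"      # example path, chosen here
)

# Event IDs of interest (standard Windows Security log IDs).
$eventIds = @{
    4720 = 'User account created'
    4726 = 'User account deleted'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
    5136 = 'Directory service object modified'
    4624 = 'Successful logon'
}

# Build the XPath filter so Windows delivers only these IDs; nothing else is read.
$idClause = ($eventIds.Keys | ForEach-Object { "EventID=$_" }) -join ' or '
$xpath    = "*[System[($idClause)]]"

$query   = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery -ArgumentList $Channel, ([System.Diagnostics.Eventing.Reader.PathType]::LogName), $xpath
$watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher -ArgumentList $query

# Windows raises EventRecordWritten for each matching event; the action runs immediately.
$null = Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
    -SourceIdentifier 'ADAuditWatcher' -MessageData @{ Ids = $eventIds; Out = $OutFile } -Action {
        $rec = $Event.SourceEventArgs.EventRecord
        if ($null -eq $rec) { return }            # EventRecord is null when a read error occurred
        $label = $Event.MessageData.Ids[[int]$rec.Id]
        [pscustomobject]@{
            Time     = $rec.TimeCreated
            Id       = $rec.Id
            Category = $label
            Computer = $rec.MachineName
            Message  = $rec.FormatDescription()
        } | ConvertTo-Json -Compress | Out-File -Append -FilePath $Event.MessageData.Out
    }

$watcher.Enabled = $true
Write-Host "Watching '$Channel' for $($eventIds.Count) event IDs; press Ctrl+C to stop."
try {
    # Wait-Event lets the engine run the -Action handlers while we idle.
    while ($true) { Wait-Event -Timeout 5 | Out-Null }
}
finally {
    $watcher.Enabled = $false
    Unregister-Event -SourceIdentifier 'ADAuditWatcher'
    $watcher.Dispose()
}
```

Because the filter is evaluated by the Windows event service before the notification is raised, the script (and, as the text describes, Entralyzer) never has to scan the whole log; the cost scales with the number of matching events rather than the log size. The JSON Lines output is one record per event, which is convenient input for a SIEM or for the kind of report the product builds.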
Audit Categories
- User
- Groups
- Group membership changes
- Computers
- User Logons
- GPOs
- OUs
Requirements
- Audit policies must be enabled
- Object level auditing must be configured
- For user logons, a Windows Event Collector (WEC) server must be configured
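The script below is an added prerequisite check, not part of Entralyzer, that verifies the three requirements above before deploying the product. It reads the relevant audit subcategories with `auditpol`, inspects the SACL on the domain root for object-level audit entries, and confirms that the Windows Event Collector service is running with at least one subscription. The subcategory names are the standard Windows audit subcategories; the audit policy and SACL checks assume a domain controller with the ActiveDirectory module (RSAT) and an elevated session, and the WEC check assumes it runs on the collector server.

```powershell
# Added example (not Entralyzer's code): verify the AD audit prerequisites.
# Run elevated; parts 1-2 on a domain controller, part 3 on the WEC server.
$results = [System.Collections.Generic.List[object]]::new()

# 1. Audit policies: each subcategory must audit at least Success.
$subcategories = @(
    'User Account Management',
    'Security Group Management',
    'Computer Account Management',
    'Directory Service Changes',
    'Logon'
)
foreach ($sub in $subcategories) {
    # /r emits CSV; the 'Inclusion Setting' column reads e.g. "Success and Failure".
    $row     = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
    $setting = [string]$row.'Inclusion Setting'
    $status  = if ($setting -match 'Success') { 'OK' } else { 'MISSING' }
    $results.Add([pscustomobject]@{ Check = "Audit policy: $sub"; Status = $status; Detail = $setting })
}

# 2. Object-level auditing: the domain head needs success audit entries covering writes,
#    otherwise 'Directory Service Changes' produces no 5136-style events for those objects.
Import-Module ActiveDirectory -ErrorAction Stop
$domainDn   = (Get-ADDomain).DistinguishedName
$sacl       = (Get-Acl -Path "AD:\$domainDn" -Audit).Audit
$writeRules = @($sacl | Where-Object {
    (($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -ne 0) -and
    ($_.ActiveDirectoryRights -match 'Write|CreateChild|DeleteChild|Delete|GenericAll')
})
$status = if ($writeRules.Count -gt 0) { 'OK' } else { 'MISSING' }
$results.Add([pscustomobject]@{
    Check  = 'Object-level auditing (SACL on domain root)'
    Status = $status
    Detail = "$($writeRules.Count) success audit rule(s) covering writes"
})

# 3. Windows Event Collector: service running and at least one subscription defined.
$wec  = Get-Service -Name Wecsvc -ErrorAction SilentlyContinue
$subs = if ($wec -and $wec.Status -eq 'Running') { @(wecutil es) } else { @() }
$status = if ($subs.Count -gt 0) { 'OK' } else { 'MISSING' }
$detail = if ($wec) { "service $($wec.Status), $($subs.Count) subscription(s)" } else { 'service not installed' }
$results.Add([pscustomobject]@{ Check = 'Windows Event Collector'; Status = $status; Detail = $detail })

$results | Format-Table -AutoSize
if ($results.Status -contains 'MISSING') { exit 1 }   # non-zero exit for use in deployment pipelines
```

A `MISSING` on the first group means the domain controller will not write the events at all, so no collector, agentless or otherwise, can report them; a `MISSING` on the SACL check is the common cause of "policy enabled but no object change events", since directory-change auditing only fires for objects whose SACL requests it.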