When you enable UAM on a LogRhythm System Monitor, the System Monitor generates one log when a user logs on to a Windows or UNIX host and another when the user logs off. The logon log includes the user name and logon time. The logoff log includes:
- User name
- Logon time
- Logoff time
- Duration of the logon
The logs are sent to the Data Processor for processing and archiving.
When UAM is enabled in File Integrity Monitor (FIM), you can see which users were logged into a host when a FIM event is detected.
In addition to enabling UAM on the File Integrity Monitor settings subtab, select Monitor Logon Activity, Monitor Process Activity, or both, so that the Logonusers and Processusers values are populated in the individual Standard FIM events.
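The following added example (not LogRhythm code) shows the correlation described above: logon and logoff logs are turned into sessions, and a FIM event timestamp is matched against them to list who was logged on to the host at that moment. The record field names, hosts, users and times are constructed for illustration and are not LogRhythm's log format.

```python
from datetime import datetime

def T(hhmm):
    """Build a timestamp on a constructed sample day."""
    return datetime.fromisoformat(f"2024-05-01T{hhmm}:00")

# Constructed sample records; field names are assumptions for this example.
LOGS = [
    {"type": "logon",  "host": "srv01", "user": "alice", "logon": T("09:00")},
    {"type": "logon",  "host": "srv01", "user": "bob",   "logon": T("09:30")},
    {"type": "logoff", "host": "srv01", "user": "alice", "logon": T("09:00"),
     "logoff": T("09:45"), "duration_s": 2700},
    {"type": "logon",  "host": "ws02",  "user": "alice", "logon": T("09:50")},
    {"type": "logon",  "host": "srv01", "user": "carol", "logon": T("10:05")},
    {"type": "logoff", "host": "srv01", "user": "carol", "logon": T("10:05"),
     "logoff": T("10:20"), "duration_s": 900},
]

def build_sessions(logs):
    """Return {(host, user, logon): logoff or None}; None means still logged on."""
    sessions = {}
    for rec in logs:
        key = (rec["host"], rec["user"], rec["logon"])
        if rec["type"] == "logon":
            # Open session; setdefault keeps a logoff that arrived out of order.
            sessions.setdefault(key, None)
        elif rec["type"] == "logoff":
            # The logoff log carries both times and the duration: cross-check them.
            if (rec["logoff"] - rec["logon"]).total_seconds() != rec["duration_s"]:
                raise ValueError(f"inconsistent duration in {rec}")
            sessions[key] = rec["logoff"]
    return sessions

def users_logged_on(sessions, host, when):
    """Users whose session on `host` covers the FIM event time `when`."""
    return sorted({
        user for (h, user, logon), logoff in sessions.items()
        if h == host and logon <= when and (logoff is None or when <= logoff)
    })

if __name__ == "__main__":
    sessions = build_sessions(LOGS)
    for fim_time in ("09:40", "09:47", "10:10"):
        print(fim_time, users_logged_on(sessions, "srv01", T(fim_time)))
```

A user with a logon log but no logoff log yet (bob here) is treated as still logged on, which is the case an investigator most needs to see beside a FIM event.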