Sessions Logs - Missing password view events
Article ID: 109779
Updated On:
Products
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)
Issue/Introduction
Why aren't password views logged to CA PAM's Session Logs?
Environment
PAM 3.x
Resolution
In CA PAM - the password views are not logged to our session logs because we have the following:
A specific report for this:
CA PAM UI >> Credentials >> Reports >> Run >> Here you will find a report call "View Password Requests" that will give the information that you are looking for.
Alternatively; you can either implement our Splunk or Syslog Forwarding Integration - that will send these "Audiiting" type messages.
Example Audit event in Splunk:
Aug 3 09:16:57 141.202.114.132 1 2018-08-03T13:18:39+00:00 dedke01-pam32 pam - metric DETAIL <Metric><type>viewAccountPassword</type><level>1</level><description><hashmap><k>commandInitiator</k><v>USER</v><k>adminUserID</k><v>super</v><k>reason</k><v></v><k>selectedComponent</k><v>0</v><k>Attribute.descriptor2</k><v></v><k>Attribute.descriptor1</k><v></v><k>TargetAccount.ID</k><v>1020</v><k>TargetApplication.name</k><v>WIN-Remote</v><k>reasonDetails</k><v>Password Viewed</v><k>password</k><v></v><k>TargetServer.hostName</k><v>10.162.29.14</v><k>TargetAccount.accessType</k><v></v><k>referenceCode</k><v></v><k>adminPassword</k><v></v><k>TargetAccount.userName</k><v>administrator</v></hashmap></description><errorCode>0</errorCode><userID>super</userID><success>true</success><originatingIPAddress></originatingIPAddress><originatingHostName></originatingHostName><extensionType></extensionType></Metric>
A specific report for this:
CA PAM UI >> Credentials >> Reports >> Run >> Here you will find a report call "View Password Requests" that will give the information that you are looking for.
Alternatively; you can either implement our Splunk or Syslog Forwarding Integration - that will send these "Audiiting" type messages.
Example Audit event in Splunk:
Aug 3 09:16:57 141.202.114.132 1 2018-08-03T13:18:39+00:00 dedke01-pam32 pam - metric DETAIL <Metric><type>viewAccountPassword</type><level>1</level><description><hashmap><k>commandInitiator</k><v>USER</v><k>adminUserID</k><v>super</v><k>reason</k><v></v><k>selectedComponent</k><v>0</v><k>Attribute.descriptor2</k><v></v><k>Attribute.descriptor1</k><v></v><k>TargetAccount.ID</k><v>1020</v><k>TargetApplication.name</k><v>WIN-Remote</v><k>reasonDetails</k><v>Password Viewed</v><k>password</k><v></v><k>TargetServer.hostName</k><v>10.162.29.14</v><k>TargetAccount.accessType</k><v></v><k>referenceCode</k><v></v><k>adminPassword</k><v></v><k>TargetAccount.userName</k><v>administrator</v></hashmap></description><errorCode>0</errorCode><userID>super</userID><success>true</success><originatingIPAddress></originatingIPAddress><originatingHostName></originatingHostName><extensionType></extensionType></Metric>
Additional Information
For more information on integrating CA PAM with Splunk via Syslog - you can follow this knowledge document:
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=97550
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=97550
Feedback
Yes
No
Powered by
