Sessions Logs - Missing password view events

Article Id: 109779
Status: Published
Updated On: 19-02-2020 10:57
Products:
CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Privileged Access Manager (PAM) CA Privileged Access Manager (PAM)
Issue/Introduction:



Why aren't password views logged to CA PAM's Session Logs?

Environment:

PAM 3.x

Resolution:

In CA PAM - the password views are not logged to our session logs because we have the following: 

A specific report for this: 
CA PAM UI >> Credentials >> Reports >> Run >> Here you will find a report call "View Password Requests" that will give the information that you are looking for. 

Alternatively; you can either implement our Splunk or Syslog Forwarding Integration - that will send these "Audiiting" type messages. 

Example Audit event in Splunk: 

Aug 3 09:16:57 141.202.114.132 1 2018-08-03T13:18:39+00:00 dedke01-pam32 pam - metric DETAIL <Metric><type>viewAccountPassword</type><level>1</level><description><hashmap><k>commandInitiator</k><v>USER</v><k>adminUserID</k><v>super</v><k>reason</k><v></v><k>selectedComponent</k><v>0</v><k>Attribute.descriptor2</k><v></v><k>Attribute.descriptor1</k><v></v><k>TargetAccount.ID</k><v>1020</v><k>TargetApplication.name</k><v>WIN-Remote</v><k>reasonDetails</k><v>Password Viewed</v><k>password</k><v></v><k>TargetServer.hostName</k><v>10.162.29.14</v><k>TargetAccount.accessType</k><v></v><k>referenceCode</k><v></v><k>adminPassword</k><v></v><k>TargetAccount.userName</k><v>administrator</v></hashmap></description><errorCode>0</errorCode><userID>super</userID><success>true</success><originatingIPAddress></originatingIPAddress><originatingHostName></originatingHostName><extensionType></extensionType></Metric> 

 

Additional Information:

For more information on integrating CA PAM with Splunk via Syslog - you can follow this knowledge document: 

https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=97550