search cancel

PAM Session recording is not working for SSH applet.

book

Article ID: 132883

calendar_today

Updated On:

Products

CA Performance Management - Usage and Administration

Issue/Introduction

CLI session recording for the SSH applet fails silently and unpredictably.

Environment

Release : PAM 3.4.X , 4.0, 4.1

Cause

File corruption resulting in the loss of a flag file used to signal CLI session recording is enabled.

Resolution

With the 3.2.2.22 HotFixWe check for the presence of the file whenever CLI session recording data is being processed (including stop and start.)  If the file is missing and should be present we restore the file and continue as though it was always present.  A new log message PAM-UPD-1384 is written to the log table (and to syslog, if configured) each time this happens.


PAM-UPD-1384="Session recording flag file ksl_logfile restored. CLI recording flag was {0}. Graphical recording flag was {1}."

Additional Information

In order to collect information about the file corruption, new messages are being written to the log table and syslog whenever the flag file is touched or removed.    Because we unconditionally recreate the file each time, these messages will appear in the log even when the file has not been lost.  Only the PAM-UPD-1384 message indicates a file loss.


PAM-CM-4151=PAM-CM-4151: Session recording flag file ksl_logfile created. CLI recording flag was {0}. Graphical recording flag was {1}.

PAM-CM-4152=PAM-CM-4152: Session recording flag file ksl_logfile deleted. CLI recording flag was {0}. Graphical recording flag was {1}.

PAM-CM-4153=PAM-CM-4153: Syslog recording flag file ksl_syslog created.  Syslog recording flag was {0}.

PAM-CM-4154=PAM-CM-4514: Syslog recording flag file ksl_syslog deleted.  Syslog recording flag was {0}. 


The other new messages are PAM-CM-4151/2 which show when the CLI flag file is restored/created and deleted respectively and PAM-CM-4153/4 which does the same thing for syslog based session recording.