PAM Syslog
search cancel

PAM Syslog

book

Article ID: 189534

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM) CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

When there is a blacklist command violation, PAM can send a notification email to admin only.  We want to send a notification to other stakeholders.

We want to achieve that task from PAM Syslog.

Can you help which value/attribute in PAM Syslog should be checked for this?

Resolution

Privileged Access Manager has two major formats for Syslog messages, and a few minor ones.

Look at the product documentation for further information, search for "Syslog Message Formats" and also refer to "Syslog Priority Facility Severity Grid" for better understanding of the message that is being generated.

Below is an example of the syslog message generated when an blacklisted command is executed.

Time: Apr 22 09:30:23
IP: <IP of the CA PAM server>
Host: <Hostname of CA PAM Server, this field is blank at times>
Facility: user
Priority: crit
Tag: gkpsyslog[23873]
Message: created = 2020-04-22 09:30:12 
Private IP: <IP address of the CA PAM host>, Nat/Proxy IP: <IP address of the Nat or Proxy if available in the network or this can be same as Private IP>, 
User: <User with which login to CA PAM was performed>,
User Group: --, 
Transaction: violation, 
Address: , 
Device Name: <target device name>, Device Group: --, 
Port: 22, 
Access/Protocol: SSH, 
Service/App: - -, 
Target Account: --, 
Details: PAM-CMN-2165: Unauthorized word echo "hello world" typed. 

For details regarding the fields above refer the the product documentation.

Additional Information

Product Documentation: Syslog Message Formats

Powered by Wolken Software