Products: CA Privileged Access Manager (PAM); CA Privileged Access Manager - Cloakware Password Authority (PA); CA Privileged Access Manager - Server Control (PAMSC)
Issue/Introduction
When there is a blacklist command violation, PAM can send a notification email to the admin only. We want to send a notification to other stakeholders.
We want to achieve that task from the PAM Syslog.
Can you advise which value/attribute in the PAM Syslog should be checked for this?
Environment
Release : 3.2.x, 3.3.x
Component : PRIVILEGED ACCESS MANAGEMENT
Cause
Privileged Access Manager has two major formats for Syslog messages, and a few minor ones.
See the product documentation for further information: search for "Syslog Message Formats", and also refer to "Syslog Priority Facility Severity Grid" to understand the facility and priority attached to each message that is generated.
Resolution
Below is an example of the syslog message generated when a blacklisted command is executed.
Time: Apr 22 09:30:23 IP: <IP of the CA PAM server> Host: <Hostname of the CA PAM server; this field is blank at times> Facility: user Priority: crit Tag: gkpsyslog[23873]
Message: created = 2020-04-22 09:30:12 Private IP: <IP address of the CA PAM host>, Nat/Proxy IP: <IP address of the NAT or proxy if present in the network, otherwise the same as the Private IP>, User: <user that logged in to CA PAM>, User Group: --, Transaction: violation, Address: , Device Name: <target device name>, Device Group: --, Port: 22, Access/Protocol: SSH, Service/App: - -, Target Account: --, Details: PAM-CMN-2165: Unauthorized word echo "hello world" typed.
The attributes to check are therefore "Transaction: violation" together with the message code at the start of the Details field (PAM-CMN-2165, "Unauthorized word ... typed"). The record is sent with facility user and priority crit, so a filter on that facility/severity pair in the receiving syslog server narrows the candidates before matching the message text.
For details regarding the fields above refer to the product documentation.
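As an added example (not part of this article and not CA/Broadcom code), the following Python parses records in the layout shown above, decodes the syslog PRI into facility and severity, selects records with Transaction: violation whose Details start with PAM-CMN-2165, and builds a notification e-mail for a list of stakeholders. The sample lines are constructed for this example and written as raw RFC 3164 messages (<PRI>timestamp host tag[pid]: message); the hostnames, addresses, usernames, the PRI values and the second record's "session" transaction value are assumptions, not values taken from a real PAM deployment.

```python
import re
from email.message import EmailMessage
from typing import Dict, List, Optional

# Constructed sample records (made up for this example, not captured from PAM).
# PRI 10 = facility user (1) * 8 + severity crit (2), i.e. "Facility: user Priority: crit".
# PRI 14 = user (1) * 8 + info (6). The "session" transaction value is assumed.
SAMPLE_LINES = [
    '<10>Apr 22 09:30:23 pam-01 gkpsyslog[23873]: created = 2020-04-22 09:30:12 '
    'Private IP: 192.0.2.10, Nat/Proxy IP: 192.0.2.10, User: jdoe, User Group: --, '
    'Transaction: violation, Address: , Device Name: linux-prod-01, Device Group: --, '
    'Port: 22, Access/Protocol: SSH, Service/App: - -, Target Account: --, '
    'Details: PAM-CMN-2165: Unauthorized word echo "hello world" typed.',
    '<14>Apr 22 09:31:02 pam-01 gkpsyslog[23873]: created = 2020-04-22 09:30:55 '
    'Private IP: 192.0.2.10, Nat/Proxy IP: 192.0.2.10, User: jdoe, User Group: --, '
    'Transaction: session, Address: , Device Name: linux-prod-01, Device Group: --, '
    'Port: 22, Access/Protocol: SSH, Service/App: - -, Target Account: root, '
    'Details: session closed',
]

# RFC 3164 header: <PRI>Mon dd hh:mm:ss host tag[pid]: message
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<tag>[\w-]+)\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$"
)
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                  **{16 + i: f"local{i}" for i in range(8)}}

# Message-body keys as shown in the article. "User Group" precedes "User" so the
# alternation does not cut "User Group" short; "Details" is last and may contain commas.
FIELD_KEYS = ["Private IP", "Nat/Proxy IP", "User Group", "User", "Transaction", "Address",
              "Device Name", "Device Group", "Port", "Access/Protocol", "Service/App",
              "Target Account", "Details"]
FIELD_RE = re.compile(r"\b(" + "|".join(re.escape(k) for k in FIELD_KEYS) + r"):\s")
CREATED_RE = re.compile(r"created\s*=\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
UNAUTHORIZED_WORD_CODE = "PAM-CMN-2165"  # code shown in the article's Details field


def decode_pri(pri: int):
    """Split the syslog PRI into (facility name, severity name)."""
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES.get(facility, f"facility{facility}"), SEVERITY_NAMES[severity]


def parse_message(msg: str) -> Dict[str, str]:
    """Turn the 'Key: value, Key: value' body into a dict; values keep everything up to the next key."""
    parts = FIELD_RE.split(msg)          # [prefix, key1, value1, key2, value2, ...]
    fields: Dict[str, str] = {}
    created = CREATED_RE.search(parts[0])
    if created:
        fields["created"] = created.group(1)
    for key, value in zip(parts[1::2], parts[2::2]):
        fields[key] = value.strip().rstrip(",").strip()   # "Address: ," becomes ""
    return fields


def parse_record(line: str) -> Optional[dict]:
    m = HEADER_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    return {"time": m.group("ts"), "host": m.group("host"), "tag": m.group("tag"),
            "pid": int(m.group("pid")), "facility": facility, "severity": severity,
            "fields": parse_message(m.group("msg"))}


def is_blacklist_violation(rec: dict) -> bool:
    """Transaction must be 'violation' and Details must carry the unauthorized-word code."""
    f = rec["fields"]
    return (f.get("Transaction") == "violation"
            and f.get("Details", "").startswith(UNAUTHORIZED_WORD_CODE + ":"))


def build_notification(rec: dict, recipients: List[str], sender: str) -> EmailMessage:
    """Build (but do not send) the stakeholder e-mail; hand it to smtplib in a real deployment."""
    f = rec["fields"]
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = f"[PAM] blacklist violation by {f.get('User')} on {f.get('Device Name')}"
    msg.set_content(
        f"PAM host {rec['host']} reported at {f.get('created')} ({rec['facility']}/{rec['severity']}):\n"
        f"user {f.get('User')} via {f.get('Access/Protocol')} port {f.get('Port')} "
        f"to {f.get('Device Name')} (target account {f.get('Target Account')})\n"
        f"{f.get('Details')}\n")
    return msg


def notify_on_violations(lines: List[str], recipients: List[str], sender: str) -> List[EmailMessage]:
    """Return one notification per blacklist-violation record found in the lines."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec and is_blacklist_violation(rec):
            out.append(build_notification(rec, recipients, sender))
    return out


if __name__ == "__main__":
    for mail in notify_on_violations(SAMPLE_LINES, ["secops@example.com"], "pam@example.com"):
        print(mail)
```

The match deliberately requires both the transaction type and the message code: "Transaction: violation" is the broad selector for policy violations, and the PAM-CMN-2165 prefix narrows it to the unauthorized-word case this article shows. Confirm both against the "Syslog Message Formats" section of the documentation for your release before relying on them, and keep the facility/severity filter (user/crit here) in the syslog receiver as a cheap first-stage filter.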