Syslog messages for password updates of unsynchronized target accounts

Article ID: 202914

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

I am working with our team that receives our syslogs. We need to identify the expected syslog traffic that would be generated by a user manually updating the password for a static, non-managed account.

Environment

Release : 3.4

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

These events are Metric Data events, see e.g. https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-4-1/reference/messages-and-log-formats/syslog-message-formats.html, with type

<type>updateTargetAccountPassword</type>

An example is provided below. You can tell whether the event is for an unsynchronized account by looking at the synchronize parameter within the hashmap of key/value pairs:

<k>TargetAccount.synchronize</k><v>false</v>

It would be "true" for a synchronized account.

The TargetServer.hostName and TargetAccount.userName values hold the server host name (the device address in PAM) and the account name. The ID of the user who updated the account is the "userID" value (outside of the hashmap); in our case it is the super user:

<userID>super</userID>

Sample syslog message (from an rsyslog server log):

2020-11-05T21:57:00+00:00 cl-pam-202.lvn.broadcom.net pam DETAIL <Metric><type>updateTargetAccountPassword</type><level>1</level><description><hashmap><k>commandInitiator</k><v>USER</v><k>useTargetAliasNameParameter</k><v>true</v><k>TargetAccount.ownerUserId</k><v>-1</v><k>Attribute.extensionType</k><v>unixII</v><k>Attribute.discoveryAllowed</k><v>false</v><k>Attribute.discoveryGlobal</k><v>false</v><k>TargetAccount.password</k><v></v><k>TargetAccount.compoundAccount</k><v>false</v><k>TargetAccount.privileged</k><v>true</v><k>Attribute.verifyThroughOtherAccount</k><v>false</v><k>Attribute.passwordChangeMethod</k><v>DO_NOT_USE_SUDO</v><k>TargetAccount.compoundServerIDs</k><v>,</v><k>TargetAccount.ID</k><v>1048001</v><k>TargetApplication.name</k><v>lvntest000535-UNIX</v><k>GKCallback.gkrequest</k><v>true</v><k>isNotifyUpdateTargetAccount</k><v>false</v><k>Attribute.descriptor2</k><v></v><k>TargetAccount.cacheDuration</k><v>30</v><k>Attribute.descriptor1</k><v></v><k>Attribute.passphrase</k><v></v><k>PasswordViewPolicy.ID</k><v>1000</v><k>TargetAccount.synchronize</k><v>false</v><k>TargetAccount.cacheBehavior</k><v>useCacheFirst</v><k>Attribute.keyOptions</k><v></v><k>Attribute.protocol</k><v>SSH2_PASSWORD_AUTH</v><k>TargetAccount.accessType</k><v></v><k>Attribute.useOtherAccountToChangePassword</k><v>false</v><k>Attribute.otherAccount</k><v></v><k>TargetServer.hostName</k><v>lvntest000535.bpc.broadcom.net</v><k>TargetApplication.ID</k><v>8001</v><k>Attribute.publicKey</k><v></v><k>Attribute.privateKey</k><v></v><k>TargetAccount.userName</k><v>testsyslog2</v><k>passwordGenerated</k><v>false</v></hashmap></description><errorCode>0</errorCode><userID>super</userID><success>true</success><originatingIPAddress></originatingIPAddress><originatingHostName></originatingHostName><extensionType></extensionType></Metric>
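The following Python snippet is an added example for the team receiving these syslogs; it is not part of this article and not CA/Symantec code. It extracts the Metric XML from a syslog line, flattens the hashmap into a dictionary, and flags manual password updates of unsynchronized accounts using the fields named above. It assumes the Metric element is well-formed XML and that the hashmap alternates k/v pairs as in the sample; the embedded sample line is a constructed, abbreviated version of the one shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample line (abbreviated from the format shown in the article; not a real capture).
SAMPLE_LINE = (
    "2020-11-05T21:57:00+00:00 cl-pam-202.lvn.broadcom.net pam DETAIL "
    "<Metric><type>updateTargetAccountPassword</type><level>1</level>"
    "<description><hashmap>"
    "<k>commandInitiator</k><v>USER</v>"
    "<k>TargetAccount.password</k><v></v>"
    "<k>TargetAccount.synchronize</k><v>false</v>"
    "<k>TargetServer.hostName</k><v>lvntest000535.bpc.broadcom.net</v>"
    "<k>TargetAccount.userName</k><v>testsyslog2</v>"
    "<k>passwordGenerated</k><v>false</v>"
    "</hashmap></description><errorCode>0</errorCode><userID>super</userID>"
    "<success>true</success><originatingIPAddress></originatingIPAddress></Metric>"
)


def parse_metric(line):
    """Return the top-level Metric fields as a dict, with the hashmap under 'params'.

    Returns None when the line carries no <Metric>...</Metric> payload.
    """
    start = line.find("<Metric>")
    end = line.rfind("</Metric>")
    if start < 0 or end < 0:
        return None
    root = ET.fromstring(line[start:end + len("</Metric>")])
    # Simple children (type, userID, success, ...); empty elements become "".
    rec = {child.tag: (child.text or "") for child in root if child.tag != "description"}
    params = {}
    hashmap = root.find("description/hashmap")
    if hashmap is not None:
        kids = list(hashmap)
        # Keys and values alternate: <k>name</k><v>value</v>
        for k, v in zip(kids[0::2], kids[1::2]):
            if k.tag == "k" and v.tag == "v":
                params[k.text or ""] = v.text or ""
    rec["params"] = params
    return rec


def is_unsynced_password_update(rec):
    """True for a successful updateTargetAccountPassword event on a non-synchronized account."""
    return (rec is not None
            and rec.get("type") == "updateTargetAccountPassword"
            and rec.get("success") == "true"
            and rec["params"].get("TargetAccount.synchronize") == "false")


def summarize(rec):
    """Human-readable one-liner: who changed which account on which device."""
    p = rec["params"]
    return "%s updated %s on %s" % (rec.get("userID"), p.get("TargetAccount.userName"),
                                    p.get("TargetServer.hostName"))
```

Note that TargetAccount.password is always emitted empty, so the parser never sees a secret; the summary string is safe to forward to a ticketing or alerting system.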