Where are SCP / SFTP actions through TCP/UDP services recorded

Article ID: 214583

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

CA PAM after version 3.4.3 enables a feature to run sftp/scp file transfers via the SSH proxy. When this feature is used, session recording is not activated. Where can I find the details for these transactions?

Cause

The scp and sftp transactions are single commands sent to the target device. There is no need to record a session as is done for an SSH session, so these actions are simply recorded in the session logs and syslog outputs.

Environment

Release : 3.4.3 and higher

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

The following are samples of what is recorded for SCP / SFTP actions:

  • New session log detail messages

PAM-PRX-0078="Downloaded {0} ({1}) as {2}"

PAM-PRX-0079="Uploaded {0} ({1}) as {2}"

PAM-PRX-0080="Deleted {0} as {1}"

PAM-PRX-0081="Renamed {0} to {1} as {2}"

PAM-PRX-0082="Created new directory {0} as {1}"

PAM-PRX-0083="Removed directory {0} as {1}"

  • Session Log Type: put, get, rmdir, mkdir, rename, rm
  • Log Destination: Session Log, Syslog
  • Examples:

Downloaded home/sshtest/scp-test/size-1048576.dat (1024.0 KB) as sshtest

Uploaded home/sshtest/scp-test/16B.txt (16 B) as sshtest

Deleted home/sshtest/scp-test/size-1048576.dat as sshtest

Renamed /home/sshtest/scp-test/size-256k-262144.dat to /home/sshtest/scp-test/size-256k.dat as sshtest

Created new directory home/sshtest/scp-test/test-folder as sshtest

Removed directory home/sshtest/scp-test/test-folder as sshtest
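
For log review, the following added example (not part of the original article and not CA PAM code) parses the six messages above into structured events and totals downloaded bytes per user. Assumptions: the message text ends the log line, user names contain no whitespace, the pairing of message IDs with log types is inferred from the wording, and the MB/GB units are hypothetical since only B and KB appear in the samples.

```python
import re

# Regexes derived from the PAM-PRX-0078..0083 templates (assumptions as in
# the lead-in). Fields are unquoted, so each pattern is anchored on the final
# " as <user>" and a path containing " as " still parses correctly.
_SIZED = r"(?P<path>.+) \((?P<size>\d+(?:\.\d+)? [KMG]?B)\) as (?P<user>\S+)$"
_PLAIN = r"(?P<path>.+) as (?P<user>\S+)$"
PATTERNS = [
    ("PAM-PRX-0078", "get", re.compile("Downloaded " + _SIZED)),
    ("PAM-PRX-0079", "put", re.compile("Uploaded " + _SIZED)),
    ("PAM-PRX-0080", "rm", re.compile("Deleted " + _PLAIN)),
    ("PAM-PRX-0081", "rename",
     re.compile(r"Renamed (?P<path>.+) to (?P<new_path>.+) as (?P<user>\S+)$")),
    ("PAM-PRX-0082", "mkdir", re.compile("Created new directory " + _PLAIN)),
    ("PAM-PRX-0083", "rmdir", re.compile("Removed directory " + _PLAIN)),
]
# 1024.0 KB for a 1048576-byte file implies 1024-based units; MB/GB assumed.
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

def parse_event(line):
    """Return a dict for one SCP/SFTP action line, or None if no match."""
    for msg_id, log_type, rx in PATTERNS:
        m = rx.search(line.strip())
        if not m:
            continue
        event = {"msg_id": msg_id, "type": log_type, **m.groupdict()}
        if "size" in event:
            value, unit = event.pop("size").split()
            event["size_bytes"] = int(float(value) * UNITS[unit])
        return event
    return None

def bytes_downloaded_by_user(lines):
    """Total downloaded bytes per user, e.g. to flag bulk retrieval."""
    totals = {}
    for event in filter(None, map(parse_event, lines)):
        if event["type"] == "get":
            totals[event["user"]] = totals.get(event["user"], 0) + event["size_bytes"]
    return totals

# The six example messages from the article.
SAMPLE = [
    "Downloaded home/sshtest/scp-test/size-1048576.dat (1024.0 KB) as sshtest",
    "Uploaded home/sshtest/scp-test/16B.txt (16 B) as sshtest",
    "Deleted home/sshtest/scp-test/size-1048576.dat as sshtest",
    "Renamed /home/sshtest/scp-test/size-256k-262144.dat to /home/sshtest/scp-test/size-256k.dat as sshtest",
    "Created new directory home/sshtest/scp-test/test-folder as sshtest",
    "Removed directory home/sshtest/scp-test/test-folder as sshtest",
]
```

A rename whose source path itself contains " to " remains ambiguous in this message format; treat such events as needing manual review.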